authorColin Watson <cjwatson@debian.org>2013-05-07 11:47:26 +0100
committerColin Watson <cjwatson@debian.org>2013-05-07 11:47:26 +0100
commit2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch)
treec4fb7d1f51fa51e7677232de806aae150e29e2ac
parentf5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff)
parentecebda56da46a03dafff923d91c382f31faa9eec (diff)
* New upstream release (http://www.openssh.com/txt/release-6.2).
- Add support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option (closes: #195716). - Fix Sophie Germain formula in moduli(5) (closes: #698612). - Update ssh-copy-id to Phil Hands' greatly revised version (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).
-rw-r--r--ChangeLog671
-rw-r--r--INSTALL4
-rw-r--r--Makefile.in32
-rw-r--r--PROTOCOL42
-rw-r--r--PROTOCOL.agent4
-rw-r--r--PROTOCOL.krl164
-rw-r--r--README4
-rw-r--r--acss.c267
-rw-r--r--acss.h47
-rw-r--r--auth-options.c4
-rw-r--r--auth-rsa.c4
-rw-r--r--auth.c73
-rw-r--r--auth.h19
-rw-r--r--auth1.c13
-rw-r--r--auth2-chall.c13
-rw-r--r--auth2-gss.c8
-rw-r--r--auth2-jpake.c4
-rw-r--r--auth2-pubkey.c216
-rw-r--r--auth2.c239
-rw-r--r--authfile.c6
-rw-r--r--buildpkg.sh.in20
-rw-r--r--channels.c12
-rw-r--r--cipher-acss.c86
-rw-r--r--cipher-aes.c3
-rw-r--r--cipher-ctr.c6
-rw-r--r--cipher.c147
-rw-r--r--cipher.h8
-rw-r--r--clientloop.c145
-rw-r--r--clientloop.h3
-rw-r--r--compat.c4
-rw-r--r--config.h.in40
-rwxr-xr-xconfigure540
-rw-r--r--configure.ac273
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/redhat/openssh.spec2
-rwxr-xr-xcontrib/redhat/sshd.init8
-rw-r--r--contrib/ssh-copy-id309
-rw-r--r--contrib/ssh-copy-id.1251
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--contrib/suse/rc.sshd8
-rw-r--r--debian/changelog10
-rw-r--r--debian/patches/auth-log-verbosity.patch8
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch4
-rw-r--r--debian/patches/consolekit.patch55
-rw-r--r--debian/patches/copy-id-restorecon.patch19
-rw-r--r--debian/patches/debian-banner.patch31
-rw-r--r--debian/patches/debian-config.patch4
-rw-r--r--debian/patches/doc-hash-tab-completion.patch4
-rw-r--r--debian/patches/gssapi.patch123
-rw-r--r--debian/patches/keepalive-extensions.patch8
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch4
-rw-r--r--debian/patches/max-startups-default.patch57
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch6
-rw-r--r--debian/patches/openbsd-docs.patch12
-rw-r--r--debian/patches/package-versioning.patch28
-rw-r--r--debian/patches/quieter-signals.patch4
-rw-r--r--debian/patches/selinux-role.patch56
-rw-r--r--debian/patches/series2
-rw-r--r--debian/patches/shell-path.patch4
-rw-r--r--debian/patches/ssh-argv0.patch4
-rw-r--r--debian/patches/ssh-vulnkey.patch74
-rw-r--r--debian/patches/ssh1-keepalive.patch4
-rw-r--r--debian/patches/user-group-modes.patch28
-rw-r--r--defines.h10
-rw-r--r--includes.h6
-rw-r--r--kex.c30
-rw-r--r--kex.h4
-rw-r--r--key.c40
-rw-r--r--key.h6
-rw-r--r--krl.c1229
-rw-r--r--krl.h63
-rw-r--r--log.c19
-rw-r--r--log.h4
-rw-r--r--loginrec.c4
-rw-r--r--mac.c52
-rw-r--r--misc.c2
-rw-r--r--moduli397
-rw-r--r--moduli.010
-rw-r--r--moduli.513
-rw-r--r--monitor.c64
-rw-r--r--monitor.h90
-rw-r--r--monitor_wrap.c41
-rw-r--r--mux.c12
-rw-r--r--myproposal.h13
-rw-r--r--openbsd-compat/Makefile.in6
-rw-r--r--openbsd-compat/bsd-misc.c30
-rw-r--r--openbsd-compat/bsd-misc.h10
-rw-r--r--openbsd-compat/bsd-setres_id.c99
-rw-r--r--openbsd-compat/bsd-setres_id.h24
-rw-r--r--openbsd-compat/openbsd-compat.h11
-rw-r--r--openbsd-compat/openssl-compat.h43
-rw-r--r--openbsd-compat/strtoull.c110
-rw-r--r--openbsd-compat/sys-queue.h53
-rw-r--r--openbsd-compat/sys-tree.h114
-rw-r--r--openbsd-compat/vis.c2
-rw-r--r--openbsd-compat/vis.h4
-rw-r--r--packet.c132
-rw-r--r--platform.c18
-rw-r--r--platform.h5
-rw-r--r--regress/Makefile18
-rw-r--r--regress/cert-userkey.sh27
-rw-r--r--regress/cipher-speed.sh25
-rw-r--r--regress/forward-control.sh168
-rw-r--r--regress/integrity.sh74
-rw-r--r--regress/keys-command.sh39
-rw-r--r--regress/krl.sh161
-rwxr-xr-xregress/modpipe.c175
-rw-r--r--regress/multiplex.sh50
-rw-r--r--regress/test-exec.sh4
-rw-r--r--regress/try-ciphers.sh37
-rw-r--r--sandbox-seccomp-filter.c8
-rw-r--r--scp.02
-rw-r--r--scp.c2
-rw-r--r--servconf.c75
-rw-r--r--servconf.h20
-rw-r--r--serverloop.c23
-rw-r--r--session.c14
-rw-r--r--sftp-server.014
-rw-r--r--sftp-server.816
-rw-r--r--sftp-server.c26
-rw-r--r--sftp.02
-rw-r--r--sftp.c36
-rw-r--r--ssh-add.015
-rw-r--r--ssh-add.114
-rw-r--r--ssh-add.c39
-rw-r--r--ssh-agent.02
-rw-r--r--ssh-gss.h11
-rw-r--r--ssh-keygen.084
-rw-r--r--ssh-keygen.1125
-rw-r--r--ssh-keygen.c317
-rw-r--r--ssh-keyscan.02
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-pkcs11-helper.02
-rw-r--r--ssh.057
-rw-r--r--ssh.1111
-rw-r--r--ssh_config.032
-rw-r--r--ssh_config.520
-rw-r--r--sshconnect.c45
-rw-r--r--sshconnect2.c48
-rw-r--r--sshd.04
-rw-r--r--sshd.86
-rw-r--r--sshd.c42
-rw-r--r--sshd_config5
-rw-r--r--sshd_config.0105
-rw-r--r--sshd_config.582
-rw-r--r--uidswap.c34
-rw-r--r--umac.c8
-rw-r--r--umac.h8
-rw-r--r--version.h4
149 files changed, 7337 insertions, 1927 deletions
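--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,673 @@
+20120322
+ - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
+ Hands' greatly revised version.
+ - (djm) Release 6.2p1
+
+20120318
+ - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
+ [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
+ so mark it as broken. Patch from des AT des.no
+
+20120317
+ - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none
+ of the bits the configure test looks for.
+
+20120316
+ - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform
+ is unable to successfully compile them. Based on patch from des AT
+ des.no
+ - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
+ Add a usleep replacement for platforms that lack it; ok dtucker
+ - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
+ occur after UID switch; patch from John Marshall via des AT des.no;
+ ok dtucker@
+
+20120312
+ - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh]
+ Improve portability of cipher-speed test, based mostly on a patch from
+ Iain Morgan.
+ - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin")
+ in addition to root as an owner of system directories on AIX and HP-UX.
+ ok djm@
+
+20130307
+ - (dtucker) [INSTALL] Bump documented autoconf version to what we're
+ currently using.
+ - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it
+ was removed in configure.ac rev 1.481 as it was redundant.
+ - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days
+ ago.
+ - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a
+ chance to complete on broken systems; ok dtucker@
+
+20130306
+ - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding
+ connection to start so that the test works on slower machines.
+ - (dtucker) [configure.ac] test that we can set number of file descriptors
+ to zero with setrlimit before enabling the rlimit sandbox. This affects
+ (at least) HPUX 11.11.
+
+20130305
+ - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for
+ HP/UX. Spotted by Kevin Brott
+ - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by
+ Amit Kulkarni and Kevin Brott.
+ - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure
+ build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin
+ Brott.
+ - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov.
+
+20130227
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Crank version numbers
+ - (tim) [regress/forward-control.sh] use sh in case login shell is csh.
+ - (tim) [regress/integrity.sh] shell portability fix.
+ - (tim) [regress/integrity.sh] keep old solaris awk from hanging.
+ - (tim) [regress/krl.sh] keep old solaris awk from hanging.
+
+20130226
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/02/20 08:27:50
+ [integrity.sh]
+ Add an option to modpipe that warns if the modification offset it not
+ reached in it's stream and turn it on for t-integrity. This should catch
+ cases where the session is not fuzzed for being too short (cf. my last
+ "oops" commit)
+ - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage
+ for UsePAM=yes configuration
+
+20130225
+ - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed
+ to use Solaris native GSS libs. Patch from Pierre Ossman.
+
+20130223
+ - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer
+ bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu.
+ ok tim
+
+20130222
+ - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to
+ ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm.
+ - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named
+ libgss too. Patch from Pierre Ossman, ok djm.
+ - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
+ seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
+ ok dtucker
+
+20130221
+ - (tim) [regress/forward-control.sh] shell portability fix.
+
+20130220
+ - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix.
+ - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded
+ err.h include from krl.c. Additional portability fixes for modpipe. OK djm
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/02/20 08:27:50
+ [regress/integrity.sh regress/modpipe.c]
+ Add an option to modpipe that warns if the modification offset it not
+ reached in it's stream and turn it on for t-integrity. This should catch
+ cases where the session is not fuzzed for being too short (cf. my last
+ "oops" commit)
+ - djm@cvs.openbsd.org 2013/02/20 08:29:27
+ [regress/modpipe.c]
+ s/Id/OpenBSD/ in RCS tag
+
+20130219
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/02/18 22:26:47
+ [integrity.sh]
+ crank the offset yet again; it was still fuzzing KEX one of Darren's
+ portable test hosts at 2800
+ - djm@cvs.openbsd.org 2013/02/19 02:14:09
+ [integrity.sh]
+ oops, forgot to increase the output of the ssh command to ensure that
+ we actually reach $offset
+ - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that
+ lack support for SHA2.
+ - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms
+ that do not have them.
+
+20130217
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/02/17 23:16:55
+ [integrity.sh]
+ make the ssh command generates some output to ensure that there are at
+ least offset+tries bytes in the stream.
+
+20130216
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/02/16 06:08:45
+ [integrity.sh]
+ make sure the fuzz offset is actually past the end of KEX for all KEX
+ types. diffie-hellman-group-exchange-sha256 requires an offset around
+ 2700. Noticed via test failures in portable OpenSSH on platforms that
+ lack ECC and this the more byte-frugal ECDH KEX algorithms.
+
+20130215
+ - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from
+ Iain Morgan
+ - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
+ Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
+ - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c
+ openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
+ platforms that don't have it.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul,
+ group strto* function prototypes together.
+ - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes
+ an argument. Pointed out by djm.
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/02/14 21:35:59
+ [auth2-pubkey.c]
+ Correct error message that had a typo and was logging the wrong thing;
+ patch from Petr Lautrbach
+ - dtucker@cvs.openbsd.org 2013/02/15 00:21:01
+ [sshconnect2.c]
+ Warn more loudly if an IdentityFile provided by the user cannot be read.
+ bz #1981, ok djm@
+
+20130214
+ - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC.
+ - (djm) [regress/krl.sh] typo; found by Iain Morgan
+ - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead
+ of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by
+ Iain Morgan
+
+20130212
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/01/24 21:45:37
+ [krl.c]
+ fix handling of (unused) KRL signatures; skip string in correct buffer
+ - djm@cvs.openbsd.org 2013/01/24 22:08:56
+ [krl.c]
+ skip serial lookup when cert's serial number is zero
+ - krw@cvs.openbsd.org 2013/01/25 05:00:27
+ [krl.c]
+ Revert last. Breaks due to likely typo. Let djm@ fix later.
+ ok djm@ via dlg@
+ - djm@cvs.openbsd.org 2013/01/25 10:22:19
+ [krl.c]
+ redo last commit without the vi-vomit that snuck in:
+ skip serial lookup when cert's serial number is zero
+ (now with 100% better comment)
+ - djm@cvs.openbsd.org 2013/01/26 06:11:05
+ [Makefile.in acss.c acss.h cipher-acss.c cipher.c]
+ [openbsd-compat/openssl-compat.h]
+ remove ACSS, now that it is gone from libcrypto too
+ - djm@cvs.openbsd.org 2013/01/27 10:06:12
+ [krl.c]
+ actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
+ - dtucker@cvs.openbsd.org 2013/02/06 00:20:42
+ [servconf.c sshd_config sshd_config.5]
+ Change default of MaxStartups to 10:30:100 to start doing random early
+ drop at 10 connections up to 100 connections. This will make it harder
+ to DoS as CPUs have come a long way since the original value was set
+ back in 2000. Prompted by nion at debian org, ok markus@
+ - dtucker@cvs.openbsd.org 2013/02/06 00:22:21
+ [auth.c]
+ Fix comment, from jfree.e1 at gmail
+ - djm@cvs.openbsd.org 2013/02/08 00:41:12
+ [sftp.c]
+ fix NULL deref when built without libedit and control characters
+ entered as command; debugging and patch from Iain Morgan an
+ Loganaden Velvindron in bz#1956
+ - markus@cvs.openbsd.org 2013/02/10 21:19:34
+ [version.h]
+ openssh 6.2
+ - djm@cvs.openbsd.org 2013/02/10 23:32:10
+ [ssh-keygen.c]
+ append to moduli file when screening candidates rather than overwriting.
+ allows resumption of interrupted screen; patch from Christophe Garault
+ in bz#1957; ok dtucker@
+ - djm@cvs.openbsd.org 2013/02/10 23:35:24
+ [packet.c]
+ record "Received disconnect" messages at ERROR rather than INFO priority,
+ since they are abnormal and result in a non-zero ssh exit status; patch
+ from Iain Morgan in bz#2057; ok dtucker@
+ - dtucker@cvs.openbsd.org 2013/02/11 21:21:58
+ [sshd.c]
+ Add openssl version to debug output similar to the client. ok markus@
+ - djm@cvs.openbsd.org 2013/02/11 23:58:51
+ [regress/try-ciphers.sh]
+ remove acss here too
+ - (djm) [regress/try-ciphers.sh] clean up CVS merge botch
+
+20130211
+ - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
+ libcrypto that lacks EVP_CIPHER_CTX_ctrl
+
+20130208
+ - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
+ patch from Iain Morgan in bz#2059
+ - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
+ __attribute__ on return values and work around if necessary. ok djm@
+
+20130207
+ - (djm) [configure.ac] Don't probe seccomp capability of running kernel
+ at configure time; the seccomp sandbox will fall back to rlimit at
+ runtime anyway. Patch from plautrba AT redhat.com in bz#2011
+
+20130120
+ - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
+ Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
+ prototypes for openssl-1.0.0-fips.
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2013/01/18 07:57:47
+ [ssh-keygen.1]
+ tweak previous;
+ - jmc@cvs.openbsd.org 2013/01/18 07:59:46
+ [ssh-keygen.c]
+ -u before -V in usage();
+ - jmc@cvs.openbsd.org 2013/01/18 08:00:49
+ [sshd_config.5]
+ tweak previous;
+ - jmc@cvs.openbsd.org 2013/01/18 08:39:04
+ [ssh-keygen.1]
+ add -Q to the options list; ok djm
+ - jmc@cvs.openbsd.org 2013/01/18 21:48:43
+ [ssh-keygen.1]
+ command-line (adj.) -> command line (n.);
+ - jmc@cvs.openbsd.org 2013/01/19 07:13:25
+ [ssh-keygen.1]
+ fix some formatting; ok djm
+ - markus@cvs.openbsd.org 2013/01/19 12:34:55
+ [krl.c]
+ RB_INSERT does not remove existing elments; ok djm@
+ - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
+ version.
+ - (djm) [regress/krl.sh] replacement for jot; most platforms lack it
+
+20130118
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/01/17 23:00:01
+ [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
+ [krl.c krl.h PROTOCOL.krl]
+ add support for Key Revocation Lists (KRLs). These are a compact way to
+ represent lists of revoked keys and certificates, taking as little as
+ a single bit of incremental cost to revoke a certificate by serial number.
+ KRLs are loaded via the existing RevokedKeys sshd_config option.
+ feedback and ok markus@
+ - djm@cvs.openbsd.org 2013/01/18 00:45:29
+ [regress/Makefile regress/cert-userkey.sh regress/krl.sh]
+ Tests for Key Revocation Lists (KRLs)
+ - djm@cvs.openbsd.org 2013/01/18 03:00:32
+ [krl.c]
+ fix KRL generation bug for list sections
+
+20130117
+ - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
+ check for GCM support before testing GCM ciphers.
+
+20130112
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2013/01/12 11:22:04
+ [cipher.c]
+ improve error message for integrity failure in AES-GCM modes; ok markus@
+ - djm@cvs.openbsd.org 2013/01/12 11:23:53
+ [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
+ test AES-GCM modes; feedback markus@
+ - (djm) [regress/integrity.sh] repair botched merge
+
+20130109
+ - (djm) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2012/12/14 05:26:43
+ [auth.c]
+ use correct string in error message; from rustybsd at gmx.fr
+ - djm@cvs.openbsd.org 2013/01/02 00:32:07
+ [clientloop.c mux.c]
+ channel_setup_local_fwd_listener() returns 0 on failure, not -ve
+ bz#2055 reported by mathieu.lacage AT gmail.com
+ - djm@cvs.openbsd.org 2013/01/02 00:33:49
+ [PROTOCOL.agent]
+ correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
+ bz#2051 from david AT lechnology.com
+ - djm@cvs.openbsd.org 2013/01/03 05:49:36
+ [servconf.h]
+ add a couple of ServerOptions members that should be copied to the privsep
+ child (for consistency, in this case they happen only to be accessed in
+ the monitor); ok dtucker@
+ - djm@cvs.openbsd.org 2013/01/03 12:49:01
+ [PROTOCOL]
+ fix description of MAC calculation for EtM modes; ok markus@
+ - djm@cvs.openbsd.org 2013/01/03 12:54:49
+ [sftp-server.8 sftp-server.c]
+ allow specification of an alternate start directory for sftp-server(8)
+ "I like this" markus@
+ - djm@cvs.openbsd.org 2013/01/03 23:22:58
+ [ssh-keygen.c]
+ allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
+ ok markus@
+ - jmc@cvs.openbsd.org 2013/01/04 19:26:38
+ [sftp-server.8 sftp-server.c]
+ sftp-server.8: add argument name to -d
+ sftp-server.c: add -d to usage()
+ ok djm
+ - markus@cvs.openbsd.org 2013/01/08 18:49:04
+ [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
+ [myproposal.h packet.c ssh_config.5 sshd_config.5]
+ support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
+ ok and feedback djm@
+ - djm@cvs.openbsd.org 2013/01/09 05:40:17
+ [ssh-keygen.c]
+ correctly initialise fingerprint type for fingerprinting PKCS#11 keys
+ - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
+ Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
+ cipher compat code to openssl-compat.h
+
+20121217
+ - (dtucker) [Makefile.in] Add some scaffolding so that the new regress
+ tests will work with VPATH directories.
+
+20121213
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2012/12/12 16:45:52
+ [packet.c]
+ reset incoming_packet buffer for each new packet in EtM-case, too;
+ this happens if packets are parsed only parially (e.g. ignore
+ messages sent when su/sudo turn off echo); noted by sthen/millert
+ - naddy@cvs.openbsd.org 2012/12/12 16:46:10
+ [cipher.c]
+ use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled
+ counter mode code; ok djm@
+ - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
+ compat code for older OpenSSL
+ - (djm) [cipher.c] Fix missing prototype for compat code
+
+20121212
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2012/12/11 22:16:21
+ [monitor.c]
+ drain the log messages after receiving the keystate from the unpriv
+ child. otherwise it might block while sending. ok djm@
+ - markus@cvs.openbsd.org 2012/12/11 22:31:18
+ [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
+ [packet.c ssh_config.5 sshd_config.5]
+ add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
+ that change the packet format and compute the MAC over the encrypted
+ message (including the packet size) instead of the plaintext data;
+ these EtM modes are considered more secure and used by default.
+ feedback and ok djm@
+ - sthen@cvs.openbsd.org 2012/12/11 22:51:45
+ [mac.c]
+ fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
+ - markus@cvs.openbsd.org 2012/12/11 22:32:56
+ [regress/try-ciphers.sh]
+ add etm modes
+ - markus@cvs.openbsd.org 2012/12/11 22:42:11
+ [regress/Makefile regress/modpipe.c regress/integrity.sh]
+ test the integrity of the packets; with djm@
+ - markus@cvs.openbsd.org 2012/12/11 23:12:13
+ [try-ciphers.sh]
+ add hmac-ripemd160-etm@openssh.com
+ - (djm) [mac.c] fix merge botch
+ - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test
+ work on platforms without 'jot'
+ - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip
+ - (djm) [regress/Makefile] fix t-exec rule
+
+20121207
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
+ [regress/keys-command.sh]
+ Fix some problems with the keys-command test:
+ - use string comparison rather than numeric comparison
+ - check for existing KEY_COMMAND file and don't clobber if it exists
+ - clean up KEY_COMMAND file if we do create it.
+ - check that KEY_COMMAND is executable (which it won't be if eg /var/run
+ is mounted noexec).
+ ok djm.
+ - jmc@cvs.openbsd.org 2012/12/03 08:33:03
+ [ssh-add.1 sshd_config.5]
+ tweak previous;
+ - markus@cvs.openbsd.org 2012/12/05 15:42:52
+ [ssh-add.c]
+ prevent double-free of comment; ok djm@
+ - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
+ [serverloop.c]
+ Cast signal to int for logging. A no-op on openbsd (they're always ints)
+ but will prevent warnings in portable. ok djm@
+
+20121205
+ - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
+
+20121203
+ - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
+ TAILQ_FOREACH_SAFE needed for upcoming changes.
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2012/12/02 20:26:11
+ [ssh_config.5 sshconnect2.c]
+ Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
+ This allows control of which keys are offered from tokens using
+ IdentityFile. ok markus@
+ - djm@cvs.openbsd.org 2012/12/02 20:42:15
+ [ssh-add.1 ssh-add.c]
+ make deleting explicit keys "ssh-add -d" symmetric with adding keys -
+ try to delete the corresponding certificate too and respect the -k option
+ to allow deleting of the key only; feedback and ok markus@
+ - djm@cvs.openbsd.org 2012/12/02 20:46:11
+ [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
+ [sshd_config.5]
+ make AllowTcpForwarding accept "local" and "remote" in addition to its
+ current "yes"/"no" to allow the server to specify whether just local or
+ remote TCP forwarding is enabled. ok markus@
+ - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
+ [regress/cipher-speed.sh regress/try-ciphers.sh]
+ Add umac-128@openssh.com to the list of MACs to be tested
+ - djm@cvs.openbsd.org 2012/10/19 05:10:42
+ [regress/cert-userkey.sh]
+ include a serial number when generating certs
+ - djm@cvs.openbsd.org 2012/11/22 22:49:30
+ [regress/Makefile regress/keys-command.sh]
+ regress for AuthorizedKeysCommand; hints from markus@
+ - djm@cvs.openbsd.org 2012/12/02 20:47:48
+ [Makefile regress/forward-control.sh]
+ regress for AllowTcpForwarding local/remote; ok markus@
+ - djm@cvs.openbsd.org 2012/12/03 00:14:06
+ [auth2-chall.c ssh-keygen.c]
+ Fix compilation with -Wall -Werror (trivial type fixes)
+ - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
+ debugging. ok dtucker@
+ - (djm) [configure.ac] Revert previous. configure.ac already does this
+ for us.
+
+20121114
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2012/11/14 02:24:27
+ [auth2-pubkey.c]
+ fix username passed to helper program
+ prepare stdio fds before closefrom()
+ spotted by landry@
+ - djm@cvs.openbsd.org 2012/11/14 02:32:15
+ [ssh-keygen.c]
+ allow the full range of unsigned serial numbers; 'fine' deraadt@
+ - djm@cvs.openbsd.org 2012/12/02 20:34:10
+ [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
+ [monitor.c monitor.h]
+ Fixes logging of partial authentication when privsep is enabled
+ Previously, we recorded "Failed xxx" since we reset authenticated before
+ calling auth_log() in auth2.c. This adds an explcit "Partial" state.
+
+ Add a "submethod" to auth_log() to report which submethod is used
+ for keyboard-interactive.
+
+ Fix multiple authentication when one of the methods is
+ keyboard-interactive.
+
+ ok markus@
+ - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
+ [regress/multiplex.sh]
+ Use 'kill -0' to test for the presence of a pid since it's more portable
+
+20121107
+ - (djm) OpenBSD CVS Sync
+ - eric@cvs.openbsd.org 2011/11/28 08:46:27
+ [moduli.5]
+ fix formula
+ ok djm@
+ - jmc@cvs.openbsd.org 2012/09/26 17:34:38
+ [moduli.5]
+ last stage of rfc changes, using consistent Rs/Re blocks, and moving the
+ references into a STANDARDS section;
+
+20121105
+ - (dtucker) [uidswap.c openbsd-compat/Makefile.in
+ openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
+ openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids
+ and gids from uidswap.c to the compat library, which allows it to work with
+ the new setresuid calls in auth2-pubkey. with tim@, ok djm@
+ - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
+ don't have it. Spotted by tim@.
+
+20121104
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2012/10/31 08:04:50
+ [sshd_config.5]
+ tweak previous;
+ - djm@cvs.openbsd.org 2012/11/04 10:38:43
+ [auth2-pubkey.c sshd.c sshd_config.5]
+ Remove default of AuthorizedCommandUser. Administrators are now expected
+ to explicitly specify a user. feedback and ok markus@
+ - djm@cvs.openbsd.org 2012/11/04 11:09:15
+ [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
+ [sshd_config.5]
+ Support multiple required authentication via an AuthenticationMethods
+ option. This option lists one or more comma-separated lists of
+ authentication method names. Successful completion of all the methods in
+ any list is required for authentication to complete;
+ feedback and ok markus@
+
+20121030
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2012/10/05 12:34:39
+ [sftp.c]
+ fix signed vs unsigned warning; feedback & ok: djm@
+ - djm@cvs.openbsd.org 2012/10/30 21:29:55
+ [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
+ [sshd.c sshd_config sshd_config.5]
+ new sshd_config option AuthorizedKeysCommand to support fetching
+ authorized_keys from a command in addition to (or instead of) from
+ the filesystem. The command is run as the target server user unless
+ another specified via a new AuthorizedKeysCommandUser option.
+
+ patch originally by jchadima AT redhat.com, reworked by me; feedback
+ and ok markus@
+
+20121019
+ - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
+ the generated file as intended.
+
+20121005
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2012/09/17 09:54:44
+ [sftp.c]
+ an XXX for later
+ - markus@cvs.openbsd.org 2012/09/17 13:04:11
+ [packet.c]
+ clear old keys on rekeing; ok djm
+ - dtucker@cvs.openbsd.org 2012/09/18 10:36:12
+ [sftp.c]
+ Add bounds check on sftp tab-completion. Part of a patch from from
+ Jean-Marc Robert via tech@, ok djm
+ - dtucker@cvs.openbsd.org 2012/09/21 10:53:07
+ [sftp.c]
+ Fix improper handling of absolute paths when PWD is part of the completed
+ path. Patch from Jean-Marc Robert via tech@, ok djm.
+ - dtucker@cvs.openbsd.org 2012/09/21 10:55:04
+ [sftp.c]
+ Fix handling of filenames containing escaped globbing characters and
+ escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.
+ - jmc@cvs.openbsd.org 2012/09/26 16:12:13
+ [ssh.1]
+ last stage of rfc changes, using consistent Rs/Re blocks, and moving the
+ references into a STANDARDS section;
+ - naddy@cvs.openbsd.org 2012/10/01 13:59:51
+ [monitor_wrap.c]
+ pasto; ok djm@
+ - djm@cvs.openbsd.org 2012/10/02 07:07:45
+ [ssh-keygen.c]
+ fix -z option, broken in revision 1.215
+ - markus@cvs.openbsd.org 2012/10/04 13:21:50
+ [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
+ add umac128 variant; ok djm@ at n2k12
+ - dtucker@cvs.openbsd.org 2012/09/06 04:11:07
+ [regress/try-ciphers.sh]
+ Restore missing space. (Id sync only).
+ - dtucker@cvs.openbsd.org 2012/09/09 11:51:25
+ [regress/multiplex.sh]
+ Add test for ssh -Ostop
+ - dtucker@cvs.openbsd.org 2012/09/10 00:49:21
+ [regress/multiplex.sh]
+ Log -O cmd output to the log file and make logging consistent with the
+ other tests. Test clean shutdown of an existing channel when testing
+ "stop".
+ - dtucker@cvs.openbsd.org 2012/09/10 01:51:19
+ [regress/multiplex.sh]
+ use -Ocheck and waiting for completions by PID to make multiplexing test
+ less racy and (hopefully) more reliable on slow hardware.
+ - [Makefile umac.c] Add special-case target to build umac128.o.
+ - [umac.c] Enforce allowed umac output sizes. From djm@.
+ - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom".
+
+20120917
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2012/09/13 23:37:36
+ [servconf.c]
+ Fix comment line length
+ - markus@cvs.openbsd.org 2012/09/14 16:51:34
+ [sshconnect.c]
+ remove unused variable
+
+20120907
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2012/09/06 09:50:13
+ [clientloop.c]
+ Make the escape command help (~?) context sensitive so that only commands
+ that will work in the current session are shown. ok markus@
+ - jmc@cvs.openbsd.org 2012/09/06 13:57:42
+ [ssh.1]
+ missing letter in previous;
+ - dtucker@cvs.openbsd.org 2012/09/07 00:30:19
+ [clientloop.c]
+ Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@
+ - dtucker@cvs.openbsd.org 2012/09/07 01:10:21
+ [clientloop.c]
+ Merge escape help text for ~v and ~V; ok djm@
+ - dtucker@cvs.openbsd.org 2012/09/07 06:34:21
+ [clientloop.c]
+ when muxmaster is run with -N, make it shut down gracefully when a client
+ sends it "-O stop" rather than hanging around (bz#1985). ok djm@
+
+20120906
+ - (dtucker) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2012/08/15 18:25:50
+ [ssh-keygen.1]
+ a little more info on certificate validity;
+ requested by Ross L Richardson, and provided by djm
+ - dtucker@cvs.openbsd.org 2012/08/17 00:45:45
+ [clientloop.c clientloop.h mux.c]
+ Force a clean shutdown of ControlMaster client sessions when the ~. escape
+ sequence is used. This means that ~. should now work in mux clients even
+ if the server is no longer responding. Found by tedu, ok djm.
+ - djm@cvs.openbsd.org 2012/08/17 01:22:56
+ [kex.c]
+ add some comments about better handling first-KEX-follows notifications
+ from the server. Nothing uses these right now. No binary change
+ - djm@cvs.openbsd.org 2012/08/17 01:25:58
+ [ssh-keygen.c]
+ print details of which host lines were deleted when using
+ "ssh-keygen -R host"; ok markus@
+ - djm@cvs.openbsd.org 2012/08/17 01:30:00
+ [compat.c sshconnect.c]
+ Send client banner immediately, rather than waiting for the server to
+ move first for SSH protocol 2 connections (the default). Patch based on
+ one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
+ - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
+ [clientloop.c log.c ssh.1 log.h]
+ Add ~v and ~V escape sequences to raise and lower the logging level
+ respectively. Man page help from jmc, ok deraadt jmc
+
+20120830
+ - (dtucker) [moduli] Import new moduli file.
+
 20120828
  - (djm) Release openssh-6.1
 
@@ -172,6 +842,7 @@
  [dns.c dns.h key.c key.h ssh-keygen.c]
  add support for RFC6594 SSHFP DNS records for ECDSA key types.
  patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
+ (Original authors Ondřej Surý, Ondřej Caletka and Daniel Black)
  - djm@cvs.openbsd.org 2012/06/01 00:49:35
  [PROTOCOL.mux]
  correct types of port numbers (integers, not strings); bz#2004 from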
diff --git a/INSTALL b/INSTALL
index 7c6046932..576723048 100644
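--- a/INSTALL
+++ b/INSTALL
@@ -89,7 +89,7 @@ http://nlnetlabs.nl/projects/ldns/
 Autoconf:
 
 If you modify configure.ac or configure doesn't exist (eg if you checked
-the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
+the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
 the automatically generated files by running "autoreconf". Earlier
 versions may also work but this is not guaranteed.
 
@@ -266,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
 
 
-$Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $
+$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $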
diff --git a/Makefile.in b/Makefile.in
index 9a286a390..5b2431d4a 100644
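--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $
+# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -39,13 +39,15 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
  -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
  -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
  -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
- -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \
+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
 
 CC=@CC@
 LD=@LD@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+K5LIBS=@K5LIBS@
+GSSLIBS=@GSSLIBS@
 SSHLIBS=@SSHLIBS@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
@@ -63,8 +65,8 @@ MANFMT=@MANFMT@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
 
-LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+ canohost.o channels.o cipher.o cipher-aes.o \
  cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
  compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
  log.o match.o md-sha256.o moduli.o nchan.o packet.o \
@@ -73,8 +75,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
  monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
  kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
  kexgssc.o \
- msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
- schnorr.o ssh-pkcs11.o
+ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+ jpake.o schnorr.o ssh-pkcs11.o krl.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -143,10 +145,10 @@ libssh.a: $(LIBSSH_OBJS)
  $(RANLIB) $@
 
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
 
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -202,6 +204,13 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
 moduli:
  echo
 
+# special case target for umac128
+umac128.o: umac.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
+ -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
+ -Dumac_update=umac128_update -Dumac_final=umac128_final \
+ -Dumac_delete=umac128_delete
+
 clean: regressclean
  rm -f *.o *.a $(TARGETS) logintest config.cache config.log
  rm -f *.out core survey
@@ -384,7 +393,12 @@ uninstall:
  -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
  -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
-tests interop-tests: $(TARGETS)
+regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
+ $(CC) $(CPPFLAGS) -o $@ $? \
+ $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
  BUILDDIR=`pwd`; \
  [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
  [ -f `pwd`/regress/Makefile ] || \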
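Review bot: The new `regress/modpipe$(EXEEXT)` rule in the last hunk links with `-lopenbsd-compat -lssh` but names only modpipe.c as a prerequisite, so it relies on libssh.a and the compat library already having been built through the ordering of the `tests` prerequisites, which a parallel make does not guarantee. Listing the archives as prerequisites fixes that, but the recipe compiles `$?` (the prerequisites newer than the target), which would then pass the archives to the compiler or leave the source out, so the source should be named explicitly: `regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c libssh.a $(LIBCOMPAT)` and `$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \`. Adding `$(CFLAGS)` also applies whatever warning and hardening flags configure selected, which this rule currently skips although the umac128.o rule in the same file passes them.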
diff --git a/PROTOCOL b/PROTOCOL
index c28196011..48b3a4400 100644
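--- a/PROTOCOL
+++ b/PROTOCOL
@@ -51,6 +51,46 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
 curve points encoded using point compression are NOT accepted or
 generated.
 
+1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
+
+OpenSSH supports MAC algorithms, whose names contain "-etm", that
+perform the calculations in a different order to that defined in RFC
+4253. These variants use the so-called "encrypt then MAC" ordering,
+calculating the MAC over the packet ciphertext rather than the
+plaintext. This ordering closes a security flaw in the SSH transport
+protocol, where decryption of unauthenticated ciphertext provided a
+"decryption oracle" that could, in conjunction with cipher flaws, reveal
+session plaintext.
+
+Specifically, the "-etm" MAC algorithms modify the transport protocol
+to calculate the MAC over the packet ciphertext and to send the packet
+length unencrypted. This is necessary for the transport to obtain the
+length of the packet and location of the MAC tag so that it may be
+verified without decrypting unauthenticated data.
+
+As such, the MAC covers:
+
+ mac = MAC(key, sequence_number || packet_length || encrypted_packet)
+
+where "packet_length" is encoded as a uint32 and "encrypted_packet"
+contains:
+
+ byte padding_length
+ byte[n1] payload; n1 = packet_length - padding_length - 1
+ byte[n2] random padding; n2 = padding_length
+
+1.6 transport: AES-GCM
+
+OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
+Because of problems with the specification of the key exchange
+the behaviour of OpenSSH differs from the RFC as follows:
+
+AES-GCM is only negotiated as the cipher algorithms
+"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
+an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
+the exchanged MAC algorithms are ignored and there doesn't have to be
+a matching MAC.
+
 2. Connection protocol changes
 
 2.1. connection: Channel write close extension "eow@openssh.com"
@@ -291,4 +331,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
 
-$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $
+$OpenBSD: PROTOCOL,v 1.20 2013/01/08 18:49:04 markus Exp $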
diff --git a/PROTOCOL.agent b/PROTOCOL.agent
index de94d037d..3fcaa14d4 100644
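--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@@ -152,7 +152,7 @@ fully specified using just rsa_q, rsa_p and rsa_e at the cost of extra
 computation.
 
 "key_constraints" may only be present if the request type is
-SSH_AGENTC_ADD_RSA_IDENTITY.
+SSH_AGENTC_ADD_RSA_ID_CONSTRAINED.
 
 The agent will reply with a SSH_AGENT_SUCCESS if the key has been
 successfully added or a SSH_AGENT_FAILURE if an error occurred.
@@ -557,4 +557,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
  SSH_AGENT_CONSTRAIN_LIFETIME 1
  SSH_AGENT_CONSTRAIN_CONFIRM 2
 
-$OpenBSD: PROTOCOL.agent,v 1.6 2010/08/31 11:54:45 djm Exp $
+$OpenBSD: PROTOCOL.agent,v 1.7 2013/01/02 00:33:49 djm Exp $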
diff --git a/PROTOCOL.krl b/PROTOCOL.krl
new file mode 100644
index 000000000..e8caa4527
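--- /dev/null
+++ b/PROTOCOL.krl
@@ -0,0 +1,164 @@
+This describes the key/certificate revocation list format for OpenSSH.
+
+1. Overall format
+
+The KRL consists of a header and zero or more sections. The header is:
+
+#define KRL_MAGIC 0x5353484b524c0a00ULL /* "SSHKRL\n\0" */
+#define KRL_FORMAT_VERSION 1
+
+ uint64 KRL_MAGIC
+ uint32 KRL_FORMAT_VERSION
+ uint64 krl_version
+ uint64 generated_date
+ uint64 flags
+ string reserved
+ string comment
+
+Where "krl_version" is a version number that increases each time the KRL
+is modified, "generated_date" is the time in seconds since 1970-01-01
+00:00:00 UTC that the KRL was generated, "comment" is an optional comment
+and "reserved" an extension field whose contents are currently ignored.
+No "flags" are currently defined.
+
+Following the header are zero or more sections, each consisting of:
+
+ byte section_type
+ string section_data
+
+Where "section_type" indicates the type of the "section_data". An exception
+to this is the KRL_SECTION_SIGNATURE section, that has a slightly different
+format (see below).
+
+The available section types are:
+
+#define KRL_SECTION_CERTIFICATES 1
+#define KRL_SECTION_EXPLICIT_KEY 2
+#define KRL_SECTION_FINGERPRINT_SHA1 3
+#define KRL_SECTION_SIGNATURE 4
+
+3. Certificate serial section
+
+These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
+serial number or key ID. The consist of the CA key that issued the
+certificates to be revoked and a reserved field whose contents is currently
+ignored.
+
+ string ca_key
+ string reserved
+
+Followed by one or more sections:
+
+ byte cert_section_type
+ string cert_section_data
+
+The certificate section types are:
+
+#define KRL_SECTION_CERT_SERIAL_LIST 0x20
+#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
+#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
+#define KRL_SECTION_CERT_KEY_ID 0x23
+
+2.1 Certificate serial list section
+
+This section is identified as KRL_SECTION_CERT_SERIAL_LIST. It revokes
+certificates by listing their serial numbers. The cert_section_data in this
+case contains:
+
+ uint64 revoked_cert_serial
+ uint64 ...
+
+This section may appear multiple times.
+
+2.2. Certificate serial range section
+
+These sections use type KRL_SECTION_CERT_SERIAL_RANGE and hold
+a range of serial numbers of certificates:
+
+ uint64 serial_min
+ uint64 serial_max
+
+All certificates in the range serial_min <= serial <= serial_max are
+revoked.
+
+This section may appear multiple times.
+
+2.3. Certificate serial bitmap section
+
+Bitmap sections use type KRL_SECTION_CERT_SERIAL_BITMAP and revoke keys
+by listing their serial number in a bitmap.
+
+ uint64 serial_offset
+ mpint revoked_keys_bitmap
+
+A bit set at index N in the bitmap corresponds to revocation of a keys with
+serial number (serial_offset + N).
+
+This section may appear multiple times.
+
+2.4. Revoked key ID sections
+
+KRL_SECTION_CERT_KEY_ID sections revoke particular certificate "key
+ID" strings. This may be useful in revoking all certificates
+associated with a particular identity, e.g. a host or a user.
+
+ string key_id[0]
+ ...
+
+This section must contain at least one "key_id". This section may appear
+multiple times.
+
+3. Explicit key sections
+
+These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
+(not certificates). They are less space efficient than serial numbers,
+but are able to revoke plain keys.
+
+ string public_key_blob[0]
+ ....
+
+This section must contain at least one "public_key_blob". The blob
+must be a raw key (i.e. not a certificate).
+
+This section may appear multiple times.
+
+4. SHA1 fingerprint sections
+
+These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke
+plain keys (i.e. not certificates) by listing their SHA1 hashes:
+
+ string public_key_hash[0]
+ ....
+
+This section must contain at least one "public_key_hash". The hash blob
+is obtained by taking the SHA1 hash of the public key blob. Hashes in
+this section must appear in numeric order, treating each hash as a big-
+endian integer.
+
+This section may appear multiple times.
+
+5. KRL signature sections
+
+The KRL_SECTION_SIGNATURE section serves a different purpose to the
+preceeding ones: to provide cryptographic authentication of a KRL that
+is retrieved over a channel that does not provide integrity protection.
+Its format is slightly different to the previously-described sections:
+in order to simplify the signature generation, it includes as a "body"
+two string components instead of one.
+
+ byte KRL_SECTION_SIGNATURE
+ string signature_key
+ string signature
+
+The signature is calculated over the entire KRL from the KRL_MAGIC
+to this subsection's "signature_key", including both and using the
+signature generation rules appropriate for the type of "signature_key".
+
+This section must appear last in the KRL. If multiple signature sections
+appear, they must appear consecutively at the end of the KRL file.
+
+Implementations that retrieve KRLs over untrusted channels must verify
+signatures. Signature sections are optional for KRLs distributed by
+trusted means.
+
+$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $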
diff --git a/README b/README
index 81cb922be..21dc6e1f7 100644
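--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-6.1 for the release notes.
+See http://www.openssh.com/txt/release-6.2 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.81 2012/08/22 11:57:13 djm Exp $
+$Id: README,v 1.82 2013/02/26 23:48:19 djm Exp $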
diff --git a/acss.c b/acss.c
deleted file mode 100644
index 86e2c01a8..000000000
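--- a/acss.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/* $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
-
-#include "acss.h"
-
-/* decryption sbox */
-static unsigned char sboxdec[] = {
- 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
- 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
- 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
- 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
- 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
- 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
- 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
- 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
- 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
- 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
- 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
- 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
- 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
- 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
- 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
- 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
- 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
- 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
- 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
- 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
- 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
- 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
- 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
- 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
- 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
- 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
- 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
- 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
- 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
- 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
- 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
- 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
-};
-
-/* encryption sbox */
-static unsigned char sboxenc[] = {
- 0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
- 0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
- 0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
- 0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
- 0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
- 0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
- 0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
- 0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
- 0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
- 0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
- 0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
- 0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
- 0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
- 0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
- 0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
- 0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
- 0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
- 0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
- 0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
- 0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
- 0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
- 0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
- 0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
- 0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
- 0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
- 0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
- 0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
- 0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
- 0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
- 0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
- 0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
- 0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
-};
-
-static unsigned char reverse[] = {
- 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
- 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
- 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
- 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
- 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
- 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
- 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
- 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
- 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
- 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
- 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
- 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
- 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
- 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
- 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
- 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
- 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
- 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
- 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
- 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
- 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
- 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
- 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
- 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
- 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
- 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
- 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
- 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
- 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
- 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
- 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
- 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
-};
-
-/*
- * Two linear feedback shift registers are used:
- *
- * lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier)
- * x^15 + x + 1
- * lfsr25: polynomial of degree 25, not know if primitive modulo 2
- * x^13 + x^5 + x^4 + x^1 + 1
- *
- * Output bits are discarded, instead the feedback bits are added to produce
- * the cipher stream. Depending on the mode, feedback bytes may be inverted
- * bit-wise before addition.
- *
- * The lfsrs are seeded with bytes from the raw key:
- *
- * lfsr17: byte 0[0:7] at bit 9
- * byte 1[0:7] at bit 0
- *
- * lfsr25: byte 2[0:4] at bit 16
- * byte 2[5:7] at bit 22
- * byte 3[0:7] at bit 8
- * byte 4[0:7] at bit 0
- *
- * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
- * lfsr25.
- *
- */
-
-int
-acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
- unsigned char *out)
-{
- unsigned long i;
- unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
-
- lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
-
- /* keystream is sum of lfsrs */
- for (i = 0; i < len; i++) {
- lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
- key->lfsr17 = (key->lfsr17 >> 8)
- ^ (lfsr17tmp << 9)
- ^ (lfsr17tmp << 12)
- ^ (lfsr17tmp << 15);
- key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */
-
- lfsr25tmp = key->lfsr25
- ^ (key->lfsr25 >> 3)
- ^ (key->lfsr25 >> 4)
- ^ (key->lfsr25 >> 12);
- key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
- key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */
-
- lfsrsumtmp = key->lfsrsum;
-
- /* addition */
- switch (key->mode) {
- case ACSS_AUTHENTICATE:
- case ACSS_DATA:
- key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
- key->lfsrsum += key->lfsr25 >> 17;
- break;
- case ACSS_SESSIONKEY:
- key->lfsrsum = key->lfsr17 >> 9;
- key->lfsrsum += key->lfsr25 >> 17;
- break;
- case ACSS_TITLEKEY:
- key->lfsrsum = key->lfsr17 >> 9;
- key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
- break;
- default:
- return 1;
- }
- key->lfsrsum += (lfsrsumtmp >> 8);
-
- if (key->encrypt) {
- out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
- } else {
- out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
- }
- }
-
- return 0;
-}
-
-static void
-acss_seed(ACSS_KEY *key)
-{
- int i;
-
- /* if available, mangle with subkey */
- if (key->subkey_avilable) {
- for (i = 0; i < ACSS_KEYSIZE; i++)
- key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
- } else {
- for (i = 0; i < ACSS_KEYSIZE; i++)
- key->seed[i] = reverse[key->data[i]];
- }
-
- /* seed lfsrs */
- key->lfsr17 = key->seed[1]
- | (key->seed[0] << 9)
- | (1 << 8); /* inject 1 at bit 9 */
- key->lfsr25 = key->seed[4]
- | (key->seed[3] << 8)
- | ((key->seed[2] & 0x1f) << 16)
- | ((key->seed[2] & 0xe0) << 17)
- | (1 << 21); /* inject 1 at bit 22 */
-
- key->lfsrsum = 0;
-}
-
-void
-acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
-{
- memcpy(key->data, data, sizeof(key->data));
- memset(key->subkey, 0, sizeof(key->subkey));
-
- if (enc != -1)
- key->encrypt = enc;
- key->mode = mode;
- key->subkey_avilable = 0;
-
- acss_seed(key);
-}
-
-void
-acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
-{
- memcpy(key->subkey, subkey, sizeof(key->subkey));
- key->subkey_avilable = 1;
- acss_seed(key);
-}
-#endif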
diff --git a/acss.h b/acss.h
deleted file mode 100644
index 91b489542..000000000
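--- a/acss.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _ACSS_H_
-#define _ACSS_H_
-
-/* 40bit key */
-#define ACSS_KEYSIZE 5
-
-/* modes of acss */
-#define ACSS_AUTHENTICATE 0
-#define ACSS_SESSIONKEY 1
-#define ACSS_TITLEKEY 2
-#define ACSS_DATA 3
-
-typedef struct acss_key_st {
- unsigned int lfsr17; /* current state of lfsrs */
- unsigned int lfsr25;
- unsigned int lfsrsum;
- unsigned char seed[ACSS_KEYSIZE];
- unsigned char data[ACSS_KEYSIZE];
- unsigned char subkey[ACSS_KEYSIZE];
- int encrypt; /* XXX make these bit flags? */
- int mode;
- int seeded;
- int subkey_avilable;
-} ACSS_KEY;
-
-void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
-void acss_setsubkey(ACSS_KEY *, const unsigned char *);
-int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
-
-#endif /* ifndef _ACSS_H_ */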
diff --git a/auth-options.c b/auth-options.c
index 146b3d174..78e8f3955 100644
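--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -363,7 +363,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
  xfree(patterns);
  goto bad_option;
  }
- if (options.allow_tcp_forwarding)
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
  channel_add_permitted_opens(host, port);
  xfree(patterns);
  goto next_option;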
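Review bot: The mask test at new line 366 has no comment saying why only the local-forwarding bit matters here, so a reader cannot tell whether dropping the `permitopen=` entry when only remote forwarding is enabled is intended; a comment above the `if` such as `/* permitopen restricts local (direct-tcpip) forwards only */` would record that. Since `allow_tcp_forwarding` is evidently a bit mask after this change, it is worth confirming that no other reader still tests it for plain truthiness, because such a test would treat a remote-only setting as permission for local forwards too; those call sites are not visible in this hunk. auth_parse_options() begins and ends outside the hunk.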
diff --git a/auth-rsa.c b/auth-rsa.c
index 99c4e882d..33cdb5dae 100644
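--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -278,6 +278,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
  temporarily_use_uid(pw);
 
  for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
+ if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
+ continue;
  file = expand_authorized_keys(
  options.authorized_keys_files[i], pw);
  allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);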
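Review bot: The `"none"` sentinel at new lines 281-282 is a bare string literal with no comment, and because it is compared with strcasecmp() a relative AuthorizedKeysFile entry literally named `None` or `NONE` is skipped as well. A comment such as `/* "none" (any case) means no key file; tested before path expansion */` would record both facts for the next maintainer. The same skip is needed wherever else options.authorized_keys_files is iterated; those loops are outside this hunk, so that is a point to confirm rather than a finding. auth_rsa_key_allowed() continues past the end of the hunk.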
diff --git a/auth.c b/auth.c
index 2216dcddd..514602a0c 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.96 2012/05/13 01:42:32 dtucker Exp $ */ 1/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -72,6 +72,7 @@
72#endif 72#endif
73#include "authfile.h" 73#include "authfile.h"
74#include "monitor_wrap.h" 74#include "monitor_wrap.h"
75#include "krl.h"
75 76
76/* import */ 77/* import */
77extern ServerOptions options; 78extern ServerOptions options;
@@ -252,7 +253,8 @@ allowed_user(struct passwd * pw)
252} 253}
253 254
254void 255void
255auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) 256auth_log(Authctxt *authctxt, int authenticated, int partial,
257 const char *method, const char *submethod, const char *info)
256{ 258{
257 void (*authlog) (const char *fmt,...) = verbose; 259 void (*authlog) (const char *fmt,...) = verbose;
258 char *authmsg; 260 char *authmsg;
@@ -269,12 +271,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
269 271
270 if (authctxt->postponed) 272 if (authctxt->postponed)
271 authmsg = "Postponed"; 273 authmsg = "Postponed";
274 else if (partial)
275 authmsg = "Partial";
272 else 276 else
273 authmsg = authenticated ? "Accepted" : "Failed"; 277 authmsg = authenticated ? "Accepted" : "Failed";
274 278
275 authlog("%s %s for %s%.100s from %.200s port %d%s", 279 authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
276 authmsg, 280 authmsg,
277 method, 281 method,
282 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
278 authctxt->valid ? "" : "invalid user ", 283 authctxt->valid ? "" : "invalid user ",
279 authctxt->user, 284 authctxt->user,
280 get_remote_ipaddr(), 285 get_remote_ipaddr(),
@@ -304,7 +309,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
304 * Check whether root logins are disallowed. 309 * Check whether root logins are disallowed.
305 */ 310 */
306int 311int
307auth_root_allowed(char *method) 312auth_root_allowed(const char *method)
308{ 313{
309 switch (options.permit_root_login) { 314 switch (options.permit_root_login) {
310 case PERMIT_YES: 315 case PERMIT_YES:
@@ -409,40 +414,41 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
409 return host_status; 414 return host_status;
410} 415}
411 416
412
413/* 417/*
414 * Check a given file for security. This is defined as all components 418 * Check a given path for security. This is defined as all components
415 * of the path to the file must be owned by either the owner of 419 * of the path to the file must be owned by either the owner of
416 * of the file or root and no directories must be group or world writable. 420 * of the file or root and no directories must be group or world writable.
417 * 421 *
418 * XXX Should any specific check be done for sym links ? 422 * XXX Should any specific check be done for sym links ?
419 * 423 *
420 * Takes an open file descriptor, the file name, a uid and and 424 * Takes a file name, its stat information (preferably from fstat() to
425 * avoid races), the uid of the expected owner, their home directory and an
421 * error buffer plus max size as arguments. 426 * error buffer plus max size as arguments.
422 * 427 *
423 * Returns 0 on success and -1 on failure 428 * Returns 0 on success and -1 on failure
424 */ 429 */
425static int 430int
426secure_filename(FILE *f, const char *file, struct passwd *pw, 431auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
427 char *err, size_t errlen) 432 uid_t uid, char *err, size_t errlen)
428{ 433{
429 uid_t uid = pw->pw_uid;
430 char buf[MAXPATHLEN], homedir[MAXPATHLEN]; 434 char buf[MAXPATHLEN], homedir[MAXPATHLEN];
431 char *cp; 435 char *cp;
432 int comparehome = 0; 436 int comparehome = 0;
433 struct stat st; 437 struct stat st;
434 438
435 if (realpath(file, buf) == NULL) { 439 if (realpath(name, buf) == NULL) {
436 snprintf(err, errlen, "realpath %s failed: %s", file, 440 snprintf(err, errlen, "realpath %s failed: %s", name,
437 strerror(errno)); 441 strerror(errno));
438 return -1; 442 return -1;
439 } 443 }
440 if (realpath(pw->pw_dir, homedir) != NULL) 444 if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
441 comparehome = 1; 445 comparehome = 1;
442 446
443 /* check the open file to avoid races */ 447 if (!S_ISREG(stp->st_mode)) {
444 if (fstat(fileno(f), &st) < 0 || 448 snprintf(err, errlen, "%s is not a regular file", buf);
445 !secure_permissions(&st, uid)) { 449 return -1;
450 }
451 if (!secure_permissions(stp, uid)) {
446 snprintf(err, errlen, "bad ownership or modes for file %s", 452 snprintf(err, errlen, "bad ownership or modes for file %s",
447 buf); 453 buf);
448 return -1; 454 return -1;
@@ -477,6 +483,27 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
477 return 0; 483 return 0;
478} 484}
479 485
486/*
487 * Version of secure_path() that accepts an open file descriptor to
488 * avoid races.
489 *
490 * Returns 0 on success and -1 on failure
491 */
492static int
493secure_filename(FILE *f, const char *file, struct passwd *pw,
494 char *err, size_t errlen)
495{
496 struct stat st;
497
498 /* check the open file to avoid races */
499 if (fstat(fileno(f), &st) < 0) {
500 snprintf(err, errlen, "cannot stat file %s: %s",
501 file, strerror(errno));
502 return -1;
503 }
504 return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
505}
506
480static FILE * 507static FILE *
481auth_openfile(const char *file, struct passwd *pw, int strict_modes, 508auth_openfile(const char *file, struct passwd *pw, int strict_modes,
482 int log_missing, char *file_type) 509 int log_missing, char *file_type)
@@ -636,7 +663,16 @@ auth_key_is_revoked(Key *key, int hostkey)
636 663
637 if (options.revoked_keys_file == NULL) 664 if (options.revoked_keys_file == NULL)
638 return 0; 665 return 0;
639 666 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
667 case 0:
668 return 0; /* Not revoked */
669 case -2:
670 break; /* Not a KRL */
671 default:
672 goto revoked;
673 }
674 debug3("%s: treating %s as a key list", __func__,
675 options.revoked_keys_file);
640 switch (key_in_file(key, options.revoked_keys_file, 0)) { 676 switch (key_in_file(key, options.revoked_keys_file, 0)) {
641 case 0: 677 case 0:
642 /* key not revoked */ 678 /* key not revoked */
@@ -647,6 +683,7 @@ auth_key_is_revoked(Key *key, int hostkey)
647 "authentication"); 683 "authentication");
648 return 1; 684 return 1;
649 case 1: 685 case 1:
686 revoked:
650 /* Key revoked */ 687 /* Key revoked */
651 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 688 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
652 error("WARNING: authentication attempt with a revoked " 689 error("WARNING: authentication attempt with a revoked "
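Review bot: In `auth_key_is_revoked`, the `default:` arm of the new `ssh_krl_file_contains_key` switch jumps to `revoked:` for every result other than 0 and -2, so a KRL that cannot be read or parsed would be logged as an "authentication attempt with a revoked" key, assuming the helper reports such errors with some other value (its return contract is not visible here). Failing closed is the right outcome, but the log line then misleads whoever triages it. Consider a comment such as `default: /* revoked, or KRL error: fail closed */` and a distinct `error()` message for the error case. The function starts and ends outside this hunk. Separately, the new comment above `secure_filename` refers to `secure_path()` while the function is named `auth_secure_path`.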
diff --git a/auth.h b/auth.h
index 568212f9d..c2328f05b 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.69 2011/05/23 03:30:07 djm Exp $ */ 1/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -65,6 +65,8 @@ struct Authctxt {
65#ifdef BSD_AUTH 65#ifdef BSD_AUTH
66 auth_session_t *as; 66 auth_session_t *as;
67#endif 67#endif
68 char **auth_methods; /* modified from server config */
69 u_int num_auth_methods;
68#ifdef KRB5 70#ifdef KRB5
69 krb5_context krb5_ctx; 71 krb5_context krb5_ctx;
70 krb5_ccache krb5_fwd_ccache; 72 krb5_ccache krb5_fwd_ccache;
@@ -121,6 +123,10 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
121int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 123int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
122int user_key_allowed(struct passwd *, Key *); 124int user_key_allowed(struct passwd *, Key *);
123 125
126struct stat;
127int auth_secure_path(const char *, struct stat *, const char *, uid_t,
128 char *, size_t);
129
124#ifdef KRB5 130#ifdef KRB5
125int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); 131int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
126int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); 132int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
@@ -143,12 +149,17 @@ void disable_forwarding(void);
143void do_authentication(Authctxt *); 149void do_authentication(Authctxt *);
144void do_authentication2(Authctxt *); 150void do_authentication2(Authctxt *);
145 151
146void auth_log(Authctxt *, int, char *, char *); 152void auth_log(Authctxt *, int, int, const char *, const char *,
147void userauth_finish(Authctxt *, int, char *); 153 const char *);
154void userauth_finish(Authctxt *, int, const char *, const char *);
155int auth_root_allowed(const char *);
156
148void userauth_send_banner(const char *); 157void userauth_send_banner(const char *);
149int auth_root_allowed(char *);
150 158
151char *auth2_read_banner(void); 159char *auth2_read_banner(void);
160int auth2_methods_valid(const char *, int);
161int auth2_update_methods_lists(Authctxt *, const char *);
162int auth2_setup_methods_lists(Authctxt *);
152 163
153void privsep_challenge_enable(void); 164void privsep_challenge_enable(void);
154 165
diff --git a/auth1.c b/auth1.c
index 9079b737c..de49b172d 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth1.c,v 1.75 2010/08/31 09:58:37 djm Exp $ */ 1/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt)
253 if (options.use_pam && (PRIVSEP(do_pam_account()))) 253 if (options.use_pam && (PRIVSEP(do_pam_account())))
254#endif 254#endif
255 { 255 {
256 auth_log(authctxt, 1, "without authentication", ""); 256 auth_log(authctxt, 1, 0, "without authentication",
257 NULL, "");
257 return; 258 return;
258 } 259 }
259 } 260 }
@@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt)
352 353
353 skip: 354 skip:
354 /* Log before sending the reply */ 355 /* Log before sending the reply */
355 auth_log(authctxt, authenticated, get_authname(type), info); 356 auth_log(authctxt, authenticated, 0, get_authname(type),
357 NULL, info);
356 358
357 if (client_user != NULL) { 359 if (client_user != NULL) {
358 xfree(client_user); 360 xfree(client_user);
@@ -412,6 +414,11 @@ do_authentication(Authctxt *authctxt)
412 authctxt->pw = fakepw(); 414 authctxt->pw = fakepw();
413 } 415 }
414 416
417 /* Configuration may have changed as a result of Match */
418 if (options.num_auth_methods != 0)
419 fatal("AuthenticationMethods is not supported with SSH "
420 "protocol 1");
421
415 setproctitle("%s%s", authctxt->valid ? user : "unknown", 422 setproctitle("%s%s", authctxt->valid ? user : "unknown",
416 use_privsep ? " [net]" : ""); 423 use_privsep ? " [net]" : "");
417 424
diff --git a/auth2-chall.c b/auth2-chall.c
index e6dbffe22..6505d4009 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */ 1/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved. 4 * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -283,7 +283,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
283 KbdintAuthctxt *kbdintctxt; 283 KbdintAuthctxt *kbdintctxt;
284 int authenticated = 0, res; 284 int authenticated = 0, res;
285 u_int i, nresp; 285 u_int i, nresp;
286 char **response = NULL, *method; 286 const char *devicename = NULL;
287 char **response = NULL;
287 288
288 if (authctxt == NULL) 289 if (authctxt == NULL)
289 fatal("input_userauth_info_response: no authctxt"); 290 fatal("input_userauth_info_response: no authctxt");
@@ -329,9 +330,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
329 /* Failure! */ 330 /* Failure! */
330 break; 331 break;
331 } 332 }
332 333 devicename = kbdintctxt->device->name;
333 xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name);
334
335 if (!authctxt->postponed) { 334 if (!authctxt->postponed) {
336 if (authenticated) { 335 if (authenticated) {
337 auth2_challenge_stop(authctxt); 336 auth2_challenge_stop(authctxt);
@@ -341,8 +340,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
341 auth2_challenge_start(authctxt); 340 auth2_challenge_start(authctxt);
342 } 341 }
343 } 342 }
344 userauth_finish(authctxt, authenticated, method); 343 userauth_finish(authctxt, authenticated, "keyboard-interactive",
345 xfree(method); 344 devicename);
346} 345}
347 346
348void 347void
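Review bot: `devicename = kbdintctxt->device->name;` in `input_userauth_info_response` keeps a borrowed pointer that is only used in the final `userauth_finish` call, after `auth2_challenge_stop(authctxt)` or `auth2_challenge_start(authctxt)` may have run. The old code copied the name with `xasprintf` before those calls, so it did not depend on the device outliving them. If either call releases `kbdintctxt` or its device (not visible in this hunk), the logged submethod would be read from freed memory. Confirm the lifetime and record it on the assignment, e.g. `/* borrowed: must stay valid across auth2_challenge_stop()/start() below */`. The function starts outside this hunk.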
diff --git a/auth2-gss.c b/auth2-gss.c
index 7dc87dba4..17d4a3a84 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ 1/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -197,7 +197,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
197 } 197 }
198 authctxt->postponed = 0; 198 authctxt->postponed = 0;
199 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 199 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
200 userauth_finish(authctxt, 0, "gssapi-with-mic"); 200 userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
201 } else { 201 } else {
202 if (send_tok.length != 0) { 202 if (send_tok.length != 0) {
203 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 203 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -286,7 +286,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
286 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 286 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
287 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 287 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
288 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 288 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
289 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 289 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
290} 290}
291 291
292static void 292static void
@@ -327,7 +327,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
327 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 327 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
328 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 328 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
329 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 329 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
330 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 330 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
331} 331}
332 332
333Authmethod method_gsskeyex = { 333Authmethod method_gsskeyex = {
diff --git a/auth2-jpake.c b/auth2-jpake.c
index a460e8216..ed0eba47b 100644
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2008 Damien Miller. All rights reserved. 3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 * 4 *
@@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
556 authctxt->postponed = 0; 556 authctxt->postponed = 0;
557 jpake_free(authctxt->jpake_ctx); 557 jpake_free(authctxt->jpake_ctx);
558 authctxt->jpake_ctx = NULL; 558 authctxt->jpake_ctx = NULL;
559 userauth_finish(authctxt, authenticated, method_jpake.name); 559 userauth_finish(authctxt, authenticated, method_jpake.name, NULL);
560} 560}
561 561
562#endif /* JPAKE */ 562#endif /* JPAKE */
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index d42ba14b8..f980b0dad 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -27,9 +27,15 @@
27 27
28#include <sys/types.h> 28#include <sys/types.h>
29#include <sys/stat.h> 29#include <sys/stat.h>
30#include <sys/wait.h>
30 31
32#include <errno.h>
31#include <fcntl.h> 33#include <fcntl.h>
34#ifdef HAVE_PATHS_H
35# include <paths.h>
36#endif
32#include <pwd.h> 37#include <pwd.h>
38#include <signal.h>
33#include <stdio.h> 39#include <stdio.h>
34#include <stdarg.h> 40#include <stdarg.h>
35#include <string.h> 41#include <string.h>
@@ -241,7 +247,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
241 if (strcmp(cp, cert->principals[i]) == 0) { 247 if (strcmp(cp, cert->principals[i]) == 0) {
242 debug3("matched principal \"%.100s\" " 248 debug3("matched principal \"%.100s\" "
243 "from file \"%s\" on line %lu", 249 "from file \"%s\" on line %lu",
244 cert->principals[i], file, linenum); 250 cert->principals[i], file, linenum);
245 if (auth_parse_options(pw, line_opts, 251 if (auth_parse_options(pw, line_opts,
246 file, linenum) != 1) 252 file, linenum) != 1)
247 continue; 253 continue;
@@ -254,31 +260,22 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
254 fclose(f); 260 fclose(f);
255 restore_uid(); 261 restore_uid();
256 return 0; 262 return 0;
257} 263}
258 264
259/* return 1 if user allows given key */ 265/*
266 * Checks whether key is allowed in authorized_keys-format file,
267 * returns 1 if the key is allowed or 0 otherwise.
268 */
260static int 269static int
261user_key_allowed2(struct passwd *pw, Key *key, char *file) 270check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
262{ 271{
263 char line[SSH_MAX_PUBKEY_BYTES]; 272 char line[SSH_MAX_PUBKEY_BYTES];
264 const char *reason; 273 const char *reason;
265 int found_key = 0; 274 int found_key = 0;
266 FILE *f;
267 u_long linenum = 0; 275 u_long linenum = 0;
268 Key *found; 276 Key *found;
269 char *fp; 277 char *fp;
270 278
271 /* Temporarily use the user's uid. */
272 temporarily_use_uid(pw);
273
274 debug("trying public key file %s", file);
275 f = auth_openkeyfile(file, pw, options.strict_modes);
276
277 if (!f) {
278 restore_uid();
279 return 0;
280 }
281
282 found_key = 0; 279 found_key = 0;
283 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); 280 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
284 281
@@ -373,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
373 break; 370 break;
374 } 371 }
375 } 372 }
376 restore_uid();
377 fclose(f);
378 key_free(found); 373 key_free(found);
379 if (!found_key) 374 if (!found_key)
380 debug2("key not found"); 375 debug2("key not found");
@@ -437,7 +432,180 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
437 return ret; 432 return ret;
438} 433}
439 434
440/* check whether given key is in .ssh/authorized_keys* */ 435/*
436 * Checks whether key is allowed in file.
437 * returns 1 if the key is allowed or 0 otherwise.
438 */
439static int
440user_key_allowed2(struct passwd *pw, Key *key, char *file)
441{
442 FILE *f;
443 int found_key = 0;
444
445 /* Temporarily use the user's uid. */
446 temporarily_use_uid(pw);
447
448 debug("trying public key file %s", file);
449 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
450 found_key = check_authkeys_file(f, file, key, pw);
451 fclose(f);
452 }
453
454 restore_uid();
455 return found_key;
456}
457
458/*
459 * Checks whether key is allowed in output of command.
460 * returns 1 if the key is allowed or 0 otherwise.
461 */
462static int
463user_key_command_allowed2(struct passwd *user_pw, Key *key)
464{
465 FILE *f;
466 int ok, found_key = 0;
467 struct passwd *pw;
468 struct stat st;
469 int status, devnull, p[2], i;
470 pid_t pid;
471 char *username, errmsg[512];
472
473 if (options.authorized_keys_command == NULL ||
474 options.authorized_keys_command[0] != '/')
475 return 0;
476
477 if (options.authorized_keys_command_user == NULL) {
478 error("No user for AuthorizedKeysCommand specified, skipping");
479 return 0;
480 }
481
482 username = percent_expand(options.authorized_keys_command_user,
483 "u", user_pw->pw_name, (char *)NULL);
484 pw = getpwnam(username);
485 if (pw == NULL) {
486 error("AuthorizedKeysCommandUser \"%s\" not found: %s",
487 username, strerror(errno));
488 free(username);
489 return 0;
490 }
491 free(username);
492
493 temporarily_use_uid(pw);
494
495 if (stat(options.authorized_keys_command, &st) < 0) {
496 error("Could not stat AuthorizedKeysCommand \"%s\": %s",
497 options.authorized_keys_command, strerror(errno));
498 goto out;
499 }
500 if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
501 errmsg, sizeof(errmsg)) != 0) {
502 error("Unsafe AuthorizedKeysCommand: %s", errmsg);
503 goto out;
504 }
505
506 if (pipe(p) != 0) {
507 error("%s: pipe: %s", __func__, strerror(errno));
508 goto out;
509 }
510
511 debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
512 options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
513
514 /*
515 * Don't want to call this in the child, where it can fatal() and
516 * run cleanup_exit() code.
517 */
518 restore_uid();
519
520 switch ((pid = fork())) {
521 case -1: /* error */
522 error("%s: fork: %s", __func__, strerror(errno));
523 close(p[0]);
524 close(p[1]);
525 return 0;
526 case 0: /* child */
527 for (i = 0; i < NSIG; i++)
528 signal(i, SIG_DFL);
529
530 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
531 error("%s: open %s: %s", __func__, _PATH_DEVNULL,
532 strerror(errno));
533 _exit(1);
534 }
535 /* Keep stderr around a while longer to catch errors */
536 if (dup2(devnull, STDIN_FILENO) == -1 ||
537 dup2(p[1], STDOUT_FILENO) == -1) {
538 error("%s: dup2: %s", __func__, strerror(errno));
539 _exit(1);
540 }
541 closefrom(STDERR_FILENO + 1);
542
543 /* Don't use permanently_set_uid() here to avoid fatal() */
544 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
545 error("setresgid %u: %s", (u_int)pw->pw_gid,
546 strerror(errno));
547 _exit(1);
548 }
549 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
550 error("setresuid %u: %s", (u_int)pw->pw_uid,
551 strerror(errno));
552 _exit(1);
553 }
554 /* stdin is pointed to /dev/null at this point */
555 if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
556 error("%s: dup2: %s", __func__, strerror(errno));
557 _exit(1);
558 }
559
560 execl(options.authorized_keys_command,
561 options.authorized_keys_command, user_pw->pw_name, NULL);
562
563 error("AuthorizedKeysCommand %s exec failed: %s",
564 options.authorized_keys_command, strerror(errno));
565 _exit(127);
566 default: /* parent */
567 break;
568 }
569
570 temporarily_use_uid(pw);
571
572 close(p[1]);
573 if ((f = fdopen(p[0], "r")) == NULL) {
574 error("%s: fdopen: %s", __func__, strerror(errno));
575 close(p[0]);
576 /* Don't leave zombie child */
577 kill(pid, SIGTERM);
578 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
579 ;
580 goto out;
581 }
582 ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
583 fclose(f);
584
585 while (waitpid(pid, &status, 0) == -1) {
586 if (errno != EINTR) {
587 error("%s: waitpid: %s", __func__, strerror(errno));
588 goto out;
589 }
590 }
591 if (WIFSIGNALED(status)) {
592 error("AuthorizedKeysCommand %s exited on signal %d",
593 options.authorized_keys_command, WTERMSIG(status));
594 goto out;
595 } else if (WEXITSTATUS(status) != 0) {
596 error("AuthorizedKeysCommand %s returned status %d",
597 options.authorized_keys_command, WEXITSTATUS(status));
598 goto out;
599 }
600 found_key = ok;
601 out:
602 restore_uid();
603 return found_key;
604}
605
606/*
607 * Check whether key authenticates and authorises the user.
608 */
441int 609int
442user_key_allowed(struct passwd *pw, Key *key) 610user_key_allowed(struct passwd *pw, Key *key)
443{ 611{
@@ -454,9 +622,17 @@ user_key_allowed(struct passwd *pw, Key *key)
454 if (success) 622 if (success)
455 return success; 623 return success;
456 624
625 success = user_key_command_allowed2(pw, key);
626 if (success > 0)
627 return success;
628
457 for (i = 0; !success && i < options.num_authkeys_files; i++) { 629 for (i = 0; !success && i < options.num_authkeys_files; i++) {
630
631 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
632 continue;
458 file = expand_authorized_keys( 633 file = expand_authorized_keys(
459 options.authorized_keys_files[i], pw); 634 options.authorized_keys_files[i], pw);
635
460 success = user_key_allowed2(pw, key, file); 636 success = user_key_allowed2(pw, key, file);
461 xfree(file); 637 xfree(file);
462 } 638 }
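Review bot: The child branch of `user_key_command_allowed2` switches to the AuthorizedKeysCommandUser with `setresgid` and `setresuid` only, so the helper keeps whatever supplementary groups the process holds after the `restore_uid()` call that precedes `fork()`. Presumably those are the daemon's own groups, which would give the command group privileges that the configured user does not have. Reset them before the gid change, e.g. `if (initgroups(pw->pw_name, pw->pw_gid) == -1) { error("initgroups %s: %s", pw->pw_name, strerror(errno)); _exit(1); }` placed ahead of `setresgid`, with `<grp.h>` included. `execl` also passes the daemon's environment to the command unchanged. An explicit minimal environment would be a further hardening step.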
diff --git a/auth2.c b/auth2.c
index 1b7403904..f00f14764 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */ 1/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -98,8 +98,10 @@ static void input_service_request(int, u_int32_t, void *);
98static void input_userauth_request(int, u_int32_t, void *); 98static void input_userauth_request(int, u_int32_t, void *);
99 99
100/* helper */ 100/* helper */
101static Authmethod *authmethod_lookup(const char *); 101static Authmethod *authmethod_lookup(Authctxt *, const char *);
102static char *authmethods_get(void); 102static char *authmethods_get(Authctxt *authctxt);
103static int method_allowed(Authctxt *, const char *);
104static int list_starts_with(const char *, const char *);
103 105
104char * 106char *
105auth2_read_banner(void) 107auth2_read_banner(void)
@@ -263,6 +265,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
263 if (use_privsep) 265 if (use_privsep)
264 mm_inform_authserv(service, style, role); 266 mm_inform_authserv(service, style, role);
265 userauth_banner(); 267 userauth_banner();
268 if (auth2_setup_methods_lists(authctxt) != 0)
269 packet_disconnect("no authentication methods enabled");
266 } else if (strcmp(user, authctxt->user) != 0 || 270 } else if (strcmp(user, authctxt->user) != 0 ||
267 strcmp(service, authctxt->service) != 0) { 271 strcmp(service, authctxt->service) != 0) {
268 packet_disconnect("Change of username or service not allowed: " 272 packet_disconnect("Change of username or service not allowed: "
@@ -285,12 +289,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
285 authctxt->server_caused_failure = 0; 289 authctxt->server_caused_failure = 0;
286 290
287 /* try to authenticate user */ 291 /* try to authenticate user */
288 m = authmethod_lookup(method); 292 m = authmethod_lookup(authctxt, method);
289 if (m != NULL && authctxt->failures < options.max_authtries) { 293 if (m != NULL && authctxt->failures < options.max_authtries) {
290 debug2("input_userauth_request: try method %s", method); 294 debug2("input_userauth_request: try method %s", method);
291 authenticated = m->userauth(authctxt); 295 authenticated = m->userauth(authctxt);
292 } 296 }
293 userauth_finish(authctxt, authenticated, method); 297 userauth_finish(authctxt, authenticated, method, NULL);
294 298
295 xfree(service); 299 xfree(service);
296 xfree(user); 300 xfree(user);
@@ -298,13 +302,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
298} 302}
299 303
300void 304void
301userauth_finish(Authctxt *authctxt, int authenticated, char *method) 305userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
306 const char *submethod)
302{ 307{
303 char *methods; 308 char *methods;
309 int partial = 0;
304 310
305 if (!authctxt->valid && authenticated) 311 if (!authctxt->valid && authenticated)
306 fatal("INTERNAL ERROR: authenticated invalid user %s", 312 fatal("INTERNAL ERROR: authenticated invalid user %s",
307 authctxt->user); 313 authctxt->user);
314 if (authenticated && authctxt->postponed)
315 fatal("INTERNAL ERROR: authenticated and postponed");
308 316
309 /* Special handling for root */ 317 /* Special handling for root */
310 if (authenticated && authctxt->pw->pw_uid == 0 && 318 if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -315,6 +323,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
315#endif 323#endif
316 } 324 }
317 325
326 if (authenticated && options.num_auth_methods != 0) {
327 if (!auth2_update_methods_lists(authctxt, method)) {
328 authenticated = 0;
329 partial = 1;
330 }
331 }
332
333 /* Log before sending the reply */
334 auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
335
336 if (authctxt->postponed)
337 return;
338
318#ifdef USE_PAM 339#ifdef USE_PAM
319 if (options.use_pam && authenticated) { 340 if (options.use_pam && authenticated) {
320 if (!PRIVSEP(do_pam_account())) { 341 if (!PRIVSEP(do_pam_account())) {
@@ -333,17 +354,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
333#ifdef _UNICOS 354#ifdef _UNICOS
334 if (authenticated && cray_access_denied(authctxt->user)) { 355 if (authenticated && cray_access_denied(authctxt->user)) {
335 authenticated = 0; 356 authenticated = 0;
336 fatal("Access denied for user %s.",authctxt->user); 357 fatal("Access denied for user %s.", authctxt->user);
337 } 358 }
338#endif /* _UNICOS */ 359#endif /* _UNICOS */
339 360
340 /* Log before sending the reply */
341 auth_log(authctxt, authenticated, method, " ssh2");
342
343 if (authctxt->postponed)
344 return;
345
346 /* XXX todo: check if multiple auth methods are needed */
347 if (authenticated == 1) { 361 if (authenticated == 1) {
348 /* turn off userauth */ 362 /* turn off userauth */
349 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 363 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -364,34 +378,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
364#endif 378#endif
365 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 379 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
366 } 380 }
367 methods = authmethods_get(); 381 methods = authmethods_get(authctxt);
382 debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
383 partial, methods);
368 packet_start(SSH2_MSG_USERAUTH_FAILURE); 384 packet_start(SSH2_MSG_USERAUTH_FAILURE);
369 packet_put_cstring(methods); 385 packet_put_cstring(methods);
370 packet_put_char(0); /* XXX partial success, unused */ 386 packet_put_char(partial);
371 packet_send(); 387 packet_send();
372 packet_write_wait(); 388 packet_write_wait();
373 xfree(methods); 389 xfree(methods);
374 } 390 }
375} 391}
376 392
393/*
394 * Checks whether method is allowed by at least one AuthenticationMethods
395 * methods list. Returns 1 if allowed, or no methods lists configured.
396 * 0 otherwise.
397 */
398static int
399method_allowed(Authctxt *authctxt, const char *method)
400{
401 u_int i;
402
403 /*
404 * NB. authctxt->num_auth_methods might be zero as a result of
405 * auth2_setup_methods_lists(), so check the configuration.
406 */
407 if (options.num_auth_methods == 0)
408 return 1;
409 for (i = 0; i < authctxt->num_auth_methods; i++) {
410 if (list_starts_with(authctxt->auth_methods[i], method))
411 return 1;
412 }
413 return 0;
414}
415
377static char * 416static char *
378authmethods_get(void) 417authmethods_get(Authctxt *authctxt)
379{ 418{
380 Buffer b; 419 Buffer b;
381 char *list; 420 char *list;
382 int i; 421 u_int i;
383 422
384 buffer_init(&b); 423 buffer_init(&b);
385 for (i = 0; authmethods[i] != NULL; i++) { 424 for (i = 0; authmethods[i] != NULL; i++) {
386 if (strcmp(authmethods[i]->name, "none") == 0) 425 if (strcmp(authmethods[i]->name, "none") == 0)
387 continue; 426 continue;
388 if (authmethods[i]->enabled != NULL && 427 if (authmethods[i]->enabled == NULL ||
389 *(authmethods[i]->enabled) != 0) { 428 *(authmethods[i]->enabled) == 0)
390 if (buffer_len(&b) > 0) 429 continue;
391 buffer_append(&b, ",", 1); 430 if (!method_allowed(authctxt, authmethods[i]->name))
392 buffer_append(&b, authmethods[i]->name, 431 continue;
393 strlen(authmethods[i]->name)); 432 if (buffer_len(&b) > 0)
394 } 433 buffer_append(&b, ",", 1);
434 buffer_append(&b, authmethods[i]->name,
435 strlen(authmethods[i]->name));
395 } 436 }
396 buffer_append(&b, "\0", 1); 437 buffer_append(&b, "\0", 1);
397 list = xstrdup(buffer_ptr(&b)); 438 list = xstrdup(buffer_ptr(&b));
@@ -400,7 +441,7 @@ authmethods_get(void)
400} 441}
401 442
402static Authmethod * 443static Authmethod *
403authmethod_lookup(const char *name) 444authmethod_lookup(Authctxt *authctxt, const char *name)
404{ 445{
405 int i; 446 int i;
406 447
@@ -408,10 +449,154 @@ authmethod_lookup(const char *name)
408 for (i = 0; authmethods[i] != NULL; i++) 449 for (i = 0; authmethods[i] != NULL; i++)
409 if (authmethods[i]->enabled != NULL && 450 if (authmethods[i]->enabled != NULL &&
410 *(authmethods[i]->enabled) != 0 && 451 *(authmethods[i]->enabled) != 0 &&
411 strcmp(name, authmethods[i]->name) == 0) 452 strcmp(name, authmethods[i]->name) == 0 &&
453 method_allowed(authctxt, authmethods[i]->name))
412 return authmethods[i]; 454 return authmethods[i];
413 debug2("Unrecognized authentication method name: %s", 455 debug2("Unrecognized authentication method name: %s",
414 name ? name : "NULL"); 456 name ? name : "NULL");
415 return NULL; 457 return NULL;
416} 458}
417 459
460/*
461 * Check a comma-separated list of methods for validity. Is need_enable is
462 * non-zero, then also require that the methods are enabled.
463 * Returns 0 on success or -1 if the methods list is invalid.
464 */
465int
466auth2_methods_valid(const char *_methods, int need_enable)
467{
468 char *methods, *omethods, *method;
469 u_int i, found;
470 int ret = -1;
471
472 if (*_methods == '\0') {
473 error("empty authentication method list");
474 return -1;
475 }
476 omethods = methods = xstrdup(_methods);
477 while ((method = strsep(&methods, ",")) != NULL) {
478 for (found = i = 0; !found && authmethods[i] != NULL; i++) {
479 if (strcmp(method, authmethods[i]->name) != 0)
480 continue;
481 if (need_enable) {
482 if (authmethods[i]->enabled == NULL ||
483 *(authmethods[i]->enabled) == 0) {
484 error("Disabled method \"%s\" in "
485 "AuthenticationMethods list \"%s\"",
486 method, _methods);
487 goto out;
488 }
489 }
490 found = 1;
491 break;
492 }
493 if (!found) {
494 error("Unknown authentication method \"%s\" in list",
495 method);
496 goto out;
497 }
498 }
499 ret = 0;
500 out:
501 free(omethods);
502 return ret;
503}
504
505/*
506 * Prune the AuthenticationMethods supplied in the configuration, removing
507 * any methods lists that include disabled methods. Note that this might
508 * leave authctxt->num_auth_methods == 0, even when multiple required auth
509 * has been requested. For this reason, all tests for whether multiple is
510 * enabled should consult options.num_auth_methods directly.
511 */
512int
513auth2_setup_methods_lists(Authctxt *authctxt)
514{
515 u_int i;
516
517 if (options.num_auth_methods == 0)
518 return 0;
519 debug3("%s: checking methods", __func__);
520 authctxt->auth_methods = xcalloc(options.num_auth_methods,
521 sizeof(*authctxt->auth_methods));
522 authctxt->num_auth_methods = 0;
523 for (i = 0; i < options.num_auth_methods; i++) {
524 if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
525 logit("Authentication methods list \"%s\" contains "
526 "disabled method, skipping",
527 options.auth_methods[i]);
528 continue;
529 }
530 debug("authentication methods list %d: %s",
531 authctxt->num_auth_methods, options.auth_methods[i]);
532 authctxt->auth_methods[authctxt->num_auth_methods++] =
533 xstrdup(options.auth_methods[i]);
534 }
535 if (authctxt->num_auth_methods == 0) {
536 error("No AuthenticationMethods left after eliminating "
537 "disabled methods");
538 return -1;
539 }
540 return 0;
541}
542
543static int
544list_starts_with(const char *methods, const char *method)
545{
546 size_t l = strlen(method);
547
548 if (strncmp(methods, method, l) != 0)
549 return 0;
550 if (methods[l] != ',' && methods[l] != '\0')
551 return 0;
552 return 1;
553}
554
555/*
556 * Remove method from the start of a comma-separated list of methods.
557 * Returns 0 if the list of methods did not start with that method or 1
558 * if it did.
559 */
560static int
561remove_method(char **methods, const char *method)
562{
563 char *omethods = *methods;
564 size_t l = strlen(method);
565
566 if (!list_starts_with(omethods, method))
567 return 0;
568 *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
569 free(omethods);
570 return 1;
571}
572
573/*
574 * Called after successful authentication. Will remove the successful method
575 * from the start of each list in which it occurs. If it was the last method
576 * in any list, then authentication is deemed successful.
577 * Returns 1 if the method completed any authentication list or 0 otherwise.
578 */
579int
580auth2_update_methods_lists(Authctxt *authctxt, const char *method)
581{
582 u_int i, found = 0;
583
584 debug3("%s: updating methods list after \"%s\"", __func__, method);
585 for (i = 0; i < authctxt->num_auth_methods; i++) {
586 if (!remove_method(&(authctxt->auth_methods[i]), method))
587 continue;
588 found = 1;
589 if (*authctxt->auth_methods[i] == '\0') {
590 debug2("authentication methods list %d complete", i);
591 return 1;
592 }
593 debug3("authentication methods list %d remaining: \"%s\"",
594 i, authctxt->auth_methods[i]);
595 }
596 /* This should not happen, but would be bad if it did */
597 if (!found)
598 fatal("%s: method not in AuthenticationMethods", __func__);
599 return 0;
600}
601
602
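diff --git a/authfile.c b/authfile.c
index b0b4e1272..1ecbda8b1 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -151,7 +151,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
  cipher_set_key_string(&ciphercontext, cipher, passphrase,
  CIPHER_ENCRYPT);
  cipher_crypt(&ciphercontext, cp,
- buffer_ptr(&buffer), buffer_len(&buffer));
+ buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
  cipher_cleanup(&ciphercontext);
  memset(&ciphercontext, 0, sizeof(ciphercontext));
 
@@ -475,7 +475,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
  cipher_set_key_string(&ciphercontext, cipher, passphrase,
  CIPHER_DECRYPT);
  cipher_crypt(&ciphercontext, cp,
- buffer_ptr(&copy), buffer_len(&copy));
+ buffer_ptr(&copy), buffer_len(&copy), 0, 0);
  cipher_cleanup(&ciphercontext);
  memset(&ciphercontext, 0, sizeof(ciphercontext));
  buffer_free(&copy);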
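diff --git a/buildpkg.sh.in b/buildpkg.sh.in
index 4de9d42e4..4b842b3f7 100644
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -337,17 +337,17 @@ then
 else
  if [ "\${USE_SYM_LINKS}" = yes ]
  then
- [ "$RCS_D" = yes ] && \
+ [ "$RCS_D" = yes ] && \\
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
- [ "$RC1_D" = no ] || \
+ [ "$RC1_D" = no ] || \\
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
  else
- [ "$RCS_D" = yes ] && \
+ [ "$RCS_D" = yes ] && \\
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
- [ "$RC1_D" = no ] || \
+ [ "$RC1_D" = no ] || \\
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
  fi
@@ -538,10 +538,10 @@ then
 PRE_INS_STOP=no
 POST_INS_START=no
 # determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid ] && \
+if [ -s ${piddir}/sshd.pid ] && \\
  /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
 then
- ans=\`ckyorn -d n \
+ ans=\`ckyorn -d n \\
 -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
  case \$ans in
  [y,Y]*) PRE_INS_STOP=yes
@@ -552,7 +552,7 @@ then
 else
 
 # determine if we should start sshd
- ans=\`ckyorn -d n \
+ ans=\`ckyorn -d n \\
 -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
  case \$ans in
  [y,Y]*) POST_INS_START=yes ;;
@@ -573,7 +573,7 @@ USE_SYM_LINKS=no
 PRE_INS_STOP=no
 POST_INS_START=no
 # Use symbolic links?
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
 case \$ans in
  [y,Y]*) USE_SYM_LINKS=yes ;;
@@ -582,7 +582,7 @@ esac
 # determine if should restart the daemon
 if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
 then
- ans=\`ckyorn -d n \
+ ans=\`ckyorn -d n \\
 -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
  case \$ans in
  [y,Y]*) PRE_INS_STOP=yes
@@ -593,7 +593,7 @@ then
 else
 
 # determine if we should start sshd
- ans=\`ckyorn -d n \
+ ans=\`ckyorn -d n \\
 -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
  case \$ans in
  [y,Y]*) POST_INS_START=yes ;;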
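diff --git a/channels.c b/channels.c
index 7791febd7..9cf85a38d 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port)
 void
 channel_disable_adm_local_opens(void)
 {
- if (num_adm_permitted_opens == 0) {
+ channel_clear_adm_permitted_opens();
  permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
- permitted_adm_opens[num_adm_permitted_opens].host_to_connect
- = NULL;
- num_adm_permitted_opens = 1;
- }
+ permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL;
+ num_adm_permitted_opens = 1;
 }
 
 void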
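Review bot: In the second channels.c hunk, the rewritten channel_disable_adm_local_opens() still indexes the freshly allocated one-element array with `num_adm_permitted_opens`, so the store is in bounds only if channel_clear_adm_permitted_opens() has reset that counter to zero; the helper is not visible on this page, so that is an assumption rather than something the hunk shows. Writing `permitted_adm_opens[0].host_to_connect = NULL;` makes the bound explicit and keeps the write safe if the clear helper ever changes. A one-line comment such as `/* single entry with a NULL host: no administratively permitted opens */` would also document the sentinel; presumably that is how the NULL host is read by the permission check, which should be confirmed against the lookup code.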
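diff --git a/cipher-acss.c b/cipher-acss.c
deleted file mode 100644
index e755f92b9..000000000
--- a/cipher-acss.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <openssl/evp.h>
-
-#include <string.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-
-#include "acss.h"
-#include "openbsd-compat/openssl-compat.h"
-
-#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)
-
-typedef struct {
- ACSS_KEY ks;
-} EVP_ACSS_KEY;
-
-#define EVP_CTRL_SET_ACSS_MODE 0xff06
-#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07
-
-static int
-acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
-{
- acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
- return 1;
-}
-
-static int
-acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
- LIBCRYPTO_EVP_INL_TYPE inl)
-{
- acss(&data(ctx)->ks,inl,in,out);
- return 1;
-}
-
-static int
-acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-{
- switch(type) {
- case EVP_CTRL_SET_ACSS_MODE:
- data(ctx)->ks.mode = arg;
- return 1;
- case EVP_CTRL_SET_ACSS_SUBKEY:
- acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
- return 1;
- default:
- return -1;
- }
-}
-
-const EVP_CIPHER *
-evp_acss(void)
-{
- static EVP_CIPHER acss_cipher;
-
- memset(&acss_cipher, 0, sizeof(EVP_CIPHER));
-
- acss_cipher.nid = NID_undef;
- acss_cipher.block_size = 1;
- acss_cipher.key_len = 5;
- acss_cipher.init = acss_init_key;
- acss_cipher.do_cipher = acss_ciph;
- acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
- acss_cipher.ctrl = acss_ctrl;
-
- return (&acss_cipher);
-}
-#endif
-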
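diff --git a/cipher-aes.c b/cipher-aes.c
index bfda6d2f2..07ec7aa5d 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -46,9 +46,6 @@ struct ssh_rijndael_ctx
  u_char r_iv[RIJNDAEL_BLOCKSIZE];
 };
 
-const EVP_CIPHER * evp_rijndael(void);
-void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-
 static int
 ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
  int enc)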
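diff --git a/cipher-ctr.c b/cipher-ctr.c
index 04975b4b6..d1fe69f57 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -16,6 +16,7 @@
  */
 #include "includes.h"
 
+#ifndef OPENSSL_HAVE_EVPCTR
 #include <sys/types.h>
 
 #include <stdarg.h>
@@ -33,9 +34,6 @@
 #include <openssl/aes.h>
 #endif
 
-const EVP_CIPHER *evp_aes_128_ctr(void);
-void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
-
 struct ssh_aes_ctr_ctx
 {
  AES_KEY aes_ctx;
@@ -144,3 +142,5 @@ evp_aes_128_ctr(void)
 #endif
  return (&aes_ctr);
 }
+
+#endif /* OPENSSL_HAVE_EVPCTR */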
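diff --git a/cipher.c b/cipher.c
index bb5c0ac3a..9ca1d0065 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,41 +54,46 @@
 extern const EVP_CIPHER *evp_ssh1_bf(void);
 extern const EVP_CIPHER *evp_ssh1_3des(void);
 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-extern const EVP_CIPHER *evp_aes_128_ctr(void);
-extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
 
 struct Cipher {
  char *name;
  int number; /* for ssh1 only */
  u_int block_size;
  u_int key_len;
+ u_int iv_len; /* defaults to block_size */
+ u_int auth_len;
  u_int discard_len;
  u_int cbc_mode;
  const EVP_CIPHER *(*evptype)(void);
 } ciphers[] = {
- { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
- { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
- { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
- { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf },
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+ { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
 
- { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
- { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc },
- { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc },
- { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 },
- { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 },
- { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 },
- { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
- { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
- { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "blowfish-cbc",
+ SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
+ { "cast128-cbc",
+ SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
+ { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
+ { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
+ { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
  { "rijndael-cbc@lysator.liu.se",
- SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
- { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
- { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
- { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
-#ifdef USE_CIPHER_ACSS
- { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 #endif
- { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
 
 /*--*/
@@ -106,6 +111,18 @@ cipher_keylen(const Cipher *c)
 }
 
 u_int
+cipher_authlen(const Cipher *c)
+{
+ return (c->auth_len);
+}
+
+u_int
+cipher_ivlen(const Cipher *c)
+{
+ return (c->iv_len ? c->iv_len : c->block_size);
+}
+
+u_int
 cipher_get_number(const Cipher *c)
 {
  return (c->number);
@@ -224,11 +241,12 @@ cipher_init(CipherContext *cc, Cipher *cipher,
  keylen = 8;
  }
  cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
+ cc->encrypt = do_encrypt;
 
  if (keylen < cipher->key_len)
  fatal("cipher_init: key length %d is insufficient for %s.",
  keylen, cipher->name);
- if (iv != NULL && ivlen < cipher->block_size)
+ if (iv != NULL && ivlen < cipher_ivlen(cipher))
  fatal("cipher_init: iv length %d is insufficient for %s.",
  ivlen, cipher->name);
  cc->cipher = cipher;
@@ -249,6 +267,11 @@ cipher_init(CipherContext *cc, Cipher *cipher,
  (do_encrypt == CIPHER_ENCRYPT)) == 0)
  fatal("cipher_init: EVP_CipherInit failed for %s",
  cipher->name);
+ if (cipher_authlen(cipher) &&
+ !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
+ -1, (u_char *)iv))
+ fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
+ cipher->name);
  klen = EVP_CIPHER_CTX_key_length(&cc->evp);
  if (klen > 0 && keylen != (u_int)klen) {
  debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
@@ -273,13 +296,59 @@ cipher_init(CipherContext *cc, Cipher *cipher,
  }
 }
 
+/*
+ * cipher_crypt() operates as following:
+ * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
+ * Theses bytes are treated as additional authenticated data for
+ * authenticated encryption modes.
+ * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
+ * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
+ * This tag is written on encryption and verified on decryption.
+ * Both 'aadlen' and 'authlen' can be set to 0.
+ */
 void
-cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
+ u_int len, u_int aadlen, u_int authlen)
 {
+ if (authlen) {
+ u_char lastiv[1];
+
+ if (authlen != cipher_authlen(cc->cipher))
+ fatal("%s: authlen mismatch %d", __func__, authlen);
+ /* increment IV */
+ if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
+ 1, lastiv))
+ fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
+ /* set tag on decyption */
+ if (!cc->encrypt &&
+ !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
+ authlen, (u_char *)src + aadlen + len))
+ fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
+ }
+ if (aadlen) {
+ if (authlen &&
+ EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
+ fatal("%s: EVP_Cipher(aad) failed", __func__);
+ memcpy(dest, src, aadlen);
+ }
  if (len % cc->cipher->block_size)
- fatal("cipher_encrypt: bad plaintext length %d", len);
- if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
- fatal("evp_crypt: EVP_Cipher failed");
+ fatal("%s: bad plaintext length %d", __func__, len);
+ if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
+ len) < 0)
+ fatal("%s: EVP_Cipher failed", __func__);
+ if (authlen) {
+ /* compute tag (on encrypt) or verify tag (on decrypt) */
+ if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
+ if (cc->encrypt)
+ fatal("%s: EVP_Cipher(final) failed", __func__);
+ else
+ fatal("Decryption integrity check failed");
+ }
+ if (cc->encrypt &&
+ !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
+ authlen, dest + aadlen + len))
+ fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
+ }
 }
 
 void
@@ -351,10 +420,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
  ssh_rijndael_iv(&cc->evp, 0, iv, len);
  else
 #endif
+#ifndef OPENSSL_HAVE_EVPCTR
  if (c->evptype == evp_aes_128_ctr)
  ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
  else
- memcpy(iv, cc->evp.iv, len);
+#endif
+ memcpy(iv, cc->evp.iv, len);
  break;
  case SSH_CIPHER_3DES:
  ssh1_3des_iv(&cc->evp, 0, iv, 24);
@@ -382,10 +453,12 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
  ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
  else
 #endif
+#ifndef OPENSSL_HAVE_EVPCTR
  if (c->evptype == evp_aes_128_ctr)
  ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
  else
- memcpy(cc->evp.iv, iv, evplen);
+#endif
+ memcpy(cc->evp.iv, iv, evplen);
  break;
  case SSH_CIPHER_3DES:
  ssh1_3des_iv(&cc->evp, 1, iv, 24);
@@ -395,21 +468,13 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
  }
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#define EVP_X_STATE(evp) &(evp).c
-#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
-#else
-#define EVP_X_STATE(evp) (evp).cipher_data
-#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
-#endif
-
 int
 cipher_get_keycontext(const CipherContext *cc, u_char *dat)
 {
  Cipher *c = cc->cipher;
  int plen = 0;
 
- if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
+ if (c->evptype == EVP_rc4) {
  plen = EVP_X_STATE_LEN(cc->evp);
  if (dat == NULL)
  return (plen);
@@ -424,7 +489,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat)
  Cipher *c = cc->cipher;
  int plen;
 
- if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
+ if (c->evptype == EVP_rc4) {
  plen = EVP_X_STATE_LEN(cc->evp);
  memcpy(EVP_X_STATE(cc->evp), dat, plen);
  }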
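Review bot: In the cipher_init hunk at `@@ -249,6 +267,11 @@`, the new `EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, -1, (u_char *)iv)` call can be reached with `iv == NULL`, because the length guard in the preceding hunk is `iv != NULL && ivlen < cipher_ivlen(cipher)` and therefore lets a NULL IV through for an authenticated cipher. As far as I know the `-1` form of this control copies the whole IV from the pointer, so a NULL here would be dereferenced inside libcrypto instead of failing cleanly; whether any caller passes NULL with a GCM cipher is not visible on this page. I would reject it up front, before the EVP calls: `if (cipher_authlen(cipher) && iv == NULL) fatal("cipher_init: missing IV for %s", cipher->name);`. The body of cipher_init starts before and continues after both hunks, so the placement needs checking against the full function.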
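diff --git a/cipher.h b/cipher.h
index 3dd2270bb..8cb57c3e5 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */
+/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -64,6 +64,7 @@ typedef struct CipherContext CipherContext;
 struct Cipher;
 struct CipherContext {
  int plaintext;
+ int encrypt;
  EVP_CIPHER_CTX evp;
  Cipher *cipher;
 };
@@ -76,11 +77,14 @@ char *cipher_name(int);
 int ciphers_valid(const char *);
 void cipher_init(CipherContext *, Cipher *, const u_char *, u_int,
  const u_char *, u_int, int);
-void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
+void cipher_crypt(CipherContext *, u_char *, const u_char *,
+ u_int, u_int, u_int);
 void cipher_cleanup(CipherContext *);
 void cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
 u_int cipher_blocksize(const Cipher *);
 u_int cipher_keylen(const Cipher *);
+u_int cipher_authlen(const Cipher *);
+u_int cipher_ivlen(const Cipher *);
 u_int cipher_is_cbc(const Cipher *);
 
 u_int cipher_get_number(const Cipher *);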
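Review bot: The widened cipher_crypt() prototype in the last cipher.h hunk ends in `u_int, u_int, u_int` with no parameter names, so the header does not say which argument is the payload length, which is the additional-authenticated-data length and which is the tag length. Transposing them still compiles, and going by the cipher.c definition in this commit it would change which bytes are encrypted and which are only copied and authenticated. I would add a comment above the declaration, for example `/* trailing u_ints: len, aadlen, authlen; aadlen and authlen may be 0 */`, in the order the definition uses. The new `int encrypt;` member of struct CipherContext could carry `/* set from do_encrypt in cipher_init() */` for the same reason.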
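--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -977,9 +977,9 @@ process_cmdline(void)
  goto out;
  }
  if (local || dynamic) {
- if (channel_setup_local_fwd_listener(fwd.listen_host,
+ if (!channel_setup_local_fwd_listener(fwd.listen_host,
  fwd.listen_port, fwd.connect_host,
- fwd.connect_port, options.gateway_ports) < 0) {
+ fwd.connect_port, options.gateway_ports)) {
  logit("Port forwarding failed.");
  goto out;
  }
@@ -1005,6 +1005,63 @@ out:
  xfree(fwd.connect_host);
 }
 
+/* reasons to suppress output of an escape command in help output */
+#define SUPPRESS_NEVER 0 /* never suppress, always show */
+#define SUPPRESS_PROTO1 1 /* don't show in protocol 1 sessions */
+#define SUPPRESS_MUXCLIENT 2 /* don't show in mux client sessions */
+#define SUPPRESS_MUXMASTER 4 /* don't show in mux master sessions */
+#define SUPPRESS_SYSLOG 8 /* don't show when logging to syslog */
+struct escape_help_text {
+ const char *cmd;
+ const char *text;
+ unsigned int flags;
+};
+static struct escape_help_text esc_txt[] = {
+ {".", "terminate session", SUPPRESS_MUXMASTER},
+ {".", "terminate connection (and any multiplexed sessions)",
+ SUPPRESS_MUXCLIENT},
+ {"B", "send a BREAK to the remote system", SUPPRESS_PROTO1},
+ {"C", "open a command line", SUPPRESS_MUXCLIENT},
+ {"R", "request rekey", SUPPRESS_PROTO1},
+ {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT},
+ {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT},
+ {"#", "list forwarded connections", SUPPRESS_NEVER},
+ {"&", "background ssh (when waiting for connections to terminate)",
+ SUPPRESS_MUXCLIENT},
+ {"?", "this message", SUPPRESS_NEVER},
+};
+
+static void
+print_escape_help(Buffer *b, int escape_char, int protocol2, int mux_client,
+ int using_stderr)
+{
+ unsigned int i, suppress_flags;
+ char string[1024];
+
+ snprintf(string, sizeof string, "%c?\r\n"
+ "Supported escape sequences:\r\n", escape_char);
+ buffer_append(b, string, strlen(string));
+
+ suppress_flags = (protocol2 ? 0 : SUPPRESS_PROTO1) |
+ (mux_client ? SUPPRESS_MUXCLIENT : 0) |
+ (mux_client ? 0 : SUPPRESS_MUXMASTER) |
+ (using_stderr ? 0 : SUPPRESS_SYSLOG);
+
+ for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) {
+ if (esc_txt[i].flags & suppress_flags)
+ continue;
+ snprintf(string, sizeof string, " %c%-3s - %s\r\n",
+ escape_char, esc_txt[i].cmd, esc_txt[i].text);
+ buffer_append(b, string, strlen(string));
+ }
+
+ snprintf(string, sizeof string,
+ " %c%c - send the escape character by typing it twice\r\n"
+ "(Note that escapes are only recognized immediately after "
+ "newline.)\r\n", escape_char, escape_char);
+ buffer_append(b, string, strlen(string));
+}
+
 /*
  * Process the characters one by one, call with c==NULL for proto1 case.
  */
@@ -1055,6 +1112,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
  if (c && c->ctl_chan != -1) {
  chan_read_failed(c);
  chan_write_failed(c);
+ mux_master_session_cleanup_cb(c->self,
+ NULL);
  return 0;
  } else
  quit_pending = 1;
@@ -1063,11 +1122,16 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
  case 'Z' - 64:
  /* XXX support this for mux clients */
  if (c && c->ctl_chan != -1) {
+ char b[16];
  noescape:
+ if (ch == 'Z' - 64)
+ snprintf(b, sizeof b, "^Z");
+ else
+ snprintf(b, sizeof b, "%c", ch);
  snprintf(string, sizeof string,
- "%c%c escape not available to "
+ "%c%s escape not available to "
  "multiplexed sessions\r\n",
- escape_char, ch);
+ escape_char, b);
  buffer_append(berr, string,
  strlen(string));
  continue;
@@ -1106,6 +1170,31 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
  }
  continue;
 
+ case 'V':
+ /* FALLTHROUGH */
+ case 'v':
+ if (c && c->ctl_chan != -1)
+ goto noescape;
+ if (!log_is_on_stderr()) {
+ snprintf(string, sizeof string,
+ "%c%c [Logging to syslog]\r\n",
+ escape_char, ch);
+ buffer_append(berr, string,
+ strlen(string));
+ continue;
+ }
+ if (ch == 'V' && options.log_level >
+ SYSLOG_LEVEL_QUIET)
+ log_change_level(--options.log_level);
+ if (ch == 'v' && options.log_level <
+ SYSLOG_LEVEL_DEBUG3)
+ log_change_level(++options.log_level);
+ snprintf(string, sizeof string,
+ "%c%c [LogLevel %s]\r\n", escape_char, ch,
+ log_level_name(options.log_level));
+ buffer_append(berr, string, strlen(string));
+ continue;
+
  case '&':
  if (c && c->ctl_chan != -1)
  goto noescape;
@@ -1159,43 +1248,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
  continue;
 
  case '?':
- if (c && c->ctl_chan != -1) {
- snprintf(string, sizeof string,
-"%c?\r\n\
-Supported escape sequences:\r\n\
- %c. - terminate session\r\n\
- %cB - send a BREAK to the remote system\r\n\
- %cR - Request rekey (SSH protocol 2 only)\r\n\
- %c# - list forwarded connections\r\n\
- %c? - this message\r\n\
- %c%c - send the escape character by typing it twice\r\n\
-(Note that escapes are only recognized immediately after newline.)\r\n",
- escape_char, escape_char,
- escape_char, escape_char,
- escape_char, escape_char,
- escape_char, escape_char);
- } else {
- snprintf(string, sizeof string,
-"%c?\r\n\
-Supported escape sequences:\r\n\
- %c. - terminate connection (and any multiplexed sessions)\r\n\
- %cB - send a BREAK to the remote system\r\n\
- %cC - open a command line\r\n\
- %cR - Request rekey (SSH protocol 2 only)\r\n\
- %c^Z - suspend ssh\r\n\
- %c# - list forwarded connections\r\n\
- %c& - background ssh (when waiting for connections to terminate)\r\n\
- %c? - this message\r\n\
- %c%c - send the escape character by typing it twice\r\n\
-(Note that escapes are only recognized immediately after newline.)\r\n",
- escape_char, escape_char,
- escape_char, escape_char,
- escape_char, escape_char,
- escape_char, escape_char,
- escape_char, escape_char,
- escape_char);
- }
- buffer_append(berr, string, strlen(string));
+ print_escape_help(berr, escape_char, compat20,
+ (c && c->ctl_chan != -1),
+ log_is_on_stderr());
  continue;
 
  case '#':
@@ -2209,10 +2264,10 @@ client_stop_mux(void)
  if (options.control_path != NULL && muxserver_sock != -1)
  unlink(options.control_path);
  /*
- * If we are in persist mode, signal that we should close when all
- * active channels are closed.
+ * If we are in persist mode, or don't have a shell, signal that we
+ * should close when all active channels are closed.
  */
- if (options.control_persist) {
+ if (options.control_persist || no_shell_flag) {
  session_closed = 1;
  setproctitle("[stopped mux]");
  }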
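Review bot: No entry in `esc_txt` carries `SUPPRESS_SYSLOG`, so the bit that `print_escape_help` sets when `using_stderr` is false (hunk `@@ -1005,6 +1005,63 @@`) can never hide a help line. The new `V`/`v` case further down only answers `[Logging to syslog]` in that state, so the help still advertises a command that changes nothing; tagging the row as `{"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT|SUPPRESS_SYSLOG},` would keep the help text and the handler in agreement. The table is only read in the visible code, so `static const struct escape_help_text esc_txt[]` would also fit.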
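--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.29 2011/09/09 22:46:44 djm Exp $ */
+/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -76,4 +76,5 @@ void muxserver_listen(void);
 void muxclient(const char *);
 void mux_exit_message(Channel *, int);
 void mux_tty_alloc_failed(Channel *);
+void mux_master_session_cleanup_cb(int, void *);
 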
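--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.79 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
  *
@@ -45,6 +45,8 @@ int datafellows = 0;
 void
 enable_compat20(void)
 {
+ if (compat20)
+ return;
  debug("Enabling compatibility mode for protocol 2.0");
  compat20 = 1;
 }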
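--- a/config.h.in
+++ b/config.h.in
@@ -74,6 +74,9 @@
 /* Define if your snprintf is busted */
 #undef BROKEN_SNPRINTF
 
+/* FreeBSD strnvis does not do what we need */
+#undef BROKEN_STRNVIS
+
 /* tcgetattr with ICANON may hang */
 #undef BROKEN_TCGETATTR_ICANON
 
@@ -215,6 +218,9 @@
 /* Define to 1 if you have the `BN_is_prime_ex' function. */
 #undef HAVE_BN_IS_PRIME_EX
 
+/* Define to 1 if you have the <bsd/libutil.h> header file. */
+#undef HAVE_BSD_LIBUTIL_H
+
 /* Define to 1 if you have the <bsm/audit.h> header file. */
 #undef HAVE_BSM_AUDIT_H
 
@@ -256,6 +262,10 @@
  don't. */
 #undef HAVE_DECL_GLOB_NOMATCH
 
+/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE',
+ and to 0 if you don't. */
+#undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
+
 /* Define to 1 if you have the declaration of `h_errno', and to 0 if you
  don't. */
 #undef HAVE_DECL_H_ERRNO
@@ -326,6 +336,9 @@
 /* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
 #undef HAVE_DSA_GENERATE_PARAMETERS_EX
 
+/* Define to 1 if you have the <elf.h> header file. */
+#undef HAVE_ELF_H
+
 /* Define to 1 if you have the <endian.h> header file. */
 #undef HAVE_ENDIAN_H
 
@@ -338,6 +351,9 @@
 /* Define if your system has /etc/default/login */
 #undef HAVE_ETC_DEFAULT_LOGIN
 
+/* Define if libcrypto has EVP_CIPHER_CTX_ctrl */
+#undef HAVE_EVP_CIPHER_CTX_CTRL
+
 /* Define to 1 if you have the `EVP_sha256' function. */
 #undef HAVE_EVP_SHA256
 
@@ -428,6 +444,12 @@
 /* Define to 1 if you have the `getpeerucred' function. */
 #undef HAVE_GETPEERUCRED
 
+/* Define to 1 if you have the `getpgid' function. */
+#undef HAVE_GETPGID
+
+/* Define to 1 if you have the `getpgrp' function. */
+#undef HAVE_GETPGRP
+
 /* Define to 1 if you have the `getpwanam' function. */
 #undef HAVE_GETPWANAM
 
@@ -972,6 +994,9 @@
 /* Define to 1 if you have the `strtoul' function. */
 #undef HAVE_STRTOUL
 
+/* Define to 1 if you have the `strtoull' function. */
+#undef HAVE_STRTOULL
+
 /* define if you have struct addrinfo data type */
 #undef HAVE_STRUCT_ADDRINFO
 
@@ -1152,6 +1177,9 @@
 /* Define to 1 if you have the `user_from_uid' function. */
 #undef HAVE_USER_FROM_UID
 
+/* Define to 1 if you have the `usleep' function. */
+#undef HAVE_USLEEP
+
 /* Define to 1 if you have the <util.h> header file. */
 #undef HAVE_UTIL_H
 
@@ -1307,6 +1335,9 @@
 /* Need setpgrp to acquire controlling tty */
 #undef NEED_SETPGRP
 
+/* compiler does not accept __attribute__ on return types */
+#undef NO_ATTRIBUTE_ON_RETURN_TYPE
+
 /* Define if the concept of ports only accessible to superusers isn't known */
 #undef NO_IPPORT_RESERVED_CONCEPT
 
@@ -1322,6 +1353,12 @@
 /* libcrypto includes complete ECC support */
 #undef OPENSSL_HAS_ECC
 
+/* libcrypto has EVP AES CTR */
+#undef OPENSSL_HAVE_EVPCTR
+
+/* libcrypto has EVP AES GCM */
+#undef OPENSSL_HAVE_EVPGCM
+
 /* libcrypto is missing AES 192 and 256 bit functions */
 #undef OPENSSL_LOBOTOMISED_AES
 
@@ -1356,6 +1393,9 @@
 /* must supply username to passwd */
 #undef PASSWD_NEEDS_USERNAME
 
+/* System dirs owned by bin (uid 2) */
+#undef PLATFORM_SYS_DIR_UID
+
 /* Port number of PRNGD/EGD random number socket */
 #undef PRNGD_PORT
 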
diff --git a/configure b/configure
index 2f249c936..4eeed9d09 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
1#! /bin/sh 1#! /bin/sh
2# From configure.ac Revision: 1.496 . 2# From configure.ac Revision: 1.518 .
3# Guess values for system-dependent variables and create Makefiles. 3# Guess values for system-dependent variables and create Makefiles.
4# Generated by GNU Autoconf 2.68 for OpenSSH Portable. 4# Generated by GNU Autoconf 2.68 for OpenSSH Portable.
5# 5#
@@ -614,6 +614,8 @@ XAUTH_PATH
614STRIP_OPT 614STRIP_OPT
615xauth_path 615xauth_path
616PRIVSEP_PATH 616PRIVSEP_PATH
617K5LIBS
618GSSLIBS
617KRB5CONF 619KRB5CONF
618SSHDLIBS 620SSHDLIBS
619SSHLIBS 621SSHLIBS
@@ -5589,60 +5591,6 @@ if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then :
5589 have_linux_no_new_privs=1 5591 have_linux_no_new_privs=1
5590fi 5592fi
5591 5593
5592if test "x$have_linux_no_new_privs" = "x1" ; then
5593ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" "
5594 #include <sys/types.h>
5595 #include <linux/seccomp.h>
5596
5597"
5598if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then :
5599 have_seccomp_filter=1
5600fi
5601
5602fi
5603if test "x$have_seccomp_filter" = "x1" ; then
5604{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
5605$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
5606if test "$cross_compiling" = yes; then :
5607 { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5
5608$as_echo "cross-compiling, assuming yes" >&6; }
5609
5610else
5611 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5612/* end confdefs.h. */
5613
5614 #include <errno.h>
5615 #include <linux/seccomp.h>
5616 #include <stdlib.h>
5617 #include <sys/prctl.h>
5618
5619int
5620main ()
5621{
5622 errno = 0;
5623 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
5624 exit(errno == EFAULT ? 0 : 1);
5625 ;
5626 return 0;
5627}
5628_ACEOF
5629if ac_fn_c_try_run "$LINENO"; then :
5630 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5631$as_echo "yes" >&6; }
5632else
5633
5634 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5635$as_echo "no" >&6; }
5636 # Disable seccomp filter as a target
5637 have_seccomp_filter=0
5638
5639fi
5640rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
5641 conftest.$ac_objext conftest.beam conftest.$ac_ext
5642fi
5643
5644fi
5645
5646use_stack_protector=1 5594use_stack_protector=1
5647 5595
5648# Check whether --with-stackprotect was given. 5596# Check whether --with-stackprotect was given.
@@ -5998,6 +5946,34 @@ fi
5998 fi 5946 fi
5999fi 5947fi
6000 5948
5949{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler allows __attribute__ on return types" >&5
5950$as_echo_n "checking if compiler allows __attribute__ on return types... " >&6; }
5951cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5952/* end confdefs.h. */
5953
5954#include <stdlib.h>
5955__attribute__((__unused__)) static void foo(void){return;}
5956int
5957main ()
5958{
5959 exit(0);
5960 ;
5961 return 0;
5962}
5963_ACEOF
5964if ac_fn_c_try_compile "$LINENO"; then :
5965 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5966$as_echo "yes" >&6; }
5967else
5968 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5969$as_echo "no" >&6; }
5970
5971$as_echo "#define NO_ATTRIBUTE_ON_RETURN_TYPE 1" >>confdefs.h
5972
5973
5974fi
5975rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5976
6001if test "x$no_attrib_nonnull" != "x1" ; then 5977if test "x$no_attrib_nonnull" != "x1" ; then
6002 5978
6003$as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h 5979$as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h
@@ -6089,6 +6065,7 @@ for ac_header in \
6089 crypto/sha2.h \ 6065 crypto/sha2.h \
6090 dirent.h \ 6066 dirent.h \
6091 endian.h \ 6067 endian.h \
6068 elf.h \
6092 features.h \ 6069 features.h \
6093 fcntl.h \ 6070 fcntl.h \
6094 floatingpoint.h \ 6071 floatingpoint.h \
@@ -6515,6 +6492,9 @@ $as_echo "#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1" >>confdefs.h
6515 6492
6516$as_echo "#define PTY_ZEROREAD 1" >>confdefs.h 6493$as_echo "#define PTY_ZEROREAD 1" >>confdefs.h
6517 6494
6495
6496$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
6497
6518 ;; 6498 ;;
6519*-*-cygwin*) 6499*-*-cygwin*)
6520 check_for_libcrypt_later=1 6500 check_for_libcrypt_later=1
@@ -6779,6 +6759,9 @@ $as_echo "#define LOCKED_PASSWD_STRING \"*\"" >>confdefs.h
6779 6759
6780 $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h 6760 $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h
6781 6761
6762
6763$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
6764
6782 maildir="/var/mail" 6765 maildir="/var/mail"
6783 LIBS="$LIBS -lsec" 6766 LIBS="$LIBS -lsec"
6784 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5 6767 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5
@@ -7008,22 +6991,32 @@ _ACEOF
7008fi 6991fi
7009done 6992done
7010 6993
7011 have_seccomp_audit_arch=1 6994 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp architecture" >&5
6995$as_echo_n "checking for seccomp architecture... " >&6; }
6996 seccomp_audit_arch=
7012 case "$host" in 6997 case "$host" in
7013 x86_64-*) 6998 x86_64-*)
7014 6999 seccomp_audit_arch=AUDIT_ARCH_X86_64
7015$as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64" >>confdefs.h
7016
7017 ;; 7000 ;;
7018 i*86-*) 7001 i*86-*)
7019 7002 seccomp_audit_arch=AUDIT_ARCH_I386
7020$as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386" >>confdefs.h
7021
7022 ;;
7023 *)
7024 have_seccomp_audit_arch=0
7025 ;; 7003 ;;
7004 arm*-*)
7005 seccomp_audit_arch=AUDIT_ARCH_ARM
7006 ;;
7026 esac 7007 esac
7008 if test "x$seccomp_audit_arch" != "x" ; then
7009 { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$seccomp_audit_arch\"" >&5
7010$as_echo "\"$seccomp_audit_arch\"" >&6; }
7011
7012cat >>confdefs.h <<_ACEOF
7013#define SECCOMP_AUDIT_ARCH $seccomp_audit_arch
7014_ACEOF
7015
7016 else
7017 { $as_echo "$as_me:${as_lineno-$LINENO}: result: architecture not supported" >&5
7018$as_echo "architecture not supported" >&6; }
7019 fi
7027 ;; 7020 ;;
7028mips-sony-bsd|mips-sony-newsos4) 7021mips-sony-bsd|mips-sony-newsos4)
7029 7022
@@ -7074,6 +7067,9 @@ fi
7074 7067
7075$as_echo "#define BROKEN_GLOB 1" >>confdefs.h 7068$as_echo "#define BROKEN_GLOB 1" >>confdefs.h
7076 7069
7070
7071$as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h
7072
7077 ;; 7073 ;;
7078*-*-bsdi*) 7074*-*-bsdi*)
7079 $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h 7075 $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
@@ -7558,6 +7554,7 @@ done
7558 7554
7559 MANTYPE=man 7555 MANTYPE=man
7560 TEST_SHELL=ksh 7556 TEST_SHELL=ksh
7557 SKIP_DISABLE_LASTLOG_DEFINE=yes
7561 ;; 7558 ;;
7562*-*-unicosmk*) 7559*-*-unicosmk*)
7563 7560
@@ -8389,12 +8386,13 @@ fi
8389done 8386done
8390 8387
8391 8388
8392for ac_header in libutil.h 8389for ac_header in bsd/libutil.h libutil.h
8393do : 8390do :
8394 ac_fn_c_check_header_mongrel "$LINENO" "libutil.h" "ac_cv_header_libutil_h" "$ac_includes_default" 8391 as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
8395if test "x$ac_cv_header_libutil_h" = xyes; then : 8392ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
8393if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
8396 cat >>confdefs.h <<_ACEOF 8394 cat >>confdefs.h <<_ACEOF
8397#define HAVE_LIBUTIL_H 1 8395#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
8398_ACEOF 8396_ACEOF
8399 8397
8400fi 8398fi
@@ -9584,6 +9582,8 @@ for ac_func in \
9584 getopt \ 9582 getopt \
9585 getpeereid \ 9583 getpeereid \
9586 getpeerucred \ 9584 getpeerucred \
9585 getpgid \
9586 getpgrp \
9587 _getpty \ 9587 _getpty \
9588 getrlimit \ 9588 getrlimit \
9589 getttyent \ 9589 getttyent \
@@ -9643,6 +9643,7 @@ for ac_func in \
9643 strtonum \ 9643 strtonum \
9644 strtoll \ 9644 strtoll \
9645 strtoul \ 9645 strtoul \
9646 strtoull \
9646 swap32 \ 9647 swap32 \
9647 sysconf \ 9648 sysconf \
9648 tcgetpgrp \ 9649 tcgetpgrp \
@@ -9651,6 +9652,7 @@ for ac_func in \
9651 unsetenv \ 9652 unsetenv \
9652 updwtmpx \ 9653 updwtmpx \
9653 user_from_uid \ 9654 user_from_uid \
9655 usleep \
9654 vasprintf \ 9656 vasprintf \
9655 vhangup \ 9657 vhangup \
9656 vsnprintf \ 9658 vsnprintf \
@@ -11258,6 +11260,147 @@ fi
11258rm -f core conftest.err conftest.$ac_objext \ 11260rm -f core conftest.err conftest.$ac_objext \
11259 conftest$ac_exeext conftest.$ac_ext 11261 conftest$ac_exeext conftest.$ac_ext
11260 11262
11263# Check for OpenSSL with EVP_aes_*ctr
11264{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES CTR via EVP" >&5
11265$as_echo_n "checking whether OpenSSL has AES CTR via EVP... " >&6; }
11266cat confdefs.h - <<_ACEOF >conftest.$ac_ext
11267/* end confdefs.h. */
11268
11269#include <string.h>
11270#include <openssl/evp.h>
11271
11272int
11273main ()
11274{
11275
11276 exit(EVP_aes_128_ctr() == NULL ||
11277 EVP_aes_192_cbc() == NULL ||
11278 EVP_aes_256_cbc() == NULL);
11279
11280 ;
11281 return 0;
11282}
11283_ACEOF
11284if ac_fn_c_try_link "$LINENO"; then :
11285
11286 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
11287$as_echo "yes" >&6; }
11288
11289$as_echo "#define OPENSSL_HAVE_EVPCTR 1" >>confdefs.h
11290
11291
11292else
11293
11294 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
11295$as_echo "no" >&6; }
11296
11297
11298fi
11299rm -f core conftest.err conftest.$ac_objext \
11300 conftest$ac_exeext conftest.$ac_ext
11301
11302# Check for OpenSSL with EVP_aes_*gcm
11303{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES GCM via EVP" >&5
11304$as_echo_n "checking whether OpenSSL has AES GCM via EVP... " >&6; }
11305cat confdefs.h - <<_ACEOF >conftest.$ac_ext
11306/* end confdefs.h. */
11307
11308#include <string.h>
11309#include <openssl/evp.h>
11310
11311int
11312main ()
11313{
11314
11315 exit(EVP_aes_128_gcm() == NULL ||
11316 EVP_aes_256_gcm() == NULL ||
11317 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
11318 EVP_CTRL_GCM_IV_GEN == 0 ||
11319 EVP_CTRL_GCM_SET_TAG == 0 ||
11320 EVP_CTRL_GCM_GET_TAG == 0 ||
11321 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
11322
11323 ;
11324 return 0;
11325}
11326_ACEOF
11327if ac_fn_c_try_link "$LINENO"; then :
11328
11329 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
11330$as_echo "yes" >&6; }
11331
11332$as_echo "#define OPENSSL_HAVE_EVPGCM 1" >>confdefs.h
11333
11334
11335else
11336
11337 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
11338$as_echo "no" >&6; }
11339
11340
11341fi
11342rm -f core conftest.err conftest.$ac_objext \
11343 conftest$ac_exeext conftest.$ac_ext
11344
11345{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_ctrl" >&5
11346$as_echo_n "checking for library containing EVP_CIPHER_CTX_ctrl... " >&6; }
11347if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
11348 $as_echo_n "(cached) " >&6
11349else
11350 ac_func_search_save_LIBS=$LIBS
11351cat confdefs.h - <<_ACEOF >conftest.$ac_ext
11352/* end confdefs.h. */
11353
11354/* Override any GCC internal prototype to avoid an error.
11355 Use char because int might match the return type of a GCC
11356 builtin and then its argument prototype would still apply. */
11357#ifdef __cplusplus
11358extern "C"
11359#endif
11360char EVP_CIPHER_CTX_ctrl ();
11361int
11362main ()
11363{
11364return EVP_CIPHER_CTX_ctrl ();
11365 ;
11366 return 0;
11367}
11368_ACEOF
11369for ac_lib in '' crypto; do
11370 if test -z "$ac_lib"; then
11371 ac_res="none required"
11372 else
11373 ac_res=-l$ac_lib
11374 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
11375 fi
11376 if ac_fn_c_try_link "$LINENO"; then :
11377 ac_cv_search_EVP_CIPHER_CTX_ctrl=$ac_res
11378fi
11379rm -f core conftest.err conftest.$ac_objext \
11380 conftest$ac_exeext
11381 if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
11382 break
11383fi
11384done
11385if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
11386
11387else
11388 ac_cv_search_EVP_CIPHER_CTX_ctrl=no
11389fi
11390rm conftest.$ac_ext
11391LIBS=$ac_func_search_save_LIBS
11392fi
11393{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_ctrl" >&5
11394$as_echo "$ac_cv_search_EVP_CIPHER_CTX_ctrl" >&6; }
11395ac_res=$ac_cv_search_EVP_CIPHER_CTX_ctrl
11396if test "$ac_res" != no; then :
11397 test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
11398
11399$as_echo "#define HAVE_EVP_CIPHER_CTX_CTRL 1" >>confdefs.h
11400
11401fi
11402
11403
11261{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5 11404{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5
11262$as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; } 11405$as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; }
11263cat confdefs.h - <<_ACEOF >conftest.$ac_ext 11406cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -11887,6 +12030,57 @@ _ACEOF
11887 12030
11888 12031
11889 12032
12033if test "x$have_linux_no_new_privs" = "x1" ; then
12034ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" "
12035 #include <sys/types.h>
12036 #include <linux/seccomp.h>
12037
12038"
12039if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then :
12040 have_seccomp_filter=1
12041fi
12042
12043fi
12044if test "x$have_seccomp_filter" = "x1" ; then
12045{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
12046$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
12047cat confdefs.h - <<_ACEOF >conftest.$ac_ext
12048/* end confdefs.h. */
12049
12050 #include <errno.h>
12051 #include <elf.h>
12052 #include <linux/audit.h>
12053 #include <linux/seccomp.h>
12054 #include <stdlib.h>
12055 #include <sys/prctl.h>
12056
12057int
12058main ()
12059{
12060 int i = $seccomp_audit_arch;
12061 errno = 0;
12062 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
12063 exit(errno == EFAULT ? 0 : 1);
12064 ;
12065 return 0;
12066}
12067_ACEOF
12068if ac_fn_c_try_link "$LINENO"; then :
12069 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
12070$as_echo "yes" >&6; }
12071else
12072
12073 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
12074$as_echo "no" >&6; }
12075 # Disable seccomp filter as a target
12076 have_seccomp_filter=0
12077
12078
12079fi
12080rm -f core conftest.err conftest.$ac_objext \
12081 conftest$ac_exeext conftest.$ac_ext
12082fi
12083
11890# Decide which sandbox style to use 12084# Decide which sandbox style to use
11891sandbox_arg="" 12085sandbox_arg=""
11892 12086
@@ -11935,6 +12129,7 @@ main ()
11935 struct rlimit rl_zero; 12129 struct rlimit rl_zero;
11936 int fd, r; 12130 int fd, r;
11937 fd_set fds; 12131 fd_set fds;
12132 struct timeval tv;
11938 12133
11939 fd = open("/dev/null", O_RDONLY); 12134 fd = open("/dev/null", O_RDONLY);
11940 FD_ZERO(&fds); 12135 FD_ZERO(&fds);
@@ -11942,7 +12137,9 @@ main ()
11942 rl_zero.rlim_cur = rl_zero.rlim_max = 0; 12137 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
11943 setrlimit(RLIMIT_FSIZE, &rl_zero); 12138 setrlimit(RLIMIT_FSIZE, &rl_zero);
11944 setrlimit(RLIMIT_NOFILE, &rl_zero); 12139 setrlimit(RLIMIT_NOFILE, &rl_zero);
11945 r = select(fd+1, &fds, NULL, NULL, NULL); 12140 tv.tv_sec = 1;
12141 tv.tv_usec = 0;
12142 r = select(fd+1, &fds, NULL, NULL, &tv);
11946 exit (r == -1 ? 1 : 0); 12143 exit (r == -1 ? 1 : 0);
11947 12144
11948 ; 12145 ;
@@ -11963,6 +12160,54 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
11963fi 12160fi
11964 12161
11965 12162
12163{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit(RLIMIT_NOFILE,{0,0}) works" >&5
12164$as_echo_n "checking if setrlimit(RLIMIT_NOFILE,{0,0}) works... " >&6; }
12165if test "$cross_compiling" = yes; then :
12166 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5
12167$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;}
12168
12169else
12170 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
12171/* end confdefs.h. */
12172
12173#include <sys/types.h>
12174#ifdef HAVE_SYS_TIME_H
12175# include <sys/time.h>
12176#endif
12177#include <sys/resource.h>
12178#include <errno.h>
12179#include <stdlib.h>
12180
12181int
12182main ()
12183{
12184
12185 struct rlimit rl_zero;
12186 int fd, r;
12187 fd_set fds;
12188
12189 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
12190 r = setrlimit(RLIMIT_NOFILE, &rl_zero);
12191 exit (r == -1 ? 1 : 0);
12192
12193 ;
12194 return 0;
12195}
12196_ACEOF
12197if ac_fn_c_try_run "$LINENO"; then :
12198 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
12199$as_echo "yes" >&6; }
12200 rlimit_nofile_zero_works=yes
12201else
12202 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
12203$as_echo "no" >&6; }
12204 rlimit_nofile_zero_works=no
12205fi
12206rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
12207 conftest.$ac_objext conftest.beam conftest.$ac_ext
12208fi
12209
12210
11966{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5 12211{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5
11967$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; } 12212$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; }
11968if test "$cross_compiling" = yes; then : 12213if test "$cross_compiling" = yes; then :
@@ -12026,11 +12271,13 @@ $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h
12026elif test "x$sandbox_arg" = "xseccomp_filter" || \ 12271elif test "x$sandbox_arg" = "xseccomp_filter" || \
12027 ( test -z "$sandbox_arg" && \ 12272 ( test -z "$sandbox_arg" && \
12028 test "x$have_seccomp_filter" = "x1" && \ 12273 test "x$have_seccomp_filter" = "x1" && \
12274 test "x$ac_cv_header_elf_h" = "xyes" && \
12029 test "x$ac_cv_header_linux_audit_h" = "xyes" && \ 12275 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
12030 test "x$have_seccomp_audit_arch" = "x1" && \ 12276 test "x$ac_cv_header_linux_filter_h" = "xyes" && \
12277 test "x$seccomp_audit_arch" != "x" && \
12031 test "x$have_linux_no_new_privs" = "x1" && \ 12278 test "x$have_linux_no_new_privs" = "x1" && \
12032 test "x$ac_cv_func_prctl" = "xyes" ) ; then 12279 test "x$ac_cv_func_prctl" = "xyes" ) ; then
12033 test "x$have_seccomp_audit_arch" != "x1" && \ 12280 test "x$seccomp_audit_arch" = "x" && \
12034 as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5 12281 as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5
12035 test "x$have_linux_no_new_privs" != "x1" && \ 12282 test "x$have_linux_no_new_privs" != "x1" && \
12036 as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5 12283 as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5
@@ -12044,7 +12291,8 @@ $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
12044 12291
12045elif test "x$sandbox_arg" = "xrlimit" || \ 12292elif test "x$sandbox_arg" = "xrlimit" || \
12046 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ 12293 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
12047 test "x$select_works_with_rlimit" == "xyes" ) ; then 12294 test "x$select_works_with_rlimit" = "xyes" && \
12295 test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
12048 test "x$ac_cv_func_setrlimit" != "xyes" && \ 12296 test "x$ac_cv_func_setrlimit" != "xyes" && \
12049 as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5 12297 as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
12050 test "x$select_works_with_rlimit" != "xyes" && \ 12298 test "x$select_works_with_rlimit" != "xyes" && \
@@ -15229,6 +15477,9 @@ fi
15229 15477
15230 15478
15231 if test -x $KRB5CONF ; then 15479 if test -x $KRB5CONF ; then
15480 K5CFLAGS="`$KRB5CONF --cflags`"
15481 K5LIBS="`$KRB5CONF --libs`"
15482 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
15232 15483
15233 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5 15484 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5
15234$as_echo_n "checking for gssapi support... " >&6; } 15485$as_echo_n "checking for gssapi support... " >&6; }
@@ -15238,15 +15489,13 @@ $as_echo "yes" >&6; }
15238 15489
15239$as_echo "#define GSSAPI 1" >>confdefs.h 15490$as_echo "#define GSSAPI 1" >>confdefs.h
15240 15491
15241 k5confopts=gssapi 15492 GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
15493 GSSLIBS="`$KRB5CONF --libs gssapi`"
15494 CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
15242 else 15495 else
15243 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 15496 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
15244$as_echo "no" >&6; } 15497$as_echo "no" >&6; }
15245 k5confopts=""
15246 fi 15498 fi
15247 K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
15248 K5LIBS="`$KRB5CONF --libs $k5confopts`"
15249 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
15250 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 15499 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
15251$as_echo_n "checking whether we are using Heimdal... " >&6; } 15500$as_echo_n "checking whether we are using Heimdal... " >&6; }
15252 cat confdefs.h - <<_ACEOF >conftest.$ac_ext 15501 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -15449,7 +15698,7 @@ if ${ac_cv_lib_gssapi_krb5_gss_init_sec_context+:} false; then :
15449 $as_echo_n "(cached) " >&6 15698 $as_echo_n "(cached) " >&6
15450else 15699else
15451 ac_check_lib_save_LIBS=$LIBS 15700 ac_check_lib_save_LIBS=$LIBS
15452LIBS="-lgssapi_krb5 $K5LIBS $LIBS" 15701LIBS="-lgssapi_krb5 $LIBS"
15453cat confdefs.h - <<_ACEOF >conftest.$ac_ext 15702cat confdefs.h - <<_ACEOF >conftest.$ac_ext
15454/* end confdefs.h. */ 15703/* end confdefs.h. */
15455 15704
@@ -15482,7 +15731,7 @@ $as_echo "$ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&6; }
15482if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then : 15731if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then :
15483 $as_echo "#define GSSAPI 1" >>confdefs.h 15732 $as_echo "#define GSSAPI 1" >>confdefs.h
15484 15733
15485 K5LIBS="-lgssapi_krb5 $K5LIBS" 15734 GSSLIBS="-lgssapi_krb5"
15486else 15735else
15487 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5 15736 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5
15488$as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; } 15737$as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; }
@@ -15490,7 +15739,7 @@ if ${ac_cv_lib_gssapi_gss_init_sec_context+:} false; then :
15490 $as_echo_n "(cached) " >&6 15739 $as_echo_n "(cached) " >&6
15491else 15740else
15492 ac_check_lib_save_LIBS=$LIBS 15741 ac_check_lib_save_LIBS=$LIBS
15493LIBS="-lgssapi $K5LIBS $LIBS" 15742LIBS="-lgssapi $LIBS"
15494cat confdefs.h - <<_ACEOF >conftest.$ac_ext 15743cat confdefs.h - <<_ACEOF >conftest.$ac_ext
15495/* end confdefs.h. */ 15744/* end confdefs.h. */
15496 15745
@@ -15523,7 +15772,48 @@ $as_echo "$ac_cv_lib_gssapi_gss_init_sec_context" >&6; }
15523if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then : 15772if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then :
15524 $as_echo "#define GSSAPI 1" >>confdefs.h 15773 $as_echo "#define GSSAPI 1" >>confdefs.h
15525 15774
15526 K5LIBS="-lgssapi $K5LIBS" 15775 GSSLIBS="-lgssapi"
15776else
15777 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgss" >&5
15778$as_echo_n "checking for gss_init_sec_context in -lgss... " >&6; }
15779if ${ac_cv_lib_gss_gss_init_sec_context+:} false; then :
15780 $as_echo_n "(cached) " >&6
15781else
15782 ac_check_lib_save_LIBS=$LIBS
15783LIBS="-lgss $LIBS"
15784cat confdefs.h - <<_ACEOF >conftest.$ac_ext
15785/* end confdefs.h. */
15786
15787/* Override any GCC internal prototype to avoid an error.
15788 Use char because int might match the return type of a GCC
15789 builtin and then its argument prototype would still apply. */
15790#ifdef __cplusplus
15791extern "C"
15792#endif
15793char gss_init_sec_context ();
15794int
15795main ()
15796{
15797return gss_init_sec_context ();
15798 ;
15799 return 0;
15800}
15801_ACEOF
15802if ac_fn_c_try_link "$LINENO"; then :
15803 ac_cv_lib_gss_gss_init_sec_context=yes
15804else
15805 ac_cv_lib_gss_gss_init_sec_context=no
15806fi
15807rm -f core conftest.err conftest.$ac_objext \
15808 conftest$ac_exeext conftest.$ac_ext
15809LIBS=$ac_check_lib_save_LIBS
15810fi
15811{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gss_gss_init_sec_context" >&5
15812$as_echo "$ac_cv_lib_gss_gss_init_sec_context" >&6; }
15813if test "x$ac_cv_lib_gss_gss_init_sec_context" = xyes; then :
15814 $as_echo "#define GSSAPI 1" >>confdefs.h
15815
15816 GSSLIBS="-lgss"
15527else 15817else
15528 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 15818 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5
15529$as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;} 15819$as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;}
@@ -15533,6 +15823,9 @@ fi
15533fi 15823fi
15534 15824
15535 15825
15826fi
15827
15828
15536 ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" 15829 ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default"
15537if test "x$ac_cv_header_gssapi_h" = xyes; then : 15830if test "x$ac_cv_header_gssapi_h" = xyes; then :
15538 15831
@@ -15620,7 +15913,6 @@ fi
15620done 15913done
15621 15914
15622 15915
15623 LIBS="$LIBS $K5LIBS"
15624 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5 15916 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5
15625$as_echo_n "checking for library containing k_hasafs... " >&6; } 15917$as_echo_n "checking for library containing k_hasafs... " >&6; }
15626if ${ac_cv_search_k_hasafs+:} false; then : 15918if ${ac_cv_search_k_hasafs+:} false; then :
@@ -15679,12 +15971,39 @@ $as_echo "#define USE_AFS 1" >>confdefs.h
15679 15971
15680fi 15972fi
15681 15973
15974
15975 ac_fn_c_check_decl "$LINENO" "GSS_C_NT_HOSTBASED_SERVICE" "ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" "
15976#ifdef HAVE_GSSAPI_H
15977# include <gssapi.h>
15978#elif defined(HAVE_GSSAPI_GSSAPI_H)
15979# include <gssapi/gssapi.h>
15980#endif
15981
15982#ifdef HAVE_GSSAPI_GENERIC_H
15983# include <gssapi_generic.h>
15984#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
15985# include <gssapi/gssapi_generic.h>
15986#endif
15987
15988"
15989if test "x$ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" = xyes; then :
15990 ac_have_decl=1
15991else
15992 ac_have_decl=0
15993fi
15994
15995cat >>confdefs.h <<_ACEOF
15996#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl
15997_ACEOF
15998
15682 fi 15999 fi
15683 16000
15684 16001
15685fi 16002fi
15686 16003
15687 16004
16005
16006
15688# Check whether user wants ConsoleKit support 16007# Check whether user wants ConsoleKit support
15689CONSOLEKIT_MSG="no" 16008CONSOLEKIT_MSG="no"
15690LIBCK_CONNECTOR="" 16009LIBCK_CONNECTOR=""
@@ -16868,7 +17187,6 @@ _ACEOF
16868 17187
16869fi 17188fi
16870 17189
16871
16872{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5 17190{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5
16873$as_echo_n "checking if your system defines WTMPX_FILE... " >&6; } 17191$as_echo_n "checking if your system defines WTMPX_FILE... " >&6; }
16874cat confdefs.h - <<_ACEOF >conftest.$ac_ext 17192cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -16921,6 +17239,60 @@ if test ! -z "$blibpath" ; then
16921$as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;} 17239$as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
16922fi 17240fi
16923 17241
17242ac_fn_c_check_member "$LINENO" "struct lastlog" "ll_line" "ac_cv_member_struct_lastlog_ll_line" "
17243#ifdef HAVE_SYS_TYPES_H
17244#include <sys/types.h>
17245#endif
17246#ifdef HAVE_UTMP_H
17247#include <utmp.h>
17248#endif
17249#ifdef HAVE_UTMPX_H
17250#include <utmpx.h>
17251#endif
17252#ifdef HAVE_LASTLOG_H
17253#include <lastlog.h>
17254#endif
17255
17256"
17257if test "x$ac_cv_member_struct_lastlog_ll_line" = xyes; then :
17258
17259else
17260
17261 if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
17262 $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h
17263
17264 fi
17265
17266fi
17267
17268
17269ac_fn_c_check_member "$LINENO" "struct utmp" "ut_line" "ac_cv_member_struct_utmp_ut_line" "
17270#ifdef HAVE_SYS_TYPES_H
17271#include <sys/types.h>
17272#endif
17273#ifdef HAVE_UTMP_H
17274#include <utmp.h>
17275#endif
17276#ifdef HAVE_UTMPX_H
17277#include <utmpx.h>
17278#endif
17279#ifdef HAVE_LASTLOG_H
17280#include <lastlog.h>
17281#endif
17282
17283"
17284if test "x$ac_cv_member_struct_utmp_ut_line" = xyes; then :
17285
17286else
17287
17288 $as_echo "#define DISABLE_UTMP 1" >>confdefs.h
17289
17290 $as_echo "#define DISABLE_WTMP 1" >>confdefs.h
17291
17292
17293fi
17294
17295
16924CFLAGS="$CFLAGS $werror_flags" 17296CFLAGS="$CFLAGS $werror_flags"
16925 17297
16926if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then 17298if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
diff --git a/configure.ac b/configure.ac
index fabd3e0f1..198a2056e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.496 2012/07/06 01:49:29 djm Exp $ 1# $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.496 $) 18AC_REVISION($Revision: 1.518 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -120,32 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
120 #include <sys/types.h> 120 #include <sys/types.h>
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123if test "x$have_linux_no_new_privs" = "x1" ; then
124AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
125 #include <sys/types.h>
126 #include <linux/seccomp.h>
127])
128fi
129if test "x$have_seccomp_filter" = "x1" ; then
130AC_MSG_CHECKING([kernel for seccomp_filter support])
131AC_RUN_IFELSE([AC_LANG_PROGRAM([[
132 #include <errno.h>
133 #include <linux/seccomp.h>
134 #include <stdlib.h>
135 #include <sys/prctl.h>
136 ]],
137 [[ errno = 0;
138 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
139 exit(errno == EFAULT ? 0 : 1); ]])],
140 [ AC_MSG_RESULT([yes]) ], [
141 AC_MSG_RESULT([no])
142 # Disable seccomp filter as a target
143 have_seccomp_filter=0
144 ],
145 [ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
146)
147fi
148
149use_stack_protector=1 123use_stack_protector=1
150AC_ARG_WITH([stackprotect], 124AC_ARG_WITH([stackprotect],
151 [ --without-stackprotect Don't use compiler's stack protection], [ 125 [ --without-stackprotect Don't use compiler's stack protection], [
@@ -239,6 +213,18 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
239 fi 213 fi
240fi 214fi
241 215
216AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
217AC_COMPILE_IFELSE(
218 [AC_LANG_PROGRAM([[
219#include <stdlib.h>
220__attribute__((__unused__)) static void foo(void){return;}]],
221 [[ exit(0); ]])],
222 [ AC_MSG_RESULT([yes]) ],
223 [ AC_MSG_RESULT([no])
224 AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
225 [compiler does not accept __attribute__ on return types]) ]
226)
227
242if test "x$no_attrib_nonnull" != "x1" ; then 228if test "x$no_attrib_nonnull" != "x1" ; then
243 AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) 229 AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
244fi 230fi
@@ -310,6 +296,7 @@ AC_CHECK_HEADERS([ \
310 crypto/sha2.h \ 296 crypto/sha2.h \
311 dirent.h \ 297 dirent.h \
312 endian.h \ 298 endian.h \
299 elf.h \
313 features.h \ 300 features.h \
314 fcntl.h \ 301 fcntl.h \
315 floatingpoint.h \ 302 floatingpoint.h \
@@ -493,6 +480,7 @@ case "$host" in
493 AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], 480 AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
494 [AIX 5.2 and 5.3 (and presumably newer) require this]) 481 [AIX 5.2 and 5.3 (and presumably newer) require this])
495 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) 482 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
483 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
496 ;; 484 ;;
497*-*-cygwin*) 485*-*-cygwin*)
498 check_for_libcrypt_later=1 486 check_for_libcrypt_later=1
@@ -602,6 +590,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
602 AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], 590 AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
603 [String used in /etc/passwd to denote locked account]) 591 [String used in /etc/passwd to denote locked account])
604 AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) 592 AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
593 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
605 maildir="/var/mail" 594 maildir="/var/mail"
606 LIBS="$LIBS -lsec" 595 LIBS="$LIBS -lsec"
607 AC_CHECK_LIB([xnet], [t_error], , 596 AC_CHECK_LIB([xnet], [t_error], ,
@@ -713,20 +702,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
713 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], 702 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
714 [], [#include <linux/types.h>]) 703 [], [#include <linux/types.h>])
715 AC_CHECK_FUNCS([prctl]) 704 AC_CHECK_FUNCS([prctl])
716 have_seccomp_audit_arch=1 705 AC_MSG_CHECKING([for seccomp architecture])
706 seccomp_audit_arch=
717 case "$host" in 707 case "$host" in
718 x86_64-*) 708 x86_64-*)
719 AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64], 709 seccomp_audit_arch=AUDIT_ARCH_X86_64
720 [Specify the system call convention in use])
721 ;; 710 ;;
722 i*86-*) 711 i*86-*)
723 AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386], 712 seccomp_audit_arch=AUDIT_ARCH_I386
724 [Specify the system call convention in use])
725 ;;
726 *)
727 have_seccomp_audit_arch=0
728 ;; 713 ;;
714 arm*-*)
715 seccomp_audit_arch=AUDIT_ARCH_ARM
716 ;;
729 esac 717 esac
718 if test "x$seccomp_audit_arch" != "x" ; then
719 AC_MSG_RESULT(["$seccomp_audit_arch"])
720 AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
721 [Specify the system call convention in use])
722 else
723 AC_MSG_RESULT([architecture not supported])
724 fi
730 ;; 725 ;;
731mips-sony-bsd|mips-sony-newsos4) 726mips-sony-bsd|mips-sony-newsos4)
732 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) 727 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -750,6 +745,7 @@ mips-sony-bsd|mips-sony-newsos4)
750 AC_CHECK_HEADER([net/if_tap.h], , 745 AC_CHECK_HEADER([net/if_tap.h], ,
751 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) 746 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
752 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) 747 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
748 AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need])
753 ;; 749 ;;
754*-*-bsdi*) 750*-*-bsdi*)
755 AC_DEFINE([SETEUID_BREAKS_SETUID]) 751 AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -926,6 +922,7 @@ mips-sony-bsd|mips-sony-newsos4)
926 AC_CHECK_FUNCS([getluid setluid]) 922 AC_CHECK_FUNCS([getluid setluid])
927 MANTYPE=man 923 MANTYPE=man
928 TEST_SHELL=ksh 924 TEST_SHELL=ksh
925 SKIP_DISABLE_LASTLOG_DEFINE=yes
929 ;; 926 ;;
930*-*-unicosmk*) 927*-*-unicosmk*)
931 AC_DEFINE([NO_SSH_LASTLOG], [1], 928 AC_DEFINE([NO_SSH_LASTLOG], [1],
@@ -1194,7 +1191,7 @@ AC_CHECK_FUNCS([utimes],
1194) 1191)
1195 1192
1196dnl Checks for libutil functions 1193dnl Checks for libutil functions
1197AC_CHECK_HEADERS([libutil.h]) 1194AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1198AC_SEARCH_LIBS([fmt_scaled], [util bsd]) 1195AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1199AC_SEARCH_LIBS([login], [util bsd]) 1196AC_SEARCH_LIBS([login], [util bsd])
1200AC_SEARCH_LIBS([logout], [util bsd]) 1197AC_SEARCH_LIBS([logout], [util bsd])
@@ -1563,6 +1560,8 @@ AC_CHECK_FUNCS([ \
1563 getopt \ 1560 getopt \
1564 getpeereid \ 1561 getpeereid \
1565 getpeerucred \ 1562 getpeerucred \
1563 getpgid \
1564 getpgrp \
1566 _getpty \ 1565 _getpty \
1567 getrlimit \ 1566 getrlimit \
1568 getttyent \ 1567 getttyent \
@@ -1622,6 +1621,7 @@ AC_CHECK_FUNCS([ \
1622 strtonum \ 1621 strtonum \
1623 strtoll \ 1622 strtoll \
1624 strtoul \ 1623 strtoul \
1624 strtoull \
1625 swap32 \ 1625 swap32 \
1626 sysconf \ 1626 sysconf \
1627 tcgetpgrp \ 1627 tcgetpgrp \
@@ -1630,6 +1630,7 @@ AC_CHECK_FUNCS([ \
1630 unsetenv \ 1630 unsetenv \
1631 updwtmpx \ 1631 updwtmpx \
1632 user_from_uid \ 1632 user_from_uid \
1633 usleep \
1633 vasprintf \ 1634 vasprintf \
1634 vhangup \ 1635 vhangup \
1635 vsnprintf \ 1636 vsnprintf \
@@ -2323,6 +2324,56 @@ AC_LINK_IFELSE(
2323 ] 2324 ]
2324) 2325)
2325 2326
2327# Check for OpenSSL with EVP_aes_*ctr
2328AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2329AC_LINK_IFELSE(
2330 [AC_LANG_PROGRAM([[
2331#include <string.h>
2332#include <openssl/evp.h>
2333 ]], [[
2334 exit(EVP_aes_128_ctr() == NULL ||
2335 EVP_aes_192_cbc() == NULL ||
2336 EVP_aes_256_cbc() == NULL);
2337 ]])],
2338 [
2339 AC_MSG_RESULT([yes])
2340 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2341 [libcrypto has EVP AES CTR])
2342 ],
2343 [
2344 AC_MSG_RESULT([no])
2345 ]
2346)
2347
2348# Check for OpenSSL with EVP_aes_*gcm
2349AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2350AC_LINK_IFELSE(
2351 [AC_LANG_PROGRAM([[
2352#include <string.h>
2353#include <openssl/evp.h>
2354 ]], [[
2355 exit(EVP_aes_128_gcm() == NULL ||
2356 EVP_aes_256_gcm() == NULL ||
2357 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2358 EVP_CTRL_GCM_IV_GEN == 0 ||
2359 EVP_CTRL_GCM_SET_TAG == 0 ||
2360 EVP_CTRL_GCM_GET_TAG == 0 ||
2361 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2362 ]])],
2363 [
2364 AC_MSG_RESULT([yes])
2365 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2366 [libcrypto has EVP AES GCM])
2367 ],
2368 [
2369 AC_MSG_RESULT([no])
2370 ]
2371)
2372
2373AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2374 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2375 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2376
2326AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) 2377AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2327AC_LINK_IFELSE( 2378AC_LINK_IFELSE(
2328 [AC_LANG_PROGRAM([[ 2379 [AC_LANG_PROGRAM([[
@@ -2589,6 +2640,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
2589 [non-privileged user for privilege separation]) 2640 [non-privileged user for privilege separation])
2590AC_SUBST([SSH_PRIVSEP_USER]) 2641AC_SUBST([SSH_PRIVSEP_USER])
2591 2642
2643if test "x$have_linux_no_new_privs" = "x1" ; then
2644AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
2645 #include <sys/types.h>
2646 #include <linux/seccomp.h>
2647])
2648fi
2649if test "x$have_seccomp_filter" = "x1" ; then
2650AC_MSG_CHECKING([kernel for seccomp_filter support])
2651AC_LINK_IFELSE([AC_LANG_PROGRAM([[
2652 #include <errno.h>
2653 #include <elf.h>
2654 #include <linux/audit.h>
2655 #include <linux/seccomp.h>
2656 #include <stdlib.h>
2657 #include <sys/prctl.h>
2658 ]],
2659 [[ int i = $seccomp_audit_arch;
2660 errno = 0;
2661 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
2662 exit(errno == EFAULT ? 0 : 1); ]])],
2663 [ AC_MSG_RESULT([yes]) ], [
2664 AC_MSG_RESULT([no])
2665 # Disable seccomp filter as a target
2666 have_seccomp_filter=0
2667 ]
2668)
2669fi
2670
2592# Decide which sandbox style to use 2671# Decide which sandbox style to use
2593sandbox_arg="" 2672sandbox_arg=""
2594AC_ARG_WITH([sandbox], 2673AC_ARG_WITH([sandbox],
@@ -2623,6 +2702,7 @@ AC_RUN_IFELSE(
2623 struct rlimit rl_zero; 2702 struct rlimit rl_zero;
2624 int fd, r; 2703 int fd, r;
2625 fd_set fds; 2704 fd_set fds;
2705 struct timeval tv;
2626 2706
2627 fd = open("/dev/null", O_RDONLY); 2707 fd = open("/dev/null", O_RDONLY);
2628 FD_ZERO(&fds); 2708 FD_ZERO(&fds);
@@ -2630,7 +2710,9 @@ AC_RUN_IFELSE(
2630 rl_zero.rlim_cur = rl_zero.rlim_max = 0; 2710 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
2631 setrlimit(RLIMIT_FSIZE, &rl_zero); 2711 setrlimit(RLIMIT_FSIZE, &rl_zero);
2632 setrlimit(RLIMIT_NOFILE, &rl_zero); 2712 setrlimit(RLIMIT_NOFILE, &rl_zero);
2633 r = select(fd+1, &fds, NULL, NULL, NULL); 2713 tv.tv_sec = 1;
2714 tv.tv_usec = 0;
2715 r = select(fd+1, &fds, NULL, NULL, &tv);
2634 exit (r == -1 ? 1 : 0); 2716 exit (r == -1 ? 1 : 0);
2635 ]])], 2717 ]])],
2636 [AC_MSG_RESULT([yes]) 2718 [AC_MSG_RESULT([yes])
@@ -2640,6 +2722,32 @@ AC_RUN_IFELSE(
2640 [AC_MSG_WARN([cross compiling: assuming yes])] 2722 [AC_MSG_WARN([cross compiling: assuming yes])]
2641) 2723)
2642 2724
2725AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
2726AC_RUN_IFELSE(
2727 [AC_LANG_PROGRAM([[
2728#include <sys/types.h>
2729#ifdef HAVE_SYS_TIME_H
2730# include <sys/time.h>
2731#endif
2732#include <sys/resource.h>
2733#include <errno.h>
2734#include <stdlib.h>
2735 ]],[[
2736 struct rlimit rl_zero;
2737 int fd, r;
2738 fd_set fds;
2739
2740 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
2741 r = setrlimit(RLIMIT_NOFILE, &rl_zero);
2742 exit (r == -1 ? 1 : 0);
2743 ]])],
2744 [AC_MSG_RESULT([yes])
2745 rlimit_nofile_zero_works=yes],
2746 [AC_MSG_RESULT([no])
2747 rlimit_nofile_zero_works=no],
2748 [AC_MSG_WARN([cross compiling: assuming yes])]
2749)
2750
2643AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) 2751AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
2644AC_RUN_IFELSE( 2752AC_RUN_IFELSE(
2645 [AC_LANG_PROGRAM([[ 2753 [AC_LANG_PROGRAM([[
@@ -2676,11 +2784,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
2676elif test "x$sandbox_arg" = "xseccomp_filter" || \ 2784elif test "x$sandbox_arg" = "xseccomp_filter" || \
2677 ( test -z "$sandbox_arg" && \ 2785 ( test -z "$sandbox_arg" && \
2678 test "x$have_seccomp_filter" = "x1" && \ 2786 test "x$have_seccomp_filter" = "x1" && \
2787 test "x$ac_cv_header_elf_h" = "xyes" && \
2679 test "x$ac_cv_header_linux_audit_h" = "xyes" && \ 2788 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
2680 test "x$have_seccomp_audit_arch" = "x1" && \ 2789 test "x$ac_cv_header_linux_filter_h" = "xyes" && \
2790 test "x$seccomp_audit_arch" != "x" && \
2681 test "x$have_linux_no_new_privs" = "x1" && \ 2791 test "x$have_linux_no_new_privs" = "x1" && \
2682 test "x$ac_cv_func_prctl" = "xyes" ) ; then 2792 test "x$ac_cv_func_prctl" = "xyes" ) ; then
2683 test "x$have_seccomp_audit_arch" != "x1" && \ 2793 test "x$seccomp_audit_arch" = "x" && \
2684 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) 2794 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
2685 test "x$have_linux_no_new_privs" != "x1" && \ 2795 test "x$have_linux_no_new_privs" != "x1" && \
2686 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) 2796 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
@@ -2692,7 +2802,8 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
2692 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) 2802 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
2693elif test "x$sandbox_arg" = "xrlimit" || \ 2803elif test "x$sandbox_arg" = "xrlimit" || \
2694 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ 2804 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
2695 test "x$select_works_with_rlimit" == "xyes" ) ; then 2805 test "x$select_works_with_rlimit" = "xyes" && \
2806 test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
2696 test "x$ac_cv_func_setrlimit" != "xyes" && \ 2807 test "x$ac_cv_func_setrlimit" != "xyes" && \
2697 AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) 2808 AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
2698 test "x$select_works_with_rlimit" != "xyes" && \ 2809 test "x$select_works_with_rlimit" != "xyes" && \
@@ -3584,6 +3695,9 @@ AC_ARG_WITH([kerberos5],
3584 [$KRB5ROOT/bin/krb5-config], 3695 [$KRB5ROOT/bin/krb5-config],
3585 [$KRB5ROOT/bin:$PATH]) 3696 [$KRB5ROOT/bin:$PATH])
3586 if test -x $KRB5CONF ; then 3697 if test -x $KRB5CONF ; then
3698 K5CFLAGS="`$KRB5CONF --cflags`"
3699 K5LIBS="`$KRB5CONF --libs`"
3700 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
3587 3701
3588 AC_MSG_CHECKING([for gssapi support]) 3702 AC_MSG_CHECKING([for gssapi support])
3589 if $KRB5CONF | grep gssapi >/dev/null ; then 3703 if $KRB5CONF | grep gssapi >/dev/null ; then
@@ -3591,14 +3705,12 @@ AC_ARG_WITH([kerberos5],
3591 AC_DEFINE([GSSAPI], [1], 3705 AC_DEFINE([GSSAPI], [1],
3592 [Define this if you want GSSAPI 3706 [Define this if you want GSSAPI
3593 support in the version 2 protocol]) 3707 support in the version 2 protocol])
3594 k5confopts=gssapi 3708 GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
3709 GSSLIBS="`$KRB5CONF --libs gssapi`"
3710 CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
3595 else 3711 else
3596 AC_MSG_RESULT([no]) 3712 AC_MSG_RESULT([no])
3597 k5confopts=""
3598 fi 3713 fi
3599 K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
3600 K5LIBS="`$KRB5CONF --libs $k5confopts`"
3601 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
3602 AC_MSG_CHECKING([whether we are using Heimdal]) 3714 AC_MSG_CHECKING([whether we are using Heimdal])
3603 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h> 3715 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
3604 ]], [[ char *tmp = heimdal_version; ]])], 3716 ]], [[ char *tmp = heimdal_version; ]])],
@@ -3630,14 +3742,16 @@ AC_ARG_WITH([kerberos5],
3630 3742
3631 AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], 3743 AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
3632 [ AC_DEFINE([GSSAPI]) 3744 [ AC_DEFINE([GSSAPI])
3633 K5LIBS="-lgssapi_krb5 $K5LIBS" ], 3745 GSSLIBS="-lgssapi_krb5" ],
3634 [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], 3746 [ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
3635 [ AC_DEFINE([GSSAPI]) 3747 [ AC_DEFINE([GSSAPI])
3636 K5LIBS="-lgssapi $K5LIBS" ], 3748 GSSLIBS="-lgssapi" ],
3637 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), 3749 [ AC_CHECK_LIB([gss], [gss_init_sec_context],
3638 $K5LIBS) 3750 [ AC_DEFINE([GSSAPI])
3639 ], 3751 GSSLIBS="-lgss" ],
3640 $K5LIBS) 3752 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
3753 ])
3754 ])
3641 3755
3642 AC_CHECK_HEADER([gssapi.h], , 3756 AC_CHECK_HEADER([gssapi.h], ,
3643 [ unset ac_cv_header_gssapi_h 3757 [ unset ac_cv_header_gssapi_h
@@ -3665,12 +3779,27 @@ AC_ARG_WITH([kerberos5],
3665 AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h]) 3779 AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
3666 AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h]) 3780 AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
3667 3781
3668 LIBS="$LIBS $K5LIBS"
3669 AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], 3782 AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
3670 [Define this if you want to use libkafs' AFS support])]) 3783 [Define this if you want to use libkafs' AFS support])])
3784
3785 AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
3786#ifdef HAVE_GSSAPI_H
3787# include <gssapi.h>
3788#elif defined(HAVE_GSSAPI_GSSAPI_H)
3789# include <gssapi/gssapi.h>
3790#endif
3791
3792#ifdef HAVE_GSSAPI_GENERIC_H
3793# include <gssapi_generic.h>
3794#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
3795# include <gssapi/gssapi_generic.h>
3796#endif
3797 ]])
3671 fi 3798 fi
3672 ] 3799 ]
3673) 3800)
3801AC_SUBST([GSSLIBS])
3802AC_SUBST([K5LIBS])
3674 3803
3675# Check whether user wants ConsoleKit support 3804# Check whether user wants ConsoleKit support
3676CONSOLEKIT_MSG="no" 3805CONSOLEKIT_MSG="no"
@@ -4361,7 +4490,6 @@ if test -n "$conf_wtmp_location"; then
4361 [Define if you want to specify the path to your wtmp file]) 4490 [Define if you want to specify the path to your wtmp file])
4362fi 4491fi
4363 4492
4364
4365dnl wtmpx detection 4493dnl wtmpx detection
4366AC_MSG_CHECKING([if your system defines WTMPX_FILE]) 4494AC_MSG_CHECKING([if your system defines WTMPX_FILE])
4367AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ 4495AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
@@ -4393,6 +4521,43 @@ if test ! -z "$blibpath" ; then
4393 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) 4521 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
4394fi 4522fi
4395 4523
4524AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
4525 if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
4526 AC_DEFINE([DISABLE_LASTLOG])
4527 fi
4528 ], [
4529#ifdef HAVE_SYS_TYPES_H
4530#include <sys/types.h>
4531#endif
4532#ifdef HAVE_UTMP_H
4533#include <utmp.h>
4534#endif
4535#ifdef HAVE_UTMPX_H
4536#include <utmpx.h>
4537#endif
4538#ifdef HAVE_LASTLOG_H
4539#include <lastlog.h>
4540#endif
4541 ])
4542
4543AC_CHECK_MEMBER([struct utmp.ut_line], [], [
4544 AC_DEFINE([DISABLE_UTMP])
4545 AC_DEFINE([DISABLE_WTMP])
4546 ], [
4547#ifdef HAVE_SYS_TYPES_H
4548#include <sys/types.h>
4549#endif
4550#ifdef HAVE_UTMP_H
4551#include <utmp.h>
4552#endif
4553#ifdef HAVE_UTMPX_H
4554#include <utmpx.h>
4555#endif
4556#ifdef HAVE_LASTLOG_H
4557#include <lastlog.h>
4558#endif
4559 ])
4560
4396dnl Adding -Werror to CFLAGS early prevents configure tests from running. 4561dnl Adding -Werror to CFLAGS early prevents configure tests from running.
4397dnl Add now. 4562dnl Add now.
4398CFLAGS="$CFLAGS $werror_flags" 4563CFLAGS="$CFLAGS $werror_flags"
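Review bot: The cross-compiling branch of the new `setrlimit(RLIMIT_NOFILE,{0,0})` check only prints "assuming yes" and never sets `rlimit_nofile_zero_works`, yet the sandbox selection further down now also requires `test "x$rlimit_nofile_zero_works" = "xyes"`. A cross-compiled build configured without `--with-sandbox` will therefore not auto-select the rlimit sandbox even though configure reports that it assumed the check passes; what it falls back to is outside the visible hunks, but it is presumably a weaker privilege-separation sandbox or none. I would make the branch `[AC_MSG_WARN([cross compiling: assuming yes]) rlimit_nofile_zero_works=yes]`, and check whether the `select_works_with_rlimit` test above needs the same assignment in its cross branch. The probe also declares `fd` and `fds` without using them, so both can be dropped.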
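--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
-%define version 6.1p1
+%define version 6.2p1
 %if %{use_stable}
  %define cvs %{nil}
  %define release 1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.78 2012/08/22 11:57:15 djm Exp $
+$Id: openssh.spec,v 1.79 2013/02/26 23:48:20 djm Exp $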
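--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 6.1p1
+%define ver 6.2p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID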
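--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -29,7 +29,7 @@ do_restart_sanity_check()
 {
  $SSHD -t
  RETVAL=$?
- if [ ! "$RETVAL" = 0 ]; then
+ if [ $RETVAL -ne 0 ]; then
  failure $"Configuration file or keys are invalid"
  echo
  fi
@@ -49,7 +49,7 @@ start()
  echo -n $"Starting $prog:"
  $SSHD $OPTIONS && success || failure
  RETVAL=$?
- [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
  echo
 }
 
@@ -58,7 +58,7 @@ stop()
  echo -n $"Stopping $prog:"
  killproc $SSHD -TERM
  RETVAL=$?
- [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
  echo
 }
 
@@ -87,7 +87,7 @@ case "$1" in
  condrestart)
  if [ -f /var/lock/subsys/sshd ] ; then
  do_restart_sanity_check
- if [ "$RETVAL" = 0 ] ; then
+ if [ $RETVAL -eq 0 ] ; then
  stop
  # avoid race
  sleep 3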
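Review bot: The new numeric tests expand `$RETVAL` unquoted, so an empty or unset value would turn `[ $RETVAL -eq 0 ]` into `[ -eq 0 ]`, which the shell reports as a test error and treats as false instead of failing in an obvious way. Every visible use follows a `RETVAL=$?` assignment or a call to do_restart_sanity_check, so this looks safe as written, but quoting costs nothing: `[ "$RETVAL" -eq 0 ]` and `[ "$RETVAL" -ne 0 ]`. The same applies to all four changed lines; the functions and the case statement continue outside the hunks.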
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 86d037abd..af18a1929 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -1,54 +1,293 @@
1#!/bin/sh 1#!/bin/sh
2 2
3# Shell script to install your public key on a remote machine 3# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
4# Takes the remote machine name as an argument. 4# 2013 Martin Kletzander <mkletzan@redhat.com>
5# Obviously, the remote machine must accept password authentication, 5# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
6# or one of the other keys in your ssh-agent, for this to work. 6# 2010 Eric Moret <eric.moret@gmail.com>
7 7# 2009 Xr <xr@i-jeuxvideo.com>
8ID_FILE="${HOME}/.ssh/id_rsa.pub" 8# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
9 9# 2004 Reini Urban <rurban@x-ray.at>
10if [ "-i" = "$1" ]; then 10# 2003 Colin Watson <cjwatson@debian.org>
11 shift 11# All rights reserved.
12 # check if we have 2 parameters left, if so the first is the new ID file 12#
13 if [ -n "$2" ]; then 13# Redistribution and use in source and binary forms, with or without
14 if expr "$1" : ".*\.pub" > /dev/null ; then 14# modification, are permitted provided that the following conditions
15 ID_FILE="$1" 15# are met:
16 else 16# 1. Redistributions of source code must retain the above copyright
17 ID_FILE="$1.pub" 17# notice, this list of conditions and the following disclaimer.
18 fi 18# 2. Redistributions in binary form must reproduce the above copyright
19 shift # and this should leave $1 as the target name 19# notice, this list of conditions and the following disclaimer in the
20# documentation and/or other materials provided with the distribution.
21#
22# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32
33# Shell script to install your public key(s) on a remote machine
34# See the ssh-copy-id(1) man page for details
35
36# check that we have something mildly sane as our shell, or try to find something better
37if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
38then
39 SANE_SH=${SANE_SH:-/usr/bin/ksh}
40 if printf 'true ^ false\n' | "$SANE_SH"
41 then
42 printf "'%s' seems viable.\n" "$SANE_SH"
43 exec "$SANE_SH" "$0" "$@"
44 else
45 cat <<-EOF
46 oh dear.
47
48 If you have a more recent shell available, that supports \$(...) etc.
49 please try setting the environment variable SANE_SH to the path of that
50 shell, and then retry running this script. If that works, please report
51 a bug describing your setup, and the shell you used to make it work.
52
53 EOF
54 printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
55 exit 1
20 fi 56 fi
21else 57fi
22 if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then 58
23 GET_ID="$GET_ID ssh-add -L" 59DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
60
61usage () {
62 printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
63 exit 1
64}
65
66# escape any single quotes in an argument
67quote() {
68 printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
69}
70
71use_id_file() {
72 local L_ID_FILE="$1"
73
74 if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
75 PUB_ID_FILE="$L_ID_FILE"
76 else
77 PUB_ID_FILE="$L_ID_FILE.pub"
24 fi 78 fi
79
80 PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
81
82 # check that the files are readable
83 for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
84 ErrMSG=$( { : < $f ; } 2>&1 ) || {
85 printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
86 exit 1
87 }
88 done
89 GET_ID="cat \"$PUB_ID_FILE\""
90}
91
92if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
93 GET_ID="ssh-add -L"
25fi 94fi
26 95
27if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then 96while test "$#" -gt 0
28 GET_ID="cat \"${ID_FILE}\"" 97do
98 [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
99 printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
100 usage
101 }
102
103 OPT= OPTARG=
104 # implement something like getopt to avoid Solaris pain
105 case "$1" in
106 -i?*|-o?*|-p?*)
107 OPT="$(printf -- "$1"|cut -c1-2)"
108 OPTARG="$(printf -- "$1"|cut -c3-)"
109 shift
110 ;;
111 -o|-p)
112 OPT="$1"
113 OPTARG="$2"
114 shift 2
115 ;;
116 -i)
117 OPT="$1"
118 test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
119 OPTARG="$2"
120 shift
121 }
122 shift
123 ;;
124 -n|-h|-\?)
125 OPT="$1"
126 OPTARG=
127 shift
128 ;;
129 --)
130 shift
131 while test "$#" -gt 0
132 do
133 SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
134 shift
135 done
136 break
137 ;;
138 -*)
139 printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
140 usage
141 ;;
142 *)
143 SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
144 shift
145 continue
146 ;;
147 esac
148
149 case "$OPT" in
150 -i)
151 SEEN_OPT_I="yes"
152 use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
153 ;;
154 -o|-p)
155 SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
156 ;;
157 -n)
158 DRY_RUN=1
159 ;;
160 -h|-\?)
161 usage
162 ;;
163 esac
164done
165
166eval set -- "$SAVEARGS"
167
168if [ $# != 1 ] ; then
169 printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
170 usage
29fi 171fi
30 172
31if [ -z "`eval $GET_ID`" ]; then 173# drop trailing colon
32 echo "$0: ERROR: No identities found" >&2 174USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
33 exit 1 175# tack the hostname onto SSH_OPTS
176SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
177# and populate "$@" for later use (only way to get proper quoting of options)
178eval set -- "$SSH_OPTS"
179
180if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
181 use_id_file "$PUB_ID_FILE"
34fi 182fi
35 183
36if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then 184if [ -z "$(eval $GET_ID)" ] ; then
37 echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 185 printf '%s: ERROR: No identities found\n' "$0" >&2
38 exit 1 186 exit 1
39fi 187fi
40 188
41# strip any trailing colon 189# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
42host=`echo $1 | sed 's/:$//'` 190# and has the side effect of setting $NEW_IDS
191populate_new_ids() {
192 local L_SUCCESS="$1"
43 193
44{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1 194 # repopulate "$@" inside this function
195 eval set -- "$SSH_OPTS"
45 196
46cat <<EOF 197 umask 0177
47Now try logging into the machine, with "ssh '$host'", and check in: 198 local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
199 trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT
200 printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
201 NEW_IDS=$(
202 eval $GET_ID | {
203 while read ID ; do
204 printf '%s\n' "$ID" > $L_TMP_ID_FILE
48 205
49 ~/.ssh/authorized_keys 206 # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
207 # assumption will break if we implement the possibility of multiple -i options.
208 # The point being that if file based, ssh needs the private key, which it cannot
209 # find if only given the contents of the .pub file in an unrelated tmpfile
210 ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
211 -o PreferredAuthentications=publickey \
212 -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
213 if [ "$?" = "$L_SUCCESS" ] ; then
214 : > $L_TMP_ID_FILE
215 else
216 grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || {
217 sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
218 cat >/dev/null #consume the other keys, causing loop to end
219 }
220 fi
221
222 cat $L_TMP_ID_FILE
223 done
224 }
225 )
226 rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
227
228 if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
229 printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
230 exit 1
231 fi
232 if [ -z "$NEW_IDS" ] ; then
233 printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
234 exit 0
235 fi
236 printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
237}
50 238
51to make sure we haven't added extra keys that you weren't expecting. 239REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
240 sed -ne 's/.*remote software version //p')
52 241
53EOF 242case "$REMOTE_VERSION" in
243 NetScreen*)
244 populate_new_ids 1
245 for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
246 KEY_NO=$(($KEY_NO + 1))
247 printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
248 printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
249 continue
250 }
251 [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
252 if [ $? = 255 ] ; then
253 printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
254 else
255 ADDED=$(($ADDED + 1))
256 fi
257 done
258 if [ -z "$ADDED" ] ; then
259 exit 1
260 fi
261 ;;
262 *)
263 # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
264 populate_new_ids 0
265 [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
266 umask 077 ;
267 mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
268 if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
269 || exit 1
270 ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
271 ;;
272esac
273
274if [ "$DRY_RUN" ] ; then
275 cat <<-EOF
276 =-=-=-=-=-=-=-=
277 Would have added the following key(s):
278
279 $NEW_IDS
280 =-=-=-=-=-=-=-=
281 EOF
282else
283 cat <<-EOF
284
285 Number of key(s) added: $ADDED
286
287 Now try logging into the machine, with: "ssh $SSH_OPTS"
288 and check to make sure that only the key(s) you wanted were added.
289
290 EOF
291fi
54 292
293# =-=-=-=
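Review bot: In populate_new_ids the result of `mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX` is never checked, and `local VAR=$(...)` hides its exit status anyway; if mktemp fails (for example because ~/.ssh does not exist yet), `L_TMP_ID_FILE` is empty and both the trap and the later `rm -f $L_TMP_ID_FILE*` expand to `rm -f *` in the current directory. Declare the variable separately, stop when mktemp fails, and remove the two files by their quoted names instead of through an unquoted glob, as in the excerpt below. A second point in the same hunk: use_id_file builds `GET_ID="cat \"$PUB_ID_FILE\""`, which is later run through `eval $GET_ID`, so a file name containing a double quote, backquotes or `$(...)` is interpreted by the shell; wrapping the name in single quotes via the script's own `quote` helper, as is already done for SAVEARGS and SSH_OPTS, would avoid that.

```shell
populate_new_ids() {
  # … unchanged: L_SUCCESS, eval set -- "$SSH_OPTS", umask 0177 …
  local L_TMP_ID_FILE
  L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) && [ -n "$L_TMP_ID_FILE" ] || {
    printf '%s: ERROR: mktemp failed\n' "$0" >&2
    exit 1
  }
  trap "rm -f \"$L_TMP_ID_FILE\" \"$L_TMP_ID_FILE.stderr\"" EXIT TERM INT QUIT
  # … unchanged: loop that tries each key and fills NEW_IDS …
  rm -f "$L_TMP_ID_FILE" "$L_TMP_ID_FILE.stderr" && trap - EXIT TERM INT QUIT
```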
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
index cb15ab24d..67a59e492 100644
--- a/contrib/ssh-copy-id.1
+++ b/contrib/ssh-copy-id.1
@@ -1,75 +1,186 @@
1.ig \" -*- nroff -*- 1.ig \" -*- nroff -*-
2Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/> 2Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
3 3
4Permission is granted to make and distribute verbatim copies of 4Redistribution and use in source and binary forms, with or without
5this manual provided the copyright notice and this permission notice 5modification, are permitted provided that the following conditions
6are preserved on all copies. 6are met:
71. Redistributions of source code must retain the above copyright
8 notice, this list of conditions and the following disclaimer.
92. Redistributions in binary form must reproduce the above copyright
10 notice, this list of conditions and the following disclaimer in the
11 documentation and/or other materials provided with the distribution.
7 12
8Permission is granted to copy and distribute modified versions of this 13THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
9manual under the conditions for verbatim copying, provided that the 14IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
10entire resulting derived work is distributed under the terms of a 15OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
11permission notice identical to this one. 16IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
12 17INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
13Permission is granted to copy and distribute translations of this 18NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
14manual into another language, under the above conditions for modified 19DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
15versions, except that this permission notice may be included in 20THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
16translations approved by the Free Software Foundation instead of in 21(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
17the original English. 22THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18.. 23..
19.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" 24.Dd $Mdocdate: June 17 2010 $
20.SH NAME 25.Dt SSH-COPY-ID 1
21ssh-copy-id \- install your public key in a remote machine's authorized_keys 26.Os
22.SH SYNOPSIS 27.Sh NAME
23.B ssh-copy-id [-i [identity_file]] 28.Nm ssh-copy-id
24.I "[user@]machine" 29.Nd use locally available keys to authorise logins on a remote machine
30.Sh SYNOPSIS
31.Nm
32.Op Fl n
33.Op Fl i Op Ar identity_file
34.Op Fl p Ar port
35.Op Fl o Ar ssh_option
36.Op Ar user Ns @ Ns
37.Ar hostname
38.Nm
39.Fl h | Fl ?
25.br 40.br
26.SH DESCRIPTION 41.Sh DESCRIPTION
27.BR ssh-copy-id 42.Nm
28is a script that uses ssh to log into a remote machine and 43is a script that uses
29append the indicated identity file to that machine's 44.Xr ssh 1
30.B ~/.ssh/authorized_keys 45to log into a remote machine (presumably using a login password,
31file. 46so password authentication should be enabled, unless you've done some
32.PP 47clever use of multiple identities). It assembles a list of one or more
33If the 48fingerprints (as described below) and tries to log in with each key, to
34.B -i 49see if any of them are already installed (of course, if you are not using
35option is given then the identity file (defaults to 50.Xr ssh-agent 1
36.BR ~/.ssh/id_rsa.pub ) 51this may result in you being repeatedly prompted for pass-phrases).
37is used, regardless of whether there are any keys in your 52It then assembles a list of those that failed to log in, and using ssh,
38.BR ssh-agent . 53enables logins with those keys on the remote server. By default it adds
39Otherwise, if this: 54the keys by appending them to the remote user's
40.PP 55.Pa ~/.ssh/authorized_keys
41.B " ssh-add -L" 56(creating the file, and directory, if necessary). It is also capable
42.PP 57of detecting if the remote system is a NetScreen, and using its
43provides any output, it uses that in preference to the identity file. 58.Ql set ssh pka-dsa key ...
44.PP 59command instead.
45If the 60.Pp
46.B -i 61The options are as follows:
47option is used, or the 62.Bl -tag -width Ds
48.B ssh-add 63.It Fl i Ar identity_file
49produced no output, then it uses the contents of the identity 64Use only the key(s) contained in
50file. Once it has one or more fingerprints (by whatever means) it 65.Ar identity_file
51uses ssh to append them to 66(rather than looking for identities via
52.B ~/.ssh/authorized_keys 67.Xr ssh-add 1
53on the remote machine (creating the file, and directory, if necessary.) 68or in the
54 69.Ic default_ID_file ) .
55.SH NOTES 70If the filename does not end in
56This program does not modify the permissions of any 71.Pa .pub
57pre-existing files or directories. Therefore, if the remote 72this is added. If the filename is omitted, the
58.B sshd 73.Ic default_ID_file
59has 74is used.
60.B StrictModes 75.Pp
61set in its 76Note that this can be used to ensure that the keys copied have the
62configuration, then the user's home, 77comment one prefers and/or extra options applied, by ensuring that the
63.B ~/.ssh 78key file has these set as preferred before the copy is attempted.
64folder, and 79.It Fl n
65.B ~/.ssh/authorized_keys 80do a dry-run. Instead of installing keys on the remote system simply
66file may need to have group writability disabled manually, e.g. via 81prints the key(s) that would have been installed.
67 82.It Fl h , Fl ?
68.B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys" 83Print Usage summary
69 84.It Fl p Ar port , Fl o Ar ssh_option
70on the remote machine. 85These two options are simply passed through untouched, along with their
71 86argument, to allow one to set the port or other
72.SH "SEE ALSO" 87.Xr ssh 1
73.BR ssh (1), 88options, respectively.
74.BR ssh-agent (1), 89.Pp
75.BR sshd (8) 90Rather than specifying these as command line options, it is often better to use (per-host) settings in
91.Xr ssh 1 Ns 's
92configuration file:
93.Xr ssh_config 5 .
94.El
95.Pp
96Default behaviour without
97.Fl i ,
98is to check if
99.Ql ssh-add -L
100provides any output, and if so those keys are used. Note that this results in
101the comment on the key being the filename that was given to
102.Xr ssh-add 1
103when the key was loaded into your
104.Xr ssh-agent 1
105rather than the comment contained in that file, which is a bit of a shame.
106Otherwise, if
107.Xr ssh-add 1
108provides no keys contents of the
109.Ic default_ID_file
110will be used.
111.Pp
112The
113.Ic default_ID_file
114is the most recent file that matches:
115.Pa ~/.ssh/id*.pub ,
116(excluding those that match
117.Pa ~/.ssh/*-cert.pub )
118so if you create a key that is not the one you want
119.Nm
120to use, just use
121.Xr touch 1
122on your preferred key's
123.Pa .pub
124file to reinstate it as the most recent.
125.Pp
126.Sh EXAMPLES
127If you have already installed keys from one system on a lot of remote
128hosts, and you then create a new key, on a new client machine, say,
129it can be difficult to keep track of which systems on which you've
130installed the new key. One way of dealing with this is to load both
131the new key and old key(s) into your
132.Xr ssh-agent 1 .
133Load the new key first, without the
134.Fl c
135option, then load one or more old keys into the agent, possibly by
136ssh-ing to the client machine that has that old key, using the
137.Fl A
138option to allow agent forwarding:
139.Pp
140.D1 user@newclient$ ssh-add
141.D1 user@newclient$ ssh -A old.client
142.D1 user@oldl$ ssh-add -c
143.D1 No ... prompt for pass-phrase ...
144.D1 user@old$ logoff
145.D1 user@newclient$ ssh someserver
146.Pp
147now, if the new key is installed on the server, you'll be allowed in
148unprompted, whereas if you only have the old key(s) enabled, you'll be
149asked for confirmation, which is your cue to log back out and run
150.Pp
151.D1 user@newclient$ ssh-copy-id -i someserver
152.Pp
153The reason you might want to specify the -i option in this case is to
154ensure that the comment on the installed key is the one from the
155.Pa .pub
156file, rather than just the filename that was loaded into you agent.
157It also ensures that only the id you intended is installed, rather than
158all the keys that you have in your
159.Xr ssh-agent 1 .
160Of course, you can specify another id, or use the contents of the
161.Xr ssh-agent 1
162as you prefer.
163.Pp
164Having mentioned
165.Xr ssh-add 1 Ns 's
166.Fl c
167option, you might consider using this whenever using agent forwarding
168to avoid your key being hijacked, but it is much better to instead use
169.Xr ssh 1 Ns 's
170.Ar ProxyCommand
171and
172.Fl W
173option,
174to bounce through remote servers while always doing direct end-to-end
175authentication. This way the middle hop(s) don't get access to your
176.Xr ssh-agent 1 .
177A web search for
178.Ql ssh proxycommand nc
179should prove enlightening (N.B. the modern approach is to use the
180.Fl W
181option, rather than
182.Xr nc 1 ) .
183.Sh "SEE ALSO"
184.Xr ssh 1 ,
185.Xr ssh-agent 1 ,
186.Xr sshd 8
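--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 6.1p1
+Version: 6.2p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz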
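--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -49,7 +49,7 @@ case "$1" in
  ## Start daemon with startproc(8). If this fails
  ## the echo return value is set appropriate.
 
- startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
+ startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
 
  # Remember status and be verbose
  rc_status -v
@@ -59,7 +59,7 @@ case "$1" in
  ## Stop daemon with killproc(8) and if this fails
  ## set echo the echo return value.
 
- killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
+ killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
 
  # Remember status and be verbose
  rc_status -v
@@ -87,7 +87,7 @@ case "$1" in
 
  echo -n "Reload service sshd"
 
- killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
+ killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
 
  rc_status -v
 
@@ -103,7 +103,7 @@ case "$1" in
  # 2 - service dead, but /var/lock/ lock file exists
  # 3 - service not running
 
- checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
+ checkproc -p $SSHD_PIDFILE $SSHD_BIN
 
  rc_status -v
  ;;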
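Review bot: `$SSHD_BIN` now appears in all four changed commands but its assignment is not in any visible hunk, so it is worth confirming that it is set before the `case "$1"` block (presumably near `SSHD_PIDFILE`). If it were empty, the unquoted expansion would vanish and the following words would shift into the program position of `startproc`, `killproc` and `checkproc`. Quoting the expansions, for example `killproc -p "$SSHD_PIDFILE" -TERM "$SSHD_BIN"`, makes an empty value or a path with spaces fail visibly instead of changing the argument list. The case statement starts and ends outside these hunks.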
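--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,11 @@
-openssh (1:6.1p1-5) UNRELEASED; urgency=low
+openssh (1:6.2p1-1) UNRELEASED; urgency=low
 
+ * New upstream release (http://www.openssh.com/txt/release-6.2).
+ - Add support for multiple required authentication in SSH protocol 2 via
+ an AuthenticationMethods option (closes: #195716).
+ - Fix Sophie Germain formula in moduli(5) (closes: #698612).
+ - Update ssh-copy-id to Phil Hands' greatly revised version (closes:
+ #99785, #322228, #620428; LP: #518883, #835901, #1074798).
  * Use dh-autoreconf.
 
  -- Colin Watson <cjwatson@debian.org> Mon, 06 May 2013 10:47:33 +0100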
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index bc2602306..206967bc9 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug-Debian: http://bugs.debian.org/630606 3Bug-Debian: http://bugs.debian.org/630606
4Forwarded: no 4Forwarded: no
5Last-Update: 2011-07-28 5Last-Update: 2013-05-07
6 6
7Index: b/auth-options.c 7Index: b/auth-options.c
8=================================================================== 8===================================================================
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
96=================================================================== 96===================================================================
97--- a/auth2-pubkey.c 97--- a/auth2-pubkey.c
98+++ b/auth2-pubkey.c 98+++ b/auth2-pubkey.c
99@@ -211,6 +211,7 @@ 99@@ -217,6 +217,7 @@
100 restore_uid(); 100 restore_uid();
101 return 0; 101 return 0;
102 } 102 }
@@ -104,7 +104,7 @@ Index: b/auth2-pubkey.c
104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
105 /* Skip leading whitespace. */ 105 /* Skip leading whitespace. */
106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
107@@ -281,6 +282,8 @@ 107@@ -278,6 +279,8 @@
108 found_key = 0; 108 found_key = 0;
109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); 109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
110 110
@@ -113,7 +113,7 @@ Index: b/auth2-pubkey.c
113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
114 char *cp, *key_options = NULL; 114 char *cp, *key_options = NULL;
115 115
116@@ -417,6 +420,7 @@ 116@@ -412,6 +415,7 @@
117 if (key_cert_check_authority(key, 0, 1, 117 if (key_cert_check_authority(key, 0, 1,
118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
119 goto fail_reason; 119 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 6ffc716ee..c6a4b64c6 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
2Author: Tomas Pospisek <tpo_deb@sourcepole.ch> 2Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
4Bug-Debian: http://bugs.debian.org/441817 4Bug-Debian: http://bugs.debian.org/441817
5Last-Update: 2010-03-01 5Last-Update: 2013-05-07
6 6
7Index: b/Makefile.in 7Index: b/Makefile.in
8=================================================================== 8===================================================================
9--- a/Makefile.in 9--- a/Makefile.in
10+++ b/Makefile.in 10+++ b/Makefile.in
11@@ -277,6 +277,7 @@ 11@@ -286,6 +286,7 @@
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index a952e4405..d67123a1e 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,13 +1,13 @@
1Description: Add support for registering ConsoleKit sessions on login 1Description: Add support for registering ConsoleKit sessions on login
2Author: Colin Watson <cjwatson@ubuntu.com> 2Author: Colin Watson <cjwatson@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
4Last-Updated: 2012-10-31 4Last-Updated: 2013-05-07
5 5
6Index: b/Makefile.in 6Index: b/Makefile.in
7=================================================================== 7===================================================================
8--- a/Makefile.in 8--- a/Makefile.in
9+++ b/Makefile.in 9+++ b/Makefile.in
10@@ -94,7 +94,8 @@ 10@@ -96,7 +96,8 @@
11 sftp-server.o sftp-common.o \ 11 sftp-server.o sftp-common.o \
12 roaming_common.o roaming_serv.o \ 12 roaming_common.o roaming_serv.o \
13 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 13 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -21,9 +21,9 @@ Index: b/configure.ac
21=================================================================== 21===================================================================
22--- a/configure.ac 22--- a/configure.ac
23+++ b/configure.ac 23+++ b/configure.ac
24@@ -3672,6 +3672,30 @@ 24@@ -3801,6 +3801,30 @@
25 ] 25 AC_SUBST([GSSLIBS])
26 ) 26 AC_SUBST([K5LIBS])
27 27
28+# Check whether user wants ConsoleKit support 28+# Check whether user wants ConsoleKit support
29+CONSOLEKIT_MSG="no" 29+CONSOLEKIT_MSG="no"
@@ -52,7 +52,7 @@ Index: b/configure.ac
52 # Looking for programs, paths and files 52 # Looking for programs, paths and files
53 53
54 PRIVSEP_PATH=/var/empty 54 PRIVSEP_PATH=/var/empty
55@@ -4435,6 +4459,7 @@ 55@@ -4600,6 +4624,7 @@
56 echo " libedit support: $LIBEDIT_MSG" 56 echo " libedit support: $LIBEDIT_MSG"
57 echo " Solaris process contract support: $SPC_MSG" 57 echo " Solaris process contract support: $SPC_MSG"
58 echo " Solaris project support: $SP_MSG" 58 echo " Solaris project support: $SP_MSG"
@@ -64,7 +64,7 @@ Index: b/configure
64=================================================================== 64===================================================================
65--- a/configure 65--- a/configure
66+++ b/configure 66+++ b/configure
67@@ -735,6 +735,7 @@ 67@@ -737,6 +737,7 @@
68 with_sandbox 68 with_sandbox
69 with_selinux 69 with_selinux
70 with_kerberos5 70 with_kerberos5
@@ -72,7 +72,7 @@ Index: b/configure
72 with_privsep_path 72 with_privsep_path
73 with_xauth 73 with_xauth
74 enable_strip 74 enable_strip
75@@ -1425,6 +1426,7 @@ 75@@ -1427,6 +1428,7 @@
76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) 76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
77 --with-selinux Enable SELinux support 77 --with-selinux Enable SELinux support
78 --with-kerberos5=PATH Enable Kerberos 5 support 78 --with-kerberos5=PATH Enable Kerberos 5 support
@@ -80,8 +80,8 @@ Index: b/configure
80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
81 --with-xauth=PATH Specify path to xauth program 81 --with-xauth=PATH Specify path to xauth program
82 --with-maildir=/path/to/mail Specify your system mail directory 82 --with-maildir=/path/to/mail Specify your system mail directory
83@@ -15683,6 +15685,135 @@ 83@@ -16002,6 +16004,135 @@
84 fi 84
85 85
86 86
87+# Check whether user wants ConsoleKit support 87+# Check whether user wants ConsoleKit support
@@ -216,7 +216,7 @@ Index: b/configure
216 # Looking for programs, paths and files 216 # Looking for programs, paths and files
217 217
218 PRIVSEP_PATH=/var/empty 218 PRIVSEP_PATH=/var/empty
219@@ -18155,6 +18286,7 @@ 219@@ -18527,6 +18658,7 @@
220 echo " libedit support: $LIBEDIT_MSG" 220 echo " libedit support: $LIBEDIT_MSG"
221 echo " Solaris process contract support: $SPC_MSG" 221 echo " Solaris process contract support: $SPC_MSG"
222 echo " Solaris project support: $SP_MSG" 222 echo " Solaris project support: $SP_MSG"
@@ -522,7 +522,7 @@ Index: b/monitor.c
522 static Authctxt *authctxt; 522 static Authctxt *authctxt;
523 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 523 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
524 524
525@@ -283,6 +290,9 @@ 525@@ -284,6 +291,9 @@
526 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 526 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
527 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 527 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
528 #endif 528 #endif
@@ -532,7 +532,7 @@ Index: b/monitor.c
532 {0, 0, NULL} 532 {0, 0, NULL}
533 }; 533 };
534 534
535@@ -325,6 +335,9 @@ 535@@ -326,6 +336,9 @@
536 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 536 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
537 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 537 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
538 #endif 538 #endif
@@ -542,7 +542,7 @@ Index: b/monitor.c
542 {0, 0, NULL} 542 {0, 0, NULL}
543 }; 543 };
544 544
545@@ -495,6 +508,9 @@ 545@@ -514,6 +527,9 @@
546 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 546 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
547 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 547 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
548 } 548 }
@@ -552,7 +552,7 @@ Index: b/monitor.c
552 552
553 for (;;) 553 for (;;)
554 monitor_read(pmonitor, mon_dispatch, NULL); 554 monitor_read(pmonitor, mon_dispatch, NULL);
555@@ -2196,6 +2212,34 @@ 555@@ -2232,6 +2248,34 @@
556 buffer_put_int(m, major); 556 buffer_put_int(m, major);
557 buffer_put_string(m, hash.value, hash.length); 557 buffer_put_string(m, hash.value, hash.length);
558 558
@@ -591,19 +591,20 @@ Index: b/monitor.h
591=================================================================== 591===================================================================
592--- a/monitor.h 592--- a/monitor.h
593+++ b/monitor.h 593+++ b/monitor.h
594@@ -62,6 +62,7 @@ 594@@ -75,6 +75,8 @@
595 MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, 595
596 MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, 596 MONITOR_REQ_AUTHROLE = 300,
597 MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, 597
598+ MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER, 598+ MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401,
599 MONITOR_REQ_TERM, 599+
600 MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, 600 };
601 MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, 601
602 struct mm_master;
602Index: b/monitor_wrap.c 603Index: b/monitor_wrap.c
603=================================================================== 604===================================================================
604--- a/monitor_wrap.c 605--- a/monitor_wrap.c
605+++ b/monitor_wrap.c 606+++ b/monitor_wrap.c
606@@ -1310,6 +1310,37 @@ 607@@ -1311,6 +1311,37 @@
607 mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) 608 mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
608 { 609 {
609 Buffer m; 610 Buffer m;
@@ -666,7 +667,7 @@ Index: b/session.c
666 667
667 #if defined(KRB5) && defined(USE_AFS) 668 #if defined(KRB5) && defined(USE_AFS)
668 #include <kafs.h> 669 #include <kafs.h>
669@@ -1129,6 +1130,9 @@ 670@@ -1132,6 +1133,9 @@
670 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) 671 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
671 char *path = NULL; 672 char *path = NULL;
672 #endif 673 #endif
@@ -676,7 +677,7 @@ Index: b/session.c
676 677
677 /* Initialize the environment. */ 678 /* Initialize the environment. */
678 envsize = 100; 679 envsize = 100;
679@@ -1273,6 +1277,11 @@ 680@@ -1276,6 +1280,11 @@
680 child_set_env(&env, &envsize, "KRB5CCNAME", 681 child_set_env(&env, &envsize, "KRB5CCNAME",
681 s->authctxt->krb5_ccname); 682 s->authctxt->krb5_ccname);
682 #endif 683 #endif
@@ -688,7 +689,7 @@ Index: b/session.c
688 #ifdef USE_PAM 689 #ifdef USE_PAM
689 /* 690 /*
690 * Pull in any environment variables that may have 691 * Pull in any environment variables that may have
691@@ -2300,6 +2309,10 @@ 692@@ -2308,6 +2317,10 @@
692 693
693 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 694 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
694 695
diff --git a/debian/patches/copy-id-restorecon.patch b/debian/patches/copy-id-restorecon.patch
deleted file mode 100644
index d26680c4a..000000000
--- a/debian/patches/copy-id-restorecon.patch
+++ /dev/null
@@ -1,19 +0,0 @@
1Description: Call restorecon on copied ~/.ssh/authorized_keys if possible
2Author: Tomas Mraz <tmraz@fedoraproject.org>
3Bug-Debian: http://bugs.debian.org/658675
4Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=739989
5Last-Update: 2012-08-24
6
7Index: b/contrib/ssh-copy-id
8===================================================================
9--- a/contrib/ssh-copy-id
10+++ b/contrib/ssh-copy-id
11@@ -41,7 +41,7 @@
12 # strip any trailing colon
13 host=`echo $1 | sed 's/:$//'`
14
15-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
16+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
17
18 cat <<EOF
19 Now try logging into the machine, with "ssh '$host'", and check in:
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 22b1e4c14..d96f2cc59 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option
4Author: Kees Cook <kees@debian.org> 4Author: Kees Cook <kees@debian.org>
5Bug-Debian: http://bugs.debian.org/562048 5Bug-Debian: http://bugs.debian.org/562048
6Forwarded: not-needed 6Forwarded: not-needed
7Last-Update: 2012-09-07 7Last-Update: 2013-05-07
8 8
9Index: b/servconf.c 9Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -146,6 +146,7 @@ 13@@ -150,6 +150,7 @@
14 options->ip_qos_interactive = -1; 14 options->ip_qos_interactive = -1;
15 options->ip_qos_bulk = -1; 15 options->ip_qos_bulk = -1;
16 options->version_addendum = NULL; 16 options->version_addendum = NULL;
@@ -18,7 +18,7 @@ Index: b/servconf.c
18 } 18 }
19 19
20 void 20 void
21@@ -295,6 +296,8 @@ 21@@ -299,6 +300,8 @@
22 options->ip_qos_bulk = IPTOS_THROUGHPUT; 22 options->ip_qos_bulk = IPTOS_THROUGHPUT;
23 if (options->version_addendum == NULL) 23 if (options->version_addendum == NULL)
24 options->version_addendum = xstrdup(""); 24 options->version_addendum = xstrdup("");
@@ -27,23 +27,23 @@ Index: b/servconf.c
27 /* Turn privilege separation on by default */ 27 /* Turn privilege separation on by default */
28 if (use_privsep == -1) 28 if (use_privsep == -1)
29 use_privsep = PRIVSEP_NOSANDBOX; 29 use_privsep = PRIVSEP_NOSANDBOX;
30@@ -343,6 +346,7 @@ 30@@ -349,6 +352,7 @@
31 sZeroKnowledgePasswordAuthentication, sHostCertificate,
32 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
33 sKexAlgorithms, sIPQoS, sVersionAddendum, 31 sKexAlgorithms, sIPQoS, sVersionAddendum,
32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
33 sAuthenticationMethods,
34+ sDebianBanner, 34+ sDebianBanner,
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -479,6 +483,7 @@ 38@@ -488,6 +492,7 @@
39 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
40 { "ipqos", sIPQoS, SSHCFG_ALL },
41 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 42+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1538,6 +1543,10 @@ 46@@ -1593,6 +1598,10 @@
47 } 47 }
48 return 0; 48 return 0;
49 49
@@ -58,10 +58,11 @@ Index: b/servconf.h
58=================================================================== 58===================================================================
59--- a/servconf.h 59--- a/servconf.h
60+++ b/servconf.h 60+++ b/servconf.h
61@@ -172,6 +172,7 @@ 61@@ -184,6 +184,8 @@
62 char *authorized_principals_file;
63 62
64 char *version_addendum; /* Appended to SSH banner */ 63 u_int num_auth_methods;
64 char *auth_methods[MAX_AUTH_METHODS];
65+
65+ int debian_banner; 66+ int debian_banner;
66 } ServerOptions; 67 } ServerOptions;
67 68
@@ -70,7 +71,7 @@ Index: b/sshd.c
70=================================================================== 71===================================================================
71--- a/sshd.c 72--- a/sshd.c
72+++ b/sshd.c 73+++ b/sshd.c
73@@ -425,7 +425,8 @@ 74@@ -434,7 +434,8 @@
74 } 75 }
75 76
76 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -84,7 +85,7 @@ Index: b/sshd_config.5
84=================================================================== 85===================================================================
85--- a/sshd_config.5 86--- a/sshd_config.5
86+++ b/sshd_config.5 87+++ b/sshd_config.5
87@@ -342,6 +342,11 @@ 88@@ -397,6 +397,11 @@
88 .Dq no . 89 .Dq no .
89 The default is 90 The default is
90 .Dq delayed . 91 .Dq delayed .
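Review bot: The refreshed servconf.h hunk adds `int debian_banner;` to ServerOptions without a comment, although the neighbouring field in the old context carried one (`/* Appended to SSH banner */`). The sshd.c hunk of the same patch changes the `xasprintf(&server_version_string, ...)` call, so the field appears to decide what goes into the version string sent to every client before authentication, which is worth stating at the declaration. I would write `int debian_banner;	/* DebianBanner: include the distribution version suffix in the SSH version banner */`. The wording should be confirmed against the added lines of the sshd.c and sshd_config.5 hunks, because this view shows only their context lines.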
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 57ebbf540..77e807502 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -18,7 +18,7 @@ Description: Various Debian-specific configuration changes
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Author: Russ Allbery <rra@debian.org> 19Author: Russ Allbery <rra@debian.org>
20Forwarded: not-needed 20Forwarded: not-needed
21Last-Update: 2010-02-28 21Last-Update: 2013-05-07
22 22
23Index: b/readconf.c 23Index: b/readconf.c
24=================================================================== 24===================================================================
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -499,7 +515,8 @@ 87@@ -502,7 +518,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index cec6f6639..25201a7d4 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
4Bug-Debian: http://bugs.debian.org/430154 4Bug-Debian: http://bugs.debian.org/430154
5Last-Update: 2010-03-01 5Last-Update: 2013-05-07
6 6
7Index: b/ssh_config.5 7Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -585,6 +585,9 @@ 11@@ -588,6 +588,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 786500feb..7690e5824 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13 security history. 13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk> 14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2012-09-07 16Last-Updated: 2013-05-07
17 17
18Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
@@ -137,15 +137,15 @@ Index: b/Makefile.in
137=================================================================== 137===================================================================
138--- a/Makefile.in 138--- a/Makefile.in
139+++ b/Makefile.in 139+++ b/Makefile.in
140@@ -70,6 +70,7 @@ 140@@ -72,6 +72,7 @@
141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
144+ kexgssc.o \ 144+ kexgssc.o \
145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ 145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
146 schnorr.o ssh-pkcs11.o 146 jpake.o schnorr.o ssh-pkcs11.o krl.o
147 147
148@@ -86,7 +87,7 @@ 148@@ -88,7 +89,7 @@
149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
151 auth-krb5.o \ 151 auth-krb5.o \
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
210--- a/auth2-gss.c 210--- a/auth2-gss.c
211+++ b/auth2-gss.c 211+++ b/auth2-gss.c
212@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
213 /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
214 214
215 /* 215 /*
216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -280,7 +280,7 @@ Index: b/auth2-gss.c
280 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
281 281
282@@ -294,6 +330,12 @@ 282@@ -294,6 +330,12 @@
283 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
284 } 284 }
285 285
286+Authmethod method_gsskeyex = { 286+Authmethod method_gsskeyex = {
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327 /* import options */ 327 /* import options */
328 extern Options options; 328 extern Options options;
329 329
330@@ -1544,6 +1548,15 @@ 330@@ -1599,6 +1603,15 @@
331 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 332 if (!rekeying) {
333 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347=================================================================== 347===================================================================
348--- a/config.h.in 348--- a/config.h.in
349+++ b/config.h.in 349+++ b/config.h.in
350@@ -1471,6 +1471,9 @@ 350@@ -1511,6 +1511,9 @@
351 /* Use btmp to log bad logins */ 351 /* Use btmp to log bad logins */
352 #undef USE_BTMP 352 #undef USE_BTMP
353 353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357 /* Use libedit for sftp */ 357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT 358 #undef USE_LIBEDIT
359 359
360@@ -1486,6 +1489,9 @@ 360@@ -1526,6 +1529,9 @@
361 /* Use PIPES instead of a socketpair() */ 361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES 362 #undef USE_PIPES
363 363
@@ -371,7 +371,7 @@ Index: b/configure
371=================================================================== 371===================================================================
372--- a/configure 372--- a/configure
373+++ b/configure 373+++ b/configure
374@@ -6608,6 +6608,63 @@ 374@@ -6588,6 +6588,63 @@
375 375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377 377
@@ -439,7 +439,7 @@ Index: b/configure.ac
439=================================================================== 439===================================================================
440--- a/configure.ac 440--- a/configure.ac
441+++ b/configure.ac 441+++ b/configure.ac
442@@ -545,6 +545,30 @@ 442@@ -533,6 +533,30 @@
443 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
@@ -1277,7 +1277,7 @@ Index: b/kex.c
1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1278 # if defined(HAVE_EVP_SHA256) 1278 # if defined(HAVE_EVP_SHA256)
1279 # define evp_ssh_sha256 EVP_sha256 1279 # define evp_ssh_sha256 EVP_sha256
1280@@ -358,6 +362,20 @@ 1280@@ -369,6 +373,20 @@
1281 k->kex_type = KEX_ECDH_SHA2; 1281 k->kex_type = KEX_ECDH_SHA2;
1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name); 1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1283 #endif 1283 #endif
@@ -1312,7 +1312,7 @@ Index: b/kex.h
1312 KEX_MAX 1312 KEX_MAX
1313 }; 1313 };
1314 1314
1315@@ -129,6 +132,12 @@ 1315@@ -131,6 +134,12 @@
1316 sig_atomic_t done; 1316 sig_atomic_t done;
1317 int flags; 1317 int flags;
1318 const EVP_MD *evp_md; 1318 const EVP_MD *evp_md;
@@ -1325,7 +1325,7 @@ Index: b/kex.h
1325 char *client_version_string; 1325 char *client_version_string;
1326 char *server_version_string; 1326 char *server_version_string;
1327 int (*verify_host_key)(Key *); 1327 int (*verify_host_key)(Key *);
1328@@ -156,6 +165,11 @@ 1328@@ -158,6 +167,11 @@
1329 void kexecdh_client(Kex *); 1329 void kexecdh_client(Kex *);
1330 void kexecdh_server(Kex *); 1330 void kexecdh_server(Kex *);
1331 1331
@@ -2016,7 +2016,7 @@ Index: b/monitor.c
2016 #endif 2016 #endif
2017 2017
2018 #ifdef SSH_AUDIT_EVENTS 2018 #ifdef SSH_AUDIT_EVENTS
2019@@ -251,6 +253,7 @@ 2019@@ -252,6 +254,7 @@
2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2024,7 @@ Index: b/monitor.c
2024 #endif 2024 #endif
2025 #ifdef JPAKE 2025 #ifdef JPAKE
2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2027@@ -263,6 +266,12 @@ 2027@@ -264,6 +267,12 @@
2028 }; 2028 };
2029 2029
2030 struct mon_table mon_dispatch_postauth20[] = { 2030 struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2037,7 @@ Index: b/monitor.c
2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2039 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2039 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2040@@ -371,6 +380,10 @@ 2040@@ -372,6 +381,10 @@
2041 /* Permit requests for moduli and signatures */ 2041 /* Permit requests for moduli and signatures */
2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2048,7 +2048,7 @@ Index: b/monitor.c
2048 } else { 2048 } else {
2049 mon_dispatch = mon_dispatch_proto15; 2049 mon_dispatch = mon_dispatch_proto15;
2050 2050
2051@@ -468,6 +481,10 @@ 2051@@ -487,6 +500,10 @@
2052 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2052 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2053 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2053 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2054 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2054 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
2059 } else { 2059 } else {
2060 mon_dispatch = mon_dispatch_postauth15; 2060 mon_dispatch = mon_dispatch_postauth15;
2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062@@ -1800,6 +1817,13 @@ 2062@@ -1836,6 +1853,13 @@
2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
2073 kex->server = 1; 2073 kex->server = 1;
2074 kex->hostkey_type = buffer_get_int(m); 2074 kex->hostkey_type = buffer_get_int(m);
2075 kex->kex_type = buffer_get_int(m); 2075 kex->kex_type = buffer_get_int(m);
2076@@ -2006,6 +2030,9 @@ 2076@@ -2042,6 +2066,9 @@
2077 OM_uint32 major; 2077 OM_uint32 major;
2078 u_int len; 2078 u_int len;
2079 2079
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
2083 goid.elements = buffer_get_string(m, &len); 2083 goid.elements = buffer_get_string(m, &len);
2084 goid.length = len; 2084 goid.length = len;
2085 2085
2086@@ -2033,6 +2060,9 @@ 2086@@ -2069,6 +2096,9 @@
2087 OM_uint32 flags = 0; /* GSI needs this */ 2087 OM_uint32 flags = 0; /* GSI needs this */
2088 u_int len; 2088 u_int len;
2089 2089
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
2093 in.value = buffer_get_string(m, &len); 2093 in.value = buffer_get_string(m, &len);
2094 in.length = len; 2094 in.length = len;
2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096@@ -2050,6 +2080,7 @@ 2096@@ -2086,6 +2116,7 @@
2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
2101 } 2101 }
2102 return (0); 2102 return (0);
2103 } 2103 }
2104@@ -2061,6 +2092,9 @@ 2104@@ -2097,6 +2128,9 @@
2105 OM_uint32 ret; 2105 OM_uint32 ret;
2106 u_int len; 2106 u_int len;
2107 2107
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
2111 gssbuf.value = buffer_get_string(m, &len); 2111 gssbuf.value = buffer_get_string(m, &len);
2112 gssbuf.length = len; 2112 gssbuf.length = len;
2113 mic.value = buffer_get_string(m, &len); 2113 mic.value = buffer_get_string(m, &len);
2114@@ -2087,7 +2121,11 @@ 2114@@ -2123,7 +2157,11 @@
2115 { 2115 {
2116 int authenticated; 2116 int authenticated;
2117 2117
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
2124 2124
2125 buffer_clear(m); 2125 buffer_clear(m);
2126 buffer_put_int(m, authenticated); 2126 buffer_put_int(m, authenticated);
2127@@ -2100,6 +2138,74 @@ 2127@@ -2136,6 +2174,74 @@
2128 /* Monitor loop will terminate if authenticated */ 2128 /* Monitor loop will terminate if authenticated */
2129 return (authenticated); 2129 return (authenticated);
2130 } 2130 }
@@ -2203,20 +2203,21 @@ Index: b/monitor.h
2203=================================================================== 2203===================================================================
2204--- a/monitor.h 2204--- a/monitor.h
2205+++ b/monitor.h 2205+++ b/monitor.h
2206@@ -53,6 +53,8 @@ 2206@@ -70,6 +70,9 @@
2207 MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, 2207 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
2208 MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 2208 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
2209 MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, 2209
2210+ MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, 2210+ MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
2211+ MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, 2211+ MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
2212 MONITOR_REQ_PAM_START, 2212+
2213 MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, 2213 };
2214 MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, 2214
2215 struct mm_master;
2215Index: b/monitor_wrap.c 2216Index: b/monitor_wrap.c
2216=================================================================== 2217===================================================================
2217--- a/monitor_wrap.c 2218--- a/monitor_wrap.c
2218+++ b/monitor_wrap.c 2219+++ b/monitor_wrap.c
2219@@ -1270,7 +1270,7 @@ 2220@@ -1271,7 +1271,7 @@
2220 } 2221 }
2221 2222
2222 int 2223 int
@@ -2225,7 +2226,7 @@ Index: b/monitor_wrap.c
2225 { 2226 {
2226 Buffer m; 2227 Buffer m;
2227 int authenticated = 0; 2228 int authenticated = 0;
2228@@ -1287,6 +1287,51 @@ 2229@@ -1288,6 +1288,51 @@
2229 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2230 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2230 return (authenticated); 2231 return (authenticated);
2231 } 2232 }
@@ -2406,7 +2407,7 @@ Index: b/servconf.c
2406=================================================================== 2407===================================================================
2407--- a/servconf.c 2408--- a/servconf.c
2408+++ b/servconf.c 2409+++ b/servconf.c
2409@@ -100,7 +100,10 @@ 2410@@ -102,7 +102,10 @@
2410 options->kerberos_ticket_cleanup = -1; 2411 options->kerberos_ticket_cleanup = -1;
2411 options->kerberos_get_afs_token = -1; 2412 options->kerberos_get_afs_token = -1;
2412 options->gss_authentication=-1; 2413 options->gss_authentication=-1;
@@ -2417,7 +2418,7 @@ Index: b/servconf.c
2417 options->password_authentication = -1; 2418 options->password_authentication = -1;
2418 options->kbd_interactive_authentication = -1; 2419 options->kbd_interactive_authentication = -1;
2419 options->challenge_response_authentication = -1; 2420 options->challenge_response_authentication = -1;
2420@@ -229,8 +232,14 @@ 2421@@ -233,8 +236,14 @@
2421 options->kerberos_get_afs_token = 0; 2422 options->kerberos_get_afs_token = 0;
2422 if (options->gss_authentication == -1) 2423 if (options->gss_authentication == -1)
2423 options->gss_authentication = 0; 2424 options->gss_authentication = 0;
@@ -2432,7 +2433,7 @@ Index: b/servconf.c
2432 if (options->password_authentication == -1) 2433 if (options->password_authentication == -1)
2433 options->password_authentication = 1; 2434 options->password_authentication = 1;
2434 if (options->kbd_interactive_authentication == -1) 2435 if (options->kbd_interactive_authentication == -1)
2435@@ -323,7 +332,9 @@ 2436@@ -327,7 +336,9 @@
2436 sBanner, sUseDNS, sHostbasedAuthentication, 2437 sBanner, sUseDNS, sHostbasedAuthentication,
2437 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2438 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2438 sClientAliveCountMax, sAuthorizedKeysFile, 2439 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2444,7 @@ Index: b/servconf.c
2443 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2444 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2444 sUsePrivilegeSeparation, sAllowAgentForwarding, 2445 sUsePrivilegeSeparation, sAllowAgentForwarding,
2445 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2446 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2446@@ -387,10 +398,20 @@ 2447@@ -393,10 +404,20 @@
2447 #ifdef GSSAPI 2448 #ifdef GSSAPI
2448 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2449 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2449 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2450 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2465,7 @@ Index: b/servconf.c
2464 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2465 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2465 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2466 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2466 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2467 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2467@@ -1031,10 +1052,22 @@ 2468@@ -1049,10 +1070,22 @@
2468 intptr = &options->gss_authentication; 2469 intptr = &options->gss_authentication;
2469 goto parse_flag; 2470 goto parse_flag;
2470 2471
@@ -2487,7 +2488,7 @@ Index: b/servconf.c
2487 case sPasswordAuthentication: 2488 case sPasswordAuthentication:
2488 intptr = &options->password_authentication; 2489 intptr = &options->password_authentication;
2489 goto parse_flag; 2490 goto parse_flag;
2490@@ -1868,7 +1901,10 @@ 2491@@ -1927,7 +1960,10 @@
2491 #endif 2492 #endif
2492 #ifdef GSSAPI 2493 #ifdef GSSAPI
2493 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2494 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2502,7 +2503,7 @@ Index: b/servconf.h
2502=================================================================== 2503===================================================================
2503--- a/servconf.h 2504--- a/servconf.h
2504+++ b/servconf.h 2505+++ b/servconf.h
2505@@ -103,7 +103,10 @@ 2506@@ -110,7 +110,10 @@
2506 int kerberos_get_afs_token; /* If true, try to get AFS token if 2507 int kerberos_get_afs_token; /* If true, try to get AFS token if
2507 * authenticated with Kerberos. */ 2508 * authenticated with Kerberos. */
2508 int gss_authentication; /* If true, permit GSSAPI authentication */ 2509 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2525,7 +2526,7 @@ Index: b/ssh-gss.h
2525 * 2526 *
2526 * Redistribution and use in source and binary forms, with or without 2527 * Redistribution and use in source and binary forms, with or without
2527 * modification, are permitted provided that the following conditions 2528 * modification, are permitted provided that the following conditions
2528@@ -60,10 +60,22 @@ 2529@@ -61,10 +61,22 @@
2529 2530
2530 #define SSH_GSS_OIDTYPE 0x06 2531 #define SSH_GSS_OIDTYPE 0x06
2531 2532
@@ -2548,7 +2549,7 @@ Index: b/ssh-gss.h
2548 void *data; 2549 void *data;
2549 } ssh_gssapi_ccache; 2550 } ssh_gssapi_ccache;
2550 2551
2551@@ -71,8 +83,11 @@ 2552@@ -72,8 +84,11 @@
2552 gss_buffer_desc displayname; 2553 gss_buffer_desc displayname;
2553 gss_buffer_desc exportedname; 2554 gss_buffer_desc exportedname;
2554 gss_cred_id_t creds; 2555 gss_cred_id_t creds;
@@ -2560,7 +2561,7 @@ Index: b/ssh-gss.h
2560 } ssh_gssapi_client; 2561 } ssh_gssapi_client;
2561 2562
2562 typedef struct ssh_gssapi_mech_struct { 2563 typedef struct ssh_gssapi_mech_struct {
2563@@ -83,6 +98,7 @@ 2564@@ -84,6 +99,7 @@
2564 int (*userok) (ssh_gssapi_client *, char *); 2565 int (*userok) (ssh_gssapi_client *, char *);
2565 int (*localname) (ssh_gssapi_client *, char **); 2566 int (*localname) (ssh_gssapi_client *, char **);
2566 void (*storecreds) (ssh_gssapi_client *); 2567 void (*storecreds) (ssh_gssapi_client *);
@@ -2568,7 +2569,7 @@ Index: b/ssh-gss.h
2568 } ssh_gssapi_mech; 2569 } ssh_gssapi_mech;
2569 2570
2570 typedef struct { 2571 typedef struct {
2571@@ -93,10 +109,11 @@ 2572@@ -94,10 +110,11 @@
2572 gss_OID oid; /* client */ 2573 gss_OID oid; /* client */
2573 gss_cred_id_t creds; /* server */ 2574 gss_cred_id_t creds; /* server */
2574 gss_name_t client; /* server */ 2575 gss_name_t client; /* server */
@@ -2581,7 +2582,7 @@ Index: b/ssh-gss.h
2581 2582
2582 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2583 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
2583 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2584 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
2584@@ -116,16 +133,30 @@ 2585@@ -117,16 +134,30 @@
2585 void ssh_gssapi_delete_ctx(Gssctxt **); 2586 void ssh_gssapi_delete_ctx(Gssctxt **);
2586 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2587 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
2587 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 2588 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2631,7 +2632,7 @@ Index: b/ssh_config.5
2631=================================================================== 2632===================================================================
2632--- a/ssh_config.5 2633--- a/ssh_config.5
2633+++ b/ssh_config.5 2634+++ b/ssh_config.5
2634@@ -527,11 +527,43 @@ 2635@@ -530,11 +530,43 @@
2635 The default is 2636 The default is
2636 .Dq no . 2637 .Dq no .
2637 Note that this option applies to protocol version 2 only. 2638 Note that this option applies to protocol version 2 only.
@@ -2764,7 +2765,7 @@ Index: b/sshconnect2.c
2764 xxx_kex = kex; 2765 xxx_kex = kex;
2765 2766
2766 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2767 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2767@@ -305,6 +361,7 @@ 2768@@ -306,6 +362,7 @@
2768 void input_gssapi_hash(int type, u_int32_t, void *); 2769 void input_gssapi_hash(int type, u_int32_t, void *);
2769 void input_gssapi_error(int, u_int32_t, void *); 2770 void input_gssapi_error(int, u_int32_t, void *);
2770 void input_gssapi_errtok(int, u_int32_t, void *); 2771 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2772,7 +2773,7 @@ Index: b/sshconnect2.c
2772 #endif 2773 #endif
2773 2774
2774 void userauth(Authctxt *, char *); 2775 void userauth(Authctxt *, char *);
2775@@ -320,6 +377,11 @@ 2776@@ -321,6 +378,11 @@
2776 2777
2777 Authmethod authmethods[] = { 2778 Authmethod authmethods[] = {
2778 #ifdef GSSAPI 2779 #ifdef GSSAPI
@@ -2784,7 +2785,7 @@ Index: b/sshconnect2.c
2784 {"gssapi-with-mic", 2785 {"gssapi-with-mic",
2785 userauth_gssapi, 2786 userauth_gssapi,
2786 NULL, 2787 NULL,
2787@@ -626,19 +688,31 @@ 2788@@ -627,19 +689,31 @@
2788 static u_int mech = 0; 2789 static u_int mech = 0;
2789 OM_uint32 min; 2790 OM_uint32 min;
2790 int ok = 0; 2791 int ok = 0;
@@ -2818,7 +2819,7 @@ Index: b/sshconnect2.c
2818 ok = 1; /* Mechanism works */ 2819 ok = 1; /* Mechanism works */
2819 } else { 2820 } else {
2820 mech++; 2821 mech++;
2821@@ -735,8 +809,8 @@ 2822@@ -736,8 +810,8 @@
2822 { 2823 {
2823 Authctxt *authctxt = ctxt; 2824 Authctxt *authctxt = ctxt;
2824 Gssctxt *gssctxt; 2825 Gssctxt *gssctxt;
@@ -2829,7 +2830,7 @@ Index: b/sshconnect2.c
2829 2830
2830 if (authctxt == NULL) 2831 if (authctxt == NULL)
2831 fatal("input_gssapi_response: no authentication context"); 2832 fatal("input_gssapi_response: no authentication context");
2832@@ -846,6 +920,48 @@ 2833@@ -847,6 +921,48 @@
2833 xfree(msg); 2834 xfree(msg);
2834 xfree(lang); 2835 xfree(lang);
2835 } 2836 }
@@ -2893,7 +2894,7 @@ Index: b/sshd.c
2893 #ifdef LIBWRAP 2894 #ifdef LIBWRAP
2894 #include <tcpd.h> 2895 #include <tcpd.h>
2895 #include <syslog.h> 2896 #include <syslog.h>
2896@@ -1607,10 +1611,13 @@ 2897@@ -1645,10 +1649,13 @@
2897 logit("Disabling protocol version 1. Could not load host key"); 2898 logit("Disabling protocol version 1. Could not load host key");
2898 options.protocol &= ~SSH_PROTO_1; 2899 options.protocol &= ~SSH_PROTO_1;
2899 } 2900 }
@@ -2907,7 +2908,7 @@ Index: b/sshd.c
2907 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2908 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2908 logit("sshd: no hostkeys available -- exiting."); 2909 logit("sshd: no hostkeys available -- exiting.");
2909 exit(1); 2910 exit(1);
2910@@ -1938,6 +1945,60 @@ 2911@@ -1976,6 +1983,60 @@
2911 /* Log the connection. */ 2912 /* Log the connection. */
2912 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2913 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2913 2914
@@ -2968,7 +2969,7 @@ Index: b/sshd.c
2968 /* 2969 /*
2969 * We don't want to listen forever unless the other side 2970 * We don't want to listen forever unless the other side
2970 * successfully authenticates itself. So we set up an alarm which is 2971 * successfully authenticates itself. So we set up an alarm which is
2971@@ -2319,6 +2380,48 @@ 2972@@ -2357,6 +2418,48 @@
2972 2973
2973 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2974 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2974 2975
@@ -3017,7 +3018,7 @@ Index: b/sshd.c
3017 /* start key exchange */ 3018 /* start key exchange */
3018 kex = kex_setup(myproposal); 3019 kex = kex_setup(myproposal);
3019 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3020 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3020@@ -2326,6 +2429,13 @@ 3021@@ -2364,6 +2467,13 @@
3021 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3022 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3022 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3023 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3023 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3024 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3036,7 @@ Index: b/sshd_config
3035=================================================================== 3036===================================================================
3036--- a/sshd_config 3037--- a/sshd_config
3037+++ b/sshd_config 3038+++ b/sshd_config
3038@@ -77,6 +77,8 @@ 3039@@ -80,6 +80,8 @@
3039 # GSSAPI options 3040 # GSSAPI options
3040 #GSSAPIAuthentication no 3041 #GSSAPIAuthentication no
3041 #GSSAPICleanupCredentials yes 3042 #GSSAPICleanupCredentials yes
@@ -3048,7 +3049,7 @@ Index: b/sshd_config.5
3048=================================================================== 3049===================================================================
3049--- a/sshd_config.5 3050--- a/sshd_config.5
3050+++ b/sshd_config.5 3051+++ b/sshd_config.5
3051@@ -426,12 +426,40 @@ 3052@@ -481,12 +481,40 @@
3052 The default is 3053 The default is
3053 .Dq no . 3054 .Dq no .
3054 Note that this option applies to protocol version 2 only. 3055 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 0937a49e6..028bd62e5 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,7 +12,7 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
12Author: Ian Jackson <ian@chiark.greenend.org.uk> 12Author: Ian Jackson <ian@chiark.greenend.org.uk>
13Author: Matthew Vernon <matthew@debian.org> 13Author: Matthew Vernon <matthew@debian.org>
14Author: Colin Watson <cjwatson@debian.org> 14Author: Colin Watson <cjwatson@debian.org>
15Last-Update: 2010-02-27 15Last-Update: 2013-05-07
16 16
17Index: b/readconf.c 17Index: b/readconf.c
18=================================================================== 18===================================================================
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -1099,8 +1103,15 @@ 81@@ -1113,8 +1117,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1139,6 +1150,12 @@ 98@@ -1153,6 +1164,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -1048,6 +1048,9 @@ 115@@ -1122,6 +1122,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index ae32969ea..8afabfaba 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
3 either way and opted to keep the status quo. We need this patch anyway. 3 either way and opted to keep the status quo. We need this patch anyway.
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
6Last-Update: 2010-04-10 6Last-Update: 2013-05-07
7 7
8Index: b/Makefile.in 8Index: b/Makefile.in
9=================================================================== 9===================================================================
10--- a/Makefile.in 10--- a/Makefile.in
11+++ b/Makefile.in 11+++ b/Makefile.in
12@@ -284,9 +284,9 @@ 12@@ -293,9 +293,9 @@
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 15 -rm -f $(DESTDIR)$(bindir)/slogin
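--- a/debian/patches/max-startups-default.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Description: Change default of MaxStartups to 10:30:100
- This causes sshd to start doing random early drop at 10 connections up to
- 100 connections. This will make it harder to DoS as CPUs have come a long
- way since the original value was set back in 2000.
-Author: Darren Tucker
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
-Bug-Debian: http://bugs.debian.org/700102
-Forwarded: not-needed
-Last-Update: 2013-02-08
-
-Index: b/servconf.c
-===================================================================
---- a/servconf.c
-+++ b/servconf.c
-@@ -264,11 +264,11 @@
- if (options->gateway_ports == -1)
- options->gateway_ports = 0;
- if (options->max_startups == -1)
-- options->max_startups = 10;
-+ options->max_startups = 100;
- if (options->max_startups_rate == -1)
-- options->max_startups_rate = 100; /* 100% */
-+ options->max_startups_rate = 30; /* 30% */
- if (options->max_startups_begin == -1)
-- options->max_startups_begin = options->max_startups;
-+ options->max_startups_begin = 10;
- if (options->max_authtries == -1)
- options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
- if (options->max_sessions == -1)
-Index: b/sshd_config
-===================================================================
---- a/sshd_config
-+++ b/sshd_config
-@@ -108,7 +108,7 @@
- #ClientAliveCountMax 3
- #UseDNS yes
- #PidFile /var/run/sshd.pid
--#MaxStartups 10
-+#MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
-Index: b/sshd_config.5
-===================================================================
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -781,7 +781,7 @@
- Additional connections will be dropped until authentication succeeds or the
- .Cm LoginGraceTime
- expires for a connection.
--The default is 10.
-+The default is 10:30:100.
- .Pp
- Alternatively, random early drop can be enabled by specifying
- the three colon separated values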
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 42b32638c..fa7c725b4 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
2Author: Scott Moser <smoser@ubuntu.com> 2Author: Scott Moser <smoser@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
5Last-Update: 2010-12-14 5Last-Update: 2013-05-07
6 6
7Index: b/sshconnect.c 7Index: b/sshconnect.c
8=================================================================== 8===================================================================
9--- a/sshconnect.c 9--- a/sshconnect.c
10+++ b/sshconnect.c 10+++ b/sshconnect.c
11@@ -956,9 +956,12 @@ 11@@ -975,9 +975,12 @@
12 error("%s. This could either mean that", key_msg); 12 error("%s. This could either mean that", key_msg);
13 error("DNS SPOOFING is happening or the IP address for the host"); 13 error("DNS SPOOFING is happening or the IP address for the host");
14 error("and its host key have changed at the same time."); 14 error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
22 } 22 }
23 /* The host key has changed. */ 23 /* The host key has changed. */
24 warn_changed_key(host_key); 24 warn_changed_key(host_key);
25@@ -966,6 +969,8 @@ 25@@ -985,6 +988,8 @@
26 user_hostfiles[0]); 26 user_hostfiles[0]);
27 error("Offending %s key in %s:%lu", key_type(host_found->key), 27 error("Offending %s key in %s:%lu", key_type(host_found->key),
28 host_found->file, host_found->line); 28 host_found->file, host_found->line);
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index fe8ebe757..48c3ff598 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
6 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 6 https://bugs.launchpad.net/bugs/456660 (ssl(8))
7Author: Colin Watson <cjwatson@debian.org> 7Author: Colin Watson <cjwatson@debian.org>
8Forwarded: not-needed 8Forwarded: not-needed
9Last-Update: 2010-02-28 9Last-Update: 2013-05-07
10 10
11Index: b/moduli.5 11Index: b/moduli.5
12=================================================================== 12===================================================================
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
34=================================================================== 34===================================================================
35--- a/ssh-keygen.1 35--- a/ssh-keygen.1
36+++ b/ssh-keygen.1 36+++ b/ssh-keygen.1
37@@ -152,9 +152,7 @@ 37@@ -171,9 +171,7 @@
38 .Pa ~/.ssh/id_dsa 38 .Pa ~/.ssh/id_dsa
39 or 39 or
40 .Pa ~/.ssh/id_rsa . 40 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
45 .Pp 45 .Pp
46 Normally this program generates the key and asks for a file in which 46 Normally this program generates the key and asks for a file in which
47 to store the private key. 47 to store the private key.
48@@ -200,9 +198,7 @@ 48@@ -219,9 +217,7 @@
49 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 49 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
50 do not exist, generate the host keys with the default key file path, 50 do not exist, generate the host keys with the default key file path,
51 an empty passphrase, default bits for the key type, and default comment. 51 an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
56 .It Fl a Ar trials 56 .It Fl a Ar trials
57 Specifies the number of primality tests to perform when screening DH-GEX 57 Specifies the number of primality tests to perform when screening DH-GEX
58 candidates using the 58 candidates using the
59@@ -556,7 +552,7 @@ 59@@ -606,7 +602,7 @@
60 Valid generator values are 2, 3, and 5. 60 Valid generator values are 2, 3, and 5.
61 .Pp 61 .Pp
62 Screened DH groups may be installed in 62 Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
65 It is important that this file contains moduli of a range of bit lengths and 65 It is important that this file contains moduli of a range of bit lengths and
66 that both ends of a connection share common moduli. 66 that both ends of a connection share common moduli.
67 .Sh CERTIFICATES 67 .Sh CERTIFICATES
68@@ -682,7 +678,7 @@ 68@@ -801,7 +797,7 @@
69 where the user wishes to log in using public key authentication. 69 where the user wishes to log in using public key authentication.
70 There is no need to keep the contents of this file secret. 70 There is no need to keep the contents of this file secret.
71 .Pp 71 .Pp
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
123=================================================================== 123===================================================================
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -224,8 +224,7 @@ 126@@ -276,8 +276,7 @@
127 By default, no banner is displayed. 127 By default, no banner is displayed.
128 .It Cm ChallengeResponseAuthentication 128 .It Cm ChallengeResponseAuthentication
129 Specifies whether challenge-response authentication is allowed (e.g. via 129 Specifies whether challenge-response authentication is allowed (e.g. via
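--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,26 +5,30 @@ Description: Include the Debian version in our identification
  vulnerable-looking version strings. (However, see debian-banner.patch.)
 Author: Matthew Vernon <matthew@debian.org>
 Forwarded: not-needed
-Last-Update: 2012-09-07
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -556,7 +556,7 @@
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
- compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
- compat20 ? PROTOCOL_MINOR_2 : minor1,
-- SSH_VERSION, compat20 ? "\r\n" : "\n");
-+ SSH_RELEASE, compat20 ? "\r\n" : "\n");
- if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
- != strlen(buf))
- fatal("write: %.100s", strerror(errno));
+@@ -435,10 +435,10 @@
+ /* Send our own protocol version identification. */
+ if (compat20) {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
++ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
+ }
+ if (roaming_atomicio(vwrite, connection_out, client_version_string,
+ strlen(client_version_string)) != strlen(client_version_string))
 Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -425,7 +425,7 @@
+@@ -434,7 +434,7 @@
  }
 
  xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -38,7 +42,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION "OpenSSH_6.1"
+ #define SSH_VERSION "OpenSSH_6.2"
 
  #define SSH_PORTABLE "p1"
 -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE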
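Review bot: The visible header of package-versioning.patch does not say that the client identification string is affected, yet in the refreshed sshconnect.c hunk both branches of `if (compat20)` pass `SSH_RELEASE` to `xasprintf(&client_version_string, ...)`. That string is exchanged before authentication, so every server the client connects to learns the exact package revision; the header only points to debian-banner.patch, which is not shown here, so whether any switch covers the client is an open question. I would add a line to the Description along the lines of ` The client identification string carries the package version as well.` and state there which side debian-banner.patch covers. The Description's middle lines and the rest of the version.h hunk lie outside the displayed context.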
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index e436fe59e..f25ff89d0 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
10Author: Colin Watson <cjwatson@debian.org> 10Author: Colin Watson <cjwatson@debian.org>
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
12Bug-Debian: http://bugs.debian.org/313371 12Bug-Debian: http://bugs.debian.org/313371
13Last-Update: 2010-02-27 13Last-Update: 2013-05-07
14 14
15Index: b/clientloop.c 15Index: b/clientloop.c
16=================================================================== 16===================================================================
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -1655,8 +1655,10 @@ 19@@ -1710,8 +1710,10 @@
20 exit_status = 0; 20 exit_status = 0;
21 } 21 }
22 22
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 80fe3247b..f2f8fcd21 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
5Author: Manoj Srivastava <srivasta@debian.org> 5Author: Manoj Srivastava <srivasta@debian.org>
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
7Bug-Debian: http://bugs.debian.org/394795 7Bug-Debian: http://bugs.debian.org/394795
8Last-Update: 2010-02-27 8Last-Update: 2013-05-07
9 9
10Index: b/auth.h 10Index: b/auth.h
11=================================================================== 11===================================================================
@@ -23,7 +23,7 @@ Index: b/auth1.c
23=================================================================== 23===================================================================
24--- a/auth1.c 24--- a/auth1.c
25+++ b/auth1.c 25+++ b/auth1.c
26@@ -383,7 +383,7 @@ 26@@ -385,7 +385,7 @@
27 do_authentication(Authctxt *authctxt) 27 do_authentication(Authctxt *authctxt)
28 { 28 {
29 u_int ulen; 29 u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
32 32
33 /* Get the name of the user that we wish to log in as. */ 33 /* Get the name of the user that we wish to log in as. */
34 packet_read_expect(SSH_CMSG_USER); 34 packet_read_expect(SSH_CMSG_USER);
35@@ -392,11 +392,17 @@ 35@@ -394,11 +394,17 @@
36 user = packet_get_cstring(&ulen); 36 user = packet_get_cstring(&ulen);
37 packet_check_eom(); 37 packet_check_eom();
38 38
@@ -54,7 +54,7 @@ Index: b/auth2.c
54=================================================================== 54===================================================================
55--- a/auth2.c 55--- a/auth2.c
56+++ b/auth2.c 56+++ b/auth2.c
57@@ -217,7 +217,7 @@ 57@@ -219,7 +219,7 @@
58 { 58 {
59 Authctxt *authctxt = ctxt; 59 Authctxt *authctxt = ctxt;
60 Authmethod *m = NULL; 60 Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
63 int authenticated = 0; 63 int authenticated = 0;
64 64
65 if (authctxt == NULL) 65 if (authctxt == NULL)
66@@ -229,8 +229,13 @@ 66@@ -231,8 +231,13 @@
67 debug("userauth-request for user %s service %s method %s", user, service, method); 67 debug("userauth-request for user %s service %s method %s", user, service, method);
68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
69 69
@@ -77,7 +77,7 @@ Index: b/auth2.c
77 77
78 if (authctxt->attempt++ == 0) { 78 if (authctxt->attempt++ == 0) {
79 /* setup auth context */ 79 /* setup auth context */
80@@ -254,8 +259,9 @@ 80@@ -256,8 +261,9 @@
81 use_privsep ? " [net]" : ""); 81 use_privsep ? " [net]" : "");
82 authctxt->service = xstrdup(service); 82 authctxt->service = xstrdup(service);
83 authctxt->style = style ? xstrdup(style) : NULL; 83 authctxt->style = style ? xstrdup(style) : NULL;
@@ -86,8 +86,8 @@ Index: b/auth2.c
86- mm_inform_authserv(service, style); 86- mm_inform_authserv(service, style);
87+ mm_inform_authserv(service, style, role); 87+ mm_inform_authserv(service, style, role);
88 userauth_banner(); 88 userauth_banner();
89 } else if (strcmp(user, authctxt->user) != 0 || 89 if (auth2_setup_methods_lists(authctxt) != 0)
90 strcmp(service, authctxt->service) != 0) { 90 packet_disconnect("no authentication methods enabled");
91Index: b/monitor.c 91Index: b/monitor.c
92=================================================================== 92===================================================================
93--- a/monitor.c 93--- a/monitor.c
@@ -100,7 +100,7 @@ Index: b/monitor.c
100 int mm_answer_authpassword(int, Buffer *); 100 int mm_answer_authpassword(int, Buffer *);
101 int mm_answer_bsdauthquery(int, Buffer *); 101 int mm_answer_bsdauthquery(int, Buffer *);
102 int mm_answer_bsdauthrespond(int, Buffer *); 102 int mm_answer_bsdauthrespond(int, Buffer *);
103@@ -225,6 +226,7 @@ 103@@ -226,6 +227,7 @@
104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -808,6 +810,7 @@ 111@@ -837,6 +839,7 @@
112 else { 112 else {
113 /* Allow service/style information on the auth context */ 113 /* Allow service/style information on the auth context */
114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117 } 117 }
118 #ifdef USE_PAM 118 #ifdef USE_PAM
119@@ -840,14 +843,37 @@ 119@@ -869,14 +872,37 @@
120 120
121 authctxt->service = buffer_get_string(m, NULL); 121 authctxt->service = buffer_get_string(m, NULL);
122 authctxt->style = buffer_get_string(m, NULL); 122 authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +156,7 @@ Index: b/monitor.c
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1435,7 +1461,7 @@ 159@@ -1471,7 +1497,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0) 161 if (res == 0)
162 goto error; 162 goto error;
@@ -169,15 +169,15 @@ Index: b/monitor.h
169=================================================================== 169===================================================================
170--- a/monitor.h 170--- a/monitor.h
171+++ b/monitor.h 171+++ b/monitor.h
172@@ -30,7 +30,7 @@ 172@@ -73,6 +73,8 @@
173 173 MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
174 enum monitor_reqtype { 174 MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
175 MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, 175
176- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, 176+ MONITOR_REQ_AUTHROLE = 300,
177+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, 177+
178 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, 178 };
179 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, 179
180 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, 180 struct mm_master;
181Index: b/monitor_wrap.c 181Index: b/monitor_wrap.c
182=================================================================== 182===================================================================
183--- a/monitor_wrap.c 183--- a/monitor_wrap.c
@@ -369,12 +369,12 @@ Index: b/platform.h
369+void platform_setusercontext_post_groups(struct passwd *, const char *); 369+void platform_setusercontext_post_groups(struct passwd *, const char *);
370 char *platform_get_krb5_client(const char *); 370 char *platform_get_krb5_client(const char *);
371 char *platform_krb5_get_principal_name(const char *); 371 char *platform_krb5_get_principal_name(const char *);
372 372 int platform_sys_dir_uid(uid_t);
373Index: b/session.c 373Index: b/session.c
374=================================================================== 374===================================================================
375--- a/session.c 375--- a/session.c
376+++ b/session.c 376+++ b/session.c
377@@ -1471,7 +1471,7 @@ 377@@ -1474,7 +1474,7 @@
378 378
379 /* Set login name, uid, gid, and groups. */ 379 /* Set login name, uid, gid, and groups. */
380 void 380 void
@@ -383,7 +383,7 @@ Index: b/session.c
383 { 383 {
384 char *chroot_path, *tmp; 384 char *chroot_path, *tmp;
385 385
386@@ -1499,7 +1499,7 @@ 386@@ -1502,7 +1502,7 @@
387 endgrent(); 387 endgrent();
388 #endif 388 #endif
389 389
@@ -392,7 +392,7 @@ Index: b/session.c
392 392
393 if (options.chroot_directory != NULL && 393 if (options.chroot_directory != NULL &&
394 strcasecmp(options.chroot_directory, "none") != 0) { 394 strcasecmp(options.chroot_directory, "none") != 0) {
395@@ -1625,7 +1625,7 @@ 395@@ -1633,7 +1633,7 @@
396 396
397 /* Force a password change */ 397 /* Force a password change */
398 if (s->authctxt->force_pwchange) { 398 if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
401 child_close_fds(); 401 child_close_fds();
402 do_pwchange(s); 402 do_pwchange(s);
403 exit(1); 403 exit(1);
404@@ -1652,7 +1652,7 @@ 404@@ -1660,7 +1660,7 @@
405 /* When PAM is enabled we rely on it to do the nologin check */ 405 /* When PAM is enabled we rely on it to do the nologin check */
406 if (!options.use_pam) 406 if (!options.use_pam)
407 do_nologin(pw); 407 do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
410 /* 410 /*
411 * PAM session modules in do_setusercontext may have 411 * PAM session modules in do_setusercontext may have
412 * generated messages, so if this in an interactive 412 * generated messages, so if this in an interactive
413@@ -2064,7 +2064,7 @@ 413@@ -2072,7 +2072,7 @@
414 tty_parse_modes(s->ttyfd, &n_bytes); 414 tty_parse_modes(s->ttyfd, &n_bytes);
415 415
416 if (!use_privsep) 416 if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
436=================================================================== 436===================================================================
437--- a/sshd.c 437--- a/sshd.c
438+++ b/sshd.c 438+++ b/sshd.c
439@@ -736,7 +736,7 @@ 439@@ -745,7 +745,7 @@
440 RAND_seed(rnd, sizeof(rnd)); 440 RAND_seed(rnd, sizeof(rnd));
441 441
442 /* Drop privileges */ 442 /* Drop privileges */
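--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 
 # SELinux
 selinux-role.patch
-copy-id-restorecon.patch
 
 # Key blacklisting
 ssh-vulnkey.patch
@@ -27,7 +26,6 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
-max-startups-default.patch
 
 # Versioning
 package-versioning.patch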
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 8c549128b..4c4532e99 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
6Bug-Debian: http://bugs.debian.org/492728 6Bug-Debian: http://bugs.debian.org/492728
7Last-Update: 2010-02-27 7Last-Update: 2013-05-07
8 8
9Index: b/sshconnect.c 9Index: b/sshconnect.c
10=================================================================== 10===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
19 perror(argv[0]); 19 perror(argv[0]);
20 exit(1); 20 exit(1);
21 } 21 }
22@@ -1273,7 +1273,7 @@ 22@@ -1292,7 +1292,7 @@
23 if (pid == 0) { 23 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL); 24 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 25 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 3cc1272ec..6f4a3cd9a 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
5 manual page from ssh(1). 5 manual page from ssh(1).
6Bug-Debian: http://bugs.debian.org/111341 6Bug-Debian: http://bugs.debian.org/111341
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2010-02-28 8Last-Update: 2013-05-07
9 9
10Index: b/ssh.1 10Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1425,6 +1425,7 @@ 14@@ -1433,6 +1433,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c13cb3412..b7531cce0 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
8 See CVE-2008-0166. 8 See CVE-2008-0166.
9Author: Colin Watson <cjwatson@ubuntu.com> 9Author: Colin Watson <cjwatson@ubuntu.com>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2010-02-27 11Last-Update: 2013-05-07
12 12
13Index: b/Makefile.in 13Index: b/Makefile.in
14=================================================================== 14===================================================================
@@ -22,24 +22,26 @@ Index: b/Makefile.in
22 PRIVSEP_PATH=@PRIVSEP_PATH@ 22 PRIVSEP_PATH=@PRIVSEP_PATH@
23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
24 STRIP_OPT=@STRIP_OPT@ 24 STRIP_OPT=@STRIP_OPT@
25@@ -38,6 +39,7 @@ 25@@ -37,7 +38,8 @@
26 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
26 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ 27 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
27 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 28 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
28 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ 29- -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
29+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \ 30+ -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
31+ -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
30 32
31 CC=@CC@ 33 CC=@CC@
32 LD=@LD@ 34 LD=@LD@
33@@ -59,7 +61,7 @@ 35@@ -61,7 +63,7 @@
34 EXEEXT=@EXEEXT@ 36 EXEEXT=@EXEEXT@
35 MANFMT=@MANFMT@ 37 MANFMT=@MANFMT@
36 38
37-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 39-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
38+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) 40+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
39 41
40 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 42 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
41 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 43 canohost.o channels.o cipher.o cipher-aes.o \
42@@ -94,8 +96,8 @@ 44@@ -96,8 +98,8 @@
43 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 45 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
44 sandbox-seccomp-filter.o 46 sandbox-seccomp-filter.o
45 47
@@ -50,7 +52,7 @@ Index: b/Makefile.in
50 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
51 53
52 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
53@@ -172,6 +174,9 @@ 55@@ -174,6 +176,9 @@
54 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
55 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
56 58
@@ -60,7 +62,7 @@ Index: b/Makefile.in
60 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
61 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
62 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
63@@ -260,6 +265,7 @@ 65@@ -269,6 +274,7 @@
64 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
65 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
66 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -68,7 +70,7 @@ Index: b/Makefile.in
68 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
69 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
70 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
71@@ -274,6 +280,7 @@ 73@@ -283,6 +289,7 @@
72 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
73 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
74 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -76,7 +78,7 @@ Index: b/Makefile.in
76 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
77 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
78 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
79@@ -355,6 +362,7 @@ 81@@ -364,6 +371,7 @@
80 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
81 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
82 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -84,7 +86,7 @@ Index: b/Makefile.in
84 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
85 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
86 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
87@@ -367,6 +375,7 @@ 89@@ -376,6 +384,7 @@
88 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
89 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -130,7 +132,7 @@ Index: b/auth.c
130 #include "auth.h" 132 #include "auth.h"
131 #include "auth-options.h" 133 #include "auth-options.h"
132 #include "canohost.h" 134 #include "canohost.h"
133@@ -608,10 +609,34 @@ 135@@ -635,10 +636,34 @@
134 136
135 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
136 int 138 int
@@ -165,12 +167,12 @@ Index: b/auth.c
165+ 167+
166 if (options.revoked_keys_file == NULL) 168 if (options.revoked_keys_file == NULL)
167 return 0; 169 return 0;
168 170 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
169Index: b/auth.h 171Index: b/auth.h
170=================================================================== 172===================================================================
171--- a/auth.h 173--- a/auth.h
172+++ b/auth.h 174+++ b/auth.h
173@@ -174,7 +174,7 @@ 175@@ -185,7 +185,7 @@
174 176
175 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
176 FILE *auth_openprincipals(const char *, struct passwd *, int); 178 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -196,7 +198,7 @@ Index: b/auth2-pubkey.c
196=================================================================== 198===================================================================
197--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
198+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
199@@ -440,9 +440,10 @@ 201@@ -608,9 +608,10 @@
200 u_int success, i; 202 u_int success, i;
201 char *file; 203 char *file;
202 204
@@ -462,7 +464,7 @@ Index: b/servconf.c
462=================================================================== 464===================================================================
463--- a/servconf.c 465--- a/servconf.c
464+++ b/servconf.c 466+++ b/servconf.c
465@@ -107,6 +107,7 @@ 467@@ -109,6 +109,7 @@
466 options->password_authentication = -1; 468 options->password_authentication = -1;
467 options->kbd_interactive_authentication = -1; 469 options->kbd_interactive_authentication = -1;
468 options->challenge_response_authentication = -1; 470 options->challenge_response_authentication = -1;
@@ -470,7 +472,7 @@ Index: b/servconf.c
470 options->permit_empty_passwd = -1; 472 options->permit_empty_passwd = -1;
471 options->permit_user_env = -1; 473 options->permit_user_env = -1;
472 options->use_login = -1; 474 options->use_login = -1;
473@@ -246,6 +247,8 @@ 475@@ -250,6 +251,8 @@
474 options->kbd_interactive_authentication = 0; 476 options->kbd_interactive_authentication = 0;
475 if (options->challenge_response_authentication == -1) 477 if (options->challenge_response_authentication == -1)
476 options->challenge_response_authentication = 1; 478 options->challenge_response_authentication = 1;
@@ -479,7 +481,7 @@ Index: b/servconf.c
479 if (options->permit_empty_passwd == -1) 481 if (options->permit_empty_passwd == -1)
480 options->permit_empty_passwd = 0; 482 options->permit_empty_passwd = 0;
481 if (options->permit_user_env == -1) 483 if (options->permit_user_env == -1)
482@@ -323,7 +326,7 @@ 484@@ -327,7 +330,7 @@
483 sListenAddress, sAddressFamily, 485 sListenAddress, sAddressFamily,
484 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 486 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
485 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +490,7 @@ Index: b/servconf.c
488 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
489 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
490 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
491@@ -433,6 +436,7 @@ 493@@ -439,6 +442,7 @@
492 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
493 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
494 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +498,7 @@ Index: b/servconf.c
496 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
497 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
498 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 500 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
499@@ -1116,6 +1120,10 @@ 501@@ -1134,6 +1138,10 @@
500 intptr = &options->tcp_keep_alive; 502 intptr = &options->tcp_keep_alive;
501 goto parse_flag; 503 goto parse_flag;
502 504
@@ -507,7 +509,7 @@ Index: b/servconf.c
507 case sEmptyPasswd: 509 case sEmptyPasswd:
508 intptr = &options->permit_empty_passwd; 510 intptr = &options->permit_empty_passwd;
509 goto parse_flag; 511 goto parse_flag;
510@@ -1921,6 +1929,7 @@ 512@@ -1980,6 +1988,7 @@
511 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
512 dump_cfg_fmtint(sStrictModes, o->strict_modes); 514 dump_cfg_fmtint(sStrictModes, o->strict_modes);
513 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -519,7 +521,7 @@ Index: b/servconf.h
519=================================================================== 521===================================================================
520--- a/servconf.h 522--- a/servconf.h
521+++ b/servconf.h 523+++ b/servconf.h
522@@ -113,6 +113,7 @@ 524@@ -120,6 +120,7 @@
523 int challenge_response_authentication; 525 int challenge_response_authentication;
524 int zero_knowledge_password_authentication; 526 int zero_knowledge_password_authentication;
525 /* If true, permit jpake auth */ 527 /* If true, permit jpake auth */
@@ -554,7 +556,7 @@ Index: b/ssh-add.c
554=================================================================== 556===================================================================
555--- a/ssh-add.c 557--- a/ssh-add.c
556+++ b/ssh-add.c 558+++ b/ssh-add.c
557@@ -142,7 +142,7 @@ 559@@ -167,7 +167,7 @@
558 add_file(AuthenticationConnection *ac, const char *filename, int key_only) 560 add_file(AuthenticationConnection *ac, const char *filename, int key_only)
559 { 561 {
560 Key *private, *cert; 562 Key *private, *cert;
@@ -563,7 +565,7 @@ Index: b/ssh-add.c
563 char msg[1024], *certpath = NULL; 565 char msg[1024], *certpath = NULL;
564 int fd, perms_ok, ret = -1; 566 int fd, perms_ok, ret = -1;
565 Buffer keyblob; 567 Buffer keyblob;
566@@ -218,6 +218,14 @@ 568@@ -243,6 +243,14 @@
567 } else { 569 } else {
568 fprintf(stderr, "Could not add identity: %s\n", filename); 570 fprintf(stderr, "Could not add identity: %s\n", filename);
569 } 571 }
@@ -582,7 +584,7 @@ Index: b/ssh-keygen.1
582=================================================================== 584===================================================================
583--- a/ssh-keygen.1 585--- a/ssh-keygen.1
584+++ b/ssh-keygen.1 586+++ b/ssh-keygen.1
585@@ -691,6 +691,7 @@ 587@@ -810,6 +810,7 @@
586 .Xr ssh 1 , 588 .Xr ssh 1 ,
587 .Xr ssh-add 1 , 589 .Xr ssh-add 1 ,
588 .Xr ssh-agent 1 , 590 .Xr ssh-agent 1 ,
@@ -1233,7 +1235,7 @@ Index: b/ssh.1
1233=================================================================== 1235===================================================================
1234--- a/ssh.1 1236--- a/ssh.1
1235+++ b/ssh.1 1237+++ b/ssh.1
1236@@ -1421,6 +1421,7 @@ 1238@@ -1429,6 +1429,7 @@
1237 .Xr ssh-agent 1 , 1239 .Xr ssh-agent 1 ,
1238 .Xr ssh-keygen 1 , 1240 .Xr ssh-keygen 1 ,
1239 .Xr ssh-keyscan 1 , 1241 .Xr ssh-keyscan 1 ,
@@ -1281,7 +1283,7 @@ Index: b/ssh_config.5
1281=================================================================== 1283===================================================================
1282--- a/ssh_config.5 1284--- a/ssh_config.5
1283+++ b/ssh_config.5 1285+++ b/ssh_config.5
1284@@ -1187,6 +1187,23 @@ 1286@@ -1201,6 +1201,23 @@
1285 .Dq any . 1287 .Dq any .
1286 The default is 1288 The default is
1287 .Dq any:any . 1289 .Dq any:any .
@@ -1309,24 +1311,24 @@ Index: b/sshconnect2.c
1309=================================================================== 1311===================================================================
1310--- a/sshconnect2.c 1312--- a/sshconnect2.c
1311+++ b/sshconnect2.c 1313+++ b/sshconnect2.c
1312@@ -1489,6 +1489,8 @@ 1314@@ -1491,6 +1491,8 @@
1313 1315
1314 /* list of keys stored in the filesystem */ 1316 /* list of keys stored in the filesystem and PKCS#11 */
1315 for (i = 0; i < options.num_identity_files; i++) { 1317 for (i = 0; i < options.num_identity_files; i++) {
1316+ if (options.identity_files[i] == NULL) 1318+ if (options.identity_files[i] == NULL)
1317+ continue; 1319+ continue;
1318 key = options.identity_keys[i]; 1320 key = options.identity_keys[i];
1319 if (key && key->type == KEY_RSA1) 1321 if (key && key->type == KEY_RSA1)
1320 continue; 1322 continue;
1321@@ -1582,7 +1584,7 @@ 1323@@ -1609,7 +1611,7 @@
1322 debug("Offering %s public key: %s", key_type(id->key), 1324 debug("Offering %s public key: %s", key_type(id->key),
1323 id->filename); 1325 id->filename);
1324 sent = send_pubkey_test(authctxt, id); 1326 sent = send_pubkey_test(authctxt, id);
1325- } else if (id->key == NULL) { 1327- } else if (id->key == NULL) {
1326+ } else if (id->key == NULL && id->filename) { 1328+ } else if (id->key == NULL && id->filename) {
1327 debug("Trying private key: %s", id->filename); 1329 debug("Trying private key: %s", id->filename);
1328 id->key = load_identity_file(id->filename); 1330 id->key = load_identity_file(id->filename,
1329 if (id->key != NULL) { 1331 id->userprovided);
1330Index: b/sshd.8 1332Index: b/sshd.8
1331=================================================================== 1333===================================================================
1332--- a/sshd.8 1334--- a/sshd.8
@@ -1343,7 +1345,7 @@ Index: b/sshd.c
1343=================================================================== 1345===================================================================
1344--- a/sshd.c 1346--- a/sshd.c
1345+++ b/sshd.c 1347+++ b/sshd.c
1346@@ -1593,6 +1593,11 @@ 1348@@ -1631,6 +1631,11 @@
1347 sensitive_data.host_keys[i] = NULL; 1349 sensitive_data.host_keys[i] = NULL;
1348 continue; 1350 continue;
1349 } 1351 }
@@ -1359,7 +1361,7 @@ Index: b/sshd_config.5
1359=================================================================== 1361===================================================================
1360--- a/sshd_config.5 1362--- a/sshd_config.5
1361+++ b/sshd_config.5 1363+++ b/sshd_config.5
1362@@ -803,6 +803,20 @@ 1364@@ -870,6 +870,20 @@
1363 Specifies whether password authentication is allowed. 1365 Specifies whether password authentication is allowed.
1364 The default is 1366 The default is
1365 .Dq yes . 1367 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index b71ff9df9..87211e8a3 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,7 +1,7 @@
1Description: Partial server keep-alive implementation for SSH1 1Description: Partial server keep-alive implementation for SSH1
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
4Last-Update: 2010-02-27 4Last-Update: 2013-05-07
5 5
6Index: b/clientloop.c 6Index: b/clientloop.c
7=================================================================== 7===================================================================
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1088,7 +1088,10 @@ 54@@ -1102,7 +1102,10 @@
55 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 1368ccb3c..ddedbf79a 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability
9Author: Colin Watson <cjwatson@debian.org> 9Author: Colin Watson <cjwatson@debian.org>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
11Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 11Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
12Last-Update: 2010-02-27 12Last-Update: 2013-05-07
13 13
14Index: b/readconf.c 14Index: b/readconf.c
15=================================================================== 15===================================================================
@@ -38,7 +38,7 @@ Index: b/ssh.1
38=================================================================== 38===================================================================
39--- a/ssh.1 39--- a/ssh.1
40+++ b/ssh.1 40+++ b/ssh.1
41@@ -1312,6 +1312,8 @@ 41@@ -1320,6 +1320,8 @@
42 .Xr ssh_config 5 . 42 .Xr ssh_config 5 .
43 Because of the potential for abuse, this file must have strict permissions: 43 Because of the potential for abuse, this file must have strict permissions:
44 read/write for the user, and not accessible by others. 44 read/write for the user, and not accessible by others.
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1342,6 +1342,8 @@ 54@@ -1356,6 +1356,8 @@
55 This file is used by the SSH client. 55 This file is used by the SSH client.
56 Because of the potential for abuse, this file must have strict permissions: 56 Because of the potential for abuse, this file must have strict permissions:
57 read/write for the user, and not accessible by others. 57 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
64=================================================================== 64===================================================================
65--- a/auth.c 65--- a/auth.c
66+++ b/auth.c 66+++ b/auth.c
67@@ -381,8 +381,7 @@ 67@@ -386,8 +386,7 @@
68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69 if (options.strict_modes && 69 if (options.strict_modes &&
70 (stat(user_hostfile, &st) == 0) && 70 (stat(user_hostfile, &st) == 0) &&
@@ -74,21 +74,21 @@ Index: b/auth.c
74 logit("Authentication refused for %.100s: " 74 logit("Authentication refused for %.100s: "
75 "bad owner or modes for %.200s", 75 "bad owner or modes for %.200s",
76 pw->pw_name, user_hostfile); 76 pw->pw_name, user_hostfile);
77@@ -443,8 +442,7 @@ 77@@ -449,8 +448,7 @@
78 78 snprintf(err, errlen, "%s is not a regular file", buf);
79 /* check the open file to avoid races */ 79 return -1;
80 if (fstat(fileno(f), &st) < 0 || 80 }
81- (st.st_uid != 0 && st.st_uid != uid) || 81- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
82- (st.st_mode & 022) != 0) { 82- (stp->st_mode & 022) != 0) {
83+ !secure_permissions(&st, uid)) { 83+ if (!secure_permissions(stp, uid)) {
84 snprintf(err, errlen, "bad ownership or modes for file %s", 84 snprintf(err, errlen, "bad ownership or modes for file %s",
85 buf); 85 buf);
86 return -1; 86 return -1;
87@@ -459,8 +457,7 @@ 87@@ -465,8 +463,7 @@
88 strlcpy(buf, cp, sizeof(buf)); 88 strlcpy(buf, cp, sizeof(buf));
89 89
90 if (stat(buf, &st) < 0 || 90 if (stat(buf, &st) < 0 ||
91- (st.st_uid != 0 && st.st_uid != uid) || 91- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
92- (st.st_mode & 022) != 0) { 92- (st.st_mode & 022) != 0) {
93+ !secure_permissions(&st, uid)) { 93+ !secure_permissions(&st, uid)) {
94 snprintf(err, errlen, 94 snprintf(err, errlen,
@@ -115,7 +115,7 @@ Index: b/misc.c
115 int 115 int
116+secure_permissions(struct stat *st, uid_t uid) 116+secure_permissions(struct stat *st, uid_t uid)
117+{ 117+{
118+ if (st->st_uid != 0 && st->st_uid != uid) 118+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
119+ return 0; 119+ return 0;
120+ if ((st->st_mode & 002) != 0) 120+ if ((st->st_mode & 002) != 0)
121+ return 0; 121+ return 0;
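Review bot: `secure_permissions()` in misc.c now calls `platform_sys_dir_uid()` (last hunk of this section), but nothing visible here shows misc.c including `platform.h` or the object that defines that function being linked into the client programs, which this patch also reaches through readconf.c. If the function is only built into sshd, the client binaries would fail to link or the call would compile against an implicit declaration, so it is worth confirming and, if needed, adding `#include "platform.h"` to the misc.c part of the patch. The parameter could also be declared `const struct stat *st`, since the visible lines only read through it. The body of `secure_permissions()` continues outside the hunk.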
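--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.169 2012/02/15 04:13:06 tim Exp $ */
+/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */
 
 
 /* Constants */
@@ -227,11 +227,7 @@ typedef uint16_t u_int16_t;
 typedef uint32_t u_int32_t;
 # define HAVE_U_INTXX_T 1
 # else
-# if (SIZEOF_CHAR == 1)
 typedef unsigned char u_int8_t;
-# else
-# error "8 bit int type not found."
-# endif
 # if (SIZEOF_SHORT_INT == 2)
 typedef unsigned short int u_int16_t;
 # else
@@ -283,6 +279,10 @@ typedef unsigned char u_char;
 # define HAVE_U_CHAR
 #endif /* HAVE_U_CHAR */
 
+#ifndef ULLONG_MAX
+# define ULLONG_MAX ((unsigned long long)-1)
+#endif
+
 #ifndef SIZE_T_MAX
 #define SIZE_T_MAX ULONG_MAX
 #endif /* SIZE_T_MAX */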
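Review bot: The `ULLONG_MAX` fallback added in the last hunk is defined with a cast, `((unsigned long long)-1)`, which gives the right value in ordinary expressions but cannot be evaluated in an `#if` directive, where the standard macro can. A cast-free form such as `# define ULLONG_MAX (~0ULL)` works in both places. The `#ifndef` guard also presumably relies on `<limits.h>` having been included before defines.h; a short comment stating that ordering assumption would keep a later include from redefining the macro unnoticed.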
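--- a/includes.h
+++ b/includes.h
@@ -137,8 +137,10 @@
 # include <tmpdir.h>
 #endif
 
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h> /* Openpty on FreeBSD at least */
+#if defined(HAVE_BSD_LIBUTIL_H)
+# include <bsd/libutil.h>
+#elif defined(HAVE_LIBUTIL_H)
+# include <libutil.h>
 #endif
 
 #if defined(KRB5) && defined(USE_AFS)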
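Review bot: The new `#if`/`#elif` chain drops the `/* Openpty on FreeBSD at least */` comment and does not say why `<bsd/libutil.h>` takes precedence when both headers are detected. Suggest keeping the reason on the fallback line, `# include <libutil.h> /* Openpty on FreeBSD at least */`, and adding a one-line comment above the chain that names which declarations are expected from the libbsd header, so the ordering is not mistaken for an accident.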
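--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  *
@@ -246,8 +246,18 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
  packet_get_char();
  for (i = 0; i < PROPOSAL_MAX; i++)
  xfree(packet_get_string(NULL));
- (void) packet_get_char();
- (void) packet_get_int();
+ /*
+ * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
+ * KEX method has the server move first, but a server might be using
+ * a custom method or one that we otherwise don't support. We should
+ * be prepared to remember first_kex_follows here so we can eat a
+ * packet later.
+ * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
+ * for cases where the server *doesn't* go first. I guess we should
+ * ignore it when it is set for these cases, which is what we do now.
+ */
+ (void) packet_get_char(); /* first_kex_follows */
+ (void) packet_get_int(); /* reserved */
  packet_check_eom();
 
  kex_kexinit_finish(kex);
@@ -298,6 +308,7 @@ choose_enc(Enc *enc, char *client, char *server)
  enc->name = name;
  enc->enabled = 0;
  enc->iv = NULL;
+ enc->iv_len = cipher_ivlen(enc->cipher);
  enc->key = NULL;
  enc->key_len = cipher_keylen(enc->cipher);
  enc->block_size = cipher_blocksize(enc->cipher);
@@ -423,7 +434,7 @@ kex_choose_conf(Kex *kex)
  char **my, **peer;
  char **cprop, **sprop;
  int nenc, nmac, ncomp;
- u_int mode, ctos, need;
+ u_int mode, ctos, need, authlen;
  int first_kex_follows, type;
 
  my = kex_buf2prop(&kex->my, NULL);
@@ -456,13 +467,16 @@ kex_choose_conf(Kex *kex)
  nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
  nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
  ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
- choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]);
- choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]);
+ choose_enc(&newkeys->enc, cprop[nenc], sprop[nenc]);
+ /* ignore mac for authenticated encryption */
+ authlen = cipher_authlen(newkeys->enc.cipher);
+ if (authlen == 0)
+ choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
  choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
  debug("kex: %s %s %s %s",
  ctos ? "client->server" : "server->client",
  newkeys->enc.name,
- newkeys->mac.name,
+ authlen == 0 ? newkeys->mac.name : "<implicit>",
  newkeys->comp.name);
  }
  choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
@@ -475,6 +489,8 @@ kex_choose_conf(Kex *kex)
  need = newkeys->enc.key_len;
  if (need < newkeys->enc.block_size)
  need = newkeys->enc.block_size;
+ if (need < newkeys->enc.iv_len)
+ need = newkeys->enc.iv_len;
  if (need < newkeys->mac.key_len)
  need = newkeys->mac.key_len;
  }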
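Review bot: The key-material sizing near the end of kex_choose_conf still compares `need` with `newkeys->mac.key_len` for every mode, although `choose_mac()` is now skipped when `cipher_authlen()` is non-zero, so for an AEAD cipher that field is never set by negotiation. This is only correct if `newkeys` is zeroed when it is allocated, which happens outside the visible hunks and should be confirmed. I would make the dependency explicit the same way the `debug()` call does, e.g. `if (cipher_authlen(newkeys->enc.cipher) == 0 && need < newkeys->mac.key_len)`, or at least add `/* mac.key_len stays 0 when an AEAD cipher skipped choose_mac() */` above the existing test. kex_choose_conf begins and ends outside these hunks.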
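--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -92,6 +92,7 @@ struct Enc {
  Cipher *cipher;
  int enabled;
  u_int key_len;
+ u_int iv_len;
  u_int block_size;
  u_char *key;
  u_char *iv;
@@ -103,6 +104,7 @@ struct Mac {
  u_char *key;
  u_int key_len;
  int type;
+ int etm; /* Encrypt-then-MAC */
  const EVP_MD *evp_md;
  HMAC_CTX evp_ctx;
  struct umac_ctx *umac_ctx;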
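Review bot: The new `iv_len` member of `struct Enc` has no comment, while the `etm` member added to `struct Mac` in the same change does. A short note on where the value comes from would help readers of the key-sizing code in kex.c: `u_int iv_len; /* set from cipher_ivlen() in choose_enc() */`. Both struct definitions continue outside the hunks.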
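--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */
+/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -55,6 +55,8 @@
 #include "misc.h"
 #include "ssh2.h"
 
+static int to_blob(const Key *, u_char **, u_int *, int);
+
 static struct KeyCert *
 cert_new(void)
 {
@@ -324,14 +326,15 @@ key_equal(const Key *a, const Key *b)
 }
 
 u_char*
-key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
+key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ u_int *dgst_raw_length)
 {
  const EVP_MD *md = NULL;
  EVP_MD_CTX ctx;
  u_char *blob = NULL;
  u_char *retval = NULL;
  u_int len = 0;
- int nlen, elen, otype;
+ int nlen, elen;
 
  *dgst_raw_length = 0;
 
@@ -371,10 +374,7 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
  case KEY_ECDSA_CERT:
  case KEY_RSA_CERT:
  /* We want a fingerprint of the _key_ not of the cert */
- otype = k->type;
- k->type = key_type_plain(k->type);
- key_to_blob(k, &blob, &len);
- k->type = otype;
+ to_blob(k, &blob, &len, 1);
  break;
  case KEY_UNSPEC:
  return retval;
@@ -1591,18 +1591,19 @@ key_from_blob(const u_char *blob, u_int blen)
  return key;
 }
 
-int
-key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+static int
+to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
 {
  Buffer b;
- int len;
+ int len, type;
 
  if (key == NULL) {
  error("key_to_blob: key == NULL");
  return 0;
  }
  buffer_init(&b);
- switch (key->type) {
+ type = force_plain ? key_type_plain(key->type) : key->type;
+ switch (type) {
  case KEY_DSA_CERT_V00:
  case KEY_RSA_CERT_V00:
  case KEY_DSA_CERT:
@@ -1613,7 +1614,8 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
  buffer_len(&key->cert->certblob));
  break;
  case KEY_DSA:
- buffer_put_cstring(&b, key_ssh_name(key));
+ buffer_put_cstring(&b,
+ key_ssh_name_from_type_nid(type, key->ecdsa_nid));
  buffer_put_bignum2(&b, key->dsa->p);
  buffer_put_bignum2(&b, key->dsa->q);
  buffer_put_bignum2(&b, key->dsa->g);
@@ -1621,14 +1623,16 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
  break;
 #ifdef OPENSSL_HAS_ECC
  case KEY_ECDSA:
- buffer_put_cstring(&b, key_ssh_name(key));
+ buffer_put_cstring(&b,
+ key_ssh_name_from_type_nid(type, key->ecdsa_nid));
  buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
  buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
  EC_KEY_get0_public_key(key->ecdsa));
  break;
 #endif
  case KEY_RSA:
- buffer_put_cstring(&b, key_ssh_name(key));
+ buffer_put_cstring(&b,
+ key_ssh_name_from_type_nid(type, key->ecdsa_nid));
  buffer_put_bignum2(&b, key->rsa->e);
  buffer_put_bignum2(&b, key->rsa->n);
  break;
@@ -1650,6 +1654,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
 }
 
 int
+key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+{
+ return to_blob(key, blobp, lenp, 0);
+}
+
+int
 key_sign(
  const Key *key,
  u_char **sigp, u_int *lenp,
@@ -2028,7 +2038,7 @@ key_cert_check_authority(const Key *k, int want_host, int require_principal,
 }
 
 int
-key_cert_is_legacy(Key *k)
+key_cert_is_legacy(const Key *k)
 {
  switch (k->type) {
  case KEY_DSA_CERT_V00: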
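Review bot: In key_fingerprint_raw the certificate case calls `to_blob(k, &blob, &len, 1);` and discards the result, yet to_blob reports failure by returning 0 (see its `key == NULL` path). Whether a failed conversion is caught later depends on how `blob` is checked after the switch, which is outside the hunk. Checking at the call keeps the failure next to its cause: `if (to_blob(k, &blob, &len, 1) == 0) return retval;`, matching the `KEY_UNSPEC` case just below. Separately, the helper's error text still says `key_to_blob:` although it can now be reached from key_fingerprint_raw as well.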
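--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.34 2012/05/23 03:28:28 djm Exp $ */
+/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -97,7 +97,7 @@ Key *key_demote(const Key *);
 int key_equal_public(const Key *, const Key *);
 int key_equal(const Key *, const Key *);
 char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
-u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *);
+u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
 const char *key_type(const Key *);
 const char *key_cert_type(const Key *);
 int key_write(const Key *, FILE *);
@@ -115,7 +115,7 @@ int key_certify(Key *, Key *);
 void key_cert_copy(const Key *, struct Key *);
 int key_cert_check_authority(const Key *, int, int, const char *,
  const char **);
-int key_cert_is_legacy(Key *);
+int key_cert_is_legacy(const Key *);
 
 int key_ecdsa_nid_from_name(const char *);
 int key_curve_name_to_nid(const char *);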
diff --git a/krl.c b/krl.c
new file mode 100644
index 000000000..5a6bd14aa
--- /dev/null
+++ b/krl.c
@@ -0,0 +1,1229 @@
1/*
2 * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $OpenBSD: krl.c,v 1.9 2013/01/27 10:06:12 djm Exp $ */
18
19#include "includes.h"
20
21#include <sys/types.h>
22#include <sys/param.h>
23#include <openbsd-compat/sys-tree.h>
24#include <openbsd-compat/sys-queue.h>
25
26#include <errno.h>
27#include <fcntl.h>
28#include <limits.h>
29#include <string.h>
30#include <time.h>
31#include <unistd.h>
32
33#include "buffer.h"
34#include "key.h"
35#include "authfile.h"
36#include "misc.h"
37#include "log.h"
38#include "xmalloc.h"
39
40#include "krl.h"
41
42/* #define DEBUG_KRL */
43#ifdef DEBUG_KRL
44# define KRL_DBG(x) debug3 x
45#else
46# define KRL_DBG(x)
47#endif
48
49/*
50 * Trees of revoked serial numbers, key IDs and keys. This allows
51 * quick searching, querying and producing lists in canonical order.
52 */
53
54/* Tree of serial numbers. XXX make smarter: really need a real sparse bitmap */
55struct revoked_serial {
56 u_int64_t lo, hi;
57 RB_ENTRY(revoked_serial) tree_entry;
58};
59static int serial_cmp(struct revoked_serial *a, struct revoked_serial *b);
60RB_HEAD(revoked_serial_tree, revoked_serial);
61RB_GENERATE_STATIC(revoked_serial_tree, revoked_serial, tree_entry, serial_cmp);
62
63/* Tree of key IDs */
64struct revoked_key_id {
65 char *key_id;
66 RB_ENTRY(revoked_key_id) tree_entry;
67};
68static int key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b);
69RB_HEAD(revoked_key_id_tree, revoked_key_id);
70RB_GENERATE_STATIC(revoked_key_id_tree, revoked_key_id, tree_entry, key_id_cmp);
71
72/* Tree of blobs (used for keys and fingerprints) */
73struct revoked_blob {
74 u_char *blob;
75 u_int len;
76 RB_ENTRY(revoked_blob) tree_entry;
77};
78static int blob_cmp(struct revoked_blob *a, struct revoked_blob *b);
79RB_HEAD(revoked_blob_tree, revoked_blob);
80RB_GENERATE_STATIC(revoked_blob_tree, revoked_blob, tree_entry, blob_cmp);
81
82/* Tracks revoked certs for a single CA */
83struct revoked_certs {
84 Key *ca_key;
85 struct revoked_serial_tree revoked_serials;
86 struct revoked_key_id_tree revoked_key_ids;
87 TAILQ_ENTRY(revoked_certs) entry;
88};
89TAILQ_HEAD(revoked_certs_list, revoked_certs);
90
91struct ssh_krl {
92 u_int64_t krl_version;
93 u_int64_t generated_date;
94 u_int64_t flags;
95 char *comment;
96 struct revoked_blob_tree revoked_keys;
97 struct revoked_blob_tree revoked_sha1s;
98 struct revoked_certs_list revoked_certs;
99};
100
101/* Return equal if a and b overlap */
102static int
103serial_cmp(struct revoked_serial *a, struct revoked_serial *b)
104{
105 if (a->hi >= b->lo && a->lo <= b->hi)
106 return 0;
107 return a->lo < b->lo ? -1 : 1;
108}
109
110static int
111key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b)
112{
113 return strcmp(a->key_id, b->key_id);
114}
115
116static int
117blob_cmp(struct revoked_blob *a, struct revoked_blob *b)
118{
119 int r;
120
121 if (a->len != b->len) {
122 if ((r = memcmp(a->blob, b->blob, MIN(a->len, b->len))) != 0)
123 return r;
124 return a->len > b->len ? 1 : -1;
125 } else
126 return memcmp(a->blob, b->blob, a->len);
127}
128
129struct ssh_krl *
130ssh_krl_init(void)
131{
132 struct ssh_krl *krl;
133
134 if ((krl = calloc(1, sizeof(*krl))) == NULL)
135 return NULL;
136 RB_INIT(&krl->revoked_keys);
137 RB_INIT(&krl->revoked_sha1s);
138 TAILQ_INIT(&krl->revoked_certs);
139 return krl;
140}
141
142static void
143revoked_certs_free(struct revoked_certs *rc)
144{
145 struct revoked_serial *rs, *trs;
146 struct revoked_key_id *rki, *trki;
147
148 RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) {
149 RB_REMOVE(revoked_serial_tree, &rc->revoked_serials, rs);
150 free(rs);
151 }
152 RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, trki) {
153 RB_REMOVE(revoked_key_id_tree, &rc->revoked_key_ids, rki);
154 free(rki->key_id);
155 free(rki);
156 }
157 if (rc->ca_key != NULL)
158 key_free(rc->ca_key);
159}
160
161void
162ssh_krl_free(struct ssh_krl *krl)
163{
164 struct revoked_blob *rb, *trb;
165 struct revoked_certs *rc, *trc;
166
167 if (krl == NULL)
168 return;
169
170 free(krl->comment);
171 RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) {
172 RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb);
173 free(rb->blob);
174 free(rb);
175 }
176 RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) {
177 RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb);
178 free(rb->blob);
179 free(rb);
180 }
181 TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) {
182 TAILQ_REMOVE(&krl->revoked_certs, rc, entry);
183 revoked_certs_free(rc);
184 }
185}
186
187void
188ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version)
189{
190 krl->krl_version = version;
191}
192
193void
194ssh_krl_set_comment(struct ssh_krl *krl, const char *comment)
195{
196 free(krl->comment);
197 if ((krl->comment = strdup(comment)) == NULL)
198 fatal("%s: strdup", __func__);
199}
200
201/*
202 * Find the revoked_certs struct for a CA key. If allow_create is set then
203 * create a new one in the tree if one did not exist already.
204 */
205static int
206revoked_certs_for_ca_key(struct ssh_krl *krl, const Key *ca_key,
207 struct revoked_certs **rcp, int allow_create)
208{
209 struct revoked_certs *rc;
210
211 *rcp = NULL;
212 TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
213 if (key_equal(rc->ca_key, ca_key)) {
214 *rcp = rc;
215 return 0;
216 }
217 }
218 if (!allow_create)
219 return 0;
220 /* If this CA doesn't exist in the list then add it now */
221 if ((rc = calloc(1, sizeof(*rc))) == NULL)
222 return -1;
223 if ((rc->ca_key = key_from_private(ca_key)) == NULL) {
224 free(rc);
225 return -1;
226 }
227 RB_INIT(&rc->revoked_serials);
228 RB_INIT(&rc->revoked_key_ids);
229 TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry);
230 debug3("%s: new CA %s", __func__, key_type(ca_key));
231 *rcp = rc;
232 return 0;
233}
234
235static int
236insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
237{
238 struct revoked_serial rs, *ers, *crs, *irs;
239
240 KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi));
241 bzero(&rs, sizeof(rs));
242 rs.lo = lo;
243 rs.hi = hi;
244 ers = RB_NFIND(revoked_serial_tree, rt, &rs);
245 if (ers == NULL || serial_cmp(ers, &rs) != 0) {
246 /* No entry matches. Just insert */
247 if ((irs = malloc(sizeof(rs))) == NULL)
248 return -1;
249 memcpy(irs, &rs, sizeof(*irs));
250 ers = RB_INSERT(revoked_serial_tree, rt, irs);
251 if (ers != NULL) {
252 KRL_DBG(("%s: bad: ers != NULL", __func__));
253 /* Shouldn't happen */
254 free(irs);
255 return -1;
256 }
257 ers = irs;
258 } else {
259 KRL_DBG(("%s: overlap found %llu:%llu", __func__,
260 ers->lo, ers->hi));
261 /*
262 * The inserted entry overlaps an existing one. Grow the
263 * existing entry.
264 */
265 if (ers->lo > lo)
266 ers->lo = lo;
267 if (ers->hi < hi)
268 ers->hi = hi;
269 }
270 /*
271 * The inserted or revised range might overlap or abut adjacent ones;
272 * coalesce as necessary.
273 */
274
275 /* Check predecessors */
276 while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) {
277 KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi));
278 if (ers->lo != 0 && crs->hi < ers->lo - 1)
279 break;
280 /* This entry overlaps. */
281 if (crs->lo < ers->lo) {
282 ers->lo = crs->lo;
283 KRL_DBG(("%s: pred extend %llu:%llu", __func__,
284 ers->lo, ers->hi));
285 }
286 RB_REMOVE(revoked_serial_tree, rt, crs);
287 free(crs);
288 }
289 /* Check successors */
290 while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) {
291 KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi));
292 if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1)
293 break;
294 /* This entry overlaps. */
295 if (crs->hi > ers->hi) {
296 ers->hi = crs->hi;
297 KRL_DBG(("%s: succ extend %llu:%llu", __func__,
298 ers->lo, ers->hi));
299 }
300 RB_REMOVE(revoked_serial_tree, rt, crs);
301 free(crs);
302 }
303 KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi));
304 return 0;
305}
306
307int
308ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
309 u_int64_t serial)
310{
311 return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial);
312}
313
314int
315ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
316 u_int64_t lo, u_int64_t hi)
317{
318 struct revoked_certs *rc;
319
320 if (lo > hi || lo == 0)
321 return -1;
322 if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0)
323 return -1;
324 return insert_serial_range(&rc->revoked_serials, lo, hi);
325}
326
327int
328ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
329 const char *key_id)
330{
331 struct revoked_key_id *rki, *erki;
332 struct revoked_certs *rc;
333
334 if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0)
335 return -1;
336
337 debug3("%s: revoke %s", __func__, key_id);
338 if ((rki = calloc(1, sizeof(*rki))) == NULL ||
339 (rki->key_id = strdup(key_id)) == NULL) {
340 free(rki);
341 fatal("%s: strdup", __func__);
342 }
343 erki = RB_INSERT(revoked_key_id_tree, &rc->revoked_key_ids, rki);
344 if (erki != NULL) {
345 free(rki->key_id);
346 free(rki);
347 }
348 return 0;
349}
350
351/* Convert "key" to a public key blob without any certificate information */
352static int
353plain_key_blob(const Key *key, u_char **blob, u_int *blen)
354{
355 Key *kcopy;
356 int r;
357
358 if ((kcopy = key_from_private(key)) == NULL)
359 return -1;
360 if (key_is_cert(kcopy)) {
361 if (key_drop_cert(kcopy) != 0) {
362 error("%s: key_drop_cert", __func__);
363 key_free(kcopy);
364 return -1;
365 }
366 }
367 r = key_to_blob(kcopy, blob, blen);
368 free(kcopy);
369 return r == 0 ? -1 : 0;
370}
371
372/* Revoke a key blob. Ownership of blob is transferred to the tree */
373static int
374revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len)
375{
376 struct revoked_blob *rb, *erb;
377
378 if ((rb = calloc(1, sizeof(*rb))) == NULL)
379 return -1;
380 rb->blob = blob;
381 rb->len = len;
382 erb = RB_INSERT(revoked_blob_tree, rbt, rb);
383 if (erb != NULL) {
384 free(rb->blob);
385 free(rb);
386 }
387 return 0;
388}
389
390int
391ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key)
392{
393 u_char *blob;
394 u_int len;
395
396 debug3("%s: revoke type %s", __func__, key_type(key));
397 if (plain_key_blob(key, &blob, &len) != 0)
398 return -1;
399 return revoke_blob(&krl->revoked_keys, blob, len);
400}
401
402int
403ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key)
404{
405 u_char *blob;
406 u_int len;
407
408 debug3("%s: revoke type %s by sha1", __func__, key_type(key));
409 if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL)
410 return -1;
411 return revoke_blob(&krl->revoked_sha1s, blob, len);
412}
413
414int
415ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key)
416{
417 if (!key_is_cert(key))
418 return ssh_krl_revoke_key_sha1(krl, key);
419
420 if (key_cert_is_legacy(key) || key->cert->serial == 0) {
421 return ssh_krl_revoke_cert_by_key_id(krl,
422 key->cert->signature_key,
423 key->cert->key_id);
424 } else {
425 return ssh_krl_revoke_cert_by_serial(krl,
426 key->cert->signature_key,
427 key->cert->serial);
428 }
429}
430
431/*
432 * Select a copact next section type to emit in a KRL based on the
433 * current section type, the run length of contiguous revoked serial
434 * numbers and the gaps from the last and to the next revoked serial.
435 * Applies a mostly-accurate bit cost model to select the section type
436 * that will minimise the size of the resultant KRL.
437 */
438static int
439choose_next_state(int current_state, u_int64_t contig, int final,
440 u_int64_t last_gap, u_int64_t next_gap, int *force_new_section)
441{
442 int new_state;
443 u_int64_t cost, cost_list, cost_range, cost_bitmap, cost_bitmap_restart;
444
445 /*
446 * Avoid unsigned overflows.
447 * The limits are high enough to avoid confusing the calculations.
448 */
449 contig = MIN(contig, 1ULL<<31);
450 last_gap = MIN(last_gap, 1ULL<<31);
451 next_gap = MIN(next_gap, 1ULL<<31);
452
453 /*
454 * Calculate the cost to switch from the current state to candidates.
455 * NB. range sections only ever contain a single range, so their
456 * switching cost is independent of the current_state.
457 */
458 cost_list = cost_bitmap = cost_bitmap_restart = 0;
459 cost_range = 8;
460 switch (current_state) {
461 case KRL_SECTION_CERT_SERIAL_LIST:
462 cost_bitmap_restart = cost_bitmap = 8 + 64;
463 break;
464 case KRL_SECTION_CERT_SERIAL_BITMAP:
465 cost_list = 8;
466 cost_bitmap_restart = 8 + 64;
467 break;
468 case KRL_SECTION_CERT_SERIAL_RANGE:
469 case 0:
470 cost_bitmap_restart = cost_bitmap = 8 + 64;
471 cost_list = 8;
472 }
473
474 /* Estimate base cost in bits of each section type */
475 cost_list += 64 * contig + (final ? 0 : 8+64);
476 cost_range += (2 * 64) + (final ? 0 : 8+64);
477 cost_bitmap += last_gap + contig + (final ? 0 : MIN(next_gap, 8+64));
478 cost_bitmap_restart += contig + (final ? 0 : MIN(next_gap, 8+64));
479
480 /* Convert to byte costs for actual comparison */
481 cost_list = (cost_list + 7) / 8;
482 cost_bitmap = (cost_bitmap + 7) / 8;
483 cost_bitmap_restart = (cost_bitmap_restart + 7) / 8;
484 cost_range = (cost_range + 7) / 8;
485
486 /* Now pick the best choice */
487 *force_new_section = 0;
488 new_state = KRL_SECTION_CERT_SERIAL_BITMAP;
489 cost = cost_bitmap;
490 if (cost_range < cost) {
491 new_state = KRL_SECTION_CERT_SERIAL_RANGE;
492 cost = cost_range;
493 }
494 if (cost_list < cost) {
495 new_state = KRL_SECTION_CERT_SERIAL_LIST;
496 cost = cost_list;
497 }
498 if (cost_bitmap_restart < cost) {
499 new_state = KRL_SECTION_CERT_SERIAL_BITMAP;
500 *force_new_section = 1;
501 cost = cost_bitmap_restart;
502 }
503 debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
504 "list %llu range %llu bitmap %llu new bitmap %llu, "
505 "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final,
506 cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state,
507 *force_new_section ? " restart" : "");
508 return new_state;
509}
510
511/* Generate a KRL_SECTION_CERTIFICATES KRL section */
512static int
513revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
514{
515 int final, force_new_sect, r = -1;
516 u_int64_t i, contig, gap, last = 0, bitmap_start = 0;
517 struct revoked_serial *rs, *nrs;
518 struct revoked_key_id *rki;
519 int next_state, state = 0;
520 Buffer sect;
521 u_char *kblob = NULL;
522 u_int klen;
523 BIGNUM *bitmap = NULL;
524
525 /* Prepare CA scope key blob if we have one supplied */
526 if (key_to_blob(rc->ca_key, &kblob, &klen) == 0)
527 return -1;
528
529 buffer_init(&sect);
530
531 /* Store the header */
532 buffer_put_string(buf, kblob, klen);
533 buffer_put_string(buf, NULL, 0); /* Reserved */
534
535 free(kblob);
536
537 /* Store the revoked serials. */
538 for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials);
539 rs != NULL;
540 rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
541 debug3("%s: serial %llu:%llu state 0x%02x", __func__,
542 rs->lo, rs->hi, state);
543
544 /* Check contiguous length and gap to next section (if any) */
545 nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
546 final = nrs == NULL;
547 gap = nrs == NULL ? 0 : nrs->lo - rs->hi;
548 contig = 1 + (rs->hi - rs->lo);
549
550 /* Choose next state based on these */
551 next_state = choose_next_state(state, contig, final,
552 state == 0 ? 0 : rs->lo - last, gap, &force_new_sect);
553
554 /*
555 * If the current section is a range section or has a different
556 * type to the next section, then finish it off now.
557 */
558 if (state != 0 && (force_new_sect || next_state != state ||
559 state == KRL_SECTION_CERT_SERIAL_RANGE)) {
560 debug3("%s: finish state 0x%02x", __func__, state);
561 switch (state) {
562 case KRL_SECTION_CERT_SERIAL_LIST:
563 case KRL_SECTION_CERT_SERIAL_RANGE:
564 break;
565 case KRL_SECTION_CERT_SERIAL_BITMAP:
566 buffer_put_bignum2(&sect, bitmap);
567 BN_free(bitmap);
568 bitmap = NULL;
569 break;
570 }
571 buffer_put_char(buf, state);
572 buffer_put_string(buf,
573 buffer_ptr(&sect), buffer_len(&sect));
574 }
575
576 /* If we are starting a new section then prepare it now */
577 if (next_state != state || force_new_sect) {
578 debug3("%s: start state 0x%02x", __func__, next_state);
579 state = next_state;
580 buffer_clear(&sect);
581 switch (state) {
582 case KRL_SECTION_CERT_SERIAL_LIST:
583 case KRL_SECTION_CERT_SERIAL_RANGE:
584 break;
585 case KRL_SECTION_CERT_SERIAL_BITMAP:
586 if ((bitmap = BN_new()) == NULL)
587 goto out;
588 bitmap_start = rs->lo;
589 buffer_put_int64(&sect, bitmap_start);
590 break;
591 }
592 }
593
594 /* Perform section-specific processing */
595 switch (state) {
596 case KRL_SECTION_CERT_SERIAL_LIST:
597 for (i = 0; i < contig; i++)
598 buffer_put_int64(&sect, rs->lo + i);
599 break;
600 case KRL_SECTION_CERT_SERIAL_RANGE:
601 buffer_put_int64(&sect, rs->lo);
602 buffer_put_int64(&sect, rs->hi);
603 break;
604 case KRL_SECTION_CERT_SERIAL_BITMAP:
605 if (rs->lo - bitmap_start > INT_MAX) {
606 error("%s: insane bitmap gap", __func__);
607 goto out;
608 }
609 for (i = 0; i < contig; i++) {
610 if (BN_set_bit(bitmap,
611 rs->lo + i - bitmap_start) != 1)
612 goto out;
613 }
614 break;
615 }
616 last = rs->hi;
617 }
618 /* Flush the remaining section, if any */
619 if (state != 0) {
620 debug3("%s: serial final flush for state 0x%02x",
621 __func__, state);
622 switch (state) {
623 case KRL_SECTION_CERT_SERIAL_LIST:
624 case KRL_SECTION_CERT_SERIAL_RANGE:
625 break;
626 case KRL_SECTION_CERT_SERIAL_BITMAP:
627 buffer_put_bignum2(&sect, bitmap);
628 BN_free(bitmap);
629 bitmap = NULL;
630 break;
631 }
632 buffer_put_char(buf, state);
633 buffer_put_string(buf,
634 buffer_ptr(&sect), buffer_len(&sect));
635 }
636 debug3("%s: serial done ", __func__);
637
638 /* Now output a section for any revocations by key ID */
639 buffer_clear(&sect);
640 RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
641 debug3("%s: key ID %s", __func__, rki->key_id);
642 buffer_put_cstring(&sect, rki->key_id);
643 }
644 if (buffer_len(&sect) != 0) {
645 buffer_put_char(buf, KRL_SECTION_CERT_KEY_ID);
646 buffer_put_string(buf, buffer_ptr(&sect),
647 buffer_len(&sect));
648 }
649 r = 0;
650 out:
651 if (bitmap != NULL)
652 BN_free(bitmap);
653 buffer_free(&sect);
654 return r;
655}
656
657int
658ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
659 u_int nsign_keys)
660{
661 int r = -1;
662 struct revoked_certs *rc;
663 struct revoked_blob *rb;
664 Buffer sect;
665 u_char *kblob = NULL, *sblob = NULL;
666 u_int klen, slen, i;
667
668 if (krl->generated_date == 0)
669 krl->generated_date = time(NULL);
670
671 buffer_init(&sect);
672
673 /* Store the header */
674 buffer_append(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1);
675 buffer_put_int(buf, KRL_FORMAT_VERSION);
676 buffer_put_int64(buf, krl->krl_version);
677 buffer_put_int64(buf, krl->generated_date);
678 buffer_put_int64(buf, krl->flags);
679 buffer_put_string(buf, NULL, 0);
680 buffer_put_cstring(buf, krl->comment ? krl->comment : "");
681
682 /* Store sections for revoked certificates */
683 TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
684 if (revoked_certs_generate(rc, &sect) != 0)
685 goto out;
686 buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
687 buffer_put_string(buf, buffer_ptr(&sect),
688 buffer_len(&sect));
689 }
690
691 /* Finally, output sections for revocations by public key/hash */
692 buffer_clear(&sect);
693 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
694 debug3("%s: key len %u ", __func__, rb->len);
695 buffer_put_string(&sect, rb->blob, rb->len);
696 }
697 if (buffer_len(&sect) != 0) {
698 buffer_put_char(buf, KRL_SECTION_EXPLICIT_KEY);
699 buffer_put_string(buf, buffer_ptr(&sect),
700 buffer_len(&sect));
701 }
702 buffer_clear(&sect);
703 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
704 debug3("%s: hash len %u ", __func__, rb->len);
705 buffer_put_string(&sect, rb->blob, rb->len);
706 }
707 if (buffer_len(&sect) != 0) {
708 buffer_put_char(buf, KRL_SECTION_FINGERPRINT_SHA1);
709 buffer_put_string(buf, buffer_ptr(&sect),
710 buffer_len(&sect));
711 }
712
713 for (i = 0; i < nsign_keys; i++) {
714 if (key_to_blob(sign_keys[i], &kblob, &klen) == 0)
715 goto out;
716
717 debug3("%s: signature key len %u", __func__, klen);
718 buffer_put_char(buf, KRL_SECTION_SIGNATURE);
719 buffer_put_string(buf, kblob, klen);
720
721 if (key_sign(sign_keys[i], &sblob, &slen,
722 buffer_ptr(buf), buffer_len(buf)) == -1)
723 goto out;
724 debug3("%s: signature sig len %u", __func__, slen);
725 buffer_put_string(buf, sblob, slen);
726 }
727
728 r = 0;
729 out:
730 free(kblob);
731 free(sblob);
732 buffer_free(&sect);
733 return r;
734}
735
736static void
737format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
738{
739 time_t t;
740 struct tm *tm;
741
742 t = timestamp;
743 tm = localtime(&t);
744 *ts = '\0';
745 strftime(ts, nts, "%Y%m%dT%H%M%S", tm);
746}
747
748static int
749parse_revoked_certs(Buffer *buf, struct ssh_krl *krl)
750{
751 int ret = -1, nbits;
752 u_char type, *blob;
753 u_int blen;
754 Buffer subsect;
755 u_int64_t serial, serial_lo, serial_hi;
756 BIGNUM *bitmap = NULL;
757 char *key_id = NULL;
758 Key *ca_key = NULL;
759
760 buffer_init(&subsect);
761
762 if ((blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL ||
763 buffer_get_string_ptr_ret(buf, NULL) == NULL) { /* reserved */
764 error("%s: buffer error", __func__);
765 goto out;
766 }
767 if ((ca_key = key_from_blob(blob, blen)) == NULL)
768 goto out;
769
770 while (buffer_len(buf) > 0) {
771 if (buffer_get_char_ret(&type, buf) != 0 ||
772 (blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL) {
773 error("%s: buffer error", __func__);
774 goto out;
775 }
776 buffer_clear(&subsect);
777 buffer_append(&subsect, blob, blen);
778 debug3("%s: subsection type 0x%02x", __func__, type);
779 /* buffer_dump(&subsect); */
780
781 switch (type) {
782 case KRL_SECTION_CERT_SERIAL_LIST:
783 while (buffer_len(&subsect) > 0) {
784 if (buffer_get_int64_ret(&serial,
785 &subsect) != 0) {
786 error("%s: buffer error", __func__);
787 goto out;
788 }
789 if (ssh_krl_revoke_cert_by_serial(krl, ca_key,
790 serial) != 0) {
791 error("%s: update failed", __func__);
792 goto out;
793 }
794 }
795 break;
796 case KRL_SECTION_CERT_SERIAL_RANGE:
797 if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 ||
798 buffer_get_int64_ret(&serial_hi, &subsect) != 0) {
799 error("%s: buffer error", __func__);
800 goto out;
801 }
802 if (ssh_krl_revoke_cert_by_serial_range(krl, ca_key,
803 serial_lo, serial_hi) != 0) {
804 error("%s: update failed", __func__);
805 goto out;
806 }
807 break;
808 case KRL_SECTION_CERT_SERIAL_BITMAP:
809 if ((bitmap = BN_new()) == NULL) {
810 error("%s: BN_new", __func__);
811 goto out;
812 }
813 if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 ||
814 buffer_get_bignum2_ret(&subsect, bitmap) != 0) {
815 error("%s: buffer error", __func__);
816 goto out;
817 }
818 if ((nbits = BN_num_bits(bitmap)) < 0) {
819 error("%s: bitmap bits < 0", __func__);
820 goto out;
821 }
822 for (serial = 0; serial < (u_int)nbits; serial++) {
823 if (serial > 0 && serial_lo + serial == 0) {
824 error("%s: bitmap wraps u64", __func__);
825 goto out;
826 }
827 if (!BN_is_bit_set(bitmap, serial))
828 continue;
829 if (ssh_krl_revoke_cert_by_serial(krl, ca_key,
830 serial_lo + serial) != 0) {
831 error("%s: update failed", __func__);
832 goto out;
833 }
834 }
835 BN_free(bitmap);
836 bitmap = NULL;
837 break;
838 case KRL_SECTION_CERT_KEY_ID:
839 while (buffer_len(&subsect) > 0) {
840 if ((key_id = buffer_get_cstring_ret(&subsect,
841 NULL)) == NULL) {
842 error("%s: buffer error", __func__);
843 goto out;
844 }
845 if (ssh_krl_revoke_cert_by_key_id(krl, ca_key,
846 key_id) != 0) {
847 error("%s: update failed", __func__);
848 goto out;
849 }
850 free(key_id);
851 key_id = NULL;
852 }
853 break;
854 default:
855 error("Unsupported KRL certificate section %u", type);
856 goto out;
857 }
858 if (buffer_len(&subsect) > 0) {
859 error("KRL certificate section contains unparsed data");
860 goto out;
861 }
862 }
863
864 ret = 0;
865 out:
866 if (ca_key != NULL)
867 key_free(ca_key);
868 if (bitmap != NULL)
869 BN_free(bitmap);
870 free(key_id);
871 buffer_free(&subsect);
872 return ret;
873}
874
875
876/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
877int
878ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
879 const Key **sign_ca_keys, u_int nsign_ca_keys)
880{
881 Buffer copy, sect;
882 struct ssh_krl *krl;
883 char timestamp[64];
884 int ret = -1, r, sig_seen;
885 Key *key = NULL, **ca_used = NULL;
886 u_char type, *blob;
887 u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0;
888
889 *krlp = NULL;
890 if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 ||
891 memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) {
892 debug3("%s: not a KRL", __func__);
893 /*
894 * Return success but a NULL *krlp here to signal that the
895 * file might be a simple list of keys.
896 */
897 return 0;
898 }
899
900 /* Take a copy of the KRL buffer so we can verify its signature later */
901 buffer_init(&copy);
902 buffer_append(&copy, buffer_ptr(buf), buffer_len(buf));
903
904 buffer_init(&sect);
905 buffer_consume(&copy, sizeof(KRL_MAGIC) - 1);
906
907 if ((krl = ssh_krl_init()) == NULL) {
908 error("%s: alloc failed", __func__);
909 goto out;
910 }
911
912 if (buffer_get_int_ret(&format_version, &copy) != 0) {
913 error("%s: KRL truncated", __func__);
914 goto out;
915 }
916 if (format_version != KRL_FORMAT_VERSION) {
917 error("%s: KRL unsupported format version %u",
918 __func__, format_version);
919 goto out;
920 }
921 if (buffer_get_int64_ret(&krl->krl_version, &copy) != 0 ||
922 buffer_get_int64_ret(&krl->generated_date, &copy) != 0 ||
923 buffer_get_int64_ret(&krl->flags, &copy) != 0 ||
924 buffer_get_string_ptr_ret(&copy, NULL) == NULL || /* reserved */
925 (krl->comment = buffer_get_cstring_ret(&copy, NULL)) == NULL) {
926 error("%s: buffer error", __func__);
927 goto out;
928 }
929
930 format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
931 debug("KRL version %llu generated at %s%s%s", krl->krl_version,
932 timestamp, *krl->comment ? ": " : "", krl->comment);
933
934 /*
935 * 1st pass: verify signatures, if any. This is done to avoid
936 * detailed parsing of data whose provenance is unverified.
937 */
938 sig_seen = 0;
939 sects_off = buffer_len(buf) - buffer_len(&copy);
940 while (buffer_len(&copy) > 0) {
941 if (buffer_get_char_ret(&type, &copy) != 0 ||
942 (blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
943 error("%s: buffer error", __func__);
944 goto out;
945 }
946 debug3("%s: first pass, section 0x%02x", __func__, type);
947 if (type != KRL_SECTION_SIGNATURE) {
948 if (sig_seen) {
949 error("KRL contains non-signature section "
950 "after signature");
951 goto out;
952 }
953 /* Not interested for now. */
954 continue;
955 }
956 sig_seen = 1;
957 /* First string component is the signing key */
958 if ((key = key_from_blob(blob, blen)) == NULL) {
959 error("%s: invalid signature key", __func__);
960 goto out;
961 }
962 sig_off = buffer_len(buf) - buffer_len(&copy);
963 /* Second string component is the signature itself */
964 if ((blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
965 error("%s: buffer error", __func__);
966 goto out;
967 }
968 /* Check signature over entire KRL up to this point */
969 if (key_verify(key, blob, blen,
970 buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) {
971 error("bad signaure on KRL");
972 goto out;
973 }
974 /* Check if this key has already signed this KRL */
975 for (i = 0; i < nca_used; i++) {
976 if (key_equal(ca_used[i], key)) {
977 error("KRL signed more than once with "
978 "the same key");
979 goto out;
980 }
981 }
982 /* Record keys used to sign the KRL */
983 ca_used = xrealloc(ca_used, nca_used + 1, sizeof(*ca_used));
984 ca_used[nca_used++] = key;
985 key = NULL;
986 break;
987 }
988
989 /*
990 * 2nd pass: parse and load the KRL, skipping the header to the point
991 * where the section start.
992 */
993 buffer_append(&copy, (u_char*)buffer_ptr(buf) + sects_off,
994 buffer_len(buf) - sects_off);
995 while (buffer_len(&copy) > 0) {
996 if (buffer_get_char_ret(&type, &copy) != 0 ||
997 (blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
998 error("%s: buffer error", __func__);
999 goto out;
1000 }
1001 debug3("%s: second pass, section 0x%02x", __func__, type);
1002 buffer_clear(&sect);
1003 buffer_append(&sect, blob, blen);
1004
1005 switch (type) {
1006 case KRL_SECTION_CERTIFICATES:
1007 if ((r = parse_revoked_certs(&sect, krl)) != 0)
1008 goto out;
1009 break;
1010 case KRL_SECTION_EXPLICIT_KEY:
1011 case KRL_SECTION_FINGERPRINT_SHA1:
1012 while (buffer_len(&sect) > 0) {
1013 if ((blob = buffer_get_string_ret(&sect,
1014 &blen)) == NULL) {
1015 error("%s: buffer error", __func__);
1016 goto out;
1017 }
1018 if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
1019 blen != 20) {
1020 error("%s: bad SHA1 length", __func__);
1021 goto out;
1022 }
1023 if (revoke_blob(
1024 type == KRL_SECTION_EXPLICIT_KEY ?
1025 &krl->revoked_keys : &krl->revoked_sha1s,
1026 blob, blen) != 0)
1027 goto out; /* revoke_blob frees blob */
1028 }
1029 break;
1030 case KRL_SECTION_SIGNATURE:
1031 /* Handled above, but still need to stay in synch */
1032 buffer_clear(&sect);
1033 if ((blob = buffer_get_string_ptr_ret(&copy,
1034 &blen)) == NULL) {
1035 error("%s: buffer error", __func__);
1036 goto out;
1037 }
1038 break;
1039 default:
1040 error("Unsupported KRL section %u", type);
1041 goto out;
1042 }
1043 if (buffer_len(&sect) > 0) {
1044 error("KRL section contains unparsed data");
1045 goto out;
1046 }
1047 }
1048
1049 /* Check that the key(s) used to sign the KRL weren't revoked */
1050 sig_seen = 0;
1051 for (i = 0; i < nca_used; i++) {
1052 if (ssh_krl_check_key(krl, ca_used[i]) == 0)
1053 sig_seen = 1;
1054 else {
1055 key_free(ca_used[i]);
1056 ca_used[i] = NULL;
1057 }
1058 }
1059 if (nca_used && !sig_seen) {
1060 error("All keys used to sign KRL were revoked");
1061 goto out;
1062 }
1063
1064 /* If we have CA keys, then verify that one was used to sign the KRL */
1065 if (sig_seen && nsign_ca_keys != 0) {
1066 sig_seen = 0;
1067 for (i = 0; !sig_seen && i < nsign_ca_keys; i++) {
1068 for (j = 0; j < nca_used; j++) {
1069 if (ca_used[j] == NULL)
1070 continue;
1071 if (key_equal(ca_used[j], sign_ca_keys[i])) {
1072 sig_seen = 1;
1073 break;
1074 }
1075 }
1076 }
1077 if (!sig_seen) {
1078 error("KRL not signed with any trusted key");
1079 goto out;
1080 }
1081 }
1082
1083 *krlp = krl;
1084 ret = 0;
1085 out:
1086 if (ret != 0)
1087 ssh_krl_free(krl);
1088 for (i = 0; i < nca_used; i++) {
1089 if (ca_used[i] != NULL)
1090 key_free(ca_used[i]);
1091 }
1092 free(ca_used);
1093 if (key != NULL)
1094 key_free(key);
1095 buffer_free(&copy);
1096 buffer_free(&sect);
1097 return ret;
1098}
1099
1100/* Checks whether a given key/cert is revoked. Does not check its CA */
1101static int
1102is_key_revoked(struct ssh_krl *krl, const Key *key)
1103{
1104 struct revoked_blob rb, *erb;
1105 struct revoked_serial rs, *ers;
1106 struct revoked_key_id rki, *erki;
1107 struct revoked_certs *rc;
1108
1109 /* Check explicitly revoked hashes first */
1110 bzero(&rb, sizeof(rb));
1111 if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
1112 return -1;
1113 erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
1114 free(rb.blob);
1115 if (erb != NULL) {
1116 debug("%s: revoked by key SHA1", __func__);
1117 return -1;
1118 }
1119
1120 /* Next, explicit keys */
1121 bzero(&rb, sizeof(rb));
1122 if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
1123 return -1;
1124 erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
1125 free(rb.blob);
1126 if (erb != NULL) {
1127 debug("%s: revoked by explicit key", __func__);
1128 return -1;
1129 }
1130
1131 if (!key_is_cert(key))
1132 return 0;
1133
1134 /* Check cert revocation */
1135 if (revoked_certs_for_ca_key(krl, key->cert->signature_key,
1136 &rc, 0) != 0)
1137 return -1;
1138 if (rc == NULL)
1139 return 0; /* No entry for this CA */
1140
1141 /* Check revocation by cert key ID */
1142 bzero(&rki, sizeof(rki));
1143 rki.key_id = key->cert->key_id;
1144 erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki);
1145 if (erki != NULL) {
1146 debug("%s: revoked by key ID", __func__);
1147 return -1;
1148 }
1149
1150 /*
1151 * Legacy cert formats lack serial numbers. Zero serials numbers
1152 * are ignored (it's the default when the CA doesn't specify one).
1153 */
1154 if (key_cert_is_legacy(key) || key->cert->serial == 0)
1155 return 0;
1156
1157 bzero(&rs, sizeof(rs));
1158 rs.lo = rs.hi = key->cert->serial;
1159 ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs);
1160 if (ers != NULL) {
1161 KRL_DBG(("%s: %llu matched %llu:%llu", __func__,
1162 key->cert->serial, ers->lo, ers->hi));
1163 debug("%s: revoked by serial", __func__);
1164 return -1;
1165 }
1166 KRL_DBG(("%s: %llu no match", __func__, key->cert->serial));
1167
1168 return 0;
1169}
1170
1171int
1172ssh_krl_check_key(struct ssh_krl *krl, const Key *key)
1173{
1174 int r;
1175
1176 debug2("%s: checking key", __func__);
1177 if ((r = is_key_revoked(krl, key)) != 0)
1178 return r;
1179 if (key_is_cert(key)) {
1180 debug2("%s: checking CA key", __func__);
1181 if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0)
1182 return r;
1183 }
1184 debug3("%s: key okay", __func__);
1185 return 0;
1186}
1187
1188/* Returns 0 on success, -1 on error or key revoked, -2 if path is not a KRL */
1189int
1190ssh_krl_file_contains_key(const char *path, const Key *key)
1191{
1192 Buffer krlbuf;
1193 struct ssh_krl *krl;
1194 int revoked, fd;
1195
1196 if (path == NULL)
1197 return 0;
1198
1199 if ((fd = open(path, O_RDONLY)) == -1) {
1200 error("open %s: %s", path, strerror(errno));
1201 error("Revoked keys file not accessible - refusing public key "
1202 "authentication");
1203 return -1;
1204 }
1205 buffer_init(&krlbuf);
1206 if (!key_load_file(fd, path, &krlbuf)) {
1207 close(fd);
1208 buffer_free(&krlbuf);
1209 error("Revoked keys file not readable - refusing public key "
1210 "authentication");
1211 return -1;
1212 }
1213 close(fd);
1214 if (ssh_krl_from_blob(&krlbuf, &krl, NULL, 0) != 0) {
1215 buffer_free(&krlbuf);
1216 error("Invalid KRL, refusing public key "
1217 "authentication");
1218 return -1;
1219 }
1220 buffer_free(&krlbuf);
1221 if (krl == NULL) {
1222 debug3("%s: %s is not a KRL file", __func__, path);
1223 return -2;
1224 }
1225 debug2("%s: checking KRL %s", __func__, path);
1226 revoked = ssh_krl_check_key(krl, key) != 0;
1227 ssh_krl_free(krl);
1228 return revoked ? -1 : 0;
1229}
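diff --git a/krl.h b/krl.h
new file mode 100644
index 000000000..2c43f5bb2
--- /dev/null
+++ b/krl.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */
+
+#ifndef _KRL_H
+#define _KRL_H
+
+/* Functions to manage key revocation lists */
+
+#define KRL_MAGIC "SSHKRL\n\0"
+#define KRL_FORMAT_VERSION 1
+
+/* KRL section types */
+#define KRL_SECTION_CERTIFICATES 1
+#define KRL_SECTION_EXPLICIT_KEY 2
+#define KRL_SECTION_FINGERPRINT_SHA1 3
+#define KRL_SECTION_SIGNATURE 4
+
+/* KRL_SECTION_CERTIFICATES subsection types */
+#define KRL_SECTION_CERT_SERIAL_LIST 0x20
+#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
+#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
+#define KRL_SECTION_CERT_KEY_ID 0x23
+
+struct ssh_krl;
+
+struct ssh_krl *ssh_krl_init(void);
+void ssh_krl_free(struct ssh_krl *krl);
+void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
+void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key);
+void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
+int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
+ u_int64_t serial);
+int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
+ u_int64_t lo, u_int64_t hi);
+int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
+ const char *key_id);
+int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key);
+int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key);
+int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key);
+int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
+ u_int nsign_keys);
+int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
+ const Key **sign_ca_keys, u_int nsign_ca_keys);
+int ssh_krl_check_key(struct ssh_krl *krl, const Key *key);
+int ssh_krl_file_contains_key(const char *path, const Key *key);
+
+#endif /* _KRL_H */
+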
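Review bot: The prototypes for `ssh_krl_from_blob` and `ssh_krl_file_contains_key` carry no comment on their return contract, and a caller reading only this header cannot tell "not a KRL" from "KRL loaded". In krl.c as added by this commit, `ssh_krl_from_blob` returns 0 with `*krlp == NULL` when the magic is absent, and the trusted-signer comparison runs only when a signature section was seen and `nsign_ca_keys != 0`, so a KRL without a signature section is loaded without that check. I would add above the prototype `/* Returns 0 with *krlp == NULL if buf is not a KRL; signers are matched against sign_ca_keys only if the KRL is signed and nsign_ca_keys != 0 */`. The `0 / -1 / -2` comment that krl.c places on `ssh_krl_file_contains_key` should also be repeated on its prototype here.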
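diff --git a/log.c b/log.c
index 201740893..dabee1407 100644
--- a/log.c
+++ b/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.42 2011/06/17 21:44:30 djm Exp $ */
+/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -45,7 +45,7 @@
 #include <syslog.h>
 #include <unistd.h>
 #include <errno.h>
-#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
 # include <vis.h>
 #endif
 
@@ -330,6 +330,21 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
 #endif
 }
 
+void
+log_change_level(LogLevel new_log_level)
+{
+ /* no-op if log_init has not been called */
+ if (argv0 == NULL)
+ return;
+ log_init(argv0, new_log_level, log_facility, log_on_stderr);
+}
+
+int
+log_is_on_stderr(void)
+{
+ return log_on_stderr;
+}
+
 #define MSGBUFSIZ 1024
 
 void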
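diff --git a/log.h b/log.h
index 1b8d2142b..e3e328b06 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.18 2011/06/17 21:44:30 djm Exp $ */
+/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -49,6 +49,8 @@ typedef enum {
 typedef void (log_handler_fn)(LogLevel, const char *, void *);
 
 void log_init(char *, LogLevel, SyslogFacility, int);
+void log_change_level(LogLevel);
+int log_is_on_stderr(void);
 
 SyslogFacility log_facility_number(char *);
 const char * log_facility_name(SyslogFacility);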
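diff --git a/loginrec.c b/loginrec.c
index 32941c985..f9662fa5c 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -180,10 +180,6 @@
 # include <util.h>
 #endif
 
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h>
-#endif
-
 /**
  ** prototypes for helper functions in this file
  **/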
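diff --git a/mac.c b/mac.c
index 9b450e4e2..3f2dc6f2a 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */
+/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  *
@@ -48,6 +48,7 @@
 
 #define SSH_EVP 1 /* OpenSSL EVP-based MAC */
 #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
+#define SSH_UMAC128 3
 
 struct {
  char *name;
@@ -56,19 +57,36 @@ struct {
  int truncatebits; /* truncate digest if != 0 */
  int key_len; /* just for UMAC */
  int len; /* just for UMAC */
+ int etm; /* Encrypt-then-MAC */
 } macs[] = {
- { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
- { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 },
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+ { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
 #ifdef HAVE_EVP_SHA256
- { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 },
- { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 },
+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
 #endif
- { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 },
- { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 },
- { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
- { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
- { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 },
- { NULL, 0, NULL, 0, -1, -1 }
+ { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 },
+ { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 },
+ { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
+ { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
+ { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 },
+ { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 },
+
+ /* Encrypt-then-MAC variants */
+ { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
+ { "hmac-sha1-96-etm@openssh.com", SSH_EVP, EVP_sha1, 96, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif
+ { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 },
+ { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 },
+ { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
+ { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 },
+ { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 },
+
+ { NULL, 0, NULL, 0, 0, 0, 0 }
 };
 
 static void
@@ -88,6 +106,7 @@ mac_setup_by_id(Mac *mac, int which)
  }
  if (macs[which].truncatebits != 0)
  mac->mac_len = macs[which].truncatebits / 8;
+ mac->etm = macs[which].etm;
 }
 
 int
@@ -122,6 +141,9 @@ mac_init(Mac *mac)
  case SSH_UMAC:
  mac->umac_ctx = umac_new(mac->key);
  return 0;
+ case SSH_UMAC128:
+ mac->umac_ctx = umac128_new(mac->key);
+ return 0;
  default:
  return -1;
  }
@@ -151,6 +173,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
  umac_update(mac->umac_ctx, data, datalen);
  umac_final(mac->umac_ctx, m, nonce);
  break;
+ case SSH_UMAC128:
+ put_u64(nonce, seqno);
+ umac128_update(mac->umac_ctx, data, datalen);
+ umac128_final(mac->umac_ctx, m, nonce);
+ break;
  default:
  fatal("mac_compute: unknown MAC type");
  }
@@ -163,6 +190,9 @@ mac_clear(Mac *mac)
  if (mac->type == SSH_UMAC) {
  if (mac->umac_ctx != NULL)
  umac_delete(mac->umac_ctx);
+ } else if (mac->type == SSH_UMAC128) {
+ if (mac->umac_ctx != NULL)
+ umac128_delete(mac->umac_ctx);
  } else if (mac->evp_md != NULL)
  HMAC_cleanup(&mac->evp_ctx);
  mac->evp_md = NULL;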
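Review bot: In the `mac_init` hunk the new `SSH_UMAC128` case stores the result of `umac128_new(mac->key)` and returns 0 without checking it, while the `mac_clear` hunk guards `mac->umac_ctx != NULL` before deleting, which suggests the pointer may be NULL. If the constructor can fail, `mac_compute` would then pass a NULL context to `umac128_update`. I would write `if ((mac->umac_ctx = umac128_new(mac->key)) == NULL) return -1;`, and the existing `SSH_UMAC` case has the same shape. Whether `umac128_new` can actually return NULL is not visible in this section, so this needs confirming against its definition. `mac_init` starts and ends outside the hunk.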
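diff --git a/misc.c b/misc.c
index ddff00e52..3938d4053 100644
--- a/misc.c
+++ b/misc.c
@@ -645,7 +645,7 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
 int
 secure_permissions(struct stat *st, uid_t uid)
 {
- if (st->st_uid != 0 && st->st_uid != uid)
+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
  return 0;
  if ((st->st_mode & 002) != 0)
  return 0;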
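Review bot: The ownership test in `secure_permissions` now trusts whatever uids `platform_sys_dir_uid()` accepts instead of the literal uid 0, and nothing in this section says which uids those are. Because this check decides whether a file owner is treated as trusted, I would state the contract at the call site, e.g. `/* owner must be the user or a platform system uid (root; see platform_sys_dir_uid) */`. It is also worth confirming that the helper still returns true for uid 0 on every platform and admits no unprivileged account. The helper is defined outside this section, and the body of `secure_permissions` continues past the hunk.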
diff --git a/moduli b/moduli
index 3bb155de9..49f76ee98 100644
--- a/moduli
+++ b/moduli
@@ -1,206 +1,199 @@
1# $OpenBSD: moduli,v 1.7 2012/07/20 00:39:57 dtucker Exp $ 1# $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $
2# Time Type Tests Tries Size Generator Modulus 2# Time Type Tests Tries Size Generator Modulus
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
1620120705004103 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284556870F 1620120821044111 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771C2759F
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
2420120705004119 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428458D623F 2420120821044124 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7720EEF6F
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
2820120705004129 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845BA77E7 2820120821044130 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772343DBF
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
3120120705004134 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845CAF1DB 3120120821044138 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772716D8B
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
3320120705004137 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D4528F 3320120821044143 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77297AA8B
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
4120120705004152 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284603421F 4120120821044519 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F966006C7
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
4420120705004159 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846266533 4420120821044544 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969BE79B
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
4620120705004204 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846397273 4620120821044623 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9714284B
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
4920120705004210 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284651649F 4920120821044647 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974BCED3
5020120705004212 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659876B 5020120821044650 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974C3A43
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
5520120705004221 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428467B9247 5520120821044726 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F979FD437
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
5820120705004838 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7205887 5820120821044737 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97AEDBDB
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
6020120705004937 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7A3E153 6020120821044746 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97BC6EE3
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
6720120705005140 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F89EAA43 6720120821044911 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98A8FF6B
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
7320120705005246 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F9115B97 7320120821045010 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9940BEFB
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
9320120705012259 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205EB4E9E3 9320120821050118 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293682361D5F
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
10220120705014010 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2060DFB1BB 10220120821050758 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684495A13
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
10620120705014539 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206162E447 10620120821050942 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684C4FF73
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
10920120705015000 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2062023BFB 10920120821051158 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685721537
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
11120120705015234 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2062752373 11120120821051231 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685930F13
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
11520120705015806 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20637DAF9B 11520120821051424 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686206187
11620120705015900 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2063B134BB 11620120821051516 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368668EB4B
11720120705015921 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2063C148EB 11720120821051540 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368686EB87
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
14220120705034138 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541665048ECB 14220120821062241 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9427941F5F
14320120705034458 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416653F1BC7 14320120821063416 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9428D5E367
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
14620120705041429 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416677BBDD7 14620120821064951 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942A74C4EB
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
17420120705115824 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40CBE3D6B 17420120821132817 2 6 100 4095 2 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA467B278B3
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
18420120705162202 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4130DF347 18420120821174533 2 6 100 4095 2 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4731F7433
18520120705162423 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41319263F 18520120821180053 2 6 100 4095 5 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA473C7CE3F
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
19120120705193904 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41933A90B 19120120821184603 2 6 100 4095 2 
EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA475AD78CB
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
20520120705233800 2 6 100 6143 2 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B246EC93B 19820120705233800 2 6 100 6143 2 
EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B246EC93B
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
diff --git a/moduli.0 b/moduli.0
index bf510de32..77dfa4295 100644
--- a/moduli.0
+++ b/moduli.0
@@ -25,7 +25,7 @@ DESCRIPTION
25 25
26 0 Unknown, not tested. 26 0 Unknown, not tested.
27 2 "Safe" prime; (p-1)/2 is also prime. 27 2 "Safe" prime; (p-1)/2 is also prime.
28 4 Sophie Germain; (p+1)*2 is also prime. 28 4 Sophie Germain; 2p+1 is also prime.
29 29
30 Moduli candidates initially produced by ssh-keygen(1) 30 Moduli candidates initially produced by ssh-keygen(1)
31 are Sophie Germain primes (type 4). Further primality 31 are Sophie Germain primes (type 4). Further primality
@@ -66,7 +66,9 @@ DESCRIPTION
66SEE ALSO 66SEE ALSO
67 ssh-keygen(1), sshd(8) 67 ssh-keygen(1), sshd(8)
68 68
69 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer 69STANDARDS
70 Protocol, RFC 4419, 2006. 70 M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
71 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
72 2006.
71 73
72OpenBSD 5.2 October 14, 2010 OpenBSD 5.2 74OpenBSD 5.3 September 26, 2012 OpenBSD 5.3
diff --git a/moduli.5 b/moduli.5
index 097abc109..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -1,4 +1,4 @@
1.\" $OpenBSD: moduli.5,v 1.15 2010/10/14 20:41:28 jmc Exp $ 1.\" $OpenBSD: moduli.5,v 1.17 2012/09/26 17:34:38 jmc Exp $
2.\" 2.\"
3.\" Copyright (c) 2008 Damien Miller <djm@mindrot.org> 3.\" Copyright (c) 2008 Damien Miller <djm@mindrot.org>
4.\" 4.\"
@@ -13,7 +13,7 @@
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.Dd $Mdocdate: October 14 2010 $ 16.Dd $Mdocdate: September 26 2012 $
17.Dt MODULI 5 17.Dt MODULI 5
18.Os 18.Os
19.Sh NAME 19.Sh NAME
@@ -61,7 +61,7 @@ Unknown, not tested.
61.It 2 61.It 2
62"Safe" prime; (p-1)/2 is also prime. 62"Safe" prime; (p-1)/2 is also prime.
63.It 4 63.It 4
64Sophie Germain; (p+1)*2 is also prime. 64Sophie Germain; 2p+1 is also prime.
65.El 65.El
66.Pp 66.Pp
67Moduli candidates initially produced by 67Moduli candidates initially produced by
@@ -115,8 +115,13 @@ that best meets the size requirement.
115.Sh SEE ALSO 115.Sh SEE ALSO
116.Xr ssh-keygen 1 , 116.Xr ssh-keygen 1 ,
117.Xr sshd 8 117.Xr sshd 8
118.Sh STANDARDS
118.Rs 119.Rs
120.%A M. Friedl
121.%A N. Provos
122.%A W. Simpson
123.%D March 2006
119.%R RFC 4419 124.%R RFC 4419
120.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" 125.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
121.%D 2006 126.%D 2006
122.Re 127.Re
diff --git a/monitor.c b/monitor.c
index a5d1c5ba1..9b08020ca 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ 1/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -209,6 +209,7 @@ static int key_blobtype = MM_NOKEY;
209static char *hostbased_cuser = NULL; 209static char *hostbased_cuser = NULL;
210static char *hostbased_chost = NULL; 210static char *hostbased_chost = NULL;
211static char *auth_method = "unknown"; 211static char *auth_method = "unknown";
212static char *auth_submethod = NULL;
212static u_int session_id2_len = 0; 213static u_int session_id2_len = 0;
213static u_char *session_id2 = NULL; 214static u_char *session_id2 = NULL;
214static pid_t monitor_child_pid; 215static pid_t monitor_child_pid;
@@ -376,7 +377,7 @@ void
376monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 377monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
377{ 378{
378 struct mon_table *ent; 379 struct mon_table *ent;
379 int authenticated = 0; 380 int authenticated = 0, partial = 0;
380 381
381 debug3("preauth child monitor started"); 382 debug3("preauth child monitor started");
382 383
@@ -407,8 +408,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
407 408
408 /* The first few requests do not require asynchronous access */ 409 /* The first few requests do not require asynchronous access */
409 while (!authenticated) { 410 while (!authenticated) {
411 partial = 0;
410 auth_method = "unknown"; 412 auth_method = "unknown";
413 auth_submethod = NULL;
411 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); 414 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
415
416 /* Special handling for multiple required authentications */
417 if (options.num_auth_methods != 0) {
418 if (!compat20)
419 fatal("AuthenticationMethods is not supported"
420 "with SSH protocol 1");
421 if (authenticated &&
422 !auth2_update_methods_lists(authctxt,
423 auth_method)) {
424 debug3("%s: method %s: partial", __func__,
425 auth_method);
426 authenticated = 0;
427 partial = 1;
428 }
429 }
430
412 if (authenticated) { 431 if (authenticated) {
413 if (!(ent->flags & MON_AUTHDECIDE)) 432 if (!(ent->flags & MON_AUTHDECIDE))
414 fatal("%s: unexpected authentication from %d", 433 fatal("%s: unexpected authentication from %d",
@@ -429,9 +448,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
429 } 448 }
430#endif 449#endif
431 } 450 }
432
433 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 451 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
434 auth_log(authctxt, authenticated, auth_method, 452 auth_log(authctxt, authenticated, partial,
453 auth_method, auth_submethod,
435 compat20 ? " ssh2" : ""); 454 compat20 ? " ssh2" : "");
436 if (!authenticated) 455 if (!authenticated)
437 authctxt->failures++; 456 authctxt->failures++;
@@ -447,10 +466,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
447#endif 466#endif
448 } 467 }
449 468
450 /* Drain any buffered messages from the child */
451 while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
452 ;
453
454 if (!authctxt->valid) 469 if (!authctxt->valid)
455 fatal("%s: authenticated invalid user", __func__); 470 fatal("%s: authenticated invalid user", __func__);
456 if (strcmp(auth_method, "unknown") == 0) 471 if (strcmp(auth_method, "unknown") == 0)
@@ -461,6 +476,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
461 476
462 mm_get_keystate(pmonitor); 477 mm_get_keystate(pmonitor);
463 478
479 /* Drain any buffered messages from the child */
480 while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
481 ;
482
464 close(pmonitor->m_sendfd); 483 close(pmonitor->m_sendfd);
465 close(pmonitor->m_log_recvfd); 484 close(pmonitor->m_log_recvfd);
466 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; 485 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1;
@@ -816,7 +835,17 @@ mm_answer_pwnamallow(int sock, Buffer *m)
816 COPY_MATCH_STRING_OPTS(); 835 COPY_MATCH_STRING_OPTS();
817#undef M_CP_STROPT 836#undef M_CP_STROPT
818#undef M_CP_STRARRAYOPT 837#undef M_CP_STRARRAYOPT
819 838
839 /* Create valid auth method lists */
840 if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
841 /*
842 * The monitor will continue long enough to let the child
843 * run to it's packet_disconnect(), but it must not allow any
844 * authentication to succeed.
845 */
846 debug("%s: no valid authentication method lists", __func__);
847 }
848
820 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); 849 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
821 mm_request_send(sock, MONITOR_ANS_PWNAM, m); 850 mm_request_send(sock, MONITOR_ANS_PWNAM, m);
822 851
@@ -977,7 +1006,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
977 debug3("%s: sending authenticated: %d", __func__, authok); 1006 debug3("%s: sending authenticated: %d", __func__, authok);
978 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 1007 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
979 1008
980 auth_method = "bsdauth"; 1009 if (compat20)
1010 auth_method = "keyboard-interactive"; /* XXX auth_submethod */
1011 else
1012 auth_method = "bsdauth";
981 1013
982 return (authok != 0); 1014 return (authok != 0);
983} 1015}
@@ -1116,7 +1148,8 @@ mm_answer_pam_query(int sock, Buffer *m)
1116 xfree(prompts); 1148 xfree(prompts);
1117 if (echo_on != NULL) 1149 if (echo_on != NULL)
1118 xfree(echo_on); 1150 xfree(echo_on);
1119 auth_method = "keyboard-interactive/pam"; 1151 auth_method = "keyboard-interactive";
1152 auth_submethod = "pam";
1120 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 1153 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
1121 return (0); 1154 return (0);
1122} 1155}
@@ -1145,7 +1178,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
1145 buffer_clear(m); 1178 buffer_clear(m);
1146 buffer_put_int(m, ret); 1179 buffer_put_int(m, ret);
1147 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); 1180 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
1148 auth_method = "keyboard-interactive/pam"; 1181 auth_method = "keyboard-interactive";
1182 auth_submethod = "pam";
1149 if (ret == 0) 1183 if (ret == 0)
1150 sshpam_authok = sshpam_ctxt; 1184 sshpam_authok = sshpam_ctxt;
1151 return (0); 1185 return (0);
@@ -1159,7 +1193,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
1159 (sshpam_device.free_ctx)(sshpam_ctxt); 1193 (sshpam_device.free_ctx)(sshpam_ctxt);
1160 buffer_clear(m); 1194 buffer_clear(m);
1161 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 1195 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
1162 auth_method = "keyboard-interactive/pam"; 1196 auth_method = "keyboard-interactive";
1197 auth_submethod = "pam";
1163 return (sshpam_authok == sshpam_ctxt); 1198 return (sshpam_authok == sshpam_ctxt);
1164} 1199}
1165#endif 1200#endif
@@ -1233,7 +1268,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
1233 hostbased_chost = chost; 1268 hostbased_chost = chost;
1234 } else { 1269 } else {
1235 /* Log failed attempt */ 1270 /* Log failed attempt */
1236 auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); 1271 auth_log(authctxt, 0, 0, auth_method, NULL,
1272 compat20 ? " ssh2" : "");
1237 xfree(blob); 1273 xfree(blob);
1238 xfree(cuser); 1274 xfree(cuser);
1239 xfree(chost); 1275 xfree(chost);
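Review bot: In the mm_answer_pwnamallow hunk, a non-zero return from `auth2_setup_methods_lists(authctxt)` only produces a `debug()` line, while the comment above it says the monitor must not allow any authentication to succeed; nothing visible in this section enforces that. The guarantee presumably rests on `auth2_update_methods_lists()` returning 0 in monitor_child_preauth when no valid list was built, and that function is defined outside this page. The dependency deserves a comment such as `/* enforcement: auth2_update_methods_lists() must reject every method when no lists were set up */`, and the message a level operators will see (`logit` or `error` rather than `debug`). Separately, the new `fatal()` in monitor_child_preauth joins `"AuthenticationMethods is not supported"` and `"with SSH protocol 1"` without a space, so the message reads "supportedwith"; the first literal needs a trailing space. Both functions start and end outside their hunks.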
diff --git a/monitor.h b/monitor.h
index 15a38c347..504daa79a 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */ 1/* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */
2 2
3/* 3/*
4 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -28,47 +28,55 @@
28#ifndef _MONITOR_H_ 28#ifndef _MONITOR_H_
29#define _MONITOR_H_ 29#define _MONITOR_H_
30 30
31/* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */
31enum monitor_reqtype { 32enum monitor_reqtype {
32 MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, 33 MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1,
33 MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, 34 MONITOR_REQ_FREE = 2,
34 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, 35 MONITOR_REQ_AUTHSERV = 4,
35 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, 36 MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7,
36 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, 37 MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9,
37 MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, 38 MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11,
38 MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, 39 MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
39 MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, 40 MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
40 MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, 41 MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
41 MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, 42 MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
42 MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, 43 MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
43 MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, 44 MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
44 MONITOR_REQ_KEYEXPORT, 45 MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
45 MONITOR_REQ_PTY, MONITOR_ANS_PTY, 46 MONITOR_REQ_KEYEXPORT = 26,
46 MONITOR_REQ_PTYCLEANUP, 47 MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29,
47 MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY, 48 MONITOR_REQ_PTYCLEANUP = 30,
48 MONITOR_REQ_SESSID, 49 MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33,
49 MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, 50 MONITOR_REQ_SESSID = 34,
50 MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, 51 MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
51 MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, 52 MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
52 MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP, 53 MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
53 MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, 54 MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
54 MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 55 MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
55 MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, 56 MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
56 MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, 57 MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
57 MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, 58 MONITOR_REQ_TERM = 50,
58 MONITOR_REQ_PAM_START, 59 MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
59 MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, 60 MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
60 MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, 61 MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
61 MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, 62 MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
62 MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, 63 MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
63 MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, 64
64 MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, 65 MONITOR_REQ_PAM_START = 100,
65 MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER, 66 MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
66 MONITOR_REQ_TERM, 67 MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
67 MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, 68 MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
68 MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, 69 MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
69 MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, 70 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
70 MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, 71 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
71 MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM, 72
73 MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
74 MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
75
76 MONITOR_REQ_AUTHROLE = 300,
77
78 MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401,
79
72}; 80};
73 81
74struct mm_master; 82struct mm_master;
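Review bot: `MONITOR_REQ_AUDIT_COMMAND = 113` puts a request on an odd number, which contradicts the comment added at the top of the enum asking for *_REQ_* values on even and *_ANS_* values on odd numbers. Nothing in this section shows code that depends on the parity, but if the rule is meant to hold the entry should move to an even value, e.g. `MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 114,`, or the comment should name the exception. Now that the values are explicit, a short comment on why the blocks starting at 100, 200, 300 and 400 are separated would also help whoever adds the next message type.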
diff --git a/monitor_wrap.c b/monitor_wrap.c
index b758c9f72..8cc76b380 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */ 1/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -509,25 +509,24 @@ mm_newkeys_from_blob(u_char *blob, int blen)
509 enc->enabled = buffer_get_int(&b); 509 enc->enabled = buffer_get_int(&b);
510 enc->block_size = buffer_get_int(&b); 510 enc->block_size = buffer_get_int(&b);
511 enc->key = buffer_get_string(&b, &enc->key_len); 511 enc->key = buffer_get_string(&b, &enc->key_len);
512 enc->iv = buffer_get_string(&b, &len); 512 enc->iv = buffer_get_string(&b, &enc->iv_len);
513 if (len != enc->block_size)
514 fatal("%s: bad ivlen: expected %u != %u", __func__,
515 enc->block_size, len);
516 513
517 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 514 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher)
518 fatal("%s: bad cipher name %s or pointer %p", __func__, 515 fatal("%s: bad cipher name %s or pointer %p", __func__,
519 enc->name, enc->cipher); 516 enc->name, enc->cipher);
520 517
521 /* Mac structure */ 518 /* Mac structure */
522 mac->name = buffer_get_string(&b, NULL); 519 if (cipher_authlen(enc->cipher) == 0) {
523 if (mac->name == NULL || mac_setup(mac, mac->name) == -1) 520 mac->name = buffer_get_string(&b, NULL);
524 fatal("%s: can not setup mac %s", __func__, mac->name); 521 if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
525 mac->enabled = buffer_get_int(&b); 522 fatal("%s: can not setup mac %s", __func__, mac->name);
526 mac->key = buffer_get_string(&b, &len); 523 mac->enabled = buffer_get_int(&b);
527 if (len > mac->key_len) 524 mac->key = buffer_get_string(&b, &len);
528 fatal("%s: bad mac key length: %u > %d", __func__, len, 525 if (len > mac->key_len)
529 mac->key_len); 526 fatal("%s: bad mac key length: %u > %d", __func__, len,
530 mac->key_len = len; 527 mac->key_len);
528 mac->key_len = len;
529 }
531 530
532 /* Comp structure */ 531 /* Comp structure */
533 comp->type = buffer_get_int(&b); 532 comp->type = buffer_get_int(&b);
@@ -569,13 +568,15 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
569 buffer_put_int(&b, enc->enabled); 568 buffer_put_int(&b, enc->enabled);
570 buffer_put_int(&b, enc->block_size); 569 buffer_put_int(&b, enc->block_size);
571 buffer_put_string(&b, enc->key, enc->key_len); 570 buffer_put_string(&b, enc->key, enc->key_len);
572 packet_get_keyiv(mode, enc->iv, enc->block_size); 571 packet_get_keyiv(mode, enc->iv, enc->iv_len);
573 buffer_put_string(&b, enc->iv, enc->block_size); 572 buffer_put_string(&b, enc->iv, enc->iv_len);
574 573
575 /* Mac structure */ 574 /* Mac structure */
576 buffer_put_cstring(&b, mac->name); 575 if (cipher_authlen(enc->cipher) == 0) {
577 buffer_put_int(&b, mac->enabled); 576 buffer_put_cstring(&b, mac->name);
578 buffer_put_string(&b, mac->key, mac->key_len); 577 buffer_put_int(&b, mac->enabled);
578 buffer_put_string(&b, mac->key, mac->key_len);
579 }
579 580
580 /* Comp structure */ 581 /* Comp structure */
581 buffer_put_int(&b, comp->type); 582 buffer_put_int(&b, comp->type);
@@ -639,7 +640,7 @@ mm_send_keystate(struct monitor *monitor)
639 ivlen = packet_get_keyiv_len(MODE_OUT); 640 ivlen = packet_get_keyiv_len(MODE_OUT);
640 packet_get_keyiv(MODE_OUT, iv, ivlen); 641 packet_get_keyiv(MODE_OUT, iv, ivlen);
641 buffer_put_string(&m, iv, ivlen); 642 buffer_put_string(&m, iv, ivlen);
642 ivlen = packet_get_keyiv_len(MODE_OUT); 643 ivlen = packet_get_keyiv_len(MODE_IN);
643 packet_get_keyiv(MODE_IN, iv, ivlen); 644 packet_get_keyiv(MODE_IN, iv, ivlen);
644 buffer_put_string(&m, iv, ivlen); 645 buffer_put_string(&m, iv, ivlen);
645 goto skip; 646 goto skip;
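Review bot: mm_newkeys_from_blob now accepts whatever IV length the blob carries: `enc->iv_len` is filled straight from `buffer_get_string()` and no length check on it is visible in this hunk. Because the blob is parsed input rather than local state, the length should be compared with what the cipher expects once `enc->cipher` has passed the `cipher_by_name()` test, for example `if (enc->iv_len != cipher_ivlen(enc->cipher)) fatal("%s: bad ivlen: expected %u != %u", __func__, cipher_ivlen(enc->cipher), enc->iv_len);`, assuming cipher.h in this tree provides `cipher_ivlen()`. The value matters on the sending side too, since mm_newkeys_to_blob passes `enc->iv_len` to `packet_get_keyiv()` as the buffer length. Both functions extend beyond their hunks.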
diff --git a/mux.c b/mux.c
index 5e0e65ff3..1ae0e0915 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ 1/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -63,10 +63,6 @@
63# include <util.h> 63# include <util.h>
64#endif 64#endif
65 65
66#ifdef HAVE_LIBUTIL_H
67# include <libutil.h>
68#endif
69
70#include "openbsd-compat/sys-queue.h" 66#include "openbsd-compat/sys-queue.h"
71#include "xmalloc.h" 67#include "xmalloc.h"
72#include "log.h" 68#include "log.h"
@@ -188,7 +184,7 @@ static const struct {
188 184
189/* Cleanup callback fired on closure of mux slave _session_ channel */ 185/* Cleanup callback fired on closure of mux slave _session_ channel */
190/* ARGSUSED */ 186/* ARGSUSED */
191static void 187void
192mux_master_session_cleanup_cb(int cid, void *unused) 188mux_master_session_cleanup_cb(int cid, void *unused)
193{ 189{
194 Channel *cc, *c = channel_by_id(cid); 190 Channel *cc, *c = channel_by_id(cid);
@@ -738,9 +734,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
738 } 734 }
739 735
740 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 736 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
741 if (channel_setup_local_fwd_listener(fwd.listen_host, 737 if (!channel_setup_local_fwd_listener(fwd.listen_host,
742 fwd.listen_port, fwd.connect_host, fwd.connect_port, 738 fwd.listen_port, fwd.connect_host, fwd.connect_port,
743 options.gateway_ports) < 0) { 739 options.gateway_ports)) {
744 fail: 740 fail:
745 logit("slave-requested %s failed", fwd_desc); 741 logit("slave-requested %s failed", fwd_desc);
746 buffer_put_int(r, MUX_S_FAILURE); 742 buffer_put_int(r, MUX_S_FAILURE);
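Review bot: The failure test in process_mux_open_fwd is now `!channel_setup_local_fwd_listener(...)`, so the `fail:` path is taken only when the call returns zero; that return convention is defined outside this page and is easy to misread as the usual negative-on-error style. A one-line comment at the call, e.g. `/* returns 0 on failure, non-zero on success */`, would stop a later reader from reverting it; confirm the wording against channels.c first. In the same section `mux_master_session_cleanup_cb` is no longer `static`, so it needs a prototype in a header its callers include, which is not visible here. process_mux_open_fwd continues outside the hunk.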
diff --git a/myproposal.h b/myproposal.h
index b9b819c0a..99d093461 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */ 1/* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -73,6 +73,7 @@
73#define KEX_DEFAULT_ENCRYPT \ 73#define KEX_DEFAULT_ENCRYPT \
74 "aes128-ctr,aes192-ctr,aes256-ctr," \ 74 "aes128-ctr,aes192-ctr,aes256-ctr," \
75 "arcfour256,arcfour128," \ 75 "arcfour256,arcfour128," \
76 "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
76 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ 77 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
77 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" 78 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
78#ifdef HAVE_EVP_SHA256 79#ifdef HAVE_EVP_SHA256
@@ -83,9 +84,19 @@
83# define SHA2_HMAC_MODES 84# define SHA2_HMAC_MODES
84#endif 85#endif
85#define KEX_DEFAULT_MAC \ 86#define KEX_DEFAULT_MAC \
87 "hmac-md5-etm@openssh.com," \
88 "hmac-sha1-etm@openssh.com," \
89 "umac-64-etm@openssh.com," \
90 "umac-128-etm@openssh.com," \
91 "hmac-sha2-256-etm@openssh.com," \
92 "hmac-sha2-512-etm@openssh.com," \
93 "hmac-ripemd160-etm@openssh.com," \
94 "hmac-sha1-96-etm@openssh.com," \
95 "hmac-md5-96-etm@openssh.com," \
86 "hmac-md5," \ 96 "hmac-md5," \
87 "hmac-sha1," \ 97 "hmac-sha1," \
88 "umac-64@openssh.com," \ 98 "umac-64@openssh.com," \
99 "umac-128@openssh.com," \
89 SHA2_HMAC_MODES \ 100 SHA2_HMAC_MODES \
90 "hmac-ripemd160," \ 101 "hmac-ripemd160," \
91 "hmac-ripemd160@openssh.com," \ 102 "hmac-ripemd160@openssh.com," \
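Review bot: The entries added to `KEX_DEFAULT_MAC` begin with `"hmac-md5-etm@openssh.com,"`, so wherever this list's order decides the negotiation an MD5-based MAC is preferred over the SHA-2 and UMAC-128 encrypt-then-MAC modes added just below it. Listing the EtM group strongest first, e.g. `"hmac-sha2-256-etm@openssh.com," \`, `"hmac-sha2-512-etm@openssh.com," \`, `"umac-128-etm@openssh.com," \` ahead of the MD5 and SHA-1 variants, would make the default match the reason for adding them. The SHA-2 EtM names are also listed unconditionally, while the plain ones come from `SHA2_HMAC_MODES`, which is empty without `HAVE_EVP_SHA256`; whether the unconditional names are filtered elsewhere is not visible in this hunk. The same ordering question applies to `KEX_DEFAULT_ENCRYPT`, where the AES-GCM modes sit after `arcfour256,arcfour128`. The macro continues past the end of the hunk.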
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 196a81d13..e1c3651e8 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $ 1# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -16,9 +16,9 @@ RANLIB=@RANLIB@
16INSTALL=@INSTALL@ 16INSTALL=@INSTALL@
17LDFLAGS=-L. @LDFLAGS@ 17LDFLAGS=-L. @LDFLAGS@
18 18
19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o 19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
20 20
21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22 22
23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o 23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
24 24
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 3ef373f56..d75854e83 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -165,6 +165,17 @@ int nanosleep(const struct timespec *req, struct timespec *rem)
165} 165}
166#endif 166#endif
167 167
168#if !defined(HAVE_USLEEP)
169int usleep(unsigned int useconds)
170{
171 struct timespec ts;
172
173 ts.tv_sec = useconds / 1000000;
174 ts.tv_nsec = (useconds % 1000000) * 1000;
175 return nanosleep(&ts, NULL);
176}
177#endif
178
168#ifndef HAVE_TCGETPGRP 179#ifndef HAVE_TCGETPGRP
169pid_t 180pid_t
170tcgetpgrp(int fd) 181tcgetpgrp(int fd)
@@ -242,8 +253,25 @@ strdup(const char *str)
242#endif 253#endif
243 254
244#ifndef HAVE_ISBLANK 255#ifndef HAVE_ISBLANK
245int isblank(int c) 256int
257isblank(int c)
246{ 258{
247 return (c == ' ' || c == '\t'); 259 return (c == ' ' || c == '\t');
248} 260}
249#endif 261#endif
262
263#ifndef HAVE_GETPGID
264pid_t
265getpgid(pid_t pid)
266{
267#if defined(HAVE_GETPGRP) && !defined(GETPGRP_VOID)
268 return getpgrp(pid);
269#elif defined(HAVE_GETPGRP)
270 if (pid == 0)
271 return getpgrp();
272#endif
273
274 errno = ESRCH;
275 return -1;
276}
277#endif
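Review bot: In the new getpgid() fallback, the `GETPGRP_VOID` branch answers only for `pid == 0`, so a caller that passes its own pid gets `ESRCH` although `getpgrp()` could answer. `if (pid == 0 || pid == getpid())` covers that case without changing the failure path for other processes. The function assigns `errno`, so `<errno.h>` must be in scope; the include list of this file is outside the hunks shown. The added usleep() would benefit from a comment such as `/* returns nanosleep()'s result; the remaining time is not reported */`, since it passes `NULL` for the remainder.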
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index eac5217ca..430066376 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
1/* $Id: bsd-misc.h,v 1.21 2012/07/03 22:50:10 dtucker Exp $ */ 1/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org> 4 * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -80,6 +80,10 @@ struct timespec {
80int nanosleep(const struct timespec *, struct timespec *); 80int nanosleep(const struct timespec *, struct timespec *);
81#endif 81#endif
82 82
83#ifndef HAVE_USLEEP
84int usleep(unsigned int useconds);
85#endif
86
83#ifndef HAVE_TCGETPGRP 87#ifndef HAVE_TCGETPGRP
84pid_t tcgetpgrp(int); 88pid_t tcgetpgrp(int);
85#endif 89#endif
@@ -102,4 +106,8 @@ mysig_t mysignal(int sig, mysig_t act);
102int isblank(int); 106int isblank(int);
103#endif 107#endif
104 108
109#ifndef HAVE_GETPGID
110pid_t getpgid(pid_t);
111#endif
112
105#endif /* _BSD_MISC_H */ 113#endif /* _BSD_MISC_H */
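--- /dev/null
+++ b/openbsd-compat/bsd-setres_id.c
@@ -0,0 +1,99 @@
+/* $Id: bsd-setres_id.c,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <unistd.h>
+
+#include "log.h"
+
+#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)
+int
+setresgid(gid_t rgid, gid_t egid, gid_t sgid)
+{
+ int ret = 0, saved_errno;
+
+ if (rgid != sgid) {
+ errno = ENOSYS;
+ return -1;
+ }
+#if defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
+ if (setregid(rgid, egid) < 0) {
+ saved_errno = errno;
+ error("setregid %u: %.100s", rgid, strerror(errno));
+ errno = saved_errno;
+ ret = -1;
+ }
+#else
+ if (setegid(egid) < 0) {
+ saved_errno = errno;
+ error("setegid %u: %.100s", (u_int)egid, strerror(errno));
+ errno = saved_errno;
+ ret = -1;
+ }
+ if (setgid(rgid) < 0) {
+ saved_errno = errno;
+ error("setgid %u: %.100s", rgid, strerror(errno));
+ errno = saved_errno;
+ ret = -1;
+ }
+#endif
+ return ret;
+}
+#endif
+
+#if !defined(HAVE_SETRESUID) || defined(BROKEN_SETRESUID)
+int
+setresuid(uid_t ruid, uid_t euid, uid_t suid)
+{
+ int ret = 0, saved_errno;
+
+ if (ruid != suid) {
+ errno = ENOSYS;
+ return -1;
+ }
+#if defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
+ if (setreuid(ruid, euid) < 0) {
+ saved_errno = errno;
+ error("setreuid %u: %.100s", ruid, strerror(errno));
+ errno = saved_errno;
+ ret = -1;
+ }
+#else
+
+# ifndef SETEUID_BREAKS_SETUID
+ if (seteuid(euid) < 0) {
+ saved_errno = errno;
+ error("seteuid %u: %.100s", euid, strerror(errno));
+ errno = saved_errno;
+ ret = -1;
+ }
+# endif
+ if (setuid(ruid) < 0) {
+ saved_errno = errno;
+ error("setuid %u: %.100s", ruid, strerror(errno));
+ errno = saved_errno;
+ ret = -1;
+ }
+#endif
+ return ret;
+}
+#endif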
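Review bot: In the `#else` fallbacks of setresgid() and setresuid(), a failed setegid()/seteuid() only records `ret = -1` and execution continues into setgid()/setuid(), so the process can be left with one ID changed and the other not while the caller sees a single -1. These replacements are presumably used when dropping privileges, so I would stop at the first failure (`errno = saved_errno; return -1;`) and add a header comment stating that the saved ID cannot be set independently (`rgid != sgid` / `ruid != suid` yields ENOSYS) and that callers should still verify the resulting IDs after a successful return. The error() calls pass gid_t/uid_t to `%u` without a cast everywhere except `(u_int)egid`; casting each argument to `(u_int)` would make them consistent and type-correct. The file also uses errno and strerror() without including <errno.h> or <string.h> itself, presumably relying on includes.h.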
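--- /dev/null
+++ b/openbsd-compat/bsd-setres_id.h
@@ -0,0 +1,24 @@
+/* $Id: bsd-setres_id.h,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HAVE_SETRESGID
+int setresgid(gid_t, gid_t, gid_t);
+#endif
+#ifndef HAVE_SETRESUID
+int setresuid(uid_t, uid_t, uid_t);
+#endif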
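Review bot: The prototypes are guarded only by `#ifndef HAVE_SETRESGID` and `#ifndef HAVE_SETRESUID`, while bsd-setres_id.c builds the replacements under `!defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)` and the UID equivalent, so on a platform flagged BROKEN_* the replacement is compiled without this header declaring it. Using the same conditions here, e.g. `#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)`, would keep the two files in step, assuming the system header's own declaration is compatible. The header also has no include guard and relies on its includer to have defined gid_t and uid_t; a short comment saying so, or a guard plus `#include <sys/types.h>`, would make it self-contained.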
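--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.52 2011/09/23 01:16:11 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -149,6 +149,7 @@ int writev(int, struct iovec *, int);
 
 /* Home grown routines */
 #include "bsd-misc.h"
+#include "bsd-setres_id.h"
 #include "bsd-statvfs.h"
 #include "bsd-waitpid.h"
 #include "bsd-poll.h"
@@ -189,6 +190,14 @@ int snprintf(char *, size_t, SNPRINTF_CONST char *, ...);
 long long strtoll(const char *, char **, int);
 #endif
 
+#ifndef HAVE_STRTOUL
+unsigned long strtoul(const char *, char **, int);
+#endif
+
+#ifndef HAVE_STRTOULL
+unsigned long long strtoull(const char *, char **, int);
+#endif
+
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *, long long, long long, const char **);
 #endif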
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index a151eff38..e7439b4e7 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.h,v 1.20 2012/01/17 03:03:39 dtucker Exp $ */ 1/* $Id: openssl-compat.h,v 1.24 2013/02/12 00:00:40 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -40,7 +40,7 @@
40# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) 40# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
41#endif 41#endif
42 42
43#if OPENSSL_VERSION_NUMBER < 0x1000000fL 43#if OPENSSL_VERSION_NUMBER < 0x10000001L
44# define LIBCRYPTO_EVP_INL_TYPE unsigned int 44# define LIBCRYPTO_EVP_INL_TYPE unsigned int
45#else 45#else
46# define LIBCRYPTO_EVP_INL_TYPE size_t 46# define LIBCRYPTO_EVP_INL_TYPE size_t
@@ -59,20 +59,43 @@
59# define EVP_aes_128_cbc evp_rijndael 59# define EVP_aes_128_cbc evp_rijndael
60# define EVP_aes_192_cbc evp_rijndael 60# define EVP_aes_192_cbc evp_rijndael
61# define EVP_aes_256_cbc evp_rijndael 61# define EVP_aes_256_cbc evp_rijndael
62extern const EVP_CIPHER *evp_rijndael(void); 62const EVP_CIPHER *evp_rijndael(void);
63extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 63void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
64#endif 64#endif
65 65
66#if !defined(EVP_CTRL_SET_ACSS_MODE) 66#ifndef OPENSSL_HAVE_EVPCTR
67# if (OPENSSL_VERSION_NUMBER >= 0x00907000L) 67#define EVP_aes_128_ctr evp_aes_128_ctr
68# define USE_CIPHER_ACSS 1 68#define EVP_aes_192_ctr evp_aes_128_ctr
69extern const EVP_CIPHER *evp_acss(void); 69#define EVP_aes_256_ctr evp_aes_128_ctr
70# define EVP_acss evp_acss 70const EVP_CIPHER *evp_aes_128_ctr(void);
71void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
72#endif
73
74/* Avoid some #ifdef. Code that uses these is unreachable without GCM */
75#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED)
76# define EVP_CTRL_GCM_SET_IV_FIXED -1
77# define EVP_CTRL_GCM_IV_GEN -1
78# define EVP_CTRL_GCM_SET_TAG -1
79# define EVP_CTRL_GCM_GET_TAG -1
80#endif
81
82/* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */
83#ifndef HAVE_EVP_CIPHER_CTX_CTRL
84# ifdef OPENSSL_HAVE_EVPGCM
85# error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */
71# else 86# else
72# define EVP_acss NULL 87# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)
73# endif 88# endif
74#endif 89#endif
75 90
91#if OPENSSL_VERSION_NUMBER < 0x00907000L
92#define EVP_X_STATE(evp) &(evp).c
93#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
94#else
95#define EVP_X_STATE(evp) (evp).cipher_data
96#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
97#endif
98
76/* OpenSSL 0.9.8e returns cipher key len not context key len */ 99/* OpenSSL 0.9.8e returns cipher key len not context key len */
77#if (OPENSSL_VERSION_NUMBER == 0x0090805fL) 100#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
78# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) 101# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
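Review bot: `EVP_X_STATE(evp)` in the pre-0.9.7 branch expands to `&(evp).c` with no outer parentheses, so a use followed by a postfix operator or embedded in a larger expression binds differently from the `(evp).cipher_data` form in the other branch; `#define EVP_X_STATE(evp) (&(evp).c)` removes that hazard. The fallback `# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)` is only safe if every caller checks the return value, which is worth stating in the comment above it since the GCM control constants are stubbed to -1 on the same assumption. The block mapping `EVP_aes_192_ctr` and `EVP_aes_256_ctr` to `evp_aes_128_ctr` would also benefit from a one-line comment saying that the replacement serves all three key lengths, if that is the intent, because the name suggests otherwise.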
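--- /dev/null
+++ b/openbsd-compat/strtoull.c
@@ -0,0 +1,110 @@
+/* $OpenBSD: strtoull.c,v 1.5 2005/08/08 08:05:37 espie Exp $ */
+/*-
+ * Copyright (c) 1992 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoull.c */
+
+#include "includes.h"
+#ifndef HAVE_STRTOULL
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+/*
+ * Convert a string to an unsigned long long.
+ *
+ * Ignores `locale' stuff. Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+unsigned long long
+strtoull(const char *nptr, char **endptr, int base)
+{
+ const char *s;
+ unsigned long long acc, cutoff;
+ int c;
+ int neg, any, cutlim;
+
+ /*
+ * See strtoq for comments as to the logic used.
+ */
+ s = nptr;
+ do {
+ c = (unsigned char) *s++;
+ } while (isspace(c));
+ if (c == '-') {
+ neg = 1;
+ c = *s++;
+ } else {
+ neg = 0;
+ if (c == '+')
+ c = *s++;
+ }
+ if ((base == 0 || base == 16) &&
+ c == '0' && (*s == 'x' || *s == 'X')) {
+ c = s[1];
+ s += 2;
+ base = 16;
+ }
+ if (base == 0)
+ base = c == '0' ? 8 : 10;
+
+ cutoff = ULLONG_MAX / (unsigned long long)base;
+ cutlim = ULLONG_MAX % (unsigned long long)base;
+ for (acc = 0, any = 0;; c = (unsigned char) *s++) {
+ if (isdigit(c))
+ c -= '0';
+ else if (isalpha(c))
+ c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+ else
+ break;
+ if (c >= base)
+ break;
+ if (any < 0)
+ continue;
+ if (acc > cutoff || (acc == cutoff && c > cutlim)) {
+ any = -1;
+ acc = ULLONG_MAX;
+ errno = ERANGE;
+ } else {
+ any = 1;
+ acc *= (unsigned long long)base;
+ acc += c;
+ }
+ }
+ if (neg && any > 0)
+ acc = -acc;
+ if (endptr != 0)
+ *endptr = (char *) (any ? s - 1 : nptr);
+ return (acc);
+}
+#endif /* !HAVE_STRTOULL */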
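Review bot: After a sign character the next byte is read with `c = *s++;` (file lines 66 and 70), and after a `0x` prefix with `c = s[1];` (line 74), without the `(unsigned char)` cast used at lines 62 and 83. Where plain char is signed, a byte of 0x80 or above then reaches isdigit()/isalpha() as a negative int, which is undefined behaviour; writing `c = (unsigned char) *s++;` and `c = (unsigned char) s[1];` closes that. `base` is also used unchecked, so values other than 0 and 2 to 36 are not rejected; an early `errno = EINVAL` return for those would be the defensive choice. The file is marked as a copy of OpenBSD's lib/libc/stdlib/strtoull.c, so the change may belong upstream first.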
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h
index 5cf0587bd..28aaaa37a 100644
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: queue.h,v 1.32 2007/04/30 18:42:34 pedro Exp $ */ 1/* $OpenBSD: queue.h,v 1.36 2012/04/11 13:29:14 naddy Exp $ */
2/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ 2/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */
3 3
4/* 4/*
@@ -202,10 +202,10 @@ struct { \
202 (var) != SLIST_END(head); \ 202 (var) != SLIST_END(head); \
203 (var) = SLIST_NEXT(var, field)) 203 (var) = SLIST_NEXT(var, field))
204 204
205#define SLIST_FOREACH_PREVPTR(var, varp, head, field) \ 205#define SLIST_FOREACH_SAFE(var, head, field, tvar) \
206 for ((varp) = &SLIST_FIRST((head)); \ 206 for ((var) = SLIST_FIRST(head); \
207 ((var) = *(varp)) != SLIST_END(head); \ 207 (var) && ((tvar) = SLIST_NEXT(var, field), 1); \
208 (varp) = &SLIST_NEXT((var), field)) 208 (var) = (tvar))
209 209
210/* 210/*
211 * Singly-linked List functions. 211 * Singly-linked List functions.
@@ -224,7 +224,7 @@ struct { \
224 (head)->slh_first = (elm); \ 224 (head)->slh_first = (elm); \
225} while (0) 225} while (0)
226 226
227#define SLIST_REMOVE_NEXT(head, elm, field) do { \ 227#define SLIST_REMOVE_AFTER(elm, field) do { \
228 (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ 228 (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \
229} while (0) 229} while (0)
230 230
@@ -276,6 +276,11 @@ struct { \
276 (var)!= LIST_END(head); \ 276 (var)!= LIST_END(head); \
277 (var) = LIST_NEXT(var, field)) 277 (var) = LIST_NEXT(var, field))
278 278
279#define LIST_FOREACH_SAFE(var, head, field, tvar) \
280 for ((var) = LIST_FIRST(head); \
281 (var) && ((tvar) = LIST_NEXT(var, field), 1); \
282 (var) = (tvar))
283
279/* 284/*
280 * List functions. 285 * List functions.
281 */ 286 */
@@ -354,6 +359,11 @@ struct { \
354 (var) != SIMPLEQ_END(head); \ 359 (var) != SIMPLEQ_END(head); \
355 (var) = SIMPLEQ_NEXT(var, field)) 360 (var) = SIMPLEQ_NEXT(var, field))
356 361
362#define SIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \
363 for ((var) = SIMPLEQ_FIRST(head); \
364 (var) && ((tvar) = SIMPLEQ_NEXT(var, field), 1); \
365 (var) = (tvar))
366
357/* 367/*
358 * Simple queue functions. 368 * Simple queue functions.
359 */ 369 */
@@ -385,6 +395,12 @@ struct { \
385 (head)->sqh_last = &(head)->sqh_first; \ 395 (head)->sqh_last = &(head)->sqh_first; \
386} while (0) 396} while (0)
387 397
398#define SIMPLEQ_REMOVE_AFTER(head, elm, field) do { \
399 if (((elm)->field.sqe_next = (elm)->field.sqe_next->field.sqe_next) \
400 == NULL) \
401 (head)->sqh_last = &(elm)->field.sqe_next; \
402} while (0)
403
388/* 404/*
389 * Tail queue definitions. 405 * Tail queue definitions.
390 */ 406 */
@@ -422,11 +438,24 @@ struct { \
422 (var) != TAILQ_END(head); \ 438 (var) != TAILQ_END(head); \
423 (var) = TAILQ_NEXT(var, field)) 439 (var) = TAILQ_NEXT(var, field))
424 440
441#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
442 for ((var) = TAILQ_FIRST(head); \
443 (var) != TAILQ_END(head) && \
444 ((tvar) = TAILQ_NEXT(var, field), 1); \
445 (var) = (tvar))
446
447
425#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ 448#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \
426 for((var) = TAILQ_LAST(head, headname); \ 449 for((var) = TAILQ_LAST(head, headname); \
427 (var) != TAILQ_END(head); \ 450 (var) != TAILQ_END(head); \
428 (var) = TAILQ_PREV(var, headname, field)) 451 (var) = TAILQ_PREV(var, headname, field))
429 452
453#define TAILQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \
454 for ((var) = TAILQ_LAST(head, headname); \
455 (var) != TAILQ_END(head) && \
456 ((tvar) = TAILQ_PREV(var, headname, field), 1); \
457 (var) = (tvar))
458
430/* 459/*
431 * Tail queue functions. 460 * Tail queue functions.
432 */ 461 */
@@ -526,11 +555,23 @@ struct { \
526 (var) != CIRCLEQ_END(head); \ 555 (var) != CIRCLEQ_END(head); \
527 (var) = CIRCLEQ_NEXT(var, field)) 556 (var) = CIRCLEQ_NEXT(var, field))
528 557
558#define CIRCLEQ_FOREACH_SAFE(var, head, field, tvar) \
559 for ((var) = CIRCLEQ_FIRST(head); \
560 (var) != CIRCLEQ_END(head) && \
561 ((tvar) = CIRCLEQ_NEXT(var, field), 1); \
562 (var) = (tvar))
563
529#define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ 564#define CIRCLEQ_FOREACH_REVERSE(var, head, field) \
530 for((var) = CIRCLEQ_LAST(head); \ 565 for((var) = CIRCLEQ_LAST(head); \
531 (var) != CIRCLEQ_END(head); \ 566 (var) != CIRCLEQ_END(head); \
532 (var) = CIRCLEQ_PREV(var, field)) 567 (var) = CIRCLEQ_PREV(var, field))
533 568
569#define CIRCLEQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \
570 for ((var) = CIRCLEQ_LAST(head, headname); \
571 (var) != CIRCLEQ_END(head) && \
572 ((tvar) = CIRCLEQ_PREV(var, headname, field), 1); \
573 (var) = (tvar))
574
534/* 575/*
535 * Circular queue functions. 576 * Circular queue functions.
536 */ 577 */
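Review bot: `CIRCLEQ_FOREACH_REVERSE_SAFE` (new lines 569-573) takes a `headname` parameter and calls `CIRCLEQ_LAST(head, headname)` and `CIRCLEQ_PREV(var, headname, field)`, whereas `CIRCLEQ_FOREACH_REVERSE` directly above uses the one-argument `CIRCLEQ_LAST(head)` and the two-argument `CIRCLEQ_PREV(var, field)`. The new macro looks copied from the TAILQ variant and would presumably fail to expand on first use. Judging by the neighbouring macro it should read `for ((var) = CIRCLEQ_LAST(head);` and `((tvar) = CIRCLEQ_PREV(var, field), 1);`. Separately, `SLIST_REMOVE_AFTER` and `SIMPLEQ_REMOVE_AFTER` dereference the element after `elm` without a NULL check, so a one-line comment stating that `elm` must not be the last element would help callers.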
diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h
index d4949b5e7..7f7546ecd 100644
--- a/openbsd-compat/sys-tree.h
+++ b/openbsd-compat/sys-tree.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tree.h,v 1.10 2007/10/29 23:49:41 djm Exp $ */ 1/* $OpenBSD: tree.h,v 1.13 2011/07/09 00:19:45 pirofti Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * All rights reserved. 4 * All rights reserved.
@@ -26,6 +26,11 @@
26 26
27/* OPENBSD ORIGINAL: sys/sys/tree.h */ 27/* OPENBSD ORIGINAL: sys/sys/tree.h */
28 28
29#include "config.h"
30#ifdef NO_ATTRIBUTE_ON_RETURN_TYPE
31# define __attribute__(x)
32#endif
33
29#ifndef _SYS_TREE_H_ 34#ifndef _SYS_TREE_H_
30#define _SYS_TREE_H_ 35#define _SYS_TREE_H_
31 36
@@ -331,7 +336,7 @@ struct { \
331} while (0) 336} while (0)
332 337
333#ifndef RB_AUGMENT 338#ifndef RB_AUGMENT
334#define RB_AUGMENT(x) 339#define RB_AUGMENT(x) do {} while (0)
335#endif 340#endif
336 341
337#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ 342#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \
@@ -375,21 +380,31 @@ struct { \
375} while (0) 380} while (0)
376 381
377/* Generates prototypes and inline functions */ 382/* Generates prototypes and inline functions */
378#define RB_PROTOTYPE(name, type, field, cmp) \ 383#define RB_PROTOTYPE(name, type, field, cmp) \
379void name##_RB_INSERT_COLOR(struct name *, struct type *); \ 384 RB_PROTOTYPE_INTERNAL(name, type, field, cmp,)
380void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ 385#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \
381struct type *name##_RB_REMOVE(struct name *, struct type *); \ 386 RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static)
382struct type *name##_RB_INSERT(struct name *, struct type *); \ 387#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \
383struct type *name##_RB_FIND(struct name *, struct type *); \ 388attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \
384struct type *name##_RB_NEXT(struct type *); \ 389attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
385struct type *name##_RB_MINMAX(struct name *, int); 390attr struct type *name##_RB_REMOVE(struct name *, struct type *); \
386 391attr struct type *name##_RB_INSERT(struct name *, struct type *); \
392attr struct type *name##_RB_FIND(struct name *, struct type *); \
393attr struct type *name##_RB_NFIND(struct name *, struct type *); \
394attr struct type *name##_RB_NEXT(struct type *); \
395attr struct type *name##_RB_PREV(struct type *); \
396attr struct type *name##_RB_MINMAX(struct name *, int); \
397 \
387 398
388/* Main rb operation. 399/* Main rb operation.
389 * Moves node close to the key of elm to top 400 * Moves node close to the key of elm to top
390 */ 401 */
391#define RB_GENERATE(name, type, field, cmp) \ 402#define RB_GENERATE(name, type, field, cmp) \
392void \ 403 RB_GENERATE_INTERNAL(name, type, field, cmp,)
404#define RB_GENERATE_STATIC(name, type, field, cmp) \
405 RB_GENERATE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static)
406#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \
407attr void \
393name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ 408name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \
394{ \ 409{ \
395 struct type *parent, *gparent, *tmp; \ 410 struct type *parent, *gparent, *tmp; \
@@ -433,7 +448,7 @@ name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \
433 RB_COLOR(head->rbh_root, field) = RB_BLACK; \ 448 RB_COLOR(head->rbh_root, field) = RB_BLACK; \
434} \ 449} \
435 \ 450 \
436void \ 451attr void \
437name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ 452name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \
438{ \ 453{ \
439 struct type *tmp; \ 454 struct type *tmp; \
@@ -509,7 +524,7 @@ name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm)
509 RB_COLOR(elm, field) = RB_BLACK; \ 524 RB_COLOR(elm, field) = RB_BLACK; \
510} \ 525} \
511 \ 526 \
512struct type * \ 527attr struct type * \
513name##_RB_REMOVE(struct name *head, struct type *elm) \ 528name##_RB_REMOVE(struct name *head, struct type *elm) \
514{ \ 529{ \
515 struct type *child, *parent, *old = elm; \ 530 struct type *child, *parent, *old = elm; \
@@ -577,7 +592,7 @@ color: \
577} \ 592} \
578 \ 593 \
579/* Inserts a node into the RB tree */ \ 594/* Inserts a node into the RB tree */ \
580struct type * \ 595attr struct type * \
581name##_RB_INSERT(struct name *head, struct type *elm) \ 596name##_RB_INSERT(struct name *head, struct type *elm) \
582{ \ 597{ \
583 struct type *tmp; \ 598 struct type *tmp; \
@@ -608,7 +623,7 @@ name##_RB_INSERT(struct name *head, struct type *elm) \
608} \ 623} \
609 \ 624 \
610/* Finds the node with the same key as elm */ \ 625/* Finds the node with the same key as elm */ \
611struct type * \ 626attr struct type * \
612name##_RB_FIND(struct name *head, struct type *elm) \ 627name##_RB_FIND(struct name *head, struct type *elm) \
613{ \ 628{ \
614 struct type *tmp = RB_ROOT(head); \ 629 struct type *tmp = RB_ROOT(head); \
@@ -625,7 +640,29 @@ name##_RB_FIND(struct name *head, struct type *elm) \
625 return (NULL); \ 640 return (NULL); \
626} \ 641} \
627 \ 642 \
628struct type * \ 643/* Finds the first node greater than or equal to the search key */ \
644attr struct type * \
645name##_RB_NFIND(struct name *head, struct type *elm) \
646{ \
647 struct type *tmp = RB_ROOT(head); \
648 struct type *res = NULL; \
649 int comp; \
650 while (tmp) { \
651 comp = cmp(elm, tmp); \
652 if (comp < 0) { \
653 res = tmp; \
654 tmp = RB_LEFT(tmp, field); \
655 } \
656 else if (comp > 0) \
657 tmp = RB_RIGHT(tmp, field); \
658 else \
659 return (tmp); \
660 } \
661 return (res); \
662} \
663 \
664/* ARGSUSED */ \
665attr struct type * \
629name##_RB_NEXT(struct type *elm) \ 666name##_RB_NEXT(struct type *elm) \
630{ \ 667{ \
631 if (RB_RIGHT(elm, field)) { \ 668 if (RB_RIGHT(elm, field)) { \
@@ -646,7 +683,29 @@ name##_RB_NEXT(struct type *elm) \
646 return (elm); \ 683 return (elm); \
647} \ 684} \
648 \ 685 \
649struct type * \ 686/* ARGSUSED */ \
687attr struct type * \
688name##_RB_PREV(struct type *elm) \
689{ \
690 if (RB_LEFT(elm, field)) { \
691 elm = RB_LEFT(elm, field); \
692 while (RB_RIGHT(elm, field)) \
693 elm = RB_RIGHT(elm, field); \
694 } else { \
695 if (RB_PARENT(elm, field) && \
696 (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \
697 elm = RB_PARENT(elm, field); \
698 else { \
699 while (RB_PARENT(elm, field) && \
700 (elm == RB_LEFT(RB_PARENT(elm, field), field)))\
701 elm = RB_PARENT(elm, field); \
702 elm = RB_PARENT(elm, field); \
703 } \
704 } \
705 return (elm); \
706} \
707 \
708attr struct type * \
650name##_RB_MINMAX(struct name *head, int val) \ 709name##_RB_MINMAX(struct name *head, int val) \
651{ \ 710{ \
652 struct type *tmp = RB_ROOT(head); \ 711 struct type *tmp = RB_ROOT(head); \
@@ -667,7 +726,9 @@ name##_RB_MINMAX(struct name *head, int val) \
667#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) 726#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y)
668#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) 727#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y)
669#define RB_FIND(name, x, y) name##_RB_FIND(x, y) 728#define RB_FIND(name, x, y) name##_RB_FIND(x, y)
729#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y)
670#define RB_NEXT(name, x, y) name##_RB_NEXT(y) 730#define RB_NEXT(name, x, y) name##_RB_NEXT(y)
731#define RB_PREV(name, x, y) name##_RB_PREV(y)
671#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) 732#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF)
672#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) 733#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF)
673 734
@@ -676,4 +737,19 @@ name##_RB_MINMAX(struct name *head, int val) \
676 (x) != NULL; \ 737 (x) != NULL; \
677 (x) = name##_RB_NEXT(x)) 738 (x) = name##_RB_NEXT(x))
678 739
740#define RB_FOREACH_SAFE(x, name, head, y) \
741 for ((x) = RB_MIN(name, head); \
742 ((x) != NULL) && ((y) = name##_RB_NEXT(x), 1); \
743 (x) = (y))
744
745#define RB_FOREACH_REVERSE(x, name, head) \
746 for ((x) = RB_MAX(name, head); \
747 (x) != NULL; \
748 (x) = name##_RB_PREV(x))
749
750#define RB_FOREACH_REVERSE_SAFE(x, name, head, y) \
751 for ((x) = RB_MAX(name, head); \
752 ((x) != NULL) && ((y) = name##_RB_PREV(x), 1); \
753 (x) = (y))
754
679#endif /* _SYS_TREE_H_ */ 755#endif /* _SYS_TREE_H_ */
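Review bot: The block added at file lines 29-32 does `#define __attribute__(x)` when NO_ATTRIBUTE_ON_RETURN_TYPE is set, and it sits outside the `_SYS_TREE_H_` include guard, so every `__attribute__` that follows in the including translation unit is erased, not only the one in front of the RB_*_STATIC return types. That can silently drop format checking, noreturn, or packing and alignment attributes in headers included afterwards. A header-local macro would confine the effect: for example a (suggested name) `RB_STATIC_ATTR` defined as `__attribute__((__unused__)) static` or as plain `static` depending on NO_ATTRIBUTE_ON_RETURN_TYPE, passed as the `attr` argument in RB_PROTOTYPE_STATIC and RB_GENERATE_STATIC. The new `RB_FOREACH_SAFE` and `RB_FOREACH_REVERSE_SAFE` macros would also benefit from a comment saying that `y` is scratch storage for the successor, so only the current node may be removed inside the loop body.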
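--- a/openbsd-compat/vis.c
+++ b/openbsd-compat/vis.c
@@ -31,7 +31,7 @@
 /* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
 
 #include "includes.h"
-#if !defined(HAVE_STRNVIS)
+#if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS)
 
 #include <ctype.h>
 #include <string.h>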
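--- a/openbsd-compat/vis.h
+++ b/openbsd-compat/vis.h
@@ -35,7 +35,7 @@
 /* OPENBSD ORIGINAL: include/vis.h */
 
 #include "includes.h"
-#if !defined(HAVE_STRNVIS)
+#if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS)
 
 #ifndef _VIS_H_
 #define _VIS_H_
@@ -92,4 +92,4 @@ ssize_t strnunvis(char *, const char *, size_t)
 
 #endif /* !_VIS_H_ */
 
-#endif /* !HAVE_STRNVIS */
+#endif /* !HAVE_STRNVIS || BROKEN_STRNVIS */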
diff --git a/packet.c b/packet.c
index d0c66fe57..9326ddea6 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */ 1/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -275,7 +275,7 @@ packet_stop_discard(void)
275static void 275static void
276packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard) 276packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard)
277{ 277{
278 if (enc == NULL || !cipher_is_cbc(enc->cipher)) 278 if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm))
279 packet_disconnect("Packet corrupt"); 279 packet_disconnect("Packet corrupt");
280 if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled) 280 if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled)
281 active_state->packet_discard_mac = mac; 281 active_state->packet_discard_mac = mac;
@@ -709,7 +709,7 @@ packet_send1(void)
709 buffer_len(&active_state->outgoing_packet)); 709 buffer_len(&active_state->outgoing_packet));
710 cipher_crypt(&active_state->send_context, cp, 710 cipher_crypt(&active_state->send_context, cp,
711 buffer_ptr(&active_state->outgoing_packet), 711 buffer_ptr(&active_state->outgoing_packet),
712 buffer_len(&active_state->outgoing_packet)); 712 buffer_len(&active_state->outgoing_packet), 0, 0);
713 713
714#ifdef PACKET_DEBUG 714#ifdef PACKET_DEBUG
715 fprintf(stderr, "encrypted: "); 715 fprintf(stderr, "encrypted: ");
@@ -757,6 +757,9 @@ set_newkeys(int mode)
757 mac = &active_state->newkeys[mode]->mac; 757 mac = &active_state->newkeys[mode]->mac;
758 comp = &active_state->newkeys[mode]->comp; 758 comp = &active_state->newkeys[mode]->comp;
759 mac_clear(mac); 759 mac_clear(mac);
760 memset(enc->iv, 0, enc->iv_len);
761 memset(enc->key, 0, enc->key_len);
762 memset(mac->key, 0, mac->key_len);
760 xfree(enc->name); 763 xfree(enc->name);
761 xfree(enc->iv); 764 xfree(enc->iv);
762 xfree(enc->key); 765 xfree(enc->key);
@@ -771,11 +774,11 @@ set_newkeys(int mode)
771 enc = &active_state->newkeys[mode]->enc; 774 enc = &active_state->newkeys[mode]->enc;
772 mac = &active_state->newkeys[mode]->mac; 775 mac = &active_state->newkeys[mode]->mac;
773 comp = &active_state->newkeys[mode]->comp; 776 comp = &active_state->newkeys[mode]->comp;
774 if (mac_init(mac) == 0) 777 if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
775 mac->enabled = 1; 778 mac->enabled = 1;
776 DBG(debug("cipher_init_context: %d", mode)); 779 DBG(debug("cipher_init_context: %d", mode));
777 cipher_init(cc, enc->cipher, enc->key, enc->key_len, 780 cipher_init(cc, enc->cipher, enc->key, enc->key_len,
778 enc->iv, enc->block_size, crypt_type); 781 enc->iv, enc->iv_len, crypt_type);
779 /* Deleting the keys does not gain extra security */ 782 /* Deleting the keys does not gain extra security */
780 /* memset(enc->iv, 0, enc->block_size); 783 /* memset(enc->iv, 0, enc->block_size);
781 memset(enc->key, 0, enc->key_len); 784 memset(enc->key, 0, enc->key_len);
@@ -842,9 +845,8 @@ static void
842packet_send2_wrapped(void) 845packet_send2_wrapped(void)
843{ 846{
844 u_char type, *cp, *macbuf = NULL; 847 u_char type, *cp, *macbuf = NULL;
845 u_char padlen, pad; 848 u_char padlen, pad = 0;
846 u_int packet_length = 0; 849 u_int i, len, authlen = 0, aadlen = 0;
847 u_int i, len;
848 u_int32_t rnd = 0; 850 u_int32_t rnd = 0;
849 Enc *enc = NULL; 851 Enc *enc = NULL;
850 Mac *mac = NULL; 852 Mac *mac = NULL;
@@ -855,8 +857,12 @@ packet_send2_wrapped(void)
855 enc = &active_state->newkeys[MODE_OUT]->enc; 857 enc = &active_state->newkeys[MODE_OUT]->enc;
856 mac = &active_state->newkeys[MODE_OUT]->mac; 858 mac = &active_state->newkeys[MODE_OUT]->mac;
857 comp = &active_state->newkeys[MODE_OUT]->comp; 859 comp = &active_state->newkeys[MODE_OUT]->comp;
860 /* disable mac for authenticated encryption */
861 if ((authlen = cipher_authlen(enc->cipher)) != 0)
862 mac = NULL;
858 } 863 }
859 block_size = enc ? enc->block_size : 8; 864 block_size = enc ? enc->block_size : 8;
865 aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
860 866
861 cp = buffer_ptr(&active_state->outgoing_packet); 867 cp = buffer_ptr(&active_state->outgoing_packet);
862 type = cp[5]; 868 type = cp[5];
@@ -889,6 +895,7 @@ packet_send2_wrapped(void)
889 * calc size of padding, alloc space, get random data, 895 * calc size of padding, alloc space, get random data,
890 * minimum padding is 4 bytes 896 * minimum padding is 4 bytes
891 */ 897 */
898 len -= aadlen; /* packet length is not encrypted for EtM modes */
892 padlen = block_size - (len % block_size); 899 padlen = block_size - (len % block_size);
893 if (padlen < 4) 900 if (padlen < 4)
894 padlen += block_size; 901 padlen += block_size;
@@ -916,29 +923,37 @@ packet_send2_wrapped(void)
916 /* clear padding */ 923 /* clear padding */
917 memset(cp, 0, padlen); 924 memset(cp, 0, padlen);
918 } 925 }
919 /* packet_length includes payload, padding and padding length field */ 926 /* sizeof (packet_len + pad_len + payload + padding) */
920 packet_length = buffer_len(&active_state->outgoing_packet) - 4; 927 len = buffer_len(&active_state->outgoing_packet);
921 cp = buffer_ptr(&active_state->outgoing_packet); 928 cp = buffer_ptr(&active_state->outgoing_packet);
922 put_u32(cp, packet_length); 929 /* packet_length includes payload, padding and padding length field */
930 put_u32(cp, len - 4);
923 cp[4] = padlen; 931 cp[4] = padlen;
924 DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen)); 932 DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
933 len, padlen, aadlen));
925 934
926 /* compute MAC over seqnr and packet(length fields, payload, padding) */ 935 /* compute MAC over seqnr and packet(length fields, payload, padding) */
927 if (mac && mac->enabled) { 936 if (mac && mac->enabled && !mac->etm) {
928 macbuf = mac_compute(mac, active_state->p_send.seqnr, 937 macbuf = mac_compute(mac, active_state->p_send.seqnr,
929 buffer_ptr(&active_state->outgoing_packet), 938 buffer_ptr(&active_state->outgoing_packet), len);
930 buffer_len(&active_state->outgoing_packet));
931 DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); 939 DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr));
932 } 940 }
933 /* encrypt packet and append to output buffer. */ 941 /* encrypt packet and append to output buffer. */
934 cp = buffer_append_space(&active_state->output, 942 cp = buffer_append_space(&active_state->output, len + authlen);
935 buffer_len(&active_state->outgoing_packet));
936 cipher_crypt(&active_state->send_context, cp, 943 cipher_crypt(&active_state->send_context, cp,
937 buffer_ptr(&active_state->outgoing_packet), 944 buffer_ptr(&active_state->outgoing_packet),
938 buffer_len(&active_state->outgoing_packet)); 945 len - aadlen, aadlen, authlen);
939 /* append unencrypted MAC */ 946 /* append unencrypted MAC */
940 if (mac && mac->enabled) 947 if (mac && mac->enabled) {
948 if (mac->etm) {
949 /* EtM: compute mac over aadlen + cipher text */
950 macbuf = mac_compute(mac,
951 active_state->p_send.seqnr, cp, len);
952 DBG(debug("done calc MAC(EtM) out #%d",
953 active_state->p_send.seqnr));
954 }
941 buffer_append(&active_state->output, macbuf, mac->mac_len); 955 buffer_append(&active_state->output, macbuf, mac->mac_len);
956 }
942#ifdef PACKET_DEBUG 957#ifdef PACKET_DEBUG
943 fprintf(stderr, "encrypted: "); 958 fprintf(stderr, "encrypted: ");
944 buffer_dump(&active_state->output); 959 buffer_dump(&active_state->output);
@@ -949,8 +964,8 @@ packet_send2_wrapped(void)
949 if (++active_state->p_send.packets == 0) 964 if (++active_state->p_send.packets == 0)
950 if (!(datafellows & SSH_BUG_NOREKEY)) 965 if (!(datafellows & SSH_BUG_NOREKEY))
951 fatal("XXX too many packets with same key"); 966 fatal("XXX too many packets with same key");
952 active_state->p_send.blocks += (packet_length + 4) / block_size; 967 active_state->p_send.blocks += len / block_size;
953 active_state->p_send.bytes += packet_length + 4; 968 active_state->p_send.bytes += len;
954 buffer_clear(&active_state->outgoing_packet); 969 buffer_clear(&active_state->outgoing_packet);
955 970
956 if (type == SSH2_MSG_NEWKEYS) 971 if (type == SSH2_MSG_NEWKEYS)
@@ -1187,7 +1202,7 @@ packet_read_poll1(void)
1187 buffer_clear(&active_state->incoming_packet); 1202 buffer_clear(&active_state->incoming_packet);
1188 cp = buffer_append_space(&active_state->incoming_packet, padded_len); 1203 cp = buffer_append_space(&active_state->incoming_packet, padded_len);
1189 cipher_crypt(&active_state->receive_context, cp, 1204 cipher_crypt(&active_state->receive_context, cp,
1190 buffer_ptr(&active_state->input), padded_len); 1205 buffer_ptr(&active_state->input), padded_len, 0, 0);
1191 1206
1192 buffer_consume(&active_state->input, padded_len); 1207 buffer_consume(&active_state->input, padded_len);
1193 1208
@@ -1235,8 +1250,8 @@ static int
1235packet_read_poll2(u_int32_t *seqnr_p) 1250packet_read_poll2(u_int32_t *seqnr_p)
1236{ 1251{
1237 u_int padlen, need; 1252 u_int padlen, need;
1238 u_char *macbuf, *cp, type; 1253 u_char *macbuf = NULL, *cp, type;
1239 u_int maclen, block_size; 1254 u_int maclen, authlen = 0, aadlen = 0, block_size;
1240 Enc *enc = NULL; 1255 Enc *enc = NULL;
1241 Mac *mac = NULL; 1256 Mac *mac = NULL;
1242 Comp *comp = NULL; 1257 Comp *comp = NULL;
@@ -1248,11 +1263,29 @@ packet_read_poll2(u_int32_t *seqnr_p)
1248 enc = &active_state->newkeys[MODE_IN]->enc; 1263 enc = &active_state->newkeys[MODE_IN]->enc;
1249 mac = &active_state->newkeys[MODE_IN]->mac; 1264 mac = &active_state->newkeys[MODE_IN]->mac;
1250 comp = &active_state->newkeys[MODE_IN]->comp; 1265 comp = &active_state->newkeys[MODE_IN]->comp;
1266 /* disable mac for authenticated encryption */
1267 if ((authlen = cipher_authlen(enc->cipher)) != 0)
1268 mac = NULL;
1251 } 1269 }
1252 maclen = mac && mac->enabled ? mac->mac_len : 0; 1270 maclen = mac && mac->enabled ? mac->mac_len : 0;
1253 block_size = enc ? enc->block_size : 8; 1271 block_size = enc ? enc->block_size : 8;
1272 aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1254 1273
1255 if (active_state->packlen == 0) { 1274 if (aadlen && active_state->packlen == 0) {
1275 if (buffer_len(&active_state->input) < 4)
1276 return SSH_MSG_NONE;
1277 cp = buffer_ptr(&active_state->input);
1278 active_state->packlen = get_u32(cp);
1279 if (active_state->packlen < 1 + 4 ||
1280 active_state->packlen > PACKET_MAX_SIZE) {
1281#ifdef PACKET_DEBUG
1282 buffer_dump(&active_state->input);
1283#endif
1284 logit("Bad packet length %u.", active_state->packlen);
1285 packet_disconnect("Packet corrupt");
1286 }
1287 buffer_clear(&active_state->incoming_packet);
1288 } else if (active_state->packlen == 0) {
1256 /* 1289 /*
1257 * check if input size is less than the cipher block size, 1290 * check if input size is less than the cipher block size,
1258 * decrypt first block and extract length of incoming packet 1291 * decrypt first block and extract length of incoming packet
@@ -1263,7 +1296,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
1263 cp = buffer_append_space(&active_state->incoming_packet, 1296 cp = buffer_append_space(&active_state->incoming_packet,
1264 block_size); 1297 block_size);
1265 cipher_crypt(&active_state->receive_context, cp, 1298 cipher_crypt(&active_state->receive_context, cp,
1266 buffer_ptr(&active_state->input), block_size); 1299 buffer_ptr(&active_state->input), block_size, 0, 0);
1267 cp = buffer_ptr(&active_state->incoming_packet); 1300 cp = buffer_ptr(&active_state->incoming_packet);
1268 active_state->packlen = get_u32(cp); 1301 active_state->packlen = get_u32(cp);
1269 if (active_state->packlen < 1 + 4 || 1302 if (active_state->packlen < 1 + 4 ||
@@ -1276,13 +1309,21 @@ packet_read_poll2(u_int32_t *seqnr_p)
1276 PACKET_MAX_SIZE); 1309 PACKET_MAX_SIZE);
1277 return SSH_MSG_NONE; 1310 return SSH_MSG_NONE;
1278 } 1311 }
1279 DBG(debug("input: packet len %u", active_state->packlen+4));
1280 buffer_consume(&active_state->input, block_size); 1312 buffer_consume(&active_state->input, block_size);
1281 } 1313 }
1282 /* we have a partial packet of block_size bytes */ 1314 DBG(debug("input: packet len %u", active_state->packlen+4));
1283 need = 4 + active_state->packlen - block_size; 1315 if (aadlen) {
1284 DBG(debug("partial packet %d, need %d, maclen %d", block_size, 1316 /* only the payload is encrypted */
1285 need, maclen)); 1317 need = active_state->packlen;
1318 } else {
1319 /*
1320 * the payload size and the payload are encrypted, but we
1321 * have a partial packet of block_size bytes
1322 */
1323 need = 4 + active_state->packlen - block_size;
1324 }
1325 DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d,"
1326 " aadlen %d", block_size, need, maclen, authlen, aadlen));
1286 if (need % block_size != 0) { 1327 if (need % block_size != 0) {
1287 logit("padding error: need %d block %d mod %d", 1328 logit("padding error: need %d block %d mod %d",
1288 need, block_size, need % block_size); 1329 need, block_size, need % block_size);
@@ -1292,26 +1333,35 @@ packet_read_poll2(u_int32_t *seqnr_p)
1292 } 1333 }
1293 /* 1334 /*
1294 * check if the entire packet has been received and 1335 * check if the entire packet has been received and
1295 * decrypt into incoming_packet 1336 * decrypt into incoming_packet:
1337 * 'aadlen' bytes are unencrypted, but authenticated.
1338 * 'need' bytes are encrypted, followed by either
1339 * 'authlen' bytes of authentication tag or
1340 * 'maclen' bytes of message authentication code.
1296 */ 1341 */
1297 if (buffer_len(&active_state->input) < need + maclen) 1342 if (buffer_len(&active_state->input) < aadlen + need + authlen + maclen)
1298 return SSH_MSG_NONE; 1343 return SSH_MSG_NONE;
1299#ifdef PACKET_DEBUG 1344#ifdef PACKET_DEBUG
1300 fprintf(stderr, "read_poll enc/full: "); 1345 fprintf(stderr, "read_poll enc/full: ");
1301 buffer_dump(&active_state->input); 1346 buffer_dump(&active_state->input);
1302#endif 1347#endif
1303 cp = buffer_append_space(&active_state->incoming_packet, need); 1348 /* EtM: compute mac over encrypted input */
1349 if (mac && mac->enabled && mac->etm)
1350 macbuf = mac_compute(mac, active_state->p_read.seqnr,
1351 buffer_ptr(&active_state->input), aadlen + need);
1352 cp = buffer_append_space(&active_state->incoming_packet, aadlen + need);
1304 cipher_crypt(&active_state->receive_context, cp, 1353 cipher_crypt(&active_state->receive_context, cp,
1305 buffer_ptr(&active_state->input), need); 1354 buffer_ptr(&active_state->input), need, aadlen, authlen);
1306 buffer_consume(&active_state->input, need); 1355 buffer_consume(&active_state->input, aadlen + need + authlen);
1307 /* 1356 /*
1308 * compute MAC over seqnr and packet, 1357 * compute MAC over seqnr and packet,
1309 * increment sequence number for incoming packet 1358 * increment sequence number for incoming packet
1310 */ 1359 */
1311 if (mac && mac->enabled) { 1360 if (mac && mac->enabled) {
1312 macbuf = mac_compute(mac, active_state->p_read.seqnr, 1361 if (!mac->etm)
1313 buffer_ptr(&active_state->incoming_packet), 1362 macbuf = mac_compute(mac, active_state->p_read.seqnr,
1314 buffer_len(&active_state->incoming_packet)); 1363 buffer_ptr(&active_state->incoming_packet),
1364 buffer_len(&active_state->incoming_packet));
1315 if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input), 1365 if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input),
1316 mac->mac_len) != 0) { 1366 mac->mac_len) != 0) {
1317 logit("Corrupted MAC on input."); 1367 logit("Corrupted MAC on input.");
@@ -1410,7 +1460,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1410 case SSH2_MSG_DISCONNECT: 1460 case SSH2_MSG_DISCONNECT:
1411 reason = packet_get_int(); 1461 reason = packet_get_int();
1412 msg = packet_get_string(NULL); 1462 msg = packet_get_string(NULL);
1413 logit("Received disconnect from %s: %u: %.400s", 1463 error("Received disconnect from %s: %u: %.400s",
1414 get_remote_ipaddr(), reason, msg); 1464 get_remote_ipaddr(), reason, msg);
1415 xfree(msg); 1465 xfree(msg);
1416 cleanup_exit(255); 1466 cleanup_exit(255);
@@ -1435,7 +1485,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1435 break; 1485 break;
1436 case SSH_MSG_DISCONNECT: 1486 case SSH_MSG_DISCONNECT:
1437 msg = packet_get_string(NULL); 1487 msg = packet_get_string(NULL);
1438 logit("Received disconnect from %s: %.400s", 1488 error("Received disconnect from %s: %.400s",
1439 get_remote_ipaddr(), msg); 1489 get_remote_ipaddr(), msg);
1440 cleanup_exit(255); 1490 cleanup_exit(255);
1441 break; 1491 break;
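--- a/platform.c
+++ b/platform.c
@@ -1,4 +1,4 @@
-/* $Id: platform.c,v 1.18 2011/01/11 06:02:25 djm Exp $ */
+/* $Id: platform.c,v 1.19 2013/03/12 00:31:05 dtucker Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -194,3 +194,19 @@ platform_krb5_get_principal_name(const char *pw_name)
  return NULL;
 #endif
 }
+
+/*
+ * return 1 if the specified uid is a uid that may own a system directory
+ * otherwise 0.
+ */
+int
+platform_sys_dir_uid(uid_t uid)
+{
+ if (uid == 0)
+ return 1;
+#ifdef PLATFORM_SYS_DIR_UID
+ if (uid == PLATFORM_SYS_DIR_UID)
+ return 1;
+#endif
+ return 0;
+}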
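Review bot: The comment above `platform_sys_dir_uid` gives the return values but does not say that a 1 is a trust decision, so a reader cannot tell what a platform commits to by defining `PLATFORM_SYS_DIR_UID`. The callers are not in this section; presumably they use the result when checking who owns a directory on a security-sensitive path, in which case anything owned by that extra uid is accepted exactly as root-owned content is. I would extend the comment with something like `uid 0 always qualifies; PLATFORM_SYS_DIR_UID, when defined, adds exactly one more uid, which must be an account no unprivileged user can act as`.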
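--- a/platform.h
+++ b/platform.h
@@ -1,4 +1,4 @@
-/* $Id: platform.h,v 1.7 2010/11/05 03:47:01 dtucker Exp $ */
+/* $Id: platform.h,v 1.8 2013/03/12 00:31:05 dtucker Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -29,5 +29,4 @@ void platform_setusercontext(struct passwd *);
 void platform_setusercontext_post_groups(struct passwd *, const char *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
-
-
+int platform_sys_dir_uid(uid_t);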
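--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.58 2011/01/06 22:46:21 djm Exp $
+# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
 
 REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
 tests: $(REGRESS_TARGETS)
@@ -57,7 +57,11 @@ LTESTS= connect \
  kextype \
  cert-hostkey \
  cert-userkey \
- host-expand
+ host-expand \
+ keys-command \
+ forward-control \
+ integrity \
+ krl
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -67,23 +71,27 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 USER!= id -un
 CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
  t8.out t8.out.pub t9.out t9.out.pub \
- authorized_keys_${USER} known_hosts pidfile \
+ authorized_keys_${USER} known_hosts pidfile testdata \
  ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
  rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
  rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
  ls.copy banner.in banner.out empty.in \
  scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
  sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
- known_hosts-cert host_ca_key* cert_host_key* \
+ known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
  putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
  key.rsa-* key.dsa-* key.ecdsa-* \
- authorized_principals_${USER} expect actual
+ authorized_principals_${USER} expect actual ready \
+ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
+
 
 # Enable all malloc(3) randomisations and checks
 TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
 
 TEST_SSH_SSHKEYGEN?=ssh-keygen
 
+CPPFLAGS=-I..
+
 t1:
  ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
  tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv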
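--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -22,9 +22,8 @@ for ktype in rsa dsa $ecdsa ; do
  ${SSHKEYGEN} -q -N '' -t ${ktype} \
  -f $OBJ/cert_user_key_${ktype} || \
  fail "ssh-keygen of cert_user_key_${ktype} failed"
- ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
- "regress user key for $USER" \
- -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
+ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
  fail "couldn't sign cert_user_key_${ktype}"
  # v00 ecdsa certs do not exist
  test "${ktype}" = "ecdsa" && continue
@@ -185,14 +184,32 @@ basic_tests() {
  (
  cat $OBJ/sshd_proxy_bak
  echo "UsePrivilegeSeparation $privsep"
- echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+ echo "RevokedKeys $OBJ/cert_user_key_revoked"
  echo "$extra_sshd"
  ) > $OBJ/sshd_proxy
+ cp $OBJ/cert_user_key_${ktype}.pub \
+ $OBJ/cert_user_key_revoked
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
+ verbose "$tid: ${_prefix} revoked via KRL"
+ rm $OBJ/cert_user_key_revoked
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+ $OBJ/cert_user_key_${ktype}.pub
  ${SSH} -2i $OBJ/cert_user_key_${ktype} \
  -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
  if [ $? -eq 0 ]; then
  fail "ssh cert connect succeeded unexpecedly"
  fi
+ verbose "$tid: ${_prefix} empty KRL"
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
  done
 
  # Revoked CA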
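Review bot: In the "revoked via KRL" step of the last hunk the revocation file is removed and regenerated with `${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked ...` without checking the exit status, and the assertion that follows only requires the login to fail. If KRL generation fails, sshd is left with a `RevokedKeys` path that does not exist; if it refuses authentication in that state (likely, but not shown here), the negative test passes without KRL matching ever being exercised. Appending `|| fatal "couldn't create KRL"` to both `-kqf` invocations, as the other regress scripts on this page do for ssh-keygen, would make that case visible. `basic_tests` starts and ends outside the hunk.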
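--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,29 +1,31 @@
-# $OpenBSD: cipher-speed.sh,v 1.5 2012/06/28 05:07:45 dtucker Exp $
+# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $
 # Placed in the Public Domain.
 
 tid="cipher speed"
 
 getbytes ()
 {
- sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+ sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \
+ -e '/copied/s/.*s, \(.* MB.s\).*/\1/p'
 }
 
 tries="1 2"
-DATA=/bin/ls
-DATA=/bsd
 
 ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
  arcfour128 arcfour256 arcfour
  aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
  aes128-ctr aes192-ctr aes256-ctr"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
-config_defined HAVE_EVP_SHA256 &&
+config_defined OPENSSL_HAVE_EVPGCM && \
+ ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+ hmac-sha1-96 hmac-md5-96"
+config_defined HAVE_EVP_SHA256 && \
  macs="$macs hmac-sha2-256 hmac-sha2-512"
 
-for c in $ciphers; do for m in $macs; do
+for c in $ciphers; do n=0; for m in $macs; do
  trace "proto 2 cipher $c mac $m"
  for x in $tries; do
- echon "$c/$m:\t"
+ printf "%-60s" "$c/$m:"
  ( ${SSH} -o 'compression no' \
  -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
  exec sh -c \'"dd of=/dev/null obs=32k"\' \
@@ -33,13 +35,18 @@ for c in $ciphers; do for m in $macs; do
  fail "ssh -2 failed with mac $m cipher $c"
  fi
  done
+ # No point trying all MACs for GCM since they are ignored.
+ case $c in
+ aes*-gcm@openssh.com) test $n -gt 0 && break;;
+ esac
+ n=`expr $n + 1`
 done; done
 
 ciphers="3des blowfish"
 for c in $ciphers; do
  trace "proto 1 cipher $c"
  for x in $tries; do
- echon "$c:\t"
+ printf "%-60s" "$c:"
  ( ${SSH} -o 'compression no' \
  -F $OBJ/ssh_proxy -1 -c $c somehost \
  exec sh -c \'"dd of=/dev/null obs=32k"\' \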
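Review bot: The GCM short-circuit added in the second hunk sits after the inner `for x in $tries` loop and only breaks once `$n` is greater than 0, so each `aes*-gcm@openssh.com` cipher is still timed with two MACs even though the comment says the MAC is ignored. Because the `case` already runs at the end of the first iteration, an unconditional `aes*-gcm@openssh.com) break;;` stops after one MAC and makes the `n` counter (and the `n=0` added to the loop header) unnecessary.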
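--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
+# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+# Placed in the Public Domain.
+
+tid="sshd control of local and remote forwarding"
+
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+
+wait_for_file_to_appear() {
+ _path=$1
+ _n=0
+ while test ! -f $_path ; do
+ test $_n -eq 1 && trace "waiting for $_path to appear"
+ _n=`expr $_n + 1`
+ test $_n -ge 20 && return 1
+ sleep 1
+ done
+ return 0
+}
+
+wait_for_process_to_exit() {
+ _pid=$1
+ _n=0
+ while kill -0 $_pid 2>/dev/null ; do
+ test $_n -eq 1 && trace "waiting for $_pid to exit"
+ _n=`expr $_n + 1`
+ test $_n -ge 20 && return 1
+ sleep 1
+ done
+ return 0
+}
+
+# usage: check_lfwd protocol Y|N message
+check_lfwd() {
+ _proto=$1
+ _expected=$2
+ _message=$3
+ rm -f $READY
+ ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+ -L$LFWD_PORT:127.0.0.1:$PORT \
+ -o ExitOnForwardFailure=yes \
+ -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+ >/dev/null 2>&1 &
+ _sshpid=$!
+ wait_for_file_to_appear $READY || \
+ fatal "check_lfwd ssh fail: $_message"
+ ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+ -oConnectionAttempts=4 host true >/dev/null 2>&1
+ _result=$?
+ kill $_sshpid `cat $READY` 2>/dev/null
+ wait_for_process_to_exit $_sshpid
+ if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+ fail "check_lfwd failed (expecting success): $_message"
+ elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+ fail "check_lfwd succeeded (expecting failure): $_message"
+ elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+ fatal "check_lfwd invalid argument \"$_expected\""
+ else
+ verbose "check_lfwd done (expecting $_expected): $_message"
+ fi
+}
+
+# usage: check_rfwd protocol Y|N message
+check_rfwd() {
+ _proto=$1
+ _expected=$2
+ _message=$3
+ rm -f $READY
+ ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+ -R$RFWD_PORT:127.0.0.1:$PORT \
+ -o ExitOnForwardFailure=yes \
+ -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+ >/dev/null 2>&1 &
+ _sshpid=$!
+ wait_for_file_to_appear $READY
+ _result=$?
+ if test $_result -eq 0 ; then
+ ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+ -oConnectionAttempts=4 host true >/dev/null 2>&1
+ _result=$?
+ kill $_sshpid `cat $READY` 2>/dev/null
+ wait_for_process_to_exit $_sshpid
+ fi
+ if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+ fail "check_rfwd failed (expecting success): $_message"
+ elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+ fail "check_rfwd succeeded (expecting failure): $_message"
+ elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+ fatal "check_rfwd invalid argument \"$_expected\""
+ else
+ verbose "check_rfwd done (expecting $_expected): $_message"
+ fi
+}
+
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+
+# Sanity check: ensure the default config allows forwarding
+for p in 1 2 ; do
+ check_lfwd $p Y "proto $p, default configuration"
+ check_rfwd $p Y "proto $p, default configuration"
+done
+
+# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+all_tests() {
+ _tcpfwd=$1
+ _plain_lfwd=$2
+ _plain_rfwd=$3
+ _nopermit_lfwd=$4
+ _nopermit_rfwd=$5
+ _permit_lfwd=$6
+ _permit_rfwd=$7
+ _badfwd=127.0.0.1:22
+ _goodfwd=127.0.0.1:${PORT}
+ for _proto in 1 2 ; do
+ cp ${OBJ}/authorized_keys_${USER}.bak \
+ ${OBJ}/authorized_keys_${USER}
+ _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
+ # No PermitOpen
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_plain_lfwd "$_prefix"
+ check_rfwd $_proto $_plain_rfwd "$_prefix"
+ # PermitOpen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
+ check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
+ # PermitOpen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd $_goodfwd" ) \
+ > ${OBJ}/sshd_proxy
+ # NB. permitopen via authorized_keys should have same
+ # success/fail as via sshd_config
+ # permitopen via authorized_keys that doesn't match
+ sed "s/^/permitopen=\"$_badfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
+ check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
+ # permitopen via authorized_keys that does match
+ sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
+ check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
+ done
+}
+
+# no-permitopen mismatch-permitopen match-permitopen
+# AllowTcpForwarding local remote local remote local remote
+all_tests yes Y Y N Y Y Y
+all_tests local Y N N N Y N
+all_tests remote N Y N Y N Y
+all_tests no N N N N N N
+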
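Review bot: In `check_rfwd`, when `wait_for_file_to_appear $READY` times out the function neither kills `$_sshpid` nor records why, and the non-zero `_result` is then accepted as a correct denial for every `N` expectation. Any unrelated failure (sshd rejecting the rewritten `sshd_proxy`, an authentication problem) therefore satisfies the negative cases, and a client that is still running can keep `$RFWD_PORT` bound for the next check. I would add an `else` branch to the `if test $_result -eq 0` block with `kill $_sshpid 2>/dev/null; wait_for_process_to_exit $_sshpid`, and state in the usage comment that `N` means "the connection did not succeed" rather than "sshd refused the forward". The final `_result` in `check_lfwd` has the same ambiguity.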
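--- /dev/null
+++ b/regress/integrity.sh
@@ -0,0 +1,74 @@
+# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $
+# Placed in the Public Domain.
+
+tid="integrity"
+
+# start at byte 2900 (i.e. after kex) and corrupt at different offsets
+# XXX the test hangs if we modify the low bytes of the packet length
+# XXX and ssh tries to read...
+tries=10
+startoffset=2900
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+ hmac-sha1-96 hmac-md5-96
+ hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
+ umac-64-etm@openssh.com umac-128-etm@openssh.com
+ hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
+config_defined HAVE_EVP_SHA256 &&
+ macs="$macs hmac-sha2-256 hmac-sha2-512
+ hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+# The following are not MACs, but ciphers with integrated integrity. They are
+# handled specially below.
+config_defined OPENSSL_HAVE_EVPGCM && \
+ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
+
+# sshd-command for proxy (see test-exec.sh)
+cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy"
+
+jot() {
+ awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+
+for m in $macs; do
+ trace "test $tid: mac $m"
+ elen=0
+ epad=0
+ emac=0
+ ecnt=0
+ skip=0
+ for off in `jot $tries $startoffset`; do
+ skip=`expr $skip - 1`
+ if [ $skip -gt 0 ]; then
+ # avoid modifying the high bytes of the length
+ continue
+ fi
+ # modify output from sshd at offset $off
+ pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
+ case $m in
+ aes*gcm*) macopt="-c $m";;
+ *) macopt="-m $m";;
+ esac
+ output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+ 999.999.999.999 'printf "%4096s" " "' 2>&1`
+ if [ $? -eq 0 ]; then
+ fail "ssh -m $m succeeds with bit-flip at $off"
+ fi
+ ecnt=`expr $ecnt + 1`
+ output=`echo $output | tr -s '\r\n' '.'`
+ verbose "test $tid: $m @$off $output"
+ case "$output" in
+ Bad?packet*) elen=`expr $elen + 1`; skip=3;;
+ Corrupted?MAC* | Decryption?integrity?check?failed*)
+ emac=`expr $emac + 1`; skip=0;;
+ padding*) epad=`expr $epad + 1`; skip=0;;
+ *) fail "unexpected error mac $m at $off";;
+ esac
+ done
+ verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
+ if [ $emac -eq 0 ]; then
+ fail "$m: no mac errors"
+ fi
+ expect=`expr $ecnt - $epad - $elen`
+ if [ $emac -ne $expect ]; then
+ fail "$m: expected $expect mac errors, got $emac"
+ fi
+done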
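Review bot: The closing comparison `[ $emac -ne $expect ]` cannot fail on its own: every pass that reaches the ssh call increments `ecnt` and exactly one of `elen`, `emac` or `epad`, except in the `*)` branch, which has already called `fail`. The only assertion that says anything about integrity checking is `[ $emac -eq 0 ]`, and with `tries=10` and `skip=3` after a length error a single detected bit-flip per algorithm satisfies it. I would either drop the `expect` block or mark it with a comment such as `# holds by construction unless the "unexpected error" branch fired`, so readers do not take it for an independent check.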
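--- /dev/null
+++ b/regress/keys-command.sh
@@ -0,0 +1,39 @@
+# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="authorized keys from command"
+
+if test -z "$SUDO" ; then
+ echo "skipped (SUDO not set)"
+ echo "need SUDO to create file in /var/run, test won't work without"
+ exit 0
+fi
+
+# Establish a AuthorizedKeysCommand in /var/run where it will have
+# acceptable directory permissions.
+KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
+#!/bin/sh
+test "x\$1" != "x${LOGNAME}" && exit 1
+exec cat "$OBJ/authorized_keys_${LOGNAME}"
+_EOF
+$SUDO chmod 0755 "$KEY_COMMAND"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+(
+ grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+ echo AuthorizedKeysFile none
+ echo AuthorizedKeysCommand $KEY_COMMAND
+ echo AuthorizedKeysCommandUser ${LOGNAME}
+) > $OBJ/sshd_proxy
+
+if [ -x $KEY_COMMAND ]; then
+ ${SSH} -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "connect failed"
+ fi
+else
+ echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
+fi
+
+$SUDO rm -f $KEY_COMMAND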
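Review bot: The helper is written as root to a predictable path by `$SUDO sh -c "cat > '$KEY_COMMAND'"`, where `$KEY_COMMAND` embeds `${LOGNAME}` and is pasted into the command string the root shell parses; neither that write nor the `chmod` is checked. A `LOGNAME` containing a single quote changes what the root shell parses. If the write fails while a file from an earlier aborted run is still in /var/run, the test runs against stale content, because cleanup happens only on the last line. I would validate the name first (`case "$LOGNAME" in *[!A-Za-z0-9_.-]*) fatal "unsafe LOGNAME";; esac`), append `|| fatal "couldn't write $KEY_COMMAND"` to the write, and quote the final `$SUDO rm -f "$KEY_COMMAND"`.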
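--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,161 @@
+# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# Placed in the Public Domain.
+
+tid="key revocation lists"
+
+# If we don't support ecdsa keys then this tell will be much slower.
+ECDSA=ecdsa
+if test "x$TEST_SSH_ECC" != "xyes"; then
+ ECDSA=rsa
+fi
+
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+
+# Generate a CA key
+$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
+ fatal "$SSHKEYGEN CA failed"
+
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+
+jot() {
+ awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+ # Fill in by-ID revocation spec.
+ echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+
+keygen() {
+ N=$1
+ f=$OBJ/revoked-`printf "%04d" $N`
+ # Vary the keytype. We use mostly ECDSA since this is fastest by far.
+ keytype=$ECDSA
+ case $N in
+ 2 | 10 | 510 | 1001) keytype=rsa;;
+ 4 | 30 | 520 | 1002) keytype=dsa;;
+ esac
+ $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+ || fatal "$SSHKEYGEN failed"
+ # Sign cert
+ $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+ || fatal "$SSHKEYGEN sign failed"
+ echo $f
+}
+
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+ f=`keygen $n`
+ REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+ REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+ NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+ NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+
+genkrls() {
+ OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+
+verbose "$tid: generating KRLs"
+genkrls
+
+check_krl() {
+ KEY=$1
+ KRL=$2
+ EXPECT_REVOKED=$3
+ TAG=$4
+ $SSHKEYGEN -Qf $KRL $KEY >/dev/null
+ result=$?
+ if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+ fatal "key $KEY not revoked by KRL $KRL: $TAG"
+ elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+ fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+ fi
+}
+test_all() {
+ FILES=$1
+ TAG=$2
+ KEYS_RESULT=$3
+ ALL_RESULT=$4
+ SERIAL_RESULT=$5
+ KEYID_RESULT=$6
+ CERTS_RESULT=$7
+ CA_RESULT=$8
+ verbose "$tid: checking revocations for $TAG"
+ for f in $FILES ; do
+ check_krl $f $OBJ/krl-empty no "$TAG"
+ check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+ check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+ done
+}
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+ $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+ cp -f $OBJ/krl-empty $f
+ genkrls -u
+done
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes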
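Review bot: The not-revoked half of this test checks nothing: the loop at new lines 80-83 never calls keygen and fills NOTREVOKED_KEYS/NOTREVOKED_CERTS from the stale `$f`, while the test_all calls read `$UNREVOKED_KEYS` and `$UNREVOKED_CERTS`, which are never assigned, so their `for f in $FILES` loops run zero times. A KRL that wrongly revoked every key or certificate would therefore still pass. The loop should generate a key per serial and fill the variables test_all reads, as below; once it does, NOTREVOKED_SERIALS needs revisiting, because 30, for one, appears as `serial: 30` and in the key-ID list. Separately, keygen() passes `-z $n`, which only works because every caller's loop variable happens to be `n`; `-z $N` is presumably what was meant.

```shell
# … unchanged: REVOKED_SERIALS loop and NOTREVOKED_SERIALS assignment …
UNREVOKED_KEYS=""
UNREVOKED_CERTS=""
for n in $NOTREVOKED_SERIALS ; do
	f=`keygen $n`
	UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"
	UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"
done
```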
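--- /dev/null
+++ b/regress/modpipe.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <errno.h>
+#include "openbsd-compat/getopt.c"
+
+static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
+static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
+
+static void
+err(int r, const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ fprintf(stderr, "%s: ", strerror(errno));
+ vfprintf(stderr, fmt, args);
+ fputc('\n', stderr);
+ va_end(args);
+ exit(r);
+}
+
+static void
+errx(int r, const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ fputc('\n', stderr);
+ va_end(args);
+ exit(r);
+}
+
+static void
+usage(void)
+{
+ fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n");
+ fprintf(stderr, "modspec is one of:\n");
+ fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n");
+ fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n");
+ exit(1);
+}
+
+#define MAX_MODIFICATIONS 256
+struct modification {
+ enum { MOD_XOR, MOD_AND_OR } what;
+ u_int64_t offset;
+ u_int8_t m1, m2;
+};
+
+static void
+parse_modification(const char *s, struct modification *m)
+{
+ char what[16+1];
+ int n, m1, m2;
+
+ bzero(m, sizeof(*m));
+ if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
+ what, &m->offset, &m1, &m2)) < 3)
+ errx(1, "Invalid modification spec \"%s\"", s);
+ if (strcasecmp(what, "xor") == 0) {
+ if (n > 3)
+ errx(1, "Invalid modification spec \"%s\"", s);
+ if (m1 < 0 || m1 > 0xff)
+ errx(1, "Invalid XOR modification value");
+ m->what = MOD_XOR;
+ m->m1 = m1;
+ } else if (strcasecmp(what, "andor") == 0) {
+ if (n != 4)
+ errx(1, "Invalid modification spec \"%s\"", s);
+ if (m1 < 0 || m1 > 0xff)
+ errx(1, "Invalid AND modification value");
+ if (m2 < 0 || m2 > 0xff)
+ errx(1, "Invalid OR modification value");
+ m->what = MOD_AND_OR;
+ m->m1 = m1;
+ m->m2 = m2;
+ } else
+ errx(1, "Invalid modification type \"%s\"", what);
+}
+
+int
+main(int argc, char **argv)
+{
+ int ch;
+ u_char buf[8192];
+ size_t total;
+ ssize_t r, s, o;
+ struct modification mods[MAX_MODIFICATIONS];
+ u_int i, wflag = 0, num_mods = 0;
+
+ while ((ch = getopt(argc, argv, "wm:")) != -1) {
+ switch (ch) {
+ case 'm':
+ if (num_mods >= MAX_MODIFICATIONS)
+ errx(1, "Too many modifications");
+ parse_modification(optarg, &(mods[num_mods++]));
+ break;
+ case 'w':
+ wflag = 1;
+ break;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
+ }
+ for (total = 0;;) {
+ r = s = read(STDIN_FILENO, buf, sizeof(buf));
+ if (r == 0)
+ break;
+ if (r < 0) {
+ if (errno == EAGAIN || errno == EINTR)
+ continue;
+ err(1, "read");
+ }
+ for (i = 0; i < num_mods; i++) {
+ if (mods[i].offset < total ||
+ mods[i].offset >= total + s)
+ continue;
+ switch (mods[i].what) {
+ case MOD_XOR:
+ buf[mods[i].offset - total] ^= mods[i].m1;
+ break;
+ case MOD_AND_OR:
+ buf[mods[i].offset - total] &= mods[i].m1;
+ buf[mods[i].offset - total] |= mods[i].m2;
+ break;
+ }
+ }
+ for (o = 0; o < s; o += r) {
+ r = write(STDOUT_FILENO, buf, s - o);
+ if (r == 0)
+ break;
+ if (r < 0) {
+ if (errno == EAGAIN || errno == EINTR)
+ continue;
+ err(1, "write");
+ }
+ }
+ total += s;
+ }
+ /* Warn if modifications not reached in input stream */
+ r = 0;
+ for (i = 0; wflag && i < num_mods; i++) {
+ if (mods[i].offset < total)
+ continue;
+ r = 1;
+ fprintf(stderr, "modpipe: warning - mod %u not reached\n", i);
+ }
+ return r;
+}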
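Review bot: The write loop in main() (new lines 154-163) always passes `buf` to write(), so after a short write it resends the start of the buffer instead of the unwritten tail and the piped stream is corrupted beyond the intended modification; it should be `r = write(STDOUT_FILENO, buf + o, s - o);`. On EAGAIN/EINTR the `continue` still executes `o += r` with r equal to -1, which moves the offset backwards, so `r = 0;` is needed before that `continue`. In parse_modification(), `%lli` stores through `&m->offset`, which is a `u_int64_t *`, and a negative offset is accepted silently; scanning into a `long long` local and rejecting values below zero would avoid both.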
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 93e15088f..1e6cc7606 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.13 2012/06/01 00:47:36 djm Exp $ 1# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -13,14 +13,22 @@ fi
13DATA=/bin/ls${EXEEXT} 13DATA=/bin/ls${EXEEXT}
14COPY=$OBJ/ls.copy 14COPY=$OBJ/ls.copy
15 15
16wait_for_mux_master_ready()
17{
18 for i in 1 2 3 4 5; do
19 ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \
20 >/dev/null 2>&1 && return 0
21 sleep $i
22 done
23 fatal "mux master never becomes ready"
24}
25
16start_sshd 26start_sshd
17 27
18trace "start master, fork to background" 28trace "start master, fork to background"
19${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & 29${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
20MASTER_PID=$! 30MASTER_PID=$!
21 31wait_for_mux_master_ready
22# Wait for master to start and authenticate
23sleep 5
24 32
25verbose "test $tid: envpass" 33verbose "test $tid: envpass"
26trace "env passing over multiplexed connection" 34trace "env passing over multiplexed connection"
@@ -78,13 +86,35 @@ for s in 0 1 4 5 44; do
78 fi 86 fi
79done 87done
80 88
81trace "test check command" 89verbose "test $tid: cmd check"
82${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost || fail "check command failed" 90${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \
91 || fail "check command failed"
83 92
84trace "test exit command" 93verbose "test $tid: cmd exit"
85${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost || fail "send exit command failed" 94${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \
95 || fail "send exit command failed"
86 96
87# Wait for master to exit 97# Wait for master to exit
88sleep 2 98wait $MASTER_PID
99kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
89 100
90kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" 101# Restart master and test -O stop command with master using -N
102verbose "test $tid: cmd stop"
103trace "restart master, fork to background"
104${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
105MASTER_PID=$!
106wait_for_mux_master_ready
107
108# start a long-running command then immediately request a stop
109${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
110 >>$TEST_SSH_LOGFILE 2>&1 &
111SLEEP_PID=$!
112${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \
113 || fail "send stop command failed"
114
115# wait until both long-running command and master have exited.
116wait $SLEEP_PID
117[ $! != 0 ] || fail "waiting for concurrent command"
118wait $MASTER_PID
119[ $! != 0 ] || fail "waiting for master stop"
120kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"
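Review bot: The two checks after `wait` at new lines 117 and 119 test `$!`, which expands to the PID of the most recent background job rather than the status returned by wait, so `[ $! != 0 ]` is always true and neither `fail` can fire. If the intent is to check the wait status, `$?` is the variable to read, for example `wait $SLEEP_PID || fail "waiting for concurrent command"`; which exit status the stopped master should return needs confirming before the second check is rewritten the same way. As written, the only effective assertion in the stop test is the final `kill -0 $MASTER_PID`.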
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index bdc2c1a49..aa4e6e5c0 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -140,6 +140,10 @@ if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
140 TEST_SSH_LOGFILE=/dev/null 140 TEST_SSH_LOGFILE=/dev/null
141fi 141fi
142 142
143# Some data for test copies
144DATA=$OBJ/testdata
145cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA
146
143# these should be used in tests 147# these should be used in tests
144export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 148export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
145#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 149#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 925863504..084a1457a 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: try-ciphers.sh,v 1.13 2012/06/28 05:07:45 dtucker Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
@@ -7,11 +7,20 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
7 arcfour128 arcfour256 arcfour 7 arcfour128 arcfour256 arcfour
8 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se 8 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
9 aes128-ctr aes192-ctr aes256-ctr" 9 aes128-ctr aes192-ctr aes256-ctr"
10macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" 10config_defined OPENSSL_HAVE_EVPGCM && \
11 ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
12macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
13 hmac-sha1-96 hmac-md5-96
14 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
15 umac-64-etm@openssh.com umac-128-etm@openssh.com
16 hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com
17 hmac-ripemd160-etm@openssh.com"
11config_defined HAVE_EVP_SHA256 && 18config_defined HAVE_EVP_SHA256 &&
12 macs="$macs hmac-sha2-256 hmac-sha2-512" 19 macs="$macs hmac-sha2-256 hmac-sha2-512
20 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
13 21
14for c in $ciphers; do 22for c in $ciphers; do
23 n=0
15 for m in $macs; do 24 for m in $macs; do
16 trace "proto 2 cipher $c mac $m" 25 trace "proto 2 cipher $c mac $m"
17 verbose "test $tid: proto 2 cipher $c mac $m" 26 verbose "test $tid: proto 2 cipher $c mac $m"
@@ -19,6 +28,11 @@ for c in $ciphers; do
19 if [ $? -ne 0 ]; then 28 if [ $? -ne 0 ]; then
20 fail "ssh -2 failed with mac $m cipher $c" 29 fail "ssh -2 failed with mac $m cipher $c"
21 fi 30 fi
31 # No point trying all MACs for GCM since they are ignored.
32 case $c in
33 aes*-gcm@openssh.com) test $n -gt 0 && break;;
34 esac
35 n=`expr $n + 1`
22 done 36 done
23done 37done
24 38
@@ -32,20 +46,3 @@ for c in $ciphers; do
32 fi 46 fi
33done 47done
34 48
35if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null
36then
37 :
38else
39
40echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
41c=acss@openssh.org
42for m in $macs; do
43 trace "proto 2 $c mac $m"
44 verbose "test $tid: proto 2 cipher $c mac $m"
45 ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
46 if [ $? -ne 0 ]; then
47 fail "ssh -2 failed with mac $m cipher $c"
48 fi
49done
50
51fi
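Review bot: The GCM short-circuit at new lines 31-35 sits after the ssh run and tests `$n` before incrementing it, so each GCM cipher is still exercised with two MACs rather than one, which does not match the comment above it. Breaking unconditionally for the GCM pattern, `aes*-gcm@openssh.com) break;;`, would run one MAC per GCM cipher and make the counter `n` unnecessary. The ssh invocation of this for loop lies between the hunks and is not visible here.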
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ef2b13c4f..e12418399 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -44,6 +44,7 @@
44#include <linux/audit.h> 44#include <linux/audit.h>
45#include <linux/filter.h> 45#include <linux/filter.h>
46#include <linux/seccomp.h> 46#include <linux/seccomp.h>
47#include <elf.h>
47 48
48#include <asm/unistd.h> 49#include <asm/unistd.h>
49 50
@@ -90,7 +91,9 @@ static const struct sock_filter preauth_insns[] = {
90 SC_DENY(open, EACCES), 91 SC_DENY(open, EACCES),
91 SC_ALLOW(getpid), 92 SC_ALLOW(getpid),
92 SC_ALLOW(gettimeofday), 93 SC_ALLOW(gettimeofday),
94#ifdef __NR_time /* not defined on EABI ARM */
93 SC_ALLOW(time), 95 SC_ALLOW(time),
96#endif
94 SC_ALLOW(read), 97 SC_ALLOW(read),
95 SC_ALLOW(write), 98 SC_ALLOW(write),
96 SC_ALLOW(close), 99 SC_ALLOW(close),
@@ -102,7 +105,12 @@ static const struct sock_filter preauth_insns[] = {
102 SC_ALLOW(select), 105 SC_ALLOW(select),
103#endif 106#endif
104 SC_ALLOW(madvise), 107 SC_ALLOW(madvise),
108#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
109 SC_ALLOW(mmap2),
110#endif
111#ifdef __NR_mmap
105 SC_ALLOW(mmap), 112 SC_ALLOW(mmap),
113#endif
106 SC_ALLOW(munmap), 114 SC_ALLOW(munmap),
107 SC_ALLOW(exit_group), 115 SC_ALLOW(exit_group),
108#ifdef __NR_rt_sigprocmask 116#ifdef __NR_rt_sigprocmask
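Review bot: `#include <elf.h>` at new line 47 is added without any visible use in these hunks, and unlike the `__NR_time` and `__NR_mmap2` guards it carries no comment. If it is there to provide the EM_* machine constants behind the filter's audit-architecture check, a trailing comment such as `/* EM_* for the seccomp audit arch */` would keep a later cleanup from dropping it. The `#ifdef __NR_mmap` guard could likewise say which targets lack mmap, as the mmap2 guard does; the preauth_insns[] array begins and ends outside the hunks.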
diff --git a/scp.0 b/scp.0
index e612d30ef..119d9293b 100644
--- a/scp.0
+++ b/scp.0
@@ -155,4 +155,4 @@ AUTHORS
155 Timo Rinne <tri@iki.fi> 155 Timo Rinne <tri@iki.fi>
156 Tatu Ylonen <ylo@cs.hut.fi> 156 Tatu Ylonen <ylo@cs.hut.fi>
157 157
158OpenBSD 5.2 September 5, 2011 OpenBSD 5.2 158OpenBSD 5.3 September 5, 2011 OpenBSD 5.3
diff --git a/scp.c b/scp.c
index c08d122ea..e1fdd3985 100644
--- a/scp.c
+++ b/scp.c
@@ -103,7 +103,7 @@
103#include <string.h> 103#include <string.h>
104#include <time.h> 104#include <time.h>
105#include <unistd.h> 105#include <unistd.h>
106#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) 106#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
107#include <vis.h> 107#include <vis.h>
108#endif 108#endif
109 109
diff --git a/servconf.c b/servconf.c
index 9a8822938..1700d5aa6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -48,6 +48,8 @@
48#include "groupaccess.h" 48#include "groupaccess.h"
49#include "canohost.h" 49#include "canohost.h"
50#include "packet.h" 50#include "packet.h"
51#include "hostfile.h"
52#include "auth.h"
51 53
52static void add_listen_addr(ServerOptions *, char *, int); 54static void add_listen_addr(ServerOptions *, char *, int);
53static void add_one_listen_addr(ServerOptions *, char *, int); 55static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -139,6 +141,8 @@ initialize_server_options(ServerOptions *options)
139 options->num_permitted_opens = -1; 141 options->num_permitted_opens = -1;
140 options->adm_forced_command = NULL; 142 options->adm_forced_command = NULL;
141 options->chroot_directory = NULL; 143 options->chroot_directory = NULL;
144 options->authorized_keys_command = NULL;
145 options->authorized_keys_command_user = NULL;
142 options->zero_knowledge_password_authentication = -1; 146 options->zero_knowledge_password_authentication = -1;
143 options->revoked_keys_file = NULL; 147 options->revoked_keys_file = NULL;
144 options->trusted_user_ca_keys = NULL; 148 options->trusted_user_ca_keys = NULL;
@@ -259,7 +263,7 @@ fill_default_server_options(ServerOptions *options)
259 if (options->compression == -1) 263 if (options->compression == -1)
260 options->compression = COMP_DELAYED; 264 options->compression = COMP_DELAYED;
261 if (options->allow_tcp_forwarding == -1) 265 if (options->allow_tcp_forwarding == -1)
262 options->allow_tcp_forwarding = 1; 266 options->allow_tcp_forwarding = FORWARD_ALLOW;
263 if (options->allow_agent_forwarding == -1) 267 if (options->allow_agent_forwarding == -1)
264 options->allow_agent_forwarding = 1; 268 options->allow_agent_forwarding = 1;
265 if (options->gateway_ports == -1) 269 if (options->gateway_ports == -1)
@@ -346,6 +350,8 @@ typedef enum {
346 sZeroKnowledgePasswordAuthentication, sHostCertificate, 350 sZeroKnowledgePasswordAuthentication, sHostCertificate,
347 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 351 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
348 sKexAlgorithms, sIPQoS, sVersionAddendum, 352 sKexAlgorithms, sIPQoS, sVersionAddendum,
353 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
354 sAuthenticationMethods,
349 sDebianBanner, 355 sDebianBanner,
350 sDeprecated, sUnsupported 356 sDeprecated, sUnsupported
351} ServerOpCodes; 357} ServerOpCodes;
@@ -482,7 +488,10 @@ static struct {
482 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 488 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
483 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 489 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
484 { "ipqos", sIPQoS, SSHCFG_ALL }, 490 { "ipqos", sIPQoS, SSHCFG_ALL },
491 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
492 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
485 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 493 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
494 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
486 { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 495 { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
487 { NULL, sBadOption, 0 } 496 { NULL, sBadOption, 0 }
488}; 497};
@@ -648,8 +657,9 @@ out:
648} 657}
649 658
650/* 659/*
651 * All of the attributes on a single Match line are ANDed together, so we need to check every 660 * All of the attributes on a single Match line are ANDed together, so we need
652 * attribute and set the result to zero if any attribute does not match. 661 * to check every * attribute and set the result to zero if any attribute does
662 * not match.
653 */ 663 */
654static int 664static int
655match_cfg_line(char **condition, int line, struct connection_info *ci) 665match_cfg_line(char **condition, int line, struct connection_info *ci)
@@ -806,6 +816,14 @@ static const struct multistate multistate_privsep[] = {
806 { "no", PRIVSEP_OFF }, 816 { "no", PRIVSEP_OFF },
807 { NULL, -1 } 817 { NULL, -1 }
808}; 818};
819static const struct multistate multistate_tcpfwd[] = {
820 { "yes", FORWARD_ALLOW },
821 { "all", FORWARD_ALLOW },
822 { "no", FORWARD_DENY },
823 { "remote", FORWARD_REMOTE },
824 { "local", FORWARD_LOCAL },
825 { NULL, -1 }
826};
809 827
810int 828int
811process_server_config_line(ServerOptions *options, char *line, 829process_server_config_line(ServerOptions *options, char *line,
@@ -1179,7 +1197,8 @@ process_server_config_line(ServerOptions *options, char *line,
1179 1197
1180 case sAllowTcpForwarding: 1198 case sAllowTcpForwarding:
1181 intptr = &options->allow_tcp_forwarding; 1199 intptr = &options->allow_tcp_forwarding;
1182 goto parse_flag; 1200 multistate_ptr = multistate_tcpfwd;
1201 goto parse_multistate;
1183 1202
1184 case sAllowAgentForwarding: 1203 case sAllowAgentForwarding:
1185 intptr = &options->allow_agent_forwarding; 1204 intptr = &options->allow_agent_forwarding;
@@ -1459,7 +1478,6 @@ process_server_config_line(ServerOptions *options, char *line,
1459 } 1478 }
1460 if (strcmp(arg, "none") == 0) { 1479 if (strcmp(arg, "none") == 0) {
1461 if (*activep && n == -1) { 1480 if (*activep && n == -1) {
1462 channel_clear_adm_permitted_opens();
1463 options->num_permitted_opens = 1; 1481 options->num_permitted_opens = 1;
1464 channel_disable_adm_local_opens(); 1482 channel_disable_adm_local_opens();
1465 } 1483 }
@@ -1543,6 +1561,43 @@ process_server_config_line(ServerOptions *options, char *line,
1543 } 1561 }
1544 return 0; 1562 return 0;
1545 1563
1564 case sAuthorizedKeysCommand:
1565 len = strspn(cp, WHITESPACE);
1566 if (*activep && options->authorized_keys_command == NULL) {
1567 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1568 fatal("%.200s line %d: AuthorizedKeysCommand "
1569 "must be an absolute path",
1570 filename, linenum);
1571 options->authorized_keys_command = xstrdup(cp + len);
1572 }
1573 return 0;
1574
1575 case sAuthorizedKeysCommandUser:
1576 charptr = &options->authorized_keys_command_user;
1577
1578 arg = strdelim(&cp);
1579 if (*activep && *charptr == NULL)
1580 *charptr = xstrdup(arg);
1581 break;
1582
1583 case sAuthenticationMethods:
1584 if (*activep && options->num_auth_methods == 0) {
1585 while ((arg = strdelim(&cp)) && *arg != '\0') {
1586 if (options->num_auth_methods >=
1587 MAX_AUTH_METHODS)
1588 fatal("%s line %d: "
1589 "too many authentication methods.",
1590 filename, linenum);
1591 if (auth2_methods_valid(arg, 0) != 0)
1592 fatal("%s line %d: invalid "
1593 "authentication method list.",
1594 filename, linenum);
1595 options->auth_methods[
1596 options->num_auth_methods++] = xstrdup(arg);
1597 }
1598 }
1599 return 0;
1600
1546 case sDebianBanner: 1601 case sDebianBanner:
1547 intptr = &options->debian_banner; 1602 intptr = &options->debian_banner;
1548 goto parse_int; 1603 goto parse_int;
@@ -1697,6 +1752,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1697 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1752 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1698 M_CP_INTOPT(kbd_interactive_authentication); 1753 M_CP_INTOPT(kbd_interactive_authentication);
1699 M_CP_INTOPT(zero_knowledge_password_authentication); 1754 M_CP_INTOPT(zero_knowledge_password_authentication);
1755 M_CP_STROPT(authorized_keys_command);
1756 M_CP_STROPT(authorized_keys_command_user);
1700 M_CP_INTOPT(permit_root_login); 1757 M_CP_INTOPT(permit_root_login);
1701 M_CP_INTOPT(permit_empty_passwd); 1758 M_CP_INTOPT(permit_empty_passwd);
1702 1759
@@ -1781,6 +1838,8 @@ fmt_intarg(ServerOpCodes code, int val)
1781 return fmt_multistate_int(val, multistate_compression); 1838 return fmt_multistate_int(val, multistate_compression);
1782 case sUsePrivilegeSeparation: 1839 case sUsePrivilegeSeparation:
1783 return fmt_multistate_int(val, multistate_privsep); 1840 return fmt_multistate_int(val, multistate_privsep);
1841 case sAllowTcpForwarding:
1842 return fmt_multistate_int(val, multistate_tcpfwd);
1784 case sProtocol: 1843 case sProtocol:
1785 switch (val) { 1844 switch (val) {
1786 case SSH_PROTO_1: 1845 case SSH_PROTO_1:
@@ -1961,6 +2020,8 @@ dump_config(ServerOptions *o)
1961 dump_cfg_string(sAuthorizedPrincipalsFile, 2020 dump_cfg_string(sAuthorizedPrincipalsFile,
1962 o->authorized_principals_file); 2021 o->authorized_principals_file);
1963 dump_cfg_string(sVersionAddendum, o->version_addendum); 2022 dump_cfg_string(sVersionAddendum, o->version_addendum);
2023 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2024 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
1964 2025
1965 /* string arguments requiring a lookup */ 2026 /* string arguments requiring a lookup */
1966 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2027 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -1978,6 +2039,8 @@ dump_config(ServerOptions *o)
1978 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2039 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1979 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2040 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1980 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2041 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2042 dump_cfg_strarray_oneline(sAuthenticationMethods,
2043 o->num_auth_methods, o->auth_methods);
1981 2044
1982 /* other arguments */ 2045 /* other arguments */
1983 for (i = 0; i < o->num_subsystems; i++) 2046 for (i = 0; i < o->num_subsystems; i++)
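Review bot: The sAuthorizedKeysCommandUser case (new lines 1575-1581) copies the result of strdelim() without checking it, so a directive with no argument reaches `xstrdup(arg)` with a string that may be NULL or empty instead of stopping with a configuration error. A guard before the copy, `if (!arg || *arg == '\0') fatal("%s line %d: missing AuthorizedKeysCommandUser argument.", filename, linenum);`, closes that. In the sAuthorizedKeysCommand case only the first character is checked for `/` and `xstrdup(cp + len)` keeps the rest of the line as written, so a comment stating that the whole remainder is taken as the command path would help. process_server_config_line() begins and ends outside these hunks.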
diff --git a/servconf.h b/servconf.h
index a15f2a7fa..bc0536927 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.103 2012/07/10 02:19:15 djm Exp $ */ 1/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -28,6 +28,7 @@
28#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ 28#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */
29#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ 29#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */
30#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ 30#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */
31#define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */
31 32
32/* permit_root_login */ 33/* permit_root_login */
33#define PERMIT_NOT_SET -1 34#define PERMIT_NOT_SET -1
@@ -41,6 +42,12 @@
41#define PRIVSEP_ON 1 42#define PRIVSEP_ON 1
42#define PRIVSEP_NOSANDBOX 2 43#define PRIVSEP_NOSANDBOX 2
43 44
45/* AllowTCPForwarding */
46#define FORWARD_DENY 0
47#define FORWARD_REMOTE (1)
48#define FORWARD_LOCAL (1<<1)
49#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
50
44#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ 51#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
45#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ 52#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
46 53
@@ -119,7 +126,7 @@ typedef struct {
119 int permit_user_env; /* If true, read ~/.ssh/environment */ 126 int permit_user_env; /* If true, read ~/.ssh/environment */
120 int use_login; /* If true, login(1) is used */ 127 int use_login; /* If true, login(1) is used */
121 int compression; /* If true, compression is allowed */ 128 int compression; /* If true, compression is allowed */
122 int allow_tcp_forwarding; 129 int allow_tcp_forwarding; /* One of FORWARD_* */
123 int allow_agent_forwarding; 130 int allow_agent_forwarding;
124 u_int num_allow_users; 131 u_int num_allow_users;
125 char *allow_users[MAX_ALLOW_USERS]; 132 char *allow_users[MAX_ALLOW_USERS];
@@ -170,8 +177,14 @@ typedef struct {
170 char *revoked_keys_file; 177 char *revoked_keys_file;
171 char *trusted_user_ca_keys; 178 char *trusted_user_ca_keys;
172 char *authorized_principals_file; 179 char *authorized_principals_file;
180 char *authorized_keys_command;
181 char *authorized_keys_command_user;
173 182
174 char *version_addendum; /* Appended to SSH banner */ 183 char *version_addendum; /* Appended to SSH banner */
184
185 u_int num_auth_methods;
186 char *auth_methods[MAX_AUTH_METHODS];
187
175 int debian_banner; 188 int debian_banner;
176} ServerOptions; 189} ServerOptions;
177 190
@@ -196,12 +209,15 @@ struct connection_info {
196 M_CP_STROPT(trusted_user_ca_keys); \ 209 M_CP_STROPT(trusted_user_ca_keys); \
197 M_CP_STROPT(revoked_keys_file); \ 210 M_CP_STROPT(revoked_keys_file); \
198 M_CP_STROPT(authorized_principals_file); \ 211 M_CP_STROPT(authorized_principals_file); \
212 M_CP_STROPT(authorized_keys_command); \
213 M_CP_STROPT(authorized_keys_command_user); \
199 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ 214 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
200 M_CP_STRARRAYOPT(allow_users, num_allow_users); \ 215 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
201 M_CP_STRARRAYOPT(deny_users, num_deny_users); \ 216 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
202 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ 217 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
203 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ 218 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
204 M_CP_STRARRAYOPT(accept_env, num_accept_env); \ 219 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
220 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
205 } while (0) 221 } while (0)
206 222
207struct connection_info *get_connection_info(int, int); 223struct connection_info *get_connection_info(int, int);
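--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -708,7 +708,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  &nalloc, max_time_milliseconds);
 
  if (received_sigterm) {
- logit("Exiting on signal %d", received_sigterm);
+ logit("Exiting on signal %d", (int)received_sigterm);
  /* Clean up sessions, utmp, etc. */
  cleanup_exit(255);
  }
@@ -858,7 +858,7 @@ server_loop2(Authctxt *authctxt)
  &nalloc, 0);
 
  if (received_sigterm) {
- logit("Exiting on signal %d", received_sigterm);
+ logit("Exiting on signal %d", (int)received_sigterm);
  /* Clean up sessions, utmp, etc. */
  cleanup_exit(255);
  }
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
 static Channel *
 server_request_direct_tcpip(void)
 {
- Channel *c;
+ Channel *c = NULL;
  char *target, *originator;
  u_short target_port, originator_port;
 
@@ -963,9 +963,16 @@ server_request_direct_tcpip(void)
  debug("server_request_direct_tcpip: originator %s port %d, target %s "
  "port %d", originator, originator_port, target, target_port);
 
- /* XXX check permission */
- c = channel_connect_to(target, target_port,
- "direct-tcpip", "direct-tcpip");
+ /* XXX fine grained permissions */
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
+ !no_port_forwarding_flag) {
+ c = channel_connect_to(target, target_port,
+ "direct-tcpip", "direct-tcpip");
+ } else {
+ logit("refused local port forward: "
+ "originator %s port %d, target %s port %d",
+ originator, originator_port, target, target_port);
+ }
 
  xfree(originator);
  xfree(target);
@@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
  listen_address, listen_port);
 
  /* check permissions */
- if (!options.allow_tcp_forwarding ||
+ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
  no_port_forwarding_flag ||
  (!want_reply && listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT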
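Review bot: The `logit("refused local port forward: ...")` branch added to server_request_direct_tcpip() records `originator` and `originator_port`, which in a direct-tcpip channel open are values the client puts in the request, not the address the connection came from (they are read above this hunk). Someone triaging these log lines could take them for the real peer, so a comment above the call would help: `/* originator address/port are client-supplied and unverified */`. A smaller style point: the forwarding mask is tested three different ways in this commit (`!= 0` here, `== 0` in server_input_global_request(), `!(...)` in session.c's do_authenticated1()), and one form throughout would be easier to audit. Both functions continue outside their hunks.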
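--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */
+/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -274,7 +274,10 @@ do_authenticated(Authctxt *authctxt)
  setproctitle("%s", authctxt->pw->pw_name);
 
  /* setup the channel layer */
- if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ if (no_port_forwarding_flag ||
+ (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+ channel_disable_adm_local_opens();
+ else
  channel_permit_all_opens();
 
  auth_debug_send();
@@ -384,7 +387,7 @@ do_authenticated1(Authctxt *authctxt)
  debug("Port forwarding not permitted for this authentication.");
  break;
  }
- if (!options.allow_tcp_forwarding) {
+ if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
  debug("Port forwarding not permitted.");
  break;
  }
@@ -1526,6 +1529,11 @@ do_setusercontext(struct passwd *pw, const char *role)
  perror("unable to set user context (setuser)");
  exit(1);
  }
+ /*
+ * FreeBSD's setusercontext() will not apply the user's
+ * own umask setting unless running with the user's UID.
+ */
+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
 #else
  /* Permanently switch to the desired uid. */
  permanently_set_uid(pw);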
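Review bot: The new `(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);` in do_setusercontext() throws away the return value, unlike the failure path directly above it, which ends in `perror(...)` and `exit(1)`. If this second call fails, the session carries on with whatever umask it inherited, which may be looser than the one the user's login class asks for, and nothing is recorded. Keeping it best-effort but leaving a trace would be enough: `if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK) < 0) debug("setusercontext(LOGIN_SETUMASK) failed");`. The enclosing `#if` block and the function itself start outside the hunk.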
diff --git a/sftp-server.0 b/sftp-server.0
index 340929d75..6beddcc13 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -4,7 +4,8 @@ NAME
4 sftp-server - SFTP server subsystem 4 sftp-server - SFTP server subsystem
5 5
6SYNOPSIS 6SYNOPSIS
7 sftp-server [-ehR] [-f log_facility] [-l log_level] [-u umask] 7 sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
8 [-u umask]
8 9
9DESCRIPTION 10DESCRIPTION
10 sftp-server is a program that speaks the server side of SFTP protocol to 11 sftp-server is a program that speaks the server side of SFTP protocol to
@@ -17,6 +18,15 @@ DESCRIPTION
17 18
18 Valid options are: 19 Valid options are:
19 20
21 -d start_directory
22 specifies an alternate starting directory for users. The
23 pathname may contain the following tokens that are expanded at
24 runtime: %% is replaced by a literal '%', %h is replaced by the
25 home directory of the user being authenticated, and %u is
26 replaced by the username of that user. The default is to use the
27 user's home directory. This option is useful in conjunction with
28 the sshd_config(5) ChrootDirectory option.
29
20 -e Causes sftp-server to print logging information to stderr instead 30 -e Causes sftp-server to print logging information to stderr instead
21 of syslog for debugging. 31 of syslog for debugging.
22 32
@@ -61,4 +71,4 @@ HISTORY
61AUTHORS 71AUTHORS
62 Markus Friedl <markus@openbsd.org> 72 Markus Friedl <markus@openbsd.org>
63 73
64OpenBSD 5.2 January 9, 2010 OpenBSD 5.2 74OpenBSD 5.3 January 4, 2013 OpenBSD 5.3
diff --git a/sftp-server.8 b/sftp-server.8
index bb19c15e1..2fd3df20c 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: sftp-server.8,v 1.19 2010/01/09 03:36:00 jmc Exp $ 1.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $
2.\" 2.\"
3.\" Copyright (c) 2000 Markus Friedl. All rights reserved. 3.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: January 9 2010 $ 25.Dd $Mdocdate: January 4 2013 $
26.Dt SFTP-SERVER 8 26.Dt SFTP-SERVER 8
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -31,6 +31,7 @@
31.Sh SYNOPSIS 31.Sh SYNOPSIS
32.Nm sftp-server 32.Nm sftp-server
33.Op Fl ehR 33.Op Fl ehR
34.Op Fl d Ar start_directory
34.Op Fl f Ar log_facility 35.Op Fl f Ar log_facility
35.Op Fl l Ar log_level 36.Op Fl l Ar log_level
36.Op Fl u Ar umask 37.Op Fl u Ar umask
@@ -56,6 +57,17 @@ for more information.
56.Pp 57.Pp
57Valid options are: 58Valid options are:
58.Bl -tag -width Ds 59.Bl -tag -width Ds
60.It Fl d Ar start_directory
61specifies an alternate starting directory for users.
62The pathname may contain the following tokens that are expanded at runtime:
63%% is replaced by a literal '%',
64%h is replaced by the home directory of the user being authenticated,
65and %u is replaced by the username of that user.
66The default is to use the user's home directory.
67This option is useful in conjunction with the
68.Xr sshd_config 5
69.Cm ChrootDirectory
70option.
59.It Fl e 71.It Fl e
60Causes 72Causes
61.Nm 73.Nm
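--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.94 2011/06/17 21:46:16 djm Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
  *
@@ -1390,7 +1390,8 @@ sftp_server_usage(void)
  extern char *__progname;
 
  fprintf(stderr,
- "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]\n",
+ "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
+ "[-l log_level]\n\t[-u umask]\n",
  __progname);
  exit(1);
 }
@@ -1402,7 +1403,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  int in, out, max, ch, skipargs = 0, log_stderr = 0;
  ssize_t len, olen, set_size;
  SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
- char *cp, buf[4*4096];
+ char *cp, *homedir = NULL, buf[4*4096];
  long mask;
 
  extern char *optarg;
@@ -1411,7 +1412,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  __progname = ssh_get_progname(argv[0]);
  log_init(__progname, log_level, log_facility, log_stderr);
 
- while (!skipargs && (ch = getopt(argc, argv, "f:l:u:cehR")) != -1) {
+ pw = pwcopy(user_pw);
+
+ while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) {
  switch (ch) {
  case 'R':
  readonly = 1;
@@ -1436,6 +1439,12 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  if (log_facility == SYSLOG_FACILITY_NOT_SET)
  error("Invalid log facility \"%s\"", optarg);
  break;
+ case 'd':
+ cp = tilde_expand_filename(optarg, user_pw->pw_uid);
+ homedir = percent_expand(cp, "d", user_pw->pw_dir,
+ "u", user_pw->pw_name, (char *)NULL);
+ free(cp);
+ break;
  case 'u':
  errno = 0;
  mask = strtol(optarg, &cp, 8);
@@ -1463,8 +1472,6 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  } else
  client_addr = xstrdup("UNKNOWN");
 
- pw = pwcopy(user_pw);
-
  logit("session opened for local user %s from [%s]",
  pw->pw_name, client_addr);
 
@@ -1489,6 +1496,13 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  rset = (fd_set *)xmalloc(set_size);
  wset = (fd_set *)xmalloc(set_size);
 
+ if (homedir != NULL) {
+ if (chdir(homedir) != 0) {
+ error("chdir to \"%s\" failed: %s", homedir,
+ strerror(errno));
+ }
+ }
+
  for (;;) {
  memset(rset, 0, set_size);
  memset(wset, 0, set_size);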
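Review bot: The `-d` handler in sftp_server_main() gives `percent_expand()` the key `"d"` for the home directory, while the sftp-server.8 and sftp-server.0 text added in this same commit documents the token as `%h`. percent_expand() is defined outside this page; if it treats unknown tokens as fatal, a start directory copied from the manual would stop the server at startup instead of expanding. Either the call should read `"h", user_pw->pw_dir,` or the manual should say `%d`. Separately, a failed `chdir(homedir)` is only reported through `error()` and the server keeps serving from its current directory; where `-d` is combined with ChrootDirectory to place users in a specific subtree, exiting on that failure would be the safer default. The function body extends well beyond these hunks.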
diff --git a/sftp.0 b/sftp.0
index e67b64c48..dd1da5241 100644
--- a/sftp.0
+++ b/sftp.0
@@ -336,4 +336,4 @@ SEE ALSO
336 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress 336 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
337 material. 337 material.
338 338
339OpenBSD 5.2 September 5, 2011 OpenBSD 5.2 339OpenBSD 5.3 September 5, 2011 OpenBSD 5.3
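--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.136 2012/06/22 14:36:33 dtucker Exp $ */
+/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -54,10 +54,6 @@ typedef void EditLine;
 # include <util.h>
 #endif
 
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h>
-#endif
-
 #include "xmalloc.h"
 #include "log.h"
 #include "pathnames.h"
@@ -991,6 +987,10 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
  state = MA_START;
  i = j = 0;
  for (;;) {
+ if ((size_t)argc >= sizeof(argv) / sizeof(*argv)){
+ error("Too many arguments.");
+ return NULL;
+ }
  if (isspace(arg[i])) {
  if (state == MA_UNQUOTED) {
  /* Terminate current argument */
@@ -1141,7 +1141,7 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag,
 
  /* Figure out which command we have */
  for (i = 0; cmds[i].c != NULL; i++) {
- if (strcasecmp(cmds[i].c, argv[0]) == 0)
+ if (argv[0] != NULL && strcasecmp(cmds[i].c, argv[0]) == 0)
  break;
  }
  cmdnum = cmds[i].n;
@@ -1695,7 +1695,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 {
  glob_t g;
  char *tmp, *tmp2, ins[3];
- u_int i, hadglob, pwdlen, len, tmplen, filelen;
+ u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
  const LineInfo *lf;
 
  /* Glob from "file" location */
@@ -1704,6 +1704,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
  else
  xasprintf(&tmp, "%s*", file);
 
+ /* Check if the path is absolute. */
+ isabs = tmp[0] == '/';
+
  memset(&g, 0, sizeof(g));
  if (remote != LOCAL) {
  tmp = make_absolute(tmp, remote_path);
@@ -1738,7 +1741,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
  goto out;
 
  tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc);
- tmp = path_strip(tmp2, remote_path);
+ tmp = path_strip(tmp2, isabs ? NULL : remote_path);
  xfree(tmp2);
 
  if (tmp == NULL)
@@ -1747,8 +1750,18 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
  tmplen = strlen(tmp);
  filelen = strlen(file);
 
- if (tmplen > filelen) {
- tmp2 = tmp + filelen;
+ /* Count the number of escaped characters in the input string. */
+ cesc = isesc = 0;
+ for (i = 0; i < filelen; i++) {
+ if (!isesc && file[i] == '\\' && i + 1 < filelen){
+ isesc = 1;
+ cesc++;
+ } else
+ isesc = 0;
+ }
+
+ if (tmplen > (filelen - cesc)) {
+ tmp2 = tmp + filelen - cesc;
  len = strlen(tmp2);
  /* quote argument on way out */
  for (i = 0; i < len; i++) {
@@ -1762,6 +1775,8 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
  case '\t':
  case '[':
  case ' ':
+ case '#':
+ case '*':
  if (quote == '\0' || tmp2[i] == quote) {
  if (el_insertstr(el, ins) == -1)
  fatal("el_insertstr "
@@ -1917,6 +1932,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
  return (-1);
  }
  } else {
+ /* XXX this is wrong wrt quoting */
  if (file2 == NULL)
  snprintf(cmd, sizeof cmd, "get %s", dir);
  else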
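Review bot: makeargv() now returns NULL with "Too many arguments." once `argc` reaches the size of its fixed `argv[]` array, but none of the visible hunks shows a caller testing the returned pointer, and the `argv[0] != NULL` guard added in parse_args() would itself dereference a NULL `argv`. The call sites lie outside the hunks, so this needs confirming there. A comment at the new check would record the contract for future callers: `/* argv[] is fixed-size; callers must treat a NULL return as a parse error */`. The `/* XXX this is wrong wrt quoting */` added in interactive_loop() marks `snprintf(cmd, sizeof cmd, "get %s", dir)` as a known problem without fixing it; presumably `cmd` goes back through the command parser, in which case a path containing whitespace or quote characters is split into different arguments than the user gave.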
diff --git a/ssh-add.0 b/ssh-add.0
index 2ed59c10e..ed43dc8cc 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -37,16 +37,17 @@ DESCRIPTION
37 37
38 -d Instead of adding identities, removes identities from the agent. 38 -d Instead of adding identities, removes identities from the agent.
39 If ssh-add has been run without arguments, the keys for the 39 If ssh-add has been run without arguments, the keys for the
40 default identities will be removed. Otherwise, the argument list 40 default identities and their corresponding certificates will be
41 will be interpreted as a list of paths to public key files and 41 removed. Otherwise, the argument list will be interpreted as a
42 matching keys will be removed from the agent. If no public key 42 list of paths to public key files to specify keys and
43 is found at a given path, ssh-add will append .pub and retry. 43 certificates to be removed from the agent. If no public key is
44 found at a given path, ssh-add will append .pub and retry.
44 45
45 -e pkcs11 46 -e pkcs11
46 Remove keys provided by the PKCS#11 shared library pkcs11. 47 Remove keys provided by the PKCS#11 shared library pkcs11.
47 48
48 -k When loading keys into the agent, load plain private keys only 49 -k When loading keys into or deleting keys from the agent, process
49 and skip certificates. 50 plain private keys only and skip certificates.
50 51
51 -L Lists public key parameters of all identities currently 52 -L Lists public key parameters of all identities currently
52 represented by the agent. 53 represented by the agent.
@@ -115,4 +116,4 @@ AUTHORS
115 created OpenSSH. Markus Friedl contributed the support for SSH protocol 116 created OpenSSH. Markus Friedl contributed the support for SSH protocol
116 versions 1.5 and 2.0. 117 versions 1.5 and 2.0.
117 118
118OpenBSD 5.2 October 18, 2011 OpenBSD 5.2 119OpenBSD 5.3 December 3, 2012 OpenBSD 5.3
diff --git a/ssh-add.1 b/ssh-add.1
index 64e21bb51..d394b2696 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $ 1.\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: October 18 2011 $ 38.Dd $Mdocdate: December 3 2012 $
39.Dt SSH-ADD 1 39.Dt SSH-ADD 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -102,10 +102,10 @@ Deletes all identities from the agent.
102Instead of adding identities, removes identities from the agent. 102Instead of adding identities, removes identities from the agent.
103If 103If
104.Nm 104.Nm
105has been run without arguments, the keys for the default identities will 105has been run without arguments, the keys for the default identities and
106be removed. 106their corresponding certificates will be removed.
107Otherwise, the argument list will be interpreted as a list of paths to 107Otherwise, the argument list will be interpreted as a list of paths to
108public key files and matching keys will be removed from the agent. 108public key files to specify keys and certificates to be removed from the agent.
109If no public key is found at a given path, 109If no public key is found at a given path,
110.Nm 110.Nm
111will append 111will append
@@ -115,8 +115,8 @@ and retry.
115Remove keys provided by the PKCS#11 shared library 115Remove keys provided by the PKCS#11 shared library
116.Ar pkcs11 . 116.Ar pkcs11 .
117.It Fl k 117.It Fl k
118When loading keys into the agent, load plain private keys only and skip 118When loading keys into or deleting keys from the agent, process plain private
119certificates. 119keys only and skip certificates.
120.It Fl L 120.It Fl L
121Lists public key parameters of all identities currently represented 121Lists public key parameters of all identities currently represented
122by the agent. 122by the agent.
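--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -96,10 +96,10 @@ clear_pass(void)
 }
 
 static int
-delete_file(AuthenticationConnection *ac, const char *filename)
+delete_file(AuthenticationConnection *ac, const char *filename, int key_only)
 {
- Key *public;
- char *comment = NULL;
+ Key *public = NULL, *cert = NULL;
+ char *certpath = NULL, *comment = NULL;
  int ret = -1;
 
  public = key_load_public(filename, &comment);
@@ -113,8 +113,33 @@ delete_file(AuthenticationConnection *ac, const char *filename)
  } else
  fprintf(stderr, "Could not remove identity: %s\n", filename);
 
- key_free(public);
- xfree(comment);
+ if (key_only)
+ goto out;
+
+ /* Now try to delete the corresponding certificate too */
+ free(comment);
+ comment = NULL;
+ xasprintf(&certpath, "%s-cert.pub", filename);
+ if ((cert = key_load_public(certpath, &comment)) == NULL)
+ goto out;
+ if (!key_equal_public(cert, public))
+ fatal("Certificate %s does not match private key %s",
+ certpath, filename);
+
+ if (ssh_remove_identity(ac, cert)) {
+ fprintf(stderr, "Identity removed: %s (%s)\n", certpath,
+ comment);
+ ret = 0;
+ } else
+ fprintf(stderr, "Could not remove identity: %s\n", certpath);
+
+ out:
+ if (cert != NULL)
+ key_free(cert);
+ if (public != NULL)
+ key_free(public);
+ free(certpath);
+ free(comment);
 
  return ret;
 }
@@ -362,7 +387,7 @@ static int
 do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file)
 {
  if (deleting) {
- if (delete_file(ac, file, key_only) == -1)
+ if (delete_file(ac, file, key_only) == -1)
  return -1;
  } else {
  if (add_file(ac, file, key_only) == -1)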
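Review bot: delete_file() now returns 0 when only one of the two removals worked: the certificate branch sets `ret = 0` by itself, and its `else` branch leaves `ret` untouched, so (assuming the key branch above the hunk also sets `ret = 0` on success) a key that could not be removed or a certificate that could not be removed both end in a success status. A script that runs `ssh-add -d` to withdraw an identity from the agent and checks only the exit code can be told the job is done while the key or its certificate is still loaded. If both are meant to go, set `ret = -1;` in the certificate `else` branch and state the rule in a comment above `out:`. The `fatal()` on a `-cert.pub` that does not match also ends the whole run, so any remaining files are never processed, and its message calls `filename` a private key although it is loaded with key_load_public(); `error()` followed by `goto out` would keep going. The middle of the function lies between the two hunks and is not shown.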
diff --git a/ssh-agent.0 b/ssh-agent.0
index 77930ce42..578984815 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -120,4 +120,4 @@ AUTHORS
120 created OpenSSH. Markus Friedl contributed the support for SSH protocol 120 created OpenSSH. Markus Friedl contributed the support for SSH protocol
121 versions 1.5 and 2.0. 121 versions 1.5 and 2.0.
122 122
123OpenBSD 5.2 November 21, 2010 OpenBSD 5.2 123OpenBSD 5.3 November 21, 2010 OpenBSD 5.3
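--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -42,12 +42,13 @@
 # include <gssapi/gssapi_generic.h>
 # endif
 
-/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+/* Old MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
 
-#ifndef GSS_C_NT_HOSTBASED_SERVICE
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#endif /* GSS_C_NT_... */
-#endif /* !HEIMDAL */
+# if !HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
+# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+# endif /* !HAVE_DECL_GSS_C_NT_... */
+
+# endif /* !HEIMDAL */
 #endif /* KRB5 */
 
 /* draft-ietf-secsh-gsskeyex-06 */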
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 8f9fbd179..3c7a64753 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -25,6 +25,9 @@ SYNOPSIS
25 [-O option] [-V validity_interval] [-z serial_number] file ... 25 [-O option] [-V validity_interval] [-z serial_number] file ...
26 ssh-keygen -L [-f input_keyfile] 26 ssh-keygen -L [-f input_keyfile]
27 ssh-keygen -A 27 ssh-keygen -A
28 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
29 file ...
30 ssh-keygen -Q -f krl_file file ...
28 31
29DESCRIPTION 32DESCRIPTION
30 ssh-keygen generates, manages and converts authentication keys for 33 ssh-keygen generates, manages and converts authentication keys for
@@ -37,6 +40,10 @@ DESCRIPTION
37 ssh-keygen is also used to generate groups for use in Diffie-Hellman 40 ssh-keygen is also used to generate groups for use in Diffie-Hellman
38 group exchange (DH-GEX). See the MODULI GENERATION section for details. 41 group exchange (DH-GEX). See the MODULI GENERATION section for details.
39 42
43 Finally, ssh-keygen can be used to generate and update Key Revocation
44 Lists, and to test whether given keys have been revoked by one. See the
45 KEY REVOCATION LISTS section for details.
46
40 Normally each user wishing to use SSH with public key authentication runs 47 Normally each user wishing to use SSH with public key authentication runs
41 this once to create the authentication key in ~/.ssh/identity, 48 this once to create the authentication key in ~/.ssh/identity,
42 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the 49 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the
@@ -167,6 +174,13 @@ DESCRIPTION
167 keys from other software, including several commercial SSH 174 keys from other software, including several commercial SSH
168 implementations. The default import format is ``RFC4716''. 175 implementations. The default import format is ``RFC4716''.
169 176
177 -k Generate a KRL file. In this mode, ssh-keygen will generate a
178 KRL file at the location specified via the -f flag that revokes
179 every key or certificate presented on the command line.
180 Keys/certificates to be revoked may be specified by public key
181 file or using the format described in the KEY REVOCATION LISTS
182 section.
183
170 -L Prints the contents of a certificate. 184 -L Prints the contents of a certificate.
171 185
172 -l Show fingerprint of specified public key file. Private RSA1 keys 186 -l Show fingerprint of specified public key file. Private RSA1 keys
@@ -256,6 +270,8 @@ DESCRIPTION
256 containing the private key, for the old passphrase, and twice for 270 containing the private key, for the old passphrase, and twice for
257 the new passphrase. 271 the new passphrase.
258 272
273 -Q Test whether keys have been revoked in a KRL.
274
259 -q Silence ssh-keygen. 275 -q Silence ssh-keygen.
260 276
261 -R hostname 277 -R hostname
@@ -275,6 +291,10 @@ DESCRIPTION
275 Certify (sign) a public key using the specified CA key. Please 291 Certify (sign) a public key using the specified CA key. Please
276 see the CERTIFICATES section for details. 292 see the CERTIFICATES section for details.
277 293
294 When generating a KRL, -s specifies a path to a CA public key
295 file used to revoke certificates directly by key ID or serial
296 number. See the KEY REVOCATION LISTS section for details.
297
278 -T output_file 298 -T output_file
279 Test DH group exchange candidate primes (generated using the -G 299 Test DH group exchange candidate primes (generated using the -G
280 option) for safety. 300 option) for safety.
@@ -284,6 +304,10 @@ DESCRIPTION
284 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' 304 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa''
285 for protocol version 2. 305 for protocol version 2.
286 306
307 -u Update a KRL. When specified with -k, keys listed via the
308 command line are added to the existing KRL rather than a new KRL
309 being created.
310
287 -V validity_interval 311 -V validity_interval
288 Specify a validity interval when signing a certificate. A 312 Specify a validity interval when signing a certificate. A
289 validity interval may consist of a single time, indicating that 313 validity interval may consist of a single time, indicating that
@@ -321,6 +345,9 @@ DESCRIPTION
321 distinguish this certificate from others from the same CA. The 345 distinguish this certificate from others from the same CA. The
322 default serial number is zero. 346 default serial number is zero.
323 347
348 When generating a KRL, the -z flag is used to specify a KRL
349 version number.
350
324MODULI GENERATION 351MODULI GENERATION
325 ssh-keygen may be used to generate groups for the Diffie-Hellman Group 352 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
326 Exchange (DH-GEX) protocol. Generating these groups is a two-step 353 Exchange (DH-GEX) protocol. Generating these groups is a two-step
@@ -404,13 +431,64 @@ CERTIFICATES
404 Finally, certificates may be defined with a validity lifetime. The -V 431 Finally, certificates may be defined with a validity lifetime. The -V
405 option allows specification of certificate start and end times. A 432 option allows specification of certificate start and end times. A
406 certificate that is presented at a time outside this range will not be 433 certificate that is presented at a time outside this range will not be
407 considered valid. By default, certificates have a maximum validity 434 considered valid. By default, certificates are valid from UNIX Epoch to
408 interval. 435 the distant future.
409 436
410 For certificates to be used for user or host authentication, the CA 437 For certificates to be used for user or host authentication, the CA
411 public key must be trusted by sshd(8) or ssh(1). Please refer to those 438 public key must be trusted by sshd(8) or ssh(1). Please refer to those
412 manual pages for details. 439 manual pages for details.
413 440
441KEY REVOCATION LISTS
442 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
443 These binary files specify keys or certificates to be revoked using a
444 compact format, taking as little a one bit per certificate if they are
445 being revoked by serial number.
446
447 KRLs may be generated using the -k flag. This option reads one or more
448 files from the command line and generates a new KRL. The files may
449 either contain a KRL specification (see below) or public keys, listed one
450 per line. Plain public keys are revoked by listing their hash or
451 contents in the KRL and certificates revoked by serial number or key ID
452 (if the serial is zero or not available).
453
454 Revoking keys using a KRL specification offers explicit control over the
455 types of record used to revoke keys and may be used to directly revoke
456 certificates by serial number or key ID without having the complete
457 original certificate on hand. A KRL specification consists of lines
458 containing one of the following directives followed by a colon and some
459 directive-specific information.
460
461 serial: serial_number[-serial_number]
462 Revokes a certificate with the specified serial number. Serial
463 numbers are 64-bit values, not including zero and may be
464 expressed in decimal, hex or octal. If two serial numbers are
465 specified separated by a hyphen, then the range of serial numbers
466 including and between each is revoked. The CA key must have been
467 specified on the ssh-keygen command line using the -s option.
468
469 id: key_id
470 Revokes a certificate with the specified key ID string. The CA
471 key must have been specified on the ssh-keygen command line using
472 the -s option.
473
474 key: public_key
475 Revokes the specified key. If a certificate is listed, then it
476 is revoked as a plain public key.
477
478 sha1: public_key
479 Revokes the specified key by its SHA1 hash.
480
481 KRLs may be updated using the -u flag in addition to -k. When this
482 option is specified, keys listed via the command line are merged into the
483 KRL, adding to those already there.
484
485 It is also possible, given a KRL, to test whether it revokes a particular
486 key (or keys). The -Q flag will query an existing KRL, testing each key
487 specified on the commandline. If any key listed on the command line has
488 been revoked (or an error encountered) then ssh-keygen will exit with a
489 non-zero exit status. A zero exit status will only be returned if no key
490 was revoked.
491
414FILES 492FILES
415 ~/.ssh/identity 493 ~/.ssh/identity
416 Contains the protocol version 1 RSA authentication identity of 494 Contains the protocol version 1 RSA authentication identity of
@@ -465,4 +543,4 @@ AUTHORS
465 created OpenSSH. Markus Friedl contributed the support for SSH protocol 543 created OpenSSH. Markus Friedl contributed the support for SSH protocol
466 versions 1.5 and 2.0. 544 versions 1.5 and 2.0.
467 545
468OpenBSD 5.2 July 6, 2012 OpenBSD 5.2 546OpenBSD 5.3 January 19, 2013 OpenBSD 5.3
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index fe26750a4..0d84ebd1e 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: July 6 2012 $ 38.Dd $Mdocdate: January 19 2013 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -122,6 +122,17 @@
122.Op Fl f Ar input_keyfile 122.Op Fl f Ar input_keyfile
123.Nm ssh-keygen 123.Nm ssh-keygen
124.Fl A 124.Fl A
125.Nm ssh-keygen
126.Fl k
127.Fl f Ar krl_file
128.Op Fl u
129.Op Fl s Ar ca_public
130.Op Fl z Ar version_number
131.Ar
132.Nm ssh-keygen
133.Fl Q
134.Fl f Ar krl_file
135.Ar
125.Ek 136.Ek
126.Sh DESCRIPTION 137.Sh DESCRIPTION
127.Nm 138.Nm
@@ -144,6 +155,14 @@ See the
144.Sx MODULI GENERATION 155.Sx MODULI GENERATION
145section for details. 156section for details.
146.Pp 157.Pp
158Finally,
159.Nm
160can be used to generate and update Key Revocation Lists, and to test whether
161given keys have been revoked by one.
162See the
163.Sx KEY REVOCATION LISTS
164section for details.
165.Pp
147Normally each user wishing to use SSH 166Normally each user wishing to use SSH
148with public key authentication runs this once to create the authentication 167with public key authentication runs this once to create the authentication
149key in 168key in
@@ -317,6 +336,17 @@ This option allows importing keys from other software, including several
317commercial SSH implementations. 336commercial SSH implementations.
318The default import format is 337The default import format is
319.Dq RFC4716 . 338.Dq RFC4716 .
339.It Fl k
340Generate a KRL file.
341In this mode,
342.Nm
343will generate a KRL file at the location specified via the
344.Fl f
345flag that revokes every key or certificate presented on the command line.
346Keys/certificates to be revoked may be specified by public key file or
347using the format described in the
348.Sx KEY REVOCATION LISTS
349section.
320.It Fl L 350.It Fl L
321Prints the contents of a certificate. 351Prints the contents of a certificate.
322.It Fl l 352.It Fl l
@@ -421,6 +451,8 @@ creating a new private key.
421The program will prompt for the file 451The program will prompt for the file
422containing the private key, for the old passphrase, and twice for the 452containing the private key, for the old passphrase, and twice for the
423new passphrase. 453new passphrase.
454.It Fl Q
455Test whether keys have been revoked in a KRL.
424.It Fl q 456.It Fl q
425Silence 457Silence
426.Nm ssh-keygen . 458.Nm ssh-keygen .
@@ -444,6 +476,14 @@ Certify (sign) a public key using the specified CA key.
444Please see the 476Please see the
445.Sx CERTIFICATES 477.Sx CERTIFICATES
446section for details. 478section for details.
479.Pp
480When generating a KRL,
481.Fl s
482specifies a path to a CA public key file used to revoke certificates directly
483by key ID or serial number.
484See the
485.Sx KEY REVOCATION LISTS
486section for details.
447.It Fl T Ar output_file 487.It Fl T Ar output_file
448Test DH group exchange candidate primes (generated using the 488Test DH group exchange candidate primes (generated using the
449.Fl G 489.Fl G
@@ -458,6 +498,12 @@ for protocol version 1 and
458or 498or
459.Dq rsa 499.Dq rsa
460for protocol version 2. 500for protocol version 2.
501.It Fl u
502Update a KRL.
503When specified with
504.Fl k ,
505keys listed via the command line are added to the existing KRL rather than
506a new KRL being created.
461.It Fl V Ar validity_interval 507.It Fl V Ar validity_interval
462Specify a validity interval when signing a certificate. 508Specify a validity interval when signing a certificate.
463A validity interval may consist of a single time, indicating that the 509A validity interval may consist of a single time, indicating that the
@@ -500,6 +546,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
500Specifies a serial number to be embedded in the certificate to distinguish 546Specifies a serial number to be embedded in the certificate to distinguish
501this certificate from others from the same CA. 547this certificate from others from the same CA.
502The default serial number is zero. 548The default serial number is zero.
549.Pp
550When generating a KRL, the
551.Fl z
552flag is used to specify a KRL version number.
503.El 553.El
504.Sh MODULI GENERATION 554.Sh MODULI GENERATION
505.Nm 555.Nm
@@ -624,7 +674,9 @@ The
624option allows specification of certificate start and end times. 674option allows specification of certificate start and end times.
625A certificate that is presented at a time outside this range will not be 675A certificate that is presented at a time outside this range will not be
626considered valid. 676considered valid.
627By default, certificates have a maximum validity interval. 677By default, certificates are valid from
678.Ux
679Epoch to the distant future.
628.Pp 680.Pp
629For certificates to be used for user or host authentication, the CA 681For certificates to be used for user or host authentication, the CA
630public key must be trusted by 682public key must be trusted by
@@ -632,6 +684,73 @@ public key must be trusted by
632or 684or
633.Xr ssh 1 . 685.Xr ssh 1 .
634Please refer to those manual pages for details. 686Please refer to those manual pages for details.
687.Sh KEY REVOCATION LISTS
688.Nm
689is able to manage OpenSSH format Key Revocation Lists (KRLs).
690These binary files specify keys or certificates to be revoked using a
691compact format, taking as little a one bit per certificate if they are being
692revoked by serial number.
693.Pp
694KRLs may be generated using the
695.Fl k
696flag.
697This option reads one or more files from the command line and generates a new
698KRL.
699The files may either contain a KRL specification (see below) or public keys,
700listed one per line.
701Plain public keys are revoked by listing their hash or contents in the KRL and
702certificates revoked by serial number or key ID (if the serial is zero or
703not available).
704.Pp
705Revoking keys using a KRL specification offers explicit control over the
706types of record used to revoke keys and may be used to directly revoke
707certificates by serial number or key ID without having the complete original
708certificate on hand.
709A KRL specification consists of lines containing one of the following directives
710followed by a colon and some directive-specific information.
711.Bl -tag -width Ds
712.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
713Revokes a certificate with the specified serial number.
714Serial numbers are 64-bit values, not including zero and may be expressed
715in decimal, hex or octal.
716If two serial numbers are specified separated by a hyphen, then the range
717of serial numbers including and between each is revoked.
718The CA key must have been specified on the
719.Nm
720command line using the
721.Fl s
722option.
723.It Cm id : Ar key_id
724Revokes a certificate with the specified key ID string.
725The CA key must have been specified on the
726.Nm
727command line using the
728.Fl s
729option.
730.It Cm key : Ar public_key
731Revokes the specified key.
732If a certificate is listed, then it is revoked as a plain public key.
733.It Cm sha1 : Ar public_key
734Revokes the specified key by its SHA1 hash.
735.El
736.Pp
737KRLs may be updated using the
738.Fl u
739flag in addition to
740.Fl k .
741When this option is specified, keys listed via the command line are merged into
742the KRL, adding to those already there.
743.Pp
744It is also possible, given a KRL, to test whether it revokes a particular key
745(or keys).
746The
747.Fl Q
748flag will query an existing KRL, testing each key specified on the commandline.
749If any key listed on the command line has been revoked (or an error encountered)
750then
751.Nm
752will exit with a non-zero exit status.
753A zero exit status will only be returned if no key was revoked.
635.Sh FILES 754.Sh FILES
636.Bl -tag -width Ds -compact 755.Bl -tag -width Ds -compact
637.It Pa ~/.ssh/identity 756.It Pa ~/.ssh/identity
diff --git a/ssh-keygen.c b/ssh-keygen.c
index a223ddc81..d1a205e18 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.216 2012/07/06 06:38:03 jmc Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -48,8 +48,11 @@
48#include "match.h" 48#include "match.h"
49#include "hostfile.h" 49#include "hostfile.h"
50#include "dns.h" 50#include "dns.h"
51#include "ssh.h"
51#include "ssh2.h" 52#include "ssh2.h"
52#include "ssh-pkcs11.h" 53#include "ssh-pkcs11.h"
54#include "atomicio.h"
55#include "krl.h"
53 56
54/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ 57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
55#define DEFAULT_BITS 2048 58#define DEFAULT_BITS 2048
@@ -104,7 +107,7 @@ char *identity_comment = NULL;
104char *ca_key_path = NULL; 107char *ca_key_path = NULL;
105 108
106/* Certificate serial number */ 109/* Certificate serial number */
107long long cert_serial = 0; 110unsigned long long cert_serial = 0;
108 111
109/* Key type when certifying */ 112/* Key type when certifying */
110u_int cert_key_type = SSH2_CERT_TYPE_USER; 113u_int cert_key_type = SSH2_CERT_TYPE_USER;
@@ -723,15 +726,33 @@ do_download(struct passwd *pw)
723#ifdef ENABLE_PKCS11 726#ifdef ENABLE_PKCS11
724 Key **keys = NULL; 727 Key **keys = NULL;
725 int i, nkeys; 728 int i, nkeys;
729 enum fp_rep rep;
730 enum fp_type fptype;
731 char *fp, *ra;
732
733 fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
734 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
726 735
727 pkcs11_init(0); 736 pkcs11_init(0);
728 nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); 737 nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
729 if (nkeys <= 0) 738 if (nkeys <= 0)
730 fatal("cannot read public key from pkcs11"); 739 fatal("cannot read public key from pkcs11");
731 for (i = 0; i < nkeys; i++) { 740 for (i = 0; i < nkeys; i++) {
732 key_write(keys[i], stdout); 741 if (print_fingerprint) {
742 fp = key_fingerprint(keys[i], fptype, rep);
743 ra = key_fingerprint(keys[i], SSH_FP_MD5,
744 SSH_FP_RANDOMART);
745 printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
746 fp, key_type(keys[i]));
747 if (log_level >= SYSLOG_LEVEL_VERBOSE)
748 printf("%s\n", ra);
749 xfree(ra);
750 xfree(fp);
751 } else {
752 key_write(keys[i], stdout);
753 fprintf(stdout, "\n");
754 }
733 key_free(keys[i]); 755 key_free(keys[i]);
734 fprintf(stdout, "\n");
735 } 756 }
736 xfree(keys); 757 xfree(keys);
737 pkcs11_terminate(); 758 pkcs11_terminate();
@@ -1088,8 +1109,14 @@ do_known_hosts(struct passwd *pw, const char *name)
1088 ca ? " (CA key)" : ""); 1109 ca ? " (CA key)" : "");
1089 printhost(out, cp, pub, ca, 0); 1110 printhost(out, cp, pub, ca, 0);
1090 } 1111 }
1091 if (delete_host && !c && !ca) 1112 if (delete_host) {
1092 printhost(out, cp, pub, ca, 0); 1113 if (!c && !ca)
1114 printhost(out, cp, pub, ca, 0);
1115 else
1116 printf("# Host %s found: "
1117 "line %d type %s\n", name,
1118 num, key_type(pub));
1119 }
1093 } else if (hash_hosts) 1120 } else if (hash_hosts)
1094 printhost(out, cp, pub, ca, 0); 1121 printhost(out, cp, pub, ca, 0);
1095 } else { 1122 } else {
@@ -1104,8 +1131,14 @@ do_known_hosts(struct passwd *pw, const char *name)
1104 printhost(out, name, pub, 1131 printhost(out, name, pub,
1105 ca, hash_hosts && !ca); 1132 ca, hash_hosts && !ca);
1106 } 1133 }
1107 if (delete_host && !c && !ca) 1134 if (delete_host) {
1108 printhost(out, cp, pub, ca, 0); 1135 if (!c && !ca)
1136 printhost(out, cp, pub, ca, 0);
1137 else
1138 printf("# Host %s found: "
1139 "line %d type %s\n", name,
1140 num, key_type(pub));
1141 }
1109 } else if (hash_hosts) { 1142 } else if (hash_hosts) {
1110 for (cp2 = strsep(&cp, ","); 1143 for (cp2 = strsep(&cp, ",");
1111 cp2 != NULL && *cp2 != '\0'; 1144 cp2 != NULL && *cp2 != '\0';
@@ -1867,6 +1900,226 @@ do_show_cert(struct passwd *pw)
1867} 1900}
1868 1901
1869static void 1902static void
1903load_krl(const char *path, struct ssh_krl **krlp)
1904{
1905 Buffer krlbuf;
1906 int fd;
1907
1908 buffer_init(&krlbuf);
1909 if ((fd = open(path, O_RDONLY)) == -1)
1910 fatal("open %s: %s", path, strerror(errno));
1911 if (!key_load_file(fd, path, &krlbuf))
1912 fatal("Unable to load KRL");
1913 close(fd);
1914 /* XXX check sigs */
1915 if (ssh_krl_from_blob(&krlbuf, krlp, NULL, 0) != 0 ||
1916 *krlp == NULL)
1917 fatal("Invalid KRL file");
1918 buffer_free(&krlbuf);
1919}
1920
1921static void
1922update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
1923 struct ssh_krl *krl)
1924{
1925 Key *key = NULL;
1926 u_long lnum = 0;
1927 char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];
1928 unsigned long long serial, serial2;
1929 int i, was_explicit_key, was_sha1, r;
1930 FILE *krl_spec;
1931
1932 path = tilde_expand_filename(file, pw->pw_uid);
1933 if (strcmp(path, "-") == 0) {
1934 krl_spec = stdin;
1935 free(path);
1936 path = xstrdup("(standard input)");
1937 } else if ((krl_spec = fopen(path, "r")) == NULL)
1938 fatal("fopen %s: %s", path, strerror(errno));
1939
1940 if (!quiet)
1941 printf("Revoking from %s\n", path);
1942 while (read_keyfile_line(krl_spec, path, line, sizeof(line),
1943 &lnum) == 0) {
1944 was_explicit_key = was_sha1 = 0;
1945 cp = line + strspn(line, " \t");
1946 /* Trim trailing space, comments and strip \n */
1947 for (i = 0, r = -1; cp[i] != '\0'; i++) {
1948 if (cp[i] == '#' || cp[i] == '\n') {
1949 cp[i] = '\0';
1950 break;
1951 }
1952 if (cp[i] == ' ' || cp[i] == '\t') {
1953 /* Remember the start of a span of whitespace */
1954 if (r == -1)
1955 r = i;
1956 } else
1957 r = -1;
1958 }
1959 if (r != -1)
1960 cp[r] = '\0';
1961 if (*cp == '\0')
1962 continue;
1963 if (strncasecmp(cp, "serial:", 7) == 0) {
1964 if (ca == NULL) {
1965 fatal("revoking certificated by serial number "
1966 "requires specification of a CA key");
1967 }
1968 cp += 7;
1969 cp = cp + strspn(cp, " \t");
1970 errno = 0;
1971 serial = strtoull(cp, &ep, 0);
1972 if (*cp == '\0' || (*ep != '\0' && *ep != '-'))
1973 fatal("%s:%lu: invalid serial \"%s\"",
1974 path, lnum, cp);
1975 if (errno == ERANGE && serial == ULLONG_MAX)
1976 fatal("%s:%lu: serial out of range",
1977 path, lnum);
1978 serial2 = serial;
1979 if (*ep == '-') {
1980 cp = ep + 1;
1981 errno = 0;
1982 serial2 = strtoull(cp, &ep, 0);
1983 if (*cp == '\0' || *ep != '\0')
1984 fatal("%s:%lu: invalid serial \"%s\"",
1985 path, lnum, cp);
1986 if (errno == ERANGE && serial2 == ULLONG_MAX)
1987 fatal("%s:%lu: serial out of range",
1988 path, lnum);
1989 if (serial2 <= serial)
1990 fatal("%s:%lu: invalid serial range "
1991 "%llu:%llu", path, lnum,
1992 (unsigned long long)serial,
1993 (unsigned long long)serial2);
1994 }
1995 if (ssh_krl_revoke_cert_by_serial_range(krl,
1996 ca, serial, serial2) != 0) {
1997 fatal("%s: revoke serial failed",
1998 __func__);
1999 }
2000 } else if (strncasecmp(cp, "id:", 3) == 0) {
2001 if (ca == NULL) {
2002 fatal("revoking certificated by key ID "
2003 "requires specification of a CA key");
2004 }
2005 cp += 3;
2006 cp = cp + strspn(cp, " \t");
2007 if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0)
2008 fatal("%s: revoke key ID failed", __func__);
2009 } else {
2010 if (strncasecmp(cp, "key:", 4) == 0) {
2011 cp += 4;
2012 cp = cp + strspn(cp, " \t");
2013 was_explicit_key = 1;
2014 } else if (strncasecmp(cp, "sha1:", 5) == 0) {
2015 cp += 5;
2016 cp = cp + strspn(cp, " \t");
2017 was_sha1 = 1;
2018 } else {
2019 /*
2020 * Just try to process the line as a key.
2021 * Parsing will fail if it isn't.
2022 */
2023 }
2024 if ((key = key_new(KEY_UNSPEC)) == NULL)
2025 fatal("key_new");
2026 if (key_read(key, &cp) != 1)
2027 fatal("%s:%lu: invalid key", path, lnum);
2028 if (was_explicit_key)
2029 r = ssh_krl_revoke_key_explicit(krl, key);
2030 else if (was_sha1)
2031 r = ssh_krl_revoke_key_sha1(krl, key);
2032 else
2033 r = ssh_krl_revoke_key(krl, key);
2034 if (r != 0)
2035 fatal("%s: revoke key failed", __func__);
2036 key_free(key);
2037 }
2038 }
2039 if (strcmp(path, "-") != 0)
2040 fclose(krl_spec);
2041}
2042
2043static void
2044do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
2045{
2046 struct ssh_krl *krl;
2047 struct stat sb;
2048 Key *ca = NULL;
2049 int fd, i;
2050 char *tmp;
2051 Buffer kbuf;
2052
2053 if (*identity_file == '\0')
2054 fatal("KRL generation requires an output file");
2055 if (stat(identity_file, &sb) == -1) {
2056 if (errno != ENOENT)
2057 fatal("Cannot access KRL \"%s\": %s",
2058 identity_file, strerror(errno));
2059 if (updating)
2060 fatal("KRL \"%s\" does not exist", identity_file);
2061 }
2062 if (ca_key_path != NULL) {
2063 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
2064 if ((ca = key_load_public(tmp, NULL)) == NULL)
2065 fatal("Cannot load CA public key %s", tmp);
2066 xfree(tmp);
2067 }
2068
2069 if (updating)
2070 load_krl(identity_file, &krl);
2071 else if ((krl = ssh_krl_init()) == NULL)
2072 fatal("couldn't create KRL");
2073
2074 if (cert_serial != 0)
2075 ssh_krl_set_version(krl, cert_serial);
2076 if (identity_comment != NULL)
2077 ssh_krl_set_comment(krl, identity_comment);
2078
2079 for (i = 0; i < argc; i++)
2080 update_krl_from_file(pw, argv[i], ca, krl);
2081
2082 buffer_init(&kbuf);
2083 if (ssh_krl_to_blob(krl, &kbuf, NULL, 0) != 0)
2084 fatal("Couldn't generate KRL");
2085 if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
2086 fatal("open %s: %s", identity_file, strerror(errno));
2087 if (atomicio(vwrite, fd, buffer_ptr(&kbuf), buffer_len(&kbuf)) !=
2088 buffer_len(&kbuf))
2089 fatal("write %s: %s", identity_file, strerror(errno));
2090 close(fd);
2091 buffer_free(&kbuf);
2092 ssh_krl_free(krl);
2093}
2094
2095static void
2096do_check_krl(struct passwd *pw, int argc, char **argv)
2097{
2098 int i, r, ret = 0;
2099 char *comment;
2100 struct ssh_krl *krl;
2101 Key *k;
2102
2103 if (*identity_file == '\0')
2104 fatal("KRL checking requires an input file");
2105 load_krl(identity_file, &krl);
2106 for (i = 0; i < argc; i++) {
2107 if ((k = key_load_public(argv[i], &comment)) == NULL)
2108 fatal("Cannot load public key %s", argv[i]);
2109 r = ssh_krl_check_key(krl, k);
2110 printf("%s%s%s%s: %s\n", argv[i],
2111 *comment ? " (" : "", comment, *comment ? ")" : "",
2112 r == 0 ? "ok" : "REVOKED");
2113 if (r != 0)
2114 ret = 1;
2115 key_free(k);
2116 free(comment);
2117 }
2118 ssh_krl_free(krl);
2119 exit(ret);
2120}
2121
2122static void
1870usage(void) 2123usage(void)
1871{ 2124{
1872 fprintf(stderr, "usage: %s [options]\n", __progname); 2125 fprintf(stderr, "usage: %s [options]\n", __progname);
@@ -1892,6 +2145,7 @@ usage(void)
1892 fprintf(stderr, " -J number Screen this number of moduli lines.\n"); 2145 fprintf(stderr, " -J number Screen this number of moduli lines.\n");
1893 fprintf(stderr, " -j number Start screening moduli at specified line.\n"); 2146 fprintf(stderr, " -j number Start screening moduli at specified line.\n");
1894 fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); 2147 fprintf(stderr, " -K checkpt Write checkpoints to this file.\n");
2148 fprintf(stderr, " -k Generate a KRL file.\n");
1895 fprintf(stderr, " -L Print the contents of a certificate.\n"); 2149 fprintf(stderr, " -L Print the contents of a certificate.\n");
1896 fprintf(stderr, " -l Show fingerprint of key file.\n"); 2150 fprintf(stderr, " -l Show fingerprint of key file.\n");
1897 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); 2151 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
@@ -1901,6 +2155,7 @@ usage(void)
1901 fprintf(stderr, " -O option Specify a certificate option.\n"); 2155 fprintf(stderr, " -O option Specify a certificate option.\n");
1902 fprintf(stderr, " -P phrase Provide old passphrase.\n"); 2156 fprintf(stderr, " -P phrase Provide old passphrase.\n");
1903 fprintf(stderr, " -p Change passphrase of private key file.\n"); 2157 fprintf(stderr, " -p Change passphrase of private key file.\n");
2158 fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n");
1904 fprintf(stderr, " -q Quiet.\n"); 2159 fprintf(stderr, " -q Quiet.\n");
1905 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); 2160 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
1906 fprintf(stderr, " -r hostname Print DNS resource record.\n"); 2161 fprintf(stderr, " -r hostname Print DNS resource record.\n");
@@ -1908,6 +2163,7 @@ usage(void)
1908 fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); 2163 fprintf(stderr, " -s ca_key Certify keys with CA key.\n");
1909 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); 2164 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
1910 fprintf(stderr, " -t type Specify type of key to create.\n"); 2165 fprintf(stderr, " -t type Specify type of key to create.\n");
2166 fprintf(stderr, " -u Update KRL rather than creating a new one.\n");
1911 fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); 2167 fprintf(stderr, " -V from:to Specify certificate validity interval.\n");
1912 fprintf(stderr, " -v Verbose.\n"); 2168 fprintf(stderr, " -v Verbose.\n");
1913 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); 2169 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
@@ -1925,14 +2181,14 @@ main(int argc, char **argv)
1925{ 2181{
1926 char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; 2182 char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
1927 char *checkpoint = NULL; 2183 char *checkpoint = NULL;
1928 char out_file[MAXPATHLEN], *rr_hostname = NULL; 2184 char out_file[MAXPATHLEN], *ep, *rr_hostname = NULL;
1929 Key *private, *public; 2185 Key *private, *public;
1930 struct passwd *pw; 2186 struct passwd *pw;
1931 struct stat st; 2187 struct stat st;
1932 int opt, type, fd; 2188 int opt, type, fd;
1933 u_int32_t memory = 0, generator_wanted = 0, trials = 100; 2189 u_int32_t memory = 0, generator_wanted = 0, trials = 100;
1934 int do_gen_candidates = 0, do_screen_candidates = 0; 2190 int do_gen_candidates = 0, do_screen_candidates = 0;
1935 int gen_all_hostkeys = 0; 2191 int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
1936 unsigned long start_lineno = 0, lines_to_process = 0; 2192 unsigned long start_lineno = 0, lines_to_process = 0;
1937 BIGNUM *start = NULL; 2193 BIGNUM *start = NULL;
1938 FILE *f; 2194 FILE *f;
@@ -1962,8 +2218,8 @@ main(int argc, char **argv)
1962 exit(1); 2218 exit(1);
1963 } 2219 }
1964 2220
1965 while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:" 2221 while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy"
1966 "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z")) != -1) { 2222 "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
1967 switch (opt) { 2223 switch (opt) {
1968 case 'A': 2224 case 'A':
1969 gen_all_hostkeys = 1; 2225 gen_all_hostkeys = 1;
@@ -2042,6 +2298,9 @@ main(int argc, char **argv)
2042 case 'N': 2298 case 'N':
2043 identity_new_passphrase = optarg; 2299 identity_new_passphrase = optarg;
2044 break; 2300 break;
2301 case 'Q':
2302 check_krl = 1;
2303 break;
2045 case 'O': 2304 case 'O':
2046 add_cert_option(optarg); 2305 add_cert_option(optarg);
2047 break; 2306 break;
@@ -2060,6 +2319,9 @@ main(int argc, char **argv)
2060 cert_key_type = SSH2_CERT_TYPE_HOST; 2319 cert_key_type = SSH2_CERT_TYPE_HOST;
2061 certflags_flags = 0; 2320 certflags_flags = 0;
2062 break; 2321 break;
2322 case 'k':
2323 gen_krl = 1;
2324 break;
2063 case 'i': 2325 case 'i':
2064 case 'X': 2326 case 'X':
2065 /* import key */ 2327 /* import key */
@@ -2077,6 +2339,9 @@ main(int argc, char **argv)
2077 case 'D': 2339 case 'D':
2078 pkcs11provider = optarg; 2340 pkcs11provider = optarg;
2079 break; 2341 break;
2342 case 'u':
2343 update_krl = 1;
2344 break;
2080 case 'v': 2345 case 'v':
2081 if (log_level == SYSLOG_LEVEL_INFO) 2346 if (log_level == SYSLOG_LEVEL_INFO)
2082 log_level = SYSLOG_LEVEL_DEBUG1; 2347 log_level = SYSLOG_LEVEL_DEBUG1;
@@ -2133,9 +2398,11 @@ main(int argc, char **argv)
2133 parse_cert_times(optarg); 2398 parse_cert_times(optarg);
2134 break; 2399 break;
2135 case 'z': 2400 case 'z':
2136 cert_serial = strtonum(optarg, 0, LLONG_MAX, &errstr); 2401 errno = 0;
2137 if (errstr) 2402 cert_serial = strtoull(optarg, &ep, 10);
2138 fatal("Invalid serial number: %s", errstr); 2403 if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
2404 (errno == ERANGE && cert_serial == ULLONG_MAX))
2405 fatal("Invalid serial number \"%s\"", optarg);
2139 break; 2406 break;
2140 case '?': 2407 case '?':
2141 default: 2408 default:
@@ -2150,11 +2417,11 @@ main(int argc, char **argv)
2150 argc -= optind; 2417 argc -= optind;
2151 2418
2152 if (ca_key_path != NULL) { 2419 if (ca_key_path != NULL) {
2153 if (argc < 1) { 2420 if (argc < 1 && !gen_krl) {
2154 printf("Too few arguments.\n"); 2421 printf("Too few arguments.\n");
2155 usage(); 2422 usage();
2156 } 2423 }
2157 } else if (argc > 0) { 2424 } else if (argc > 0 && !gen_krl && !check_krl) {
2158 printf("Too many arguments.\n"); 2425 printf("Too many arguments.\n");
2159 usage(); 2426 usage();
2160 } 2427 }
@@ -2163,9 +2430,17 @@ main(int argc, char **argv)
2163 usage(); 2430 usage();
2164 } 2431 }
2165 if (print_fingerprint && (delete_host || hash_hosts)) { 2432 if (print_fingerprint && (delete_host || hash_hosts)) {
2166 printf("Cannot use -l with -D or -R.\n"); 2433 printf("Cannot use -l with -H or -R.\n");
2167 usage(); 2434 usage();
2168 } 2435 }
2436 if (gen_krl) {
2437 do_gen_krl(pw, update_krl, argc, argv);
2438 return (0);
2439 }
2440 if (check_krl) {
2441 do_check_krl(pw, argc, argv);
2442 return (0);
2443 }
2169 if (ca_key_path != NULL) { 2444 if (ca_key_path != NULL) {
2170 if (cert_key_id == NULL) 2445 if (cert_key_id == NULL)
2171 fatal("Must specify key id (-I) when certifying"); 2446 fatal("Must specify key id (-I) when certifying");
@@ -2175,6 +2450,8 @@ main(int argc, char **argv)
2175 do_show_cert(pw); 2450 do_show_cert(pw);
2176 if (delete_host || hash_hosts || find_host) 2451 if (delete_host || hash_hosts || find_host)
2177 do_known_hosts(pw, rr_hostname); 2452 do_known_hosts(pw, rr_hostname);
2453 if (pkcs11provider != NULL)
2454 do_download(pw);
2178 if (print_fingerprint || print_bubblebabble) 2455 if (print_fingerprint || print_bubblebabble)
2179 do_fingerprint(pw); 2456 do_fingerprint(pw);
2180 if (change_passphrase) 2457 if (change_passphrase)
@@ -2212,8 +2489,6 @@ main(int argc, char **argv)
2212 exit(0); 2489 exit(0);
2213 } 2490 }
2214 } 2491 }
2215 if (pkcs11provider != NULL)
2216 do_download(pw);
2217 2492
2218 if (do_gen_candidates) { 2493 if (do_gen_candidates) {
2219 FILE *out = fopen(out_file, "w"); 2494 FILE *out = fopen(out_file, "w");
@@ -2233,7 +2508,7 @@ main(int argc, char **argv)
2233 2508
2234 if (do_screen_candidates) { 2509 if (do_screen_candidates) {
2235 FILE *in; 2510 FILE *in;
2236 FILE *out = fopen(out_file, "w"); 2511 FILE *out = fopen(out_file, "a");
2237 2512
2238 if (have_identity && strcmp(identity_file, "-") != 0) { 2513 if (have_identity && strcmp(identity_file, "-") != 0) {
2239 if ((in = fopen(identity_file, "r")) == NULL) { 2514 if ((in = fopen(identity_file, "r")) == NULL) {
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 0d8cf3cf4..559c5a1f4 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -106,4 +106,4 @@ BUGS
106 This is because it opens a connection to the ssh port, reads the public 106 This is because it opens a connection to the ssh port, reads the public
107 key, and drops the connection as soon as it gets the key. 107 key, and drops the connection as soon as it gets the key.
108 108
109OpenBSD 5.2 April 11, 2012 OpenBSD 5.2 109OpenBSD 5.3 April 11, 2012 OpenBSD 5.3
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 50b7162dc..a2e9eec2b 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -48,4 +48,4 @@ HISTORY
48AUTHORS 48AUTHORS
49 Markus Friedl <markus@openbsd.org> 49 Markus Friedl <markus@openbsd.org>
50 50
51OpenBSD 5.2 August 31, 2010 OpenBSD 5.2 51OpenBSD 5.3 August 31, 2010 OpenBSD 5.3
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 2f8a674aa..dcfaa222a 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
22AUTHORS 22AUTHORS
23 Markus Friedl <markus@openbsd.org> 23 Markus Friedl <markus@openbsd.org>
24 24
25OpenBSD 5.2 February 10, 2010 OpenBSD 5.2 25OpenBSD 5.3 February 10, 2010 OpenBSD 5.3
diff --git a/ssh.0 b/ssh.0
index 7d43f8879..f6b642bc8 100644
--- a/ssh.0
+++ b/ssh.0
@@ -396,8 +396,8 @@ AUTHENTICATION
396 since it provides additional mechanisms for confidentiality (the traffic 396 since it provides additional mechanisms for confidentiality (the traffic
397 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and 397 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
398 integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64, 398 integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64,
399 hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the 399 umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for
400 integrity of the connection. 400 ensuring the integrity of the connection.
401 401
402 The methods available for authentication are: GSSAPI-based 402 The methods available for authentication are: GSSAPI-based
403 authentication, host-based authentication, public key authentication, 403 authentication, host-based authentication, public key authentication,
@@ -537,6 +537,12 @@ ESCAPE CHARACTERS
537 ~R Request rekeying of the connection (only useful for SSH protocol 537 ~R Request rekeying of the connection (only useful for SSH protocol
538 version 2 and if the peer supports it). 538 version 2 and if the peer supports it).
539 539
540 ~V Decrease the verbosity (LogLevel) when errors are being written
541 to stderr.
542
543 ~v Increase the verbosity (LogLevel) when errors are being written
544 to stderr.
545
540TCP FORWARDING 546TCP FORWARDING
541 Forwarding of arbitrary TCP connections over the secure channel can be 547 Forwarding of arbitrary TCP connections over the secure channel can be
542 specified either on the command line or in a configuration file. One 548 specified either on the command line or in a configuration file. One
@@ -862,36 +868,45 @@ SEE ALSO
862 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), 868 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
863 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8) 869 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
864 870
865 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006. 871STANDARDS
872 S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned
873 Numbers, RFC 4250, January 2006.
866 874
867 The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006. 875 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture,
876 RFC 4251, January 2006.
868 877
869 The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006. 878 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol,
879 RFC 4252, January 2006.
870 880
871 The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006. 881 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer
882 Protocol, RFC 4253, January 2006.
872 883
873 The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006. 884 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC
885 4254, January 2006.
874 886
875 Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC 887 J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell
876 4255, 2006. 888 (SSH) Key Fingerprints, RFC 4255, January 2006.
877 889
878 Generic Message Exchange Authentication for the Secure Shell Protocol 890 F. Cusack and M. Forssen, Generic Message Exchange Authentication for the
879 (SSH), RFC 4256, 2006. 891 Secure Shell Protocol (SSH), RFC 4256, January 2006.
880 892
881 The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006. 893 J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break
894 Extension, RFC 4335, January 2006.
882 895
883 The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006. 896 M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport
897 Layer Encryption Modes, RFC 4344, January 2006.
884 898
885 Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer 899 B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport
886 Protocol, RFC 4345, 2006. 900 Layer Protocol, RFC 4345, January 2006.
887 901
888 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer 902 M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
889 Protocol, RFC 4419, 2006. 903 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
890 904
891 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. 905 J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File
906 Format, RFC 4716, November 2006.
892 907
893 Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, 908 D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the
894 RFC 5656, 2009. 909 Secure Shell Transport Layer, RFC 5656, December 2009.
895 910
896 A. Perrig and D. Song, Hash Visualization: a New Technique to improve 911 A. Perrig and D. Song, Hash Visualization: a New Technique to improve
897 Real-World Security, 1999, International Workshop on Cryptographic 912 Real-World Security, 1999, International Workshop on Cryptographic
@@ -904,4 +919,4 @@ AUTHORS
904 created OpenSSH. Markus Friedl contributed the support for SSH protocol 919 created OpenSSH. Markus Friedl contributed the support for SSH protocol
905 versions 1.5 and 2.0. 920 versions 1.5 and 2.0.
906 921
907OpenBSD 5.2 June 18, 2012 OpenBSD 5.2 922OpenBSD 5.3 October 4, 2012 OpenBSD 5.3
diff --git a/ssh.1 b/ssh.1
index 4c789fcf4..5ac75e992 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.326 2012/06/18 12:17:18 dtucker Exp $ 36.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $
37.Dd $Mdocdate: June 18 2012 $ 37.Dd $Mdocdate: October 4 2012 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -674,7 +674,7 @@ it provides additional mechanisms for confidentiality
674(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) 674(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
675and integrity (hmac-md5, hmac-sha1, 675and integrity (hmac-md5, hmac-sha1,
676hmac-sha2-256, hmac-sha2-512, 676hmac-sha2-256, hmac-sha2-512,
677umac-64, hmac-ripemd160). 677umac-64, umac-128, hmac-ripemd160).
678Protocol 1 lacks a strong mechanism for ensuring the 678Protocol 1 lacks a strong mechanism for ensuring the
679integrity of the connection. 679integrity of the connection.
680.Pp 680.Pp
@@ -930,6 +930,14 @@ option.
930.It Cm ~R 930.It Cm ~R
931Request rekeying of the connection 931Request rekeying of the connection
932(only useful for SSH protocol version 2 and if the peer supports it). 932(only useful for SSH protocol version 2 and if the peer supports it).
933.It Cm ~V
934Decrease the verbosity
935.Pq Ic LogLevel
936when errors are being written to stderr.
937.It Cm ~v
938Increase the verbosity
939.Pq Ic LogLevel
940when errors are being written to stderr.
933.El 941.El
934.Sh TCP FORWARDING 942.Sh TCP FORWARDING
935Forwarding of arbitrary TCP connections over the secure channel can 943Forwarding of arbitrary TCP connections over the secure channel can
@@ -1434,77 +1442,118 @@ if an error occurred.
1434.Xr ssh_config 5 , 1442.Xr ssh_config 5 ,
1435.Xr ssh-keysign 8 , 1443.Xr ssh-keysign 8 ,
1436.Xr sshd 8 1444.Xr sshd 8
1445.Sh STANDARDS
1437.Rs 1446.Rs
1447.%A S. Lehtinen
1448.%A C. Lonvick
1449.%D January 2006
1438.%R RFC 4250 1450.%R RFC 4250
1439.%T "The Secure Shell (SSH) Protocol Assigned Numbers" 1451.%T The Secure Shell (SSH) Protocol Assigned Numbers
1440.%D 2006
1441.Re 1452.Re
1453.Pp
1442.Rs 1454.Rs
1455.%A T. Ylonen
1456.%A C. Lonvick
1457.%D January 2006
1443.%R RFC 4251 1458.%R RFC 4251
1444.%T "The Secure Shell (SSH) Protocol Architecture" 1459.%T The Secure Shell (SSH) Protocol Architecture
1445.%D 2006
1446.Re 1460.Re
1461.Pp
1447.Rs 1462.Rs
1463.%A T. Ylonen
1464.%A C. Lonvick
1465.%D January 2006
1448.%R RFC 4252 1466.%R RFC 4252
1449.%T "The Secure Shell (SSH) Authentication Protocol" 1467.%T The Secure Shell (SSH) Authentication Protocol
1450.%D 2006
1451.Re 1468.Re
1469.Pp
1452.Rs 1470.Rs
1471.%A T. Ylonen
1472.%A C. Lonvick
1473.%D January 2006
1453.%R RFC 4253 1474.%R RFC 4253
1454.%T "The Secure Shell (SSH) Transport Layer Protocol" 1475.%T The Secure Shell (SSH) Transport Layer Protocol
1455.%D 2006
1456.Re 1476.Re
1477.Pp
1457.Rs 1478.Rs
1479.%A T. Ylonen
1480.%A C. Lonvick
1481.%D January 2006
1458.%R RFC 4254 1482.%R RFC 4254
1459.%T "The Secure Shell (SSH) Connection Protocol" 1483.%T The Secure Shell (SSH) Connection Protocol
1460.%D 2006
1461.Re 1484.Re
1485.Pp
1462.Rs 1486.Rs
1487.%A J. Schlyter
1488.%A W. Griffin
1489.%D January 2006
1463.%R RFC 4255 1490.%R RFC 4255
1464.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" 1491.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
1465.%D 2006
1466.Re 1492.Re
1493.Pp
1467.Rs 1494.Rs
1495.%A F. Cusack
1496.%A M. Forssen
1497.%D January 2006
1468.%R RFC 4256 1498.%R RFC 4256
1469.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)" 1499.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
1470.%D 2006
1471.Re 1500.Re
1501.Pp
1472.Rs 1502.Rs
1503.%A J. Galbraith
1504.%A P. Remaker
1505.%D January 2006
1473.%R RFC 4335 1506.%R RFC 4335
1474.%T "The Secure Shell (SSH) Session Channel Break Extension" 1507.%T The Secure Shell (SSH) Session Channel Break Extension
1475.%D 2006
1476.Re 1508.Re
1509.Pp
1477.Rs 1510.Rs
1511.%A M. Bellare
1512.%A T. Kohno
1513.%A C. Namprempre
1514.%D January 2006
1478.%R RFC 4344 1515.%R RFC 4344
1479.%T "The Secure Shell (SSH) Transport Layer Encryption Modes" 1516.%T The Secure Shell (SSH) Transport Layer Encryption Modes
1480.%D 2006
1481.Re 1517.Re
1518.Pp
1482.Rs 1519.Rs
1520.%A B. Harris
1521.%D January 2006
1483.%R RFC 4345 1522.%R RFC 4345
1484.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol" 1523.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
1485.%D 2006
1486.Re 1524.Re
1525.Pp
1487.Rs 1526.Rs
1527.%A M. Friedl
1528.%A N. Provos
1529.%A W. Simpson
1530.%D March 2006
1488.%R RFC 4419 1531.%R RFC 4419
1489.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" 1532.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
1490.%D 2006
1491.Re 1533.Re
1534.Pp
1492.Rs 1535.Rs
1536.%A J. Galbraith
1537.%A R. Thayer
1538.%D November 2006
1493.%R RFC 4716 1539.%R RFC 4716
1494.%T "The Secure Shell (SSH) Public Key File Format" 1540.%T The Secure Shell (SSH) Public Key File Format
1495.%D 2006
1496.Re 1541.Re
1542.Pp
1497.Rs 1543.Rs
1544.%A D. Stebila
1545.%A J. Green
1546.%D December 2009
1498.%R RFC 5656 1547.%R RFC 5656
1499.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer" 1548.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
1500.%D 2009
1501.Re 1549.Re
1550.Pp
1502.Rs 1551.Rs
1503.%T "Hash Visualization: a New Technique to improve Real-World Security"
1504.%A A. Perrig 1552.%A A. Perrig
1505.%A D. Song 1553.%A D. Song
1506.%D 1999 1554.%D 1999
1507.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)" 1555.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)
1556.%T Hash Visualization: a New Technique to improve Real-World Security
1508.Re 1557.Re
1509.Sh AUTHORS 1558.Sh AUTHORS
1510OpenSSH is a derivative of the original and free 1559OpenSSH is a derivative of the original and free
diff --git a/ssh_config.0 b/ssh_config.0
index d8256d137..164d11817 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -97,10 +97,13 @@ DESCRIPTION
97 preference. Multiple ciphers must be comma-separated. The 97 preference. Multiple ciphers must be comma-separated. The
98 supported ciphers are ``3des-cbc'', ``aes128-cbc'', 98 supported ciphers are ``3des-cbc'', ``aes128-cbc'',
99 ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', 99 ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'',
100 ``aes256-ctr'', ``arcfour128'', ``arcfour256'', ``arcfour'', 100 ``aes256-ctr'', ``aes128-gcm@openssh.com'',
101 ``blowfish-cbc'', and ``cast128-cbc''. The default is: 101 ``aes256-gcm@openssh.com'', ``arcfour128'', ``arcfour256'',
102 ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default
103 is:
102 104
103 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 105 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
106 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
104 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 107 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
105 aes256-cbc,arcfour 108 aes256-cbc,arcfour
106 109
@@ -354,11 +357,11 @@ DESCRIPTION
354 357
355 IdentitiesOnly 358 IdentitiesOnly
356 Specifies that ssh(1) should only use the authentication identity 359 Specifies that ssh(1) should only use the authentication identity
357 files configured in the ssh_config files, even if ssh-agent(1) 360 files configured in the ssh_config files, even if ssh-agent(1) or
358 offers more identities. The argument to this keyword must be 361 a PKCS11Provider offers more identities. The argument to this
359 ``yes'' or ``no''. This option is intended for situations where 362 keyword must be ``yes'' or ``no''. This option is intended for
360 ssh-agent offers many different identities. The default is 363 situations where ssh-agent offers many different identities. The
361 ``no''. 364 default is ``no''.
362 365
363 IdentityFile 366 IdentityFile
364 Specifies a file from which the user's DSA, ECDSA or RSA 367 Specifies a file from which the user's DSA, ECDSA or RSA
@@ -460,9 +463,16 @@ DESCRIPTION
460 MACs Specifies the MAC (message authentication code) algorithms in 463 MACs Specifies the MAC (message authentication code) algorithms in
461 order of preference. The MAC algorithm is used in protocol 464 order of preference. The MAC algorithm is used in protocol
462 version 2 for data integrity protection. Multiple algorithms 465 version 2 for data integrity protection. Multiple algorithms
463 must be comma-separated. The default is: 466 must be comma-separated. The algorithms that contain ``-etm''
464 467 calculate the MAC after encryption (encrypt-then-mac). These are
465 hmac-md5,hmac-sha1,umac-64@openssh.com, 468 considered safer and their use recommended. The default is:
469
470 hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
471 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
472 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
473 hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
474 hmac-md5-96-etm@openssh.com,
475 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
466 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 476 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
467 hmac-sha1-96,hmac-md5-96 477 hmac-sha1-96,hmac-md5-96
468 478
@@ -763,4 +773,4 @@ AUTHORS
763 created OpenSSH. Markus Friedl contributed the support for SSH protocol 773 created OpenSSH. Markus Friedl contributed the support for SSH protocol
764 versions 1.5 and 2.0. 774 versions 1.5 and 2.0.
765 775
766OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 776OpenBSD 5.3 January 8, 2013 OpenBSD 5.3
diff --git a/ssh_config.5 b/ssh_config.5
index 9d4b38aa8..fa852acb1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $
37.Dd $Mdocdate: June 29 2012 $ 37.Dd $Mdocdate: January 8 2013 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -224,6 +224,8 @@ The supported ciphers are
224.Dq aes128-ctr , 224.Dq aes128-ctr ,
225.Dq aes192-ctr , 225.Dq aes192-ctr ,
226.Dq aes256-ctr , 226.Dq aes256-ctr ,
227.Dq aes128-gcm@openssh.com ,
228.Dq aes256-gcm@openssh.com ,
227.Dq arcfour128 , 229.Dq arcfour128 ,
228.Dq arcfour256 , 230.Dq arcfour256 ,
229.Dq arcfour , 231.Dq arcfour ,
@@ -233,6 +235,7 @@ and
233The default is: 235The default is:
234.Bd -literal -offset 3n 236.Bd -literal -offset 3n
235aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 237aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
238aes128-gcm@openssh.com,aes256-gcm@openssh.com,
236aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 239aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
237aes256-cbc,arcfour 240aes256-cbc,arcfour
238.Ed 241.Ed
@@ -658,6 +661,8 @@ should only use the authentication identity files configured in the
658files, 661files,
659even if 662even if
660.Xr ssh-agent 1 663.Xr ssh-agent 1
664or a
665.Cm PKCS11Provider
661offers more identities. 666offers more identities.
662The argument to this keyword must be 667The argument to this keyword must be
663.Dq yes 668.Dq yes
@@ -846,9 +851,18 @@ in order of preference.
846The MAC algorithm is used in protocol version 2 851The MAC algorithm is used in protocol version 2
847for data integrity protection. 852for data integrity protection.
848Multiple algorithms must be comma-separated. 853Multiple algorithms must be comma-separated.
854The algorithms that contain
855.Dq -etm
856calculate the MAC after encryption (encrypt-then-mac).
857These are considered safer and their use recommended.
849The default is: 858The default is:
850.Bd -literal -offset indent 859.Bd -literal -offset indent
851hmac-md5,hmac-sha1,umac-64@openssh.com, 860hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
861umac-64-etm@openssh.com,umac-128-etm@openssh.com,
862hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
863hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
864hmac-md5-96-etm@openssh.com,
865hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
852hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 866hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
853hmac-sha1-96,hmac-md5-96 867hmac-sha1-96,hmac-md5-96
854.Ed 868.Ed
diff --git a/sshconnect.c b/sshconnect.c
index 2cde2f0a3..ed0e78bfd 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.234 2011/05/24 07:15:47 djm Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -429,6 +429,24 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
429 return 0; 429 return 0;
430} 430}
431 431
432static void
433send_client_banner(int connection_out, int minor1)
434{
435 /* Send our own protocol version identification. */
436 if (compat20) {
437 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
438 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
439 } else {
440 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
441 PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
442 }
443 if (roaming_atomicio(vwrite, connection_out, client_version_string,
444 strlen(client_version_string)) != strlen(client_version_string))
445 fatal("write: %.100s", strerror(errno));
446 chop(client_version_string);
447 debug("Local version string %.100s", client_version_string);
448}
449
432/* 450/*
433 * Waits for the server identification string, and sends our own 451 * Waits for the server identification string, and sends our own
434 * identification string. 452 * identification string.
@@ -440,7 +458,7 @@ ssh_exchange_identification(int timeout_ms)
440 int remote_major, remote_minor, mismatch; 458 int remote_major, remote_minor, mismatch;
441 int connection_in = packet_get_connection_in(); 459 int connection_in = packet_get_connection_in();
442 int connection_out = packet_get_connection_out(); 460 int connection_out = packet_get_connection_out();
443 int minor1 = PROTOCOL_MINOR_1; 461 int minor1 = PROTOCOL_MINOR_1, client_banner_sent = 0;
444 u_int i, n; 462 u_int i, n;
445 size_t len; 463 size_t len;
446 int fdsetsz, remaining, rc; 464 int fdsetsz, remaining, rc;
@@ -450,6 +468,16 @@ ssh_exchange_identification(int timeout_ms)
450 fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask); 468 fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask);
451 fdset = xcalloc(1, fdsetsz); 469 fdset = xcalloc(1, fdsetsz);
452 470
471 /*
472 * If we are SSH2-only then we can send the banner immediately and
473 * save a round-trip.
474 */
475 if (options.protocol == SSH_PROTO_2) {
476 enable_compat20();
477 send_client_banner(connection_out, 0);
478 client_banner_sent = 1;
479 }
480
453 /* Read other side's version identification. */ 481 /* Read other side's version identification. */
454 remaining = timeout_ms; 482 remaining = timeout_ms;
455 for (n = 0;;) { 483 for (n = 0;;) {
@@ -552,18 +580,9 @@ ssh_exchange_identification(int timeout_ms)
552 fatal("Protocol major versions differ: %d vs. %d", 580 fatal("Protocol major versions differ: %d vs. %d",
553 (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, 581 (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
554 remote_major); 582 remote_major);
555 /* Send our own protocol version identification. */ 583 if (!client_banner_sent)
556 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", 584 send_client_banner(connection_out, minor1);
557 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
558 compat20 ? PROTOCOL_MINOR_2 : minor1,
559 SSH_RELEASE, compat20 ? "\r\n" : "\n");
560 if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
561 != strlen(buf))
562 fatal("write: %.100s", strerror(errno));
563 client_version_string = xstrdup(buf);
564 chop(client_version_string);
565 chop(server_version_string); 585 chop(server_version_string);
566 debug("Local version string %.100s", client_version_string);
567} 586}
568 587
569/* defaults to 'no' */ 588/* defaults to 'no' */
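Review bot: send_client_banner() chooses the banner format from the global `compat20` rather than from its arguments, so the early SSH2-only call `send_client_banner(connection_out, 0)` is only correct because `enable_compat20()` runs on the line before it. A header comment would make that dependency explicit, for example `/* Picks the banner from compat20; minor1 is used only for protocol 1. Sets client_version_string. */`. The write check also calls `strlen(client_version_string)` twice; taking the length once into a local `size_t` and comparing against that would read more clearly. The body of ssh_exchange_identification() continues outside these hunks, so how the later version-mismatch path behaves once the banner has already been sent should be confirmed there.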
diff --git a/sshconnect2.c b/sshconnect2.c
index fe68d5c41..378b3200c 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -40,7 +40,7 @@
40#include <stdio.h> 40#include <stdio.h>
41#include <string.h> 41#include <string.h>
42#include <unistd.h> 42#include <unistd.h>
43#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) 43#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
44#include <vis.h> 44#include <vis.h>
45#endif 45#endif
46 46
@@ -304,6 +304,7 @@ struct identity {
304 char *filename; /* comment for agent-only keys */ 304 char *filename; /* comment for agent-only keys */
305 int tried; 305 int tried;
306 int isprivate; /* key points to the private key */ 306 int isprivate; /* key points to the private key */
307 int userprovided;
307}; 308};
308TAILQ_HEAD(idlist, identity); 309TAILQ_HEAD(idlist, identity);
309 310
@@ -369,7 +370,7 @@ void userauth(Authctxt *, char *);
369static int sign_and_send_pubkey(Authctxt *, Identity *); 370static int sign_and_send_pubkey(Authctxt *, Identity *);
370static void pubkey_prepare(Authctxt *); 371static void pubkey_prepare(Authctxt *);
371static void pubkey_cleanup(Authctxt *); 372static void pubkey_cleanup(Authctxt *);
372static Key *load_identity_file(char *); 373static Key *load_identity_file(char *, int);
373 374
374static Authmethod *authmethod_get(char *authlist); 375static Authmethod *authmethod_get(char *authlist);
375static Authmethod *authmethod_lookup(const char *name); 376static Authmethod *authmethod_lookup(const char *name);
@@ -1302,7 +1303,7 @@ identity_sign(Identity *id, u_char **sigp, u_int *lenp,
1302 if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) 1303 if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
1303 return (key_sign(id->key, sigp, lenp, data, datalen)); 1304 return (key_sign(id->key, sigp, lenp, data, datalen));
1304 /* load the private key from the file */ 1305 /* load the private key from the file */
1305 if ((prv = load_identity_file(id->filename)) == NULL) 1306 if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL)
1306 return (-1); 1307 return (-1);
1307 ret = key_sign(prv, sigp, lenp, data, datalen); 1308 ret = key_sign(prv, sigp, lenp, data, datalen);
1308 key_free(prv); 1309 key_free(prv);
@@ -1427,7 +1428,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
1427} 1428}
1428 1429
1429static Key * 1430static Key *
1430load_identity_file(char *filename) 1431load_identity_file(char *filename, int userprovided)
1431{ 1432{
1432 Key *private; 1433 Key *private;
1433 char prompt[300], *passphrase; 1434 char prompt[300], *passphrase;
@@ -1435,7 +1436,8 @@ load_identity_file(char *filename)
1435 struct stat st; 1436 struct stat st;
1436 1437
1437 if (stat(filename, &st) < 0) { 1438 if (stat(filename, &st) < 0) {
1438 debug3("no such identity: %s", filename); 1439 (userprovided ? logit : debug3)("no such identity: %s: %s",
1440 filename, strerror(errno));
1439 return NULL; 1441 return NULL;
1440 } 1442 }
1441 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); 1443 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
@@ -1475,7 +1477,7 @@ load_identity_file(char *filename)
1475static void 1477static void
1476pubkey_prepare(Authctxt *authctxt) 1478pubkey_prepare(Authctxt *authctxt)
1477{ 1479{
1478 Identity *id; 1480 Identity *id, *id2, *tmp;
1479 Idlist agent, files, *preferred; 1481 Idlist agent, files, *preferred;
1480 Key *key; 1482 Key *key;
1481 AuthenticationConnection *ac; 1483 AuthenticationConnection *ac;
@@ -1487,7 +1489,7 @@ pubkey_prepare(Authctxt *authctxt)
1487 preferred = &authctxt->keys; 1489 preferred = &authctxt->keys;
1488 TAILQ_INIT(preferred); /* preferred order of keys */ 1490 TAILQ_INIT(preferred); /* preferred order of keys */
1489 1491
1490 /* list of keys stored in the filesystem */ 1492 /* list of keys stored in the filesystem and PKCS#11 */
1491 for (i = 0; i < options.num_identity_files; i++) { 1493 for (i = 0; i < options.num_identity_files; i++) {
1492 if (options.identity_files[i] == NULL) 1494 if (options.identity_files[i] == NULL)
1493 continue; 1495 continue;
@@ -1500,8 +1502,32 @@ pubkey_prepare(Authctxt *authctxt)
1500 id = xcalloc(1, sizeof(*id)); 1502 id = xcalloc(1, sizeof(*id));
1501 id->key = key; 1503 id->key = key;
1502 id->filename = xstrdup(options.identity_files[i]); 1504 id->filename = xstrdup(options.identity_files[i]);
1505 id->userprovided = 1;
1503 TAILQ_INSERT_TAIL(&files, id, next); 1506 TAILQ_INSERT_TAIL(&files, id, next);
1504 } 1507 }
1508 /* Prefer PKCS11 keys that are explicitly listed */
1509 TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
1510 if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0)
1511 continue;
1512 found = 0;
1513 TAILQ_FOREACH(id2, &files, next) {
1514 if (id2->key == NULL ||
1515 (id2->key->flags & KEY_FLAG_EXT) != 0)
1516 continue;
1517 if (key_equal(id->key, id2->key)) {
1518 TAILQ_REMOVE(&files, id, next);
1519 TAILQ_INSERT_TAIL(preferred, id, next);
1520 found = 1;
1521 break;
1522 }
1523 }
1524 /* If IdentitiesOnly set and key not found then don't use it */
1525 if (!found && options.identities_only) {
1526 TAILQ_REMOVE(&files, id, next);
1527 bzero(id, sizeof(id));
1528 free(id);
1529 }
1530 }
1505 /* list of keys supported by the agent */ 1531 /* list of keys supported by the agent */
1506 if ((ac = ssh_get_authentication_connection())) { 1532 if ((ac = ssh_get_authentication_connection())) {
1507 for (key = ssh_get_first_identity(ac, &comment, 2); 1533 for (key = ssh_get_first_identity(ac, &comment, 2);
@@ -1541,7 +1567,8 @@ pubkey_prepare(Authctxt *authctxt)
1541 TAILQ_INSERT_TAIL(preferred, id, next); 1567 TAILQ_INSERT_TAIL(preferred, id, next);
1542 } 1568 }
1543 TAILQ_FOREACH(id, preferred, next) { 1569 TAILQ_FOREACH(id, preferred, next) {
1544 debug2("key: %s (%p)", id->filename, id->key); 1570 debug2("key: %s (%p),%s", id->filename, id->key,
1571 id->userprovided ? " explicit" : "");
1545 } 1572 }
1546} 1573}
1547 1574
@@ -1586,7 +1613,8 @@ userauth_pubkey(Authctxt *authctxt)
1586 sent = send_pubkey_test(authctxt, id); 1613 sent = send_pubkey_test(authctxt, id);
1587 } else if (id->key == NULL && id->filename) { 1614 } else if (id->key == NULL && id->filename) {
1588 debug("Trying private key: %s", id->filename); 1615 debug("Trying private key: %s", id->filename);
1589 id->key = load_identity_file(id->filename); 1616 id->key = load_identity_file(id->filename,
1617 id->userprovided);
1590 if (id->key != NULL) { 1618 if (id->key != NULL) {
1591 id->isprivate = 1; 1619 id->isprivate = 1;
1592 sent = sign_and_send_pubkey(authctxt, id); 1620 sent = sign_and_send_pubkey(authctxt, id);
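Review bot: `bzero(id, sizeof(id));` in the IdentitiesOnly branch of the new PKCS#11 loop in pubkey_prepare() clears only a pointer's worth of bytes, because `id` is declared `Identity *`. It should be `bzero(id, sizeof(*id));` so the whole struct is wiped before `free(id)`. The same branch discards the entry without releasing `id->filename`, which this function allocates with `xstrdup()` when it queues the entry. Whether `id->key` is owned by the entry cannot be seen from the hunk, so check that before freeing it here. pubkey_prepare() starts and ends outside this hunk.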
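--- a/sshd.0
+++ b/sshd.0
@@ -169,7 +169,7 @@ AUTHENTICATION
  client selects the encryption algorithm to use from those offered by the
  server. Additionally, session integrity is provided through a
  cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
- hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
+ umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
 
  Finally, the server and the client enter an authentication dialog. The
  client tries to authenticate itself using host-based authentication,
@@ -634,4 +634,4 @@ CAVEATS
  System security is not improved unless rshd, rlogind, and rexecd are
  disabled (thus completely disabling rlogin and rsh into the machine).
 
-OpenBSD 5.2 June 18, 2012 OpenBSD 5.2
+OpenBSD 5.3 October 4, 2012 OpenBSD 5.3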
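--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $
-.Dd $Mdocdate: June 18 2012 $
+.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $
+.Dd $Mdocdate: October 4 2012 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -319,7 +319,7 @@ The client selects the encryption algorithm
 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160,
+(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
 hmac-sha2-256 or hmac-sha2-512).
 .Pp
 Finally, the server and the client enter an authentication dialog.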
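--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -363,6 +363,15 @@ grace_alarm_handler(int sig)
  if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
  kill(pmonitor->m_pid, SIGALRM);
 
+ /*
+ * Try to kill any processes that we have spawned, E.g. authorized
+ * keys command helpers.
+ */
+ if (getpgid(0) == getpid()) {
+ signal(SIGTERM, SIG_IGN);
+ killpg(0, SIGTERM);
+ }
+
  /* Log error and exit. */
  sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
@@ -1333,6 +1342,7 @@ main(int ac, char **av)
  int remote_port;
  char *line;
  int config_s[2] = { -1 , -1 };
+ u_int n;
  u_int64_t ibytes, obytes;
  mode_t new_umask;
  Key *key;
@@ -1555,6 +1565,33 @@ main(int ac, char **av)
  if (options.challenge_response_authentication)
  options.kbd_interactive_authentication = 1;
 
+ /* Check that options are sensible */
+ if (options.authorized_keys_command_user == NULL &&
+ (options.authorized_keys_command != NULL &&
+ strcasecmp(options.authorized_keys_command, "none") != 0))
+ fatal("AuthorizedKeysCommand set without "
+ "AuthorizedKeysCommandUser");
+
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
+ * daemonisation in the presence of Match block, but this catches
+ * and warns for trivial misconfigurations that could break login.
+ */
+ if (options.num_auth_methods != 0) {
+ if ((options.protocol & SSH_PROTO_1))
+ fatal("AuthenticationMethods is not supported with "
+ "SSH protocol 1");
+ for (n = 0; n < options.num_auth_methods; n++) {
+ if (auth2_methods_valid(options.auth_methods[n],
+ 1) == 0)
+ break;
+ }
+ if (n >= options.num_auth_methods)
+ fatal("AuthenticationMethods cannot be satisfied by "
+ "enabled authentication methods");
+ }
+
  /* set default channel AF */
  channel_set_af(options.address_family);
 
@@ -1564,7 +1601,8 @@ main(int ac, char **av)
  exit(1);
  }
 
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %s, %s", SSH_VERSION,
+ SSLeay_version(SSLEAY_VERSION));
 
  /* Store privilege separation user for later use if required. */
  if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {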
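Review bot: The new AuthorizedKeysCommandUser check in main() only tests that the option is non-NULL in the global configuration, so it does not confirm that the named account exists or is unprivileged. Like the AuthenticationMethods check below it, it presumably cannot see values set inside a Match block, and the sshd_config.5 change on this page lists both keywords as usable there. The code that actually runs the command is outside this section, so whether it repeats the check is not visible here. I would record the limit next to the check, e.g. `/* Global options only: Match blocks and the validity of the user must be checked where the command is run */`. main() starts and ends outside these hunks.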
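--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
+# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -52,6 +52,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 
 #AuthorizedPrincipalsFile none
 
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2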
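Review bot: The sample line `#AuthorizedKeysCommandUser nobody` reads as a built-in default, but the sshd.c change on this page makes sshd call fatal() when AuthorizedKeysCommand is set without AuthorizedKeysCommandUser, so there appears to be no default user. `nobody` is also an account that other services often share, whereas the sshd_config.5 text added in this commit recommends a dedicated user with no other role on the host. A comment above the two lines would avoid the misreading, e.g. `# AuthorizedKeysCommandUser has no default; use a dedicated unprivileged account`.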
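--- a/sshd_config.0
+++ b/sshd_config.0
@@ -53,10 +53,14 @@ DESCRIPTION
  See PATTERNS in ssh_config(5) for more information on patterns.
 
  AllowTcpForwarding
- Specifies whether TCP forwarding is permitted. The default is
- ``yes''. Note that disabling TCP forwarding does not improve
- security unless users are also denied shell access, as they can
- always install their own forwarders.
+ Specifies whether TCP forwarding is permitted. The available
+ options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to
+ prevent all TCP forwarding, ``local'' to allow local (from the
+ perspective of ssh(1)) forwarding only or ``remote'' to allow
+ remote forwarding only. The default is ``yes''. Note that
+ disabling TCP forwarding does not improve security unless users
+ are also denied shell access, as they can always install their
+ own forwarders.
 
  AllowUsers
  This keyword can be followed by a list of user name patterns,
@@ -71,6 +75,44 @@ DESCRIPTION
 
  See PATTERNS in ssh_config(5) for more information on patterns.
 
+ AuthenticationMethods
+ Specifies the authentication methods that must be successfully
+ completed for a user to be granted access. This option must be
+ followed by one or more comma-separated lists of authentication
+ method names. Successful authentication requires completion of
+ every method in at least one of these lists.
+
+ For example, an argument of ``publickey,password
+ publickey,keyboard-interactive'' would require the user to
+ complete public key authentication, followed by either password
+ or keyboard interactive authentication. Only methods that are
+ next in one or more lists are offered at each stage, so for this
+ example, it would not be possible to attempt password or
+ keyboard-interactive authentication before public key.
+
+ This option is only available for SSH protocol 2 and will yield a
+ fatal error if enabled if protocol 1 is also enabled. Note that
+ each authentication method listed should also be explicitly
+ enabled in the configuration. The default is not to require
+ multiple authentication; successful completion of a single
+ authentication method is sufficient.
+
+ AuthorizedKeysCommand
+ Specifies a program to be used to look up the user's public keys.
+ The program will be invoked with a single argument of the
+ username being authenticated, and should produce on standard
+ output zero or more lines of authorized_keys output (see
+ AUTHORIZED_KEYS in sshd(8)). If a key supplied by
+ AuthorizedKeysCommand does not successfully authenticate and
+ authorize the user then public key authentication continues using
+ the usual AuthorizedKeysFile files. By default, no
+ AuthorizedKeysCommand is run.
+
+ AuthorizedKeysCommandUser
+ Specifies the user under whose account the AuthorizedKeysCommand
+ is run. It is recommended to use a dedicated user that has no
+ other role on the host than running authorized keys commands.
+
  AuthorizedKeysFile
  Specifies the file that contains the public keys that can be used
  for user authentication. The format is described in the
@@ -150,11 +192,13 @@ DESCRIPTION
  Specifies the ciphers allowed for protocol version 2. Multiple
  ciphers must be comma-separated. The supported ciphers are
  ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
- ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
- ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
- ``cast128-cbc''. The default is:
+ ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
+ ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
+ ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
+ and ``cast128-cbc''. The default is:
 
  aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+ aes128-gcm@openssh.com,aes256-gcm@openssh.com,
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
  aes256-cbc,arcfour
 
@@ -373,9 +417,16 @@ DESCRIPTION
  MACs Specifies the available MAC (message authentication code)
  algorithms. The MAC algorithm is used in protocol version 2 for
  data integrity protection. Multiple algorithms must be comma-
- separated. The default is:
-
- hmac-md5,hmac-sha1,umac-64@openssh.com,
+ separated. The algorithms that contain ``-etm'' calculate the
+ MAC after encryption (encrypt-then-mac). These are considered
+ safer and their use recommended. The default is:
+
+ hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+ umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+ hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+ hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+ hmac-md5-96-etm@openssh.com,
+ hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
  hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
  hmac-sha1-96,hmac-md5-96
 
@@ -402,15 +453,16 @@ DESCRIPTION
  Only a subset of keywords may be used on the lines following a
  Match keyword. Available keywords are AcceptEnv,
  AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
- AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
- ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
- GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
- HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
- KerberosAuthentication, MaxAuthTries, MaxSessions,
- PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
- PermitRootLogin, PermitTunnel, PubkeyAuthentication,
- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
- X11Forwarding and X11UseLocalHost.
+ AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
+ AuthorizedKeysCommandUser, AuthorizedKeysFile,
+ AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
+ DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
+ HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
+ KbdInteractiveAuthentication, KerberosAuthentication,
+ MaxAuthTries, MaxSessions, PasswordAuthentication,
+ PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
+ PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+ X11DisplayOffset, X11Forwarding and X11UseLocalHost.
 
  MaxAuthTries
  Specifies the maximum number of authentication attempts permitted
@@ -425,7 +477,7 @@ DESCRIPTION
  Specifies the maximum number of concurrent unauthenticated
  connections to the SSH daemon. Additional connections will be
  dropped until authentication succeeds or the LoginGraceTime
- expires for a connection. The default is 10.
+ expires for a connection. The default is 10:30:100.
 
  Alternatively, random early drop can be enabled by specifying the
  three colon separated values ``start:rate:full'' (e.g.
@@ -520,10 +572,13 @@ DESCRIPTION
  version 2 only.
 
  RevokedKeys
- Specifies a list of revoked public keys. Keys listed in this
- file will be refused for public key authentication. Note that if
- this file is not readable, then public key authentication will be
- refused for all users.
+ Specifies revoked public keys. Keys listed in this file will be
+ refused for public key authentication. Note that if this file is
+ not readable, then public key authentication will be refused for
+ all users. Keys may be specified as a text file, listing one
+ public key per line, or as an OpenSSH Key Revocation List (KRL)
+ as generated by ssh-keygen(1). For more information on KRLs, see
+ the KEY REVOCATION LISTS section in ssh-keygen(1).
 
  RhostsRSAAuthentication
  Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -722,4 +777,4 @@ AUTHORS
  versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
  for privilege separation.
 
-OpenBSD 5.2 June 29, 2012 OpenBSD 5.2
+OpenBSD 5.3 February 6, 2013 OpenBSD 5.3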
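--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $
-.Dd $Mdocdate: June 29 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
+.Dd $Mdocdate: February 6 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -151,6 +151,19 @@ in
 for more information on patterns.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow TCP forwarding,
+.Dq no
+to prevent all TCP forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 )
+forwarding only or
+.Dq remote
+to allow remote forwarding only.
 The default is
 .Dq yes .
 Note that disabling TCP forwarding does not improve security unless
@@ -178,6 +191,45 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AuthenticationMethods
+Specifies the authentication methods that must be successfully completed
+for a user to be granted access.
+This option must be followed by one or more comma-separated lists of
+authentication method names.
+Successful authentication requires completion of every method in at least
+one of these lists.
+.Pp
+For example, an argument of
+.Dq publickey,password publickey,keyboard-interactive
+would require the user to complete public key authentication, followed by
+either password or keyboard interactive authentication.
+Only methods that are next in one or more lists are offered at each stage,
+so for this example, it would not be possible to attempt password or
+keyboard-interactive authentication before public key.
+.Pp
+This option is only available for SSH protocol 2 and will yield a fatal
+error if enabled if protocol 1 is also enabled.
+Note that each authentication method listed should also be explicitly enabled
+in the configuration.
+The default is not to require multiple authentication; successful completion
+of a single authentication method is sufficient.
+.It Cm AuthorizedKeysCommand
+Specifies a program to be used to look up the user's public keys.
+The program will be invoked with a single argument of the username
+being authenticated, and should produce on standard output zero or
+more lines of authorized_keys output (see
+.Sx AUTHORIZED_KEYS
+in
+.Xr sshd 8 ) .
+If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+and authorize the user then public key authentication continues using the usual
+.Cm AuthorizedKeysFile
+files.
+By default, no AuthorizedKeysCommand is run.
+.It Cm AuthorizedKeysCommandUser
+Specifies the user under whose account the AuthorizedKeysCommand is run.
+It is recommended to use a dedicated user that has no other role on the host
+than running authorized keys commands.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
@@ -310,6 +362,8 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq aes128-gcm@openssh.com ,
+.Dq aes256-gcm@openssh.com ,
 .Dq arcfour128 ,
 .Dq arcfour256 ,
 .Dq arcfour ,
@@ -319,6 +373,7 @@ and
 The default is:
 .Bd -literal -offset 3n
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 .Ed
@@ -713,9 +768,18 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
@@ -770,6 +834,9 @@ Available keywords are
 .Cm AllowGroups ,
 .Cm AllowTcpForwarding ,
 .Cm AllowUsers ,
+.Cm AuthenticationMethods ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandUser ,
 .Cm AuthorizedKeysFile ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
@@ -1000,10 +1067,17 @@ The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 .It Cm RevokedKeys
-Specifies a list of revoked public keys.
+Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
+Keys may be specified as a text file, listing one public key per line, or as
+an OpenSSH Key Revocation List (KRL) as generated by
+.Xr ssh-keygen 1 .
+For more information on KRLs, see the
+.Sx KEY REVOCATION LISTS
+section in
+.Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.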
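--- a/uidswap.c
+++ b/uidswap.c
@@ -138,20 +138,8 @@ permanently_drop_suid(uid_t uid)
  uid_t old_uid = getuid();
 
  debug("permanently_drop_suid: %u", (u_int)uid);
-#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
  if (setresuid(uid, uid, uid) < 0)
  fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
-#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
- if (setreuid(uid, uid) < 0)
- fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
-#else
-# ifndef SETEUID_BREAKS_SETUID
- if (seteuid(uid) < 0)
- fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
-# endif
- if (setuid(uid) < 0)
- fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
-#endif
 
 #ifndef HAVE_CYGWIN
  /* Try restoration of UID if changed (test clearing of saved uid) */
@@ -220,18 +208,8 @@ permanently_set_uid(struct passwd *pw)
  debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
  (u_int)pw->pw_gid);
 
-#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
  if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
  fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
- if (setregid(pw->pw_gid, pw->pw_gid) < 0)
- fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#else
- if (setegid(pw->pw_gid) < 0)
- fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
- if (setgid(pw->pw_gid) < 0)
- fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#endif
 
 #ifdef __APPLE__
  /*
@@ -243,20 +221,8 @@ permanently_set_uid(struct passwd *pw)
  pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
 #endif
 
-#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
  if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
  fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
- if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
- fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#else
-# ifndef SETEUID_BREAKS_SETUID
- if (seteuid(pw->pw_uid) < 0)
- fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-# endif
- if (setuid(pw->pw_uid) < 0)
- fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#endif
 
 #ifndef HAVE_CYGWIN
  /* Try restoration of GID if changed (test clearing of saved gid) */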
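Review bot: With the `#if`/`#elif` fallbacks removed, permanently_drop_suid() and permanently_set_uid() call setresuid()/setresgid() unconditionally, and nothing in the new code says where those come from on platforms that lack them or were flagged BROKEN_SETRESUID/BROKEN_SETRESGID. Presumably a compatibility layer outside this file supplies them. If so, a short comment at the first call would record that the privilege drop depends on it, e.g. `/* setresuid() may be a compat replacement; it must set real, effective and saved uid or fail */`. The restoration tests kept under `#ifndef HAVE_CYGWIN` are then the only in-file check that the saved ids were cleared, so they should stay as strict as they are. Both functions start and end outside these hunks.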
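--- a/umac.c
+++ b/umac.c
@@ -52,7 +52,15 @@
 /* --- User Switches ---------------------------------------------------- */
 /* ---------------------------------------------------------------------- */
 
+#ifndef UMAC_OUTPUT_LEN
 #define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */
+#endif
+
+#if UMAC_OUTPUT_LEN != 4 && UMAC_OUTPUT_LEN != 8 && \
+ UMAC_OUTPUT_LEN != 12 && UMAC_OUTPUT_LEN != 16
+# error UMAC_OUTPUT_LEN must be defined to 4, 8, 12 or 16
+#endif
+
 /* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */
 /* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */
 /* #define SSE2 0 Is SSE2 is available? */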
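--- a/umac.h
+++ b/umac.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */
+/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */
 /* -----------------------------------------------------------------------
  *
  * umac.h -- C Implementation UMAC Message Authentication
@@ -116,6 +116,12 @@ int uhash(uhash_ctx_t ctx,
 
 #endif
 
+/* matching umac-128 API, we reuse umac_ctx, since it's opaque */
+struct umac_ctx *umac128_new(u_char key[]);
+int umac128_update(struct umac_ctx *ctx, u_char *input, long len);
+int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]);
+int umac128_delete(struct umac_ctx *ctx);
+
 #ifdef __cplusplus
  }
 #endif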
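Review bot: The four umac128_* prototypes cannot be told apart by type from the API they mirror, because they reuse `struct umac_ctx` and `u_char tag[]` carries no length. Nothing stops a caller passing a context from the 64-bit variant, or a tag buffer sized for it, to `umac128_final()`, which would presumably write 16 bytes. The added comment should state that contract, for example `/* umac128_final() writes a 16-byte tag; ctx must come from umac128_new() */`. `long len` in `umac128_update()` is also signed; if that mirrors the existing update function it is a follow-up rather than a change for this commit.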
diff --git a/version.h b/version.h
index 09e8f6099..82061d88a 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
1/* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */ 1/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */
2 2
3#define SSH_VERSION "OpenSSH_6.1" 3#define SSH_VERSION "OpenSSH_6.2"
4 4
5#define SSH_PORTABLE "p1" 5#define SSH_PORTABLE "p1"
6#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 6#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE