author | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 11:47:26 +0100 |
commit | 2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch) | |
tree | c4fb7d1f51fa51e7677232de806aae150e29e2ac | |
parent | f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff) | |
parent | ecebda56da46a03dafff923d91c382f31faa9eec (diff) |
* New upstream release (http://www.openssh.com/txt/release-6.2).
- Add support for multiple required authentication in SSH protocol 2 via
an AuthenticationMethods option (closes: #195716).
- Fix Sophie Germain formula in moduli(5) (closes: #698612).
- Update ssh-copy-id to Phil Hands' greatly revised version (closes:
#99785, #322228, #620428; LP: #518883, #835901, #1074798).
149 files changed, 7337 insertions, 1927 deletions
@@ -1,3 +1,673 @@ | |||
1 | 20120322 | ||
2 | - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil | ||
3 | Hands' greatly revised version. | ||
4 | - (djm) Release 6.2p1 | ||
5 | |||
6 | 20120318 | ||
7 | - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] | ||
8 | [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's | ||
9 | so mark it as broken. Patch from des AT des.no | ||
10 | |||
11 | 20120317 | ||
12 | - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none | ||
13 | of the bits the configure test looks for. | ||
14 | |||
15 | 20120316 | ||
16 | - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform | ||
17 | is unable to successfully compile them. Based on patch from des AT | ||
18 | des.no | ||
19 | - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] | ||
20 | Add a usleep replacement for platforms that lack it; ok dtucker | ||
21 | - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to | ||
22 | occur after UID switch; patch from John Marshall via des AT des.no; | ||
23 | ok dtucker@ | ||
24 | |||
25 | 20120312 | ||
26 | - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh] | ||
27 | Improve portability of cipher-speed test, based mostly on a patch from | ||
28 | Iain Morgan. | ||
29 | - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin") | ||
30 | in addition to root as an owner of system directories on AIX and HP-UX. | ||
31 | ok djm@ | ||
32 | |||
33 | 20130307 | ||
34 | - (dtucker) [INSTALL] Bump documented autoconf version to what we're | ||
35 | currently using. | ||
36 | - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it | ||
37 | was removed in configure.ac rev 1.481 as it was redundant. | ||
38 | - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days | ||
39 | ago. | ||
40 | - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a | ||
41 | chance to complete on broken systems; ok dtucker@ | ||
42 | |||
43 | 20130306 | ||
44 | - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding | ||
45 | connection to start so that the test works on slower machines. | ||
46 | - (dtucker) [configure.ac] test that we can set number of file descriptors | ||
47 | to zero with setrlimit before enabling the rlimit sandbox. This affects | ||
48 | (at least) HPUX 11.11. | ||
49 | |||
50 | 20130305 | ||
51 | - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for | ||
52 | HP/UX. Spotted by Kevin Brott | ||
53 | - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by | ||
54 | Amit Kulkarni and Kevin Brott. | ||
55 | - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure | ||
56 | build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin | ||
57 | Brott. | ||
58 | - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov. | ||
59 | |||
60 | 20130227 | ||
61 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
62 | [contrib/suse/openssh.spec] Crank version numbers | ||
63 | - (tim) [regress/forward-control.sh] use sh in case login shell is csh. | ||
64 | - (tim) [regress/integrity.sh] shell portability fix. | ||
65 | - (tim) [regress/integrity.sh] keep old solaris awk from hanging. | ||
66 | - (tim) [regress/krl.sh] keep old solaris awk from hanging. | ||
67 | |||
68 | 20130226 | ||
69 | - OpenBSD CVS Sync | ||
70 | - djm@cvs.openbsd.org 2013/02/20 08:27:50 | ||
71 | [integrity.sh] | ||
72 | Add an option to modpipe that warns if the modification offset it not | ||
73 | reached in it's stream and turn it on for t-integrity. This should catch | ||
74 | cases where the session is not fuzzed for being too short (cf. my last | ||
75 | "oops" commit) | ||
76 | - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage | ||
77 | for UsePAM=yes configuration | ||
78 | |||
79 | 20130225 | ||
80 | - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed | ||
81 | to use Solaris native GSS libs. Patch from Pierre Ossman. | ||
82 | |||
83 | 20130223 | ||
84 | - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer | ||
85 | bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu. | ||
86 | ok tim | ||
87 | |||
88 | 20130222 | ||
89 | - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to | ||
90 | ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. | ||
91 | - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named | ||
92 | libgss too. Patch from Pierre Ossman, ok djm. | ||
93 | - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux | ||
94 | seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; | ||
95 | ok dtucker | ||
96 | |||
97 | 20130221 | ||
98 | - (tim) [regress/forward-control.sh] shell portability fix. | ||
99 | |||
100 | 20130220 | ||
101 | - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix. | ||
102 | - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded | ||
103 | err.h include from krl.c. Additional portability fixes for modpipe. OK djm | ||
104 | - OpenBSD CVS Sync | ||
105 | - djm@cvs.openbsd.org 2013/02/20 08:27:50 | ||
106 | [regress/integrity.sh regress/modpipe.c] | ||
107 | Add an option to modpipe that warns if the modification offset it not | ||
108 | reached in it's stream and turn it on for t-integrity. This should catch | ||
109 | cases where the session is not fuzzed for being too short (cf. my last | ||
110 | "oops" commit) | ||
111 | - djm@cvs.openbsd.org 2013/02/20 08:29:27 | ||
112 | [regress/modpipe.c] | ||
113 | s/Id/OpenBSD/ in RCS tag | ||
114 | |||
115 | 20130219 | ||
116 | - OpenBSD CVS Sync | ||
117 | - djm@cvs.openbsd.org 2013/02/18 22:26:47 | ||
118 | [integrity.sh] | ||
119 | crank the offset yet again; it was still fuzzing KEX one of Darren's | ||
120 | portable test hosts at 2800 | ||
121 | - djm@cvs.openbsd.org 2013/02/19 02:14:09 | ||
122 | [integrity.sh] | ||
123 | oops, forgot to increase the output of the ssh command to ensure that | ||
124 | we actually reach $offset | ||
125 | - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that | ||
126 | lack support for SHA2. | ||
127 | - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms | ||
128 | that do not have them. | ||
129 | |||
130 | 20130217 | ||
131 | - OpenBSD CVS Sync | ||
132 | - djm@cvs.openbsd.org 2013/02/17 23:16:55 | ||
133 | [integrity.sh] | ||
134 | make the ssh command generates some output to ensure that there are at | ||
135 | least offset+tries bytes in the stream. | ||
136 | |||
137 | 20130216 | ||
138 | - OpenBSD CVS Sync | ||
139 | - djm@cvs.openbsd.org 2013/02/16 06:08:45 | ||
140 | [integrity.sh] | ||
141 | make sure the fuzz offset is actually past the end of KEX for all KEX | ||
142 | types. diffie-hellman-group-exchange-sha256 requires an offset around | ||
143 | 2700. Noticed via test failures in portable OpenSSH on platforms that | ||
144 | lack ECC and this the more byte-frugal ECDH KEX algorithms. | ||
145 | |||
146 | 20130215 | ||
147 | - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from | ||
148 | Iain Morgan | ||
149 | - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] | ||
150 | Use getpgrp() if we don't have getpgid() (old BSDs, maybe others). | ||
151 | - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c | ||
152 | openbsd-compat/openbsd-compat.h] Add strtoull to compat library for | ||
153 | platforms that don't have it. | ||
154 | - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul, | ||
155 | group strto* function prototypes together. | ||
156 | - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes | ||
157 | an argument. Pointed out by djm. | ||
158 | - (djm) OpenBSD CVS Sync | ||
159 | - djm@cvs.openbsd.org 2013/02/14 21:35:59 | ||
160 | [auth2-pubkey.c] | ||
161 | Correct error message that had a typo and was logging the wrong thing; | ||
162 | patch from Petr Lautrbach | ||
163 | - dtucker@cvs.openbsd.org 2013/02/15 00:21:01 | ||
164 | [sshconnect2.c] | ||
165 | Warn more loudly if an IdentityFile provided by the user cannot be read. | ||
166 | bz #1981, ok djm@ | ||
167 | |||
168 | 20130214 | ||
169 | - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC. | ||
170 | - (djm) [regress/krl.sh] typo; found by Iain Morgan | ||
171 | - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead | ||
172 | of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by | ||
173 | Iain Morgan | ||
174 | |||
175 | 20130212 | ||
176 | - (djm) OpenBSD CVS Sync | ||
177 | - djm@cvs.openbsd.org 2013/01/24 21:45:37 | ||
178 | [krl.c] | ||
179 | fix handling of (unused) KRL signatures; skip string in correct buffer | ||
180 | - djm@cvs.openbsd.org 2013/01/24 22:08:56 | ||
181 | [krl.c] | ||
182 | skip serial lookup when cert's serial number is zero | ||
183 | - krw@cvs.openbsd.org 2013/01/25 05:00:27 | ||
184 | [krl.c] | ||
185 | Revert last. Breaks due to likely typo. Let djm@ fix later. | ||
186 | ok djm@ via dlg@ | ||
187 | - djm@cvs.openbsd.org 2013/01/25 10:22:19 | ||
188 | [krl.c] | ||
189 | redo last commit without the vi-vomit that snuck in: | ||
190 | skip serial lookup when cert's serial number is zero | ||
191 | (now with 100% better comment) | ||
192 | - djm@cvs.openbsd.org 2013/01/26 06:11:05 | ||
193 | [Makefile.in acss.c acss.h cipher-acss.c cipher.c] | ||
194 | [openbsd-compat/openssl-compat.h] | ||
195 | remove ACSS, now that it is gone from libcrypto too | ||
196 | - djm@cvs.openbsd.org 2013/01/27 10:06:12 | ||
197 | [krl.c] | ||
198 | actually use the xrealloc() return value; spotted by xi.wang AT gmail.com | ||
199 | - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 | ||
200 | [servconf.c sshd_config sshd_config.5] | ||
201 | Change default of MaxStartups to 10:30:100 to start doing random early | ||
202 | drop at 10 connections up to 100 connections. This will make it harder | ||
203 | to DoS as CPUs have come a long way since the original value was set | ||
204 | back in 2000. Prompted by nion at debian org, ok markus@ | ||
205 | - dtucker@cvs.openbsd.org 2013/02/06 00:22:21 | ||
206 | [auth.c] | ||
207 | Fix comment, from jfree.e1 at gmail | ||
208 | - djm@cvs.openbsd.org 2013/02/08 00:41:12 | ||
209 | [sftp.c] | ||
210 | fix NULL deref when built without libedit and control characters | ||
211 | entered as command; debugging and patch from Iain Morgan an | ||
212 | Loganaden Velvindron in bz#1956 | ||
213 | - markus@cvs.openbsd.org 2013/02/10 21:19:34 | ||
214 | [version.h] | ||
215 | openssh 6.2 | ||
216 | - djm@cvs.openbsd.org 2013/02/10 23:32:10 | ||
217 | [ssh-keygen.c] | ||
218 | append to moduli file when screening candidates rather than overwriting. | ||
219 | allows resumption of interrupted screen; patch from Christophe Garault | ||
220 | in bz#1957; ok dtucker@ | ||
221 | - djm@cvs.openbsd.org 2013/02/10 23:35:24 | ||
222 | [packet.c] | ||
223 | record "Received disconnect" messages at ERROR rather than INFO priority, | ||
224 | since they are abnormal and result in a non-zero ssh exit status; patch | ||
225 | from Iain Morgan in bz#2057; ok dtucker@ | ||
226 | - dtucker@cvs.openbsd.org 2013/02/11 21:21:58 | ||
227 | [sshd.c] | ||
228 | Add openssl version to debug output similar to the client. ok markus@ | ||
229 | - djm@cvs.openbsd.org 2013/02/11 23:58:51 | ||
230 | [regress/try-ciphers.sh] | ||
231 | remove acss here too | ||
232 | - (djm) [regress/try-ciphers.sh] clean up CVS merge botch | ||
233 | |||
234 | 20130211 | ||
235 | - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old | ||
236 | libcrypto that lacks EVP_CIPHER_CTX_ctrl | ||
237 | |||
238 | 20130208 | ||
239 | - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer; | ||
240 | patch from Iain Morgan in bz#2059 | ||
241 | - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows | ||
242 | __attribute__ on return values and work around if necessary. ok djm@ | ||
243 | |||
244 | 20130207 | ||
245 | - (djm) [configure.ac] Don't probe seccomp capability of running kernel | ||
246 | at configure time; the seccomp sandbox will fall back to rlimit at | ||
247 | runtime anyway. Patch from plautrba AT redhat.com in bz#2011 | ||
248 | |||
249 | 20130120 | ||
250 | - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h] | ||
251 | Move prototypes for replacement ciphers to openssl-compat.h; fix EVP | ||
252 | prototypes for openssl-1.0.0-fips. | ||
253 | - (djm) OpenBSD CVS Sync | ||
254 | - jmc@cvs.openbsd.org 2013/01/18 07:57:47 | ||
255 | [ssh-keygen.1] | ||
256 | tweak previous; | ||
257 | - jmc@cvs.openbsd.org 2013/01/18 07:59:46 | ||
258 | [ssh-keygen.c] | ||
259 | -u before -V in usage(); | ||
260 | - jmc@cvs.openbsd.org 2013/01/18 08:00:49 | ||
261 | [sshd_config.5] | ||
262 | tweak previous; | ||
263 | - jmc@cvs.openbsd.org 2013/01/18 08:39:04 | ||
264 | [ssh-keygen.1] | ||
265 | add -Q to the options list; ok djm | ||
266 | - jmc@cvs.openbsd.org 2013/01/18 21:48:43 | ||
267 | [ssh-keygen.1] | ||
268 | command-line (adj.) -> command line (n.); | ||
269 | - jmc@cvs.openbsd.org 2013/01/19 07:13:25 | ||
270 | [ssh-keygen.1] | ||
271 | fix some formatting; ok djm | ||
272 | - markus@cvs.openbsd.org 2013/01/19 12:34:55 | ||
273 | [krl.c] | ||
274 | RB_INSERT does not remove existing elments; ok djm@ | ||
275 | - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer | ||
276 | version. | ||
277 | - (djm) [regress/krl.sh] replacement for jot; most platforms lack it | ||
278 | |||
279 | 20130118 | ||
280 | - (djm) OpenBSD CVS Sync | ||
281 | - djm@cvs.openbsd.org 2013/01/17 23:00:01 | ||
282 | [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] | ||
283 | [krl.c krl.h PROTOCOL.krl] | ||
284 | add support for Key Revocation Lists (KRLs). These are a compact way to | ||
285 | represent lists of revoked keys and certificates, taking as little as | ||
286 | a single bit of incremental cost to revoke a certificate by serial number. | ||
287 | KRLs are loaded via the existing RevokedKeys sshd_config option. | ||
288 | feedback and ok markus@ | ||
289 | - djm@cvs.openbsd.org 2013/01/18 00:45:29 | ||
290 | [regress/Makefile regress/cert-userkey.sh regress/krl.sh] | ||
291 | Tests for Key Revocation Lists (KRLs) | ||
292 | - djm@cvs.openbsd.org 2013/01/18 03:00:32 | ||
293 | [krl.c] | ||
294 | fix KRL generation bug for list sections | ||
295 | |||
296 | 20130117 | ||
297 | - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] | ||
298 | check for GCM support before testing GCM ciphers. | ||
299 | |||
300 | 20130112 | ||
301 | - (djm) OpenBSD CVS Sync | ||
302 | - djm@cvs.openbsd.org 2013/01/12 11:22:04 | ||
303 | [cipher.c] | ||
304 | improve error message for integrity failure in AES-GCM modes; ok markus@ | ||
305 | - djm@cvs.openbsd.org 2013/01/12 11:23:53 | ||
306 | [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] | ||
307 | test AES-GCM modes; feedback markus@ | ||
308 | - (djm) [regress/integrity.sh] repair botched merge | ||
309 | |||
310 | 20130109 | ||
311 | - (djm) OpenBSD CVS Sync | ||
312 | - dtucker@cvs.openbsd.org 2012/12/14 05:26:43 | ||
313 | [auth.c] | ||
314 | use correct string in error message; from rustybsd at gmx.fr | ||
315 | - djm@cvs.openbsd.org 2013/01/02 00:32:07 | ||
316 | [clientloop.c mux.c] | ||
317 | channel_setup_local_fwd_listener() returns 0 on failure, not -ve | ||
318 | bz#2055 reported by mathieu.lacage AT gmail.com | ||
319 | - djm@cvs.openbsd.org 2013/01/02 00:33:49 | ||
320 | [PROTOCOL.agent] | ||
321 | correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED | ||
322 | bz#2051 from david AT lechnology.com | ||
323 | - djm@cvs.openbsd.org 2013/01/03 05:49:36 | ||
324 | [servconf.h] | ||
325 | add a couple of ServerOptions members that should be copied to the privsep | ||
326 | child (for consistency, in this case they happen only to be accessed in | ||
327 | the monitor); ok dtucker@ | ||
328 | - djm@cvs.openbsd.org 2013/01/03 12:49:01 | ||
329 | [PROTOCOL] | ||
330 | fix description of MAC calculation for EtM modes; ok markus@ | ||
331 | - djm@cvs.openbsd.org 2013/01/03 12:54:49 | ||
332 | [sftp-server.8 sftp-server.c] | ||
333 | allow specification of an alternate start directory for sftp-server(8) | ||
334 | "I like this" markus@ | ||
335 | - djm@cvs.openbsd.org 2013/01/03 23:22:58 | ||
336 | [ssh-keygen.c] | ||
337 | allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... | ||
338 | ok markus@ | ||
339 | - jmc@cvs.openbsd.org 2013/01/04 19:26:38 | ||
340 | [sftp-server.8 sftp-server.c] | ||
341 | sftp-server.8: add argument name to -d | ||
342 | sftp-server.c: add -d to usage() | ||
343 | ok djm | ||
344 | - markus@cvs.openbsd.org 2013/01/08 18:49:04 | ||
345 | [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] | ||
346 | [myproposal.h packet.c ssh_config.5 sshd_config.5] | ||
347 | support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) | ||
348 | ok and feedback djm@ | ||
349 | - djm@cvs.openbsd.org 2013/01/09 05:40:17 | ||
350 | [ssh-keygen.c] | ||
351 | correctly initialise fingerprint type for fingerprinting PKCS#11 keys | ||
352 | - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h] | ||
353 | Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little | ||
354 | cipher compat code to openssl-compat.h | ||
355 | |||
356 | 20121217 | ||
357 | - (dtucker) [Makefile.in] Add some scaffolding so that the new regress | ||
358 | tests will work with VPATH directories. | ||
359 | |||
360 | 20121213 | ||
361 | - (djm) OpenBSD CVS Sync | ||
362 | - markus@cvs.openbsd.org 2012/12/12 16:45:52 | ||
363 | [packet.c] | ||
364 | reset incoming_packet buffer for each new packet in EtM-case, too; | ||
365 | this happens if packets are parsed only parially (e.g. ignore | ||
366 | messages sent when su/sudo turn off echo); noted by sthen/millert | ||
367 | - naddy@cvs.openbsd.org 2012/12/12 16:46:10 | ||
368 | [cipher.c] | ||
369 | use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled | ||
370 | counter mode code; ok djm@ | ||
371 | - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our | ||
372 | compat code for older OpenSSL | ||
373 | - (djm) [cipher.c] Fix missing prototype for compat code | ||
374 | |||
375 | 20121212 | ||
376 | - (djm) OpenBSD CVS Sync | ||
377 | - markus@cvs.openbsd.org 2012/12/11 22:16:21 | ||
378 | [monitor.c] | ||
379 | drain the log messages after receiving the keystate from the unpriv | ||
380 | child. otherwise it might block while sending. ok djm@ | ||
381 | - markus@cvs.openbsd.org 2012/12/11 22:31:18 | ||
382 | [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] | ||
383 | [packet.c ssh_config.5 sshd_config.5] | ||
384 | add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms | ||
385 | that change the packet format and compute the MAC over the encrypted | ||
386 | message (including the packet size) instead of the plaintext data; | ||
387 | these EtM modes are considered more secure and used by default. | ||
388 | feedback and ok djm@ | ||
389 | - sthen@cvs.openbsd.org 2012/12/11 22:51:45 | ||
390 | [mac.c] | ||
391 | fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@ | ||
392 | - markus@cvs.openbsd.org 2012/12/11 22:32:56 | ||
393 | [regress/try-ciphers.sh] | ||
394 | add etm modes | ||
395 | - markus@cvs.openbsd.org 2012/12/11 22:42:11 | ||
396 | [regress/Makefile regress/modpipe.c regress/integrity.sh] | ||
397 | test the integrity of the packets; with djm@ | ||
398 | - markus@cvs.openbsd.org 2012/12/11 23:12:13 | ||
399 | [try-ciphers.sh] | ||
400 | add hmac-ripemd160-etm@openssh.com | ||
401 | - (djm) [mac.c] fix merge botch | ||
402 | - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test | ||
403 | work on platforms without 'jot' | ||
404 | - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip | ||
405 | - (djm) [regress/Makefile] fix t-exec rule | ||
406 | |||
407 | 20121207 | ||
408 | - (dtucker) OpenBSD CVS Sync | ||
409 | - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 | ||
410 | [regress/keys-command.sh] | ||
411 | Fix some problems with the keys-command test: | ||
412 | - use string comparison rather than numeric comparison | ||
413 | - check for existing KEY_COMMAND file and don't clobber if it exists | ||
414 | - clean up KEY_COMMAND file if we do create it. | ||
415 | - check that KEY_COMMAND is executable (which it won't be if eg /var/run | ||
416 | is mounted noexec). | ||
417 | ok djm. | ||
418 | - jmc@cvs.openbsd.org 2012/12/03 08:33:03 | ||
419 | [ssh-add.1 sshd_config.5] | ||
420 | tweak previous; | ||
421 | - markus@cvs.openbsd.org 2012/12/05 15:42:52 | ||
422 | [ssh-add.c] | ||
423 | prevent double-free of comment; ok djm@ | ||
424 | - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 | ||
425 | [serverloop.c] | ||
426 | Cast signal to int for logging. A no-op on openbsd (they're always ints) | ||
427 | but will prevent warnings in portable. ok djm@ | ||
428 | |||
429 | 20121205 | ||
430 | - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. | ||
431 | |||
432 | 20121203 | ||
433 | - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get | ||
434 | TAILQ_FOREACH_SAFE needed for upcoming changes. | ||
435 | - (djm) OpenBSD CVS Sync | ||
436 | - djm@cvs.openbsd.org 2012/12/02 20:26:11 | ||
437 | [ssh_config.5 sshconnect2.c] | ||
438 | Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. | ||
439 | This allows control of which keys are offered from tokens using | ||
440 | IdentityFile. ok markus@ | ||
441 | - djm@cvs.openbsd.org 2012/12/02 20:42:15 | ||
442 | [ssh-add.1 ssh-add.c] | ||
443 | make deleting explicit keys "ssh-add -d" symmetric with adding keys - | ||
444 | try to delete the corresponding certificate too and respect the -k option | ||
445 | to allow deleting of the key only; feedback and ok markus@ | ||
446 | - djm@cvs.openbsd.org 2012/12/02 20:46:11 | ||
447 | [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] | ||
448 | [sshd_config.5] | ||
449 | make AllowTcpForwarding accept "local" and "remote" in addition to its | ||
450 | current "yes"/"no" to allow the server to specify whether just local or | ||
451 | remote TCP forwarding is enabled. ok markus@ | ||
452 | - dtucker@cvs.openbsd.org 2012/10/05 02:20:48 | ||
453 | [regress/cipher-speed.sh regress/try-ciphers.sh] | ||
454 | Add umac-128@openssh.com to the list of MACs to be tested | ||
455 | - djm@cvs.openbsd.org 2012/10/19 05:10:42 | ||
456 | [regress/cert-userkey.sh] | ||
457 | include a serial number when generating certs | ||
458 | - djm@cvs.openbsd.org 2012/11/22 22:49:30 | ||
459 | [regress/Makefile regress/keys-command.sh] | ||
460 | regress for AuthorizedKeysCommand; hints from markus@ | ||
461 | - djm@cvs.openbsd.org 2012/12/02 20:47:48 | ||
462 | [Makefile regress/forward-control.sh] | ||
463 | regress for AllowTcpForwarding local/remote; ok markus@ | ||
464 | - djm@cvs.openbsd.org 2012/12/03 00:14:06 | ||
465 | [auth2-chall.c ssh-keygen.c] | ||
466 | Fix compilation with -Wall -Werror (trivial type fixes) | ||
467 | - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation | ||
468 | debugging. ok dtucker@ | ||
469 | - (djm) [configure.ac] Revert previous. configure.ac already does this | ||
470 | for us. | ||
471 | |||
472 | 20121114 | ||
473 | - (djm) OpenBSD CVS Sync | ||
474 | - djm@cvs.openbsd.org 2012/11/14 02:24:27 | ||
475 | [auth2-pubkey.c] | ||
476 | fix username passed to helper program | ||
477 | prepare stdio fds before closefrom() | ||
478 | spotted by landry@ | ||
479 | - djm@cvs.openbsd.org 2012/11/14 02:32:15 | ||
480 | [ssh-keygen.c] | ||
481 | allow the full range of unsigned serial numbers; 'fine' deraadt@ | ||
482 | - djm@cvs.openbsd.org 2012/12/02 20:34:10 | ||
483 | [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] | ||
484 | [monitor.c monitor.h] | ||
485 | Fixes logging of partial authentication when privsep is enabled | ||
486 | Previously, we recorded "Failed xxx" since we reset authenticated before | ||
487 | calling auth_log() in auth2.c. This adds an explcit "Partial" state. | ||
488 | |||
489 | Add a "submethod" to auth_log() to report which submethod is used | ||
490 | for keyboard-interactive. | ||
491 | |||
492 | Fix multiple authentication when one of the methods is | ||
493 | keyboard-interactive. | ||
494 | |||
495 | ok markus@ | ||
496 | - dtucker@cvs.openbsd.org 2012/10/05 02:05:30 | ||
497 | [regress/multiplex.sh] | ||
498 | Use 'kill -0' to test for the presence of a pid since it's more portable | ||
499 | |||
500 | 20121107 | ||
501 | - (djm) OpenBSD CVS Sync | ||
502 | - eric@cvs.openbsd.org 2011/11/28 08:46:27 | ||
503 | [moduli.5] | ||
504 | fix formula | ||
505 | ok djm@ | ||
506 | - jmc@cvs.openbsd.org 2012/09/26 17:34:38 | ||
507 | [moduli.5] | ||
508 | last stage of rfc changes, using consistent Rs/Re blocks, and moving the | ||
509 | references into a STANDARDS section; | ||
510 | |||
511 | 20121105 | ||
512 | - (dtucker) [uidswap.c openbsd-compat/Makefile.in | ||
513 | openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h | ||
514 | openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids | ||
515 | and gids from uidswap.c to the compat library, which allows it to work with | ||
516 | the new setresuid calls in auth2-pubkey. with tim@, ok djm@ | ||
517 | - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that | ||
518 | don't have it. Spotted by tim@. | ||
519 | |||
520 | 20121104 | ||
521 | - (djm) OpenBSD CVS Sync | ||
522 | - jmc@cvs.openbsd.org 2012/10/31 08:04:50 | ||
523 | [sshd_config.5] | ||
524 | tweak previous; | ||
525 | - djm@cvs.openbsd.org 2012/11/04 10:38:43 | ||
526 | [auth2-pubkey.c sshd.c sshd_config.5] | ||
527 | Remove default of AuthorizedCommandUser. Administrators are now expected | ||
528 | to explicitly specify a user. feedback and ok markus@ | ||
529 | - djm@cvs.openbsd.org 2012/11/04 11:09:15 | ||
530 | [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] | ||
531 | [sshd_config.5] | ||
532 | Support multiple required authentication via an AuthenticationMethods | ||
533 | option. This option lists one or more comma-separated lists of | ||
534 | authentication method names. Successful completion of all the methods in | ||
535 | any list is required for authentication to complete; | ||
536 | feedback and ok markus@ | ||
537 | |||
538 | 20121030 | ||
539 | - (djm) OpenBSD CVS Sync | ||
540 | - markus@cvs.openbsd.org 2012/10/05 12:34:39 | ||
541 | [sftp.c] | ||
542 | fix signed vs unsigned warning; feedback & ok: djm@ | ||
543 | - djm@cvs.openbsd.org 2012/10/30 21:29:55 | ||
544 | [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] | ||
545 | [sshd.c sshd_config sshd_config.5] | ||
546 | new sshd_config option AuthorizedKeysCommand to support fetching | ||
547 | authorized_keys from a command in addition to (or instead of) from | ||
548 | the filesystem. The command is run as the target server user unless | ||
549 | another specified via a new AuthorizedKeysCommandUser option. | ||
550 | |||
551 | patch originally by jchadima AT redhat.com, reworked by me; feedback | ||
552 | and ok markus@ | ||
553 | |||
554 | 20121019 | ||
555 | - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in | ||
556 | the generated file as intended. | ||
557 | |||
558 | 20121005 | ||
559 | - (dtucker) OpenBSD CVS Sync | ||
560 | - djm@cvs.openbsd.org 2012/09/17 09:54:44 | ||
561 | [sftp.c] | ||
562 | an XXX for later | ||
563 | - markus@cvs.openbsd.org 2012/09/17 13:04:11 | ||
564 | [packet.c] | ||
565 | clear old keys on rekeing; ok djm | ||
566 | - dtucker@cvs.openbsd.org 2012/09/18 10:36:12 | ||
567 | [sftp.c] | ||
568 | Add bounds check on sftp tab-completion. Part of a patch from from | ||
569 | Jean-Marc Robert via tech@, ok djm | ||
570 | - dtucker@cvs.openbsd.org 2012/09/21 10:53:07 | ||
571 | [sftp.c] | ||
572 | Fix improper handling of absolute paths when PWD is part of the completed | ||
573 | path. Patch from Jean-Marc Robert via tech@, ok djm. | ||
574 | - dtucker@cvs.openbsd.org 2012/09/21 10:55:04 | ||
575 | [sftp.c] | ||
576 | Fix handling of filenames containing escaped globbing characters and | ||
577 | escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm. | ||
578 | - jmc@cvs.openbsd.org 2012/09/26 16:12:13 | ||
579 | [ssh.1] | ||
580 | last stage of rfc changes, using consistent Rs/Re blocks, and moving the | ||
581 | references into a STANDARDS section; | ||
582 | - naddy@cvs.openbsd.org 2012/10/01 13:59:51 | ||
583 | [monitor_wrap.c] | ||
584 | pasto; ok djm@ | ||
585 | - djm@cvs.openbsd.org 2012/10/02 07:07:45 | ||
586 | [ssh-keygen.c] | ||
587 | fix -z option, broken in revision 1.215 | ||
588 | - markus@cvs.openbsd.org 2012/10/04 13:21:50 | ||
589 | [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] | ||
590 | add umac128 variant; ok djm@ at n2k12 | ||
591 | - dtucker@cvs.openbsd.org 2012/09/06 04:11:07 | ||
592 | [regress/try-ciphers.sh] | ||
593 | Restore missing space. (Id sync only). | ||
594 | - dtucker@cvs.openbsd.org 2012/09/09 11:51:25 | ||
595 | [regress/multiplex.sh] | ||
596 | Add test for ssh -Ostop | ||
597 | - dtucker@cvs.openbsd.org 2012/09/10 00:49:21 | ||
598 | [regress/multiplex.sh] | ||
599 | Log -O cmd output to the log file and make logging consistent with the | ||
600 | other tests. Test clean shutdown of an existing channel when testing | ||
601 | "stop". | ||
602 | - dtucker@cvs.openbsd.org 2012/09/10 01:51:19 | ||
603 | [regress/multiplex.sh] | ||
604 | use -Ocheck and waiting for completions by PID to make multiplexing test | ||
605 | less racy and (hopefully) more reliable on slow hardware. | ||
606 | - [Makefile umac.c] Add special-case target to build umac128.o. | ||
607 | - [umac.c] Enforce allowed umac output sizes. From djm@. | ||
608 | - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom". | ||
609 | |||
610 | 20120917 | ||
611 | - (dtucker) OpenBSD CVS Sync | ||
612 | - dtucker@cvs.openbsd.org 2012/09/13 23:37:36 | ||
613 | [servconf.c] | ||
614 | Fix comment line length | ||
615 | - markus@cvs.openbsd.org 2012/09/14 16:51:34 | ||
616 | [sshconnect.c] | ||
617 | remove unused variable | ||
618 | |||
619 | 20120907 | ||
620 | - (dtucker) OpenBSD CVS Sync | ||
621 | - dtucker@cvs.openbsd.org 2012/09/06 09:50:13 | ||
622 | [clientloop.c] | ||
623 | Make the escape command help (~?) context sensitive so that only commands | ||
624 | that will work in the current session are shown. ok markus@ | ||
625 | - jmc@cvs.openbsd.org 2012/09/06 13:57:42 | ||
626 | [ssh.1] | ||
627 | missing letter in previous; | ||
628 | - dtucker@cvs.openbsd.org 2012/09/07 00:30:19 | ||
629 | [clientloop.c] | ||
630 | Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@ | ||
631 | - dtucker@cvs.openbsd.org 2012/09/07 01:10:21 | ||
632 | [clientloop.c] | ||
633 | Merge escape help text for ~v and ~V; ok djm@ | ||
634 | - dtucker@cvs.openbsd.org 2012/09/07 06:34:21 | ||
635 | [clientloop.c] | ||
636 | when muxmaster is run with -N, make it shut down gracefully when a client | ||
637 | sends it "-O stop" rather than hanging around (bz#1985). ok djm@ | ||
638 | |||
639 | 20120906 | ||
640 | - (dtucker) OpenBSD CVS Sync | ||
641 | - jmc@cvs.openbsd.org 2012/08/15 18:25:50 | ||
642 | [ssh-keygen.1] | ||
643 | a little more info on certificate validity; | ||
644 | requested by Ross L Richardson, and provided by djm | ||
645 | - dtucker@cvs.openbsd.org 2012/08/17 00:45:45 | ||
646 | [clientloop.c clientloop.h mux.c] | ||
647 | Force a clean shutdown of ControlMaster client sessions when the ~. escape | ||
648 | sequence is used. This means that ~. should now work in mux clients even | ||
649 | if the server is no longer responding. Found by tedu, ok djm. | ||
650 | - djm@cvs.openbsd.org 2012/08/17 01:22:56 | ||
651 | [kex.c] | ||
652 | add some comments about better handling first-KEX-follows notifications | ||
653 | from the server. Nothing uses these right now. No binary change | ||
654 | - djm@cvs.openbsd.org 2012/08/17 01:25:58 | ||
655 | [ssh-keygen.c] | ||
656 | print details of which host lines were deleted when using | ||
657 | "ssh-keygen -R host"; ok markus@ | ||
658 | - djm@cvs.openbsd.org 2012/08/17 01:30:00 | ||
659 | [compat.c sshconnect.c] | ||
660 | Send client banner immediately, rather than waiting for the server to | ||
661 | move first for SSH protocol 2 connections (the default). Patch based on | ||
662 | one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@ | ||
663 | - dtucker@cvs.openbsd.org 2012/09/06 04:37:39 | ||
664 | [clientloop.c log.c ssh.1 log.h] | ||
665 | Add ~v and ~V escape sequences to raise and lower the logging level | ||
666 | respectively. Man page help from jmc, ok deraadt jmc | ||
667 | |||
668 | 20120830 | ||
669 | - (dtucker) [moduli] Import new moduli file. | ||
670 | |||
1 | 20120828 | 671 | 20120828 |
2 | - (djm) Release openssh-6.1 | 672 | - (djm) Release openssh-6.1 |
3 | 673 | ||
@@ -172,6 +842,7 @@ | |||
172 | [dns.c dns.h key.c key.h ssh-keygen.c] | 842 | [dns.c dns.h key.c key.h ssh-keygen.c] |
173 | add support for RFC6594 SSHFP DNS records for ECDSA key types. | 843 | add support for RFC6594 SSHFP DNS records for ECDSA key types. |
174 | patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ | 844 | patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ |
845 | (Original authors Ondřej Surý, Ondřej Caletka and Daniel Black) | ||
175 | - djm@cvs.openbsd.org 2012/06/01 00:49:35 | 846 | - djm@cvs.openbsd.org 2012/06/01 00:49:35 |
176 | [PROTOCOL.mux] | 847 | [PROTOCOL.mux] |
177 | correct types of port numbers (integers, not strings); bz#2004 from | 848 | correct types of port numbers (integers, not strings); bz#2004 from |
@@ -89,7 +89,7 @@ http://nlnetlabs.nl/projects/ldns/ | |||
89 | Autoconf: | 89 | Autoconf: |
90 | 90 | ||
91 | If you modify configure.ac or configure doesn't exist (eg if you checked | 91 | If you modify configure.ac or configure doesn't exist (eg if you checked |
92 | the code out of CVS yourself) then you will need autoconf-2.61 to rebuild | 92 | the code out of CVS yourself) then you will need autoconf-2.68 to rebuild |
93 | the automatically generated files by running "autoreconf". Earlier | 93 | the automatically generated files by running "autoreconf". Earlier |
94 | versions may also work but this is not guaranteed. | 94 | versions may also work but this is not guaranteed. |
95 | 95 | ||
@@ -266,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at | |||
266 | http://www.openssh.com/ | 266 | http://www.openssh.com/ |
267 | 267 | ||
268 | 268 | ||
269 | $Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $ | 269 | $Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $ |
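--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $
+# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -39,13 +39,15 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
--D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \
+-D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
 
 CC=@CC@
 LD=@LD@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+K5LIBS=@K5LIBS@
+GSSLIBS=@GSSLIBS@
 SSHLIBS=@SSHLIBS@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
@@ -63,8 +65,8 @@ MANFMT=@MANFMT@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
 
-LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
-canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+canohost.o channels.o cipher.o cipher-aes.o \
 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
 log.o match.o md-sha256.o moduli.o nchan.o packet.o \
@@ -73,8 +75,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 kexgssc.o \
-msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
-schnorr.o ssh-pkcs11.o
+msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+jpake.o schnorr.o ssh-pkcs11.o krl.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -143,10 +145,10 @@ libssh.a: $(LIBSSH_OBJS)
 $(RANLIB) $@
 
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
+$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
 
 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
+$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -202,6 +204,13 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
 moduli:
 echo
 
+# special case target for umac128
+umac128.o: umac.c
+$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
+-DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
+-Dumac_update=umac128_update -Dumac_final=umac128_final \
+-Dumac_delete=umac128_delete
+
 clean: regressclean
 rm -f *.o *.a $(TARGETS) logintest config.cache config.log
 rm -f *.out core survey
@@ -384,7 +393,12 @@ uninstall:
 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
-tests interop-tests: $(TARGETS)
+regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
+$(CC) $(CPPFLAGS) -o $@ $? \
+$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
 BUILDDIR=`pwd`; \
 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
 [ -f `pwd`/regress/Makefile ] || \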
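Review bot: The new `regress/modpipe$(EXEEXT)` rule links against `-lssh` and `-lopenbsd-compat` but lists only `$(srcdir)/regress/modpipe.c` as a prerequisite, so a parallel build or a direct `make regress/modpipe` can reach the link step before the libraries exist. I would declare them, `regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c libssh.a $(LIBCOMPAT)`, and then name the source explicitly in the recipe instead of `$?`, which expands to every prerequisite newer than the target. The recipe also omits `$(CFLAGS)`, so the helper is built without whatever warning and hardening flags configure selected for the rest of the tree; `$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \` would cover both. The `tests interop-tests` recipe continues outside the hunk.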
@@ -51,6 +51,46 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic | |||
51 | curve points encoded using point compression are NOT accepted or | 51 | curve points encoded using point compression are NOT accepted or |
52 | generated. | 52 | generated. |
53 | 53 | ||
54 | 1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms | ||
55 | |||
56 | OpenSSH supports MAC algorithms, whose names contain "-etm", that | ||
57 | perform the calculations in a different order to that defined in RFC | ||
58 | 4253. These variants use the so-called "encrypt then MAC" ordering, | ||
59 | calculating the MAC over the packet ciphertext rather than the | ||
60 | plaintext. This ordering closes a security flaw in the SSH transport | ||
61 | protocol, where decryption of unauthenticated ciphertext provided a | ||
62 | "decryption oracle" that could, in conjunction with cipher flaws, reveal | ||
63 | session plaintext. | ||
64 | |||
65 | Specifically, the "-etm" MAC algorithms modify the transport protocol | ||
66 | to calculate the MAC over the packet ciphertext and to send the packet | ||
67 | length unencrypted. This is necessary for the transport to obtain the | ||
68 | length of the packet and location of the MAC tag so that it may be | ||
69 | verified without decrypting unauthenticated data. | ||
70 | |||
71 | As such, the MAC covers: | ||
72 | |||
73 | mac = MAC(key, sequence_number || packet_length || encrypted_packet) | ||
74 | |||
75 | where "packet_length" is encoded as a uint32 and "encrypted_packet" | ||
76 | contains: | ||
77 | |||
78 | byte padding_length | ||
79 | byte[n1] payload; n1 = packet_length - padding_length - 1 | ||
80 | byte[n2] random padding; n2 = padding_length | ||
81 | |||
82 | 1.6 transport: AES-GCM | ||
83 | |||
84 | OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. | ||
85 | Because of problems with the specification of the key exchange | ||
86 | the behaviour of OpenSSH differs from the RFC as follows: | ||
87 | |||
88 | AES-GCM is only negotiated as the cipher algorithms | ||
89 | "aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as | ||
90 | an MAC algorithm. Additionally, if AES-GCM is selected as the cipher | ||
91 | the exchanged MAC algorithms are ignored and there doesn't have to be | ||
92 | a matching MAC. | ||
93 | |||
54 | 2. Connection protocol changes | 94 | 2. Connection protocol changes |
55 | 95 | ||
56 | 2.1. connection: Channel write close extension "eow@openssh.com" | 96 | 2.1. connection: Channel write close extension "eow@openssh.com" |
@@ -291,4 +331,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. | |||
291 | This extension is advertised in the SSH_FXP_VERSION hello with version | 331 | This extension is advertised in the SSH_FXP_VERSION hello with version |
292 | "1". | 332 | "1". |
293 | 333 | ||
294 | $OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ | 334 | $OpenBSD: PROTOCOL,v 1.20 2013/01/08 18:49:04 markus Exp $ |
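--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@@ -152,7 +152,7 @@ fully specified using just rsa_q, rsa_p and rsa_e at the cost of extra
 computation.
 
 "key_constraints" may only be present if the request type is
-SSH_AGENTC_ADD_RSA_IDENTITY.
+SSH_AGENTC_ADD_RSA_ID_CONSTRAINED.
 
 The agent will reply with a SSH_AGENT_SUCCESS if the key has been
 successfully added or a SSH_AGENT_FAILURE if an error occurred.
@@ -557,4 +557,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
 SSH_AGENT_CONSTRAIN_LIFETIME 1
 SSH_AGENT_CONSTRAIN_CONFIRM 2
 
-$OpenBSD: PROTOCOL.agent,v 1.6 2010/08/31 11:54:45 djm Exp $
+$OpenBSD: PROTOCOL.agent,v 1.7 2013/01/02 00:33:49 djm Exp $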
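--- /dev/null
+++ b/PROTOCOL.krl
@@ -0,0 +1,164 @@
+This describes the key/certificate revocation list format for OpenSSH.
+
+1. Overall format
+
+The KRL consists of a header and zero or more sections. The header is:
+
+#define KRL_MAGIC 0x5353484b524c0a00ULL /* "SSHKRL\n\0" */
+#define KRL_FORMAT_VERSION 1
+
+uint64 KRL_MAGIC
+uint32 KRL_FORMAT_VERSION
+uint64 krl_version
+uint64 generated_date
+uint64 flags
+string reserved
+string comment
+
+Where "krl_version" is a version number that increases each time the KRL
+is modified, "generated_date" is the time in seconds since 1970-01-01
+00:00:00 UTC that the KRL was generated, "comment" is an optional comment
+and "reserved" an extension field whose contents are currently ignored.
+No "flags" are currently defined.
+
+Following the header are zero or more sections, each consisting of:
+
+byte section_type
+string section_data
+
+Where "section_type" indicates the type of the "section_data". An exception
+to this is the KRL_SECTION_SIGNATURE section, that has a slightly different
+format (see below).
+
+The available section types are:
+
+#define KRL_SECTION_CERTIFICATES 1
+#define KRL_SECTION_EXPLICIT_KEY 2
+#define KRL_SECTION_FINGERPRINT_SHA1 3
+#define KRL_SECTION_SIGNATURE 4
+
+3. Certificate serial section
+
+These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
+serial number or key ID. The consist of the CA key that issued the
+certificates to be revoked and a reserved field whose contents is currently
+ignored.
+
+string ca_key
+string reserved
+
+Followed by one or more sections:
+
+byte cert_section_type
+string cert_section_data
+
+The certificate section types are:
+
+#define KRL_SECTION_CERT_SERIAL_LIST 0x20
+#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
+#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
+#define KRL_SECTION_CERT_KEY_ID 0x23
+
+2.1 Certificate serial list section
+
+This section is identified as KRL_SECTION_CERT_SERIAL_LIST. It revokes
+certificates by listing their serial numbers. The cert_section_data in this
+case contains:
+
+uint64 revoked_cert_serial
+uint64 ...
+
+This section may appear multiple times.
+
+2.2. Certificate serial range section
+
+These sections use type KRL_SECTION_CERT_SERIAL_RANGE and hold
+a range of serial numbers of certificates:
+
+uint64 serial_min
+uint64 serial_max
+
+All certificates in the range serial_min <= serial <= serial_max are
+revoked.
+
+This section may appear multiple times.
+
+2.3. Certificate serial bitmap section
+
+Bitmap sections use type KRL_SECTION_CERT_SERIAL_BITMAP and revoke keys
+by listing their serial number in a bitmap.
+
+uint64 serial_offset
+mpint revoked_keys_bitmap
+
+A bit set at index N in the bitmap corresponds to revocation of a keys with
+serial number (serial_offset + N).
+
+This section may appear multiple times.
+
+2.4. Revoked key ID sections
+
+KRL_SECTION_CERT_KEY_ID sections revoke particular certificate "key
+ID" strings. This may be useful in revoking all certificates
+associated with a particular identity, e.g. a host or a user.
+
+string key_id[0]
+...
+
+This section must contain at least one "key_id". This section may appear
+multiple times.
+
+3. Explicit key sections
+
+These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
+(not certificates). They are less space efficient than serial numbers,
+but are able to revoke plain keys.
+
+string public_key_blob[0]
+....
+
+This section must contain at least one "public_key_blob". The blob
+must be a raw key (i.e. not a certificate).
+
+This section may appear multiple times.
+
+4. SHA1 fingerprint sections
+
+These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke
+plain keys (i.e. not certificates) by listing their SHA1 hashes:
+
+string public_key_hash[0]
+....
+
+This section must contain at least one "public_key_hash". The hash blob
+is obtained by taking the SHA1 hash of the public key blob. Hashes in
+this section must appear in numeric order, treating each hash as a big-
+endian integer.
+
+This section may appear multiple times.
+
+5. KRL signature sections
+
+The KRL_SECTION_SIGNATURE section serves a different purpose to the
+preceeding ones: to provide cryptographic authentication of a KRL that
+is retrieved over a channel that does not provide integrity protection.
+Its format is slightly different to the previously-described sections:
+in order to simplify the signature generation, it includes as a "body"
+two string components instead of one.
+
+byte KRL_SECTION_SIGNATURE
+string signature_key
+string signature
+
+The signature is calculated over the entire KRL from the KRL_MAGIC
+to this subsection's "signature_key", including both and using the
+signature generation rules appropriate for the type of "signature_key".
+
+This section must appear last in the KRL. If multiple signature sections
+appear, they must appear consecutively at the end of the KRL file.
+
+Implementations that retrieve KRLs over untrusted channels must verify
+signatures. Signature sections are optional for KRLs distributed by
+trusted means.
+
+$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $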
@@ -1,4 +1,4 @@ | |||
1 | See http://www.openssh.com/txt/release-6.1 for the release notes. | 1 | See http://www.openssh.com/txt/release-6.2 for the release notes. |
2 | 2 | ||
3 | - A Japanese translation of this document and of the OpenSSH FAQ is | 3 | - A Japanese translation of this document and of the OpenSSH FAQ is |
4 | - available at http://www.unixuser.org/~haruyama/security/openssh/index.html | 4 | - available at http://www.unixuser.org/~haruyama/security/openssh/index.html |
@@ -62,4 +62,4 @@ References - | |||
62 | [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 | 62 | [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 |
63 | [7] http://www.openssh.com/faq.html | 63 | [7] http://www.openssh.com/faq.html |
64 | 64 | ||
65 | $Id: README,v 1.81 2012/08/22 11:57:13 djm Exp $ | 65 | $Id: README,v 1.82 2013/02/26 23:48:19 djm Exp $ |
diff --git a/acss.c b/acss.c deleted file mode 100644 index 86e2c01a8..000000000 --- a/acss.c +++ /dev/null | |||
@@ -1,267 +0,0 @@ | |||
1 | /* $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */ | ||
2 | /* | ||
3 | * Copyright (c) 2004 The OpenBSD project | ||
4 | * | ||
5 | * Permission to use, copy, modify, and distribute this software for any | ||
6 | * purpose with or without fee is hereby granted, provided that the above | ||
7 | * copyright notice and this permission notice appear in all copies. | ||
8 | * | ||
9 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
10 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
11 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
12 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
13 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
14 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
15 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
16 | */ | ||
17 | |||
18 | #include "includes.h" | ||
19 | |||
20 | #include <string.h> | ||
21 | |||
22 | #include <openssl/evp.h> | ||
23 | |||
24 | #if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L) | ||
25 | |||
26 | #include "acss.h" | ||
27 | |||
28 | /* decryption sbox */ | ||
29 | static unsigned char sboxdec[] = { | ||
30 | 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76, | ||
31 | 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b, | ||
32 | 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96, | ||
33 | 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b, | ||
34 | 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12, | ||
35 | 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f, | ||
36 | 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90, | ||
37 | 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91, | ||
38 | 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74, | ||
39 | 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75, | ||
40 | 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94, | ||
41 | 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95, | ||
42 | 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10, | ||
43 | 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11, | ||
44 | 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92, | ||
45 | 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f, | ||
46 | 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16, | ||
47 | 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b, | ||
48 | 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6, | ||
49 | 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb, | ||
50 | 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72, | ||
51 | 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f, | ||
52 | 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0, | ||
53 | 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1, | ||
54 | 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14, | ||
55 | 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15, | ||
56 | 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4, | ||
57 | 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5, | ||
58 | 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70, | ||
59 | 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71, | ||
60 | 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2, | ||
61 | 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff | ||
62 | }; | ||
63 | |||
64 | /* encryption sbox */ | ||
65 | static unsigned char sboxenc[] = { | ||
66 | 0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75, | ||
67 | 0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b, | ||
68 | 0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21, | ||
69 | 0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f, | ||
70 | 0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5, | ||
71 | 0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab, | ||
72 | 0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0, | ||
73 | 0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2, | ||
74 | 0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74, | ||
75 | 0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76, | ||
76 | 0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20, | ||
77 | 0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22, | ||
78 | 0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4, | ||
79 | 0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6, | ||
80 | 0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1, | ||
81 | 0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf, | ||
82 | 0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25, | ||
83 | 0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b, | ||
84 | 0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71, | ||
85 | 0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f, | ||
86 | 0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5, | ||
87 | 0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb, | ||
88 | 0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0, | ||
89 | 0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2, | ||
90 | 0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24, | ||
91 | 0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26, | ||
92 | 0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70, | ||
93 | 0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72, | ||
94 | 0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4, | ||
95 | 0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6, | ||
96 | 0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1, | ||
97 | 0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff | ||
98 | }; | ||
99 | |||
100 | static unsigned char reverse[] = { | ||
101 | 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, | ||
102 | 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, | ||
103 | 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, | ||
104 | 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, | ||
105 | 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, | ||
106 | 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, | ||
107 | 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, | ||
108 | 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, | ||
109 | 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, | ||
110 | 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, | ||
111 | 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, | ||
112 | 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, | ||
113 | 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, | ||
114 | 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, | ||
115 | 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, | ||
116 | 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, | ||
117 | 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, | ||
118 | 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, | ||
119 | 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, | ||
120 | 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, | ||
121 | 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, | ||
122 | 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, | ||
123 | 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, | ||
124 | 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, | ||
125 | 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, | ||
126 | 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, | ||
127 | 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, | ||
128 | 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, | ||
129 | 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, | ||
130 | 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, | ||
131 | 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, | ||
132 | 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff | ||
133 | }; | ||
134 | |||
135 | /* | ||
136 | * Two linear feedback shift registers are used: | ||
137 | * | ||
138 | * lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier) | ||
139 | * x^15 + x + 1 | ||
140 | * lfsr25: polynomial of degree 25, not know if primitive modulo 2 | ||
141 | * x^13 + x^5 + x^4 + x^1 + 1 | ||
142 | * | ||
143 | * Output bits are discarded, instead the feedback bits are added to produce | ||
144 | * the cipher stream. Depending on the mode, feedback bytes may be inverted | ||
145 | * bit-wise before addition. | ||
146 | * | ||
147 | * The lfsrs are seeded with bytes from the raw key: | ||
148 | * | ||
149 | * lfsr17: byte 0[0:7] at bit 9 | ||
150 | * byte 1[0:7] at bit 0 | ||
151 | * | ||
152 | * lfsr25: byte 2[0:4] at bit 16 | ||
153 | * byte 2[5:7] at bit 22 | ||
154 | * byte 3[0:7] at bit 8 | ||
155 | * byte 4[0:7] at bit 0 | ||
156 | * | ||
157 | * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in | ||
158 | * lfsr25. | ||
159 | * | ||
160 | */ | ||
161 | |||
162 | int | ||
163 | acss(ACSS_KEY *key, unsigned long len, const unsigned char *in, | ||
164 | unsigned char *out) | ||
165 | { | ||
166 | unsigned long i; | ||
167 | unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp; | ||
168 | |||
169 | lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0; | ||
170 | |||
171 | /* keystream is sum of lfsrs */ | ||
172 | for (i = 0; i < len; i++) { | ||
173 | lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14); | ||
174 | key->lfsr17 = (key->lfsr17 >> 8) | ||
175 | ^ (lfsr17tmp << 9) | ||
176 | ^ (lfsr17tmp << 12) | ||
177 | ^ (lfsr17tmp << 15); | ||
178 | key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */ | ||
179 | |||
180 | lfsr25tmp = key->lfsr25 | ||
181 | ^ (key->lfsr25 >> 3) | ||
182 | ^ (key->lfsr25 >> 4) | ||
183 | ^ (key->lfsr25 >> 12); | ||
184 | key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17); | ||
185 | key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */ | ||
186 | |||
187 | lfsrsumtmp = key->lfsrsum; | ||
188 | |||
189 | /* addition */ | ||
190 | switch (key->mode) { | ||
191 | case ACSS_AUTHENTICATE: | ||
192 | case ACSS_DATA: | ||
193 | key->lfsrsum = 0xff & ~(key->lfsr17 >> 9); | ||
194 | key->lfsrsum += key->lfsr25 >> 17; | ||
195 | break; | ||
196 | case ACSS_SESSIONKEY: | ||
197 | key->lfsrsum = key->lfsr17 >> 9; | ||
198 | key->lfsrsum += key->lfsr25 >> 17; | ||
199 | break; | ||
200 | case ACSS_TITLEKEY: | ||
201 | key->lfsrsum = key->lfsr17 >> 9; | ||
202 | key->lfsrsum += 0xff & ~(key->lfsr25 >> 17); | ||
203 | break; | ||
204 | default: | ||
205 | return 1; | ||
206 | } | ||
207 | key->lfsrsum += (lfsrsumtmp >> 8); | ||
208 | |||
209 | if (key->encrypt) { | ||
210 | out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff]; | ||
211 | } else { | ||
212 | out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff; | ||
213 | } | ||
214 | } | ||
215 | |||
216 | return 0; | ||
217 | } | ||
218 | |||
219 | static void | ||
220 | acss_seed(ACSS_KEY *key) | ||
221 | { | ||
222 | int i; | ||
223 | |||
224 | /* if available, mangle with subkey */ | ||
225 | if (key->subkey_avilable) { | ||
226 | for (i = 0; i < ACSS_KEYSIZE; i++) | ||
227 | key->seed[i] = reverse[key->data[i] ^ key->subkey[i]]; | ||
228 | } else { | ||
229 | for (i = 0; i < ACSS_KEYSIZE; i++) | ||
230 | key->seed[i] = reverse[key->data[i]]; | ||
231 | } | ||
232 | |||
233 | /* seed lfsrs */ | ||
234 | key->lfsr17 = key->seed[1] | ||
235 | | (key->seed[0] << 9) | ||
236 | | (1 << 8); /* inject 1 at bit 9 */ | ||
237 | key->lfsr25 = key->seed[4] | ||
238 | | (key->seed[3] << 8) | ||
239 | | ((key->seed[2] & 0x1f) << 16) | ||
240 | | ((key->seed[2] & 0xe0) << 17) | ||
241 | | (1 << 21); /* inject 1 at bit 22 */ | ||
242 | |||
243 | key->lfsrsum = 0; | ||
244 | } | ||
245 | |||
246 | void | ||
247 | acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode) | ||
248 | { | ||
249 | memcpy(key->data, data, sizeof(key->data)); | ||
250 | memset(key->subkey, 0, sizeof(key->subkey)); | ||
251 | |||
252 | if (enc != -1) | ||
253 | key->encrypt = enc; | ||
254 | key->mode = mode; | ||
255 | key->subkey_avilable = 0; | ||
256 | |||
257 | acss_seed(key); | ||
258 | } | ||
259 | |||
260 | void | ||
261 | acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey) | ||
262 | { | ||
263 | memcpy(key->subkey, subkey, sizeof(key->subkey)); | ||
264 | key->subkey_avilable = 1; | ||
265 | acss_seed(key); | ||
266 | } | ||
267 | #endif | ||
diff --git a/acss.h b/acss.h deleted file mode 100644 index 91b489542..000000000 --- a/acss.h +++ /dev/null | |||
@@ -1,47 +0,0 @@ | |||
1 | /* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */ | ||
2 | /* | ||
3 | * Copyright (c) 2004 The OpenBSD project | ||
4 | * | ||
5 | * Permission to use, copy, modify, and distribute this software for any | ||
6 | * purpose with or without fee is hereby granted, provided that the above | ||
7 | * copyright notice and this permission notice appear in all copies. | ||
8 | * | ||
9 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
10 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
11 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
12 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
13 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
14 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
15 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
16 | */ | ||
17 | |||
18 | #ifndef _ACSS_H_ | ||
19 | #define _ACSS_H_ | ||
20 | |||
21 | /* 40bit key */ | ||
22 | #define ACSS_KEYSIZE 5 | ||
23 | |||
24 | /* modes of acss */ | ||
25 | #define ACSS_AUTHENTICATE 0 | ||
26 | #define ACSS_SESSIONKEY 1 | ||
27 | #define ACSS_TITLEKEY 2 | ||
28 | #define ACSS_DATA 3 | ||
29 | |||
30 | typedef struct acss_key_st { | ||
31 | unsigned int lfsr17; /* current state of lfsrs */ | ||
32 | unsigned int lfsr25; | ||
33 | unsigned int lfsrsum; | ||
34 | unsigned char seed[ACSS_KEYSIZE]; | ||
35 | unsigned char data[ACSS_KEYSIZE]; | ||
36 | unsigned char subkey[ACSS_KEYSIZE]; | ||
37 | int encrypt; /* XXX make these bit flags? */ | ||
38 | int mode; | ||
39 | int seeded; | ||
40 | int subkey_avilable; | ||
41 | } ACSS_KEY; | ||
42 | |||
43 | void acss_setkey(ACSS_KEY *, const unsigned char *, int, int); | ||
44 | void acss_setsubkey(ACSS_KEY *, const unsigned char *); | ||
45 | int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *); | ||
46 | |||
47 | #endif /* ifndef _ACSS_H_ */ | ||
diff --git a/auth-options.c b/auth-options.c index 146b3d174..78e8f3955 100644 --- a/auth-options.c +++ b/auth-options.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -363,7 +363,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
363 | xfree(patterns); | 363 | xfree(patterns); |
364 | goto bad_option; | 364 | goto bad_option; |
365 | } | 365 | } |
366 | if (options.allow_tcp_forwarding) | 366 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) |
367 | channel_add_permitted_opens(host, port); | 367 | channel_add_permitted_opens(host, port); |
368 | xfree(patterns); | 368 | xfree(patterns); |
369 | goto next_option; | 369 | goto next_option; |
diff --git a/auth-rsa.c b/auth-rsa.c index 99c4e882d..33cdb5dae 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */ | 1 | /* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -278,6 +278,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) | |||
278 | temporarily_use_uid(pw); | 278 | temporarily_use_uid(pw); |
279 | 279 | ||
280 | for (i = 0; !allowed && i < options.num_authkeys_files; i++) { | 280 | for (i = 0; !allowed && i < options.num_authkeys_files; i++) { |
281 | if (strcasecmp(options.authorized_keys_files[i], "none") == 0) | ||
282 | continue; | ||
281 | file = expand_authorized_keys( | 283 | file = expand_authorized_keys( |
282 | options.authorized_keys_files[i], pw); | 284 | options.authorized_keys_files[i], pw); |
283 | allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); | 285 | allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); |
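Review bot: The `none` sentinel added to the loop in auth_rsa_key_allowed is an inline `strcasecmp()` on the raw configuration entry, and the same two lines are repeated in user_key_allowed in auth2-pubkey.c. The test runs before `expand_authorized_keys()` and ignores case, so an entry spelled `None` or `NONE` is skipped as well and a relative key file with that name cannot be configured. A comment above the check would record this, for example `/* "none" (any case) disables this entry; tested before path expansion */`. A small shared helper would keep the two call sites from drifting apart. The loop body continues outside this hunk.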
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.96 2012/05/13 01:42:32 dtucker Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -72,6 +72,7 @@ | |||
72 | #endif | 72 | #endif |
73 | #include "authfile.h" | 73 | #include "authfile.h" |
74 | #include "monitor_wrap.h" | 74 | #include "monitor_wrap.h" |
75 | #include "krl.h" | ||
75 | 76 | ||
76 | /* import */ | 77 | /* import */ |
77 | extern ServerOptions options; | 78 | extern ServerOptions options; |
@@ -252,7 +253,8 @@ allowed_user(struct passwd * pw) | |||
252 | } | 253 | } |
253 | 254 | ||
254 | void | 255 | void |
255 | auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | 256 | auth_log(Authctxt *authctxt, int authenticated, int partial, |
257 | const char *method, const char *submethod, const char *info) | ||
256 | { | 258 | { |
257 | void (*authlog) (const char *fmt,...) = verbose; | 259 | void (*authlog) (const char *fmt,...) = verbose; |
258 | char *authmsg; | 260 | char *authmsg; |
@@ -269,12 +271,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | |||
269 | 271 | ||
270 | if (authctxt->postponed) | 272 | if (authctxt->postponed) |
271 | authmsg = "Postponed"; | 273 | authmsg = "Postponed"; |
274 | else if (partial) | ||
275 | authmsg = "Partial"; | ||
272 | else | 276 | else |
273 | authmsg = authenticated ? "Accepted" : "Failed"; | 277 | authmsg = authenticated ? "Accepted" : "Failed"; |
274 | 278 | ||
275 | authlog("%s %s for %s%.100s from %.200s port %d%s", | 279 | authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", |
276 | authmsg, | 280 | authmsg, |
277 | method, | 281 | method, |
282 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, | ||
278 | authctxt->valid ? "" : "invalid user ", | 283 | authctxt->valid ? "" : "invalid user ", |
279 | authctxt->user, | 284 | authctxt->user, |
280 | get_remote_ipaddr(), | 285 | get_remote_ipaddr(), |
@@ -304,7 +309,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) | |||
304 | * Check whether root logins are disallowed. | 309 | * Check whether root logins are disallowed. |
305 | */ | 310 | */ |
306 | int | 311 | int |
307 | auth_root_allowed(char *method) | 312 | auth_root_allowed(const char *method) |
308 | { | 313 | { |
309 | switch (options.permit_root_login) { | 314 | switch (options.permit_root_login) { |
310 | case PERMIT_YES: | 315 | case PERMIT_YES: |
@@ -409,40 +414,41 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
409 | return host_status; | 414 | return host_status; |
410 | } | 415 | } |
411 | 416 | ||
412 | |||
413 | /* | 417 | /* |
414 | * Check a given file for security. This is defined as all components | 418 | * Check a given path for security. This is defined as all components |
415 | * of the path to the file must be owned by either the owner of | 419 | * of the path to the file must be owned by either the owner of |
416 | * of the file or root and no directories must be group or world writable. | 420 | * of the file or root and no directories must be group or world writable. |
417 | * | 421 | * |
418 | * XXX Should any specific check be done for sym links ? | 422 | * XXX Should any specific check be done for sym links ? |
419 | * | 423 | * |
420 | * Takes an open file descriptor, the file name, a uid and and | 424 | * Takes a file name, its stat information (preferably from fstat() to |
425 | * avoid races), the uid of the expected owner, their home directory and an | ||
421 | * error buffer plus max size as arguments. | 426 | * error buffer plus max size as arguments. |
422 | * | 427 | * |
423 | * Returns 0 on success and -1 on failure | 428 | * Returns 0 on success and -1 on failure |
424 | */ | 429 | */ |
425 | static int | 430 | int |
426 | secure_filename(FILE *f, const char *file, struct passwd *pw, | 431 | auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
427 | char *err, size_t errlen) | 432 | uid_t uid, char *err, size_t errlen) |
428 | { | 433 | { |
429 | uid_t uid = pw->pw_uid; | ||
430 | char buf[MAXPATHLEN], homedir[MAXPATHLEN]; | 434 | char buf[MAXPATHLEN], homedir[MAXPATHLEN]; |
431 | char *cp; | 435 | char *cp; |
432 | int comparehome = 0; | 436 | int comparehome = 0; |
433 | struct stat st; | 437 | struct stat st; |
434 | 438 | ||
435 | if (realpath(file, buf) == NULL) { | 439 | if (realpath(name, buf) == NULL) { |
436 | snprintf(err, errlen, "realpath %s failed: %s", file, | 440 | snprintf(err, errlen, "realpath %s failed: %s", name, |
437 | strerror(errno)); | 441 | strerror(errno)); |
438 | return -1; | 442 | return -1; |
439 | } | 443 | } |
440 | if (realpath(pw->pw_dir, homedir) != NULL) | 444 | if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL) |
441 | comparehome = 1; | 445 | comparehome = 1; |
442 | 446 | ||
443 | /* check the open file to avoid races */ | 447 | if (!S_ISREG(stp->st_mode)) { |
444 | if (fstat(fileno(f), &st) < 0 || | 448 | snprintf(err, errlen, "%s is not a regular file", buf); |
445 | !secure_permissions(&st, uid)) { | 449 | return -1; |
450 | } | ||
451 | if (!secure_permissions(stp, uid)) { | ||
446 | snprintf(err, errlen, "bad ownership or modes for file %s", | 452 | snprintf(err, errlen, "bad ownership or modes for file %s", |
447 | buf); | 453 | buf); |
448 | return -1; | 454 | return -1; |
@@ -477,6 +483,27 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
477 | return 0; | 483 | return 0; |
478 | } | 484 | } |
479 | 485 | ||
486 | /* | ||
487 | * Version of secure_path() that accepts an open file descriptor to | ||
488 | * avoid races. | ||
489 | * | ||
490 | * Returns 0 on success and -1 on failure | ||
491 | */ | ||
492 | static int | ||
493 | secure_filename(FILE *f, const char *file, struct passwd *pw, | ||
494 | char *err, size_t errlen) | ||
495 | { | ||
496 | struct stat st; | ||
497 | |||
498 | /* check the open file to avoid races */ | ||
499 | if (fstat(fileno(f), &st) < 0) { | ||
500 | snprintf(err, errlen, "cannot stat file %s: %s", | ||
501 | file, strerror(errno)); | ||
502 | return -1; | ||
503 | } | ||
504 | return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen); | ||
505 | } | ||
506 | |||
480 | static FILE * | 507 | static FILE * |
481 | auth_openfile(const char *file, struct passwd *pw, int strict_modes, | 508 | auth_openfile(const char *file, struct passwd *pw, int strict_modes, |
482 | int log_missing, char *file_type) | 509 | int log_missing, char *file_type) |
@@ -636,7 +663,16 @@ auth_key_is_revoked(Key *key, int hostkey) | |||
636 | 663 | ||
637 | if (options.revoked_keys_file == NULL) | 664 | if (options.revoked_keys_file == NULL) |
638 | return 0; | 665 | return 0; |
639 | 666 | switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { | |
667 | case 0: | ||
668 | return 0; /* Not revoked */ | ||
669 | case -2: | ||
670 | break; /* Not a KRL */ | ||
671 | default: | ||
672 | goto revoked; | ||
673 | } | ||
674 | debug3("%s: treating %s as a key list", __func__, | ||
675 | options.revoked_keys_file); | ||
640 | switch (key_in_file(key, options.revoked_keys_file, 0)) { | 676 | switch (key_in_file(key, options.revoked_keys_file, 0)) { |
641 | case 0: | 677 | case 0: |
642 | /* key not revoked */ | 678 | /* key not revoked */ |
@@ -647,6 +683,7 @@ auth_key_is_revoked(Key *key, int hostkey) | |||
647 | "authentication"); | 683 | "authentication"); |
648 | return 1; | 684 | return 1; |
649 | case 1: | 685 | case 1: |
686 | revoked: | ||
650 | /* Key revoked */ | 687 | /* Key revoked */ |
651 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | 688 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
652 | error("WARNING: authentication attempt with a revoked " | 689 | error("WARNING: authentication attempt with a revoked " |
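Review bot: In auth_key_is_revoked the new `default: goto revoked;` arm sends every result of `ssh_krl_file_contains_key()` other than 0 and -2 to the label that logs an authentication attempt with a revoked key. Rejecting on an unexpected result is the safe direction. But if the helper reports a read or parse failure through the same path (its definition is not shown here), a damaged revocation file would be logged as a revoked-key attempt on every login and would mislead log review. At minimum document the mapping on the arm, `default: /* revoked, or the KRL could not be checked: fail closed */`, and consider wording the log line so it covers both cases. Separately, the comment above the new `secure_filename()` wrapper refers to `secure_path()`, but the function added in this section is `auth_secure_path()`. The function body continues outside the hunk.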
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.h,v 1.69 2011/05/23 03:30:07 djm Exp $ */ | 1 | /* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -65,6 +65,8 @@ struct Authctxt { | |||
65 | #ifdef BSD_AUTH | 65 | #ifdef BSD_AUTH |
66 | auth_session_t *as; | 66 | auth_session_t *as; |
67 | #endif | 67 | #endif |
68 | char **auth_methods; /* modified from server config */ | ||
69 | u_int num_auth_methods; | ||
68 | #ifdef KRB5 | 70 | #ifdef KRB5 |
69 | krb5_context krb5_ctx; | 71 | krb5_context krb5_ctx; |
70 | krb5_ccache krb5_fwd_ccache; | 72 | krb5_ccache krb5_fwd_ccache; |
@@ -121,6 +123,10 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); | |||
121 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 123 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
122 | int user_key_allowed(struct passwd *, Key *); | 124 | int user_key_allowed(struct passwd *, Key *); |
123 | 125 | ||
126 | struct stat; | ||
127 | int auth_secure_path(const char *, struct stat *, const char *, uid_t, | ||
128 | char *, size_t); | ||
129 | |||
124 | #ifdef KRB5 | 130 | #ifdef KRB5 |
125 | int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); | 131 | int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); |
126 | int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); | 132 | int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); |
@@ -143,12 +149,17 @@ void disable_forwarding(void); | |||
143 | void do_authentication(Authctxt *); | 149 | void do_authentication(Authctxt *); |
144 | void do_authentication2(Authctxt *); | 150 | void do_authentication2(Authctxt *); |
145 | 151 | ||
146 | void auth_log(Authctxt *, int, char *, char *); | 152 | void auth_log(Authctxt *, int, int, const char *, const char *, |
147 | void userauth_finish(Authctxt *, int, char *); | 153 | const char *); |
154 | void userauth_finish(Authctxt *, int, const char *, const char *); | ||
155 | int auth_root_allowed(const char *); | ||
156 | |||
148 | void userauth_send_banner(const char *); | 157 | void userauth_send_banner(const char *); |
149 | int auth_root_allowed(char *); | ||
150 | 158 | ||
151 | char *auth2_read_banner(void); | 159 | char *auth2_read_banner(void); |
160 | int auth2_methods_valid(const char *, int); | ||
161 | int auth2_update_methods_lists(Authctxt *, const char *); | ||
162 | int auth2_setup_methods_lists(Authctxt *); | ||
152 | 163 | ||
153 | void privsep_challenge_enable(void); | 164 | void privsep_challenge_enable(void); |
154 | 165 | ||
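Review bot: The new `auth_log` prototype takes two adjacent unnamed `int` parameters followed by three unnamed `const char *` parameters, so a caller that swaps `authenticated` and `partial`, or `submethod` and `info`, still compiles cleanly. Naming the parameters in the header makes the order checkable at the call sites touched elsewhere in this commit: `void auth_log(Authctxt *, int authenticated, int partial, const char *method, const char *submethod, const char *info);`. The same applies to `auth_secure_path`, whose two `const char *` arguments are the path and the home directory as defined in auth.c.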
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth1.c,v 1.75 2010/08/31 09:58:37 djm Exp $ */ | 1 | /* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt) | |||
253 | if (options.use_pam && (PRIVSEP(do_pam_account()))) | 253 | if (options.use_pam && (PRIVSEP(do_pam_account()))) |
254 | #endif | 254 | #endif |
255 | { | 255 | { |
256 | auth_log(authctxt, 1, "without authentication", ""); | 256 | auth_log(authctxt, 1, 0, "without authentication", |
257 | NULL, ""); | ||
257 | return; | 258 | return; |
258 | } | 259 | } |
259 | } | 260 | } |
@@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt) | |||
352 | 353 | ||
353 | skip: | 354 | skip: |
354 | /* Log before sending the reply */ | 355 | /* Log before sending the reply */ |
355 | auth_log(authctxt, authenticated, get_authname(type), info); | 356 | auth_log(authctxt, authenticated, 0, get_authname(type), |
357 | NULL, info); | ||
356 | 358 | ||
357 | if (client_user != NULL) { | 359 | if (client_user != NULL) { |
358 | xfree(client_user); | 360 | xfree(client_user); |
@@ -412,6 +414,11 @@ do_authentication(Authctxt *authctxt) | |||
412 | authctxt->pw = fakepw(); | 414 | authctxt->pw = fakepw(); |
413 | } | 415 | } |
414 | 416 | ||
417 | /* Configuration may have changed as a result of Match */ | ||
418 | if (options.num_auth_methods != 0) | ||
419 | fatal("AuthenticationMethods is not supported with SSH " | ||
420 | "protocol 1"); | ||
421 | |||
415 | setproctitle("%s%s", authctxt->valid ? user : "unknown", | 422 | setproctitle("%s%s", authctxt->valid ? user : "unknown", |
416 | use_privsep ? " [net]" : ""); | 423 | use_privsep ? " [net]" : ""); |
417 | 424 | ||
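Review bot: The comment above the new `fatal()` in do_authentication says only that the configuration may have changed, not why the connection must be dropped. The check exists so that a Match block setting AuthenticationMethods cannot be bypassed by a protocol 1 login, which has no way to enforce a list of required methods. Stating that keeps a later cleanup from downgrading the call to a warning. A suggested comment: `/* Match may have set AuthenticationMethods; protocol 1 cannot enforce it, so refuse rather than authenticate with fewer methods */`. The function continues outside this hunk.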
diff --git a/auth2-chall.c b/auth2-chall.c index e6dbffe22..6505d4009 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */ | 1 | /* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2001 Per Allansson. All rights reserved. | 4 | * Copyright (c) 2001 Per Allansson. All rights reserved. |
@@ -283,7 +283,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
283 | KbdintAuthctxt *kbdintctxt; | 283 | KbdintAuthctxt *kbdintctxt; |
284 | int authenticated = 0, res; | 284 | int authenticated = 0, res; |
285 | u_int i, nresp; | 285 | u_int i, nresp; |
286 | char **response = NULL, *method; | 286 | const char *devicename = NULL; |
287 | char **response = NULL; | ||
287 | 288 | ||
288 | if (authctxt == NULL) | 289 | if (authctxt == NULL) |
289 | fatal("input_userauth_info_response: no authctxt"); | 290 | fatal("input_userauth_info_response: no authctxt"); |
@@ -329,9 +330,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
329 | /* Failure! */ | 330 | /* Failure! */ |
330 | break; | 331 | break; |
331 | } | 332 | } |
332 | 333 | devicename = kbdintctxt->device->name; | |
333 | xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name); | ||
334 | |||
335 | if (!authctxt->postponed) { | 334 | if (!authctxt->postponed) { |
336 | if (authenticated) { | 335 | if (authenticated) { |
337 | auth2_challenge_stop(authctxt); | 336 | auth2_challenge_stop(authctxt); |
@@ -341,8 +340,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
341 | auth2_challenge_start(authctxt); | 340 | auth2_challenge_start(authctxt); |
342 | } | 341 | } |
343 | } | 342 | } |
344 | userauth_finish(authctxt, authenticated, method); | 343 | userauth_finish(authctxt, authenticated, "keyboard-interactive", |
345 | xfree(method); | 344 | devicename); |
346 | } | 345 | } |
347 | 346 | ||
348 | void | 347 | void |
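Review bot: `devicename` in input_userauth_info_response now borrows `kbdintctxt->device->name` and is read by `userauth_finish()` after `auth2_challenge_stop(authctxt)` may have run, whereas the removed code copied the name with `xasprintf()` first. This is safe only if the device name outlives the keyboard-interactive context, for instance because device descriptors are static tables. That is not visible in this hunk and should be confirmed. A comment at the assignment would record the assumption: `/* borrowed: device->name must remain valid after auth2_challenge_stop() */`.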
diff --git a/auth2-gss.c b/auth2-gss.c index 7dc87dba4..17d4a3a84 100644 --- a/auth2-gss.c +++ b/auth2-gss.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ | 1 | /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
@@ -197,7 +197,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) | |||
197 | } | 197 | } |
198 | authctxt->postponed = 0; | 198 | authctxt->postponed = 0; |
199 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 199 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
200 | userauth_finish(authctxt, 0, "gssapi-with-mic"); | 200 | userauth_finish(authctxt, 0, "gssapi-with-mic", NULL); |
201 | } else { | 201 | } else { |
202 | if (send_tok.length != 0) { | 202 | if (send_tok.length != 0) { |
203 | packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); | 203 | packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); |
@@ -286,7 +286,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | |||
286 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); | 286 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
287 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); | 287 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); |
288 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | 288 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
289 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 289 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
290 | } | 290 | } |
291 | 291 | ||
292 | static void | 292 | static void |
@@ -327,7 +327,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | |||
327 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); | 327 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
328 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); | 328 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); |
329 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | 329 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
330 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 330 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
331 | } | 331 | } |
332 | 332 | ||
333 | Authmethod method_gsskeyex = { | 333 | Authmethod method_gsskeyex = { |
diff --git a/auth2-jpake.c b/auth2-jpake.c index a460e8216..ed0eba47b 100644 --- a/auth2-jpake.c +++ b/auth2-jpake.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */ | 1 | /* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 3 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
4 | * | 4 | * |
@@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt) | |||
556 | authctxt->postponed = 0; | 556 | authctxt->postponed = 0; |
557 | jpake_free(authctxt->jpake_ctx); | 557 | jpake_free(authctxt->jpake_ctx); |
558 | authctxt->jpake_ctx = NULL; | 558 | authctxt->jpake_ctx = NULL; |
559 | userauth_finish(authctxt, authenticated, method_jpake.name); | 559 | userauth_finish(authctxt, authenticated, method_jpake.name, NULL); |
560 | } | 560 | } |
561 | 561 | ||
562 | #endif /* JPAKE */ | 562 | #endif /* JPAKE */ |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index d42ba14b8..f980b0dad 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -27,9 +27,15 @@ | |||
27 | 27 | ||
28 | #include <sys/types.h> | 28 | #include <sys/types.h> |
29 | #include <sys/stat.h> | 29 | #include <sys/stat.h> |
30 | #include <sys/wait.h> | ||
30 | 31 | ||
32 | #include <errno.h> | ||
31 | #include <fcntl.h> | 33 | #include <fcntl.h> |
34 | #ifdef HAVE_PATHS_H | ||
35 | # include <paths.h> | ||
36 | #endif | ||
32 | #include <pwd.h> | 37 | #include <pwd.h> |
38 | #include <signal.h> | ||
33 | #include <stdio.h> | 39 | #include <stdio.h> |
34 | #include <stdarg.h> | 40 | #include <stdarg.h> |
35 | #include <string.h> | 41 | #include <string.h> |
@@ -241,7 +247,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) | |||
241 | if (strcmp(cp, cert->principals[i]) == 0) { | 247 | if (strcmp(cp, cert->principals[i]) == 0) { |
242 | debug3("matched principal \"%.100s\" " | 248 | debug3("matched principal \"%.100s\" " |
243 | "from file \"%s\" on line %lu", | 249 | "from file \"%s\" on line %lu", |
244 | cert->principals[i], file, linenum); | 250 | cert->principals[i], file, linenum); |
245 | if (auth_parse_options(pw, line_opts, | 251 | if (auth_parse_options(pw, line_opts, |
246 | file, linenum) != 1) | 252 | file, linenum) != 1) |
247 | continue; | 253 | continue; |
@@ -254,31 +260,22 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) | |||
254 | fclose(f); | 260 | fclose(f); |
255 | restore_uid(); | 261 | restore_uid(); |
256 | return 0; | 262 | return 0; |
257 | } | 263 | } |
258 | 264 | ||
259 | /* return 1 if user allows given key */ | 265 | /* |
266 | * Checks whether key is allowed in authorized_keys-format file, | ||
267 | * returns 1 if the key is allowed or 0 otherwise. | ||
268 | */ | ||
260 | static int | 269 | static int |
261 | user_key_allowed2(struct passwd *pw, Key *key, char *file) | 270 | check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) |
262 | { | 271 | { |
263 | char line[SSH_MAX_PUBKEY_BYTES]; | 272 | char line[SSH_MAX_PUBKEY_BYTES]; |
264 | const char *reason; | 273 | const char *reason; |
265 | int found_key = 0; | 274 | int found_key = 0; |
266 | FILE *f; | ||
267 | u_long linenum = 0; | 275 | u_long linenum = 0; |
268 | Key *found; | 276 | Key *found; |
269 | char *fp; | 277 | char *fp; |
270 | 278 | ||
271 | /* Temporarily use the user's uid. */ | ||
272 | temporarily_use_uid(pw); | ||
273 | |||
274 | debug("trying public key file %s", file); | ||
275 | f = auth_openkeyfile(file, pw, options.strict_modes); | ||
276 | |||
277 | if (!f) { | ||
278 | restore_uid(); | ||
279 | return 0; | ||
280 | } | ||
281 | |||
282 | found_key = 0; | 279 | found_key = 0; |
283 | found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); | 280 | found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); |
284 | 281 | ||
@@ -373,8 +370,6 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
373 | break; | 370 | break; |
374 | } | 371 | } |
375 | } | 372 | } |
376 | restore_uid(); | ||
377 | fclose(f); | ||
378 | key_free(found); | 373 | key_free(found); |
379 | if (!found_key) | 374 | if (!found_key) |
380 | debug2("key not found"); | 375 | debug2("key not found"); |
@@ -437,7 +432,180 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) | |||
437 | return ret; | 432 | return ret; |
438 | } | 433 | } |
439 | 434 | ||
440 | /* check whether given key is in .ssh/authorized_keys* */ | 435 | /* |
436 | * Checks whether key is allowed in file. | ||
437 | * returns 1 if the key is allowed or 0 otherwise. | ||
438 | */ | ||
439 | static int | ||
440 | user_key_allowed2(struct passwd *pw, Key *key, char *file) | ||
441 | { | ||
442 | FILE *f; | ||
443 | int found_key = 0; | ||
444 | |||
445 | /* Temporarily use the user's uid. */ | ||
446 | temporarily_use_uid(pw); | ||
447 | |||
448 | debug("trying public key file %s", file); | ||
449 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) { | ||
450 | found_key = check_authkeys_file(f, file, key, pw); | ||
451 | fclose(f); | ||
452 | } | ||
453 | |||
454 | restore_uid(); | ||
455 | return found_key; | ||
456 | } | ||
457 | |||
458 | /* | ||
459 | * Checks whether key is allowed in output of command. | ||
460 | * returns 1 if the key is allowed or 0 otherwise. | ||
461 | */ | ||
462 | static int | ||
463 | user_key_command_allowed2(struct passwd *user_pw, Key *key) | ||
464 | { | ||
465 | FILE *f; | ||
466 | int ok, found_key = 0; | ||
467 | struct passwd *pw; | ||
468 | struct stat st; | ||
469 | int status, devnull, p[2], i; | ||
470 | pid_t pid; | ||
471 | char *username, errmsg[512]; | ||
472 | |||
473 | if (options.authorized_keys_command == NULL || | ||
474 | options.authorized_keys_command[0] != '/') | ||
475 | return 0; | ||
476 | |||
477 | if (options.authorized_keys_command_user == NULL) { | ||
478 | error("No user for AuthorizedKeysCommand specified, skipping"); | ||
479 | return 0; | ||
480 | } | ||
481 | |||
482 | username = percent_expand(options.authorized_keys_command_user, | ||
483 | "u", user_pw->pw_name, (char *)NULL); | ||
484 | pw = getpwnam(username); | ||
485 | if (pw == NULL) { | ||
486 | error("AuthorizedKeysCommandUser \"%s\" not found: %s", | ||
487 | username, strerror(errno)); | ||
488 | free(username); | ||
489 | return 0; | ||
490 | } | ||
491 | free(username); | ||
492 | |||
493 | temporarily_use_uid(pw); | ||
494 | |||
495 | if (stat(options.authorized_keys_command, &st) < 0) { | ||
496 | error("Could not stat AuthorizedKeysCommand \"%s\": %s", | ||
497 | options.authorized_keys_command, strerror(errno)); | ||
498 | goto out; | ||
499 | } | ||
500 | if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, | ||
501 | errmsg, sizeof(errmsg)) != 0) { | ||
502 | error("Unsafe AuthorizedKeysCommand: %s", errmsg); | ||
503 | goto out; | ||
504 | } | ||
505 | |||
506 | if (pipe(p) != 0) { | ||
507 | error("%s: pipe: %s", __func__, strerror(errno)); | ||
508 | goto out; | ||
509 | } | ||
510 | |||
511 | debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"", | ||
512 | options.authorized_keys_command, user_pw->pw_name, pw->pw_name); | ||
513 | |||
514 | /* | ||
515 | * Don't want to call this in the child, where it can fatal() and | ||
516 | * run cleanup_exit() code. | ||
517 | */ | ||
518 | restore_uid(); | ||
519 | |||
520 | switch ((pid = fork())) { | ||
521 | case -1: /* error */ | ||
522 | error("%s: fork: %s", __func__, strerror(errno)); | ||
523 | close(p[0]); | ||
524 | close(p[1]); | ||
525 | return 0; | ||
526 | case 0: /* child */ | ||
527 | for (i = 0; i < NSIG; i++) | ||
528 | signal(i, SIG_DFL); | ||
529 | |||
530 | if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { | ||
531 | error("%s: open %s: %s", __func__, _PATH_DEVNULL, | ||
532 | strerror(errno)); | ||
533 | _exit(1); | ||
534 | } | ||
535 | /* Keep stderr around a while longer to catch errors */ | ||
536 | if (dup2(devnull, STDIN_FILENO) == -1 || | ||
537 | dup2(p[1], STDOUT_FILENO) == -1) { | ||
538 | error("%s: dup2: %s", __func__, strerror(errno)); | ||
539 | _exit(1); | ||
540 | } | ||
541 | closefrom(STDERR_FILENO + 1); | ||
542 | |||
543 | /* Don't use permanently_set_uid() here to avoid fatal() */ | ||
544 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { | ||
545 | error("setresgid %u: %s", (u_int)pw->pw_gid, | ||
546 | strerror(errno)); | ||
547 | _exit(1); | ||
548 | } | ||
549 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { | ||
550 | error("setresuid %u: %s", (u_int)pw->pw_uid, | ||
551 | strerror(errno)); | ||
552 | _exit(1); | ||
553 | } | ||
554 | /* stdin is pointed to /dev/null at this point */ | ||
555 | if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { | ||
556 | error("%s: dup2: %s", __func__, strerror(errno)); | ||
557 | _exit(1); | ||
558 | } | ||
559 | |||
560 | execl(options.authorized_keys_command, | ||
561 | options.authorized_keys_command, user_pw->pw_name, NULL); | ||
562 | |||
563 | error("AuthorizedKeysCommand %s exec failed: %s", | ||
564 | options.authorized_keys_command, strerror(errno)); | ||
565 | _exit(127); | ||
566 | default: /* parent */ | ||
567 | break; | ||
568 | } | ||
569 | |||
570 | temporarily_use_uid(pw); | ||
571 | |||
572 | close(p[1]); | ||
573 | if ((f = fdopen(p[0], "r")) == NULL) { | ||
574 | error("%s: fdopen: %s", __func__, strerror(errno)); | ||
575 | close(p[0]); | ||
576 | /* Don't leave zombie child */ | ||
577 | kill(pid, SIGTERM); | ||
578 | while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) | ||
579 | ; | ||
580 | goto out; | ||
581 | } | ||
582 | ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); | ||
583 | fclose(f); | ||
584 | |||
585 | while (waitpid(pid, &status, 0) == -1) { | ||
586 | if (errno != EINTR) { | ||
587 | error("%s: waitpid: %s", __func__, strerror(errno)); | ||
588 | goto out; | ||
589 | } | ||
590 | } | ||
591 | if (WIFSIGNALED(status)) { | ||
592 | error("AuthorizedKeysCommand %s exited on signal %d", | ||
593 | options.authorized_keys_command, WTERMSIG(status)); | ||
594 | goto out; | ||
595 | } else if (WEXITSTATUS(status) != 0) { | ||
596 | error("AuthorizedKeysCommand %s returned status %d", | ||
597 | options.authorized_keys_command, WEXITSTATUS(status)); | ||
598 | goto out; | ||
599 | } | ||
600 | found_key = ok; | ||
601 | out: | ||
602 | restore_uid(); | ||
603 | return found_key; | ||
604 | } | ||
605 | |||
606 | /* | ||
607 | * Check whether key authenticates and authorises the user. | ||
608 | */ | ||
441 | int | 609 | int |
442 | user_key_allowed(struct passwd *pw, Key *key) | 610 | user_key_allowed(struct passwd *pw, Key *key) |
443 | { | 611 | { |
@@ -454,9 +622,17 @@ user_key_allowed(struct passwd *pw, Key *key) | |||
454 | if (success) | 622 | if (success) |
455 | return success; | 623 | return success; |
456 | 624 | ||
625 | success = user_key_command_allowed2(pw, key); | ||
626 | if (success > 0) | ||
627 | return success; | ||
628 | |||
457 | for (i = 0; !success && i < options.num_authkeys_files; i++) { | 629 | for (i = 0; !success && i < options.num_authkeys_files; i++) { |
630 | |||
631 | if (strcasecmp(options.authorized_keys_files[i], "none") == 0) | ||
632 | continue; | ||
458 | file = expand_authorized_keys( | 633 | file = expand_authorized_keys( |
459 | options.authorized_keys_files[i], pw); | 634 | options.authorized_keys_files[i], pw); |
635 | |||
460 | success = user_key_allowed2(pw, key, file); | 636 | success = user_key_allowed2(pw, key, file); |
461 | xfree(file); | 637 | xfree(file); |
462 | } | 638 | } |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */ | 1 | /* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -98,8 +98,10 @@ static void input_service_request(int, u_int32_t, void *); | |||
98 | static void input_userauth_request(int, u_int32_t, void *); | 98 | static void input_userauth_request(int, u_int32_t, void *); |
99 | 99 | ||
100 | /* helper */ | 100 | /* helper */ |
101 | static Authmethod *authmethod_lookup(const char *); | 101 | static Authmethod *authmethod_lookup(Authctxt *, const char *); |
102 | static char *authmethods_get(void); | 102 | static char *authmethods_get(Authctxt *authctxt); |
103 | static int method_allowed(Authctxt *, const char *); | ||
104 | static int list_starts_with(const char *, const char *); | ||
103 | 105 | ||
104 | char * | 106 | char * |
105 | auth2_read_banner(void) | 107 | auth2_read_banner(void) |
@@ -263,6 +265,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
263 | if (use_privsep) | 265 | if (use_privsep) |
264 | mm_inform_authserv(service, style, role); | 266 | mm_inform_authserv(service, style, role); |
265 | userauth_banner(); | 267 | userauth_banner(); |
268 | if (auth2_setup_methods_lists(authctxt) != 0) | ||
269 | packet_disconnect("no authentication methods enabled"); | ||
266 | } else if (strcmp(user, authctxt->user) != 0 || | 270 | } else if (strcmp(user, authctxt->user) != 0 || |
267 | strcmp(service, authctxt->service) != 0) { | 271 | strcmp(service, authctxt->service) != 0) { |
268 | packet_disconnect("Change of username or service not allowed: " | 272 | packet_disconnect("Change of username or service not allowed: " |
@@ -285,12 +289,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
285 | authctxt->server_caused_failure = 0; | 289 | authctxt->server_caused_failure = 0; |
286 | 290 | ||
287 | /* try to authenticate user */ | 291 | /* try to authenticate user */ |
288 | m = authmethod_lookup(method); | 292 | m = authmethod_lookup(authctxt, method); |
289 | if (m != NULL && authctxt->failures < options.max_authtries) { | 293 | if (m != NULL && authctxt->failures < options.max_authtries) { |
290 | debug2("input_userauth_request: try method %s", method); | 294 | debug2("input_userauth_request: try method %s", method); |
291 | authenticated = m->userauth(authctxt); | 295 | authenticated = m->userauth(authctxt); |
292 | } | 296 | } |
293 | userauth_finish(authctxt, authenticated, method); | 297 | userauth_finish(authctxt, authenticated, method, NULL); |
294 | 298 | ||
295 | xfree(service); | 299 | xfree(service); |
296 | xfree(user); | 300 | xfree(user); |
@@ -298,13 +302,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
298 | } | 302 | } |
299 | 303 | ||
300 | void | 304 | void |
301 | userauth_finish(Authctxt *authctxt, int authenticated, char *method) | 305 | userauth_finish(Authctxt *authctxt, int authenticated, const char *method, |
306 | const char *submethod) | ||
302 | { | 307 | { |
303 | char *methods; | 308 | char *methods; |
309 | int partial = 0; | ||
304 | 310 | ||
305 | if (!authctxt->valid && authenticated) | 311 | if (!authctxt->valid && authenticated) |
306 | fatal("INTERNAL ERROR: authenticated invalid user %s", | 312 | fatal("INTERNAL ERROR: authenticated invalid user %s", |
307 | authctxt->user); | 313 | authctxt->user); |
314 | if (authenticated && authctxt->postponed) | ||
315 | fatal("INTERNAL ERROR: authenticated and postponed"); | ||
308 | 316 | ||
309 | /* Special handling for root */ | 317 | /* Special handling for root */ |
310 | if (authenticated && authctxt->pw->pw_uid == 0 && | 318 | if (authenticated && authctxt->pw->pw_uid == 0 && |
@@ -315,6 +323,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
315 | #endif | 323 | #endif |
316 | } | 324 | } |
317 | 325 | ||
326 | if (authenticated && options.num_auth_methods != 0) { | ||
327 | if (!auth2_update_methods_lists(authctxt, method)) { | ||
328 | authenticated = 0; | ||
329 | partial = 1; | ||
330 | } | ||
331 | } | ||
332 | |||
333 | /* Log before sending the reply */ | ||
334 | auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); | ||
335 | |||
336 | if (authctxt->postponed) | ||
337 | return; | ||
338 | |||
318 | #ifdef USE_PAM | 339 | #ifdef USE_PAM |
319 | if (options.use_pam && authenticated) { | 340 | if (options.use_pam && authenticated) { |
320 | if (!PRIVSEP(do_pam_account())) { | 341 | if (!PRIVSEP(do_pam_account())) { |
@@ -333,17 +354,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
333 | #ifdef _UNICOS | 354 | #ifdef _UNICOS |
334 | if (authenticated && cray_access_denied(authctxt->user)) { | 355 | if (authenticated && cray_access_denied(authctxt->user)) { |
335 | authenticated = 0; | 356 | authenticated = 0; |
336 | fatal("Access denied for user %s.",authctxt->user); | 357 | fatal("Access denied for user %s.", authctxt->user); |
337 | } | 358 | } |
338 | #endif /* _UNICOS */ | 359 | #endif /* _UNICOS */ |
339 | 360 | ||
340 | /* Log before sending the reply */ | ||
341 | auth_log(authctxt, authenticated, method, " ssh2"); | ||
342 | |||
343 | if (authctxt->postponed) | ||
344 | return; | ||
345 | |||
346 | /* XXX todo: check if multiple auth methods are needed */ | ||
347 | if (authenticated == 1) { | 361 | if (authenticated == 1) { |
348 | /* turn off userauth */ | 362 | /* turn off userauth */ |
349 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); | 363 | dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); |
@@ -364,34 +378,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
364 | #endif | 378 | #endif |
365 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); | 379 | packet_disconnect(AUTH_FAIL_MSG, authctxt->user); |
366 | } | 380 | } |
367 | methods = authmethods_get(); | 381 | methods = authmethods_get(authctxt); |
382 | debug3("%s: failure partial=%d next methods=\"%s\"", __func__, | ||
383 | partial, methods); | ||
368 | packet_start(SSH2_MSG_USERAUTH_FAILURE); | 384 | packet_start(SSH2_MSG_USERAUTH_FAILURE); |
369 | packet_put_cstring(methods); | 385 | packet_put_cstring(methods); |
370 | packet_put_char(0); /* XXX partial success, unused */ | 386 | packet_put_char(partial); |
371 | packet_send(); | 387 | packet_send(); |
372 | packet_write_wait(); | 388 | packet_write_wait(); |
373 | xfree(methods); | 389 | xfree(methods); |
374 | } | 390 | } |
375 | } | 391 | } |
376 | 392 | ||
393 | /* | ||
394 | * Checks whether method is allowed by at least one AuthenticationMethods | ||
395 | * methods list. Returns 1 if allowed, or no methods lists configured. | ||
396 | * 0 otherwise. | ||
397 | */ | ||
398 | static int | ||
399 | method_allowed(Authctxt *authctxt, const char *method) | ||
400 | { | ||
401 | u_int i; | ||
402 | |||
403 | /* | ||
404 | * NB. authctxt->num_auth_methods might be zero as a result of | ||
405 | * auth2_setup_methods_lists(), so check the configuration. | ||
406 | */ | ||
407 | if (options.num_auth_methods == 0) | ||
408 | return 1; | ||
409 | for (i = 0; i < authctxt->num_auth_methods; i++) { | ||
410 | if (list_starts_with(authctxt->auth_methods[i], method)) | ||
411 | return 1; | ||
412 | } | ||
413 | return 0; | ||
414 | } | ||
415 | |||
377 | static char * | 416 | static char * |
378 | authmethods_get(void) | 417 | authmethods_get(Authctxt *authctxt) |
379 | { | 418 | { |
380 | Buffer b; | 419 | Buffer b; |
381 | char *list; | 420 | char *list; |
382 | int i; | 421 | u_int i; |
383 | 422 | ||
384 | buffer_init(&b); | 423 | buffer_init(&b); |
385 | for (i = 0; authmethods[i] != NULL; i++) { | 424 | for (i = 0; authmethods[i] != NULL; i++) { |
386 | if (strcmp(authmethods[i]->name, "none") == 0) | 425 | if (strcmp(authmethods[i]->name, "none") == 0) |
387 | continue; | 426 | continue; |
388 | if (authmethods[i]->enabled != NULL && | 427 | if (authmethods[i]->enabled == NULL || |
389 | *(authmethods[i]->enabled) != 0) { | 428 | *(authmethods[i]->enabled) == 0) |
390 | if (buffer_len(&b) > 0) | 429 | continue; |
391 | buffer_append(&b, ",", 1); | 430 | if (!method_allowed(authctxt, authmethods[i]->name)) |
392 | buffer_append(&b, authmethods[i]->name, | 431 | continue; |
393 | strlen(authmethods[i]->name)); | 432 | if (buffer_len(&b) > 0) |
394 | } | 433 | buffer_append(&b, ",", 1); |
434 | buffer_append(&b, authmethods[i]->name, | ||
435 | strlen(authmethods[i]->name)); | ||
395 | } | 436 | } |
396 | buffer_append(&b, "\0", 1); | 437 | buffer_append(&b, "\0", 1); |
397 | list = xstrdup(buffer_ptr(&b)); | 438 | list = xstrdup(buffer_ptr(&b)); |
@@ -400,7 +441,7 @@ authmethods_get(void) | |||
400 | } | 441 | } |
401 | 442 | ||
402 | static Authmethod * | 443 | static Authmethod * |
403 | authmethod_lookup(const char *name) | 444 | authmethod_lookup(Authctxt *authctxt, const char *name) |
404 | { | 445 | { |
405 | int i; | 446 | int i; |
406 | 447 | ||
@@ -408,10 +449,154 @@ authmethod_lookup(const char *name) | |||
408 | for (i = 0; authmethods[i] != NULL; i++) | 449 | for (i = 0; authmethods[i] != NULL; i++) |
409 | if (authmethods[i]->enabled != NULL && | 450 | if (authmethods[i]->enabled != NULL && |
410 | *(authmethods[i]->enabled) != 0 && | 451 | *(authmethods[i]->enabled) != 0 && |
411 | strcmp(name, authmethods[i]->name) == 0) | 452 | strcmp(name, authmethods[i]->name) == 0 && |
453 | method_allowed(authctxt, authmethods[i]->name)) | ||
412 | return authmethods[i]; | 454 | return authmethods[i]; |
413 | debug2("Unrecognized authentication method name: %s", | 455 | debug2("Unrecognized authentication method name: %s", |
414 | name ? name : "NULL"); | 456 | name ? name : "NULL"); |
415 | return NULL; | 457 | return NULL; |
416 | } | 458 | } |
417 | 459 | ||
460 | /* | ||
461 | * Check a comma-separated list of methods for validity. Is need_enable is | ||
462 | * non-zero, then also require that the methods are enabled. | ||
463 | * Returns 0 on success or -1 if the methods list is invalid. | ||
464 | */ | ||
465 | int | ||
466 | auth2_methods_valid(const char *_methods, int need_enable) | ||
467 | { | ||
468 | char *methods, *omethods, *method; | ||
469 | u_int i, found; | ||
470 | int ret = -1; | ||
471 | |||
472 | if (*_methods == '\0') { | ||
473 | error("empty authentication method list"); | ||
474 | return -1; | ||
475 | } | ||
476 | omethods = methods = xstrdup(_methods); | ||
477 | while ((method = strsep(&methods, ",")) != NULL) { | ||
478 | for (found = i = 0; !found && authmethods[i] != NULL; i++) { | ||
479 | if (strcmp(method, authmethods[i]->name) != 0) | ||
480 | continue; | ||
481 | if (need_enable) { | ||
482 | if (authmethods[i]->enabled == NULL || | ||
483 | *(authmethods[i]->enabled) == 0) { | ||
484 | error("Disabled method \"%s\" in " | ||
485 | "AuthenticationMethods list \"%s\"", | ||
486 | method, _methods); | ||
487 | goto out; | ||
488 | } | ||
489 | } | ||
490 | found = 1; | ||
491 | break; | ||
492 | } | ||
493 | if (!found) { | ||
494 | error("Unknown authentication method \"%s\" in list", | ||
495 | method); | ||
496 | goto out; | ||
497 | } | ||
498 | } | ||
499 | ret = 0; | ||
500 | out: | ||
501 | free(omethods); | ||
502 | return ret; | ||
503 | } | ||
504 | |||
505 | /* | ||
506 | * Prune the AuthenticationMethods supplied in the configuration, removing | ||
507 | * any methods lists that include disabled methods. Note that this might | ||
508 | * leave authctxt->num_auth_methods == 0, even when multiple required auth | ||
509 | * has been requested. For this reason, all tests for whether multiple is | ||
510 | * enabled should consult options.num_auth_methods directly. | ||
511 | */ | ||
512 | int | ||
513 | auth2_setup_methods_lists(Authctxt *authctxt) | ||
514 | { | ||
515 | u_int i; | ||
516 | |||
517 | if (options.num_auth_methods == 0) | ||
518 | return 0; | ||
519 | debug3("%s: checking methods", __func__); | ||
520 | authctxt->auth_methods = xcalloc(options.num_auth_methods, | ||
521 | sizeof(*authctxt->auth_methods)); | ||
522 | authctxt->num_auth_methods = 0; | ||
523 | for (i = 0; i < options.num_auth_methods; i++) { | ||
524 | if (auth2_methods_valid(options.auth_methods[i], 1) != 0) { | ||
525 | logit("Authentication methods list \"%s\" contains " | ||
526 | "disabled method, skipping", | ||
527 | options.auth_methods[i]); | ||
528 | continue; | ||
529 | } | ||
530 | debug("authentication methods list %d: %s", | ||
531 | authctxt->num_auth_methods, options.auth_methods[i]); | ||
532 | authctxt->auth_methods[authctxt->num_auth_methods++] = | ||
533 | xstrdup(options.auth_methods[i]); | ||
534 | } | ||
535 | if (authctxt->num_auth_methods == 0) { | ||
536 | error("No AuthenticationMethods left after eliminating " | ||
537 | "disabled methods"); | ||
538 | return -1; | ||
539 | } | ||
540 | return 0; | ||
541 | } | ||
542 | |||
543 | static int | ||
544 | list_starts_with(const char *methods, const char *method) | ||
545 | { | ||
546 | size_t l = strlen(method); | ||
547 | |||
548 | if (strncmp(methods, method, l) != 0) | ||
549 | return 0; | ||
550 | if (methods[l] != ',' && methods[l] != '\0') | ||
551 | return 0; | ||
552 | return 1; | ||
553 | } | ||
554 | |||
555 | /* | ||
556 | * Remove method from the start of a comma-separated list of methods. | ||
557 | * Returns 0 if the list of methods did not start with that method or 1 | ||
558 | * if it did. | ||
559 | */ | ||
560 | static int | ||
561 | remove_method(char **methods, const char *method) | ||
562 | { | ||
563 | char *omethods = *methods; | ||
564 | size_t l = strlen(method); | ||
565 | |||
566 | if (!list_starts_with(omethods, method)) | ||
567 | return 0; | ||
568 | *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); | ||
569 | free(omethods); | ||
570 | return 1; | ||
571 | } | ||
572 | |||
573 | /* | ||
574 | * Called after successful authentication. Will remove the successful method | ||
575 | * from the start of each list in which it occurs. If it was the last method | ||
576 | * in any list, then authentication is deemed successful. | ||
577 | * Returns 1 if the method completed any authentication list or 0 otherwise. | ||
578 | */ | ||
579 | int | ||
580 | auth2_update_methods_lists(Authctxt *authctxt, const char *method) | ||
581 | { | ||
582 | u_int i, found = 0; | ||
583 | |||
584 | debug3("%s: updating methods list after \"%s\"", __func__, method); | ||
585 | for (i = 0; i < authctxt->num_auth_methods; i++) { | ||
586 | if (!remove_method(&(authctxt->auth_methods[i]), method)) | ||
587 | continue; | ||
588 | found = 1; | ||
589 | if (*authctxt->auth_methods[i] == '\0') { | ||
590 | debug2("authentication methods list %d complete", i); | ||
591 | return 1; | ||
592 | } | ||
593 | debug3("authentication methods list %d remaining: \"%s\"", | ||
594 | i, authctxt->auth_methods[i]); | ||
595 | } | ||
596 | /* This should not happen, but would be bad if it did */ | ||
597 | if (!found) | ||
598 | fatal("%s: method not in AuthenticationMethods", __func__); | ||
599 | return 0; | ||
600 | } | ||
601 | |||
602 | |||
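Review bot: In userauth_finish() the auth_log() call now runs before the USE_PAM and _UNICOS account checks instead of after them, so the entry records the method result only and a later denial is not reflected in it. In the _UNICOS branch visible here, `fatal("Access denied for user %s.", authctxt->user);` is reached after the entry has already been written with authenticated set; the body of the PAM branch lies outside the hunk, so whether it behaves the same way needs confirming. I would say so at the call, e.g. `/* Logged before the PAM/UNICOS account checks below, which may still deny access */`, so that anyone alerting on these entries knows an accepted line is not the final decision. Separately, authmethod_lookup() still falls through to `Unrecognized authentication method name` when a known, enabled method is rejected by the new method_allowed() test; a distinct debug message for that case would make AuthenticationMethods misconfigurations easier to diagnose.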
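--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -151,7 +151,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
 cipher_set_key_string(&ciphercontext, cipher, passphrase,
 CIPHER_ENCRYPT);
 cipher_crypt(&ciphercontext, cp,
-buffer_ptr(&buffer), buffer_len(&buffer));
+buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
 cipher_cleanup(&ciphercontext);
 memset(&ciphercontext, 0, sizeof(ciphercontext));
 
@@ -475,7 +475,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
 cipher_set_key_string(&ciphercontext, cipher, passphrase,
 CIPHER_DECRYPT);
 cipher_crypt(&ciphercontext, cp,
-buffer_ptr(©), buffer_len(©));
+buffer_ptr(©), buffer_len(©), 0, 0);
 cipher_cleanup(&ciphercontext);
 memset(&ciphercontext, 0, sizeof(ciphercontext));
 buffer_free(©);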
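--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -337,17 +337,17 @@ then
 else
 if [ "\${USE_SYM_LINKS}" = yes ]
 then
-[ "$RCS_D" = yes ] && \
+[ "$RCS_D" = yes ] && \\
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-[ "$RC1_D" = no ] || \
+[ "$RC1_D" = no ] || \\
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 else
-[ "$RCS_D" = yes ] && \
+[ "$RCS_D" = yes ] && \\
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-[ "$RC1_D" = no ] || \
+[ "$RC1_D" = no ] || \\
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 fi
@@ -538,10 +538,10 @@ then
 PRE_INS_STOP=no
 POST_INS_START=no
 # determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid ] && \
+if [ -s ${piddir}/sshd.pid ] && \\
 /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
 then
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
 case \$ans in
 [y,Y]*) PRE_INS_STOP=yes
@@ -552,7 +552,7 @@ then
 else
 
 # determine if we should start sshd
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
 case \$ans in
 [y,Y]*) POST_INS_START=yes ;;
@@ -573,7 +573,7 @@ USE_SYM_LINKS=no
 PRE_INS_STOP=no
 POST_INS_START=no
 # Use symbolic links?
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
 case \$ans in
 [y,Y]*) USE_SYM_LINKS=yes ;;
@@ -582,7 +582,7 @@ esac
 # determine if should restart the daemon
 if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
 then
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
 case \$ans in
 [y,Y]*) PRE_INS_STOP=yes
@@ -593,7 +593,7 @@ then
 else
 
 # determine if we should start sshd
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
 case \$ans in
 [y,Y]*) POST_INS_START=yes ;;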
diff --git a/channels.c b/channels.c index 7791febd7..9cf85a38d 100644 --- a/channels.c +++ b/channels.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */ | 1 | /* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port) | |||
3165 | void | 3165 | void |
3166 | channel_disable_adm_local_opens(void) | 3166 | channel_disable_adm_local_opens(void) |
3167 | { | 3167 | { |
3168 | if (num_adm_permitted_opens == 0) { | 3168 | channel_clear_adm_permitted_opens(); |
3169 | permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); | 3169 | permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); |
3170 | permitted_adm_opens[num_adm_permitted_opens].host_to_connect | 3170 | permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL; |
3171 | = NULL; | 3171 | num_adm_permitted_opens = 1; |
3172 | num_adm_permitted_opens = 1; | ||
3173 | } | ||
3174 | } | 3172 | } |
3175 | 3173 | ||
3176 | void | 3174 | void |
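Review bot: In channel_disable_adm_local_opens() the store `permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL;` indexes a freshly allocated one-element array with a counter that is only correct if channel_clear_adm_permitted_opens() has reset it to zero. That helper is not shown in this hunk, so the write stays in bounds only through a contract defined elsewhere. Writing the index literally, `permitted_adm_opens[0].host_to_connect = NULL;`, removes that dependency at no cost. A one-line comment on what a single entry with a NULL host_to_connect means to the permission check would also help, since the page does not state it.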
diff --git a/cipher-acss.c b/cipher-acss.c deleted file mode 100644 index e755f92b9..000000000 --- a/cipher-acss.c +++ /dev/null | |||
@@ -1,86 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2004 The OpenBSD project | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | #include "includes.h" | ||
18 | |||
19 | #include <openssl/evp.h> | ||
20 | |||
21 | #include <string.h> | ||
22 | |||
23 | #if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
24 | |||
25 | #include "acss.h" | ||
26 | #include "openbsd-compat/openssl-compat.h" | ||
27 | |||
28 | #define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data) | ||
29 | |||
30 | typedef struct { | ||
31 | ACSS_KEY ks; | ||
32 | } EVP_ACSS_KEY; | ||
33 | |||
34 | #define EVP_CTRL_SET_ACSS_MODE 0xff06 | ||
35 | #define EVP_CTRL_SET_ACSS_SUBKEY 0xff07 | ||
36 | |||
37 | static int | ||
38 | acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, | ||
39 | const unsigned char *iv, int enc) | ||
40 | { | ||
41 | acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA); | ||
42 | return 1; | ||
43 | } | ||
44 | |||
45 | static int | ||
46 | acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, | ||
47 | LIBCRYPTO_EVP_INL_TYPE inl) | ||
48 | { | ||
49 | acss(&data(ctx)->ks,inl,in,out); | ||
50 | return 1; | ||
51 | } | ||
52 | |||
53 | static int | ||
54 | acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) | ||
55 | { | ||
56 | switch(type) { | ||
57 | case EVP_CTRL_SET_ACSS_MODE: | ||
58 | data(ctx)->ks.mode = arg; | ||
59 | return 1; | ||
60 | case EVP_CTRL_SET_ACSS_SUBKEY: | ||
61 | acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr); | ||
62 | return 1; | ||
63 | default: | ||
64 | return -1; | ||
65 | } | ||
66 | } | ||
67 | |||
68 | const EVP_CIPHER * | ||
69 | evp_acss(void) | ||
70 | { | ||
71 | static EVP_CIPHER acss_cipher; | ||
72 | |||
73 | memset(&acss_cipher, 0, sizeof(EVP_CIPHER)); | ||
74 | |||
75 | acss_cipher.nid = NID_undef; | ||
76 | acss_cipher.block_size = 1; | ||
77 | acss_cipher.key_len = 5; | ||
78 | acss_cipher.init = acss_init_key; | ||
79 | acss_cipher.do_cipher = acss_ciph; | ||
80 | acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY); | ||
81 | acss_cipher.ctrl = acss_ctrl; | ||
82 | |||
83 | return (&acss_cipher); | ||
84 | } | ||
85 | #endif | ||
86 | |||
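--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -46,9 +46,6 @@ struct ssh_rijndael_ctx
 u_char r_iv[RIJNDAEL_BLOCKSIZE];
 };
 
-const EVP_CIPHER * evp_rijndael(void);
-void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-
 static int
 ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
 int enc)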
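--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -16,6 +16,7 @@
 */
 #include "includes.h"
 
+#ifndef OPENSSL_HAVE_EVPCTR
 #include <sys/types.h>
 
 #include <stdarg.h>
@@ -33,9 +34,6 @@
 #include <openssl/aes.h>
 #endif
 
-const EVP_CIPHER *evp_aes_128_ctr(void);
-void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
-
 struct ssh_aes_ctr_ctx
 {
 AES_KEY aes_ctx;
@@ -144,3 +142,5 @@ evp_aes_128_ctr(void)
 #endif
 return (&aes_ctr);
 }
+
+#endif /* OPENSSL_HAVE_EVPCTR */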
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ | 1 | /* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -54,41 +54,46 @@ | |||
54 | extern const EVP_CIPHER *evp_ssh1_bf(void); | 54 | extern const EVP_CIPHER *evp_ssh1_bf(void); |
55 | extern const EVP_CIPHER *evp_ssh1_3des(void); | 55 | extern const EVP_CIPHER *evp_ssh1_3des(void); |
56 | extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); | 56 | extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); |
57 | extern const EVP_CIPHER *evp_aes_128_ctr(void); | ||
58 | extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); | ||
59 | 57 | ||
60 | struct Cipher { | 58 | struct Cipher { |
61 | char *name; | 59 | char *name; |
62 | int number; /* for ssh1 only */ | 60 | int number; /* for ssh1 only */ |
63 | u_int block_size; | 61 | u_int block_size; |
64 | u_int key_len; | 62 | u_int key_len; |
63 | u_int iv_len; /* defaults to block_size */ | ||
64 | u_int auth_len; | ||
65 | u_int discard_len; | 65 | u_int discard_len; |
66 | u_int cbc_mode; | 66 | u_int cbc_mode; |
67 | const EVP_CIPHER *(*evptype)(void); | 67 | const EVP_CIPHER *(*evptype)(void); |
68 | } ciphers[] = { | 68 | } ciphers[] = { |
69 | { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, | 69 | { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, |
70 | { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, | 70 | { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, |
71 | { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, | 71 | { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, |
72 | { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, | 72 | { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, |
73 | 73 | ||
74 | { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, | 74 | { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, |
75 | { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, | 75 | { "blowfish-cbc", |
76 | { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, | 76 | SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, |
77 | { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, | 77 | { "cast128-cbc", |
78 | { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, | 78 | SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc }, |
79 | { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, | 79 | { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 }, |
80 | { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, | 80 | { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 }, |
81 | { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, | 81 | { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 }, |
82 | { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, | 82 | { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, |
83 | { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, | ||
84 | { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, | ||
83 | { "rijndael-cbc@lysator.liu.se", | 85 | { "rijndael-cbc@lysator.liu.se", |
84 | SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, | 86 | SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, |
85 | { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, | 87 | { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, |
86 | { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, | 88 | { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, |
87 | { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, | 89 | { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, |
88 | #ifdef USE_CIPHER_ACSS | 90 | #ifdef OPENSSL_HAVE_EVPGCM |
89 | { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, | 91 | { "aes128-gcm@openssh.com", |
92 | SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, | ||
93 | { "aes256-gcm@openssh.com", | ||
94 | SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, | ||
90 | #endif | 95 | #endif |
91 | { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } | 96 | { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } |
92 | }; | 97 | }; |
93 | 98 | ||
94 | /*--*/ | 99 | /*--*/ |
@@ -106,6 +111,18 @@ cipher_keylen(const Cipher *c) | |||
106 | } | 111 | } |
107 | 112 | ||
108 | u_int | 113 | u_int |
114 | cipher_authlen(const Cipher *c) | ||
115 | { | ||
116 | return (c->auth_len); | ||
117 | } | ||
118 | |||
119 | u_int | ||
120 | cipher_ivlen(const Cipher *c) | ||
121 | { | ||
122 | return (c->iv_len ? c->iv_len : c->block_size); | ||
123 | } | ||
124 | |||
125 | u_int | ||
109 | cipher_get_number(const Cipher *c) | 126 | cipher_get_number(const Cipher *c) |
110 | { | 127 | { |
111 | return (c->number); | 128 | return (c->number); |
@@ -224,11 +241,12 @@ cipher_init(CipherContext *cc, Cipher *cipher, | |||
224 | keylen = 8; | 241 | keylen = 8; |
225 | } | 242 | } |
226 | cc->plaintext = (cipher->number == SSH_CIPHER_NONE); | 243 | cc->plaintext = (cipher->number == SSH_CIPHER_NONE); |
244 | cc->encrypt = do_encrypt; | ||
227 | 245 | ||
228 | if (keylen < cipher->key_len) | 246 | if (keylen < cipher->key_len) |
229 | fatal("cipher_init: key length %d is insufficient for %s.", | 247 | fatal("cipher_init: key length %d is insufficient for %s.", |
230 | keylen, cipher->name); | 248 | keylen, cipher->name); |
231 | if (iv != NULL && ivlen < cipher->block_size) | 249 | if (iv != NULL && ivlen < cipher_ivlen(cipher)) |
232 | fatal("cipher_init: iv length %d is insufficient for %s.", | 250 | fatal("cipher_init: iv length %d is insufficient for %s.", |
233 | ivlen, cipher->name); | 251 | ivlen, cipher->name); |
234 | cc->cipher = cipher; | 252 | cc->cipher = cipher; |
@@ -249,6 +267,11 @@ cipher_init(CipherContext *cc, Cipher *cipher, | |||
249 | (do_encrypt == CIPHER_ENCRYPT)) == 0) | 267 | (do_encrypt == CIPHER_ENCRYPT)) == 0) |
250 | fatal("cipher_init: EVP_CipherInit failed for %s", | 268 | fatal("cipher_init: EVP_CipherInit failed for %s", |
251 | cipher->name); | 269 | cipher->name); |
270 | if (cipher_authlen(cipher) && | ||
271 | !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, | ||
272 | -1, (u_char *)iv)) | ||
273 | fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s", | ||
274 | cipher->name); | ||
252 | klen = EVP_CIPHER_CTX_key_length(&cc->evp); | 275 | klen = EVP_CIPHER_CTX_key_length(&cc->evp); |
253 | if (klen > 0 && keylen != (u_int)klen) { | 276 | if (klen > 0 && keylen != (u_int)klen) { |
254 | debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); | 277 | debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); |
@@ -273,13 +296,59 @@ cipher_init(CipherContext *cc, Cipher *cipher, | |||
273 | } | 296 | } |
274 | } | 297 | } |
275 | 298 | ||
299 | /* | ||
300 | * cipher_crypt() operates as following: | ||
301 | * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. | ||
302 | * Theses bytes are treated as additional authenticated data for | ||
303 | * authenticated encryption modes. | ||
304 | * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. | ||
305 | * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag. | ||
306 | * This tag is written on encryption and verified on decryption. | ||
307 | * Both 'aadlen' and 'authlen' can be set to 0. | ||
308 | */ | ||
276 | void | 309 | void |
277 | cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) | 310 | cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, |
311 | u_int len, u_int aadlen, u_int authlen) | ||
278 | { | 312 | { |
313 | if (authlen) { | ||
314 | u_char lastiv[1]; | ||
315 | |||
316 | if (authlen != cipher_authlen(cc->cipher)) | ||
317 | fatal("%s: authlen mismatch %d", __func__, authlen); | ||
318 | /* increment IV */ | ||
319 | if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN, | ||
320 | 1, lastiv)) | ||
321 | fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__); | ||
322 | /* set tag on decyption */ | ||
323 | if (!cc->encrypt && | ||
324 | !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG, | ||
325 | authlen, (u_char *)src + aadlen + len)) | ||
326 | fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__); | ||
327 | } | ||
328 | if (aadlen) { | ||
329 | if (authlen && | ||
330 | EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0) | ||
331 | fatal("%s: EVP_Cipher(aad) failed", __func__); | ||
332 | memcpy(dest, src, aadlen); | ||
333 | } | ||
279 | if (len % cc->cipher->block_size) | 334 | if (len % cc->cipher->block_size) |
280 | fatal("cipher_encrypt: bad plaintext length %d", len); | 335 | fatal("%s: bad plaintext length %d", __func__, len); |
281 | if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) | 336 | if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen, |
282 | fatal("evp_crypt: EVP_Cipher failed"); | 337 | len) < 0) |
338 | fatal("%s: EVP_Cipher failed", __func__); | ||
339 | if (authlen) { | ||
340 | /* compute tag (on encrypt) or verify tag (on decrypt) */ | ||
341 | if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) { | ||
342 | if (cc->encrypt) | ||
343 | fatal("%s: EVP_Cipher(final) failed", __func__); | ||
344 | else | ||
345 | fatal("Decryption integrity check failed"); | ||
346 | } | ||
347 | if (cc->encrypt && | ||
348 | !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG, | ||
349 | authlen, dest + aadlen + len)) | ||
350 | fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__); | ||
351 | } | ||
283 | } | 352 | } |
284 | 353 | ||
285 | void | 354 | void |
@@ -351,10 +420,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) | |||
351 | ssh_rijndael_iv(&cc->evp, 0, iv, len); | 420 | ssh_rijndael_iv(&cc->evp, 0, iv, len); |
352 | else | 421 | else |
353 | #endif | 422 | #endif |
423 | #ifndef OPENSSL_HAVE_EVPCTR | ||
354 | if (c->evptype == evp_aes_128_ctr) | 424 | if (c->evptype == evp_aes_128_ctr) |
355 | ssh_aes_ctr_iv(&cc->evp, 0, iv, len); | 425 | ssh_aes_ctr_iv(&cc->evp, 0, iv, len); |
356 | else | 426 | else |
357 | memcpy(iv, cc->evp.iv, len); | 427 | #endif |
428 | memcpy(iv, cc->evp.iv, len); | ||
358 | break; | 429 | break; |
359 | case SSH_CIPHER_3DES: | 430 | case SSH_CIPHER_3DES: |
360 | ssh1_3des_iv(&cc->evp, 0, iv, 24); | 431 | ssh1_3des_iv(&cc->evp, 0, iv, 24); |
@@ -382,10 +453,12 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) | |||
382 | ssh_rijndael_iv(&cc->evp, 1, iv, evplen); | 453 | ssh_rijndael_iv(&cc->evp, 1, iv, evplen); |
383 | else | 454 | else |
384 | #endif | 455 | #endif |
456 | #ifndef OPENSSL_HAVE_EVPCTR | ||
385 | if (c->evptype == evp_aes_128_ctr) | 457 | if (c->evptype == evp_aes_128_ctr) |
386 | ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); | 458 | ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); |
387 | else | 459 | else |
388 | memcpy(cc->evp.iv, iv, evplen); | 460 | #endif |
461 | memcpy(cc->evp.iv, iv, evplen); | ||
389 | break; | 462 | break; |
390 | case SSH_CIPHER_3DES: | 463 | case SSH_CIPHER_3DES: |
391 | ssh1_3des_iv(&cc->evp, 1, iv, 24); | 464 | ssh1_3des_iv(&cc->evp, 1, iv, 24); |
@@ -395,21 +468,13 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) | |||
395 | } | 468 | } |
396 | } | 469 | } |
397 | 470 | ||
398 | #if OPENSSL_VERSION_NUMBER < 0x00907000L | ||
399 | #define EVP_X_STATE(evp) &(evp).c | ||
400 | #define EVP_X_STATE_LEN(evp) sizeof((evp).c) | ||
401 | #else | ||
402 | #define EVP_X_STATE(evp) (evp).cipher_data | ||
403 | #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size | ||
404 | #endif | ||
405 | |||
406 | int | 471 | int |
407 | cipher_get_keycontext(const CipherContext *cc, u_char *dat) | 472 | cipher_get_keycontext(const CipherContext *cc, u_char *dat) |
408 | { | 473 | { |
409 | Cipher *c = cc->cipher; | 474 | Cipher *c = cc->cipher; |
410 | int plen = 0; | 475 | int plen = 0; |
411 | 476 | ||
412 | if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { | 477 | if (c->evptype == EVP_rc4) { |
413 | plen = EVP_X_STATE_LEN(cc->evp); | 478 | plen = EVP_X_STATE_LEN(cc->evp); |
414 | if (dat == NULL) | 479 | if (dat == NULL) |
415 | return (plen); | 480 | return (plen); |
@@ -424,7 +489,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat) | |||
424 | Cipher *c = cc->cipher; | 489 | Cipher *c = cc->cipher; |
425 | int plen; | 490 | int plen; |
426 | 491 | ||
427 | if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { | 492 | if (c->evptype == EVP_rc4) { |
428 | plen = EVP_X_STATE_LEN(cc->evp); | 493 | plen = EVP_X_STATE_LEN(cc->evp); |
429 | memcpy(EVP_X_STATE(cc->evp), dat, plen); | 494 | memcpy(EVP_X_STATE(cc->evp), dat, plen); |
430 | } | 495 | } |
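Review bot: In the `cipher_init` hunk, the added `EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED, -1, (u_char *)iv)` call passes `iv` through even when it is NULL, because the length check earlier in the function is `iv != NULL && ivlen < cipher_ivlen(cipher)` and is therefore skipped for a NULL IV. With a length of -1, OpenSSL's GCM control copies the whole fixed IV from that pointer (as far as I know), so selecting one of the new `*-gcm@openssh.com` entries without an IV would dereference NULL instead of reaching a `fatal()`. I would reject that case explicitly before the ctrl call, e.g. `if (cipher_authlen(cipher) && iv == NULL) fatal("cipher_init: missing IV for %s", cipher->name);`. `cipher_init` starts and ends outside the visible hunks, so whether any caller passes NULL here cannot be confirmed from this page.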
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */ | 1 | /* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -64,6 +64,7 @@ typedef struct CipherContext CipherContext; | |||
64 | struct Cipher; | 64 | struct Cipher; |
65 | struct CipherContext { | 65 | struct CipherContext { |
66 | int plaintext; | 66 | int plaintext; |
67 | int encrypt; | ||
67 | EVP_CIPHER_CTX evp; | 68 | EVP_CIPHER_CTX evp; |
68 | Cipher *cipher; | 69 | Cipher *cipher; |
69 | }; | 70 | }; |
@@ -76,11 +77,14 @@ char *cipher_name(int); | |||
76 | int ciphers_valid(const char *); | 77 | int ciphers_valid(const char *); |
77 | void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, | 78 | void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, |
78 | const u_char *, u_int, int); | 79 | const u_char *, u_int, int); |
79 | void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); | 80 | void cipher_crypt(CipherContext *, u_char *, const u_char *, |
81 | u_int, u_int, u_int); | ||
80 | void cipher_cleanup(CipherContext *); | 82 | void cipher_cleanup(CipherContext *); |
81 | void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); | 83 | void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); |
82 | u_int cipher_blocksize(const Cipher *); | 84 | u_int cipher_blocksize(const Cipher *); |
83 | u_int cipher_keylen(const Cipher *); | 85 | u_int cipher_keylen(const Cipher *); |
86 | u_int cipher_authlen(const Cipher *); | ||
87 | u_int cipher_ivlen(const Cipher *); | ||
84 | u_int cipher_is_cbc(const Cipher *); | 88 | u_int cipher_is_cbc(const Cipher *); |
85 | 89 | ||
86 | u_int cipher_get_number(const Cipher *); | 90 | u_int cipher_get_number(const Cipher *); |
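Review bot: The new `cipher_crypt` prototype ends in three unnamed `u_int` parameters, so a call site that swaps the payload length, AAD length and tag length compiles without a warning. The block comment describing `len`, `aadlen` and `authlen` lives only in cipher.c, so I would name the parameters in the header: `void cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen);`. A short comment that `src` must hold `aadlen + len + authlen` bytes on decryption, and `dest` the same on encryption, would state the buffer contract that the tag read and write in cipher.c rely on.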
diff --git a/clientloop.c b/clientloop.c index 5b76b9893..1a16b2525 100644 --- a/clientloop.c +++ b/clientloop.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -977,9 +977,9 @@ process_cmdline(void) | |||
977 | goto out; | 977 | goto out; |
978 | } | 978 | } |
979 | if (local || dynamic) { | 979 | if (local || dynamic) { |
980 | if (channel_setup_local_fwd_listener(fwd.listen_host, | 980 | if (!channel_setup_local_fwd_listener(fwd.listen_host, |
981 | fwd.listen_port, fwd.connect_host, | 981 | fwd.listen_port, fwd.connect_host, |
982 | fwd.connect_port, options.gateway_ports) < 0) { | 982 | fwd.connect_port, options.gateway_ports)) { |
983 | logit("Port forwarding failed."); | 983 | logit("Port forwarding failed."); |
984 | goto out; | 984 | goto out; |
985 | } | 985 | } |
@@ -1005,6 +1005,63 @@ out: | |||
1005 | xfree(fwd.connect_host); | 1005 | xfree(fwd.connect_host); |
1006 | } | 1006 | } |
1007 | 1007 | ||
1008 | /* reasons to suppress output of an escape command in help output */ | ||
1009 | #define SUPPRESS_NEVER 0 /* never suppress, always show */ | ||
1010 | #define SUPPRESS_PROTO1 1 /* don't show in protocol 1 sessions */ | ||
1011 | #define SUPPRESS_MUXCLIENT 2 /* don't show in mux client sessions */ | ||
1012 | #define SUPPRESS_MUXMASTER 4 /* don't show in mux master sessions */ | ||
1013 | #define SUPPRESS_SYSLOG 8 /* don't show when logging to syslog */ | ||
1014 | struct escape_help_text { | ||
1015 | const char *cmd; | ||
1016 | const char *text; | ||
1017 | unsigned int flags; | ||
1018 | }; | ||
1019 | static struct escape_help_text esc_txt[] = { | ||
1020 | {".", "terminate session", SUPPRESS_MUXMASTER}, | ||
1021 | {".", "terminate connection (and any multiplexed sessions)", | ||
1022 | SUPPRESS_MUXCLIENT}, | ||
1023 | {"B", "send a BREAK to the remote system", SUPPRESS_PROTO1}, | ||
1024 | {"C", "open a command line", SUPPRESS_MUXCLIENT}, | ||
1025 | {"R", "request rekey", SUPPRESS_PROTO1}, | ||
1026 | {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT}, | ||
1027 | {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT}, | ||
1028 | {"#", "list forwarded connections", SUPPRESS_NEVER}, | ||
1029 | {"&", "background ssh (when waiting for connections to terminate)", | ||
1030 | SUPPRESS_MUXCLIENT}, | ||
1031 | {"?", "this message", SUPPRESS_NEVER}, | ||
1032 | }; | ||
1033 | |||
1034 | static void | ||
1035 | print_escape_help(Buffer *b, int escape_char, int protocol2, int mux_client, | ||
1036 | int using_stderr) | ||
1037 | { | ||
1038 | unsigned int i, suppress_flags; | ||
1039 | char string[1024]; | ||
1040 | |||
1041 | snprintf(string, sizeof string, "%c?\r\n" | ||
1042 | "Supported escape sequences:\r\n", escape_char); | ||
1043 | buffer_append(b, string, strlen(string)); | ||
1044 | |||
1045 | suppress_flags = (protocol2 ? 0 : SUPPRESS_PROTO1) | | ||
1046 | (mux_client ? SUPPRESS_MUXCLIENT : 0) | | ||
1047 | (mux_client ? 0 : SUPPRESS_MUXMASTER) | | ||
1048 | (using_stderr ? 0 : SUPPRESS_SYSLOG); | ||
1049 | |||
1050 | for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) { | ||
1051 | if (esc_txt[i].flags & suppress_flags) | ||
1052 | continue; | ||
1053 | snprintf(string, sizeof string, " %c%-3s - %s\r\n", | ||
1054 | escape_char, esc_txt[i].cmd, esc_txt[i].text); | ||
1055 | buffer_append(b, string, strlen(string)); | ||
1056 | } | ||
1057 | |||
1058 | snprintf(string, sizeof string, | ||
1059 | " %c%c - send the escape character by typing it twice\r\n" | ||
1060 | "(Note that escapes are only recognized immediately after " | ||
1061 | "newline.)\r\n", escape_char, escape_char); | ||
1062 | buffer_append(b, string, strlen(string)); | ||
1063 | } | ||
1064 | |||
1008 | /* | 1065 | /* |
1009 | * Process the characters one by one, call with c==NULL for proto1 case. | 1066 | * Process the characters one by one, call with c==NULL for proto1 case. |
1010 | */ | 1067 | */ |
@@ -1055,6 +1112,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, | |||
1055 | if (c && c->ctl_chan != -1) { | 1112 | if (c && c->ctl_chan != -1) { |
1056 | chan_read_failed(c); | 1113 | chan_read_failed(c); |
1057 | chan_write_failed(c); | 1114 | chan_write_failed(c); |
1115 | mux_master_session_cleanup_cb(c->self, | ||
1116 | NULL); | ||
1058 | return 0; | 1117 | return 0; |
1059 | } else | 1118 | } else |
1060 | quit_pending = 1; | 1119 | quit_pending = 1; |
@@ -1063,11 +1122,16 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, | |||
1063 | case 'Z' - 64: | 1122 | case 'Z' - 64: |
1064 | /* XXX support this for mux clients */ | 1123 | /* XXX support this for mux clients */ |
1065 | if (c && c->ctl_chan != -1) { | 1124 | if (c && c->ctl_chan != -1) { |
1125 | char b[16]; | ||
1066 | noescape: | 1126 | noescape: |
1127 | if (ch == 'Z' - 64) | ||
1128 | snprintf(b, sizeof b, "^Z"); | ||
1129 | else | ||
1130 | snprintf(b, sizeof b, "%c", ch); | ||
1067 | snprintf(string, sizeof string, | 1131 | snprintf(string, sizeof string, |
1068 | "%c%c escape not available to " | 1132 | "%c%s escape not available to " |
1069 | "multiplexed sessions\r\n", | 1133 | "multiplexed sessions\r\n", |
1070 | escape_char, ch); | 1134 | escape_char, b); |
1071 | buffer_append(berr, string, | 1135 | buffer_append(berr, string, |
1072 | strlen(string)); | 1136 | strlen(string)); |
1073 | continue; | 1137 | continue; |
@@ -1106,6 +1170,31 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, | |||
1106 | } | 1170 | } |
1107 | continue; | 1171 | continue; |
1108 | 1172 | ||
1173 | case 'V': | ||
1174 | /* FALLTHROUGH */ | ||
1175 | case 'v': | ||
1176 | if (c && c->ctl_chan != -1) | ||
1177 | goto noescape; | ||
1178 | if (!log_is_on_stderr()) { | ||
1179 | snprintf(string, sizeof string, | ||
1180 | "%c%c [Logging to syslog]\r\n", | ||
1181 | escape_char, ch); | ||
1182 | buffer_append(berr, string, | ||
1183 | strlen(string)); | ||
1184 | continue; | ||
1185 | } | ||
1186 | if (ch == 'V' && options.log_level > | ||
1187 | SYSLOG_LEVEL_QUIET) | ||
1188 | log_change_level(--options.log_level); | ||
1189 | if (ch == 'v' && options.log_level < | ||
1190 | SYSLOG_LEVEL_DEBUG3) | ||
1191 | log_change_level(++options.log_level); | ||
1192 | snprintf(string, sizeof string, | ||
1193 | "%c%c [LogLevel %s]\r\n", escape_char, ch, | ||
1194 | log_level_name(options.log_level)); | ||
1195 | buffer_append(berr, string, strlen(string)); | ||
1196 | continue; | ||
1197 | |||
1109 | case '&': | 1198 | case '&': |
1110 | if (c && c->ctl_chan != -1) | 1199 | if (c && c->ctl_chan != -1) |
1111 | goto noescape; | 1200 | goto noescape; |
@@ -1159,43 +1248,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, | |||
1159 | continue; | 1248 | continue; |
1160 | 1249 | ||
1161 | case '?': | 1250 | case '?': |
1162 | if (c && c->ctl_chan != -1) { | 1251 | print_escape_help(berr, escape_char, compat20, |
1163 | snprintf(string, sizeof string, | 1252 | (c && c->ctl_chan != -1), |
1164 | "%c?\r\n\ | 1253 | log_is_on_stderr()); |
1165 | Supported escape sequences:\r\n\ | ||
1166 | %c. - terminate session\r\n\ | ||
1167 | %cB - send a BREAK to the remote system\r\n\ | ||
1168 | %cR - Request rekey (SSH protocol 2 only)\r\n\ | ||
1169 | %c# - list forwarded connections\r\n\ | ||
1170 | %c? - this message\r\n\ | ||
1171 | %c%c - send the escape character by typing it twice\r\n\ | ||
1172 | (Note that escapes are only recognized immediately after newline.)\r\n", | ||
1173 | escape_char, escape_char, | ||
1174 | escape_char, escape_char, | ||
1175 | escape_char, escape_char, | ||
1176 | escape_char, escape_char); | ||
1177 | } else { | ||
1178 | snprintf(string, sizeof string, | ||
1179 | "%c?\r\n\ | ||
1180 | Supported escape sequences:\r\n\ | ||
1181 | %c. - terminate connection (and any multiplexed sessions)\r\n\ | ||
1182 | %cB - send a BREAK to the remote system\r\n\ | ||
1183 | %cC - open a command line\r\n\ | ||
1184 | %cR - Request rekey (SSH protocol 2 only)\r\n\ | ||
1185 | %c^Z - suspend ssh\r\n\ | ||
1186 | %c# - list forwarded connections\r\n\ | ||
1187 | %c& - background ssh (when waiting for connections to terminate)\r\n\ | ||
1188 | %c? - this message\r\n\ | ||
1189 | %c%c - send the escape character by typing it twice\r\n\ | ||
1190 | (Note that escapes are only recognized immediately after newline.)\r\n", | ||
1191 | escape_char, escape_char, | ||
1192 | escape_char, escape_char, | ||
1193 | escape_char, escape_char, | ||
1194 | escape_char, escape_char, | ||
1195 | escape_char, escape_char, | ||
1196 | escape_char); | ||
1197 | } | ||
1198 | buffer_append(berr, string, strlen(string)); | ||
1199 | continue; | 1254 | continue; |
1200 | 1255 | ||
1201 | case '#': | 1256 | case '#': |
@@ -2209,10 +2264,10 @@ client_stop_mux(void) | |||
2209 | if (options.control_path != NULL && muxserver_sock != -1) | 2264 | if (options.control_path != NULL && muxserver_sock != -1) |
2210 | unlink(options.control_path); | 2265 | unlink(options.control_path); |
2211 | /* | 2266 | /* |
2212 | * If we are in persist mode, signal that we should close when all | 2267 | * If we are in persist mode, or don't have a shell, signal that we |
2213 | * active channels are closed. | 2268 | * should close when all active channels are closed. |
2214 | */ | 2269 | */ |
2215 | if (options.control_persist) { | 2270 | if (options.control_persist || no_shell_flag) { |
2216 | session_closed = 1; | 2271 | session_closed = 1; |
2217 | setproctitle("[stopped mux]"); | 2272 | setproctitle("[stopped mux]"); |
2218 | } | 2273 | } |
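Review bot: In the new `esc_txt` table no entry carries `SUPPRESS_SYSLOG`, so the `using_stderr` argument of `print_escape_help` and the `(using_stderr ? 0 : SUPPRESS_SYSLOG)` term never hide anything. The `V/v` handler added to `process_escapes` only answers `[Logging to syslog]` when `log_is_on_stderr()` is false, so the help text advertises a command that does nothing in that mode. Marking the entry as `{"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT|SUPPRESS_SYSLOG},` would line the help output up with the handler. The table is never written in the visible code, so it could also be declared `static const struct escape_help_text esc_txt[]`.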
diff --git a/clientloop.h b/clientloop.h index 3bb794879..d2baa0324 100644 --- a/clientloop.h +++ b/clientloop.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.h,v 1.29 2011/09/09 22:46:44 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -76,4 +76,5 @@ void muxserver_listen(void); | |||
76 | void muxclient(const char *); | 76 | void muxclient(const char *); |
77 | void mux_exit_message(Channel *, int); | 77 | void mux_exit_message(Channel *, int); |
78 | void mux_tty_alloc_failed(Channel *); | 78 | void mux_tty_alloc_failed(Channel *); |
79 | void mux_master_session_cleanup_cb(int, void *); | ||
79 | 80 | ||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: compat.c,v 1.79 2011/09/23 07:45:05 markus Exp $ */ | 1 | /* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -45,6 +45,8 @@ int datafellows = 0; | |||
45 | void | 45 | void |
46 | enable_compat20(void) | 46 | enable_compat20(void) |
47 | { | 47 | { |
48 | if (compat20) | ||
49 | return; | ||
48 | debug("Enabling compatibility mode for protocol 2.0"); | 50 | debug("Enabling compatibility mode for protocol 2.0"); |
49 | compat20 = 1; | 51 | compat20 = 1; |
50 | } | 52 | } |
diff --git a/config.h.in b/config.h.in index 6c4f2272a..67858ef6d 100644 --- a/config.h.in +++ b/config.h.in | |||
@@ -74,6 +74,9 @@ | |||
74 | /* Define if your snprintf is busted */ | 74 | /* Define if your snprintf is busted */ |
75 | #undef BROKEN_SNPRINTF | 75 | #undef BROKEN_SNPRINTF |
76 | 76 | ||
77 | /* FreeBSD strnvis does not do what we need */ | ||
78 | #undef BROKEN_STRNVIS | ||
79 | |||
77 | /* tcgetattr with ICANON may hang */ | 80 | /* tcgetattr with ICANON may hang */ |
78 | #undef BROKEN_TCGETATTR_ICANON | 81 | #undef BROKEN_TCGETATTR_ICANON |
79 | 82 | ||
@@ -215,6 +218,9 @@ | |||
215 | /* Define to 1 if you have the `BN_is_prime_ex' function. */ | 218 | /* Define to 1 if you have the `BN_is_prime_ex' function. */ |
216 | #undef HAVE_BN_IS_PRIME_EX | 219 | #undef HAVE_BN_IS_PRIME_EX |
217 | 220 | ||
221 | /* Define to 1 if you have the <bsd/libutil.h> header file. */ | ||
222 | #undef HAVE_BSD_LIBUTIL_H | ||
223 | |||
218 | /* Define to 1 if you have the <bsm/audit.h> header file. */ | 224 | /* Define to 1 if you have the <bsm/audit.h> header file. */ |
219 | #undef HAVE_BSM_AUDIT_H | 225 | #undef HAVE_BSM_AUDIT_H |
220 | 226 | ||
@@ -256,6 +262,10 @@ | |||
256 | don't. */ | 262 | don't. */ |
257 | #undef HAVE_DECL_GLOB_NOMATCH | 263 | #undef HAVE_DECL_GLOB_NOMATCH |
258 | 264 | ||
265 | /* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE', | ||
266 | and to 0 if you don't. */ | ||
267 | #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE | ||
268 | |||
259 | /* Define to 1 if you have the declaration of `h_errno', and to 0 if you | 269 | /* Define to 1 if you have the declaration of `h_errno', and to 0 if you |
260 | don't. */ | 270 | don't. */ |
261 | #undef HAVE_DECL_H_ERRNO | 271 | #undef HAVE_DECL_H_ERRNO |
@@ -326,6 +336,9 @@ | |||
326 | /* Define to 1 if you have the `DSA_generate_parameters_ex' function. */ | 336 | /* Define to 1 if you have the `DSA_generate_parameters_ex' function. */ |
327 | #undef HAVE_DSA_GENERATE_PARAMETERS_EX | 337 | #undef HAVE_DSA_GENERATE_PARAMETERS_EX |
328 | 338 | ||
339 | /* Define to 1 if you have the <elf.h> header file. */ | ||
340 | #undef HAVE_ELF_H | ||
341 | |||
329 | /* Define to 1 if you have the <endian.h> header file. */ | 342 | /* Define to 1 if you have the <endian.h> header file. */ |
330 | #undef HAVE_ENDIAN_H | 343 | #undef HAVE_ENDIAN_H |
331 | 344 | ||
@@ -338,6 +351,9 @@ | |||
338 | /* Define if your system has /etc/default/login */ | 351 | /* Define if your system has /etc/default/login */ |
339 | #undef HAVE_ETC_DEFAULT_LOGIN | 352 | #undef HAVE_ETC_DEFAULT_LOGIN |
340 | 353 | ||
354 | /* Define if libcrypto has EVP_CIPHER_CTX_ctrl */ | ||
355 | #undef HAVE_EVP_CIPHER_CTX_CTRL | ||
356 | |||
341 | /* Define to 1 if you have the `EVP_sha256' function. */ | 357 | /* Define to 1 if you have the `EVP_sha256' function. */ |
342 | #undef HAVE_EVP_SHA256 | 358 | #undef HAVE_EVP_SHA256 |
343 | 359 | ||
@@ -428,6 +444,12 @@ | |||
428 | /* Define to 1 if you have the `getpeerucred' function. */ | 444 | /* Define to 1 if you have the `getpeerucred' function. */ |
429 | #undef HAVE_GETPEERUCRED | 445 | #undef HAVE_GETPEERUCRED |
430 | 446 | ||
447 | /* Define to 1 if you have the `getpgid' function. */ | ||
448 | #undef HAVE_GETPGID | ||
449 | |||
450 | /* Define to 1 if you have the `getpgrp' function. */ | ||
451 | #undef HAVE_GETPGRP | ||
452 | |||
431 | /* Define to 1 if you have the `getpwanam' function. */ | 453 | /* Define to 1 if you have the `getpwanam' function. */ |
432 | #undef HAVE_GETPWANAM | 454 | #undef HAVE_GETPWANAM |
433 | 455 | ||
@@ -972,6 +994,9 @@ | |||
972 | /* Define to 1 if you have the `strtoul' function. */ | 994 | /* Define to 1 if you have the `strtoul' function. */ |
973 | #undef HAVE_STRTOUL | 995 | #undef HAVE_STRTOUL |
974 | 996 | ||
997 | /* Define to 1 if you have the `strtoull' function. */ | ||
998 | #undef HAVE_STRTOULL | ||
999 | |||
975 | /* define if you have struct addrinfo data type */ | 1000 | /* define if you have struct addrinfo data type */ |
976 | #undef HAVE_STRUCT_ADDRINFO | 1001 | #undef HAVE_STRUCT_ADDRINFO |
977 | 1002 | ||
@@ -1152,6 +1177,9 @@ | |||
1152 | /* Define to 1 if you have the `user_from_uid' function. */ | 1177 | /* Define to 1 if you have the `user_from_uid' function. */ |
1153 | #undef HAVE_USER_FROM_UID | 1178 | #undef HAVE_USER_FROM_UID |
1154 | 1179 | ||
1180 | /* Define to 1 if you have the `usleep' function. */ | ||
1181 | #undef HAVE_USLEEP | ||
1182 | |||
1155 | /* Define to 1 if you have the <util.h> header file. */ | 1183 | /* Define to 1 if you have the <util.h> header file. */ |
1156 | #undef HAVE_UTIL_H | 1184 | #undef HAVE_UTIL_H |
1157 | 1185 | ||
@@ -1307,6 +1335,9 @@ | |||
1307 | /* Need setpgrp to acquire controlling tty */ | 1335 | /* Need setpgrp to acquire controlling tty */ |
1308 | #undef NEED_SETPGRP | 1336 | #undef NEED_SETPGRP |
1309 | 1337 | ||
1338 | /* compiler does not accept __attribute__ on return types */ | ||
1339 | #undef NO_ATTRIBUTE_ON_RETURN_TYPE | ||
1340 | |||
1310 | /* Define if the concept of ports only accessible to superusers isn't known */ | 1341 | /* Define if the concept of ports only accessible to superusers isn't known */ |
1311 | #undef NO_IPPORT_RESERVED_CONCEPT | 1342 | #undef NO_IPPORT_RESERVED_CONCEPT |
1312 | 1343 | ||
@@ -1322,6 +1353,12 @@ | |||
1322 | /* libcrypto includes complete ECC support */ | 1353 | /* libcrypto includes complete ECC support */ |
1323 | #undef OPENSSL_HAS_ECC | 1354 | #undef OPENSSL_HAS_ECC |
1324 | 1355 | ||
1356 | /* libcrypto has EVP AES CTR */ | ||
1357 | #undef OPENSSL_HAVE_EVPCTR | ||
1358 | |||
1359 | /* libcrypto has EVP AES GCM */ | ||
1360 | #undef OPENSSL_HAVE_EVPGCM | ||
1361 | |||
1325 | /* libcrypto is missing AES 192 and 256 bit functions */ | 1362 | /* libcrypto is missing AES 192 and 256 bit functions */ |
1326 | #undef OPENSSL_LOBOTOMISED_AES | 1363 | #undef OPENSSL_LOBOTOMISED_AES |
1327 | 1364 | ||
@@ -1356,6 +1393,9 @@ | |||
1356 | /* must supply username to passwd */ | 1393 | /* must supply username to passwd */ |
1357 | #undef PASSWD_NEEDS_USERNAME | 1394 | #undef PASSWD_NEEDS_USERNAME |
1358 | 1395 | ||
1396 | /* System dirs owned by bin (uid 2) */ | ||
1397 | #undef PLATFORM_SYS_DIR_UID | ||
1398 | |||
1359 | /* Port number of PRNGD/EGD random number socket */ | 1399 | /* Port number of PRNGD/EGD random number socket */ |
1360 | #undef PRNGD_PORT | 1400 | #undef PRNGD_PORT |
1361 | 1401 | ||
@@ -1,5 +1,5 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # From configure.ac Revision: 1.496 . | 2 | # From configure.ac Revision: 1.518 . |
3 | # Guess values for system-dependent variables and create Makefiles. | 3 | # Guess values for system-dependent variables and create Makefiles. |
4 | # Generated by GNU Autoconf 2.68 for OpenSSH Portable. | 4 | # Generated by GNU Autoconf 2.68 for OpenSSH Portable. |
5 | # | 5 | # |
@@ -614,6 +614,8 @@ XAUTH_PATH | |||
614 | STRIP_OPT | 614 | STRIP_OPT |
615 | xauth_path | 615 | xauth_path |
616 | PRIVSEP_PATH | 616 | PRIVSEP_PATH |
617 | K5LIBS | ||
618 | GSSLIBS | ||
617 | KRB5CONF | 619 | KRB5CONF |
618 | SSHDLIBS | 620 | SSHDLIBS |
619 | SSHLIBS | 621 | SSHLIBS |
@@ -5589,60 +5591,6 @@ if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then : | |||
5589 | have_linux_no_new_privs=1 | 5591 | have_linux_no_new_privs=1 |
5590 | fi | 5592 | fi |
5591 | 5593 | ||
5592 | if test "x$have_linux_no_new_privs" = "x1" ; then | ||
5593 | ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" " | ||
5594 | #include <sys/types.h> | ||
5595 | #include <linux/seccomp.h> | ||
5596 | |||
5597 | " | ||
5598 | if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then : | ||
5599 | have_seccomp_filter=1 | ||
5600 | fi | ||
5601 | |||
5602 | fi | ||
5603 | if test "x$have_seccomp_filter" = "x1" ; then | ||
5604 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5 | ||
5605 | $as_echo_n "checking kernel for seccomp_filter support... " >&6; } | ||
5606 | if test "$cross_compiling" = yes; then : | ||
5607 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5 | ||
5608 | $as_echo "cross-compiling, assuming yes" >&6; } | ||
5609 | |||
5610 | else | ||
5611 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
5612 | /* end confdefs.h. */ | ||
5613 | |||
5614 | #include <errno.h> | ||
5615 | #include <linux/seccomp.h> | ||
5616 | #include <stdlib.h> | ||
5617 | #include <sys/prctl.h> | ||
5618 | |||
5619 | int | ||
5620 | main () | ||
5621 | { | ||
5622 | errno = 0; | ||
5623 | prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); | ||
5624 | exit(errno == EFAULT ? 0 : 1); | ||
5625 | ; | ||
5626 | return 0; | ||
5627 | } | ||
5628 | _ACEOF | ||
5629 | if ac_fn_c_try_run "$LINENO"; then : | ||
5630 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
5631 | $as_echo "yes" >&6; } | ||
5632 | else | ||
5633 | |||
5634 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
5635 | $as_echo "no" >&6; } | ||
5636 | # Disable seccomp filter as a target | ||
5637 | have_seccomp_filter=0 | ||
5638 | |||
5639 | fi | ||
5640 | rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ | ||
5641 | conftest.$ac_objext conftest.beam conftest.$ac_ext | ||
5642 | fi | ||
5643 | |||
5644 | fi | ||
5645 | |||
5646 | use_stack_protector=1 | 5594 | use_stack_protector=1 |
5647 | 5595 | ||
5648 | # Check whether --with-stackprotect was given. | 5596 | # Check whether --with-stackprotect was given. |
@@ -5998,6 +5946,34 @@ fi | |||
5998 | fi | 5946 | fi |
5999 | fi | 5947 | fi |
6000 | 5948 | ||
5949 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler allows __attribute__ on return types" >&5 | ||
5950 | $as_echo_n "checking if compiler allows __attribute__ on return types... " >&6; } | ||
5951 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
5952 | /* end confdefs.h. */ | ||
5953 | |||
5954 | #include <stdlib.h> | ||
5955 | __attribute__((__unused__)) static void foo(void){return;} | ||
5956 | int | ||
5957 | main () | ||
5958 | { | ||
5959 | exit(0); | ||
5960 | ; | ||
5961 | return 0; | ||
5962 | } | ||
5963 | _ACEOF | ||
5964 | if ac_fn_c_try_compile "$LINENO"; then : | ||
5965 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
5966 | $as_echo "yes" >&6; } | ||
5967 | else | ||
5968 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
5969 | $as_echo "no" >&6; } | ||
5970 | |||
5971 | $as_echo "#define NO_ATTRIBUTE_ON_RETURN_TYPE 1" >>confdefs.h | ||
5972 | |||
5973 | |||
5974 | fi | ||
5975 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
5976 | |||
6001 | if test "x$no_attrib_nonnull" != "x1" ; then | 5977 | if test "x$no_attrib_nonnull" != "x1" ; then |
6002 | 5978 | ||
6003 | $as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h | 5979 | $as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h |
@@ -6089,6 +6065,7 @@ for ac_header in \ | |||
6089 | crypto/sha2.h \ | 6065 | crypto/sha2.h \ |
6090 | dirent.h \ | 6066 | dirent.h \ |
6091 | endian.h \ | 6067 | endian.h \ |
6068 | elf.h \ | ||
6092 | features.h \ | 6069 | features.h \ |
6093 | fcntl.h \ | 6070 | fcntl.h \ |
6094 | floatingpoint.h \ | 6071 | floatingpoint.h \ |
@@ -6515,6 +6492,9 @@ $as_echo "#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1" >>confdefs.h | |||
6515 | 6492 | ||
6516 | $as_echo "#define PTY_ZEROREAD 1" >>confdefs.h | 6493 | $as_echo "#define PTY_ZEROREAD 1" >>confdefs.h |
6517 | 6494 | ||
6495 | |||
6496 | $as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h | ||
6497 | |||
6518 | ;; | 6498 | ;; |
6519 | *-*-cygwin*) | 6499 | *-*-cygwin*) |
6520 | check_for_libcrypt_later=1 | 6500 | check_for_libcrypt_later=1 |
@@ -6779,6 +6759,9 @@ $as_echo "#define LOCKED_PASSWD_STRING \"*\"" >>confdefs.h | |||
6779 | 6759 | ||
6780 | $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h | 6760 | $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h |
6781 | 6761 | ||
6762 | |||
6763 | $as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h | ||
6764 | |||
6782 | maildir="/var/mail" | 6765 | maildir="/var/mail" |
6783 | LIBS="$LIBS -lsec" | 6766 | LIBS="$LIBS -lsec" |
6784 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5 | 6767 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5 |
@@ -7008,22 +6991,32 @@ _ACEOF | |||
7008 | fi | 6991 | fi |
7009 | done | 6992 | done |
7010 | 6993 | ||
7011 | have_seccomp_audit_arch=1 | 6994 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp architecture" >&5 |
6995 | $as_echo_n "checking for seccomp architecture... " >&6; } | ||
6996 | seccomp_audit_arch= | ||
7012 | case "$host" in | 6997 | case "$host" in |
7013 | x86_64-*) | 6998 | x86_64-*) |
7014 | 6999 | seccomp_audit_arch=AUDIT_ARCH_X86_64 | |
7015 | $as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64" >>confdefs.h | ||
7016 | |||
7017 | ;; | 7000 | ;; |
7018 | i*86-*) | 7001 | i*86-*) |
7019 | 7002 | seccomp_audit_arch=AUDIT_ARCH_I386 | |
7020 | $as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386" >>confdefs.h | ||
7021 | |||
7022 | ;; | ||
7023 | *) | ||
7024 | have_seccomp_audit_arch=0 | ||
7025 | ;; | 7003 | ;; |
7004 | arm*-*) | ||
7005 | seccomp_audit_arch=AUDIT_ARCH_ARM | ||
7006 | ;; | ||
7026 | esac | 7007 | esac |
7008 | if test "x$seccomp_audit_arch" != "x" ; then | ||
7009 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$seccomp_audit_arch\"" >&5 | ||
7010 | $as_echo "\"$seccomp_audit_arch\"" >&6; } | ||
7011 | |||
7012 | cat >>confdefs.h <<_ACEOF | ||
7013 | #define SECCOMP_AUDIT_ARCH $seccomp_audit_arch | ||
7014 | _ACEOF | ||
7015 | |||
7016 | else | ||
7017 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: architecture not supported" >&5 | ||
7018 | $as_echo "architecture not supported" >&6; } | ||
7019 | fi | ||
7027 | ;; | 7020 | ;; |
7028 | mips-sony-bsd|mips-sony-newsos4) | 7021 | mips-sony-bsd|mips-sony-newsos4) |
7029 | 7022 | ||
@@ -7074,6 +7067,9 @@ fi | |||
7074 | 7067 | ||
7075 | $as_echo "#define BROKEN_GLOB 1" >>confdefs.h | 7068 | $as_echo "#define BROKEN_GLOB 1" >>confdefs.h |
7076 | 7069 | ||
7070 | |||
7071 | $as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h | ||
7072 | |||
7077 | ;; | 7073 | ;; |
7078 | *-*-bsdi*) | 7074 | *-*-bsdi*) |
7079 | $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h | 7075 | $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h |
@@ -7558,6 +7554,7 @@ done | |||
7558 | 7554 | ||
7559 | MANTYPE=man | 7555 | MANTYPE=man |
7560 | TEST_SHELL=ksh | 7556 | TEST_SHELL=ksh |
7557 | SKIP_DISABLE_LASTLOG_DEFINE=yes | ||
7561 | ;; | 7558 | ;; |
7562 | *-*-unicosmk*) | 7559 | *-*-unicosmk*) |
7563 | 7560 | ||
@@ -8389,12 +8386,13 @@ fi | |||
8389 | done | 8386 | done |
8390 | 8387 | ||
8391 | 8388 | ||
8392 | for ac_header in libutil.h | 8389 | for ac_header in bsd/libutil.h libutil.h |
8393 | do : | 8390 | do : |
8394 | ac_fn_c_check_header_mongrel "$LINENO" "libutil.h" "ac_cv_header_libutil_h" "$ac_includes_default" | 8391 | as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` |
8395 | if test "x$ac_cv_header_libutil_h" = xyes; then : | 8392 | ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" |
8393 | if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : | ||
8396 | cat >>confdefs.h <<_ACEOF | 8394 | cat >>confdefs.h <<_ACEOF |
8397 | #define HAVE_LIBUTIL_H 1 | 8395 | #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 |
8398 | _ACEOF | 8396 | _ACEOF |
8399 | 8397 | ||
8400 | fi | 8398 | fi |
@@ -9584,6 +9582,8 @@ for ac_func in \ | |||
9584 | getopt \ | 9582 | getopt \ |
9585 | getpeereid \ | 9583 | getpeereid \ |
9586 | getpeerucred \ | 9584 | getpeerucred \ |
9585 | getpgid \ | ||
9586 | getpgrp \ | ||
9587 | _getpty \ | 9587 | _getpty \ |
9588 | getrlimit \ | 9588 | getrlimit \ |
9589 | getttyent \ | 9589 | getttyent \ |
@@ -9643,6 +9643,7 @@ for ac_func in \ | |||
9643 | strtonum \ | 9643 | strtonum \ |
9644 | strtoll \ | 9644 | strtoll \ |
9645 | strtoul \ | 9645 | strtoul \ |
9646 | strtoull \ | ||
9646 | swap32 \ | 9647 | swap32 \ |
9647 | sysconf \ | 9648 | sysconf \ |
9648 | tcgetpgrp \ | 9649 | tcgetpgrp \ |
@@ -9651,6 +9652,7 @@ for ac_func in \ | |||
9651 | unsetenv \ | 9652 | unsetenv \ |
9652 | updwtmpx \ | 9653 | updwtmpx \ |
9653 | user_from_uid \ | 9654 | user_from_uid \ |
9655 | usleep \ | ||
9654 | vasprintf \ | 9656 | vasprintf \ |
9655 | vhangup \ | 9657 | vhangup \ |
9656 | vsnprintf \ | 9658 | vsnprintf \ |
@@ -11258,6 +11260,147 @@ fi | |||
11258 | rm -f core conftest.err conftest.$ac_objext \ | 11260 | rm -f core conftest.err conftest.$ac_objext \ |
11259 | conftest$ac_exeext conftest.$ac_ext | 11261 | conftest$ac_exeext conftest.$ac_ext |
11260 | 11262 | ||
11263 | # Check for OpenSSL with EVP_aes_*ctr | ||
11264 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES CTR via EVP" >&5 | ||
11265 | $as_echo_n "checking whether OpenSSL has AES CTR via EVP... " >&6; } | ||
11266 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
11267 | /* end confdefs.h. */ | ||
11268 | |||
11269 | #include <string.h> | ||
11270 | #include <openssl/evp.h> | ||
11271 | |||
11272 | int | ||
11273 | main () | ||
11274 | { | ||
11275 | |||
11276 | exit(EVP_aes_128_ctr() == NULL || | ||
11277 | EVP_aes_192_cbc() == NULL || | ||
11278 | EVP_aes_256_cbc() == NULL); | ||
11279 | |||
11280 | ; | ||
11281 | return 0; | ||
11282 | } | ||
11283 | _ACEOF | ||
11284 | if ac_fn_c_try_link "$LINENO"; then : | ||
11285 | |||
11286 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
11287 | $as_echo "yes" >&6; } | ||
11288 | |||
11289 | $as_echo "#define OPENSSL_HAVE_EVPCTR 1" >>confdefs.h | ||
11290 | |||
11291 | |||
11292 | else | ||
11293 | |||
11294 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
11295 | $as_echo "no" >&6; } | ||
11296 | |||
11297 | |||
11298 | fi | ||
11299 | rm -f core conftest.err conftest.$ac_objext \ | ||
11300 | conftest$ac_exeext conftest.$ac_ext | ||
11301 | |||
11302 | # Check for OpenSSL with EVP_aes_*gcm | ||
11303 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES GCM via EVP" >&5 | ||
11304 | $as_echo_n "checking whether OpenSSL has AES GCM via EVP... " >&6; } | ||
11305 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
11306 | /* end confdefs.h. */ | ||
11307 | |||
11308 | #include <string.h> | ||
11309 | #include <openssl/evp.h> | ||
11310 | |||
11311 | int | ||
11312 | main () | ||
11313 | { | ||
11314 | |||
11315 | exit(EVP_aes_128_gcm() == NULL || | ||
11316 | EVP_aes_256_gcm() == NULL || | ||
11317 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || | ||
11318 | EVP_CTRL_GCM_IV_GEN == 0 || | ||
11319 | EVP_CTRL_GCM_SET_TAG == 0 || | ||
11320 | EVP_CTRL_GCM_GET_TAG == 0 || | ||
11321 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); | ||
11322 | |||
11323 | ; | ||
11324 | return 0; | ||
11325 | } | ||
11326 | _ACEOF | ||
11327 | if ac_fn_c_try_link "$LINENO"; then : | ||
11328 | |||
11329 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
11330 | $as_echo "yes" >&6; } | ||
11331 | |||
11332 | $as_echo "#define OPENSSL_HAVE_EVPGCM 1" >>confdefs.h | ||
11333 | |||
11334 | |||
11335 | else | ||
11336 | |||
11337 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
11338 | $as_echo "no" >&6; } | ||
11339 | |||
11340 | |||
11341 | fi | ||
11342 | rm -f core conftest.err conftest.$ac_objext \ | ||
11343 | conftest$ac_exeext conftest.$ac_ext | ||
11344 | |||
11345 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_ctrl" >&5 | ||
11346 | $as_echo_n "checking for library containing EVP_CIPHER_CTX_ctrl... " >&6; } | ||
11347 | if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then : | ||
11348 | $as_echo_n "(cached) " >&6 | ||
11349 | else | ||
11350 | ac_func_search_save_LIBS=$LIBS | ||
11351 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
11352 | /* end confdefs.h. */ | ||
11353 | |||
11354 | /* Override any GCC internal prototype to avoid an error. | ||
11355 | Use char because int might match the return type of a GCC | ||
11356 | builtin and then its argument prototype would still apply. */ | ||
11357 | #ifdef __cplusplus | ||
11358 | extern "C" | ||
11359 | #endif | ||
11360 | char EVP_CIPHER_CTX_ctrl (); | ||
11361 | int | ||
11362 | main () | ||
11363 | { | ||
11364 | return EVP_CIPHER_CTX_ctrl (); | ||
11365 | ; | ||
11366 | return 0; | ||
11367 | } | ||
11368 | _ACEOF | ||
11369 | for ac_lib in '' crypto; do | ||
11370 | if test -z "$ac_lib"; then | ||
11371 | ac_res="none required" | ||
11372 | else | ||
11373 | ac_res=-l$ac_lib | ||
11374 | LIBS="-l$ac_lib $ac_func_search_save_LIBS" | ||
11375 | fi | ||
11376 | if ac_fn_c_try_link "$LINENO"; then : | ||
11377 | ac_cv_search_EVP_CIPHER_CTX_ctrl=$ac_res | ||
11378 | fi | ||
11379 | rm -f core conftest.err conftest.$ac_objext \ | ||
11380 | conftest$ac_exeext | ||
11381 | if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then : | ||
11382 | break | ||
11383 | fi | ||
11384 | done | ||
11385 | if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then : | ||
11386 | |||
11387 | else | ||
11388 | ac_cv_search_EVP_CIPHER_CTX_ctrl=no | ||
11389 | fi | ||
11390 | rm conftest.$ac_ext | ||
11391 | LIBS=$ac_func_search_save_LIBS | ||
11392 | fi | ||
11393 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_ctrl" >&5 | ||
11394 | $as_echo "$ac_cv_search_EVP_CIPHER_CTX_ctrl" >&6; } | ||
11395 | ac_res=$ac_cv_search_EVP_CIPHER_CTX_ctrl | ||
11396 | if test "$ac_res" != no; then : | ||
11397 | test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" | ||
11398 | |||
11399 | $as_echo "#define HAVE_EVP_CIPHER_CTX_CTRL 1" >>confdefs.h | ||
11400 | |||
11401 | fi | ||
11402 | |||
11403 | |||
11261 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5 | 11404 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5 |
11262 | $as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; } | 11405 | $as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; } |
11263 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | 11406 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
@@ -11887,6 +12030,57 @@ _ACEOF | |||
11887 | 12030 | ||
11888 | 12031 | ||
11889 | 12032 | ||
12033 | if test "x$have_linux_no_new_privs" = "x1" ; then | ||
12034 | ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" " | ||
12035 | #include <sys/types.h> | ||
12036 | #include <linux/seccomp.h> | ||
12037 | |||
12038 | " | ||
12039 | if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then : | ||
12040 | have_seccomp_filter=1 | ||
12041 | fi | ||
12042 | |||
12043 | fi | ||
12044 | if test "x$have_seccomp_filter" = "x1" ; then | ||
12045 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5 | ||
12046 | $as_echo_n "checking kernel for seccomp_filter support... " >&6; } | ||
12047 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
12048 | /* end confdefs.h. */ | ||
12049 | |||
12050 | #include <errno.h> | ||
12051 | #include <elf.h> | ||
12052 | #include <linux/audit.h> | ||
12053 | #include <linux/seccomp.h> | ||
12054 | #include <stdlib.h> | ||
12055 | #include <sys/prctl.h> | ||
12056 | |||
12057 | int | ||
12058 | main () | ||
12059 | { | ||
12060 | int i = $seccomp_audit_arch; | ||
12061 | errno = 0; | ||
12062 | prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); | ||
12063 | exit(errno == EFAULT ? 0 : 1); | ||
12064 | ; | ||
12065 | return 0; | ||
12066 | } | ||
12067 | _ACEOF | ||
12068 | if ac_fn_c_try_link "$LINENO"; then : | ||
12069 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
12070 | $as_echo "yes" >&6; } | ||
12071 | else | ||
12072 | |||
12073 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
12074 | $as_echo "no" >&6; } | ||
12075 | # Disable seccomp filter as a target | ||
12076 | have_seccomp_filter=0 | ||
12077 | |||
12078 | |||
12079 | fi | ||
12080 | rm -f core conftest.err conftest.$ac_objext \ | ||
12081 | conftest$ac_exeext conftest.$ac_ext | ||
12082 | fi | ||
12083 | |||
11890 | # Decide which sandbox style to use | 12084 | # Decide which sandbox style to use |
11891 | sandbox_arg="" | 12085 | sandbox_arg="" |
11892 | 12086 | ||
@@ -11935,6 +12129,7 @@ main () | |||
11935 | struct rlimit rl_zero; | 12129 | struct rlimit rl_zero; |
11936 | int fd, r; | 12130 | int fd, r; |
11937 | fd_set fds; | 12131 | fd_set fds; |
12132 | struct timeval tv; | ||
11938 | 12133 | ||
11939 | fd = open("/dev/null", O_RDONLY); | 12134 | fd = open("/dev/null", O_RDONLY); |
11940 | FD_ZERO(&fds); | 12135 | FD_ZERO(&fds); |
@@ -11942,7 +12137,9 @@ main () | |||
11942 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | 12137 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; |
11943 | setrlimit(RLIMIT_FSIZE, &rl_zero); | 12138 | setrlimit(RLIMIT_FSIZE, &rl_zero); |
11944 | setrlimit(RLIMIT_NOFILE, &rl_zero); | 12139 | setrlimit(RLIMIT_NOFILE, &rl_zero); |
11945 | r = select(fd+1, &fds, NULL, NULL, NULL); | 12140 | tv.tv_sec = 1; |
12141 | tv.tv_usec = 0; | ||
12142 | r = select(fd+1, &fds, NULL, NULL, &tv); | ||
11946 | exit (r == -1 ? 1 : 0); | 12143 | exit (r == -1 ? 1 : 0); |
11947 | 12144 | ||
11948 | ; | 12145 | ; |
@@ -11963,6 +12160,54 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ | |||
11963 | fi | 12160 | fi |
11964 | 12161 | ||
11965 | 12162 | ||
12163 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit(RLIMIT_NOFILE,{0,0}) works" >&5 | ||
12164 | $as_echo_n "checking if setrlimit(RLIMIT_NOFILE,{0,0}) works... " >&6; } | ||
12165 | if test "$cross_compiling" = yes; then : | ||
12166 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5 | ||
12167 | $as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;} | ||
12168 | |||
12169 | else | ||
12170 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
12171 | /* end confdefs.h. */ | ||
12172 | |||
12173 | #include <sys/types.h> | ||
12174 | #ifdef HAVE_SYS_TIME_H | ||
12175 | # include <sys/time.h> | ||
12176 | #endif | ||
12177 | #include <sys/resource.h> | ||
12178 | #include <errno.h> | ||
12179 | #include <stdlib.h> | ||
12180 | |||
12181 | int | ||
12182 | main () | ||
12183 | { | ||
12184 | |||
12185 | struct rlimit rl_zero; | ||
12186 | int fd, r; | ||
12187 | fd_set fds; | ||
12188 | |||
12189 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | ||
12190 | r = setrlimit(RLIMIT_NOFILE, &rl_zero); | ||
12191 | exit (r == -1 ? 1 : 0); | ||
12192 | |||
12193 | ; | ||
12194 | return 0; | ||
12195 | } | ||
12196 | _ACEOF | ||
12197 | if ac_fn_c_try_run "$LINENO"; then : | ||
12198 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
12199 | $as_echo "yes" >&6; } | ||
12200 | rlimit_nofile_zero_works=yes | ||
12201 | else | ||
12202 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
12203 | $as_echo "no" >&6; } | ||
12204 | rlimit_nofile_zero_works=no | ||
12205 | fi | ||
12206 | rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ | ||
12207 | conftest.$ac_objext conftest.beam conftest.$ac_ext | ||
12208 | fi | ||
12209 | |||
12210 | |||
11966 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5 | 12211 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5 |
11967 | $as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; } | 12212 | $as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; } |
11968 | if test "$cross_compiling" = yes; then : | 12213 | if test "$cross_compiling" = yes; then : |
@@ -12026,11 +12271,13 @@ $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h | |||
12026 | elif test "x$sandbox_arg" = "xseccomp_filter" || \ | 12271 | elif test "x$sandbox_arg" = "xseccomp_filter" || \ |
12027 | ( test -z "$sandbox_arg" && \ | 12272 | ( test -z "$sandbox_arg" && \ |
12028 | test "x$have_seccomp_filter" = "x1" && \ | 12273 | test "x$have_seccomp_filter" = "x1" && \ |
12274 | test "x$ac_cv_header_elf_h" = "xyes" && \ | ||
12029 | test "x$ac_cv_header_linux_audit_h" = "xyes" && \ | 12275 | test "x$ac_cv_header_linux_audit_h" = "xyes" && \ |
12030 | test "x$have_seccomp_audit_arch" = "x1" && \ | 12276 | test "x$ac_cv_header_linux_filter_h" = "xyes" && \ |
12277 | test "x$seccomp_audit_arch" != "x" && \ | ||
12031 | test "x$have_linux_no_new_privs" = "x1" && \ | 12278 | test "x$have_linux_no_new_privs" = "x1" && \ |
12032 | test "x$ac_cv_func_prctl" = "xyes" ) ; then | 12279 | test "x$ac_cv_func_prctl" = "xyes" ) ; then |
12033 | test "x$have_seccomp_audit_arch" != "x1" && \ | 12280 | test "x$seccomp_audit_arch" = "x" && \ |
12034 | as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5 | 12281 | as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5 |
12035 | test "x$have_linux_no_new_privs" != "x1" && \ | 12282 | test "x$have_linux_no_new_privs" != "x1" && \ |
12036 | as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5 | 12283 | as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5 |
@@ -12044,7 +12291,8 @@ $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h | |||
12044 | 12291 | ||
12045 | elif test "x$sandbox_arg" = "xrlimit" || \ | 12292 | elif test "x$sandbox_arg" = "xrlimit" || \ |
12046 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ | 12293 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ |
12047 | test "x$select_works_with_rlimit" == "xyes" ) ; then | 12294 | test "x$select_works_with_rlimit" = "xyes" && \ |
12295 | test "x$rlimit_nofile_zero_works" = "xyes" ) ; then | ||
12048 | test "x$ac_cv_func_setrlimit" != "xyes" && \ | 12296 | test "x$ac_cv_func_setrlimit" != "xyes" && \ |
12049 | as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5 | 12297 | as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5 |
12050 | test "x$select_works_with_rlimit" != "xyes" && \ | 12298 | test "x$select_works_with_rlimit" != "xyes" && \ |
@@ -15229,6 +15477,9 @@ fi | |||
15229 | 15477 | ||
15230 | 15478 | ||
15231 | if test -x $KRB5CONF ; then | 15479 | if test -x $KRB5CONF ; then |
15480 | K5CFLAGS="`$KRB5CONF --cflags`" | ||
15481 | K5LIBS="`$KRB5CONF --libs`" | ||
15482 | CPPFLAGS="$CPPFLAGS $K5CFLAGS" | ||
15232 | 15483 | ||
15233 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5 | 15484 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5 |
15234 | $as_echo_n "checking for gssapi support... " >&6; } | 15485 | $as_echo_n "checking for gssapi support... " >&6; } |
@@ -15238,15 +15489,13 @@ $as_echo "yes" >&6; } | |||
15238 | 15489 | ||
15239 | $as_echo "#define GSSAPI 1" >>confdefs.h | 15490 | $as_echo "#define GSSAPI 1" >>confdefs.h |
15240 | 15491 | ||
15241 | k5confopts=gssapi | 15492 | GSSCFLAGS="`$KRB5CONF --cflags gssapi`" |
15493 | GSSLIBS="`$KRB5CONF --libs gssapi`" | ||
15494 | CPPFLAGS="$CPPFLAGS $GSSCFLAGS" | ||
15242 | else | 15495 | else |
15243 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 15496 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
15244 | $as_echo "no" >&6; } | 15497 | $as_echo "no" >&6; } |
15245 | k5confopts="" | ||
15246 | fi | 15498 | fi |
15247 | K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" | ||
15248 | K5LIBS="`$KRB5CONF --libs $k5confopts`" | ||
15249 | CPPFLAGS="$CPPFLAGS $K5CFLAGS" | ||
15250 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 | 15499 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 |
15251 | $as_echo_n "checking whether we are using Heimdal... " >&6; } | 15500 | $as_echo_n "checking whether we are using Heimdal... " >&6; } |
15252 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | 15501 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
@@ -15449,7 +15698,7 @@ if ${ac_cv_lib_gssapi_krb5_gss_init_sec_context+:} false; then : | |||
15449 | $as_echo_n "(cached) " >&6 | 15698 | $as_echo_n "(cached) " >&6 |
15450 | else | 15699 | else |
15451 | ac_check_lib_save_LIBS=$LIBS | 15700 | ac_check_lib_save_LIBS=$LIBS |
15452 | LIBS="-lgssapi_krb5 $K5LIBS $LIBS" | 15701 | LIBS="-lgssapi_krb5 $LIBS" |
15453 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | 15702 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
15454 | /* end confdefs.h. */ | 15703 | /* end confdefs.h. */ |
15455 | 15704 | ||
@@ -15482,7 +15731,7 @@ $as_echo "$ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&6; } | |||
15482 | if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then : | 15731 | if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then : |
15483 | $as_echo "#define GSSAPI 1" >>confdefs.h | 15732 | $as_echo "#define GSSAPI 1" >>confdefs.h |
15484 | 15733 | ||
15485 | K5LIBS="-lgssapi_krb5 $K5LIBS" | 15734 | GSSLIBS="-lgssapi_krb5" |
15486 | else | 15735 | else |
15487 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5 | 15736 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5 |
15488 | $as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; } | 15737 | $as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; } |
@@ -15490,7 +15739,7 @@ if ${ac_cv_lib_gssapi_gss_init_sec_context+:} false; then : | |||
15490 | $as_echo_n "(cached) " >&6 | 15739 | $as_echo_n "(cached) " >&6 |
15491 | else | 15740 | else |
15492 | ac_check_lib_save_LIBS=$LIBS | 15741 | ac_check_lib_save_LIBS=$LIBS |
15493 | LIBS="-lgssapi $K5LIBS $LIBS" | 15742 | LIBS="-lgssapi $LIBS" |
15494 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | 15743 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
15495 | /* end confdefs.h. */ | 15744 | /* end confdefs.h. */ |
15496 | 15745 | ||
@@ -15523,7 +15772,48 @@ $as_echo "$ac_cv_lib_gssapi_gss_init_sec_context" >&6; } | |||
15523 | if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then : | 15772 | if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then : |
15524 | $as_echo "#define GSSAPI 1" >>confdefs.h | 15773 | $as_echo "#define GSSAPI 1" >>confdefs.h |
15525 | 15774 | ||
15526 | K5LIBS="-lgssapi $K5LIBS" | 15775 | GSSLIBS="-lgssapi" |
15776 | else | ||
15777 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgss" >&5 | ||
15778 | $as_echo_n "checking for gss_init_sec_context in -lgss... " >&6; } | ||
15779 | if ${ac_cv_lib_gss_gss_init_sec_context+:} false; then : | ||
15780 | $as_echo_n "(cached) " >&6 | ||
15781 | else | ||
15782 | ac_check_lib_save_LIBS=$LIBS | ||
15783 | LIBS="-lgss $LIBS" | ||
15784 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
15785 | /* end confdefs.h. */ | ||
15786 | |||
15787 | /* Override any GCC internal prototype to avoid an error. | ||
15788 | Use char because int might match the return type of a GCC | ||
15789 | builtin and then its argument prototype would still apply. */ | ||
15790 | #ifdef __cplusplus | ||
15791 | extern "C" | ||
15792 | #endif | ||
15793 | char gss_init_sec_context (); | ||
15794 | int | ||
15795 | main () | ||
15796 | { | ||
15797 | return gss_init_sec_context (); | ||
15798 | ; | ||
15799 | return 0; | ||
15800 | } | ||
15801 | _ACEOF | ||
15802 | if ac_fn_c_try_link "$LINENO"; then : | ||
15803 | ac_cv_lib_gss_gss_init_sec_context=yes | ||
15804 | else | ||
15805 | ac_cv_lib_gss_gss_init_sec_context=no | ||
15806 | fi | ||
15807 | rm -f core conftest.err conftest.$ac_objext \ | ||
15808 | conftest$ac_exeext conftest.$ac_ext | ||
15809 | LIBS=$ac_check_lib_save_LIBS | ||
15810 | fi | ||
15811 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gss_gss_init_sec_context" >&5 | ||
15812 | $as_echo "$ac_cv_lib_gss_gss_init_sec_context" >&6; } | ||
15813 | if test "x$ac_cv_lib_gss_gss_init_sec_context" = xyes; then : | ||
15814 | $as_echo "#define GSSAPI 1" >>confdefs.h | ||
15815 | |||
15816 | GSSLIBS="-lgss" | ||
15527 | else | 15817 | else |
15528 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 | 15818 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 |
15529 | $as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;} | 15819 | $as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;} |
@@ -15533,6 +15823,9 @@ fi | |||
15533 | fi | 15823 | fi |
15534 | 15824 | ||
15535 | 15825 | ||
15826 | fi | ||
15827 | |||
15828 | |||
15536 | ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" | 15829 | ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" |
15537 | if test "x$ac_cv_header_gssapi_h" = xyes; then : | 15830 | if test "x$ac_cv_header_gssapi_h" = xyes; then : |
15538 | 15831 | ||
@@ -15620,7 +15913,6 @@ fi | |||
15620 | done | 15913 | done |
15621 | 15914 | ||
15622 | 15915 | ||
15623 | LIBS="$LIBS $K5LIBS" | ||
15624 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5 | 15916 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5 |
15625 | $as_echo_n "checking for library containing k_hasafs... " >&6; } | 15917 | $as_echo_n "checking for library containing k_hasafs... " >&6; } |
15626 | if ${ac_cv_search_k_hasafs+:} false; then : | 15918 | if ${ac_cv_search_k_hasafs+:} false; then : |
@@ -15679,12 +15971,39 @@ $as_echo "#define USE_AFS 1" >>confdefs.h | |||
15679 | 15971 | ||
15680 | fi | 15972 | fi |
15681 | 15973 | ||
15974 | |||
15975 | ac_fn_c_check_decl "$LINENO" "GSS_C_NT_HOSTBASED_SERVICE" "ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" " | ||
15976 | #ifdef HAVE_GSSAPI_H | ||
15977 | # include <gssapi.h> | ||
15978 | #elif defined(HAVE_GSSAPI_GSSAPI_H) | ||
15979 | # include <gssapi/gssapi.h> | ||
15980 | #endif | ||
15981 | |||
15982 | #ifdef HAVE_GSSAPI_GENERIC_H | ||
15983 | # include <gssapi_generic.h> | ||
15984 | #elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) | ||
15985 | # include <gssapi/gssapi_generic.h> | ||
15986 | #endif | ||
15987 | |||
15988 | " | ||
15989 | if test "x$ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" = xyes; then : | ||
15990 | ac_have_decl=1 | ||
15991 | else | ||
15992 | ac_have_decl=0 | ||
15993 | fi | ||
15994 | |||
15995 | cat >>confdefs.h <<_ACEOF | ||
15996 | #define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl | ||
15997 | _ACEOF | ||
15998 | |||
15682 | fi | 15999 | fi |
15683 | 16000 | ||
15684 | 16001 | ||
15685 | fi | 16002 | fi |
15686 | 16003 | ||
15687 | 16004 | ||
16005 | |||
16006 | |||
15688 | # Check whether user wants ConsoleKit support | 16007 | # Check whether user wants ConsoleKit support |
15689 | CONSOLEKIT_MSG="no" | 16008 | CONSOLEKIT_MSG="no" |
15690 | LIBCK_CONNECTOR="" | 16009 | LIBCK_CONNECTOR="" |
@@ -16868,7 +17187,6 @@ _ACEOF | |||
16868 | 17187 | ||
16869 | fi | 17188 | fi |
16870 | 17189 | ||
16871 | |||
16872 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5 | 17190 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5 |
16873 | $as_echo_n "checking if your system defines WTMPX_FILE... " >&6; } | 17191 | $as_echo_n "checking if your system defines WTMPX_FILE... " >&6; } |
16874 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | 17192 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
@@ -16921,6 +17239,60 @@ if test ! -z "$blibpath" ; then | |||
16921 | $as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;} | 17239 | $as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;} |
16922 | fi | 17240 | fi |
16923 | 17241 | ||
17242 | ac_fn_c_check_member "$LINENO" "struct lastlog" "ll_line" "ac_cv_member_struct_lastlog_ll_line" " | ||
17243 | #ifdef HAVE_SYS_TYPES_H | ||
17244 | #include <sys/types.h> | ||
17245 | #endif | ||
17246 | #ifdef HAVE_UTMP_H | ||
17247 | #include <utmp.h> | ||
17248 | #endif | ||
17249 | #ifdef HAVE_UTMPX_H | ||
17250 | #include <utmpx.h> | ||
17251 | #endif | ||
17252 | #ifdef HAVE_LASTLOG_H | ||
17253 | #include <lastlog.h> | ||
17254 | #endif | ||
17255 | |||
17256 | " | ||
17257 | if test "x$ac_cv_member_struct_lastlog_ll_line" = xyes; then : | ||
17258 | |||
17259 | else | ||
17260 | |||
17261 | if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then | ||
17262 | $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h | ||
17263 | |||
17264 | fi | ||
17265 | |||
17266 | fi | ||
17267 | |||
17268 | |||
17269 | ac_fn_c_check_member "$LINENO" "struct utmp" "ut_line" "ac_cv_member_struct_utmp_ut_line" " | ||
17270 | #ifdef HAVE_SYS_TYPES_H | ||
17271 | #include <sys/types.h> | ||
17272 | #endif | ||
17273 | #ifdef HAVE_UTMP_H | ||
17274 | #include <utmp.h> | ||
17275 | #endif | ||
17276 | #ifdef HAVE_UTMPX_H | ||
17277 | #include <utmpx.h> | ||
17278 | #endif | ||
17279 | #ifdef HAVE_LASTLOG_H | ||
17280 | #include <lastlog.h> | ||
17281 | #endif | ||
17282 | |||
17283 | " | ||
17284 | if test "x$ac_cv_member_struct_utmp_ut_line" = xyes; then : | ||
17285 | |||
17286 | else | ||
17287 | |||
17288 | $as_echo "#define DISABLE_UTMP 1" >>confdefs.h | ||
17289 | |||
17290 | $as_echo "#define DISABLE_WTMP 1" >>confdefs.h | ||
17291 | |||
17292 | |||
17293 | fi | ||
17294 | |||
17295 | |||
16924 | CFLAGS="$CFLAGS $werror_flags" | 17296 | CFLAGS="$CFLAGS $werror_flags" |
16925 | 17297 | ||
16926 | if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then | 17298 | if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then |
diff --git a/configure.ac b/configure.ac index fabd3e0f1..198a2056e 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: configure.ac,v 1.496 2012/07/06 01:49:29 djm Exp $ | 1 | # $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $ |
2 | # | 2 | # |
3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
4 | # | 4 | # |
@@ -15,7 +15,7 @@ | |||
15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | 16 | ||
17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) | 17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) |
18 | AC_REVISION($Revision: 1.496 $) | 18 | AC_REVISION($Revision: 1.518 $) |
19 | AC_CONFIG_SRCDIR([ssh.c]) | 19 | AC_CONFIG_SRCDIR([ssh.c]) |
20 | AC_LANG([C]) | 20 | AC_LANG([C]) |
21 | 21 | ||
@@ -120,32 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
120 | #include <sys/types.h> | 120 | #include <sys/types.h> |
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | if test "x$have_linux_no_new_privs" = "x1" ; then | ||
124 | AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ | ||
125 | #include <sys/types.h> | ||
126 | #include <linux/seccomp.h> | ||
127 | ]) | ||
128 | fi | ||
129 | if test "x$have_seccomp_filter" = "x1" ; then | ||
130 | AC_MSG_CHECKING([kernel for seccomp_filter support]) | ||
131 | AC_RUN_IFELSE([AC_LANG_PROGRAM([[ | ||
132 | #include <errno.h> | ||
133 | #include <linux/seccomp.h> | ||
134 | #include <stdlib.h> | ||
135 | #include <sys/prctl.h> | ||
136 | ]], | ||
137 | [[ errno = 0; | ||
138 | prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); | ||
139 | exit(errno == EFAULT ? 0 : 1); ]])], | ||
140 | [ AC_MSG_RESULT([yes]) ], [ | ||
141 | AC_MSG_RESULT([no]) | ||
142 | # Disable seccomp filter as a target | ||
143 | have_seccomp_filter=0 | ||
144 | ], | ||
145 | [ AC_MSG_RESULT([cross-compiling, assuming yes]) ] | ||
146 | ) | ||
147 | fi | ||
148 | |||
149 | use_stack_protector=1 | 123 | use_stack_protector=1 |
150 | AC_ARG_WITH([stackprotect], | 124 | AC_ARG_WITH([stackprotect], |
151 | [ --without-stackprotect Don't use compiler's stack protection], [ | 125 | [ --without-stackprotect Don't use compiler's stack protection], [ |
@@ -239,6 +213,18 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
239 | fi | 213 | fi |
240 | fi | 214 | fi |
241 | 215 | ||
216 | AC_MSG_CHECKING([if compiler allows __attribute__ on return types]) | ||
217 | AC_COMPILE_IFELSE( | ||
218 | [AC_LANG_PROGRAM([[ | ||
219 | #include <stdlib.h> | ||
220 | __attribute__((__unused__)) static void foo(void){return;}]], | ||
221 | [[ exit(0); ]])], | ||
222 | [ AC_MSG_RESULT([yes]) ], | ||
223 | [ AC_MSG_RESULT([no]) | ||
224 | AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1, | ||
225 | [compiler does not accept __attribute__ on return types]) ] | ||
226 | ) | ||
227 | |||
242 | if test "x$no_attrib_nonnull" != "x1" ; then | 228 | if test "x$no_attrib_nonnull" != "x1" ; then |
243 | AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) | 229 | AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) |
244 | fi | 230 | fi |
@@ -310,6 +296,7 @@ AC_CHECK_HEADERS([ \ | |||
310 | crypto/sha2.h \ | 296 | crypto/sha2.h \ |
311 | dirent.h \ | 297 | dirent.h \ |
312 | endian.h \ | 298 | endian.h \ |
299 | elf.h \ | ||
313 | features.h \ | 300 | features.h \ |
314 | fcntl.h \ | 301 | fcntl.h \ |
315 | floatingpoint.h \ | 302 | floatingpoint.h \ |
@@ -493,6 +480,7 @@ case "$host" in | |||
493 | AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], | 480 | AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], |
494 | [AIX 5.2 and 5.3 (and presumably newer) require this]) | 481 | [AIX 5.2 and 5.3 (and presumably newer) require this]) |
495 | AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) | 482 | AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) |
483 | AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) | ||
496 | ;; | 484 | ;; |
497 | *-*-cygwin*) | 485 | *-*-cygwin*) |
498 | check_for_libcrypt_later=1 | 486 | check_for_libcrypt_later=1 |
@@ -602,6 +590,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
602 | AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], | 590 | AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], |
603 | [String used in /etc/passwd to denote locked account]) | 591 | [String used in /etc/passwd to denote locked account]) |
604 | AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) | 592 | AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) |
593 | AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) | ||
605 | maildir="/var/mail" | 594 | maildir="/var/mail" |
606 | LIBS="$LIBS -lsec" | 595 | LIBS="$LIBS -lsec" |
607 | AC_CHECK_LIB([xnet], [t_error], , | 596 | AC_CHECK_LIB([xnet], [t_error], , |
@@ -713,20 +702,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | |||
713 | AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], | 702 | AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], |
714 | [], [#include <linux/types.h>]) | 703 | [], [#include <linux/types.h>]) |
715 | AC_CHECK_FUNCS([prctl]) | 704 | AC_CHECK_FUNCS([prctl]) |
716 | have_seccomp_audit_arch=1 | 705 | AC_MSG_CHECKING([for seccomp architecture]) |
706 | seccomp_audit_arch= | ||
717 | case "$host" in | 707 | case "$host" in |
718 | x86_64-*) | 708 | x86_64-*) |
719 | AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64], | 709 | seccomp_audit_arch=AUDIT_ARCH_X86_64 |
720 | [Specify the system call convention in use]) | ||
721 | ;; | 710 | ;; |
722 | i*86-*) | 711 | i*86-*) |
723 | AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386], | 712 | seccomp_audit_arch=AUDIT_ARCH_I386 |
724 | [Specify the system call convention in use]) | ||
725 | ;; | ||
726 | *) | ||
727 | have_seccomp_audit_arch=0 | ||
728 | ;; | 713 | ;; |
714 | arm*-*) | ||
715 | seccomp_audit_arch=AUDIT_ARCH_ARM | ||
716 | ;; | ||
729 | esac | 717 | esac |
718 | if test "x$seccomp_audit_arch" != "x" ; then | ||
719 | AC_MSG_RESULT(["$seccomp_audit_arch"]) | ||
720 | AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], | ||
721 | [Specify the system call convention in use]) | ||
722 | else | ||
723 | AC_MSG_RESULT([architecture not supported]) | ||
724 | fi | ||
730 | ;; | 725 | ;; |
731 | mips-sony-bsd|mips-sony-newsos4) | 726 | mips-sony-bsd|mips-sony-newsos4) |
732 | AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) | 727 | AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) |
@@ -750,6 +745,7 @@ mips-sony-bsd|mips-sony-newsos4) | |||
750 | AC_CHECK_HEADER([net/if_tap.h], , | 745 | AC_CHECK_HEADER([net/if_tap.h], , |
751 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) | 746 | AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) |
752 | AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) | 747 | AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) |
748 | AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need]) | ||
753 | ;; | 749 | ;; |
754 | *-*-bsdi*) | 750 | *-*-bsdi*) |
755 | AC_DEFINE([SETEUID_BREAKS_SETUID]) | 751 | AC_DEFINE([SETEUID_BREAKS_SETUID]) |
@@ -926,6 +922,7 @@ mips-sony-bsd|mips-sony-newsos4) | |||
926 | AC_CHECK_FUNCS([getluid setluid]) | 922 | AC_CHECK_FUNCS([getluid setluid]) |
927 | MANTYPE=man | 923 | MANTYPE=man |
928 | TEST_SHELL=ksh | 924 | TEST_SHELL=ksh |
925 | SKIP_DISABLE_LASTLOG_DEFINE=yes | ||
929 | ;; | 926 | ;; |
930 | *-*-unicosmk*) | 927 | *-*-unicosmk*) |
931 | AC_DEFINE([NO_SSH_LASTLOG], [1], | 928 | AC_DEFINE([NO_SSH_LASTLOG], [1], |
@@ -1194,7 +1191,7 @@ AC_CHECK_FUNCS([utimes], | |||
1194 | ) | 1191 | ) |
1195 | 1192 | ||
1196 | dnl Checks for libutil functions | 1193 | dnl Checks for libutil functions |
1197 | AC_CHECK_HEADERS([libutil.h]) | 1194 | AC_CHECK_HEADERS([bsd/libutil.h libutil.h]) |
1198 | AC_SEARCH_LIBS([fmt_scaled], [util bsd]) | 1195 | AC_SEARCH_LIBS([fmt_scaled], [util bsd]) |
1199 | AC_SEARCH_LIBS([login], [util bsd]) | 1196 | AC_SEARCH_LIBS([login], [util bsd]) |
1200 | AC_SEARCH_LIBS([logout], [util bsd]) | 1197 | AC_SEARCH_LIBS([logout], [util bsd]) |
@@ -1563,6 +1560,8 @@ AC_CHECK_FUNCS([ \ | |||
1563 | getopt \ | 1560 | getopt \ |
1564 | getpeereid \ | 1561 | getpeereid \ |
1565 | getpeerucred \ | 1562 | getpeerucred \ |
1563 | getpgid \ | ||
1564 | getpgrp \ | ||
1566 | _getpty \ | 1565 | _getpty \ |
1567 | getrlimit \ | 1566 | getrlimit \ |
1568 | getttyent \ | 1567 | getttyent \ |
@@ -1622,6 +1621,7 @@ AC_CHECK_FUNCS([ \ | |||
1622 | strtonum \ | 1621 | strtonum \ |
1623 | strtoll \ | 1622 | strtoll \ |
1624 | strtoul \ | 1623 | strtoul \ |
1624 | strtoull \ | ||
1625 | swap32 \ | 1625 | swap32 \ |
1626 | sysconf \ | 1626 | sysconf \ |
1627 | tcgetpgrp \ | 1627 | tcgetpgrp \ |
@@ -1630,6 +1630,7 @@ AC_CHECK_FUNCS([ \ | |||
1630 | unsetenv \ | 1630 | unsetenv \ |
1631 | updwtmpx \ | 1631 | updwtmpx \ |
1632 | user_from_uid \ | 1632 | user_from_uid \ |
1633 | usleep \ | ||
1633 | vasprintf \ | 1634 | vasprintf \ |
1634 | vhangup \ | 1635 | vhangup \ |
1635 | vsnprintf \ | 1636 | vsnprintf \ |
@@ -2323,6 +2324,56 @@ AC_LINK_IFELSE( | |||
2323 | ] | 2324 | ] |
2324 | ) | 2325 | ) |
2325 | 2326 | ||
2327 | # Check for OpenSSL with EVP_aes_*ctr | ||
2328 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) | ||
2329 | AC_LINK_IFELSE( | ||
2330 | [AC_LANG_PROGRAM([[ | ||
2331 | #include <string.h> | ||
2332 | #include <openssl/evp.h> | ||
2333 | ]], [[ | ||
2334 | exit(EVP_aes_128_ctr() == NULL || | ||
2335 | EVP_aes_192_cbc() == NULL || | ||
2336 | EVP_aes_256_cbc() == NULL); | ||
2337 | ]])], | ||
2338 | [ | ||
2339 | AC_MSG_RESULT([yes]) | ||
2340 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], | ||
2341 | [libcrypto has EVP AES CTR]) | ||
2342 | ], | ||
2343 | [ | ||
2344 | AC_MSG_RESULT([no]) | ||
2345 | ] | ||
2346 | ) | ||
2347 | |||
2348 | # Check for OpenSSL with EVP_aes_*gcm | ||
2349 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) | ||
2350 | AC_LINK_IFELSE( | ||
2351 | [AC_LANG_PROGRAM([[ | ||
2352 | #include <string.h> | ||
2353 | #include <openssl/evp.h> | ||
2354 | ]], [[ | ||
2355 | exit(EVP_aes_128_gcm() == NULL || | ||
2356 | EVP_aes_256_gcm() == NULL || | ||
2357 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || | ||
2358 | EVP_CTRL_GCM_IV_GEN == 0 || | ||
2359 | EVP_CTRL_GCM_SET_TAG == 0 || | ||
2360 | EVP_CTRL_GCM_GET_TAG == 0 || | ||
2361 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); | ||
2362 | ]])], | ||
2363 | [ | ||
2364 | AC_MSG_RESULT([yes]) | ||
2365 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], | ||
2366 | [libcrypto has EVP AES GCM]) | ||
2367 | ], | ||
2368 | [ | ||
2369 | AC_MSG_RESULT([no]) | ||
2370 | ] | ||
2371 | ) | ||
2372 | |||
2373 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], | ||
2374 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], | ||
2375 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) | ||
2376 | |||
2326 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) | 2377 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) |
2327 | AC_LINK_IFELSE( | 2378 | AC_LINK_IFELSE( |
2328 | [AC_LANG_PROGRAM([[ | 2379 | [AC_LANG_PROGRAM([[ |
@@ -2589,6 +2640,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"], | |||
2589 | [non-privileged user for privilege separation]) | 2640 | [non-privileged user for privilege separation]) |
2590 | AC_SUBST([SSH_PRIVSEP_USER]) | 2641 | AC_SUBST([SSH_PRIVSEP_USER]) |
2591 | 2642 | ||
2643 | if test "x$have_linux_no_new_privs" = "x1" ; then | ||
2644 | AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ | ||
2645 | #include <sys/types.h> | ||
2646 | #include <linux/seccomp.h> | ||
2647 | ]) | ||
2648 | fi | ||
2649 | if test "x$have_seccomp_filter" = "x1" ; then | ||
2650 | AC_MSG_CHECKING([kernel for seccomp_filter support]) | ||
2651 | AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
2652 | #include <errno.h> | ||
2653 | #include <elf.h> | ||
2654 | #include <linux/audit.h> | ||
2655 | #include <linux/seccomp.h> | ||
2656 | #include <stdlib.h> | ||
2657 | #include <sys/prctl.h> | ||
2658 | ]], | ||
2659 | [[ int i = $seccomp_audit_arch; | ||
2660 | errno = 0; | ||
2661 | prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); | ||
2662 | exit(errno == EFAULT ? 0 : 1); ]])], | ||
2663 | [ AC_MSG_RESULT([yes]) ], [ | ||
2664 | AC_MSG_RESULT([no]) | ||
2665 | # Disable seccomp filter as a target | ||
2666 | have_seccomp_filter=0 | ||
2667 | ] | ||
2668 | ) | ||
2669 | fi | ||
2670 | |||
2592 | # Decide which sandbox style to use | 2671 | # Decide which sandbox style to use |
2593 | sandbox_arg="" | 2672 | sandbox_arg="" |
2594 | AC_ARG_WITH([sandbox], | 2673 | AC_ARG_WITH([sandbox], |
@@ -2623,6 +2702,7 @@ AC_RUN_IFELSE( | |||
2623 | struct rlimit rl_zero; | 2702 | struct rlimit rl_zero; |
2624 | int fd, r; | 2703 | int fd, r; |
2625 | fd_set fds; | 2704 | fd_set fds; |
2705 | struct timeval tv; | ||
2626 | 2706 | ||
2627 | fd = open("/dev/null", O_RDONLY); | 2707 | fd = open("/dev/null", O_RDONLY); |
2628 | FD_ZERO(&fds); | 2708 | FD_ZERO(&fds); |
@@ -2630,7 +2710,9 @@ AC_RUN_IFELSE( | |||
2630 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | 2710 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; |
2631 | setrlimit(RLIMIT_FSIZE, &rl_zero); | 2711 | setrlimit(RLIMIT_FSIZE, &rl_zero); |
2632 | setrlimit(RLIMIT_NOFILE, &rl_zero); | 2712 | setrlimit(RLIMIT_NOFILE, &rl_zero); |
2633 | r = select(fd+1, &fds, NULL, NULL, NULL); | 2713 | tv.tv_sec = 1; |
2714 | tv.tv_usec = 0; | ||
2715 | r = select(fd+1, &fds, NULL, NULL, &tv); | ||
2634 | exit (r == -1 ? 1 : 0); | 2716 | exit (r == -1 ? 1 : 0); |
2635 | ]])], | 2717 | ]])], |
2636 | [AC_MSG_RESULT([yes]) | 2718 | [AC_MSG_RESULT([yes]) |
@@ -2640,6 +2722,32 @@ AC_RUN_IFELSE( | |||
2640 | [AC_MSG_WARN([cross compiling: assuming yes])] | 2722 | [AC_MSG_WARN([cross compiling: assuming yes])] |
2641 | ) | 2723 | ) |
2642 | 2724 | ||
2725 | AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) | ||
2726 | AC_RUN_IFELSE( | ||
2727 | [AC_LANG_PROGRAM([[ | ||
2728 | #include <sys/types.h> | ||
2729 | #ifdef HAVE_SYS_TIME_H | ||
2730 | # include <sys/time.h> | ||
2731 | #endif | ||
2732 | #include <sys/resource.h> | ||
2733 | #include <errno.h> | ||
2734 | #include <stdlib.h> | ||
2735 | ]],[[ | ||
2736 | struct rlimit rl_zero; | ||
2737 | int fd, r; | ||
2738 | fd_set fds; | ||
2739 | |||
2740 | rl_zero.rlim_cur = rl_zero.rlim_max = 0; | ||
2741 | r = setrlimit(RLIMIT_NOFILE, &rl_zero); | ||
2742 | exit (r == -1 ? 1 : 0); | ||
2743 | ]])], | ||
2744 | [AC_MSG_RESULT([yes]) | ||
2745 | rlimit_nofile_zero_works=yes], | ||
2746 | [AC_MSG_RESULT([no]) | ||
2747 | rlimit_nofile_zero_works=no], | ||
2748 | [AC_MSG_WARN([cross compiling: assuming yes])] | ||
2749 | ) | ||
2750 | |||
2643 | AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) | 2751 | AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) |
2644 | AC_RUN_IFELSE( | 2752 | AC_RUN_IFELSE( |
2645 | [AC_LANG_PROGRAM([[ | 2753 | [AC_LANG_PROGRAM([[ |
@@ -2676,11 +2784,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ | |||
2676 | elif test "x$sandbox_arg" = "xseccomp_filter" || \ | 2784 | elif test "x$sandbox_arg" = "xseccomp_filter" || \ |
2677 | ( test -z "$sandbox_arg" && \ | 2785 | ( test -z "$sandbox_arg" && \ |
2678 | test "x$have_seccomp_filter" = "x1" && \ | 2786 | test "x$have_seccomp_filter" = "x1" && \ |
2787 | test "x$ac_cv_header_elf_h" = "xyes" && \ | ||
2679 | test "x$ac_cv_header_linux_audit_h" = "xyes" && \ | 2788 | test "x$ac_cv_header_linux_audit_h" = "xyes" && \ |
2680 | test "x$have_seccomp_audit_arch" = "x1" && \ | 2789 | test "x$ac_cv_header_linux_filter_h" = "xyes" && \ |
2790 | test "x$seccomp_audit_arch" != "x" && \ | ||
2681 | test "x$have_linux_no_new_privs" = "x1" && \ | 2791 | test "x$have_linux_no_new_privs" = "x1" && \ |
2682 | test "x$ac_cv_func_prctl" = "xyes" ) ; then | 2792 | test "x$ac_cv_func_prctl" = "xyes" ) ; then |
2683 | test "x$have_seccomp_audit_arch" != "x1" && \ | 2793 | test "x$seccomp_audit_arch" = "x" && \ |
2684 | AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) | 2794 | AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) |
2685 | test "x$have_linux_no_new_privs" != "x1" && \ | 2795 | test "x$have_linux_no_new_privs" != "x1" && \ |
2686 | AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) | 2796 | AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) |
@@ -2692,7 +2802,8 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \ | |||
2692 | AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) | 2802 | AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) |
2693 | elif test "x$sandbox_arg" = "xrlimit" || \ | 2803 | elif test "x$sandbox_arg" = "xrlimit" || \ |
2694 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ | 2804 | ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ |
2695 | test "x$select_works_with_rlimit" == "xyes" ) ; then | 2805 | test "x$select_works_with_rlimit" = "xyes" && \ |
2806 | test "x$rlimit_nofile_zero_works" = "xyes" ) ; then | ||
2696 | test "x$ac_cv_func_setrlimit" != "xyes" && \ | 2807 | test "x$ac_cv_func_setrlimit" != "xyes" && \ |
2697 | AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) | 2808 | AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) |
2698 | test "x$select_works_with_rlimit" != "xyes" && \ | 2809 | test "x$select_works_with_rlimit" != "xyes" && \ |
@@ -3584,6 +3695,9 @@ AC_ARG_WITH([kerberos5], | |||
3584 | [$KRB5ROOT/bin/krb5-config], | 3695 | [$KRB5ROOT/bin/krb5-config], |
3585 | [$KRB5ROOT/bin:$PATH]) | 3696 | [$KRB5ROOT/bin:$PATH]) |
3586 | if test -x $KRB5CONF ; then | 3697 | if test -x $KRB5CONF ; then |
3698 | K5CFLAGS="`$KRB5CONF --cflags`" | ||
3699 | K5LIBS="`$KRB5CONF --libs`" | ||
3700 | CPPFLAGS="$CPPFLAGS $K5CFLAGS" | ||
3587 | 3701 | ||
3588 | AC_MSG_CHECKING([for gssapi support]) | 3702 | AC_MSG_CHECKING([for gssapi support]) |
3589 | if $KRB5CONF | grep gssapi >/dev/null ; then | 3703 | if $KRB5CONF | grep gssapi >/dev/null ; then |
@@ -3591,14 +3705,12 @@ AC_ARG_WITH([kerberos5], | |||
3591 | AC_DEFINE([GSSAPI], [1], | 3705 | AC_DEFINE([GSSAPI], [1], |
3592 | [Define this if you want GSSAPI | 3706 | [Define this if you want GSSAPI |
3593 | support in the version 2 protocol]) | 3707 | support in the version 2 protocol]) |
3594 | k5confopts=gssapi | 3708 | GSSCFLAGS="`$KRB5CONF --cflags gssapi`" |
3709 | GSSLIBS="`$KRB5CONF --libs gssapi`" | ||
3710 | CPPFLAGS="$CPPFLAGS $GSSCFLAGS" | ||
3595 | else | 3711 | else |
3596 | AC_MSG_RESULT([no]) | 3712 | AC_MSG_RESULT([no]) |
3597 | k5confopts="" | ||
3598 | fi | 3713 | fi |
3599 | K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" | ||
3600 | K5LIBS="`$KRB5CONF --libs $k5confopts`" | ||
3601 | CPPFLAGS="$CPPFLAGS $K5CFLAGS" | ||
3602 | AC_MSG_CHECKING([whether we are using Heimdal]) | 3714 | AC_MSG_CHECKING([whether we are using Heimdal]) |
3603 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h> | 3715 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h> |
3604 | ]], [[ char *tmp = heimdal_version; ]])], | 3716 | ]], [[ char *tmp = heimdal_version; ]])], |
@@ -3630,14 +3742,16 @@ AC_ARG_WITH([kerberos5], | |||
3630 | 3742 | ||
3631 | AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], | 3743 | AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], |
3632 | [ AC_DEFINE([GSSAPI]) | 3744 | [ AC_DEFINE([GSSAPI]) |
3633 | K5LIBS="-lgssapi_krb5 $K5LIBS" ], | 3745 | GSSLIBS="-lgssapi_krb5" ], |
3634 | [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], | 3746 | [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], |
3635 | [ AC_DEFINE([GSSAPI]) | 3747 | [ AC_DEFINE([GSSAPI]) |
3636 | K5LIBS="-lgssapi $K5LIBS" ], | 3748 | GSSLIBS="-lgssapi" ], |
3637 | AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), | 3749 | [ AC_CHECK_LIB([gss], [gss_init_sec_context], |
3638 | $K5LIBS) | 3750 | [ AC_DEFINE([GSSAPI]) |
3639 | ], | 3751 | GSSLIBS="-lgss" ], |
3640 | $K5LIBS) | 3752 | AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])) |
3753 | ]) | ||
3754 | ]) | ||
3641 | 3755 | ||
3642 | AC_CHECK_HEADER([gssapi.h], , | 3756 | AC_CHECK_HEADER([gssapi.h], , |
3643 | [ unset ac_cv_header_gssapi_h | 3757 | [ unset ac_cv_header_gssapi_h |
@@ -3665,12 +3779,27 @@ AC_ARG_WITH([kerberos5], | |||
3665 | AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h]) | 3779 | AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h]) |
3666 | AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h]) | 3780 | AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h]) |
3667 | 3781 | ||
3668 | LIBS="$LIBS $K5LIBS" | ||
3669 | AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], | 3782 | AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], |
3670 | [Define this if you want to use libkafs' AFS support])]) | 3783 | [Define this if you want to use libkafs' AFS support])]) |
3784 | |||
3785 | AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[ | ||
3786 | #ifdef HAVE_GSSAPI_H | ||
3787 | # include <gssapi.h> | ||
3788 | #elif defined(HAVE_GSSAPI_GSSAPI_H) | ||
3789 | # include <gssapi/gssapi.h> | ||
3790 | #endif | ||
3791 | |||
3792 | #ifdef HAVE_GSSAPI_GENERIC_H | ||
3793 | # include <gssapi_generic.h> | ||
3794 | #elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) | ||
3795 | # include <gssapi/gssapi_generic.h> | ||
3796 | #endif | ||
3797 | ]]) | ||
3671 | fi | 3798 | fi |
3672 | ] | 3799 | ] |
3673 | ) | 3800 | ) |
3801 | AC_SUBST([GSSLIBS]) | ||
3802 | AC_SUBST([K5LIBS]) | ||
3674 | 3803 | ||
3675 | # Check whether user wants ConsoleKit support | 3804 | # Check whether user wants ConsoleKit support |
3676 | CONSOLEKIT_MSG="no" | 3805 | CONSOLEKIT_MSG="no" |
@@ -4361,7 +4490,6 @@ if test -n "$conf_wtmp_location"; then | |||
4361 | [Define if you want to specify the path to your wtmp file]) | 4490 | [Define if you want to specify the path to your wtmp file]) |
4362 | fi | 4491 | fi |
4363 | 4492 | ||
4364 | |||
4365 | dnl wtmpx detection | 4493 | dnl wtmpx detection |
4366 | AC_MSG_CHECKING([if your system defines WTMPX_FILE]) | 4494 | AC_MSG_CHECKING([if your system defines WTMPX_FILE]) |
4367 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 4495 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ |
@@ -4393,6 +4521,43 @@ if test ! -z "$blibpath" ; then | |||
4393 | AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) | 4521 | AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) |
4394 | fi | 4522 | fi |
4395 | 4523 | ||
4524 | AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ | ||
4525 | if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then | ||
4526 | AC_DEFINE([DISABLE_LASTLOG]) | ||
4527 | fi | ||
4528 | ], [ | ||
4529 | #ifdef HAVE_SYS_TYPES_H | ||
4530 | #include <sys/types.h> | ||
4531 | #endif | ||
4532 | #ifdef HAVE_UTMP_H | ||
4533 | #include <utmp.h> | ||
4534 | #endif | ||
4535 | #ifdef HAVE_UTMPX_H | ||
4536 | #include <utmpx.h> | ||
4537 | #endif | ||
4538 | #ifdef HAVE_LASTLOG_H | ||
4539 | #include <lastlog.h> | ||
4540 | #endif | ||
4541 | ]) | ||
4542 | |||
4543 | AC_CHECK_MEMBER([struct utmp.ut_line], [], [ | ||
4544 | AC_DEFINE([DISABLE_UTMP]) | ||
4545 | AC_DEFINE([DISABLE_WTMP]) | ||
4546 | ], [ | ||
4547 | #ifdef HAVE_SYS_TYPES_H | ||
4548 | #include <sys/types.h> | ||
4549 | #endif | ||
4550 | #ifdef HAVE_UTMP_H | ||
4551 | #include <utmp.h> | ||
4552 | #endif | ||
4553 | #ifdef HAVE_UTMPX_H | ||
4554 | #include <utmpx.h> | ||
4555 | #endif | ||
4556 | #ifdef HAVE_LASTLOG_H | ||
4557 | #include <lastlog.h> | ||
4558 | #endif | ||
4559 | ]) | ||
4560 | |||
4396 | dnl Adding -Werror to CFLAGS early prevents configure tests from running. | 4561 | dnl Adding -Werror to CFLAGS early prevents configure tests from running. |
4397 | dnl Add now. | 4562 | dnl Add now. |
4398 | CFLAGS="$CFLAGS $werror_flags" | 4563 | CFLAGS="$CFLAGS $werror_flags" |
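Review bot: In the new `setrlimit(RLIMIT_NOFILE,{0,0})` probe (new lines 2725–2749), the cross-compiling branch prints "assuming yes" but never sets `rlimit_nofile_zero_works`, while the sandbox selection further down now requires `test "x$rlimit_nofile_zero_works" = "xyes"`. A cross-compiled build with no `--with-sandbox` argument would therefore not pick the rlimit sandbox despite the message; what it falls back to is outside the visible hunks and should be confirmed. Setting the variable in that branch, `[AC_MSG_WARN([cross compiling: assuming yes]) rlimit_nofile_zero_works=yes]`, would make the result match the message; the existing select probe just above has the same shape. Separately, the "AES CTR via EVP" probe tests `EVP_aes_192_cbc()` and `EVP_aes_256_cbc()`, which look like they were meant to be `EVP_aes_192_ctr()` and `EVP_aes_256_ctr()`.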
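--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
-%define version 6.1p1
+%define version 6.2p1
 %if %{use_stable}
 %define cvs %{nil}
 %define release 1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.78 2012/08/22 11:57:15 djm Exp $
+$Id: openssh.spec,v 1.79 2013/02/26 23:48:20 djm Exp $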
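--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 6.1p1
+%define ver 6.2p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID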
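--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -29,7 +29,7 @@ do_restart_sanity_check()
 {
 $SSHD -t
 RETVAL=$?
-if [ ! "$RETVAL" = 0 ]; then
+if [ $RETVAL -ne 0 ]; then
 failure $"Configuration file or keys are invalid"
 echo
 fi
@@ -49,7 +49,7 @@ start()
 echo -n $"Starting $prog:"
 $SSHD $OPTIONS && success || failure
 RETVAL=$?
-[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
 echo
 }
 
@@ -58,7 +58,7 @@ stop()
 echo -n $"Stopping $prog:"
 killproc $SSHD -TERM
 RETVAL=$?
-[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
 echo
 }
 
@@ -87,7 +87,7 @@ case "$1" in
 condrestart)
 if [ -f /var/lock/subsys/sshd ] ; then
 do_restart_sanity_check
-if [ "$RETVAL" = 0 ] ; then
+if [ $RETVAL -eq 0 ] ; then
 stop
 # avoid race
 sleep 3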
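Review bot: The four rewritten tests expand `$RETVAL` unquoted (`[ $RETVAL -ne 0 ]`, `[ $RETVAL -eq 0 ]`), so an empty value would turn each into a `[` usage error rather than a comparison. Every site visible here assigns `RETVAL=$?` or calls do_restart_sanity_check just before the test, so this is a point of style rather than a live bug, but keeping the quotes with the numeric operator costs nothing: `[ "$RETVAL" -eq 0 ]`. The enclosing functions and the `case` extend beyond the hunks.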
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 86d037abd..af18a1929 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id | |||
@@ -1,54 +1,293 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | 2 | ||
3 | # Shell script to install your public key on a remote machine | 3 | # Copyright (c) 1999-2013 Philip Hands <phil@hands.com> |
4 | # Takes the remote machine name as an argument. | 4 | # 2013 Martin Kletzander <mkletzan@redhat.com> |
5 | # Obviously, the remote machine must accept password authentication, | 5 | # 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es> |
6 | # or one of the other keys in your ssh-agent, for this to work. | 6 | # 2010 Eric Moret <eric.moret@gmail.com> |
7 | 7 | # 2009 Xr <xr@i-jeuxvideo.com> | |
8 | ID_FILE="${HOME}/.ssh/id_rsa.pub" | 8 | # 2007 Justin Pryzby <justinpryzby@users.sourceforge.net> |
9 | 9 | # 2004 Reini Urban <rurban@x-ray.at> | |
10 | if [ "-i" = "$1" ]; then | 10 | # 2003 Colin Watson <cjwatson@debian.org> |
11 | shift | 11 | # All rights reserved. |
12 | # check if we have 2 parameters left, if so the first is the new ID file | 12 | # |
13 | if [ -n "$2" ]; then | 13 | # Redistribution and use in source and binary forms, with or without |
14 | if expr "$1" : ".*\.pub" > /dev/null ; then | 14 | # modification, are permitted provided that the following conditions |
15 | ID_FILE="$1" | 15 | # are met: |
16 | else | 16 | # 1. Redistributions of source code must retain the above copyright |
17 | ID_FILE="$1.pub" | 17 | # notice, this list of conditions and the following disclaimer. |
18 | fi | 18 | # 2. Redistributions in binary form must reproduce the above copyright |
19 | shift # and this should leave $1 as the target name | 19 | # notice, this list of conditions and the following disclaimer in the |
20 | # documentation and/or other materials provided with the distribution. | ||
21 | # | ||
22 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
23 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
24 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
25 | # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
26 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
27 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
28 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
29 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
30 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
31 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
32 | |||
33 | # Shell script to install your public key(s) on a remote machine | ||
34 | # See the ssh-copy-id(1) man page for details | ||
35 | |||
36 | # check that we have something mildly sane as our shell, or try to find something better | ||
37 | if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0" | ||
38 | then | ||
39 | SANE_SH=${SANE_SH:-/usr/bin/ksh} | ||
40 | if printf 'true ^ false\n' | "$SANE_SH" | ||
41 | then | ||
42 | printf "'%s' seems viable.\n" "$SANE_SH" | ||
43 | exec "$SANE_SH" "$0" "$@" | ||
44 | else | ||
45 | cat <<-EOF | ||
46 | oh dear. | ||
47 | |||
48 | If you have a more recent shell available, that supports \$(...) etc. | ||
49 | please try setting the environment variable SANE_SH to the path of that | ||
50 | shell, and then retry running this script. If that works, please report | ||
51 | a bug describing your setup, and the shell you used to make it work. | ||
52 | |||
53 | EOF | ||
54 | printf "%s: ERROR: Less dimwitted shell required.\n" "$0" | ||
55 | exit 1 | ||
20 | fi | 56 | fi |
21 | else | 57 | fi |
22 | if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then | 58 | |
23 | GET_ID="$GET_ID ssh-add -L" | 59 | DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) |
60 | |||
61 | usage () { | ||
62 | printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2 | ||
63 | exit 1 | ||
64 | } | ||
65 | |||
66 | # escape any single quotes in an argument | ||
67 | quote() { | ||
68 | printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g" | ||
69 | } | ||
70 | |||
71 | use_id_file() { | ||
72 | local L_ID_FILE="$1" | ||
73 | |||
74 | if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then | ||
75 | PUB_ID_FILE="$L_ID_FILE" | ||
76 | else | ||
77 | PUB_ID_FILE="$L_ID_FILE.pub" | ||
24 | fi | 78 | fi |
79 | |||
80 | PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub) | ||
81 | |||
82 | # check that the files are readable | ||
83 | for f in $PUB_ID_FILE $PRIV_ID_FILE ; do | ||
84 | ErrMSG=$( { : < $f ; } 2>&1 ) || { | ||
85 | printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')" | ||
86 | exit 1 | ||
87 | } | ||
88 | done | ||
89 | GET_ID="cat \"$PUB_ID_FILE\"" | ||
90 | } | ||
91 | |||
92 | if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then | ||
93 | GET_ID="ssh-add -L" | ||
25 | fi | 94 | fi |
26 | 95 | ||
27 | if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then | 96 | while test "$#" -gt 0 |
28 | GET_ID="cat \"${ID_FILE}\"" | 97 | do |
98 | [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && { | ||
99 | printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0" | ||
100 | usage | ||
101 | } | ||
102 | |||
103 | OPT= OPTARG= | ||
104 | # implement something like getopt to avoid Solaris pain | ||
105 | case "$1" in | ||
106 | -i?*|-o?*|-p?*) | ||
107 | OPT="$(printf -- "$1"|cut -c1-2)" | ||
108 | OPTARG="$(printf -- "$1"|cut -c3-)" | ||
109 | shift | ||
110 | ;; | ||
111 | -o|-p) | ||
112 | OPT="$1" | ||
113 | OPTARG="$2" | ||
114 | shift 2 | ||
115 | ;; | ||
116 | -i) | ||
117 | OPT="$1" | ||
118 | test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || { | ||
119 | OPTARG="$2" | ||
120 | shift | ||
121 | } | ||
122 | shift | ||
123 | ;; | ||
124 | -n|-h|-\?) | ||
125 | OPT="$1" | ||
126 | OPTARG= | ||
127 | shift | ||
128 | ;; | ||
129 | --) | ||
130 | shift | ||
131 | while test "$#" -gt 0 | ||
132 | do | ||
133 | SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'" | ||
134 | shift | ||
135 | done | ||
136 | break | ||
137 | ;; | ||
138 | -*) | ||
139 | printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1" | ||
140 | usage | ||
141 | ;; | ||
142 | *) | ||
143 | SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'" | ||
144 | shift | ||
145 | continue | ||
146 | ;; | ||
147 | esac | ||
148 | |||
149 | case "$OPT" in | ||
150 | -i) | ||
151 | SEEN_OPT_I="yes" | ||
152 | use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}" | ||
153 | ;; | ||
154 | -o|-p) | ||
155 | SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'" | ||
156 | ;; | ||
157 | -n) | ||
158 | DRY_RUN=1 | ||
159 | ;; | ||
160 | -h|-\?) | ||
161 | usage | ||
162 | ;; | ||
163 | esac | ||
164 | done | ||
165 | |||
166 | eval set -- "$SAVEARGS" | ||
167 | |||
168 | if [ $# != 1 ] ; then | ||
169 | printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2 | ||
170 | usage | ||
29 | fi | 171 | fi |
30 | 172 | ||
31 | if [ -z "`eval $GET_ID`" ]; then | 173 | # drop trailing colon |
32 | echo "$0: ERROR: No identities found" >&2 | 174 | USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//') |
33 | exit 1 | 175 | # tack the hostname onto SSH_OPTS |
176 | SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'" | ||
177 | # and populate "$@" for later use (only way to get proper quoting of options) | ||
178 | eval set -- "$SSH_OPTS" | ||
179 | |||
180 | if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then | ||
181 | use_id_file "$PUB_ID_FILE" | ||
34 | fi | 182 | fi |
35 | 183 | ||
36 | if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then | 184 | if [ -z "$(eval $GET_ID)" ] ; then |
37 | echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 | 185 | printf '%s: ERROR: No identities found\n' "$0" >&2 |
38 | exit 1 | 186 | exit 1 |
39 | fi | 187 | fi |
40 | 188 | ||
41 | # strip any trailing colon | 189 | # populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...) |
42 | host=`echo $1 | sed 's/:$//'` | 190 | # and has the side effect of setting $NEW_IDS |
191 | populate_new_ids() { | ||
192 | local L_SUCCESS="$1" | ||
43 | 193 | ||
44 | { eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1 | 194 | # repopulate "$@" inside this function |
195 | eval set -- "$SSH_OPTS" | ||
45 | 196 | ||
46 | cat <<EOF | 197 | umask 0177 |
47 | Now try logging into the machine, with "ssh '$host'", and check in: | 198 | local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) |
199 | trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT | ||
200 | printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 | ||
201 | NEW_IDS=$( | ||
202 | eval $GET_ID | { | ||
203 | while read ID ; do | ||
204 | printf '%s\n' "$ID" > $L_TMP_ID_FILE | ||
48 | 205 | ||
49 | ~/.ssh/authorized_keys | 206 | # the next line assumes $PRIV_ID_FILE only set if using a single id file - this |
207 | # assumption will break if we implement the possibility of multiple -i options. | ||
208 | # The point being that if file based, ssh needs the private key, which it cannot | ||
209 | # find if only given the contents of the .pub file in an unrelated tmpfile | ||
210 | ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \ | ||
211 | -o PreferredAuthentications=publickey \ | ||
212 | -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null | ||
213 | if [ "$?" = "$L_SUCCESS" ] ; then | ||
214 | : > $L_TMP_ID_FILE | ||
215 | else | ||
216 | grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || { | ||
217 | sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE | ||
218 | cat >/dev/null #consume the other keys, causing loop to end | ||
219 | } | ||
220 | fi | ||
221 | |||
222 | cat $L_TMP_ID_FILE | ||
223 | done | ||
224 | } | ||
225 | ) | ||
226 | rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT | ||
227 | |||
228 | if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then | ||
229 | printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2 | ||
230 | exit 1 | ||
231 | fi | ||
232 | if [ -z "$NEW_IDS" ] ; then | ||
233 | printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2 | ||
234 | exit 0 | ||
235 | fi | ||
236 | printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 | ||
237 | } | ||
50 | 238 | ||
51 | to make sure we haven't added extra keys that you weren't expecting. | 239 | REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 | |
240 | sed -ne 's/.*remote software version //p') | ||
52 | 241 | ||
53 | EOF | 242 | case "$REMOTE_VERSION" in |
243 | NetScreen*) | ||
244 | populate_new_ids 1 | ||
245 | for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do | ||
246 | KEY_NO=$(($KEY_NO + 1)) | ||
247 | printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || { | ||
248 | printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2 | ||
249 | continue | ||
250 | } | ||
251 | [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1 | ||
252 | if [ $? = 255 ] ; then | ||
253 | printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2 | ||
254 | else | ||
255 | ADDED=$(($ADDED + 1)) | ||
256 | fi | ||
257 | done | ||
258 | if [ -z "$ADDED" ] ; then | ||
259 | exit 1 | ||
260 | fi | ||
261 | ;; | ||
262 | *) | ||
263 | # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect | ||
264 | populate_new_ids 0 | ||
265 | [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " | ||
266 | umask 077 ; | ||
267 | mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; | ||
268 | if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ | ||
269 | || exit 1 | ||
270 | ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) | ||
271 | ;; | ||
272 | esac | ||
273 | |||
274 | if [ "$DRY_RUN" ] ; then | ||
275 | cat <<-EOF | ||
276 | =-=-=-=-=-=-=-= | ||
277 | Would have added the following key(s): | ||
278 | |||
279 | $NEW_IDS | ||
280 | =-=-=-=-=-=-=-= | ||
281 | EOF | ||
282 | else | ||
283 | cat <<-EOF | ||
284 | |||
285 | Number of key(s) added: $ADDED | ||
286 | |||
287 | Now try logging into the machine, with: "ssh $SSH_OPTS" | ||
288 | and check to make sure that only the key(s) you wanted were added. | ||
289 | |||
290 | EOF | ||
291 | fi | ||
54 | 292 | ||
293 | # =-=-=-= | ||
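Review bot: In the `-i?*|-o?*|-p?*)` arm of the option loop, `printf -- "$1"` passes the user's argument as the printf format string, so any `%` or backslash in it is interpreted rather than copied. ssh option values routinely contain percent tokens (a ControlPath or ProxyCommand value given in the joined `-oName=value` form, for example), and those would be mangled or rejected before they reach ssh. Use a fixed format on both lines: `OPT="$(printf '%s' "$1" | cut -c1-2)"` and `OPTARG="$(printf '%s' "$1" | cut -c3-)"`. Separately, `GET_ID="cat \"$PUB_ID_FILE\""` is later run through `eval`, so a `-i` path containing `"`, `$` or backticks is re-parsed by the shell; passing it through the script's own `quote` helper would keep it inert.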
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index cb15ab24d..67a59e492 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1 | |||
@@ -1,75 +1,186 @@ | |||
1 | .ig \" -*- nroff -*- | 1 | .ig \" -*- nroff -*- |
2 | Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/> | 2 | Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/> |
3 | 3 | ||
4 | Permission is granted to make and distribute verbatim copies of | 4 | Redistribution and use in source and binary forms, with or without |
5 | this manual provided the copyright notice and this permission notice | 5 | modification, are permitted provided that the following conditions |
6 | are preserved on all copies. | 6 | are met: |
7 | 1. Redistributions of source code must retain the above copyright | ||
8 | notice, this list of conditions and the following disclaimer. | ||
9 | 2. Redistributions in binary form must reproduce the above copyright | ||
10 | notice, this list of conditions and the following disclaimer in the | ||
11 | documentation and/or other materials provided with the distribution. | ||
7 | 12 | ||
8 | Permission is granted to copy and distribute modified versions of this | 13 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
9 | manual under the conditions for verbatim copying, provided that the | 14 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
10 | entire resulting derived work is distributed under the terms of a | 15 | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
11 | permission notice identical to this one. | 16 | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
12 | 17 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
13 | Permission is granted to copy and distribute translations of this | 18 | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
14 | manual into another language, under the above conditions for modified | 19 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
15 | versions, except that this permission notice may be included in | 20 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
16 | translations approved by the Free Software Foundation instead of in | 21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
17 | the original English. | 22 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
18 | .. | 23 | .. |
19 | .TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" | 24 | .Dd $Mdocdate: June 17 2010 $ |
20 | .SH NAME | 25 | .Dt SSH-COPY-ID 1 |
21 | ssh-copy-id \- install your public key in a remote machine's authorized_keys | 26 | .Os |
22 | .SH SYNOPSIS | 27 | .Sh NAME |
23 | .B ssh-copy-id [-i [identity_file]] | 28 | .Nm ssh-copy-id |
24 | .I "[user@]machine" | 29 | .Nd use locally available keys to authorise logins on a remote machine |
30 | .Sh SYNOPSIS | ||
31 | .Nm | ||
32 | .Op Fl n | ||
33 | .Op Fl i Op Ar identity_file | ||
34 | .Op Fl p Ar port | ||
35 | .Op Fl o Ar ssh_option | ||
36 | .Op Ar user Ns @ Ns | ||
37 | .Ar hostname | ||
38 | .Nm | ||
39 | .Fl h | Fl ? | ||
25 | .br | 40 | .br |
26 | .SH DESCRIPTION | 41 | .Sh DESCRIPTION |
27 | .BR ssh-copy-id | 42 | .Nm |
28 | is a script that uses ssh to log into a remote machine and | 43 | is a script that uses |
29 | append the indicated identity file to that machine's | 44 | .Xr ssh 1 |
30 | .B ~/.ssh/authorized_keys | 45 | to log into a remote machine (presumably using a login password, |
31 | file. | 46 | so password authentication should be enabled, unless you've done some |
32 | .PP | 47 | clever use of multiple identities). It assembles a list of one or more |
33 | If the | 48 | fingerprints (as described below) and tries to log in with each key, to |
34 | .B -i | 49 | see if any of them are already installed (of course, if you are not using |
35 | option is given then the identity file (defaults to | 50 | .Xr ssh-agent 1 |
36 | .BR ~/.ssh/id_rsa.pub ) | 51 | this may result in you being repeatedly prompted for pass-phrases). |
37 | is used, regardless of whether there are any keys in your | 52 | It then assembles a list of those that failed to log in, and using ssh, |
38 | .BR ssh-agent . | 53 | enables logins with those keys on the remote server. By default it adds |
39 | Otherwise, if this: | 54 | the keys by appending them to the remote user's |
40 | .PP | 55 | .Pa ~/.ssh/authorized_keys |
41 | .B " ssh-add -L" | 56 | (creating the file, and directory, if necessary). It is also capable |
42 | .PP | 57 | of detecting if the remote system is a NetScreen, and using its |
43 | provides any output, it uses that in preference to the identity file. | 58 | .Ql set ssh pka-dsa key ... |
44 | .PP | 59 | command instead. |
45 | If the | 60 | .Pp |
46 | .B -i | 61 | The options are as follows: |
47 | option is used, or the | 62 | .Bl -tag -width Ds |
48 | .B ssh-add | 63 | .It Fl i Ar identity_file |
49 | produced no output, then it uses the contents of the identity | 64 | Use only the key(s) contained in |
50 | file. Once it has one or more fingerprints (by whatever means) it | 65 | .Ar identity_file |
51 | uses ssh to append them to | 66 | (rather than looking for identities via |
52 | .B ~/.ssh/authorized_keys | 67 | .Xr ssh-add 1 |
53 | on the remote machine (creating the file, and directory, if necessary.) | 68 | or in the |
54 | 69 | .Ic default_ID_file ) . | |
55 | .SH NOTES | 70 | If the filename does not end in |
56 | This program does not modify the permissions of any | 71 | .Pa .pub |
57 | pre-existing files or directories. Therefore, if the remote | 72 | this is added. If the filename is omitted, the |
58 | .B sshd | 73 | .Ic default_ID_file |
59 | has | 74 | is used. |
60 | .B StrictModes | 75 | .Pp |
61 | set in its | 76 | Note that this can be used to ensure that the keys copied have the |
62 | configuration, then the user's home, | 77 | comment one prefers and/or extra options applied, by ensuring that the |
63 | .B ~/.ssh | 78 | key file has these set as preferred before the copy is attempted. |
64 | folder, and | 79 | .It Fl n |
65 | .B ~/.ssh/authorized_keys | 80 | do a dry-run. Instead of installing keys on the remote system simply |
66 | file may need to have group writability disabled manually, e.g. via | 81 | prints the key(s) that would have been installed. |
67 | 82 | .It Fl h , Fl ? | |
68 | .B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys" | 83 | Print Usage summary |
69 | 84 | .It Fl p Ar port , Fl o Ar ssh_option | |
70 | on the remote machine. | 85 | These two options are simply passed through untouched, along with their |
71 | 86 | argument, to allow one to set the port or other | |
72 | .SH "SEE ALSO" | 87 | .Xr ssh 1 |
73 | .BR ssh (1), | 88 | options, respectively. |
74 | .BR ssh-agent (1), | 89 | .Pp |
75 | .BR sshd (8) | 90 | Rather than specifying these as command line options, it is often better to use (per-host) settings in |
91 | .Xr ssh 1 Ns 's | ||
92 | configuration file: | ||
93 | .Xr ssh_config 5 . | ||
94 | .El | ||
95 | .Pp | ||
96 | Default behaviour without | ||
97 | .Fl i , | ||
98 | is to check if | ||
99 | .Ql ssh-add -L | ||
100 | provides any output, and if so those keys are used. Note that this results in | ||
101 | the comment on the key being the filename that was given to | ||
102 | .Xr ssh-add 1 | ||
103 | when the key was loaded into your | ||
104 | .Xr ssh-agent 1 | ||
105 | rather than the comment contained in that file, which is a bit of a shame. | ||
106 | Otherwise, if | ||
107 | .Xr ssh-add 1 | ||
108 | provides no keys contents of the | ||
109 | .Ic default_ID_file | ||
110 | will be used. | ||
111 | .Pp | ||
112 | The | ||
113 | .Ic default_ID_file | ||
114 | is the most recent file that matches: | ||
115 | .Pa ~/.ssh/id*.pub , | ||
116 | (excluding those that match | ||
117 | .Pa ~/.ssh/*-cert.pub ) | ||
118 | so if you create a key that is not the one you want | ||
119 | .Nm | ||
120 | to use, just use | ||
121 | .Xr touch 1 | ||
122 | on your preferred key's | ||
123 | .Pa .pub | ||
124 | file to reinstate it as the most recent. | ||
125 | .Pp | ||
126 | .Sh EXAMPLES | ||
127 | If you have already installed keys from one system on a lot of remote | ||
128 | hosts, and you then create a new key, on a new client machine, say, | ||
129 | it can be difficult to keep track of which systems on which you've | ||
130 | installed the new key. One way of dealing with this is to load both | ||
131 | the new key and old key(s) into your | ||
132 | .Xr ssh-agent 1 . | ||
133 | Load the new key first, without the | ||
134 | .Fl c | ||
135 | option, then load one or more old keys into the agent, possibly by | ||
136 | ssh-ing to the client machine that has that old key, using the | ||
137 | .Fl A | ||
138 | option to allow agent forwarding: | ||
139 | .Pp | ||
140 | .D1 user@newclient$ ssh-add | ||
141 | .D1 user@newclient$ ssh -A old.client | ||
142 | .D1 user@oldl$ ssh-add -c | ||
143 | .D1 No ... prompt for pass-phrase ... | ||
144 | .D1 user@old$ logoff | ||
145 | .D1 user@newclient$ ssh someserver | ||
146 | .Pp | ||
147 | now, if the new key is installed on the server, you'll be allowed in | ||
148 | unprompted, whereas if you only have the old key(s) enabled, you'll be | ||
149 | asked for confirmation, which is your cue to log back out and run | ||
150 | .Pp | ||
151 | .D1 user@newclient$ ssh-copy-id -i someserver | ||
152 | .Pp | ||
153 | The reason you might want to specify the -i option in this case is to | ||
154 | ensure that the comment on the installed key is the one from the | ||
155 | .Pa .pub | ||
156 | file, rather than just the filename that was loaded into you agent. | ||
157 | It also ensures that only the id you intended is installed, rather than | ||
158 | all the keys that you have in your | ||
159 | .Xr ssh-agent 1 . | ||
160 | Of course, you can specify another id, or use the contents of the | ||
161 | .Xr ssh-agent 1 | ||
162 | as you prefer. | ||
163 | .Pp | ||
164 | Having mentioned | ||
165 | .Xr ssh-add 1 Ns 's | ||
166 | .Fl c | ||
167 | option, you might consider using this whenever using agent forwarding | ||
168 | to avoid your key being hijacked, but it is much better to instead use | ||
169 | .Xr ssh 1 Ns 's | ||
170 | .Ar ProxyCommand | ||
171 | and | ||
172 | .Fl W | ||
173 | option, | ||
174 | to bounce through remote servers while always doing direct end-to-end | ||
175 | authentication. This way the middle hop(s) don't get access to your | ||
176 | .Xr ssh-agent 1 . | ||
177 | A web search for | ||
178 | .Ql ssh proxycommand nc | ||
179 | should prove enlightening (N.B. the modern approach is to use the | ||
180 | .Fl W | ||
181 | option, rather than | ||
182 | .Xr nc 1 ) . | ||
183 | .Sh "SEE ALSO" | ||
184 | .Xr ssh 1 , | ||
185 | .Xr ssh-agent 1 , | ||
186 | .Xr sshd 8 | ||
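--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 6.1p1
+Version: 6.2p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz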
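--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -49,7 +49,7 @@ case "$1" in
 ## Start daemon with startproc(8). If this fails
 ## the echo return value is set appropriate.
 
-startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
+startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
 
 # Remember status and be verbose
 rc_status -v
@@ -59,7 +59,7 @@ case "$1" in
 ## Stop daemon with killproc(8) and if this fails
 ## set echo the echo return value.
 
-killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
+killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
 
 # Remember status and be verbose
 rc_status -v
@@ -87,7 +87,7 @@ case "$1" in
 
 echo -n "Reload service sshd"
 
-killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
+killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
 
 rc_status -v
 
@@ -103,7 +103,7 @@ case "$1" in
 # 2 - service dead, but /var/lock/ lock file exists
 # 3 - service not running
 
-checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
+checkproc -p $SSHD_PIDFILE $SSHD_BIN
 
 rc_status -v
 ;;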
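--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,11 @@
-openssh (1:6.1p1-5) UNRELEASED; urgency=low
+openssh (1:6.2p1-1) UNRELEASED; urgency=low
 
+* New upstream release (http://www.openssh.com/txt/release-6.2).
+- Add support for multiple required authentication in SSH protocol 2 via
+an AuthenticationMethods option (closes: #195716).
+- Fix Sophie Germain formula in moduli(5) (closes: #698612).
+- Update ssh-copy-id to Phil Hands' greatly revised version (closes:
+#99785, #322228, #620428; LP: #518883, #835901, #1074798).
 * Use dh-autoreconf.
 
 -- Colin Watson <cjwatson@debian.org> Mon, 06 May 2013 10:47:33 +0100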
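--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
 Author: Colin Watson <cjwatson@debian.org>
 Bug-Debian: http://bugs.debian.org/630606
 Forwarded: no
-Last-Update: 2011-07-28
+Last-Update: 2013-05-07
 
 Index: b/auth-options.c
 ===================================================================
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -211,6 +211,7 @@
+@@ -217,6 +217,7 @@
 restore_uid();
 return 0;
 }
@@ -104,7 +104,7 @@ Index: b/auth2-pubkey.c
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 /* Skip leading whitespace. */
 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -281,6 +282,8 @@
+@@ -278,6 +279,8 @@
 found_key = 0;
 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
@@ -113,7 +113,7 @@ Index: b/auth2-pubkey.c
 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
 char *cp, *key_options = NULL;
 
-@@ -417,6 +420,7 @@
+@@ -412,6 +415,7 @@
 if (key_cert_check_authority(key, 0, 1,
 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
 goto fail_reason;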
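--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
 Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
 Bug-Debian: http://bugs.debian.org/441817
-Last-Update: 2010-03-01
+Last-Update: 2013-05-07
 
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -277,6 +277,7 @@
+@@ -286,6 +286,7 @@
 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8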
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch index a952e4405..d67123a1e 100644 --- a/debian/patches/consolekit.patch +++ b/debian/patches/consolekit.patch | |||
@@ -1,13 +1,13 @@ | |||
1 | Description: Add support for registering ConsoleKit sessions on login | 1 | Description: Add support for registering ConsoleKit sessions on login |
2 | Author: Colin Watson <cjwatson@ubuntu.com> | 2 | Author: Colin Watson <cjwatson@ubuntu.com> |
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 | 3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 |
4 | Last-Updated: 2012-10-31 | 4 | Last-Updated: 2013-05-07 |
5 | 5 | ||
6 | Index: b/Makefile.in | 6 | Index: b/Makefile.in |
7 | =================================================================== | 7 | =================================================================== |
8 | --- a/Makefile.in | 8 | --- a/Makefile.in |
9 | +++ b/Makefile.in | 9 | +++ b/Makefile.in |
10 | @@ -94,7 +94,8 @@ | 10 | @@ -96,7 +96,8 @@ |
11 | sftp-server.o sftp-common.o \ | 11 | sftp-server.o sftp-common.o \ |
12 | roaming_common.o roaming_serv.o \ | 12 | roaming_common.o roaming_serv.o \ |
13 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 13 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
@@ -21,9 +21,9 @@ Index: b/configure.ac | |||
21 | =================================================================== | 21 | =================================================================== |
22 | --- a/configure.ac | 22 | --- a/configure.ac |
23 | +++ b/configure.ac | 23 | +++ b/configure.ac |
24 | @@ -3672,6 +3672,30 @@ | 24 | @@ -3801,6 +3801,30 @@ |
25 | ] | 25 | AC_SUBST([GSSLIBS]) |
26 | ) | 26 | AC_SUBST([K5LIBS]) |
27 | 27 | ||
28 | +# Check whether user wants ConsoleKit support | 28 | +# Check whether user wants ConsoleKit support |
29 | +CONSOLEKIT_MSG="no" | 29 | +CONSOLEKIT_MSG="no" |
@@ -52,7 +52,7 @@ Index: b/configure.ac | |||
52 | # Looking for programs, paths and files | 52 | # Looking for programs, paths and files |
53 | 53 | ||
54 | PRIVSEP_PATH=/var/empty | 54 | PRIVSEP_PATH=/var/empty |
55 | @@ -4435,6 +4459,7 @@ | 55 | @@ -4600,6 +4624,7 @@ |
56 | echo " libedit support: $LIBEDIT_MSG" | 56 | echo " libedit support: $LIBEDIT_MSG" |
57 | echo " Solaris process contract support: $SPC_MSG" | 57 | echo " Solaris process contract support: $SPC_MSG" |
58 | echo " Solaris project support: $SP_MSG" | 58 | echo " Solaris project support: $SP_MSG" |
@@ -64,7 +64,7 @@ Index: b/configure | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/configure | 65 | --- a/configure |
66 | +++ b/configure | 66 | +++ b/configure |
67 | @@ -735,6 +735,7 @@ | 67 | @@ -737,6 +737,7 @@ |
68 | with_sandbox | 68 | with_sandbox |
69 | with_selinux | 69 | with_selinux |
70 | with_kerberos5 | 70 | with_kerberos5 |
@@ -72,7 +72,7 @@ Index: b/configure | |||
72 | with_privsep_path | 72 | with_privsep_path |
73 | with_xauth | 73 | with_xauth |
74 | enable_strip | 74 | enable_strip |
75 | @@ -1425,6 +1426,7 @@ | 75 | @@ -1427,6 +1428,7 @@ |
76 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) | 76 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) |
77 | --with-selinux Enable SELinux support | 77 | --with-selinux Enable SELinux support |
78 | --with-kerberos5=PATH Enable Kerberos 5 support | 78 | --with-kerberos5=PATH Enable Kerberos 5 support |
@@ -80,8 +80,8 @@ Index: b/configure | |||
80 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) | 80 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) |
81 | --with-xauth=PATH Specify path to xauth program | 81 | --with-xauth=PATH Specify path to xauth program |
82 | --with-maildir=/path/to/mail Specify your system mail directory | 82 | --with-maildir=/path/to/mail Specify your system mail directory |
83 | @@ -15683,6 +15685,135 @@ | 83 | @@ -16002,6 +16004,135 @@ |
84 | fi | 84 | |
85 | 85 | ||
86 | 86 | ||
87 | +# Check whether user wants ConsoleKit support | 87 | +# Check whether user wants ConsoleKit support |
@@ -216,7 +216,7 @@ Index: b/configure | |||
216 | # Looking for programs, paths and files | 216 | # Looking for programs, paths and files |
217 | 217 | ||
218 | PRIVSEP_PATH=/var/empty | 218 | PRIVSEP_PATH=/var/empty |
219 | @@ -18155,6 +18286,7 @@ | 219 | @@ -18527,6 +18658,7 @@ |
220 | echo " libedit support: $LIBEDIT_MSG" | 220 | echo " libedit support: $LIBEDIT_MSG" |
221 | echo " Solaris process contract support: $SPC_MSG" | 221 | echo " Solaris process contract support: $SPC_MSG" |
222 | echo " Solaris project support: $SP_MSG" | 222 | echo " Solaris project support: $SP_MSG" |
@@ -522,7 +522,7 @@ Index: b/monitor.c | |||
522 | static Authctxt *authctxt; | 522 | static Authctxt *authctxt; |
523 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ | 523 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ |
524 | 524 | ||
525 | @@ -283,6 +290,9 @@ | 525 | @@ -284,6 +291,9 @@ |
526 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 526 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
527 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, | 527 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, |
528 | #endif | 528 | #endif |
@@ -532,7 +532,7 @@ Index: b/monitor.c | |||
532 | {0, 0, NULL} | 532 | {0, 0, NULL} |
533 | }; | 533 | }; |
534 | 534 | ||
535 | @@ -325,6 +335,9 @@ | 535 | @@ -326,6 +336,9 @@ |
536 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 536 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
537 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, | 537 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, |
538 | #endif | 538 | #endif |
@@ -542,7 +542,7 @@ Index: b/monitor.c | |||
542 | {0, 0, NULL} | 542 | {0, 0, NULL} |
543 | }; | 543 | }; |
544 | 544 | ||
545 | @@ -495,6 +508,9 @@ | 545 | @@ -514,6 +527,9 @@ |
546 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 546 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
547 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); | 547 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); |
548 | } | 548 | } |
@@ -552,7 +552,7 @@ Index: b/monitor.c | |||
552 | 552 | ||
553 | for (;;) | 553 | for (;;) |
554 | monitor_read(pmonitor, mon_dispatch, NULL); | 554 | monitor_read(pmonitor, mon_dispatch, NULL); |
555 | @@ -2196,6 +2212,34 @@ | 555 | @@ -2232,6 +2248,34 @@ |
556 | buffer_put_int(m, major); | 556 | buffer_put_int(m, major); |
557 | buffer_put_string(m, hash.value, hash.length); | 557 | buffer_put_string(m, hash.value, hash.length); |
558 | 558 | ||
@@ -591,19 +591,20 @@ Index: b/monitor.h | |||
591 | =================================================================== | 591 | =================================================================== |
592 | --- a/monitor.h | 592 | --- a/monitor.h |
593 | +++ b/monitor.h | 593 | +++ b/monitor.h |
594 | @@ -62,6 +62,7 @@ | 594 | @@ -75,6 +75,8 @@ |
595 | MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, | 595 | |
596 | MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, | 596 | MONITOR_REQ_AUTHROLE = 300, |
597 | MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, | 597 | |
598 | + MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER, | 598 | + MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401, |
599 | MONITOR_REQ_TERM, | 599 | + |
600 | MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, | 600 | }; |
601 | MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, | 601 | |
602 | struct mm_master; | ||
602 | Index: b/monitor_wrap.c | 603 | Index: b/monitor_wrap.c |
603 | =================================================================== | 604 | =================================================================== |
604 | --- a/monitor_wrap.c | 605 | --- a/monitor_wrap.c |
605 | +++ b/monitor_wrap.c | 606 | +++ b/monitor_wrap.c |
606 | @@ -1310,6 +1310,37 @@ | 607 | @@ -1311,6 +1311,37 @@ |
607 | mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) | 608 | mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) |
608 | { | 609 | { |
609 | Buffer m; | 610 | Buffer m; |
@@ -666,7 +667,7 @@ Index: b/session.c | |||
666 | 667 | ||
667 | #if defined(KRB5) && defined(USE_AFS) | 668 | #if defined(KRB5) && defined(USE_AFS) |
668 | #include <kafs.h> | 669 | #include <kafs.h> |
669 | @@ -1129,6 +1130,9 @@ | 670 | @@ -1132,6 +1133,9 @@ |
670 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 671 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
671 | char *path = NULL; | 672 | char *path = NULL; |
672 | #endif | 673 | #endif |
@@ -676,7 +677,7 @@ Index: b/session.c | |||
676 | 677 | ||
677 | /* Initialize the environment. */ | 678 | /* Initialize the environment. */ |
678 | envsize = 100; | 679 | envsize = 100; |
679 | @@ -1273,6 +1277,11 @@ | 680 | @@ -1276,6 +1280,11 @@ |
680 | child_set_env(&env, &envsize, "KRB5CCNAME", | 681 | child_set_env(&env, &envsize, "KRB5CCNAME", |
681 | s->authctxt->krb5_ccname); | 682 | s->authctxt->krb5_ccname); |
682 | #endif | 683 | #endif |
@@ -688,7 +689,7 @@ Index: b/session.c | |||
688 | #ifdef USE_PAM | 689 | #ifdef USE_PAM |
689 | /* | 690 | /* |
690 | * Pull in any environment variables that may have | 691 | * Pull in any environment variables that may have |
691 | @@ -2300,6 +2309,10 @@ | 692 | @@ -2308,6 +2317,10 @@ |
692 | 693 | ||
693 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); | 694 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); |
694 | 695 | ||
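Review bot: The explicit request numbers in the monitor.h hunk, `MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401`, are not documented anywhere in the patch. C accepts two enumerators with the same value, so a clash with another patch in the series would compile cleanly and would presumably surface only at run time, as a privilege-separation request matched against the wrong dispatch entry. The hunk's context already shows `MONITOR_REQ_AUTHROLE = 300`, and gssapi.patch in this same commit takes 200-203, so the ranges look deliberate but are recorded nowhere. I would add a comment above the new line such as `/* Debian-local: 400-401 reserved for consolekit.patch; values must stay unique across the patch stack */`. The enum starts outside this hunk, so upstream's own numbering cannot be checked from here.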
diff --git a/debian/patches/copy-id-restorecon.patch b/debian/patches/copy-id-restorecon.patch deleted file mode 100644 index d26680c4a..000000000 --- a/debian/patches/copy-id-restorecon.patch +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | Description: Call restorecon on copied ~/.ssh/authorized_keys if possible | ||
2 | Author: Tomas Mraz <tmraz@fedoraproject.org> | ||
3 | Bug-Debian: http://bugs.debian.org/658675 | ||
4 | Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=739989 | ||
5 | Last-Update: 2012-08-24 | ||
6 | |||
7 | Index: b/contrib/ssh-copy-id | ||
8 | =================================================================== | ||
9 | --- a/contrib/ssh-copy-id | ||
10 | +++ b/contrib/ssh-copy-id | ||
11 | @@ -41,7 +41,7 @@ | ||
12 | # strip any trailing colon | ||
13 | host=`echo $1 | sed 's/:$//'` | ||
14 | |||
15 | -{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1 | ||
16 | +{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1 | ||
17 | |||
18 | cat <<EOF | ||
19 | Now try logging into the machine, with "ssh '$host'", and check in: | ||
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 22b1e4c14..d96f2cc59 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option | |||
4 | Author: Kees Cook <kees@debian.org> | 4 | Author: Kees Cook <kees@debian.org> |
5 | Bug-Debian: http://bugs.debian.org/562048 | 5 | Bug-Debian: http://bugs.debian.org/562048 |
6 | Forwarded: not-needed | 6 | Forwarded: not-needed |
7 | Last-Update: 2012-09-07 | 7 | Last-Update: 2013-05-07 |
8 | 8 | ||
9 | Index: b/servconf.c | 9 | Index: b/servconf.c |
10 | =================================================================== | 10 | =================================================================== |
11 | --- a/servconf.c | 11 | --- a/servconf.c |
12 | +++ b/servconf.c | 12 | +++ b/servconf.c |
13 | @@ -146,6 +146,7 @@ | 13 | @@ -150,6 +150,7 @@ |
14 | options->ip_qos_interactive = -1; | 14 | options->ip_qos_interactive = -1; |
15 | options->ip_qos_bulk = -1; | 15 | options->ip_qos_bulk = -1; |
16 | options->version_addendum = NULL; | 16 | options->version_addendum = NULL; |
@@ -18,7 +18,7 @@ Index: b/servconf.c | |||
18 | } | 18 | } |
19 | 19 | ||
20 | void | 20 | void |
21 | @@ -295,6 +296,8 @@ | 21 | @@ -299,6 +300,8 @@ |
22 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 22 | options->ip_qos_bulk = IPTOS_THROUGHPUT; |
23 | if (options->version_addendum == NULL) | 23 | if (options->version_addendum == NULL) |
24 | options->version_addendum = xstrdup(""); | 24 | options->version_addendum = xstrdup(""); |
@@ -27,23 +27,23 @@ Index: b/servconf.c | |||
27 | /* Turn privilege separation on by default */ | 27 | /* Turn privilege separation on by default */ |
28 | if (use_privsep == -1) | 28 | if (use_privsep == -1) |
29 | use_privsep = PRIVSEP_NOSANDBOX; | 29 | use_privsep = PRIVSEP_NOSANDBOX; |
30 | @@ -343,6 +346,7 @@ | 30 | @@ -349,6 +352,7 @@ |
31 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | ||
32 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | ||
33 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 31 | sKexAlgorithms, sIPQoS, sVersionAddendum, |
32 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | ||
33 | sAuthenticationMethods, | ||
34 | + sDebianBanner, | 34 | + sDebianBanner, |
35 | sDeprecated, sUnsupported | 35 | sDeprecated, sUnsupported |
36 | } ServerOpCodes; | 36 | } ServerOpCodes; |
37 | 37 | ||
38 | @@ -479,6 +483,7 @@ | 38 | @@ -488,6 +492,7 @@ |
39 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, | 39 | { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, |
40 | { "ipqos", sIPQoS, SSHCFG_ALL }, | ||
41 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, | 40 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, |
41 | { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, | ||
42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
43 | { NULL, sBadOption, 0 } | 43 | { NULL, sBadOption, 0 } |
44 | }; | 44 | }; |
45 | 45 | ||
46 | @@ -1538,6 +1543,10 @@ | 46 | @@ -1593,6 +1598,10 @@ |
47 | } | 47 | } |
48 | return 0; | 48 | return 0; |
49 | 49 | ||
@@ -58,10 +58,11 @@ Index: b/servconf.h | |||
58 | =================================================================== | 58 | =================================================================== |
59 | --- a/servconf.h | 59 | --- a/servconf.h |
60 | +++ b/servconf.h | 60 | +++ b/servconf.h |
61 | @@ -172,6 +172,7 @@ | 61 | @@ -184,6 +184,8 @@ |
62 | char *authorized_principals_file; | ||
63 | 62 | ||
64 | char *version_addendum; /* Appended to SSH banner */ | 63 | u_int num_auth_methods; |
64 | char *auth_methods[MAX_AUTH_METHODS]; | ||
65 | + | ||
65 | + int debian_banner; | 66 | + int debian_banner; |
66 | } ServerOptions; | 67 | } ServerOptions; |
67 | 68 | ||
@@ -70,7 +71,7 @@ Index: b/sshd.c | |||
70 | =================================================================== | 71 | =================================================================== |
71 | --- a/sshd.c | 72 | --- a/sshd.c |
72 | +++ b/sshd.c | 73 | +++ b/sshd.c |
73 | @@ -425,7 +425,8 @@ | 74 | @@ -434,7 +434,8 @@ |
74 | } | 75 | } |
75 | 76 | ||
76 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 77 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -84,7 +85,7 @@ Index: b/sshd_config.5 | |||
84 | =================================================================== | 85 | =================================================================== |
85 | --- a/sshd_config.5 | 86 | --- a/sshd_config.5 |
86 | +++ b/sshd_config.5 | 87 | +++ b/sshd_config.5 |
87 | @@ -342,6 +342,11 @@ | 88 | @@ -397,6 +397,11 @@ |
88 | .Dq no . | 89 | .Dq no . |
89 | The default is | 90 | The default is |
90 | .Dq delayed . | 91 | .Dq delayed . |
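Review bot: `int debian_banner;` in the servconf.h hunk now sits after `char *auth_methods[MAX_AUTH_METHODS];` with no comment. Before the refresh it followed `char *version_addendum; /* Appended to SSH banner */`, which at least hinted at its purpose. Judging by the sshd.c hunk, which touches the `xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", ...)` call, the flag appears to decide what goes into the identification string, and that string is sent to peers before authentication. I would document it in place, for example `int debian_banner; /* DebianBanner: gates the Debian suffix in server_version_string */`, with the wording confirmed against the sshd.c change. The ServerOptions struct begins outside the hunk.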
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 57ebbf540..77e807502 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -18,7 +18,7 @@ Description: Various Debian-specific configuration changes | |||
18 | Author: Colin Watson <cjwatson@debian.org> | 18 | Author: Colin Watson <cjwatson@debian.org> |
19 | Author: Russ Allbery <rra@debian.org> | 19 | Author: Russ Allbery <rra@debian.org> |
20 | Forwarded: not-needed | 20 | Forwarded: not-needed |
21 | Last-Update: 2010-02-28 | 21 | Last-Update: 2013-05-07 |
22 | 22 | ||
23 | Index: b/readconf.c | 23 | Index: b/readconf.c |
24 | =================================================================== | 24 | =================================================================== |
@@ -84,7 +84,7 @@ Index: b/ssh_config.5 | |||
84 | The configuration file has the following format: | 84 | The configuration file has the following format: |
85 | .Pp | 85 | .Pp |
86 | Empty lines and lines starting with | 86 | Empty lines and lines starting with |
87 | @@ -499,7 +515,8 @@ | 87 | @@ -502,7 +518,8 @@ |
88 | Remote clients will be refused access after this time. | 88 | Remote clients will be refused access after this time. |
89 | .Pp | 89 | .Pp |
90 | The default is | 90 | The default is |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index cec6f6639..25201a7d4 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion | |||
2 | Author: Colin Watson <cjwatson@debian.org> | 2 | Author: Colin Watson <cjwatson@debian.org> |
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 | 3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 |
4 | Bug-Debian: http://bugs.debian.org/430154 | 4 | Bug-Debian: http://bugs.debian.org/430154 |
5 | Last-Update: 2010-03-01 | 5 | Last-Update: 2013-05-07 |
6 | 6 | ||
7 | Index: b/ssh_config.5 | 7 | Index: b/ssh_config.5 |
8 | =================================================================== | 8 | =================================================================== |
9 | --- a/ssh_config.5 | 9 | --- a/ssh_config.5 |
10 | +++ b/ssh_config.5 | 10 | +++ b/ssh_config.5 |
11 | @@ -585,6 +585,9 @@ | 11 | @@ -588,6 +588,9 @@ |
12 | will not be converted automatically, | 12 | will not be converted automatically, |
13 | but may be manually hashed using | 13 | but may be manually hashed using |
14 | .Xr ssh-keygen 1 . | 14 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 786500feb..7690e5824 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support | |||
13 | security history. | 13 | security history. |
14 | Author: Simon Wilkinson <simon@sxw.org.uk> | 14 | Author: Simon Wilkinson <simon@sxw.org.uk> |
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
16 | Last-Updated: 2012-09-07 | 16 | Last-Updated: 2013-05-07 |
17 | 17 | ||
18 | Index: b/ChangeLog.gssapi | 18 | Index: b/ChangeLog.gssapi |
19 | =================================================================== | 19 | =================================================================== |
@@ -137,15 +137,15 @@ Index: b/Makefile.in | |||
137 | =================================================================== | 137 | =================================================================== |
138 | --- a/Makefile.in | 138 | --- a/Makefile.in |
139 | +++ b/Makefile.in | 139 | +++ b/Makefile.in |
140 | @@ -70,6 +70,7 @@ | 140 | @@ -72,6 +72,7 @@ |
141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
144 | + kexgssc.o \ | 144 | + kexgssc.o \ |
145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ | 145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
146 | schnorr.o ssh-pkcs11.o | 146 | jpake.o schnorr.o ssh-pkcs11.o krl.o |
147 | 147 | ||
148 | @@ -86,7 +87,7 @@ | 148 | @@ -88,7 +89,7 @@ |
149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
151 | auth-krb5.o \ | 151 | auth-krb5.o \ |
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c | |||
210 | --- a/auth2-gss.c | 210 | --- a/auth2-gss.c |
211 | +++ b/auth2-gss.c | 211 | +++ b/auth2-gss.c |
212 | @@ -1,7 +1,7 @@ | 212 | @@ -1,7 +1,7 @@ |
213 | /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ | 213 | /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ |
214 | 214 | ||
215 | /* | 215 | /* |
216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -280,7 +280,7 @@ Index: b/auth2-gss.c | |||
280 | logit("GSSAPI MIC check failed"); | 280 | logit("GSSAPI MIC check failed"); |
281 | 281 | ||
282 | @@ -294,6 +330,12 @@ | 282 | @@ -294,6 +330,12 @@ |
283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
284 | } | 284 | } |
285 | 285 | ||
286 | +Authmethod method_gsskeyex = { | 286 | +Authmethod method_gsskeyex = { |
@@ -327,7 +327,7 @@ Index: b/clientloop.c | |||
327 | /* import options */ | 327 | /* import options */ |
328 | extern Options options; | 328 | extern Options options; |
329 | 329 | ||
330 | @@ -1544,6 +1548,15 @@ | 330 | @@ -1599,6 +1603,15 @@ |
331 | /* Do channel operations unless rekeying in progress. */ | 331 | /* Do channel operations unless rekeying in progress. */ |
332 | if (!rekeying) { | 332 | if (!rekeying) { |
333 | channel_after_select(readset, writeset); | 333 | channel_after_select(readset, writeset); |
@@ -347,7 +347,7 @@ Index: b/config.h.in | |||
347 | =================================================================== | 347 | =================================================================== |
348 | --- a/config.h.in | 348 | --- a/config.h.in |
349 | +++ b/config.h.in | 349 | +++ b/config.h.in |
350 | @@ -1471,6 +1471,9 @@ | 350 | @@ -1511,6 +1511,9 @@ |
351 | /* Use btmp to log bad logins */ | 351 | /* Use btmp to log bad logins */ |
352 | #undef USE_BTMP | 352 | #undef USE_BTMP |
353 | 353 | ||
@@ -357,7 +357,7 @@ Index: b/config.h.in | |||
357 | /* Use libedit for sftp */ | 357 | /* Use libedit for sftp */ |
358 | #undef USE_LIBEDIT | 358 | #undef USE_LIBEDIT |
359 | 359 | ||
360 | @@ -1486,6 +1489,9 @@ | 360 | @@ -1526,6 +1529,9 @@ |
361 | /* Use PIPES instead of a socketpair() */ | 361 | /* Use PIPES instead of a socketpair() */ |
362 | #undef USE_PIPES | 362 | #undef USE_PIPES |
363 | 363 | ||
@@ -371,7 +371,7 @@ Index: b/configure | |||
371 | =================================================================== | 371 | =================================================================== |
372 | --- a/configure | 372 | --- a/configure |
373 | +++ b/configure | 373 | +++ b/configure |
374 | @@ -6608,6 +6608,63 @@ | 374 | @@ -6588,6 +6588,63 @@ |
375 | 375 | ||
376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
377 | 377 | ||
@@ -439,7 +439,7 @@ Index: b/configure.ac | |||
439 | =================================================================== | 439 | =================================================================== |
440 | --- a/configure.ac | 440 | --- a/configure.ac |
441 | +++ b/configure.ac | 441 | +++ b/configure.ac |
442 | @@ -545,6 +545,30 @@ | 442 | @@ -533,6 +533,30 @@ |
443 | [Use tunnel device compatibility to OpenBSD]) | 443 | [Use tunnel device compatibility to OpenBSD]) |
444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
445 | [Prepend the address family to IP tunnel traffic]) | 445 | [Prepend the address family to IP tunnel traffic]) |
@@ -1277,7 +1277,7 @@ Index: b/kex.c | |||
1277 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1277 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1278 | # if defined(HAVE_EVP_SHA256) | 1278 | # if defined(HAVE_EVP_SHA256) |
1279 | # define evp_ssh_sha256 EVP_sha256 | 1279 | # define evp_ssh_sha256 EVP_sha256 |
1280 | @@ -358,6 +362,20 @@ | 1280 | @@ -369,6 +373,20 @@ |
1281 | k->kex_type = KEX_ECDH_SHA2; | 1281 | k->kex_type = KEX_ECDH_SHA2; |
1282 | k->evp_md = kex_ecdh_name_to_evpmd(k->name); | 1282 | k->evp_md = kex_ecdh_name_to_evpmd(k->name); |
1283 | #endif | 1283 | #endif |
@@ -1312,7 +1312,7 @@ Index: b/kex.h | |||
1312 | KEX_MAX | 1312 | KEX_MAX |
1313 | }; | 1313 | }; |
1314 | 1314 | ||
1315 | @@ -129,6 +132,12 @@ | 1315 | @@ -131,6 +134,12 @@ |
1316 | sig_atomic_t done; | 1316 | sig_atomic_t done; |
1317 | int flags; | 1317 | int flags; |
1318 | const EVP_MD *evp_md; | 1318 | const EVP_MD *evp_md; |
@@ -1325,7 +1325,7 @@ Index: b/kex.h | |||
1325 | char *client_version_string; | 1325 | char *client_version_string; |
1326 | char *server_version_string; | 1326 | char *server_version_string; |
1327 | int (*verify_host_key)(Key *); | 1327 | int (*verify_host_key)(Key *); |
1328 | @@ -156,6 +165,11 @@ | 1328 | @@ -158,6 +167,11 @@ |
1329 | void kexecdh_client(Kex *); | 1329 | void kexecdh_client(Kex *); |
1330 | void kexecdh_server(Kex *); | 1330 | void kexecdh_server(Kex *); |
1331 | 1331 | ||
@@ -2016,7 +2016,7 @@ Index: b/monitor.c | |||
2016 | #endif | 2016 | #endif |
2017 | 2017 | ||
2018 | #ifdef SSH_AUDIT_EVENTS | 2018 | #ifdef SSH_AUDIT_EVENTS |
2019 | @@ -251,6 +253,7 @@ | 2019 | @@ -252,6 +254,7 @@ |
2020 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2020 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2021 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2021 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2022 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2022 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2024,7 +2024,7 @@ Index: b/monitor.c | |||
2024 | #endif | 2024 | #endif |
2025 | #ifdef JPAKE | 2025 | #ifdef JPAKE |
2026 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | 2026 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, |
2027 | @@ -263,6 +266,12 @@ | 2027 | @@ -264,6 +267,12 @@ |
2028 | }; | 2028 | }; |
2029 | 2029 | ||
2030 | struct mon_table mon_dispatch_postauth20[] = { | 2030 | struct mon_table mon_dispatch_postauth20[] = { |
@@ -2037,7 +2037,7 @@ Index: b/monitor.c | |||
2037 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2037 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2038 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2038 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
2039 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2039 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
2040 | @@ -371,6 +380,10 @@ | 2040 | @@ -372,6 +381,10 @@ |
2041 | /* Permit requests for moduli and signatures */ | 2041 | /* Permit requests for moduli and signatures */ |
2042 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2042 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2043 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2043 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2048,7 +2048,7 @@ Index: b/monitor.c | |||
2048 | } else { | 2048 | } else { |
2049 | mon_dispatch = mon_dispatch_proto15; | 2049 | mon_dispatch = mon_dispatch_proto15; |
2050 | 2050 | ||
2051 | @@ -468,6 +481,10 @@ | 2051 | @@ -487,6 +500,10 @@ |
2052 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2052 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2053 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2053 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2054 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2054 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2059,7 +2059,7 @@ Index: b/monitor.c | |||
2059 | } else { | 2059 | } else { |
2060 | mon_dispatch = mon_dispatch_postauth15; | 2060 | mon_dispatch = mon_dispatch_postauth15; |
2061 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2061 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2062 | @@ -1800,6 +1817,13 @@ | 2062 | @@ -1836,6 +1853,13 @@ |
2063 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2063 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2064 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2064 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2065 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2065 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -2073,7 +2073,7 @@ Index: b/monitor.c | |||
2073 | kex->server = 1; | 2073 | kex->server = 1; |
2074 | kex->hostkey_type = buffer_get_int(m); | 2074 | kex->hostkey_type = buffer_get_int(m); |
2075 | kex->kex_type = buffer_get_int(m); | 2075 | kex->kex_type = buffer_get_int(m); |
2076 | @@ -2006,6 +2030,9 @@ | 2076 | @@ -2042,6 +2066,9 @@ |
2077 | OM_uint32 major; | 2077 | OM_uint32 major; |
2078 | u_int len; | 2078 | u_int len; |
2079 | 2079 | ||
@@ -2083,7 +2083,7 @@ Index: b/monitor.c | |||
2083 | goid.elements = buffer_get_string(m, &len); | 2083 | goid.elements = buffer_get_string(m, &len); |
2084 | goid.length = len; | 2084 | goid.length = len; |
2085 | 2085 | ||
2086 | @@ -2033,6 +2060,9 @@ | 2086 | @@ -2069,6 +2096,9 @@ |
2087 | OM_uint32 flags = 0; /* GSI needs this */ | 2087 | OM_uint32 flags = 0; /* GSI needs this */ |
2088 | u_int len; | 2088 | u_int len; |
2089 | 2089 | ||
@@ -2093,7 +2093,7 @@ Index: b/monitor.c | |||
2093 | in.value = buffer_get_string(m, &len); | 2093 | in.value = buffer_get_string(m, &len); |
2094 | in.length = len; | 2094 | in.length = len; |
2095 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2095 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2096 | @@ -2050,6 +2080,7 @@ | 2096 | @@ -2086,6 +2116,7 @@ |
2097 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2097 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2098 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2098 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2099 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2099 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2101,7 +2101,7 @@ Index: b/monitor.c | |||
2101 | } | 2101 | } |
2102 | return (0); | 2102 | return (0); |
2103 | } | 2103 | } |
2104 | @@ -2061,6 +2092,9 @@ | 2104 | @@ -2097,6 +2128,9 @@ |
2105 | OM_uint32 ret; | 2105 | OM_uint32 ret; |
2106 | u_int len; | 2106 | u_int len; |
2107 | 2107 | ||
@@ -2111,7 +2111,7 @@ Index: b/monitor.c | |||
2111 | gssbuf.value = buffer_get_string(m, &len); | 2111 | gssbuf.value = buffer_get_string(m, &len); |
2112 | gssbuf.length = len; | 2112 | gssbuf.length = len; |
2113 | mic.value = buffer_get_string(m, &len); | 2113 | mic.value = buffer_get_string(m, &len); |
2114 | @@ -2087,7 +2121,11 @@ | 2114 | @@ -2123,7 +2157,11 @@ |
2115 | { | 2115 | { |
2116 | int authenticated; | 2116 | int authenticated; |
2117 | 2117 | ||
@@ -2124,7 +2124,7 @@ Index: b/monitor.c | |||
2124 | 2124 | ||
2125 | buffer_clear(m); | 2125 | buffer_clear(m); |
2126 | buffer_put_int(m, authenticated); | 2126 | buffer_put_int(m, authenticated); |
2127 | @@ -2100,6 +2138,74 @@ | 2127 | @@ -2136,6 +2174,74 @@ |
2128 | /* Monitor loop will terminate if authenticated */ | 2128 | /* Monitor loop will terminate if authenticated */ |
2129 | return (authenticated); | 2129 | return (authenticated); |
2130 | } | 2130 | } |
@@ -2203,20 +2203,21 @@ Index: b/monitor.h | |||
2203 | =================================================================== | 2203 | =================================================================== |
2204 | --- a/monitor.h | 2204 | --- a/monitor.h |
2205 | +++ b/monitor.h | 2205 | +++ b/monitor.h |
2206 | @@ -53,6 +53,8 @@ | 2206 | @@ -70,6 +70,9 @@ |
2207 | MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, | 2207 | MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
2208 | MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, | 2208 | MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
2209 | MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, | 2209 | |
2210 | + MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, | 2210 | + MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201, |
2211 | + MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, | 2211 | + MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203, |
2212 | MONITOR_REQ_PAM_START, | 2212 | + |
2213 | MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, | 2213 | }; |
2214 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, | 2214 | |
2215 | struct mm_master; | ||
2215 | Index: b/monitor_wrap.c | 2216 | Index: b/monitor_wrap.c |
2216 | =================================================================== | 2217 | =================================================================== |
2217 | --- a/monitor_wrap.c | 2218 | --- a/monitor_wrap.c |
2218 | +++ b/monitor_wrap.c | 2219 | +++ b/monitor_wrap.c |
2219 | @@ -1270,7 +1270,7 @@ | 2220 | @@ -1271,7 +1271,7 @@ |
2220 | } | 2221 | } |
2221 | 2222 | ||
2222 | int | 2223 | int |
@@ -2225,7 +2226,7 @@ Index: b/monitor_wrap.c | |||
2225 | { | 2226 | { |
2226 | Buffer m; | 2227 | Buffer m; |
2227 | int authenticated = 0; | 2228 | int authenticated = 0; |
2228 | @@ -1287,6 +1287,51 @@ | 2229 | @@ -1288,6 +1288,51 @@ |
2229 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2230 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2230 | return (authenticated); | 2231 | return (authenticated); |
2231 | } | 2232 | } |
@@ -2406,7 +2407,7 @@ Index: b/servconf.c | |||
2406 | =================================================================== | 2407 | =================================================================== |
2407 | --- a/servconf.c | 2408 | --- a/servconf.c |
2408 | +++ b/servconf.c | 2409 | +++ b/servconf.c |
2409 | @@ -100,7 +100,10 @@ | 2410 | @@ -102,7 +102,10 @@ |
2410 | options->kerberos_ticket_cleanup = -1; | 2411 | options->kerberos_ticket_cleanup = -1; |
2411 | options->kerberos_get_afs_token = -1; | 2412 | options->kerberos_get_afs_token = -1; |
2412 | options->gss_authentication=-1; | 2413 | options->gss_authentication=-1; |
@@ -2417,7 +2418,7 @@ Index: b/servconf.c | |||
2417 | options->password_authentication = -1; | 2418 | options->password_authentication = -1; |
2418 | options->kbd_interactive_authentication = -1; | 2419 | options->kbd_interactive_authentication = -1; |
2419 | options->challenge_response_authentication = -1; | 2420 | options->challenge_response_authentication = -1; |
2420 | @@ -229,8 +232,14 @@ | 2421 | @@ -233,8 +236,14 @@ |
2421 | options->kerberos_get_afs_token = 0; | 2422 | options->kerberos_get_afs_token = 0; |
2422 | if (options->gss_authentication == -1) | 2423 | if (options->gss_authentication == -1) |
2423 | options->gss_authentication = 0; | 2424 | options->gss_authentication = 0; |
@@ -2432,7 +2433,7 @@ Index: b/servconf.c | |||
2432 | if (options->password_authentication == -1) | 2433 | if (options->password_authentication == -1) |
2433 | options->password_authentication = 1; | 2434 | options->password_authentication = 1; |
2434 | if (options->kbd_interactive_authentication == -1) | 2435 | if (options->kbd_interactive_authentication == -1) |
2435 | @@ -323,7 +332,9 @@ | 2436 | @@ -327,7 +336,9 @@ |
2436 | sBanner, sUseDNS, sHostbasedAuthentication, | 2437 | sBanner, sUseDNS, sHostbasedAuthentication, |
2437 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2438 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2438 | sClientAliveCountMax, sAuthorizedKeysFile, | 2439 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2443,7 +2444,7 @@ Index: b/servconf.c | |||
2443 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2444 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2444 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2445 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2445 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2446 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2446 | @@ -387,10 +398,20 @@ | 2447 | @@ -393,10 +404,20 @@ |
2447 | #ifdef GSSAPI | 2448 | #ifdef GSSAPI |
2448 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2449 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2449 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2450 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2464,7 +2465,7 @@ Index: b/servconf.c | |||
2464 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2465 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2465 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2466 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2466 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2467 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2467 | @@ -1031,10 +1052,22 @@ | 2468 | @@ -1049,10 +1070,22 @@ |
2468 | intptr = &options->gss_authentication; | 2469 | intptr = &options->gss_authentication; |
2469 | goto parse_flag; | 2470 | goto parse_flag; |
2470 | 2471 | ||
@@ -2487,7 +2488,7 @@ Index: b/servconf.c | |||
2487 | case sPasswordAuthentication: | 2488 | case sPasswordAuthentication: |
2488 | intptr = &options->password_authentication; | 2489 | intptr = &options->password_authentication; |
2489 | goto parse_flag; | 2490 | goto parse_flag; |
2490 | @@ -1868,7 +1901,10 @@ | 2491 | @@ -1927,7 +1960,10 @@ |
2491 | #endif | 2492 | #endif |
2492 | #ifdef GSSAPI | 2493 | #ifdef GSSAPI |
2493 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2494 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2502,7 +2503,7 @@ Index: b/servconf.h | |||
2502 | =================================================================== | 2503 | =================================================================== |
2503 | --- a/servconf.h | 2504 | --- a/servconf.h |
2504 | +++ b/servconf.h | 2505 | +++ b/servconf.h |
2505 | @@ -103,7 +103,10 @@ | 2506 | @@ -110,7 +110,10 @@ |
2506 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2507 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2507 | * authenticated with Kerberos. */ | 2508 | * authenticated with Kerberos. */ |
2508 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2509 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2525,7 +2526,7 @@ Index: b/ssh-gss.h | |||
2525 | * | 2526 | * |
2526 | * Redistribution and use in source and binary forms, with or without | 2527 | * Redistribution and use in source and binary forms, with or without |
2527 | * modification, are permitted provided that the following conditions | 2528 | * modification, are permitted provided that the following conditions |
2528 | @@ -60,10 +60,22 @@ | 2529 | @@ -61,10 +61,22 @@ |
2529 | 2530 | ||
2530 | #define SSH_GSS_OIDTYPE 0x06 | 2531 | #define SSH_GSS_OIDTYPE 0x06 |
2531 | 2532 | ||
@@ -2548,7 +2549,7 @@ Index: b/ssh-gss.h | |||
2548 | void *data; | 2549 | void *data; |
2549 | } ssh_gssapi_ccache; | 2550 | } ssh_gssapi_ccache; |
2550 | 2551 | ||
2551 | @@ -71,8 +83,11 @@ | 2552 | @@ -72,8 +84,11 @@ |
2552 | gss_buffer_desc displayname; | 2553 | gss_buffer_desc displayname; |
2553 | gss_buffer_desc exportedname; | 2554 | gss_buffer_desc exportedname; |
2554 | gss_cred_id_t creds; | 2555 | gss_cred_id_t creds; |
@@ -2560,7 +2561,7 @@ Index: b/ssh-gss.h | |||
2560 | } ssh_gssapi_client; | 2561 | } ssh_gssapi_client; |
2561 | 2562 | ||
2562 | typedef struct ssh_gssapi_mech_struct { | 2563 | typedef struct ssh_gssapi_mech_struct { |
2563 | @@ -83,6 +98,7 @@ | 2564 | @@ -84,6 +99,7 @@ |
2564 | int (*userok) (ssh_gssapi_client *, char *); | 2565 | int (*userok) (ssh_gssapi_client *, char *); |
2565 | int (*localname) (ssh_gssapi_client *, char **); | 2566 | int (*localname) (ssh_gssapi_client *, char **); |
2566 | void (*storecreds) (ssh_gssapi_client *); | 2567 | void (*storecreds) (ssh_gssapi_client *); |
@@ -2568,7 +2569,7 @@ Index: b/ssh-gss.h | |||
2568 | } ssh_gssapi_mech; | 2569 | } ssh_gssapi_mech; |
2569 | 2570 | ||
2570 | typedef struct { | 2571 | typedef struct { |
2571 | @@ -93,10 +109,11 @@ | 2572 | @@ -94,10 +110,11 @@ |
2572 | gss_OID oid; /* client */ | 2573 | gss_OID oid; /* client */ |
2573 | gss_cred_id_t creds; /* server */ | 2574 | gss_cred_id_t creds; /* server */ |
2574 | gss_name_t client; /* server */ | 2575 | gss_name_t client; /* server */ |
@@ -2581,7 +2582,7 @@ Index: b/ssh-gss.h | |||
2581 | 2582 | ||
2582 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 2583 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
2583 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 2584 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
2584 | @@ -116,16 +133,30 @@ | 2585 | @@ -117,16 +134,30 @@ |
2585 | void ssh_gssapi_delete_ctx(Gssctxt **); | 2586 | void ssh_gssapi_delete_ctx(Gssctxt **); |
2586 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 2587 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
2587 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 2588 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
@@ -2631,7 +2632,7 @@ Index: b/ssh_config.5 | |||
2631 | =================================================================== | 2632 | =================================================================== |
2632 | --- a/ssh_config.5 | 2633 | --- a/ssh_config.5 |
2633 | +++ b/ssh_config.5 | 2634 | +++ b/ssh_config.5 |
2634 | @@ -527,11 +527,43 @@ | 2635 | @@ -530,11 +530,43 @@ |
2635 | The default is | 2636 | The default is |
2636 | .Dq no . | 2637 | .Dq no . |
2637 | Note that this option applies to protocol version 2 only. | 2638 | Note that this option applies to protocol version 2 only. |
@@ -2764,7 +2765,7 @@ Index: b/sshconnect2.c | |||
2764 | xxx_kex = kex; | 2765 | xxx_kex = kex; |
2765 | 2766 | ||
2766 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2767 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2767 | @@ -305,6 +361,7 @@ | 2768 | @@ -306,6 +362,7 @@ |
2768 | void input_gssapi_hash(int type, u_int32_t, void *); | 2769 | void input_gssapi_hash(int type, u_int32_t, void *); |
2769 | void input_gssapi_error(int, u_int32_t, void *); | 2770 | void input_gssapi_error(int, u_int32_t, void *); |
2770 | void input_gssapi_errtok(int, u_int32_t, void *); | 2771 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2772,7 +2773,7 @@ Index: b/sshconnect2.c | |||
2772 | #endif | 2773 | #endif |
2773 | 2774 | ||
2774 | void userauth(Authctxt *, char *); | 2775 | void userauth(Authctxt *, char *); |
2775 | @@ -320,6 +377,11 @@ | 2776 | @@ -321,6 +378,11 @@ |
2776 | 2777 | ||
2777 | Authmethod authmethods[] = { | 2778 | Authmethod authmethods[] = { |
2778 | #ifdef GSSAPI | 2779 | #ifdef GSSAPI |
@@ -2784,7 +2785,7 @@ Index: b/sshconnect2.c | |||
2784 | {"gssapi-with-mic", | 2785 | {"gssapi-with-mic", |
2785 | userauth_gssapi, | 2786 | userauth_gssapi, |
2786 | NULL, | 2787 | NULL, |
2787 | @@ -626,19 +688,31 @@ | 2788 | @@ -627,19 +689,31 @@ |
2788 | static u_int mech = 0; | 2789 | static u_int mech = 0; |
2789 | OM_uint32 min; | 2790 | OM_uint32 min; |
2790 | int ok = 0; | 2791 | int ok = 0; |
@@ -2818,7 +2819,7 @@ Index: b/sshconnect2.c | |||
2818 | ok = 1; /* Mechanism works */ | 2819 | ok = 1; /* Mechanism works */ |
2819 | } else { | 2820 | } else { |
2820 | mech++; | 2821 | mech++; |
2821 | @@ -735,8 +809,8 @@ | 2822 | @@ -736,8 +810,8 @@ |
2822 | { | 2823 | { |
2823 | Authctxt *authctxt = ctxt; | 2824 | Authctxt *authctxt = ctxt; |
2824 | Gssctxt *gssctxt; | 2825 | Gssctxt *gssctxt; |
@@ -2829,7 +2830,7 @@ Index: b/sshconnect2.c | |||
2829 | 2830 | ||
2830 | if (authctxt == NULL) | 2831 | if (authctxt == NULL) |
2831 | fatal("input_gssapi_response: no authentication context"); | 2832 | fatal("input_gssapi_response: no authentication context"); |
2832 | @@ -846,6 +920,48 @@ | 2833 | @@ -847,6 +921,48 @@ |
2833 | xfree(msg); | 2834 | xfree(msg); |
2834 | xfree(lang); | 2835 | xfree(lang); |
2835 | } | 2836 | } |
@@ -2893,7 +2894,7 @@ Index: b/sshd.c | |||
2893 | #ifdef LIBWRAP | 2894 | #ifdef LIBWRAP |
2894 | #include <tcpd.h> | 2895 | #include <tcpd.h> |
2895 | #include <syslog.h> | 2896 | #include <syslog.h> |
2896 | @@ -1607,10 +1611,13 @@ | 2897 | @@ -1645,10 +1649,13 @@ |
2897 | logit("Disabling protocol version 1. Could not load host key"); | 2898 | logit("Disabling protocol version 1. Could not load host key"); |
2898 | options.protocol &= ~SSH_PROTO_1; | 2899 | options.protocol &= ~SSH_PROTO_1; |
2899 | } | 2900 | } |
@@ -2907,7 +2908,7 @@ Index: b/sshd.c | |||
2907 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2908 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2908 | logit("sshd: no hostkeys available -- exiting."); | 2909 | logit("sshd: no hostkeys available -- exiting."); |
2909 | exit(1); | 2910 | exit(1); |
2910 | @@ -1938,6 +1945,60 @@ | 2911 | @@ -1976,6 +1983,60 @@ |
2911 | /* Log the connection. */ | 2912 | /* Log the connection. */ |
2912 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2913 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2913 | 2914 | ||
@@ -2968,7 +2969,7 @@ Index: b/sshd.c | |||
2968 | /* | 2969 | /* |
2969 | * We don't want to listen forever unless the other side | 2970 | * We don't want to listen forever unless the other side |
2970 | * successfully authenticates itself. So we set up an alarm which is | 2971 | * successfully authenticates itself. So we set up an alarm which is |
2971 | @@ -2319,6 +2380,48 @@ | 2972 | @@ -2357,6 +2418,48 @@ |
2972 | 2973 | ||
2973 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2974 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2974 | 2975 | ||
@@ -3017,7 +3018,7 @@ Index: b/sshd.c | |||
3017 | /* start key exchange */ | 3018 | /* start key exchange */ |
3018 | kex = kex_setup(myproposal); | 3019 | kex = kex_setup(myproposal); |
3019 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3020 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
3020 | @@ -2326,6 +2429,13 @@ | 3021 | @@ -2364,6 +2467,13 @@ |
3021 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 3022 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
3022 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 3023 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
3023 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3024 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -3035,7 +3036,7 @@ Index: b/sshd_config | |||
3035 | =================================================================== | 3036 | =================================================================== |
3036 | --- a/sshd_config | 3037 | --- a/sshd_config |
3037 | +++ b/sshd_config | 3038 | +++ b/sshd_config |
3038 | @@ -77,6 +77,8 @@ | 3039 | @@ -80,6 +80,8 @@ |
3039 | # GSSAPI options | 3040 | # GSSAPI options |
3040 | #GSSAPIAuthentication no | 3041 | #GSSAPIAuthentication no |
3041 | #GSSAPICleanupCredentials yes | 3042 | #GSSAPICleanupCredentials yes |
@@ -3048,7 +3049,7 @@ Index: b/sshd_config.5 | |||
3048 | =================================================================== | 3049 | =================================================================== |
3049 | --- a/sshd_config.5 | 3050 | --- a/sshd_config.5 |
3050 | +++ b/sshd_config.5 | 3051 | +++ b/sshd_config.5 |
3051 | @@ -426,12 +426,40 @@ | 3052 | @@ -481,12 +481,40 @@ |
3052 | The default is | 3053 | The default is |
3053 | .Dq no . | 3054 | .Dq no . |
3054 | Note that this option applies to protocol version 2 only. | 3055 | Note that this option applies to protocol version 2 only. |
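--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,7 +12,7 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
 Author: Ian Jackson <ian@chiark.greenend.org.uk>
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/readconf.c
 ===================================================================
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -1099,8 +1103,15 @@
+@@ -1113,8 +1117,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1139,6 +1150,12 @@
+@@ -1153,6 +1164,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1048,6 +1048,9 @@
+@@ -1122,6 +1122,9 @@
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .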
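--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
 either way and opted to keep the status quo. We need this patch anyway.
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
-Last-Update: 2010-04-10
+Last-Update: 2013-05-07
 
 Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -284,9 +284,9 @@
+@@ -293,9 +293,9 @@
 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
 -rm -f $(DESTDIR)$(bindir)/slogin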
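--- a/debian/patches/max-startups-default.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Description: Change default of MaxStartups to 10:30:100
-This causes sshd to start doing random early drop at 10 connections up to
-100 connections. This will make it harder to DoS as CPUs have come a long
-way since the original value was set back in 2000.
-Author: Darren Tucker
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
-Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89
-Bug-Debian: http://bugs.debian.org/700102
-Forwarded: not-needed
-Last-Update: 2013-02-08
-
-Index: b/servconf.c
-===================================================================
---- a/servconf.c
-+++ b/servconf.c
-@@ -264,11 +264,11 @@
-if (options->gateway_ports == -1)
-options->gateway_ports = 0;
-if (options->max_startups == -1)
-- options->max_startups = 10;
-+ options->max_startups = 100;
-if (options->max_startups_rate == -1)
-- options->max_startups_rate = 100; /* 100% */
-+ options->max_startups_rate = 30; /* 30% */
-if (options->max_startups_begin == -1)
-- options->max_startups_begin = options->max_startups;
-+ options->max_startups_begin = 10;
-if (options->max_authtries == -1)
-options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
-if (options->max_sessions == -1)
-Index: b/sshd_config
-===================================================================
---- a/sshd_config
-+++ b/sshd_config
-@@ -108,7 +108,7 @@
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
--#MaxStartups 10
-+#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-Index: b/sshd_config.5
-===================================================================
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -781,7 +781,7 @@
-Additional connections will be dropped until authentication succeeds or the
-.Cm LoginGraceTime
-expires for a connection.
--The default is 10.
-+The default is 10:30:100.
-.Pp
-Alternatively, random early drop can be enabled by specifying
-the three colon separated values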
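--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
 Author: Scott Moser <smoser@ubuntu.com>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
-Last-Update: 2010-12-14
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -956,9 +956,12 @@
+@@ -975,9 +975,12 @@
 error("%s. This could either mean that", key_msg);
 error("DNS SPOOFING is happening or the IP address for the host");
 error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
 }
 /* The host key has changed. */
 warn_changed_key(host_key);
-@@ -966,6 +969,8 @@
+@@ -985,6 +988,8 @@
 user_hostfiles[0]);
 error("Offending %s key in %s:%lu", key_type(host_found->key),
 host_found->file, host_found->line);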
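--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
 https://bugs.launchpad.net/bugs/456660 (ssl(8))
 Author: Colin Watson <cjwatson@debian.org>
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2013-05-07
 
 Index: b/moduli.5
 ===================================================================
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -152,9 +152,7 @@
+@@ -171,9 +171,7 @@
 .Pa ~/.ssh/id_dsa
 or
 .Pa ~/.ssh/id_rsa .
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -200,9 +198,7 @@
+@@ -219,9 +217,7 @@
 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
 .It Fl a Ar trials
 Specifies the number of primality tests to perform when screening DH-GEX
 candidates using the
-@@ -556,7 +552,7 @@
+@@ -606,7 +602,7 @@
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
-@@ -682,7 +678,7 @@
+@@ -801,7 +797,7 @@
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -224,8 +224,7 @@
+@@ -276,8 +276,7 @@
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via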
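--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,26 +5,30 @@ Description: Include the Debian version in our identification
 vulnerable-looking version strings. (However, see debian-banner.patch.)
 Author: Matthew Vernon <matthew@debian.org>
 Forwarded: not-needed
-Last-Update: 2012-09-07
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -556,7 +556,7 @@
-snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
-compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
-compat20 ? PROTOCOL_MINOR_2 : minor1,
-- SSH_VERSION, compat20 ? "\r\n" : "\n");
-+ SSH_RELEASE, compat20 ? "\r\n" : "\n");
-if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
-!= strlen(buf))
-fatal("write: %.100s", strerror(errno));
+@@ -435,10 +435,10 @@
+/* Send our own protocol version identification. */
+if (compat20) {
+xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+} else {
+xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
++ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
+}
+if (roaming_atomicio(vwrite, connection_out, client_version_string,
+strlen(client_version_string)) != strlen(client_version_string))
 Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -425,7 +425,7 @@
+@@ -434,7 +434,7 @@
 }
 
 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -38,7 +42,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
-#define SSH_VERSION "OpenSSH_6.1"
+#define SSH_VERSION "OpenSSH_6.2"
 
 #define SSH_PORTABLE "p1"
 -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE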
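--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
 Bug-Debian: http://bugs.debian.org/313371
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1655,8 +1655,10 @@
+@@ -1710,8 +1710,10 @@
 exit_status = 0;
 }
 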
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 80fe3247b..f2f8fcd21 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles | |||
5 | Author: Manoj Srivastava <srivasta@debian.org> | 5 | Author: Manoj Srivastava <srivasta@debian.org> |
6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 | 6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 |
7 | Bug-Debian: http://bugs.debian.org/394795 | 7 | Bug-Debian: http://bugs.debian.org/394795 |
8 | Last-Update: 2010-02-27 | 8 | Last-Update: 2013-05-07 |
9 | 9 | ||
10 | Index: b/auth.h | 10 | Index: b/auth.h |
11 | =================================================================== | 11 | =================================================================== |
@@ -23,7 +23,7 @@ Index: b/auth1.c | |||
23 | =================================================================== | 23 | =================================================================== |
24 | --- a/auth1.c | 24 | --- a/auth1.c |
25 | +++ b/auth1.c | 25 | +++ b/auth1.c |
26 | @@ -383,7 +383,7 @@ | 26 | @@ -385,7 +385,7 @@ |
27 | do_authentication(Authctxt *authctxt) | 27 | do_authentication(Authctxt *authctxt) |
28 | { | 28 | { |
29 | u_int ulen; | 29 | u_int ulen; |
@@ -32,7 +32,7 @@ Index: b/auth1.c | |||
32 | 32 | ||
33 | /* Get the name of the user that we wish to log in as. */ | 33 | /* Get the name of the user that we wish to log in as. */ |
34 | packet_read_expect(SSH_CMSG_USER); | 34 | packet_read_expect(SSH_CMSG_USER); |
35 | @@ -392,11 +392,17 @@ | 35 | @@ -394,11 +394,17 @@ |
36 | user = packet_get_cstring(&ulen); | 36 | user = packet_get_cstring(&ulen); |
37 | packet_check_eom(); | 37 | packet_check_eom(); |
38 | 38 | ||
@@ -54,7 +54,7 @@ Index: b/auth2.c | |||
54 | =================================================================== | 54 | =================================================================== |
55 | --- a/auth2.c | 55 | --- a/auth2.c |
56 | +++ b/auth2.c | 56 | +++ b/auth2.c |
57 | @@ -217,7 +217,7 @@ | 57 | @@ -219,7 +219,7 @@ |
58 | { | 58 | { |
59 | Authctxt *authctxt = ctxt; | 59 | Authctxt *authctxt = ctxt; |
60 | Authmethod *m = NULL; | 60 | Authmethod *m = NULL; |
@@ -63,7 +63,7 @@ Index: b/auth2.c | |||
63 | int authenticated = 0; | 63 | int authenticated = 0; |
64 | 64 | ||
65 | if (authctxt == NULL) | 65 | if (authctxt == NULL) |
66 | @@ -229,8 +229,13 @@ | 66 | @@ -231,8 +231,13 @@ |
67 | debug("userauth-request for user %s service %s method %s", user, service, method); | 67 | debug("userauth-request for user %s service %s method %s", user, service, method); |
68 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 68 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
69 | 69 | ||
@@ -77,7 +77,7 @@ Index: b/auth2.c | |||
77 | 77 | ||
78 | if (authctxt->attempt++ == 0) { | 78 | if (authctxt->attempt++ == 0) { |
79 | /* setup auth context */ | 79 | /* setup auth context */ |
80 | @@ -254,8 +259,9 @@ | 80 | @@ -256,8 +261,9 @@ |
81 | use_privsep ? " [net]" : ""); | 81 | use_privsep ? " [net]" : ""); |
82 | authctxt->service = xstrdup(service); | 82 | authctxt->service = xstrdup(service); |
83 | authctxt->style = style ? xstrdup(style) : NULL; | 83 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -86,8 +86,8 @@ Index: b/auth2.c | |||
86 | - mm_inform_authserv(service, style); | 86 | - mm_inform_authserv(service, style); |
87 | + mm_inform_authserv(service, style, role); | 87 | + mm_inform_authserv(service, style, role); |
88 | userauth_banner(); | 88 | userauth_banner(); |
89 | } else if (strcmp(user, authctxt->user) != 0 || | 89 | if (auth2_setup_methods_lists(authctxt) != 0) |
90 | strcmp(service, authctxt->service) != 0) { | 90 | packet_disconnect("no authentication methods enabled"); |
91 | Index: b/monitor.c | 91 | Index: b/monitor.c |
92 | =================================================================== | 92 | =================================================================== |
93 | --- a/monitor.c | 93 | --- a/monitor.c |
@@ -100,7 +100,7 @@ Index: b/monitor.c | |||
100 | int mm_answer_authpassword(int, Buffer *); | 100 | int mm_answer_authpassword(int, Buffer *); |
101 | int mm_answer_bsdauthquery(int, Buffer *); | 101 | int mm_answer_bsdauthquery(int, Buffer *); |
102 | int mm_answer_bsdauthrespond(int, Buffer *); | 102 | int mm_answer_bsdauthrespond(int, Buffer *); |
103 | @@ -225,6 +226,7 @@ | 103 | @@ -226,6 +227,7 @@ |
104 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 104 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
105 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 105 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
106 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 106 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -108,7 +108,7 @@ Index: b/monitor.c | |||
108 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 108 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
109 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 109 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
110 | #ifdef USE_PAM | 110 | #ifdef USE_PAM |
111 | @@ -808,6 +810,7 @@ | 111 | @@ -837,6 +839,7 @@ |
112 | else { | 112 | else { |
113 | /* Allow service/style information on the auth context */ | 113 | /* Allow service/style information on the auth context */ |
114 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 114 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -116,7 +116,7 @@ Index: b/monitor.c | |||
116 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 116 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
117 | } | 117 | } |
118 | #ifdef USE_PAM | 118 | #ifdef USE_PAM |
119 | @@ -840,14 +843,37 @@ | 119 | @@ -869,14 +872,37 @@ |
120 | 120 | ||
121 | authctxt->service = buffer_get_string(m, NULL); | 121 | authctxt->service = buffer_get_string(m, NULL); |
122 | authctxt->style = buffer_get_string(m, NULL); | 122 | authctxt->style = buffer_get_string(m, NULL); |
@@ -156,7 +156,7 @@ Index: b/monitor.c | |||
156 | return (0); | 156 | return (0); |
157 | } | 157 | } |
158 | 158 | ||
159 | @@ -1435,7 +1461,7 @@ | 159 | @@ -1471,7 +1497,7 @@ |
160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
161 | if (res == 0) | 161 | if (res == 0) |
162 | goto error; | 162 | goto error; |
@@ -169,15 +169,15 @@ Index: b/monitor.h | |||
169 | =================================================================== | 169 | =================================================================== |
170 | --- a/monitor.h | 170 | --- a/monitor.h |
171 | +++ b/monitor.h | 171 | +++ b/monitor.h |
172 | @@ -30,7 +30,7 @@ | 172 | @@ -73,6 +73,8 @@ |
173 | 173 | MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201, | |
174 | enum monitor_reqtype { | 174 | MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203, |
175 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, | 175 | |
176 | - MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, | 176 | + MONITOR_REQ_AUTHROLE = 300, |
177 | + MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, | 177 | + |
178 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, | 178 | }; |
179 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, | 179 | |
180 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, | 180 | struct mm_master; |
181 | Index: b/monitor_wrap.c | 181 | Index: b/monitor_wrap.c |
182 | =================================================================== | 182 | =================================================================== |
183 | --- a/monitor_wrap.c | 183 | --- a/monitor_wrap.c |
@@ -369,12 +369,12 @@ Index: b/platform.h | |||
369 | +void platform_setusercontext_post_groups(struct passwd *, const char *); | 369 | +void platform_setusercontext_post_groups(struct passwd *, const char *); |
370 | char *platform_get_krb5_client(const char *); | 370 | char *platform_get_krb5_client(const char *); |
371 | char *platform_krb5_get_principal_name(const char *); | 371 | char *platform_krb5_get_principal_name(const char *); |
372 | 372 | int platform_sys_dir_uid(uid_t); | |
373 | Index: b/session.c | 373 | Index: b/session.c |
374 | =================================================================== | 374 | =================================================================== |
375 | --- a/session.c | 375 | --- a/session.c |
376 | +++ b/session.c | 376 | +++ b/session.c |
377 | @@ -1471,7 +1471,7 @@ | 377 | @@ -1474,7 +1474,7 @@ |
378 | 378 | ||
379 | /* Set login name, uid, gid, and groups. */ | 379 | /* Set login name, uid, gid, and groups. */ |
380 | void | 380 | void |
@@ -383,7 +383,7 @@ Index: b/session.c | |||
383 | { | 383 | { |
384 | char *chroot_path, *tmp; | 384 | char *chroot_path, *tmp; |
385 | 385 | ||
386 | @@ -1499,7 +1499,7 @@ | 386 | @@ -1502,7 +1502,7 @@ |
387 | endgrent(); | 387 | endgrent(); |
388 | #endif | 388 | #endif |
389 | 389 | ||
@@ -392,7 +392,7 @@ Index: b/session.c | |||
392 | 392 | ||
393 | if (options.chroot_directory != NULL && | 393 | if (options.chroot_directory != NULL && |
394 | strcasecmp(options.chroot_directory, "none") != 0) { | 394 | strcasecmp(options.chroot_directory, "none") != 0) { |
395 | @@ -1625,7 +1625,7 @@ | 395 | @@ -1633,7 +1633,7 @@ |
396 | 396 | ||
397 | /* Force a password change */ | 397 | /* Force a password change */ |
398 | if (s->authctxt->force_pwchange) { | 398 | if (s->authctxt->force_pwchange) { |
@@ -401,7 +401,7 @@ Index: b/session.c | |||
401 | child_close_fds(); | 401 | child_close_fds(); |
402 | do_pwchange(s); | 402 | do_pwchange(s); |
403 | exit(1); | 403 | exit(1); |
404 | @@ -1652,7 +1652,7 @@ | 404 | @@ -1660,7 +1660,7 @@ |
405 | /* When PAM is enabled we rely on it to do the nologin check */ | 405 | /* When PAM is enabled we rely on it to do the nologin check */ |
406 | if (!options.use_pam) | 406 | if (!options.use_pam) |
407 | do_nologin(pw); | 407 | do_nologin(pw); |
@@ -410,7 +410,7 @@ Index: b/session.c | |||
410 | /* | 410 | /* |
411 | * PAM session modules in do_setusercontext may have | 411 | * PAM session modules in do_setusercontext may have |
412 | * generated messages, so if this in an interactive | 412 | * generated messages, so if this in an interactive |
413 | @@ -2064,7 +2064,7 @@ | 413 | @@ -2072,7 +2072,7 @@ |
414 | tty_parse_modes(s->ttyfd, &n_bytes); | 414 | tty_parse_modes(s->ttyfd, &n_bytes); |
415 | 415 | ||
416 | if (!use_privsep) | 416 | if (!use_privsep) |
@@ -436,7 +436,7 @@ Index: b/sshd.c | |||
436 | =================================================================== | 436 | =================================================================== |
437 | --- a/sshd.c | 437 | --- a/sshd.c |
438 | +++ b/sshd.c | 438 | +++ b/sshd.c |
439 | @@ -736,7 +736,7 @@ | 439 | @@ -745,7 +745,7 @@ |
440 | RAND_seed(rnd, sizeof(rnd)); | 440 | RAND_seed(rnd, sizeof(rnd)); |
441 | 441 | ||
442 | /* Drop privileges */ | 442 | /* Drop privileges */ |
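Review bot: The `MONITOR_REQ_AUTHROLE = 300` entry that the refreshed monitor.h hunk of selinux-role.patch now adds has no comment explaining its number. The context lines show the GSSAPI requests at 200–203, so 300 looks like a deliberately separate, distribution-local privsep message type rather than the old position in the middle of the enum. I would record that next to the value, e.g. `/* Debian selinux-role.patch: local request number, kept clear of upstream and GSSAPI values */`, so a later refresh does not renumber it. The entry also has no `MONITOR_ANS_` counterpart; if that is intended because the monitor sends no reply, the comment should say so. The enum itself begins outside the hunk.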
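--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 
 # SELinux
 selinux-role.patch
-copy-id-restorecon.patch
 
 # Key blacklisting
 ssh-vulnkey.patch
@@ -27,7 +26,6 @@ shell-path.patch
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
-max-startups-default.patch
 
 # Versioning
 package-versioning.patch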
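--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
 Author: Colin Watson <cjwatson@debian.org>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
 Bug-Debian: http://bugs.debian.org/492728
-Last-Update: 2010-02-27
+Last-Update: 2013-05-07
 
 Index: b/sshconnect.c
 ===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
 perror(argv[0]);
 exit(1);
 }
-@@ -1273,7 +1273,7 @@
+@@ -1292,7 +1292,7 @@
 if (pid == 0) {
 signal(SIGPIPE, SIG_DFL);
 debug3("Executing %s -c \"%s\"", shell, args);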
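--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
 manual page from ssh(1).
 Bug-Debian: http://bugs.debian.org/111341
 Forwarded: not-needed
-Last-Update: 2010-02-28
+Last-Update: 2013-05-07
 
 Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1425,6 +1425,7 @@
+@@ -1433,6 +1433,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,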
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index c13cb3412..b7531cce0 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw | |||
8 | See CVE-2008-0166. | 8 | See CVE-2008-0166. |
9 | Author: Colin Watson <cjwatson@ubuntu.com> | 9 | Author: Colin Watson <cjwatson@ubuntu.com> |
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 |
11 | Last-Update: 2010-02-27 | 11 | Last-Update: 2013-05-07 |
12 | 12 | ||
13 | Index: b/Makefile.in | 13 | Index: b/Makefile.in |
14 | =================================================================== | 14 | =================================================================== |
@@ -22,24 +22,26 @@ Index: b/Makefile.in | |||
22 | PRIVSEP_PATH=@PRIVSEP_PATH@ | 22 | PRIVSEP_PATH=@PRIVSEP_PATH@ |
23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | 23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |
24 | STRIP_OPT=@STRIP_OPT@ | 24 | STRIP_OPT=@STRIP_OPT@ |
25 | @@ -38,6 +39,7 @@ | 25 | @@ -37,7 +38,8 @@ |
26 | -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ | ||
26 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ | 27 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ |
27 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ | 28 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ |
28 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ | 29 | - -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" |
29 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \ | 30 | + -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ |
31 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" | ||
30 | 32 | ||
31 | CC=@CC@ | 33 | CC=@CC@ |
32 | LD=@LD@ | 34 | LD=@LD@ |
33 | @@ -59,7 +61,7 @@ | 35 | @@ -61,7 +63,7 @@ |
34 | EXEEXT=@EXEEXT@ | 36 | EXEEXT=@EXEEXT@ |
35 | MANFMT=@MANFMT@ | 37 | MANFMT=@MANFMT@ |
36 | 38 | ||
37 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) | 39 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) |
38 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) | 40 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) |
39 | 41 | ||
40 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 42 | LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
41 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | 43 | canohost.o channels.o cipher.o cipher-aes.o \ |
42 | @@ -94,8 +96,8 @@ | 44 | @@ -96,8 +98,8 @@ |
43 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 45 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
44 | sandbox-seccomp-filter.o | 46 | sandbox-seccomp-filter.o |
45 | 47 | ||
@@ -50,7 +52,7 @@ Index: b/Makefile.in | |||
50 | MANTYPE = @MANTYPE@ | 52 | MANTYPE = @MANTYPE@ |
51 | 53 | ||
52 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | 54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out |
53 | @@ -172,6 +174,9 @@ | 55 | @@ -174,6 +176,9 @@ |
54 | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o | 56 | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o |
55 | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) | 57 | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) |
56 | 58 | ||
@@ -60,7 +62,7 @@ Index: b/Makefile.in | |||
60 | # test driver for the loginrec code - not built by default | 62 | # test driver for the loginrec code - not built by default |
61 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | 63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o |
62 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | 64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) |
63 | @@ -260,6 +265,7 @@ | 65 | @@ -269,6 +274,7 @@ |
64 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | 66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |
65 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
66 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
@@ -68,7 +70,7 @@ Index: b/Makefile.in | |||
68 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
69 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | 71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |
70 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | 72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |
71 | @@ -274,6 +280,7 @@ | 73 | @@ -283,6 +289,7 @@ |
72 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
73 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
74 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
@@ -76,7 +78,7 @@ Index: b/Makefile.in | |||
76 | -rm -f $(DESTDIR)$(bindir)/slogin | 78 | -rm -f $(DESTDIR)$(bindir)/slogin |
77 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | 79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin |
78 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
79 | @@ -355,6 +362,7 @@ | 81 | @@ -364,6 +371,7 @@ |
80 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | 82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) |
81 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | 83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) |
82 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | 84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) |
@@ -84,7 +86,7 @@ Index: b/Makefile.in | |||
84 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
85 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | 87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |
86 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
87 | @@ -367,6 +375,7 @@ | 89 | @@ -376,6 +384,7 @@ |
88 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | 90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 |
89 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | 91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | 92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 |
@@ -130,7 +132,7 @@ Index: b/auth.c | |||
130 | #include "auth.h" | 132 | #include "auth.h" |
131 | #include "auth-options.h" | 133 | #include "auth-options.h" |
132 | #include "canohost.h" | 134 | #include "canohost.h" |
133 | @@ -608,10 +609,34 @@ | 135 | @@ -635,10 +636,34 @@ |
134 | 136 | ||
135 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
136 | int | 138 | int |
@@ -165,12 +167,12 @@ Index: b/auth.c | |||
165 | + | 167 | + |
166 | if (options.revoked_keys_file == NULL) | 168 | if (options.revoked_keys_file == NULL) |
167 | return 0; | 169 | return 0; |
168 | 170 | switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { | |
169 | Index: b/auth.h | 171 | Index: b/auth.h |
170 | =================================================================== | 172 | =================================================================== |
171 | --- a/auth.h | 173 | --- a/auth.h |
172 | +++ b/auth.h | 174 | +++ b/auth.h |
173 | @@ -174,7 +174,7 @@ | 175 | @@ -185,7 +185,7 @@ |
174 | 176 | ||
175 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 177 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
176 | FILE *auth_openprincipals(const char *, struct passwd *, int); | 178 | FILE *auth_openprincipals(const char *, struct passwd *, int); |
@@ -196,7 +198,7 @@ Index: b/auth2-pubkey.c | |||
196 | =================================================================== | 198 | =================================================================== |
197 | --- a/auth2-pubkey.c | 199 | --- a/auth2-pubkey.c |
198 | +++ b/auth2-pubkey.c | 200 | +++ b/auth2-pubkey.c |
199 | @@ -440,9 +440,10 @@ | 201 | @@ -608,9 +608,10 @@ |
200 | u_int success, i; | 202 | u_int success, i; |
201 | char *file; | 203 | char *file; |
202 | 204 | ||
@@ -462,7 +464,7 @@ Index: b/servconf.c | |||
462 | =================================================================== | 464 | =================================================================== |
463 | --- a/servconf.c | 465 | --- a/servconf.c |
464 | +++ b/servconf.c | 466 | +++ b/servconf.c |
465 | @@ -107,6 +107,7 @@ | 467 | @@ -109,6 +109,7 @@ |
466 | options->password_authentication = -1; | 468 | options->password_authentication = -1; |
467 | options->kbd_interactive_authentication = -1; | 469 | options->kbd_interactive_authentication = -1; |
468 | options->challenge_response_authentication = -1; | 470 | options->challenge_response_authentication = -1; |
@@ -470,7 +472,7 @@ Index: b/servconf.c | |||
470 | options->permit_empty_passwd = -1; | 472 | options->permit_empty_passwd = -1; |
471 | options->permit_user_env = -1; | 473 | options->permit_user_env = -1; |
472 | options->use_login = -1; | 474 | options->use_login = -1; |
473 | @@ -246,6 +247,8 @@ | 475 | @@ -250,6 +251,8 @@ |
474 | options->kbd_interactive_authentication = 0; | 476 | options->kbd_interactive_authentication = 0; |
475 | if (options->challenge_response_authentication == -1) | 477 | if (options->challenge_response_authentication == -1) |
476 | options->challenge_response_authentication = 1; | 478 | options->challenge_response_authentication = 1; |
@@ -479,7 +481,7 @@ Index: b/servconf.c | |||
479 | if (options->permit_empty_passwd == -1) | 481 | if (options->permit_empty_passwd == -1) |
480 | options->permit_empty_passwd = 0; | 482 | options->permit_empty_passwd = 0; |
481 | if (options->permit_user_env == -1) | 483 | if (options->permit_user_env == -1) |
482 | @@ -323,7 +326,7 @@ | 484 | @@ -327,7 +330,7 @@ |
483 | sListenAddress, sAddressFamily, | 485 | sListenAddress, sAddressFamily, |
484 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
485 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -488,7 +490,7 @@ Index: b/servconf.c | |||
488 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
489 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
490 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
491 | @@ -433,6 +436,7 @@ | 493 | @@ -439,6 +442,7 @@ |
492 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
493 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
494 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
@@ -496,7 +498,7 @@ Index: b/servconf.c | |||
496 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
497 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
498 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
499 | @@ -1116,6 +1120,10 @@ | 501 | @@ -1134,6 +1138,10 @@ |
500 | intptr = &options->tcp_keep_alive; | 502 | intptr = &options->tcp_keep_alive; |
501 | goto parse_flag; | 503 | goto parse_flag; |
502 | 504 | ||
@@ -507,7 +509,7 @@ Index: b/servconf.c | |||
507 | case sEmptyPasswd: | 509 | case sEmptyPasswd: |
508 | intptr = &options->permit_empty_passwd; | 510 | intptr = &options->permit_empty_passwd; |
509 | goto parse_flag; | 511 | goto parse_flag; |
510 | @@ -1921,6 +1929,7 @@ | 512 | @@ -1980,6 +1988,7 @@ |
511 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
512 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
513 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
@@ -519,7 +521,7 @@ Index: b/servconf.h | |||
519 | =================================================================== | 521 | =================================================================== |
520 | --- a/servconf.h | 522 | --- a/servconf.h |
521 | +++ b/servconf.h | 523 | +++ b/servconf.h |
522 | @@ -113,6 +113,7 @@ | 524 | @@ -120,6 +120,7 @@ |
523 | int challenge_response_authentication; | 525 | int challenge_response_authentication; |
524 | int zero_knowledge_password_authentication; | 526 | int zero_knowledge_password_authentication; |
525 | /* If true, permit jpake auth */ | 527 | /* If true, permit jpake auth */ |
@@ -554,7 +556,7 @@ Index: b/ssh-add.c | |||
554 | =================================================================== | 556 | =================================================================== |
555 | --- a/ssh-add.c | 557 | --- a/ssh-add.c |
556 | +++ b/ssh-add.c | 558 | +++ b/ssh-add.c |
557 | @@ -142,7 +142,7 @@ | 559 | @@ -167,7 +167,7 @@ |
558 | add_file(AuthenticationConnection *ac, const char *filename, int key_only) | 560 | add_file(AuthenticationConnection *ac, const char *filename, int key_only) |
559 | { | 561 | { |
560 | Key *private, *cert; | 562 | Key *private, *cert; |
@@ -563,7 +565,7 @@ Index: b/ssh-add.c | |||
563 | char msg[1024], *certpath = NULL; | 565 | char msg[1024], *certpath = NULL; |
564 | int fd, perms_ok, ret = -1; | 566 | int fd, perms_ok, ret = -1; |
565 | Buffer keyblob; | 567 | Buffer keyblob; |
566 | @@ -218,6 +218,14 @@ | 568 | @@ -243,6 +243,14 @@ |
567 | } else { | 569 | } else { |
568 | fprintf(stderr, "Could not add identity: %s\n", filename); | 570 | fprintf(stderr, "Could not add identity: %s\n", filename); |
569 | } | 571 | } |
@@ -582,7 +584,7 @@ Index: b/ssh-keygen.1 | |||
582 | =================================================================== | 584 | =================================================================== |
583 | --- a/ssh-keygen.1 | 585 | --- a/ssh-keygen.1 |
584 | +++ b/ssh-keygen.1 | 586 | +++ b/ssh-keygen.1 |
585 | @@ -691,6 +691,7 @@ | 587 | @@ -810,6 +810,7 @@ |
586 | .Xr ssh 1 , | 588 | .Xr ssh 1 , |
587 | .Xr ssh-add 1 , | 589 | .Xr ssh-add 1 , |
588 | .Xr ssh-agent 1 , | 590 | .Xr ssh-agent 1 , |
@@ -1233,7 +1235,7 @@ Index: b/ssh.1 | |||
1233 | =================================================================== | 1235 | =================================================================== |
1234 | --- a/ssh.1 | 1236 | --- a/ssh.1 |
1235 | +++ b/ssh.1 | 1237 | +++ b/ssh.1 |
1236 | @@ -1421,6 +1421,7 @@ | 1238 | @@ -1429,6 +1429,7 @@ |
1237 | .Xr ssh-agent 1 , | 1239 | .Xr ssh-agent 1 , |
1238 | .Xr ssh-keygen 1 , | 1240 | .Xr ssh-keygen 1 , |
1239 | .Xr ssh-keyscan 1 , | 1241 | .Xr ssh-keyscan 1 , |
@@ -1281,7 +1283,7 @@ Index: b/ssh_config.5 | |||
1281 | =================================================================== | 1283 | =================================================================== |
1282 | --- a/ssh_config.5 | 1284 | --- a/ssh_config.5 |
1283 | +++ b/ssh_config.5 | 1285 | +++ b/ssh_config.5 |
1284 | @@ -1187,6 +1187,23 @@ | 1286 | @@ -1201,6 +1201,23 @@ |
1285 | .Dq any . | 1287 | .Dq any . |
1286 | The default is | 1288 | The default is |
1287 | .Dq any:any . | 1289 | .Dq any:any . |
@@ -1309,24 +1311,24 @@ Index: b/sshconnect2.c | |||
1309 | =================================================================== | 1311 | =================================================================== |
1310 | --- a/sshconnect2.c | 1312 | --- a/sshconnect2.c |
1311 | +++ b/sshconnect2.c | 1313 | +++ b/sshconnect2.c |
1312 | @@ -1489,6 +1489,8 @@ | 1314 | @@ -1491,6 +1491,8 @@ |
1313 | 1315 | ||
1314 | /* list of keys stored in the filesystem */ | 1316 | /* list of keys stored in the filesystem and PKCS#11 */ |
1315 | for (i = 0; i < options.num_identity_files; i++) { | 1317 | for (i = 0; i < options.num_identity_files; i++) { |
1316 | + if (options.identity_files[i] == NULL) | 1318 | + if (options.identity_files[i] == NULL) |
1317 | + continue; | 1319 | + continue; |
1318 | key = options.identity_keys[i]; | 1320 | key = options.identity_keys[i]; |
1319 | if (key && key->type == KEY_RSA1) | 1321 | if (key && key->type == KEY_RSA1) |
1320 | continue; | 1322 | continue; |
1321 | @@ -1582,7 +1584,7 @@ | 1323 | @@ -1609,7 +1611,7 @@ |
1322 | debug("Offering %s public key: %s", key_type(id->key), | 1324 | debug("Offering %s public key: %s", key_type(id->key), |
1323 | id->filename); | 1325 | id->filename); |
1324 | sent = send_pubkey_test(authctxt, id); | 1326 | sent = send_pubkey_test(authctxt, id); |
1325 | - } else if (id->key == NULL) { | 1327 | - } else if (id->key == NULL) { |
1326 | + } else if (id->key == NULL && id->filename) { | 1328 | + } else if (id->key == NULL && id->filename) { |
1327 | debug("Trying private key: %s", id->filename); | 1329 | debug("Trying private key: %s", id->filename); |
1328 | id->key = load_identity_file(id->filename); | 1330 | id->key = load_identity_file(id->filename, |
1329 | if (id->key != NULL) { | 1331 | id->userprovided); |
1330 | Index: b/sshd.8 | 1332 | Index: b/sshd.8 |
1331 | =================================================================== | 1333 | =================================================================== |
1332 | --- a/sshd.8 | 1334 | --- a/sshd.8 |
@@ -1343,7 +1345,7 @@ Index: b/sshd.c | |||
1343 | =================================================================== | 1345 | =================================================================== |
1344 | --- a/sshd.c | 1346 | --- a/sshd.c |
1345 | +++ b/sshd.c | 1347 | +++ b/sshd.c |
1346 | @@ -1593,6 +1593,11 @@ | 1348 | @@ -1631,6 +1631,11 @@ |
1347 | sensitive_data.host_keys[i] = NULL; | 1349 | sensitive_data.host_keys[i] = NULL; |
1348 | continue; | 1350 | continue; |
1349 | } | 1351 | } |
@@ -1359,7 +1361,7 @@ Index: b/sshd_config.5 | |||
1359 | =================================================================== | 1361 | =================================================================== |
1360 | --- a/sshd_config.5 | 1362 | --- a/sshd_config.5 |
1361 | +++ b/sshd_config.5 | 1363 | +++ b/sshd_config.5 |
1362 | @@ -803,6 +803,20 @@ | 1364 | @@ -870,6 +870,20 @@ |
1363 | Specifies whether password authentication is allowed. | 1365 | Specifies whether password authentication is allowed. |
1364 | The default is | 1366 | The default is |
1365 | .Dq yes . | 1367 | .Dq yes . |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index b71ff9df9..87211e8a3 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | Description: Partial server keep-alive implementation for SSH1 | 1 | Description: Partial server keep-alive implementation for SSH1 |
2 | Author: Colin Watson <cjwatson@debian.org> | 2 | Author: Colin Watson <cjwatson@debian.org> |
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 | 3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 |
4 | Last-Update: 2010-02-27 | 4 | Last-Update: 2013-05-07 |
5 | 5 | ||
6 | Index: b/clientloop.c | 6 | Index: b/clientloop.c |
7 | =================================================================== | 7 | =================================================================== |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1088,7 +1088,10 @@ | 54 | @@ -1102,7 +1102,10 @@ |
55 | .Cm ServerAliveCountMax | 55 | .Cm ServerAliveCountMax |
56 | is left at the default, if the server becomes unresponsive, | 56 | is left at the default, if the server becomes unresponsive, |
57 | ssh will disconnect after approximately 45 seconds. | 57 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 1368ccb3c..ddedbf79a 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability | |||
9 | Author: Colin Watson <cjwatson@debian.org> | 9 | Author: Colin Watson <cjwatson@debian.org> |
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 |
11 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 | 11 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 |
12 | Last-Update: 2010-02-27 | 12 | Last-Update: 2013-05-07 |
13 | 13 | ||
14 | Index: b/readconf.c | 14 | Index: b/readconf.c |
15 | =================================================================== | 15 | =================================================================== |
@@ -38,7 +38,7 @@ Index: b/ssh.1 | |||
38 | =================================================================== | 38 | =================================================================== |
39 | --- a/ssh.1 | 39 | --- a/ssh.1 |
40 | +++ b/ssh.1 | 40 | +++ b/ssh.1 |
41 | @@ -1312,6 +1312,8 @@ | 41 | @@ -1320,6 +1320,8 @@ |
42 | .Xr ssh_config 5 . | 42 | .Xr ssh_config 5 . |
43 | Because of the potential for abuse, this file must have strict permissions: | 43 | Because of the potential for abuse, this file must have strict permissions: |
44 | read/write for the user, and not accessible by others. | 44 | read/write for the user, and not accessible by others. |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1342,6 +1342,8 @@ | 54 | @@ -1356,6 +1356,8 @@ |
55 | This file is used by the SSH client. | 55 | This file is used by the SSH client. |
56 | Because of the potential for abuse, this file must have strict permissions: | 56 | Because of the potential for abuse, this file must have strict permissions: |
57 | read/write for the user, and not accessible by others. | 57 | read/write for the user, and not accessible by others. |
@@ -64,7 +64,7 @@ Index: b/auth.c | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/auth.c | 65 | --- a/auth.c |
66 | +++ b/auth.c | 66 | +++ b/auth.c |
67 | @@ -381,8 +381,7 @@ | 67 | @@ -386,8 +386,7 @@ |
68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
69 | if (options.strict_modes && | 69 | if (options.strict_modes && |
70 | (stat(user_hostfile, &st) == 0) && | 70 | (stat(user_hostfile, &st) == 0) && |
@@ -74,21 +74,21 @@ Index: b/auth.c | |||
74 | logit("Authentication refused for %.100s: " | 74 | logit("Authentication refused for %.100s: " |
75 | "bad owner or modes for %.200s", | 75 | "bad owner or modes for %.200s", |
76 | pw->pw_name, user_hostfile); | 76 | pw->pw_name, user_hostfile); |
77 | @@ -443,8 +442,7 @@ | 77 | @@ -449,8 +448,7 @@ |
78 | 78 | snprintf(err, errlen, "%s is not a regular file", buf); | |
79 | /* check the open file to avoid races */ | 79 | return -1; |
80 | if (fstat(fileno(f), &st) < 0 || | 80 | } |
81 | - (st.st_uid != 0 && st.st_uid != uid) || | 81 | - if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || |
82 | - (st.st_mode & 022) != 0) { | 82 | - (stp->st_mode & 022) != 0) { |
83 | + !secure_permissions(&st, uid)) { | 83 | + if (!secure_permissions(stp, uid)) { |
84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 84 | snprintf(err, errlen, "bad ownership or modes for file %s", |
85 | buf); | 85 | buf); |
86 | return -1; | 86 | return -1; |
87 | @@ -459,8 +457,7 @@ | 87 | @@ -465,8 +463,7 @@ |
88 | strlcpy(buf, cp, sizeof(buf)); | 88 | strlcpy(buf, cp, sizeof(buf)); |
89 | 89 | ||
90 | if (stat(buf, &st) < 0 || | 90 | if (stat(buf, &st) < 0 || |
91 | - (st.st_uid != 0 && st.st_uid != uid) || | 91 | - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || |
92 | - (st.st_mode & 022) != 0) { | 92 | - (st.st_mode & 022) != 0) { |
93 | + !secure_permissions(&st, uid)) { | 93 | + !secure_permissions(&st, uid)) { |
94 | snprintf(err, errlen, | 94 | snprintf(err, errlen, |
@@ -115,7 +115,7 @@ Index: b/misc.c | |||
115 | int | 115 | int |
116 | +secure_permissions(struct stat *st, uid_t uid) | 116 | +secure_permissions(struct stat *st, uid_t uid) |
117 | +{ | 117 | +{ |
118 | + if (st->st_uid != 0 && st->st_uid != uid) | 118 | + if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid) |
119 | + return 0; | 119 | + return 0; |
120 | + if ((st->st_mode & 002) != 0) | 120 | + if ((st->st_mode & 002) != 0) |
121 | + return 0; | 121 | + return 0; |
@@ -25,7 +25,7 @@ | |||
25 | #ifndef _DEFINES_H | 25 | #ifndef _DEFINES_H |
26 | #define _DEFINES_H | 26 | #define _DEFINES_H |
27 | 27 | ||
28 | /* $Id: defines.h,v 1.169 2012/02/15 04:13:06 tim Exp $ */ | 28 | /* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */ |
29 | 29 | ||
30 | 30 | ||
31 | /* Constants */ | 31 | /* Constants */ |
@@ -227,11 +227,7 @@ typedef uint16_t u_int16_t; | |||
227 | typedef uint32_t u_int32_t; | 227 | typedef uint32_t u_int32_t; |
228 | # define HAVE_U_INTXX_T 1 | 228 | # define HAVE_U_INTXX_T 1 |
229 | # else | 229 | # else |
230 | # if (SIZEOF_CHAR == 1) | ||
231 | typedef unsigned char u_int8_t; | 230 | typedef unsigned char u_int8_t; |
232 | # else | ||
233 | # error "8 bit int type not found." | ||
234 | # endif | ||
235 | # if (SIZEOF_SHORT_INT == 2) | 231 | # if (SIZEOF_SHORT_INT == 2) |
236 | typedef unsigned short int u_int16_t; | 232 | typedef unsigned short int u_int16_t; |
237 | # else | 233 | # else |
@@ -283,6 +279,10 @@ typedef unsigned char u_char; | |||
283 | # define HAVE_U_CHAR | 279 | # define HAVE_U_CHAR |
284 | #endif /* HAVE_U_CHAR */ | 280 | #endif /* HAVE_U_CHAR */ |
285 | 281 | ||
282 | #ifndef ULLONG_MAX | ||
283 | # define ULLONG_MAX ((unsigned long long)-1) | ||
284 | #endif | ||
285 | |||
286 | #ifndef SIZE_T_MAX | 286 | #ifndef SIZE_T_MAX |
287 | #define SIZE_T_MAX ULONG_MAX | 287 | #define SIZE_T_MAX ULONG_MAX |
288 | #endif /* SIZE_T_MAX */ | 288 | #endif /* SIZE_T_MAX */ |
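Review bot: The fallback `# define ULLONG_MAX ((unsigned long long)-1)` contains a cast, so it cannot be evaluated in an `#if` expression the way the `<limits.h>` constant can. Nothing in this section shows `ULLONG_MAX` being tested by the preprocessor, so the problem may be latent, but it would surface only on platforms that take this branch. A cast-free spelling such as `# define ULLONG_MAX (~0ULL)` gives the same value in C code and is also accepted in `#if`.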
diff --git a/includes.h b/includes.h index b4c53d9b4..3e206c899 100644 --- a/includes.h +++ b/includes.h | |||
@@ -137,8 +137,10 @@ | |||
137 | # include <tmpdir.h> | 137 | # include <tmpdir.h> |
138 | #endif | 138 | #endif |
139 | 139 | ||
140 | #ifdef HAVE_LIBUTIL_H | 140 | #if defined(HAVE_BSD_LIBUTIL_H) |
141 | # include <libutil.h> /* Openpty on FreeBSD at least */ | 141 | # include <bsd/libutil.h> |
142 | #elif defined(HAVE_LIBUTIL_H) | ||
143 | # include <libutil.h> | ||
142 | #endif | 144 | #endif |
143 | 145 | ||
144 | #if defined(KRB5) && defined(USE_AFS) | 146 | #if defined(KRB5) && defined(USE_AFS) |
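Review bot: The comment that said why this header is included (`/* Openpty on FreeBSD at least */`) is dropped from both branches of the new `#if`/`#elif`. A reader now has no hint of what the block is there to declare, or why `<bsd/libutil.h>` wins when both macros are defined. A one-line comment above the block would keep that context, for example `/* openpty() and friends; prefer bsd/libutil.h when it was detected */`, with the wording checked against the configure test that sets `HAVE_BSD_LIBUTIL_H`.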
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */ | 1 | /* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -246,8 +246,18 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) | |||
246 | packet_get_char(); | 246 | packet_get_char(); |
247 | for (i = 0; i < PROPOSAL_MAX; i++) | 247 | for (i = 0; i < PROPOSAL_MAX; i++) |
248 | xfree(packet_get_string(NULL)); | 248 | xfree(packet_get_string(NULL)); |
249 | (void) packet_get_char(); | 249 | /* |
250 | (void) packet_get_int(); | 250 | * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported |
251 | * KEX method has the server move first, but a server might be using | ||
252 | * a custom method or one that we otherwise don't support. We should | ||
253 | * be prepared to remember first_kex_follows here so we can eat a | ||
254 | * packet later. | ||
255 | * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means | ||
256 | * for cases where the server *doesn't* go first. I guess we should | ||
257 | * ignore it when it is set for these cases, which is what we do now. | ||
258 | */ | ||
259 | (void) packet_get_char(); /* first_kex_follows */ | ||
260 | (void) packet_get_int(); /* reserved */ | ||
251 | packet_check_eom(); | 261 | packet_check_eom(); |
252 | 262 | ||
253 | kex_kexinit_finish(kex); | 263 | kex_kexinit_finish(kex); |
@@ -298,6 +308,7 @@ choose_enc(Enc *enc, char *client, char *server) | |||
298 | enc->name = name; | 308 | enc->name = name; |
299 | enc->enabled = 0; | 309 | enc->enabled = 0; |
300 | enc->iv = NULL; | 310 | enc->iv = NULL; |
311 | enc->iv_len = cipher_ivlen(enc->cipher); | ||
301 | enc->key = NULL; | 312 | enc->key = NULL; |
302 | enc->key_len = cipher_keylen(enc->cipher); | 313 | enc->key_len = cipher_keylen(enc->cipher); |
303 | enc->block_size = cipher_blocksize(enc->cipher); | 314 | enc->block_size = cipher_blocksize(enc->cipher); |
@@ -423,7 +434,7 @@ kex_choose_conf(Kex *kex) | |||
423 | char **my, **peer; | 434 | char **my, **peer; |
424 | char **cprop, **sprop; | 435 | char **cprop, **sprop; |
425 | int nenc, nmac, ncomp; | 436 | int nenc, nmac, ncomp; |
426 | u_int mode, ctos, need; | 437 | u_int mode, ctos, need, authlen; |
427 | int first_kex_follows, type; | 438 | int first_kex_follows, type; |
428 | 439 | ||
429 | my = kex_buf2prop(&kex->my, NULL); | 440 | my = kex_buf2prop(&kex->my, NULL); |
@@ -456,13 +467,16 @@ kex_choose_conf(Kex *kex) | |||
456 | nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; | 467 | nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; |
457 | nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; | 468 | nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; |
458 | ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; | 469 | ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; |
459 | choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]); | 470 | choose_enc(&newkeys->enc, cprop[nenc], sprop[nenc]); |
460 | choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]); | 471 | /* ignore mac for authenticated encryption */ |
472 | authlen = cipher_authlen(newkeys->enc.cipher); | ||
473 | if (authlen == 0) | ||
474 | choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]); | ||
461 | choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); | 475 | choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); |
462 | debug("kex: %s %s %s %s", | 476 | debug("kex: %s %s %s %s", |
463 | ctos ? "client->server" : "server->client", | 477 | ctos ? "client->server" : "server->client", |
464 | newkeys->enc.name, | 478 | newkeys->enc.name, |
465 | newkeys->mac.name, | 479 | authlen == 0 ? newkeys->mac.name : "<implicit>", |
466 | newkeys->comp.name); | 480 | newkeys->comp.name); |
467 | } | 481 | } |
468 | choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); | 482 | choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); |
@@ -475,6 +489,8 @@ kex_choose_conf(Kex *kex) | |||
475 | need = newkeys->enc.key_len; | 489 | need = newkeys->enc.key_len; |
476 | if (need < newkeys->enc.block_size) | 490 | if (need < newkeys->enc.block_size) |
477 | need = newkeys->enc.block_size; | 491 | need = newkeys->enc.block_size; |
492 | if (need < newkeys->enc.iv_len) | ||
493 | need = newkeys->enc.iv_len; | ||
478 | if (need < newkeys->mac.key_len) | 494 | if (need < newkeys->mac.key_len) |
479 | need = newkeys->mac.key_len; | 495 | need = newkeys->mac.key_len; |
480 | } | 496 | } |
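Review bot: In kex_choose_conf the key-length loop still reads `newkeys->mac.key_len` unconditionally, although the earlier hunk now skips `choose_mac()` whenever `cipher_authlen()` returns non-zero. For an authenticated cipher that field holds whatever the allocation left there, so the `need` computation is correct only if `newkeys` is zero-initialised, and the allocation is outside the visible hunks. Either guard the read, `if (cipher_authlen(newkeys->enc.cipher) == 0 && need < newkeys->mac.key_len)`, or add a comment at the skip stating that `mac` stays zeroed when the cipher supplies its own authentication. The function starts and ends outside these hunks.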
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -92,6 +92,7 @@ struct Enc { | |||
92 | Cipher *cipher; | 92 | Cipher *cipher; |
93 | int enabled; | 93 | int enabled; |
94 | u_int key_len; | 94 | u_int key_len; |
95 | u_int iv_len; | ||
95 | u_int block_size; | 96 | u_int block_size; |
96 | u_char *key; | 97 | u_char *key; |
97 | u_char *iv; | 98 | u_char *iv; |
@@ -103,6 +104,7 @@ struct Mac { | |||
103 | u_char *key; | 104 | u_char *key; |
104 | u_int key_len; | 105 | u_int key_len; |
105 | int type; | 106 | int type; |
107 | int etm; /* Encrypt-then-MAC */ | ||
106 | const EVP_MD *evp_md; | 108 | const EVP_MD *evp_md; |
107 | HMAC_CTX evp_ctx; | 109 | HMAC_CTX evp_ctx; |
108 | struct umac_ctx *umac_ctx; | 110 | struct umac_ctx *umac_ctx; |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */ | 1 | /* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * read_bignum(): | 3 | * read_bignum(): |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -55,6 +55,8 @@ | |||
55 | #include "misc.h" | 55 | #include "misc.h" |
56 | #include "ssh2.h" | 56 | #include "ssh2.h" |
57 | 57 | ||
58 | static int to_blob(const Key *, u_char **, u_int *, int); | ||
59 | |||
58 | static struct KeyCert * | 60 | static struct KeyCert * |
59 | cert_new(void) | 61 | cert_new(void) |
60 | { | 62 | { |
@@ -324,14 +326,15 @@ key_equal(const Key *a, const Key *b) | |||
324 | } | 326 | } |
325 | 327 | ||
326 | u_char* | 328 | u_char* |
327 | key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) | 329 | key_fingerprint_raw(const Key *k, enum fp_type dgst_type, |
330 | u_int *dgst_raw_length) | ||
328 | { | 331 | { |
329 | const EVP_MD *md = NULL; | 332 | const EVP_MD *md = NULL; |
330 | EVP_MD_CTX ctx; | 333 | EVP_MD_CTX ctx; |
331 | u_char *blob = NULL; | 334 | u_char *blob = NULL; |
332 | u_char *retval = NULL; | 335 | u_char *retval = NULL; |
333 | u_int len = 0; | 336 | u_int len = 0; |
334 | int nlen, elen, otype; | 337 | int nlen, elen; |
335 | 338 | ||
336 | *dgst_raw_length = 0; | 339 | *dgst_raw_length = 0; |
337 | 340 | ||
@@ -371,10 +374,7 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) | |||
371 | case KEY_ECDSA_CERT: | 374 | case KEY_ECDSA_CERT: |
372 | case KEY_RSA_CERT: | 375 | case KEY_RSA_CERT: |
373 | /* We want a fingerprint of the _key_ not of the cert */ | 376 | /* We want a fingerprint of the _key_ not of the cert */ |
374 | otype = k->type; | 377 | to_blob(k, &blob, &len, 1); |
375 | k->type = key_type_plain(k->type); | ||
376 | key_to_blob(k, &blob, &len); | ||
377 | k->type = otype; | ||
378 | break; | 378 | break; |
379 | case KEY_UNSPEC: | 379 | case KEY_UNSPEC: |
380 | return retval; | 380 | return retval; |
@@ -1591,18 +1591,19 @@ key_from_blob(const u_char *blob, u_int blen) | |||
1591 | return key; | 1591 | return key; |
1592 | } | 1592 | } |
1593 | 1593 | ||
1594 | int | 1594 | static int |
1595 | key_to_blob(const Key *key, u_char **blobp, u_int *lenp) | 1595 | to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) |
1596 | { | 1596 | { |
1597 | Buffer b; | 1597 | Buffer b; |
1598 | int len; | 1598 | int len, type; |
1599 | 1599 | ||
1600 | if (key == NULL) { | 1600 | if (key == NULL) { |
1601 | error("key_to_blob: key == NULL"); | 1601 | error("key_to_blob: key == NULL"); |
1602 | return 0; | 1602 | return 0; |
1603 | } | 1603 | } |
1604 | buffer_init(&b); | 1604 | buffer_init(&b); |
1605 | switch (key->type) { | 1605 | type = force_plain ? key_type_plain(key->type) : key->type; |
1606 | switch (type) { | ||
1606 | case KEY_DSA_CERT_V00: | 1607 | case KEY_DSA_CERT_V00: |
1607 | case KEY_RSA_CERT_V00: | 1608 | case KEY_RSA_CERT_V00: |
1608 | case KEY_DSA_CERT: | 1609 | case KEY_DSA_CERT: |
@@ -1613,7 +1614,8 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) | |||
1613 | buffer_len(&key->cert->certblob)); | 1614 | buffer_len(&key->cert->certblob)); |
1614 | break; | 1615 | break; |
1615 | case KEY_DSA: | 1616 | case KEY_DSA: |
1616 | buffer_put_cstring(&b, key_ssh_name(key)); | 1617 | buffer_put_cstring(&b, |
1618 | key_ssh_name_from_type_nid(type, key->ecdsa_nid)); | ||
1617 | buffer_put_bignum2(&b, key->dsa->p); | 1619 | buffer_put_bignum2(&b, key->dsa->p); |
1618 | buffer_put_bignum2(&b, key->dsa->q); | 1620 | buffer_put_bignum2(&b, key->dsa->q); |
1619 | buffer_put_bignum2(&b, key->dsa->g); | 1621 | buffer_put_bignum2(&b, key->dsa->g); |
@@ -1621,14 +1623,16 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) | |||
1621 | break; | 1623 | break; |
1622 | #ifdef OPENSSL_HAS_ECC | 1624 | #ifdef OPENSSL_HAS_ECC |
1623 | case KEY_ECDSA: | 1625 | case KEY_ECDSA: |
1624 | buffer_put_cstring(&b, key_ssh_name(key)); | 1626 | buffer_put_cstring(&b, |
1627 | key_ssh_name_from_type_nid(type, key->ecdsa_nid)); | ||
1625 | buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); | 1628 | buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); |
1626 | buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), | 1629 | buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), |
1627 | EC_KEY_get0_public_key(key->ecdsa)); | 1630 | EC_KEY_get0_public_key(key->ecdsa)); |
1628 | break; | 1631 | break; |
1629 | #endif | 1632 | #endif |
1630 | case KEY_RSA: | 1633 | case KEY_RSA: |
1631 | buffer_put_cstring(&b, key_ssh_name(key)); | 1634 | buffer_put_cstring(&b, |
1635 | key_ssh_name_from_type_nid(type, key->ecdsa_nid)); | ||
1632 | buffer_put_bignum2(&b, key->rsa->e); | 1636 | buffer_put_bignum2(&b, key->rsa->e); |
1633 | buffer_put_bignum2(&b, key->rsa->n); | 1637 | buffer_put_bignum2(&b, key->rsa->n); |
1634 | break; | 1638 | break; |
@@ -1650,6 +1654,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp) | |||
1650 | } | 1654 | } |
1651 | 1655 | ||
1652 | int | 1656 | int |
1657 | key_to_blob(const Key *key, u_char **blobp, u_int *lenp) | ||
1658 | { | ||
1659 | return to_blob(key, blobp, lenp, 0); | ||
1660 | } | ||
1661 | |||
1662 | int | ||
1653 | key_sign( | 1663 | key_sign( |
1654 | const Key *key, | 1664 | const Key *key, |
1655 | u_char **sigp, u_int *lenp, | 1665 | u_char **sigp, u_int *lenp, |
@@ -2028,7 +2038,7 @@ key_cert_check_authority(const Key *k, int want_host, int require_principal, | |||
2028 | } | 2038 | } |
2029 | 2039 | ||
2030 | int | 2040 | int |
2031 | key_cert_is_legacy(Key *k) | 2041 | key_cert_is_legacy(const Key *k) |
2032 | { | 2042 | { |
2033 | switch (k->type) { | 2043 | switch (k->type) { |
2034 | case KEY_DSA_CERT_V00: | 2044 | case KEY_DSA_CERT_V00: |
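Review bot: The new static `to_blob()` has no comment for its `force_plain` argument, and its KEY_DSA and KEY_RSA cases now pass `key->ecdsa_nid` to `key_ssh_name_from_type_nid()` for keys that have no curve. That helper is outside the hunks, so presumably it ignores the nid for non-ECDSA types, but the call sites depend on it. A header comment such as `/* force_plain: serialise the plain public key even when key is a certificate */` would record the contract. In key_fingerprint_raw the result of `to_blob(k, &blob, &len, 1)` is discarded, so the code after the switch (not visible here) has to cope with `blob` still being NULL.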
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: key.h,v 1.34 2012/05/23 03:28:28 djm Exp $ */ | 1 | /* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -97,7 +97,7 @@ Key *key_demote(const Key *); | |||
97 | int key_equal_public(const Key *, const Key *); | 97 | int key_equal_public(const Key *, const Key *); |
98 | int key_equal(const Key *, const Key *); | 98 | int key_equal(const Key *, const Key *); |
99 | char *key_fingerprint(Key *, enum fp_type, enum fp_rep); | 99 | char *key_fingerprint(Key *, enum fp_type, enum fp_rep); |
100 | u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); | 100 | u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); |
101 | const char *key_type(const Key *); | 101 | const char *key_type(const Key *); |
102 | const char *key_cert_type(const Key *); | 102 | const char *key_cert_type(const Key *); |
103 | int key_write(const Key *, FILE *); | 103 | int key_write(const Key *, FILE *); |
@@ -115,7 +115,7 @@ int key_certify(Key *, Key *); | |||
115 | void key_cert_copy(const Key *, struct Key *); | 115 | void key_cert_copy(const Key *, struct Key *); |
116 | int key_cert_check_authority(const Key *, int, int, const char *, | 116 | int key_cert_check_authority(const Key *, int, int, const char *, |
117 | const char **); | 117 | const char **); |
118 | int key_cert_is_legacy(Key *); | 118 | int key_cert_is_legacy(const Key *); |
119 | 119 | ||
120 | int key_ecdsa_nid_from_name(const char *); | 120 | int key_ecdsa_nid_from_name(const char *); |
121 | int key_curve_name_to_nid(const char *); | 121 | int key_curve_name_to_nid(const char *); |
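Review bot: `key_fingerprint()` in the line above the first changed prototype still takes a non-const `Key *`, while `key_fingerprint_raw()` and `key_cert_is_legacy()` now take `const Key *`. If key_fingerprint() only reads the key (its body is not in this section), it should get the same qualifier: `char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);`. Callers holding a const key could then use it without a cast. The definition in key.c would need the matching change.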
@@ -0,0 +1,1229 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2012 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* $OpenBSD: krl.c,v 1.9 2013/01/27 10:06:12 djm Exp $ */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | #include <sys/param.h> | ||
23 | #include <openbsd-compat/sys-tree.h> | ||
24 | #include <openbsd-compat/sys-queue.h> | ||
25 | |||
26 | #include <errno.h> | ||
27 | #include <fcntl.h> | ||
28 | #include <limits.h> | ||
29 | #include <string.h> | ||
30 | #include <time.h> | ||
31 | #include <unistd.h> | ||
32 | |||
33 | #include "buffer.h" | ||
34 | #include "key.h" | ||
35 | #include "authfile.h" | ||
36 | #include "misc.h" | ||
37 | #include "log.h" | ||
38 | #include "xmalloc.h" | ||
39 | |||
40 | #include "krl.h" | ||
41 | |||
42 | /* #define DEBUG_KRL */ | ||
43 | #ifdef DEBUG_KRL | ||
44 | # define KRL_DBG(x) debug3 x | ||
45 | #else | ||
46 | # define KRL_DBG(x) | ||
47 | #endif | ||
48 | |||
49 | /* | ||
50 | * Trees of revoked serial numbers, key IDs and keys. This allows | ||
51 | * quick searching, querying and producing lists in canonical order. | ||
52 | */ | ||
53 | |||
54 | /* Tree of serial numbers. XXX make smarter: really need a real sparse bitmap */ | ||
55 | struct revoked_serial { | ||
56 | u_int64_t lo, hi; | ||
57 | RB_ENTRY(revoked_serial) tree_entry; | ||
58 | }; | ||
59 | static int serial_cmp(struct revoked_serial *a, struct revoked_serial *b); | ||
60 | RB_HEAD(revoked_serial_tree, revoked_serial); | ||
61 | RB_GENERATE_STATIC(revoked_serial_tree, revoked_serial, tree_entry, serial_cmp); | ||
62 | |||
63 | /* Tree of key IDs */ | ||
64 | struct revoked_key_id { | ||
65 | char *key_id; | ||
66 | RB_ENTRY(revoked_key_id) tree_entry; | ||
67 | }; | ||
68 | static int key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b); | ||
69 | RB_HEAD(revoked_key_id_tree, revoked_key_id); | ||
70 | RB_GENERATE_STATIC(revoked_key_id_tree, revoked_key_id, tree_entry, key_id_cmp); | ||
71 | |||
72 | /* Tree of blobs (used for keys and fingerprints) */ | ||
73 | struct revoked_blob { | ||
74 | u_char *blob; | ||
75 | u_int len; | ||
76 | RB_ENTRY(revoked_blob) tree_entry; | ||
77 | }; | ||
78 | static int blob_cmp(struct revoked_blob *a, struct revoked_blob *b); | ||
79 | RB_HEAD(revoked_blob_tree, revoked_blob); | ||
80 | RB_GENERATE_STATIC(revoked_blob_tree, revoked_blob, tree_entry, blob_cmp); | ||
81 | |||
82 | /* Tracks revoked certs for a single CA */ | ||
83 | struct revoked_certs { | ||
84 | Key *ca_key; | ||
85 | struct revoked_serial_tree revoked_serials; | ||
86 | struct revoked_key_id_tree revoked_key_ids; | ||
87 | TAILQ_ENTRY(revoked_certs) entry; | ||
88 | }; | ||
89 | TAILQ_HEAD(revoked_certs_list, revoked_certs); | ||
90 | |||
91 | struct ssh_krl { | ||
92 | u_int64_t krl_version; | ||
93 | u_int64_t generated_date; | ||
94 | u_int64_t flags; | ||
95 | char *comment; | ||
96 | struct revoked_blob_tree revoked_keys; | ||
97 | struct revoked_blob_tree revoked_sha1s; | ||
98 | struct revoked_certs_list revoked_certs; | ||
99 | }; | ||
100 | |||
101 | /* Return equal if a and b overlap */ | ||
102 | static int | ||
103 | serial_cmp(struct revoked_serial *a, struct revoked_serial *b) | ||
104 | { | ||
105 | if (a->hi >= b->lo && a->lo <= b->hi) | ||
106 | return 0; | ||
107 | return a->lo < b->lo ? -1 : 1; | ||
108 | } | ||
109 | |||
110 | static int | ||
111 | key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b) | ||
112 | { | ||
113 | return strcmp(a->key_id, b->key_id); | ||
114 | } | ||
115 | |||
116 | static int | ||
117 | blob_cmp(struct revoked_blob *a, struct revoked_blob *b) | ||
118 | { | ||
119 | int r; | ||
120 | |||
121 | if (a->len != b->len) { | ||
122 | if ((r = memcmp(a->blob, b->blob, MIN(a->len, b->len))) != 0) | ||
123 | return r; | ||
124 | return a->len > b->len ? 1 : -1; | ||
125 | } else | ||
126 | return memcmp(a->blob, b->blob, a->len); | ||
127 | } | ||
128 | |||
129 | struct ssh_krl * | ||
130 | ssh_krl_init(void) | ||
131 | { | ||
132 | struct ssh_krl *krl; | ||
133 | |||
134 | if ((krl = calloc(1, sizeof(*krl))) == NULL) | ||
135 | return NULL; | ||
136 | RB_INIT(&krl->revoked_keys); | ||
137 | RB_INIT(&krl->revoked_sha1s); | ||
138 | TAILQ_INIT(&krl->revoked_certs); | ||
139 | return krl; | ||
140 | } | ||
141 | |||
142 | static void | ||
143 | revoked_certs_free(struct revoked_certs *rc) | ||
144 | { | ||
145 | struct revoked_serial *rs, *trs; | ||
146 | struct revoked_key_id *rki, *trki; | ||
147 | |||
148 | RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) { | ||
149 | RB_REMOVE(revoked_serial_tree, &rc->revoked_serials, rs); | ||
150 | free(rs); | ||
151 | } | ||
152 | RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, trki) { | ||
153 | RB_REMOVE(revoked_key_id_tree, &rc->revoked_key_ids, rki); | ||
154 | free(rki->key_id); | ||
155 | free(rki); | ||
156 | } | ||
157 | if (rc->ca_key != NULL) | ||
158 | key_free(rc->ca_key); | ||
159 | } | ||
160 | |||
161 | void | ||
162 | ssh_krl_free(struct ssh_krl *krl) | ||
163 | { | ||
164 | struct revoked_blob *rb, *trb; | ||
165 | struct revoked_certs *rc, *trc; | ||
166 | |||
167 | if (krl == NULL) | ||
168 | return; | ||
169 | |||
170 | free(krl->comment); | ||
171 | RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) { | ||
172 | RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb); | ||
173 | free(rb->blob); | ||
174 | free(rb); | ||
175 | } | ||
176 | RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) { | ||
177 | RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb); | ||
178 | free(rb->blob); | ||
179 | free(rb); | ||
180 | } | ||
181 | TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) { | ||
182 | TAILQ_REMOVE(&krl->revoked_certs, rc, entry); | ||
183 | revoked_certs_free(rc); | ||
184 | } | ||
185 | } | ||
186 | |||
187 | void | ||
188 | ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version) | ||
189 | { | ||
190 | krl->krl_version = version; | ||
191 | } | ||
192 | |||
193 | void | ||
194 | ssh_krl_set_comment(struct ssh_krl *krl, const char *comment) | ||
195 | { | ||
196 | free(krl->comment); | ||
197 | if ((krl->comment = strdup(comment)) == NULL) | ||
198 | fatal("%s: strdup", __func__); | ||
199 | } | ||
200 | |||
201 | /* | ||
202 | * Find the revoked_certs struct for a CA key. If allow_create is set then | ||
203 | * create a new one in the tree if one did not exist already. | ||
204 | */ | ||
205 | static int | ||
206 | revoked_certs_for_ca_key(struct ssh_krl *krl, const Key *ca_key, | ||
207 | struct revoked_certs **rcp, int allow_create) | ||
208 | { | ||
209 | struct revoked_certs *rc; | ||
210 | |||
211 | *rcp = NULL; | ||
212 | TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { | ||
213 | if (key_equal(rc->ca_key, ca_key)) { | ||
214 | *rcp = rc; | ||
215 | return 0; | ||
216 | } | ||
217 | } | ||
218 | if (!allow_create) | ||
219 | return 0; | ||
220 | /* If this CA doesn't exist in the list then add it now */ | ||
221 | if ((rc = calloc(1, sizeof(*rc))) == NULL) | ||
222 | return -1; | ||
223 | if ((rc->ca_key = key_from_private(ca_key)) == NULL) { | ||
224 | free(rc); | ||
225 | return -1; | ||
226 | } | ||
227 | RB_INIT(&rc->revoked_serials); | ||
228 | RB_INIT(&rc->revoked_key_ids); | ||
229 | TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); | ||
230 | debug3("%s: new CA %s", __func__, key_type(ca_key)); | ||
231 | *rcp = rc; | ||
232 | return 0; | ||
233 | } | ||
234 | |||
235 | static int | ||
236 | insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) | ||
237 | { | ||
238 | struct revoked_serial rs, *ers, *crs, *irs; | ||
239 | |||
240 | KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi)); | ||
241 | bzero(&rs, sizeof(rs)); | ||
242 | rs.lo = lo; | ||
243 | rs.hi = hi; | ||
244 | ers = RB_NFIND(revoked_serial_tree, rt, &rs); | ||
245 | if (ers == NULL || serial_cmp(ers, &rs) != 0) { | ||
246 | /* No entry matches. Just insert */ | ||
247 | if ((irs = malloc(sizeof(rs))) == NULL) | ||
248 | return -1; | ||
249 | memcpy(irs, &rs, sizeof(*irs)); | ||
250 | ers = RB_INSERT(revoked_serial_tree, rt, irs); | ||
251 | if (ers != NULL) { | ||
252 | KRL_DBG(("%s: bad: ers != NULL", __func__)); | ||
253 | /* Shouldn't happen */ | ||
254 | free(irs); | ||
255 | return -1; | ||
256 | } | ||
257 | ers = irs; | ||
258 | } else { | ||
259 | KRL_DBG(("%s: overlap found %llu:%llu", __func__, | ||
260 | ers->lo, ers->hi)); | ||
261 | /* | ||
262 | * The inserted entry overlaps an existing one. Grow the | ||
263 | * existing entry. | ||
264 | */ | ||
265 | if (ers->lo > lo) | ||
266 | ers->lo = lo; | ||
267 | if (ers->hi < hi) | ||
268 | ers->hi = hi; | ||
269 | } | ||
270 | /* | ||
271 | * The inserted or revised range might overlap or abut adjacent ones; | ||
272 | * coalesce as necessary. | ||
273 | */ | ||
274 | |||
275 | /* Check predecessors */ | ||
276 | while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) { | ||
277 | KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi)); | ||
278 | if (ers->lo != 0 && crs->hi < ers->lo - 1) | ||
279 | break; | ||
280 | /* This entry overlaps. */ | ||
281 | if (crs->lo < ers->lo) { | ||
282 | ers->lo = crs->lo; | ||
283 | KRL_DBG(("%s: pred extend %llu:%llu", __func__, | ||
284 | ers->lo, ers->hi)); | ||
285 | } | ||
286 | RB_REMOVE(revoked_serial_tree, rt, crs); | ||
287 | free(crs); | ||
288 | } | ||
289 | /* Check successors */ | ||
290 | while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) { | ||
291 | KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi)); | ||
292 | if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1) | ||
293 | break; | ||
294 | /* This entry overlaps. */ | ||
295 | if (crs->hi > ers->hi) { | ||
296 | ers->hi = crs->hi; | ||
297 | KRL_DBG(("%s: succ extend %llu:%llu", __func__, | ||
298 | ers->lo, ers->hi)); | ||
299 | } | ||
300 | RB_REMOVE(revoked_serial_tree, rt, crs); | ||
301 | free(crs); | ||
302 | } | ||
303 | KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi)); | ||
304 | return 0; | ||
305 | } | ||
306 | |||
307 | int | ||
308 | ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key, | ||
309 | u_int64_t serial) | ||
310 | { | ||
311 | return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial); | ||
312 | } | ||
313 | |||
314 | int | ||
315 | ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key, | ||
316 | u_int64_t lo, u_int64_t hi) | ||
317 | { | ||
318 | struct revoked_certs *rc; | ||
319 | |||
320 | if (lo > hi || lo == 0) | ||
321 | return -1; | ||
322 | if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0) | ||
323 | return -1; | ||
324 | return insert_serial_range(&rc->revoked_serials, lo, hi); | ||
325 | } | ||
326 | |||
327 | int | ||
328 | ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key, | ||
329 | const char *key_id) | ||
330 | { | ||
331 | struct revoked_key_id *rki, *erki; | ||
332 | struct revoked_certs *rc; | ||
333 | |||
334 | if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0) | ||
335 | return -1; | ||
336 | |||
337 | debug3("%s: revoke %s", __func__, key_id); | ||
338 | if ((rki = calloc(1, sizeof(*rki))) == NULL || | ||
339 | (rki->key_id = strdup(key_id)) == NULL) { | ||
340 | free(rki); | ||
341 | fatal("%s: strdup", __func__); | ||
342 | } | ||
343 | erki = RB_INSERT(revoked_key_id_tree, &rc->revoked_key_ids, rki); | ||
344 | if (erki != NULL) { | ||
345 | free(rki->key_id); | ||
346 | free(rki); | ||
347 | } | ||
348 | return 0; | ||
349 | } | ||
350 | |||
351 | /* Convert "key" to a public key blob without any certificate information */ | ||
352 | static int | ||
353 | plain_key_blob(const Key *key, u_char **blob, u_int *blen) | ||
354 | { | ||
355 | Key *kcopy; | ||
356 | int r; | ||
357 | |||
358 | if ((kcopy = key_from_private(key)) == NULL) | ||
359 | return -1; | ||
360 | if (key_is_cert(kcopy)) { | ||
361 | if (key_drop_cert(kcopy) != 0) { | ||
362 | error("%s: key_drop_cert", __func__); | ||
363 | key_free(kcopy); | ||
364 | return -1; | ||
365 | } | ||
366 | } | ||
367 | r = key_to_blob(kcopy, blob, blen); | ||
368 | free(kcopy); | ||
369 | return r == 0 ? -1 : 0; | ||
370 | } | ||
371 | |||
372 | /* Revoke a key blob. Ownership of blob is transferred to the tree */ | ||
373 | static int | ||
374 | revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) | ||
375 | { | ||
376 | struct revoked_blob *rb, *erb; | ||
377 | |||
378 | if ((rb = calloc(1, sizeof(*rb))) == NULL) | ||
379 | return -1; | ||
380 | rb->blob = blob; | ||
381 | rb->len = len; | ||
382 | erb = RB_INSERT(revoked_blob_tree, rbt, rb); | ||
383 | if (erb != NULL) { | ||
384 | free(rb->blob); | ||
385 | free(rb); | ||
386 | } | ||
387 | return 0; | ||
388 | } | ||
389 | |||
390 | int | ||
391 | ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key) | ||
392 | { | ||
393 | u_char *blob; | ||
394 | u_int len; | ||
395 | |||
396 | debug3("%s: revoke type %s", __func__, key_type(key)); | ||
397 | if (plain_key_blob(key, &blob, &len) != 0) | ||
398 | return -1; | ||
399 | return revoke_blob(&krl->revoked_keys, blob, len); | ||
400 | } | ||
401 | |||
402 | int | ||
403 | ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key) | ||
404 | { | ||
405 | u_char *blob; | ||
406 | u_int len; | ||
407 | |||
408 | debug3("%s: revoke type %s by sha1", __func__, key_type(key)); | ||
409 | if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL) | ||
410 | return -1; | ||
411 | return revoke_blob(&krl->revoked_sha1s, blob, len); | ||
412 | } | ||
413 | |||
414 | int | ||
415 | ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key) | ||
416 | { | ||
417 | if (!key_is_cert(key)) | ||
418 | return ssh_krl_revoke_key_sha1(krl, key); | ||
419 | |||
420 | if (key_cert_is_legacy(key) || key->cert->serial == 0) { | ||
421 | return ssh_krl_revoke_cert_by_key_id(krl, | ||
422 | key->cert->signature_key, | ||
423 | key->cert->key_id); | ||
424 | } else { | ||
425 | return ssh_krl_revoke_cert_by_serial(krl, | ||
426 | key->cert->signature_key, | ||
427 | key->cert->serial); | ||
428 | } | ||
429 | } | ||
430 | |||
431 | /* | ||
432 | * Select a copact next section type to emit in a KRL based on the | ||
433 | * current section type, the run length of contiguous revoked serial | ||
434 | * numbers and the gaps from the last and to the next revoked serial. | ||
435 | * Applies a mostly-accurate bit cost model to select the section type | ||
436 | * that will minimise the size of the resultant KRL. | ||
437 | */ | ||
438 | static int | ||
439 | choose_next_state(int current_state, u_int64_t contig, int final, | ||
440 | u_int64_t last_gap, u_int64_t next_gap, int *force_new_section) | ||
441 | { | ||
442 | int new_state; | ||
443 | u_int64_t cost, cost_list, cost_range, cost_bitmap, cost_bitmap_restart; | ||
444 | |||
445 | /* | ||
446 | * Avoid unsigned overflows. | ||
447 | * The limits are high enough to avoid confusing the calculations. | ||
448 | */ | ||
449 | contig = MIN(contig, 1ULL<<31); | ||
450 | last_gap = MIN(last_gap, 1ULL<<31); | ||
451 | next_gap = MIN(next_gap, 1ULL<<31); | ||
452 | |||
453 | /* | ||
454 | * Calculate the cost to switch from the current state to candidates. | ||
455 | * NB. range sections only ever contain a single range, so their | ||
456 | * switching cost is independent of the current_state. | ||
457 | */ | ||
458 | cost_list = cost_bitmap = cost_bitmap_restart = 0; | ||
459 | cost_range = 8; | ||
460 | switch (current_state) { | ||
461 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
462 | cost_bitmap_restart = cost_bitmap = 8 + 64; | ||
463 | break; | ||
464 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
465 | cost_list = 8; | ||
466 | cost_bitmap_restart = 8 + 64; | ||
467 | break; | ||
468 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
469 | case 0: | ||
470 | cost_bitmap_restart = cost_bitmap = 8 + 64; | ||
471 | cost_list = 8; | ||
472 | } | ||
473 | |||
474 | /* Estimate base cost in bits of each section type */ | ||
475 | cost_list += 64 * contig + (final ? 0 : 8+64); | ||
476 | cost_range += (2 * 64) + (final ? 0 : 8+64); | ||
477 | cost_bitmap += last_gap + contig + (final ? 0 : MIN(next_gap, 8+64)); | ||
478 | cost_bitmap_restart += contig + (final ? 0 : MIN(next_gap, 8+64)); | ||
479 | |||
480 | /* Convert to byte costs for actual comparison */ | ||
481 | cost_list = (cost_list + 7) / 8; | ||
482 | cost_bitmap = (cost_bitmap + 7) / 8; | ||
483 | cost_bitmap_restart = (cost_bitmap_restart + 7) / 8; | ||
484 | cost_range = (cost_range + 7) / 8; | ||
485 | |||
486 | /* Now pick the best choice */ | ||
487 | *force_new_section = 0; | ||
488 | new_state = KRL_SECTION_CERT_SERIAL_BITMAP; | ||
489 | cost = cost_bitmap; | ||
490 | if (cost_range < cost) { | ||
491 | new_state = KRL_SECTION_CERT_SERIAL_RANGE; | ||
492 | cost = cost_range; | ||
493 | } | ||
494 | if (cost_list < cost) { | ||
495 | new_state = KRL_SECTION_CERT_SERIAL_LIST; | ||
496 | cost = cost_list; | ||
497 | } | ||
498 | if (cost_bitmap_restart < cost) { | ||
499 | new_state = KRL_SECTION_CERT_SERIAL_BITMAP; | ||
500 | *force_new_section = 1; | ||
501 | cost = cost_bitmap_restart; | ||
502 | } | ||
503 | debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" | ||
504 | "list %llu range %llu bitmap %llu new bitmap %llu, " | ||
505 | "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final, | ||
506 | cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state, | ||
507 | *force_new_section ? " restart" : ""); | ||
508 | return new_state; | ||
509 | } | ||
510 | |||
511 | /* Generate a KRL_SECTION_CERTIFICATES KRL section */ | ||
512 | static int | ||
513 | revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) | ||
514 | { | ||
515 | int final, force_new_sect, r = -1; | ||
516 | u_int64_t i, contig, gap, last = 0, bitmap_start = 0; | ||
517 | struct revoked_serial *rs, *nrs; | ||
518 | struct revoked_key_id *rki; | ||
519 | int next_state, state = 0; | ||
520 | Buffer sect; | ||
521 | u_char *kblob = NULL; | ||
522 | u_int klen; | ||
523 | BIGNUM *bitmap = NULL; | ||
524 | |||
525 | /* Prepare CA scope key blob if we have one supplied */ | ||
526 | if (key_to_blob(rc->ca_key, &kblob, &klen) == 0) | ||
527 | return -1; | ||
528 | |||
529 | buffer_init(§); | ||
530 | |||
531 | /* Store the header */ | ||
532 | buffer_put_string(buf, kblob, klen); | ||
533 | buffer_put_string(buf, NULL, 0); /* Reserved */ | ||
534 | |||
535 | free(kblob); | ||
536 | |||
537 | /* Store the revoked serials. */ | ||
538 | for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); | ||
539 | rs != NULL; | ||
540 | rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { | ||
541 | debug3("%s: serial %llu:%llu state 0x%02x", __func__, | ||
542 | rs->lo, rs->hi, state); | ||
543 | |||
544 | /* Check contiguous length and gap to next section (if any) */ | ||
545 | nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); | ||
546 | final = nrs == NULL; | ||
547 | gap = nrs == NULL ? 0 : nrs->lo - rs->hi; | ||
548 | contig = 1 + (rs->hi - rs->lo); | ||
549 | |||
550 | /* Choose next state based on these */ | ||
551 | next_state = choose_next_state(state, contig, final, | ||
552 | state == 0 ? 0 : rs->lo - last, gap, &force_new_sect); | ||
553 | |||
554 | /* | ||
555 | * If the current section is a range section or has a different | ||
556 | * type to the next section, then finish it off now. | ||
557 | */ | ||
558 | if (state != 0 && (force_new_sect || next_state != state || | ||
559 | state == KRL_SECTION_CERT_SERIAL_RANGE)) { | ||
560 | debug3("%s: finish state 0x%02x", __func__, state); | ||
561 | switch (state) { | ||
562 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
563 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
564 | break; | ||
565 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
566 | buffer_put_bignum2(§, bitmap); | ||
567 | BN_free(bitmap); | ||
568 | bitmap = NULL; | ||
569 | break; | ||
570 | } | ||
571 | buffer_put_char(buf, state); | ||
572 | buffer_put_string(buf, | ||
573 | buffer_ptr(§), buffer_len(§)); | ||
574 | } | ||
575 | |||
576 | /* If we are starting a new section then prepare it now */ | ||
577 | if (next_state != state || force_new_sect) { | ||
578 | debug3("%s: start state 0x%02x", __func__, next_state); | ||
579 | state = next_state; | ||
580 | buffer_clear(§); | ||
581 | switch (state) { | ||
582 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
583 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
584 | break; | ||
585 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
586 | if ((bitmap = BN_new()) == NULL) | ||
587 | goto out; | ||
588 | bitmap_start = rs->lo; | ||
589 | buffer_put_int64(§, bitmap_start); | ||
590 | break; | ||
591 | } | ||
592 | } | ||
593 | |||
594 | /* Perform section-specific processing */ | ||
595 | switch (state) { | ||
596 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
597 | for (i = 0; i < contig; i++) | ||
598 | buffer_put_int64(§, rs->lo + i); | ||
599 | break; | ||
600 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
601 | buffer_put_int64(§, rs->lo); | ||
602 | buffer_put_int64(§, rs->hi); | ||
603 | break; | ||
604 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
605 | if (rs->lo - bitmap_start > INT_MAX) { | ||
606 | error("%s: insane bitmap gap", __func__); | ||
607 | goto out; | ||
608 | } | ||
609 | for (i = 0; i < contig; i++) { | ||
610 | if (BN_set_bit(bitmap, | ||
611 | rs->lo + i - bitmap_start) != 1) | ||
612 | goto out; | ||
613 | } | ||
614 | break; | ||
615 | } | ||
616 | last = rs->hi; | ||
617 | } | ||
618 | /* Flush the remaining section, if any */ | ||
619 | if (state != 0) { | ||
620 | debug3("%s: serial final flush for state 0x%02x", | ||
621 | __func__, state); | ||
622 | switch (state) { | ||
623 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
624 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
625 | break; | ||
626 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
627 | buffer_put_bignum2(§, bitmap); | ||
628 | BN_free(bitmap); | ||
629 | bitmap = NULL; | ||
630 | break; | ||
631 | } | ||
632 | buffer_put_char(buf, state); | ||
633 | buffer_put_string(buf, | ||
634 | buffer_ptr(§), buffer_len(§)); | ||
635 | } | ||
636 | debug3("%s: serial done ", __func__); | ||
637 | |||
638 | /* Now output a section for any revocations by key ID */ | ||
639 | buffer_clear(§); | ||
640 | RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { | ||
641 | debug3("%s: key ID %s", __func__, rki->key_id); | ||
642 | buffer_put_cstring(§, rki->key_id); | ||
643 | } | ||
644 | if (buffer_len(§) != 0) { | ||
645 | buffer_put_char(buf, KRL_SECTION_CERT_KEY_ID); | ||
646 | buffer_put_string(buf, buffer_ptr(§), | ||
647 | buffer_len(§)); | ||
648 | } | ||
649 | r = 0; | ||
650 | out: | ||
651 | if (bitmap != NULL) | ||
652 | BN_free(bitmap); | ||
653 | buffer_free(§); | ||
654 | return r; | ||
655 | } | ||
656 | |||
657 | int | ||
658 | ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, | ||
659 | u_int nsign_keys) | ||
660 | { | ||
661 | int r = -1; | ||
662 | struct revoked_certs *rc; | ||
663 | struct revoked_blob *rb; | ||
664 | Buffer sect; | ||
665 | u_char *kblob = NULL, *sblob = NULL; | ||
666 | u_int klen, slen, i; | ||
667 | |||
668 | if (krl->generated_date == 0) | ||
669 | krl->generated_date = time(NULL); | ||
670 | |||
671 | buffer_init(§); | ||
672 | |||
673 | /* Store the header */ | ||
674 | buffer_append(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1); | ||
675 | buffer_put_int(buf, KRL_FORMAT_VERSION); | ||
676 | buffer_put_int64(buf, krl->krl_version); | ||
677 | buffer_put_int64(buf, krl->generated_date); | ||
678 | buffer_put_int64(buf, krl->flags); | ||
679 | buffer_put_string(buf, NULL, 0); | ||
680 | buffer_put_cstring(buf, krl->comment ? krl->comment : ""); | ||
681 | |||
682 | /* Store sections for revoked certificates */ | ||
683 | TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { | ||
684 | if (revoked_certs_generate(rc, §) != 0) | ||
685 | goto out; | ||
686 | buffer_put_char(buf, KRL_SECTION_CERTIFICATES); | ||
687 | buffer_put_string(buf, buffer_ptr(§), | ||
688 | buffer_len(§)); | ||
689 | } | ||
690 | |||
691 | /* Finally, output sections for revocations by public key/hash */ | ||
692 | buffer_clear(§); | ||
693 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { | ||
694 | debug3("%s: key len %u ", __func__, rb->len); | ||
695 | buffer_put_string(§, rb->blob, rb->len); | ||
696 | } | ||
697 | if (buffer_len(§) != 0) { | ||
698 | buffer_put_char(buf, KRL_SECTION_EXPLICIT_KEY); | ||
699 | buffer_put_string(buf, buffer_ptr(§), | ||
700 | buffer_len(§)); | ||
701 | } | ||
702 | buffer_clear(§); | ||
703 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { | ||
704 | debug3("%s: hash len %u ", __func__, rb->len); | ||
705 | buffer_put_string(§, rb->blob, rb->len); | ||
706 | } | ||
707 | if (buffer_len(§) != 0) { | ||
708 | buffer_put_char(buf, KRL_SECTION_FINGERPRINT_SHA1); | ||
709 | buffer_put_string(buf, buffer_ptr(§), | ||
710 | buffer_len(§)); | ||
711 | } | ||
712 | |||
713 | for (i = 0; i < nsign_keys; i++) { | ||
714 | if (key_to_blob(sign_keys[i], &kblob, &klen) == 0) | ||
715 | goto out; | ||
716 | |||
717 | debug3("%s: signature key len %u", __func__, klen); | ||
718 | buffer_put_char(buf, KRL_SECTION_SIGNATURE); | ||
719 | buffer_put_string(buf, kblob, klen); | ||
720 | |||
721 | if (key_sign(sign_keys[i], &sblob, &slen, | ||
722 | buffer_ptr(buf), buffer_len(buf)) == -1) | ||
723 | goto out; | ||
724 | debug3("%s: signature sig len %u", __func__, slen); | ||
725 | buffer_put_string(buf, sblob, slen); | ||
726 | } | ||
727 | |||
728 | r = 0; | ||
729 | out: | ||
730 | free(kblob); | ||
731 | free(sblob); | ||
732 | buffer_free(§); | ||
733 | return r; | ||
734 | } | ||
735 | |||
736 | static void | ||
737 | format_timestamp(u_int64_t timestamp, char *ts, size_t nts) | ||
738 | { | ||
739 | time_t t; | ||
740 | struct tm *tm; | ||
741 | |||
742 | t = timestamp; | ||
743 | tm = localtime(&t); | ||
744 | *ts = '\0'; | ||
745 | strftime(ts, nts, "%Y%m%dT%H%M%S", tm); | ||
746 | } | ||
747 | |||
748 | static int | ||
749 | parse_revoked_certs(Buffer *buf, struct ssh_krl *krl) | ||
750 | { | ||
751 | int ret = -1, nbits; | ||
752 | u_char type, *blob; | ||
753 | u_int blen; | ||
754 | Buffer subsect; | ||
755 | u_int64_t serial, serial_lo, serial_hi; | ||
756 | BIGNUM *bitmap = NULL; | ||
757 | char *key_id = NULL; | ||
758 | Key *ca_key = NULL; | ||
759 | |||
760 | buffer_init(&subsect); | ||
761 | |||
762 | if ((blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL || | ||
763 | buffer_get_string_ptr_ret(buf, NULL) == NULL) { /* reserved */ | ||
764 | error("%s: buffer error", __func__); | ||
765 | goto out; | ||
766 | } | ||
767 | if ((ca_key = key_from_blob(blob, blen)) == NULL) | ||
768 | goto out; | ||
769 | |||
770 | while (buffer_len(buf) > 0) { | ||
771 | if (buffer_get_char_ret(&type, buf) != 0 || | ||
772 | (blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL) { | ||
773 | error("%s: buffer error", __func__); | ||
774 | goto out; | ||
775 | } | ||
776 | buffer_clear(&subsect); | ||
777 | buffer_append(&subsect, blob, blen); | ||
778 | debug3("%s: subsection type 0x%02x", __func__, type); | ||
779 | /* buffer_dump(&subsect); */ | ||
780 | |||
781 | switch (type) { | ||
782 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
783 | while (buffer_len(&subsect) > 0) { | ||
784 | if (buffer_get_int64_ret(&serial, | ||
785 | &subsect) != 0) { | ||
786 | error("%s: buffer error", __func__); | ||
787 | goto out; | ||
788 | } | ||
789 | if (ssh_krl_revoke_cert_by_serial(krl, ca_key, | ||
790 | serial) != 0) { | ||
791 | error("%s: update failed", __func__); | ||
792 | goto out; | ||
793 | } | ||
794 | } | ||
795 | break; | ||
796 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
797 | if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 || | ||
798 | buffer_get_int64_ret(&serial_hi, &subsect) != 0) { | ||
799 | error("%s: buffer error", __func__); | ||
800 | goto out; | ||
801 | } | ||
802 | if (ssh_krl_revoke_cert_by_serial_range(krl, ca_key, | ||
803 | serial_lo, serial_hi) != 0) { | ||
804 | error("%s: update failed", __func__); | ||
805 | goto out; | ||
806 | } | ||
807 | break; | ||
808 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
809 | if ((bitmap = BN_new()) == NULL) { | ||
810 | error("%s: BN_new", __func__); | ||
811 | goto out; | ||
812 | } | ||
813 | if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 || | ||
814 | buffer_get_bignum2_ret(&subsect, bitmap) != 0) { | ||
815 | error("%s: buffer error", __func__); | ||
816 | goto out; | ||
817 | } | ||
818 | if ((nbits = BN_num_bits(bitmap)) < 0) { | ||
819 | error("%s: bitmap bits < 0", __func__); | ||
820 | goto out; | ||
821 | } | ||
822 | for (serial = 0; serial < (u_int)nbits; serial++) { | ||
823 | if (serial > 0 && serial_lo + serial == 0) { | ||
824 | error("%s: bitmap wraps u64", __func__); | ||
825 | goto out; | ||
826 | } | ||
827 | if (!BN_is_bit_set(bitmap, serial)) | ||
828 | continue; | ||
829 | if (ssh_krl_revoke_cert_by_serial(krl, ca_key, | ||
830 | serial_lo + serial) != 0) { | ||
831 | error("%s: update failed", __func__); | ||
832 | goto out; | ||
833 | } | ||
834 | } | ||
835 | BN_free(bitmap); | ||
836 | bitmap = NULL; | ||
837 | break; | ||
838 | case KRL_SECTION_CERT_KEY_ID: | ||
839 | while (buffer_len(&subsect) > 0) { | ||
840 | if ((key_id = buffer_get_cstring_ret(&subsect, | ||
841 | NULL)) == NULL) { | ||
842 | error("%s: buffer error", __func__); | ||
843 | goto out; | ||
844 | } | ||
845 | if (ssh_krl_revoke_cert_by_key_id(krl, ca_key, | ||
846 | key_id) != 0) { | ||
847 | error("%s: update failed", __func__); | ||
848 | goto out; | ||
849 | } | ||
850 | free(key_id); | ||
851 | key_id = NULL; | ||
852 | } | ||
853 | break; | ||
854 | default: | ||
855 | error("Unsupported KRL certificate section %u", type); | ||
856 | goto out; | ||
857 | } | ||
858 | if (buffer_len(&subsect) > 0) { | ||
859 | error("KRL certificate section contains unparsed data"); | ||
860 | goto out; | ||
861 | } | ||
862 | } | ||
863 | |||
864 | ret = 0; | ||
865 | out: | ||
866 | if (ca_key != NULL) | ||
867 | key_free(ca_key); | ||
868 | if (bitmap != NULL) | ||
869 | BN_free(bitmap); | ||
870 | free(key_id); | ||
871 | buffer_free(&subsect); | ||
872 | return ret; | ||
873 | } | ||
874 | |||
875 | |||
876 | /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ | ||
877 | int | ||
878 | ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, | ||
879 | const Key **sign_ca_keys, u_int nsign_ca_keys) | ||
880 | { | ||
881 | Buffer copy, sect; | ||
882 | struct ssh_krl *krl; | ||
883 | char timestamp[64]; | ||
884 | int ret = -1, r, sig_seen; | ||
885 | Key *key = NULL, **ca_used = NULL; | ||
886 | u_char type, *blob; | ||
887 | u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; | ||
888 | |||
889 | *krlp = NULL; | ||
890 | if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || | ||
891 | memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { | ||
892 | debug3("%s: not a KRL", __func__); | ||
893 | /* | ||
894 | * Return success but a NULL *krlp here to signal that the | ||
895 | * file might be a simple list of keys. | ||
896 | */ | ||
897 | return 0; | ||
898 | } | ||
899 | |||
900 | /* Take a copy of the KRL buffer so we can verify its signature later */ | ||
901 | buffer_init(©); | ||
902 | buffer_append(©, buffer_ptr(buf), buffer_len(buf)); | ||
903 | |||
904 | buffer_init(§); | ||
905 | buffer_consume(©, sizeof(KRL_MAGIC) - 1); | ||
906 | |||
907 | if ((krl = ssh_krl_init()) == NULL) { | ||
908 | error("%s: alloc failed", __func__); | ||
909 | goto out; | ||
910 | } | ||
911 | |||
912 | if (buffer_get_int_ret(&format_version, ©) != 0) { | ||
913 | error("%s: KRL truncated", __func__); | ||
914 | goto out; | ||
915 | } | ||
916 | if (format_version != KRL_FORMAT_VERSION) { | ||
917 | error("%s: KRL unsupported format version %u", | ||
918 | __func__, format_version); | ||
919 | goto out; | ||
920 | } | ||
921 | if (buffer_get_int64_ret(&krl->krl_version, ©) != 0 || | ||
922 | buffer_get_int64_ret(&krl->generated_date, ©) != 0 || | ||
923 | buffer_get_int64_ret(&krl->flags, ©) != 0 || | ||
924 | buffer_get_string_ptr_ret(©, NULL) == NULL || /* reserved */ | ||
925 | (krl->comment = buffer_get_cstring_ret(©, NULL)) == NULL) { | ||
926 | error("%s: buffer error", __func__); | ||
927 | goto out; | ||
928 | } | ||
929 | |||
930 | format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); | ||
931 | debug("KRL version %llu generated at %s%s%s", krl->krl_version, | ||
932 | timestamp, *krl->comment ? ": " : "", krl->comment); | ||
933 | |||
934 | /* | ||
935 | * 1st pass: verify signatures, if any. This is done to avoid | ||
936 | * detailed parsing of data whose provenance is unverified. | ||
937 | */ | ||
938 | sig_seen = 0; | ||
939 | sects_off = buffer_len(buf) - buffer_len(©); | ||
940 | while (buffer_len(©) > 0) { | ||
941 | if (buffer_get_char_ret(&type, ©) != 0 || | ||
942 | (blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { | ||
943 | error("%s: buffer error", __func__); | ||
944 | goto out; | ||
945 | } | ||
946 | debug3("%s: first pass, section 0x%02x", __func__, type); | ||
947 | if (type != KRL_SECTION_SIGNATURE) { | ||
948 | if (sig_seen) { | ||
949 | error("KRL contains non-signature section " | ||
950 | "after signature"); | ||
951 | goto out; | ||
952 | } | ||
953 | /* Not interested for now. */ | ||
954 | continue; | ||
955 | } | ||
956 | sig_seen = 1; | ||
957 | /* First string component is the signing key */ | ||
958 | if ((key = key_from_blob(blob, blen)) == NULL) { | ||
959 | error("%s: invalid signature key", __func__); | ||
960 | goto out; | ||
961 | } | ||
962 | sig_off = buffer_len(buf) - buffer_len(©); | ||
963 | /* Second string component is the signature itself */ | ||
964 | if ((blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { | ||
965 | error("%s: buffer error", __func__); | ||
966 | goto out; | ||
967 | } | ||
968 | /* Check signature over entire KRL up to this point */ | ||
969 | if (key_verify(key, blob, blen, | ||
970 | buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { | ||
971 | error("bad signaure on KRL"); | ||
972 | goto out; | ||
973 | } | ||
974 | /* Check if this key has already signed this KRL */ | ||
975 | for (i = 0; i < nca_used; i++) { | ||
976 | if (key_equal(ca_used[i], key)) { | ||
977 | error("KRL signed more than once with " | ||
978 | "the same key"); | ||
979 | goto out; | ||
980 | } | ||
981 | } | ||
982 | /* Record keys used to sign the KRL */ | ||
983 | ca_used = xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); | ||
984 | ca_used[nca_used++] = key; | ||
985 | key = NULL; | ||
986 | break; | ||
987 | } | ||
988 | |||
989 | /* | ||
990 | * 2nd pass: parse and load the KRL, skipping the header to the point | ||
991 | * where the section start. | ||
992 | */ | ||
993 | buffer_append(©, (u_char*)buffer_ptr(buf) + sects_off, | ||
994 | buffer_len(buf) - sects_off); | ||
995 | while (buffer_len(©) > 0) { | ||
996 | if (buffer_get_char_ret(&type, ©) != 0 || | ||
997 | (blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { | ||
998 | error("%s: buffer error", __func__); | ||
999 | goto out; | ||
1000 | } | ||
1001 | debug3("%s: second pass, section 0x%02x", __func__, type); | ||
1002 | buffer_clear(§); | ||
1003 | buffer_append(§, blob, blen); | ||
1004 | |||
1005 | switch (type) { | ||
1006 | case KRL_SECTION_CERTIFICATES: | ||
1007 | if ((r = parse_revoked_certs(§, krl)) != 0) | ||
1008 | goto out; | ||
1009 | break; | ||
1010 | case KRL_SECTION_EXPLICIT_KEY: | ||
1011 | case KRL_SECTION_FINGERPRINT_SHA1: | ||
1012 | while (buffer_len(§) > 0) { | ||
1013 | if ((blob = buffer_get_string_ret(§, | ||
1014 | &blen)) == NULL) { | ||
1015 | error("%s: buffer error", __func__); | ||
1016 | goto out; | ||
1017 | } | ||
1018 | if (type == KRL_SECTION_FINGERPRINT_SHA1 && | ||
1019 | blen != 20) { | ||
1020 | error("%s: bad SHA1 length", __func__); | ||
1021 | goto out; | ||
1022 | } | ||
1023 | if (revoke_blob( | ||
1024 | type == KRL_SECTION_EXPLICIT_KEY ? | ||
1025 | &krl->revoked_keys : &krl->revoked_sha1s, | ||
1026 | blob, blen) != 0) | ||
1027 | goto out; /* revoke_blob frees blob */ | ||
1028 | } | ||
1029 | break; | ||
1030 | case KRL_SECTION_SIGNATURE: | ||
1031 | /* Handled above, but still need to stay in synch */ | ||
1032 | buffer_clear(§); | ||
1033 | if ((blob = buffer_get_string_ptr_ret(©, | ||
1034 | &blen)) == NULL) { | ||
1035 | error("%s: buffer error", __func__); | ||
1036 | goto out; | ||
1037 | } | ||
1038 | break; | ||
1039 | default: | ||
1040 | error("Unsupported KRL section %u", type); | ||
1041 | goto out; | ||
1042 | } | ||
1043 | if (buffer_len(§) > 0) { | ||
1044 | error("KRL section contains unparsed data"); | ||
1045 | goto out; | ||
1046 | } | ||
1047 | } | ||
1048 | |||
1049 | /* Check that the key(s) used to sign the KRL weren't revoked */ | ||
1050 | sig_seen = 0; | ||
1051 | for (i = 0; i < nca_used; i++) { | ||
1052 | if (ssh_krl_check_key(krl, ca_used[i]) == 0) | ||
1053 | sig_seen = 1; | ||
1054 | else { | ||
1055 | key_free(ca_used[i]); | ||
1056 | ca_used[i] = NULL; | ||
1057 | } | ||
1058 | } | ||
1059 | if (nca_used && !sig_seen) { | ||
1060 | error("All keys used to sign KRL were revoked"); | ||
1061 | goto out; | ||
1062 | } | ||
1063 | |||
1064 | /* If we have CA keys, then verify that one was used to sign the KRL */ | ||
1065 | if (sig_seen && nsign_ca_keys != 0) { | ||
1066 | sig_seen = 0; | ||
1067 | for (i = 0; !sig_seen && i < nsign_ca_keys; i++) { | ||
1068 | for (j = 0; j < nca_used; j++) { | ||
1069 | if (ca_used[j] == NULL) | ||
1070 | continue; | ||
1071 | if (key_equal(ca_used[j], sign_ca_keys[i])) { | ||
1072 | sig_seen = 1; | ||
1073 | break; | ||
1074 | } | ||
1075 | } | ||
1076 | } | ||
1077 | if (!sig_seen) { | ||
1078 | error("KRL not signed with any trusted key"); | ||
1079 | goto out; | ||
1080 | } | ||
1081 | } | ||
1082 | |||
1083 | *krlp = krl; | ||
1084 | ret = 0; | ||
1085 | out: | ||
1086 | if (ret != 0) | ||
1087 | ssh_krl_free(krl); | ||
1088 | for (i = 0; i < nca_used; i++) { | ||
1089 | if (ca_used[i] != NULL) | ||
1090 | key_free(ca_used[i]); | ||
1091 | } | ||
1092 | free(ca_used); | ||
1093 | if (key != NULL) | ||
1094 | key_free(key); | ||
1095 | buffer_free(©); | ||
1096 | buffer_free(§); | ||
1097 | return ret; | ||
1098 | } | ||
1099 | |||
1100 | /* Checks whether a given key/cert is revoked. Does not check its CA */ | ||
1101 | static int | ||
1102 | is_key_revoked(struct ssh_krl *krl, const Key *key) | ||
1103 | { | ||
1104 | struct revoked_blob rb, *erb; | ||
1105 | struct revoked_serial rs, *ers; | ||
1106 | struct revoked_key_id rki, *erki; | ||
1107 | struct revoked_certs *rc; | ||
1108 | |||
1109 | /* Check explicitly revoked hashes first */ | ||
1110 | bzero(&rb, sizeof(rb)); | ||
1111 | if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL) | ||
1112 | return -1; | ||
1113 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); | ||
1114 | free(rb.blob); | ||
1115 | if (erb != NULL) { | ||
1116 | debug("%s: revoked by key SHA1", __func__); | ||
1117 | return -1; | ||
1118 | } | ||
1119 | |||
1120 | /* Next, explicit keys */ | ||
1121 | bzero(&rb, sizeof(rb)); | ||
1122 | if (plain_key_blob(key, &rb.blob, &rb.len) != 0) | ||
1123 | return -1; | ||
1124 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); | ||
1125 | free(rb.blob); | ||
1126 | if (erb != NULL) { | ||
1127 | debug("%s: revoked by explicit key", __func__); | ||
1128 | return -1; | ||
1129 | } | ||
1130 | |||
1131 | if (!key_is_cert(key)) | ||
1132 | return 0; | ||
1133 | |||
1134 | /* Check cert revocation */ | ||
1135 | if (revoked_certs_for_ca_key(krl, key->cert->signature_key, | ||
1136 | &rc, 0) != 0) | ||
1137 | return -1; | ||
1138 | if (rc == NULL) | ||
1139 | return 0; /* No entry for this CA */ | ||
1140 | |||
1141 | /* Check revocation by cert key ID */ | ||
1142 | bzero(&rki, sizeof(rki)); | ||
1143 | rki.key_id = key->cert->key_id; | ||
1144 | erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); | ||
1145 | if (erki != NULL) { | ||
1146 | debug("%s: revoked by key ID", __func__); | ||
1147 | return -1; | ||
1148 | } | ||
1149 | |||
1150 | /* | ||
1151 | * Legacy cert formats lack serial numbers. Zero serials numbers | ||
1152 | * are ignored (it's the default when the CA doesn't specify one). | ||
1153 | */ | ||
1154 | if (key_cert_is_legacy(key) || key->cert->serial == 0) | ||
1155 | return 0; | ||
1156 | |||
1157 | bzero(&rs, sizeof(rs)); | ||
1158 | rs.lo = rs.hi = key->cert->serial; | ||
1159 | ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); | ||
1160 | if (ers != NULL) { | ||
1161 | KRL_DBG(("%s: %llu matched %llu:%llu", __func__, | ||
1162 | key->cert->serial, ers->lo, ers->hi)); | ||
1163 | debug("%s: revoked by serial", __func__); | ||
1164 | return -1; | ||
1165 | } | ||
1166 | KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); | ||
1167 | |||
1168 | return 0; | ||
1169 | } | ||
1170 | |||
1171 | int | ||
1172 | ssh_krl_check_key(struct ssh_krl *krl, const Key *key) | ||
1173 | { | ||
1174 | int r; | ||
1175 | |||
1176 | debug2("%s: checking key", __func__); | ||
1177 | if ((r = is_key_revoked(krl, key)) != 0) | ||
1178 | return r; | ||
1179 | if (key_is_cert(key)) { | ||
1180 | debug2("%s: checking CA key", __func__); | ||
1181 | if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) | ||
1182 | return r; | ||
1183 | } | ||
1184 | debug3("%s: key okay", __func__); | ||
1185 | return 0; | ||
1186 | } | ||
1187 | |||
1188 | /* Returns 0 on success, -1 on error or key revoked, -2 if path is not a KRL */ | ||
1189 | int | ||
1190 | ssh_krl_file_contains_key(const char *path, const Key *key) | ||
1191 | { | ||
1192 | Buffer krlbuf; | ||
1193 | struct ssh_krl *krl; | ||
1194 | int revoked, fd; | ||
1195 | |||
1196 | if (path == NULL) | ||
1197 | return 0; | ||
1198 | |||
1199 | if ((fd = open(path, O_RDONLY)) == -1) { | ||
1200 | error("open %s: %s", path, strerror(errno)); | ||
1201 | error("Revoked keys file not accessible - refusing public key " | ||
1202 | "authentication"); | ||
1203 | return -1; | ||
1204 | } | ||
1205 | buffer_init(&krlbuf); | ||
1206 | if (!key_load_file(fd, path, &krlbuf)) { | ||
1207 | close(fd); | ||
1208 | buffer_free(&krlbuf); | ||
1209 | error("Revoked keys file not readable - refusing public key " | ||
1210 | "authentication"); | ||
1211 | return -1; | ||
1212 | } | ||
1213 | close(fd); | ||
1214 | if (ssh_krl_from_blob(&krlbuf, &krl, NULL, 0) != 0) { | ||
1215 | buffer_free(&krlbuf); | ||
1216 | error("Invalid KRL, refusing public key " | ||
1217 | "authentication"); | ||
1218 | return -1; | ||
1219 | } | ||
1220 | buffer_free(&krlbuf); | ||
1221 | if (krl == NULL) { | ||
1222 | debug3("%s: %s is not a KRL file", __func__, path); | ||
1223 | return -2; | ||
1224 | } | ||
1225 | debug2("%s: checking KRL %s", __func__, path); | ||
1226 | revoked = ssh_krl_check_key(krl, key) != 0; | ||
1227 | ssh_krl_free(krl); | ||
1228 | return revoked ? -1 : 0; | ||
1229 | } | ||
@@ -0,0 +1,63 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2012 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */ | ||
18 | |||
19 | #ifndef _KRL_H | ||
20 | #define _KRL_H | ||
21 | |||
22 | /* Functions to manage key revocation lists */ | ||
23 | |||
24 | #define KRL_MAGIC "SSHKRL\n\0" | ||
25 | #define KRL_FORMAT_VERSION 1 | ||
26 | |||
27 | /* KRL section types */ | ||
28 | #define KRL_SECTION_CERTIFICATES 1 | ||
29 | #define KRL_SECTION_EXPLICIT_KEY 2 | ||
30 | #define KRL_SECTION_FINGERPRINT_SHA1 3 | ||
31 | #define KRL_SECTION_SIGNATURE 4 | ||
32 | |||
33 | /* KRL_SECTION_CERTIFICATES subsection types */ | ||
34 | #define KRL_SECTION_CERT_SERIAL_LIST 0x20 | ||
35 | #define KRL_SECTION_CERT_SERIAL_RANGE 0x21 | ||
36 | #define KRL_SECTION_CERT_SERIAL_BITMAP 0x22 | ||
37 | #define KRL_SECTION_CERT_KEY_ID 0x23 | ||
38 | |||
39 | struct ssh_krl; | ||
40 | |||
41 | struct ssh_krl *ssh_krl_init(void); | ||
42 | void ssh_krl_free(struct ssh_krl *krl); | ||
43 | void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version); | ||
44 | void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key); | ||
45 | void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment); | ||
46 | int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key, | ||
47 | u_int64_t serial); | ||
48 | int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key, | ||
49 | u_int64_t lo, u_int64_t hi); | ||
50 | int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key, | ||
51 | const char *key_id); | ||
52 | int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key); | ||
53 | int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key); | ||
54 | int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key); | ||
55 | int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, | ||
56 | u_int nsign_keys); | ||
57 | int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, | ||
58 | const Key **sign_ca_keys, u_int nsign_ca_keys); | ||
59 | int ssh_krl_check_key(struct ssh_krl *krl, const Key *key); | ||
60 | int ssh_krl_file_contains_key(const char *path, const Key *key); | ||
61 | |||
62 | #endif /* _KRL_H */ | ||
63 | |||
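Review bot: The prototypes at the end of this header say nothing about return values, and for `ssh_krl_check_key` and `ssh_krl_file_contains_key` that contract decides whether a key is accepted. The implementation shown earlier on this page returns 0 for a key that is not revoked, -1 both for a revoked key and for any error (file not accessible, not readable, or an invalid KRL), and -2 when the file is not a KRL; a NULL `path` also returns 0. I would state that beside the declaration, for example `/* 0 = not revoked, -1 = revoked or error (treat as revoked), -2 = not a KRL file; NULL path returns 0 */`, so callers keep the fail-closed handling. Separately, the guard `_KRL_H` sits in the reserved identifier namespace, and the header uses `Key`, `Buffer` and `u_int64_t` without including what declares them, so it depends on include order.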
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: log.c,v 1.42 2011/06/17 21:44:30 djm Exp $ */ | 1 | /* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -45,7 +45,7 @@ | |||
45 | #include <syslog.h> | 45 | #include <syslog.h> |
46 | #include <unistd.h> | 46 | #include <unistd.h> |
47 | #include <errno.h> | 47 | #include <errno.h> |
48 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) | 48 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) |
49 | # include <vis.h> | 49 | # include <vis.h> |
50 | #endif | 50 | #endif |
51 | 51 | ||
@@ -330,6 +330,21 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) | |||
330 | #endif | 330 | #endif |
331 | } | 331 | } |
332 | 332 | ||
333 | void | ||
334 | log_change_level(LogLevel new_log_level) | ||
335 | { | ||
336 | /* no-op if log_init has not been called */ | ||
337 | if (argv0 == NULL) | ||
338 | return; | ||
339 | log_init(argv0, new_log_level, log_facility, log_on_stderr); | ||
340 | } | ||
341 | |||
342 | int | ||
343 | log_is_on_stderr(void) | ||
344 | { | ||
345 | return log_on_stderr; | ||
346 | } | ||
347 | |||
333 | #define MSGBUFSIZ 1024 | 348 | #define MSGBUFSIZ 1024 |
334 | 349 | ||
335 | void | 350 | void |
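Review bot: `log_change_level` returns void and returns early when `argv0` is NULL, so a caller that changes verbosity before `log_init` has run gets no indication that the request was dropped. Neither new function has a header comment. I would add one such as `/* Re-run log_init() with the stored argv0, facility and stderr flag; ignored until log_init() has been called once. */`. How `log_init` treats an out-of-range level is not visible in this hunk, so it is worth confirming that passing `new_log_level` straight through cannot end the process in a way the caller does not expect.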
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: log.h,v 1.18 2011/06/17 21:44:30 djm Exp $ */ | 1 | /* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -49,6 +49,8 @@ typedef enum { | |||
49 | typedef void (log_handler_fn)(LogLevel, const char *, void *); | 49 | typedef void (log_handler_fn)(LogLevel, const char *, void *); |
50 | 50 | ||
51 | void log_init(char *, LogLevel, SyslogFacility, int); | 51 | void log_init(char *, LogLevel, SyslogFacility, int); |
52 | void log_change_level(LogLevel); | ||
53 | int log_is_on_stderr(void); | ||
52 | 54 | ||
53 | SyslogFacility log_facility_number(char *); | 55 | SyslogFacility log_facility_number(char *); |
54 | const char * log_facility_name(SyslogFacility); | 56 | const char * log_facility_name(SyslogFacility); |
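diff --git a/loginrec.c b/loginrec.c
index 32941c985..f9662fa5c 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -180,10 +180,6 @@
 # include <util.h>
 #endif
 
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h>
-#endif
-
 /**
  ** prototypes for helper functions in this file
  **/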
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */ | 1 | /* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -48,6 +48,7 @@ | |||
48 | 48 | ||
49 | #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ | 49 | #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ |
50 | #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ | 50 | #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ |
51 | #define SSH_UMAC128 3 | ||
51 | 52 | ||
52 | struct { | 53 | struct { |
53 | char *name; | 54 | char *name; |
@@ -56,19 +57,36 @@ struct { | |||
56 | int truncatebits; /* truncate digest if != 0 */ | 57 | int truncatebits; /* truncate digest if != 0 */ |
57 | int key_len; /* just for UMAC */ | 58 | int key_len; /* just for UMAC */ |
58 | int len; /* just for UMAC */ | 59 | int len; /* just for UMAC */ |
60 | int etm; /* Encrypt-then-MAC */ | ||
59 | } macs[] = { | 61 | } macs[] = { |
60 | { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, | 62 | /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ |
61 | { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, | 63 | { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, |
64 | { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, | ||
62 | #ifdef HAVE_EVP_SHA256 | 65 | #ifdef HAVE_EVP_SHA256 |
63 | { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, | 66 | { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, |
64 | { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, | 67 | { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, |
65 | #endif | 68 | #endif |
66 | { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, | 69 | { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 }, |
67 | { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, | 70 | { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 }, |
68 | { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, | 71 | { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, |
69 | { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, | 72 | { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 }, |
70 | { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, | 73 | { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 }, |
71 | { NULL, 0, NULL, 0, -1, -1 } | 74 | { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 }, |
75 | |||
76 | /* Encrypt-then-MAC variants */ | ||
77 | { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 }, | ||
78 | { "hmac-sha1-96-etm@openssh.com", SSH_EVP, EVP_sha1, 96, 0, 0, 1 }, | ||
79 | #ifdef HAVE_EVP_SHA256 | ||
80 | { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 }, | ||
81 | { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 }, | ||
82 | #endif | ||
83 | { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 }, | ||
84 | { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, | ||
85 | { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, | ||
86 | { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, | ||
87 | { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, | ||
88 | |||
89 | { NULL, 0, NULL, 0, 0, 0, 0 } | ||
72 | }; | 90 | }; |
73 | 91 | ||
74 | static void | 92 | static void |
@@ -88,6 +106,7 @@ mac_setup_by_id(Mac *mac, int which) | |||
88 | } | 106 | } |
89 | if (macs[which].truncatebits != 0) | 107 | if (macs[which].truncatebits != 0) |
90 | mac->mac_len = macs[which].truncatebits / 8; | 108 | mac->mac_len = macs[which].truncatebits / 8; |
109 | mac->etm = macs[which].etm; | ||
91 | } | 110 | } |
92 | 111 | ||
93 | int | 112 | int |
@@ -122,6 +141,9 @@ mac_init(Mac *mac) | |||
122 | case SSH_UMAC: | 141 | case SSH_UMAC: |
123 | mac->umac_ctx = umac_new(mac->key); | 142 | mac->umac_ctx = umac_new(mac->key); |
124 | return 0; | 143 | return 0; |
144 | case SSH_UMAC128: | ||
145 | mac->umac_ctx = umac128_new(mac->key); | ||
146 | return 0; | ||
125 | default: | 147 | default: |
126 | return -1; | 148 | return -1; |
127 | } | 149 | } |
@@ -151,6 +173,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) | |||
151 | umac_update(mac->umac_ctx, data, datalen); | 173 | umac_update(mac->umac_ctx, data, datalen); |
152 | umac_final(mac->umac_ctx, m, nonce); | 174 | umac_final(mac->umac_ctx, m, nonce); |
153 | break; | 175 | break; |
176 | case SSH_UMAC128: | ||
177 | put_u64(nonce, seqno); | ||
178 | umac128_update(mac->umac_ctx, data, datalen); | ||
179 | umac128_final(mac->umac_ctx, m, nonce); | ||
180 | break; | ||
154 | default: | 181 | default: |
155 | fatal("mac_compute: unknown MAC type"); | 182 | fatal("mac_compute: unknown MAC type"); |
156 | } | 183 | } |
@@ -163,6 +190,9 @@ mac_clear(Mac *mac) | |||
163 | if (mac->type == SSH_UMAC) { | 190 | if (mac->type == SSH_UMAC) { |
164 | if (mac->umac_ctx != NULL) | 191 | if (mac->umac_ctx != NULL) |
165 | umac_delete(mac->umac_ctx); | 192 | umac_delete(mac->umac_ctx); |
193 | } else if (mac->type == SSH_UMAC128) { | ||
194 | if (mac->umac_ctx != NULL) | ||
195 | umac128_delete(mac->umac_ctx); | ||
166 | } else if (mac->evp_md != NULL) | 196 | } else if (mac->evp_md != NULL) |
167 | HMAC_cleanup(&mac->evp_ctx); | 197 | HMAC_cleanup(&mac->evp_ctx); |
168 | mac->evp_md = NULL; | 198 | mac->evp_md = NULL; |
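Review bot: The `macs[]` rows are positional initializers, so the new `etm` flag is a bare trailing `0` or `1` after three other integers. A row written one value short would still compile, leave `etm` at zero, and give a name ending in `-etm@openssh.com` the encrypt-and-MAC ordering. A column legend directly above the first row, such as `/* name, type, mdfunc, truncatebits, key_len, len, etm */`, or designated initializers (`.etm = 1`) if the supported compilers allow them, would make a misplaced value visible in review. The struct members between `name` and `truncatebits` fall between two hunks, so the middle names in that legend need checking against the full definition. `#define SSH_UMAC128 3` also lacks the trailing comment its two neighbours carry.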
@@ -645,7 +645,7 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, | |||
645 | int | 645 | int |
646 | secure_permissions(struct stat *st, uid_t uid) | 646 | secure_permissions(struct stat *st, uid_t uid) |
647 | { | 647 | { |
648 | if (st->st_uid != 0 && st->st_uid != uid) | 648 | if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid) |
649 | return 0; | 649 | return 0; |
650 | if ((st->st_mode & 002) != 0) | 650 | if ((st->st_mode & 002) != 0) |
651 | return 0; | 651 | return 0; |
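Review bot: The owner test in `secure_permissions` now defers to `platform_sys_dir_uid()`, which is defined outside this hunk, so the function no longer shows which owners other than `uid` pass the check. A comment on the changed line would keep that visible, for example `/* owner must be the user or a uid the platform treats as a system owner (see platform_sys_dir_uid) */`. It is worth confirming that the helper still accepts uid 0 and documenting any further uid it admits per platform, since each one widens the set of owners whose files pass this check. The rest of the function body lies outside the hunk.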
@@ -1,206 +1,199 @@ | |||
1 | # $OpenBSD: moduli,v 1.7 2012/07/20 00:39:57 dtucker Exp $ | 1 | # $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $ |
2 | # Time Type Tests Tries Size Generator Modulus | 2 | # Time Type Tests Tries Size Generator Modulus |
3 | 20120705004026 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844A94DCF | 3 | 20120821044040 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A770E2EC9F |
4 | 20120705004028 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844B1694B | 4 | 20120821044046 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7711F2C6B |
5 | 20120705004036 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844E34093 | 5 | 20120821044047 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771225323 |
6 | 20120705004039 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844F41247 | 6 | 20120821044048 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712507AB |
7 | 20120705004040 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844F8B39B | 7 | 20120821044050 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712A2DB3 |
8 | 20120705004042 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284500D22F | 8 | 20120821044051 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712CACEF |
9 | 20120705004044 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284504854B | 9 | 20120821044053 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7713959C3 |
10 | 20120705004047 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428451642A3 | 10 | 20120821044057 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7715BBA13 |
11 | 20120705004049 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428451B31D3 | 11 | 20120821044103 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77191592F |
12 | 20120705004052 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428452B05CB | 12 | 20120821044104 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771938E1F |
13 | 20120705004053 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428452BB06B | 13 | 20120821044106 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771A1E127 |
14 | 20120705004057 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284544D6EF | 14 | 20120821044108 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771B3CDFB |
15 | 20120705004101 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428454FBFBF | 15 | 20120821044109 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771B71913 |
16 | 20120705004103 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284556870F | 16 | 20120821044111 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771C2759F |
17 | 20120705004104 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455A1DCF | 17 | 20120821044113 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771CF8ABF |
18 | 20120705004106 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455A71F3 | 18 | 20120821044114 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771D2B49B |
19 | 20120705004107 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455C229B | 19 | 20120821044116 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771DF6193 |
20 | 20120705004109 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845624C8F | 20 | 20120821044117 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771E67E33 |
21 | 20120705004111 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845650AD7 | 21 | 20120821044120 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771FA581B |
22 | 20120705004113 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284572AE77 | 22 | 20120821044121 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772027DDB |
23 | 20120705004116 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428457F0DE7 | 23 | 20120821044123 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772093F8B |
24 | 20120705004119 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428458D623F | 24 | 20120821044124 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7720EEF6F |
25 | 20120705004121 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284598C1BF | 25 | 20120821044125 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77216CAD7 |
26 | 20120705004122 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284598FF9F | 26 | 20120821044126 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77219A90B |
27 | 20120705004127 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845B559BF | 27 | 20120821044129 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7722A0103 |
28 | 20120705004129 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845BA77E7 | 28 | 20120821044130 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772343DBF |
29 | 20120705004131 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845C3989F | 29 | 20120821044133 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772460C3F |
30 | 20120705004132 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845C5A23F | 30 | 20120821044137 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7726A4E0F |
31 | 20120705004134 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845CAF1DB | 31 | 20120821044138 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772716D8B |
32 | 20120705004136 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D1CB5B | 32 | 20120821044141 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7728D719B |
33 | 20120705004137 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D4528F | 33 | 20120821044143 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77297AA8B |
34 | 20120705004139 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845DCBCB3 | 34 | 20120821044145 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772A8794B |
35 | 20120705004143 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845EE91B7 | 35 | 20120821044147 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772B4D6AB |
36 | 20120705004144 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845EFF1A7 | 36 | 20120821044149 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772BD325F |
37 | 20120705004145 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F363FB | 37 | 20120821044150 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772BDAE07 |
38 | 20120705004146 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F3738B | 38 | 20120821044151 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772C95CE3 |
39 | 20120705004148 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F437CF | 39 | 20120821044502 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96361507 |
40 | 20120705004150 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284601A3BF | 40 | 20120821044515 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F965885BF |
41 | 20120705004152 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284603421F | 41 | 20120821044519 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F966006C7 |
42 | 20120705004153 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284605C5B7 | 42 | 20120821044528 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9674A0EB |
43 | 20120705004155 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428460AF7CB | 43 | 20120821044539 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969457F3 |
44 | 20120705004159 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846266533 | 44 | 20120821044544 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969BE79B |
45 | 20120705004201 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846287DD3 | 45 | 20120821044606 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96E1E827 |
46 | 20120705004204 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846397273 | 46 | 20120821044623 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9714284B |
47 | 20120705004206 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284646FA83 | 47 | 20120821044630 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97231CB7 |
48 | 20120705004207 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846475ED3 | 48 | 20120821044636 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F972E01DF |
49 | 20120705004210 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284651649F | 49 | 20120821044647 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974BCED3 |
50 | 20120705004212 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659876B | 50 | 20120821044650 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974C3A43 |
51 | 20120705004213 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659F8F3 | 51 | 20120821044653 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974E8F73 |
52 | 20120705004214 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428465BD413 | 52 | 20120821044701 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9763403B |
53 | 20120705004216 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428465F222B | 53 | 20120821044705 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9767666B |
54 | 20120705004217 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284660995B | 54 | 20120821044708 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9768D81F |
55 | 20120705004221 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428467B9247 | 55 | 20120821044726 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F979FD437 |
56 | 20120705004227 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428468DAF87 | 56 | 20120821044729 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97A29BC7 |
57 | 20120705004230 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428468E1A13 | 57 | 20120821044732 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97A56447 |
58 | 20120705004838 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7205887 | 58 | 20120821044737 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97AEDBDB |
59 | 20120705004853 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F73B39C7 | 59 | 20120821044740 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97B187F3 |
60 | 20120705004937 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7A3E153 | 60 | 20120821044746 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97BC6EE3 |
61 | 20120705005002 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7DB4473 | 61 | 20120821044757 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97DCCDEB |
62 | 20120705005017 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7F7293F | 62 | 20120821044817 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F981975F7 |
63 | 20120705005025 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F802FE8B | 63 | 20120821044831 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F983EC267 |
64 | 20120705005048 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F836B5D3 | 64 | 20120821044841 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F985A032F |
65 | 20120705005117 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F878CDEB | 65 | 20120821044846 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9863B0AB |
66 | 20120705005122 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F87AB3EB | 66 | 20120821044852 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F986E5C7F |
67 | 20120705005140 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F89EAA43 | 67 | 20120821044911 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98A8FF6B |
68 | 20120705005148 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8AA75F3 | 68 | 20120821044917 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98B40E4B |
69 | 20120705005201 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8C2EAAB | 69 | 20120821044924 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98C5840F |
70 | 20120705005215 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8DEAC73 | 70 | 20120821044940 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98F22CEB |
71 | 20120705005221 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8E3C303 | 71 | 20120821044947 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99040FFF |
72 | 20120705005231 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8F51EFF | 72 | 20120821044954 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99139AE3 |
73 | 20120705005246 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F9115B97 | 73 | 20120821045010 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9940BEFB |
74 | 20120705005317 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F95737CF | 74 | 20120821045017 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9954379F |
75 | 20120705005324 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F960A5F7 | 75 | 20120821045020 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99548C23 |
76 | 20120705005339 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F97DBAB3 | 76 | 20120821045023 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99562FC3 |
77 | 20120705005353 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F999A9CF | 77 | 20120821045028 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9960CDCF |
78 | 20120705005453 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA253557 | 78 | 20120821045038 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F997AC0B3 |
79 | 20120705005516 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA597D23 | 79 | 20120821045045 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F998D9B6B |
80 | 20120705005521 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA5B9B1B | 80 | 20120821045050 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9994BB77 |
81 | 20120705005600 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FAB57F73 | 81 | 20120821045059 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99AC001B |
82 | 20120705005606 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FABBBAFB | 82 | 20120821045101 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99AC5547 |
83 | 20120705005632 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FAF58CB3 | 83 | 20120821045107 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99B86567 |
84 | 20120705005640 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB01659B | 84 | 20120821045110 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99BA2677 |
85 | 20120705005645 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB04D9E7 | 85 | 20120821045128 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99EF4523 |
86 | 20120705005659 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB205C67 | 86 | 20120821045154 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A419DAB |
87 |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| 87 | 20120821045214 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A7D1E67 |
88 |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| 88 | 20120821045218 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A826443 |
89 |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| 89 | 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63 |
90 | 20120705011825 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205E30C613 | 90 |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|
91 |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| 91 | 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 |
92 | 20120705012217 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205E9ED607 | 92 |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|
93 |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| 93 |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|
94 | 20120705012319 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205EBDF313 | 94 |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|
95 |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| 95 |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|
96 |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| 96 |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|
97 |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| 97 |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|
98 |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| 98 |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|
99 |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| 99 |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|
100 |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| 100 | 20120821050636 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293683DF582B |
101 |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| 101 |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|
102 |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| 102 |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|
103 |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| 103 |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|
104 | 20120705014248 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2061182263 | 104 | 20120821050849 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368486D99B |
105 |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| 105 |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|
106 |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| 106 |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|
107 |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| 107 |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|
108 |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| 108 |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|
109 |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| 109 | 20120821051158 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685721537 |
110 |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| 110 |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|
111 |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| 111 |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|
112 |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| 112 | 20120821051240 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685987B0B |
113 |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| 113 |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|
114 |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| 114 |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|
115 |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| 115 |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|
116 |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| 116 |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|
117 |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| 117 |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|
118 | 20120705020044 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20640F2047 | 118 | 20120821051622 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686BCCF13 |
119 | 20120705020232 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20647E3FEB | 119 | 20120821051703 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686F13B9F |
120 |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| 120 |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|
121 |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| 121 |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|
122 |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| 122 |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|
123 |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| 123 |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|
124 | 20120705020541 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206528BA2F | 124 |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|
125 |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| 125 |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|
126 |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| 126 |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|
127 | 20120705024326 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541660E5F72B | 127 |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|
128 |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| 128 |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|
129 |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| 129 |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|
130 |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| 130 |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|
131 | 20120705025752 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541661EE2413 | 131 |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|
132 | 20120705030403 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541662662DC7 | 132 |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|
133 | 20120705030432 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416626728EF | 133 |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|
134 |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| 134 |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|
135 |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| 135 |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|
136 |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| 136 |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|
137 |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| 137 |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|
138 |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| 138 | 20120821060420 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9425AEBF43 |
139 | 20120705033652 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541664BF1503 | 139 |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|
140 |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| 140 |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|
141 |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| 141 |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|
142 |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| 142 | 20120821062241 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9427941F5F |
143 |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| 143 |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|
144 |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| 144 | 20120821063648 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942917E127 |
145 |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| 145 |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|
146 |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| 146 | 20120821064951 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942A74C4EB |
147 |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| 147 | 20120821065736 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942B4640D3 |
148 |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| 148 |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|
149 |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| 149 |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|
150 |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| 150 | 20120821072545 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942E48654F |
151 |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| 151 | 20120821075022 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9430F1B6A3 |
152 | 20120705051048 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166BC572CB | 152 |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|
153 |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| 153 |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|
154 |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| 154 | 20120821081746 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9433C6A7A7 |
155 |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| 155 | 20120821081811 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9433C94C93 |
156 |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| 156 | 20120821084945 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45B27D047 |
157 |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| 157 | 20120821091240 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45C370A33 |
158 |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| 158 |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|
159 |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| 159 |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|
160 | 20120705055603 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F0EF763 | 160 |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|
161 | 20120705055831 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F39358B | 161 |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|
162 | 20120705060133 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F5FDC7B | 162 |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|
163 |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| 163 | 20120821105854 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4610E205F |
164 |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| 164 |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|
165 |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| 165 |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|
166 |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| 166 | 20120821115206 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4636E0DF7 |
167 |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| 167 |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|
168 |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| 168 |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|
169 |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| 169 |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|
170 |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| 170 |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|
171 |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| 171 |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|
172 |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| 172 |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|
173 |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| 173 |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|
174 |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| 174 |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|
175 |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| 175 |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|
176 |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| 176 | 20120821141206 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA469A817A7 |
177 |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| 177 |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|
178 | 20120705133408 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40F205063 | 178 |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|
179 |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| 179 |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|
180 |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| 180 |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|
181 |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| 181 | 20120821170404 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA47157A067 |
182 | 20120705154517 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E411EA83DB | 182 |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|
183 |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| 183 |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|
184 |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| 184 | 20120821174533 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4731F7433 |
185 |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| 185 |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|
186 |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| 186 |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|
187 |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| 187 |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|
188 | 20120705175100 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E415E0D6BB | 188 |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|
189 |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| 189 | 20120821183852 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA47569B47F |
190 | 20120705191532 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4186E4BE3 | 190 |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|
191 |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| 191 |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|
192 |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| 192 |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|
193 |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| 193 |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|
194 |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| 194 | 20120821190630 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA476853BB7 |
195 |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| 195 | 20120821190945 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA476A47843 |
196 |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| 196 |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|
197 | 20120705214528 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41CE1ACFB | ||
198 |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| ||
199 | 20120705225456 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41F236C7F | ||
200 |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| ||
201 |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| ||
202 | 20120705233827 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E420804A5B | ||
203 |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| ||
204 |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| 197 | 20120705232031 2 6 100 6143 2 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B241215BB |
205 |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| 198 |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|
206 |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| 199 |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|
@@ -25,7 +25,7 @@ DESCRIPTION | |||
25 | 25 | ||
26 | 0 Unknown, not tested. | 26 | 0 Unknown, not tested. |
27 | 2 "Safe" prime; (p-1)/2 is also prime. | 27 | 2 "Safe" prime; (p-1)/2 is also prime. |
28 | 4 Sophie Germain; (p+1)*2 is also prime. | 28 | 4 Sophie Germain; 2p+1 is also prime. |
29 | 29 | ||
30 | Moduli candidates initially produced by ssh-keygen(1) | 30 | Moduli candidates initially produced by ssh-keygen(1) |
31 | are Sophie Germain primes (type 4). Further primality | 31 | are Sophie Germain primes (type 4). Further primality |
@@ -66,7 +66,9 @@ DESCRIPTION | |||
66 | SEE ALSO | 66 | SEE ALSO |
67 | ssh-keygen(1), sshd(8) | 67 | ssh-keygen(1), sshd(8) |
68 | 68 | ||
69 | Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer | 69 | STANDARDS |
70 | Protocol, RFC 4419, 2006. | 70 | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for |
71 | the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, | ||
72 | 2006. | ||
71 | 73 | ||
72 | OpenBSD 5.2 October 14, 2010 OpenBSD 5.2 | 74 | OpenBSD 5.3 September 26, 2012 OpenBSD 5.3 |
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: moduli.5,v 1.15 2010/10/14 20:41:28 jmc Exp $ | 1 | .\" $OpenBSD: moduli.5,v 1.17 2012/09/26 17:34:38 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2008 Damien Miller <djm@mindrot.org> | 3 | .\" Copyright (c) 2008 Damien Miller <djm@mindrot.org> |
4 | .\" | 4 | .\" |
@@ -13,7 +13,7 @@ | |||
13 | .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | 13 | .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | .Dd $Mdocdate: October 14 2010 $ | 16 | .Dd $Mdocdate: September 26 2012 $ |
17 | .Dt MODULI 5 | 17 | .Dt MODULI 5 |
18 | .Os | 18 | .Os |
19 | .Sh NAME | 19 | .Sh NAME |
@@ -61,7 +61,7 @@ Unknown, not tested. | |||
61 | .It 2 | 61 | .It 2 |
62 | "Safe" prime; (p-1)/2 is also prime. | 62 | "Safe" prime; (p-1)/2 is also prime. |
63 | .It 4 | 63 | .It 4 |
64 | Sophie Germain; (p+1)*2 is also prime. | 64 | Sophie Germain; 2p+1 is also prime. |
65 | .El | 65 | .El |
66 | .Pp | 66 | .Pp |
67 | Moduli candidates initially produced by | 67 | Moduli candidates initially produced by |
@@ -115,8 +115,13 @@ that best meets the size requirement. | |||
115 | .Sh SEE ALSO | 115 | .Sh SEE ALSO |
116 | .Xr ssh-keygen 1 , | 116 | .Xr ssh-keygen 1 , |
117 | .Xr sshd 8 | 117 | .Xr sshd 8 |
118 | .Sh STANDARDS | ||
118 | .Rs | 119 | .Rs |
120 | .%A M. Friedl | ||
121 | .%A N. Provos | ||
122 | .%A W. Simpson | ||
123 | .%D March 2006 | ||
119 | .%R RFC 4419 | 124 | .%R RFC 4419 |
120 | .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" | 125 | .%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol |
121 | .%D 2006 | 126 | .%D 2006 |
122 | .Re | 127 | .Re |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -209,6 +209,7 @@ static int key_blobtype = MM_NOKEY; | |||
209 | static char *hostbased_cuser = NULL; | 209 | static char *hostbased_cuser = NULL; |
210 | static char *hostbased_chost = NULL; | 210 | static char *hostbased_chost = NULL; |
211 | static char *auth_method = "unknown"; | 211 | static char *auth_method = "unknown"; |
212 | static char *auth_submethod = NULL; | ||
212 | static u_int session_id2_len = 0; | 213 | static u_int session_id2_len = 0; |
213 | static u_char *session_id2 = NULL; | 214 | static u_char *session_id2 = NULL; |
214 | static pid_t monitor_child_pid; | 215 | static pid_t monitor_child_pid; |
@@ -376,7 +377,7 @@ void | |||
376 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 377 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
377 | { | 378 | { |
378 | struct mon_table *ent; | 379 | struct mon_table *ent; |
379 | int authenticated = 0; | 380 | int authenticated = 0, partial = 0; |
380 | 381 | ||
381 | debug3("preauth child monitor started"); | 382 | debug3("preauth child monitor started"); |
382 | 383 | ||
@@ -407,8 +408,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
407 | 408 | ||
408 | /* The first few requests do not require asynchronous access */ | 409 | /* The first few requests do not require asynchronous access */ |
409 | while (!authenticated) { | 410 | while (!authenticated) { |
411 | partial = 0; | ||
410 | auth_method = "unknown"; | 412 | auth_method = "unknown"; |
413 | auth_submethod = NULL; | ||
411 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 414 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); |
415 | |||
416 | /* Special handling for multiple required authentications */ | ||
417 | if (options.num_auth_methods != 0) { | ||
418 | if (!compat20) | ||
419 | fatal("AuthenticationMethods is not supported" | ||
420 | "with SSH protocol 1"); | ||
421 | if (authenticated && | ||
422 | !auth2_update_methods_lists(authctxt, | ||
423 | auth_method)) { | ||
424 | debug3("%s: method %s: partial", __func__, | ||
425 | auth_method); | ||
426 | authenticated = 0; | ||
427 | partial = 1; | ||
428 | } | ||
429 | } | ||
430 | |||
412 | if (authenticated) { | 431 | if (authenticated) { |
413 | if (!(ent->flags & MON_AUTHDECIDE)) | 432 | if (!(ent->flags & MON_AUTHDECIDE)) |
414 | fatal("%s: unexpected authentication from %d", | 433 | fatal("%s: unexpected authentication from %d", |
@@ -429,9 +448,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
429 | } | 448 | } |
430 | #endif | 449 | #endif |
431 | } | 450 | } |
432 | |||
433 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 451 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
434 | auth_log(authctxt, authenticated, auth_method, | 452 | auth_log(authctxt, authenticated, partial, |
453 | auth_method, auth_submethod, | ||
435 | compat20 ? " ssh2" : ""); | 454 | compat20 ? " ssh2" : ""); |
436 | if (!authenticated) | 455 | if (!authenticated) |
437 | authctxt->failures++; | 456 | authctxt->failures++; |
@@ -447,10 +466,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
447 | #endif | 466 | #endif |
448 | } | 467 | } |
449 | 468 | ||
450 | /* Drain any buffered messages from the child */ | ||
451 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
452 | ; | ||
453 | |||
454 | if (!authctxt->valid) | 469 | if (!authctxt->valid) |
455 | fatal("%s: authenticated invalid user", __func__); | 470 | fatal("%s: authenticated invalid user", __func__); |
456 | if (strcmp(auth_method, "unknown") == 0) | 471 | if (strcmp(auth_method, "unknown") == 0) |
@@ -461,6 +476,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
461 | 476 | ||
462 | mm_get_keystate(pmonitor); | 477 | mm_get_keystate(pmonitor); |
463 | 478 | ||
479 | /* Drain any buffered messages from the child */ | ||
480 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
481 | ; | ||
482 | |||
464 | close(pmonitor->m_sendfd); | 483 | close(pmonitor->m_sendfd); |
465 | close(pmonitor->m_log_recvfd); | 484 | close(pmonitor->m_log_recvfd); |
466 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; | 485 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; |
@@ -816,7 +835,17 @@ mm_answer_pwnamallow(int sock, Buffer *m) | |||
816 | COPY_MATCH_STRING_OPTS(); | 835 | COPY_MATCH_STRING_OPTS(); |
817 | #undef M_CP_STROPT | 836 | #undef M_CP_STROPT |
818 | #undef M_CP_STRARRAYOPT | 837 | #undef M_CP_STRARRAYOPT |
819 | 838 | ||
839 | /* Create valid auth method lists */ | ||
840 | if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { | ||
841 | /* | ||
842 | * The monitor will continue long enough to let the child | ||
843 | * run to it's packet_disconnect(), but it must not allow any | ||
844 | * authentication to succeed. | ||
845 | */ | ||
846 | debug("%s: no valid authentication method lists", __func__); | ||
847 | } | ||
848 | |||
820 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); | 849 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); |
821 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); | 850 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); |
822 | 851 | ||
@@ -977,7 +1006,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
977 | debug3("%s: sending authenticated: %d", __func__, authok); | 1006 | debug3("%s: sending authenticated: %d", __func__, authok); |
978 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); | 1007 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); |
979 | 1008 | ||
980 | auth_method = "bsdauth"; | 1009 | if (compat20) |
1010 | auth_method = "keyboard-interactive"; /* XXX auth_submethod */ | ||
1011 | else | ||
1012 | auth_method = "bsdauth"; | ||
981 | 1013 | ||
982 | return (authok != 0); | 1014 | return (authok != 0); |
983 | } | 1015 | } |
@@ -1116,7 +1148,8 @@ mm_answer_pam_query(int sock, Buffer *m) | |||
1116 | xfree(prompts); | 1148 | xfree(prompts); |
1117 | if (echo_on != NULL) | 1149 | if (echo_on != NULL) |
1118 | xfree(echo_on); | 1150 | xfree(echo_on); |
1119 | auth_method = "keyboard-interactive/pam"; | 1151 | auth_method = "keyboard-interactive"; |
1152 | auth_submethod = "pam"; | ||
1120 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); | 1153 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); |
1121 | return (0); | 1154 | return (0); |
1122 | } | 1155 | } |
@@ -1145,7 +1178,8 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
1145 | buffer_clear(m); | 1178 | buffer_clear(m); |
1146 | buffer_put_int(m, ret); | 1179 | buffer_put_int(m, ret); |
1147 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); | 1180 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); |
1148 | auth_method = "keyboard-interactive/pam"; | 1181 | auth_method = "keyboard-interactive"; |
1182 | auth_submethod = "pam"; | ||
1149 | if (ret == 0) | 1183 | if (ret == 0) |
1150 | sshpam_authok = sshpam_ctxt; | 1184 | sshpam_authok = sshpam_ctxt; |
1151 | return (0); | 1185 | return (0); |
@@ -1159,7 +1193,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) | |||
1159 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1193 | (sshpam_device.free_ctx)(sshpam_ctxt); |
1160 | buffer_clear(m); | 1194 | buffer_clear(m); |
1161 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1195 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
1162 | auth_method = "keyboard-interactive/pam"; | 1196 | auth_method = "keyboard-interactive"; |
1197 | auth_submethod = "pam"; | ||
1163 | return (sshpam_authok == sshpam_ctxt); | 1198 | return (sshpam_authok == sshpam_ctxt); |
1164 | } | 1199 | } |
1165 | #endif | 1200 | #endif |
@@ -1233,7 +1268,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
1233 | hostbased_chost = chost; | 1268 | hostbased_chost = chost; |
1234 | } else { | 1269 | } else { |
1235 | /* Log failed attempt */ | 1270 | /* Log failed attempt */ |
1236 | auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); | 1271 | auth_log(authctxt, 0, 0, auth_method, NULL, |
1272 | compat20 ? " ssh2" : ""); | ||
1237 | xfree(blob); | 1273 | xfree(blob); |
1238 | xfree(cuser); | 1274 | xfree(cuser); |
1239 | xfree(chost); | 1275 | xfree(chost); |
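Review bot: The fatal() message added to the multiple-authentication block in monitor_child_preauth is built from two adjacent string literals with no space between them, so it prints "not supportedwith SSH protocol 1". The first literal should end in a space: `fatal("AuthenticationMethods is not supported "` followed by `"with SSH protocol 1");`. In the mm_answer_pwnamallow hunk, a non-zero return from auth2_setup_methods_lists() is only reported through debug(), and no visible line enforces the comment's requirement that no authentication may succeed afterwards. That presumably rests on auth2_update_methods_lists() rejecting every method in the preauth loop, which the comment should say explicitly; the same comment also has "it's" where "its" is meant. Both function bodies extend beyond their hunks.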
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */ | 1 | /* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 4 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
@@ -28,47 +28,55 @@ | |||
28 | #ifndef _MONITOR_H_ | 28 | #ifndef _MONITOR_H_ |
29 | #define _MONITOR_H_ | 29 | #define _MONITOR_H_ |
30 | 30 | ||
31 | /* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */ | ||
31 | enum monitor_reqtype { | 32 | enum monitor_reqtype { |
32 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, | 33 | MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1, |
33 | MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, | 34 | MONITOR_REQ_FREE = 2, |
34 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, | 35 | MONITOR_REQ_AUTHSERV = 4, |
35 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, | 36 | MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7, |
36 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, | 37 | MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9, |
37 | MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, | 38 | MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11, |
38 | MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, | 39 | MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13, |
39 | MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, | 40 | MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15, |
40 | MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, | 41 | MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17, |
41 | MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, | 42 | MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19, |
42 | MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, | 43 | MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21, |
43 | MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, | 44 | MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23, |
44 | MONITOR_REQ_KEYEXPORT, | 45 | MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25, |
45 | MONITOR_REQ_PTY, MONITOR_ANS_PTY, | 46 | MONITOR_REQ_KEYEXPORT = 26, |
46 | MONITOR_REQ_PTYCLEANUP, | 47 | MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29, |
47 | MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY, | 48 | MONITOR_REQ_PTYCLEANUP = 30, |
48 | MONITOR_REQ_SESSID, | 49 | MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33, |
49 | MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, | 50 | MONITOR_REQ_SESSID = 34, |
50 | MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, | 51 | MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37, |
51 | MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, | 52 | MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39, |
52 | MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP, | 53 | MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41, |
53 | MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, | 54 | MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43, |
54 | MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, | 55 | MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45, |
55 | MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, | 56 | MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47, |
56 | MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, | 57 | MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, |
57 | MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, | 58 | MONITOR_REQ_TERM = 50, |
58 | MONITOR_REQ_PAM_START, | 59 | MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53, |
59 | MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, | 60 | MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55, |
60 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, | 61 | MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, |
61 | MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, | 62 | MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, |
62 | MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, | 63 | MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61, |
63 | MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, | 64 | |
64 | MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, | 65 | MONITOR_REQ_PAM_START = 100, |
65 | MONITOR_REQ_CONSOLEKIT_REGISTER, MONITOR_ANS_CONSOLEKIT_REGISTER, | 66 | MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, |
66 | MONITOR_REQ_TERM, | 67 | MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, |
67 | MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, | 68 | MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, |
68 | MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, | 69 | MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, |
69 | MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, | 70 | MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, |
70 | MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, | 71 | MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, |
71 | MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM, | 72 | |
73 | MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201, | ||
74 | MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203, | ||
75 | |||
76 | MONITOR_REQ_AUTHROLE = 300, | ||
77 | |||
78 | MONITOR_REQ_CONSOLEKIT_REGISTER = 400, MONITOR_ANS_CONSOLEKIT_REGISTER = 401, | ||
79 | |||
72 | }; | 80 | }; |
73 | 81 | ||
74 | struct mm_master; | 82 | struct mm_master; |
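Review bot: `MONITOR_REQ_AUDIT_COMMAND = 113` puts a request on an odd number, which contradicts the comment added above the enum asking for *_REQ_* values on even numbers and *_ANS_* values on odd ones. If nothing depends on that value, `MONITOR_REQ_AUDIT_COMMAND = 114` would keep the rule; otherwise mark the exception next to the entry, for example `/* exception: request on an odd value */`. The jumps to 100, 200, 300 and 400 are also unexplained, so a one-line comment per range saying what it holds (PAM and audit, the extra GSS messages, AUTHROLE, ConsoleKit) would show the next person adding a message type where it belongs.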
diff --git a/monitor_wrap.c b/monitor_wrap.c index b758c9f72..8cc76b380 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -509,25 +509,24 @@ mm_newkeys_from_blob(u_char *blob, int blen) | |||
509 | enc->enabled = buffer_get_int(&b); | 509 | enc->enabled = buffer_get_int(&b); |
510 | enc->block_size = buffer_get_int(&b); | 510 | enc->block_size = buffer_get_int(&b); |
511 | enc->key = buffer_get_string(&b, &enc->key_len); | 511 | enc->key = buffer_get_string(&b, &enc->key_len); |
512 | enc->iv = buffer_get_string(&b, &len); | 512 | enc->iv = buffer_get_string(&b, &enc->iv_len); |
513 | if (len != enc->block_size) | ||
514 | fatal("%s: bad ivlen: expected %u != %u", __func__, | ||
515 | enc->block_size, len); | ||
516 | 513 | ||
517 | if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) | 514 | if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) |
518 | fatal("%s: bad cipher name %s or pointer %p", __func__, | 515 | fatal("%s: bad cipher name %s or pointer %p", __func__, |
519 | enc->name, enc->cipher); | 516 | enc->name, enc->cipher); |
520 | 517 | ||
521 | /* Mac structure */ | 518 | /* Mac structure */ |
522 | mac->name = buffer_get_string(&b, NULL); | 519 | if (cipher_authlen(enc->cipher) == 0) { |
523 | if (mac->name == NULL || mac_setup(mac, mac->name) == -1) | 520 | mac->name = buffer_get_string(&b, NULL); |
524 | fatal("%s: can not setup mac %s", __func__, mac->name); | 521 | if (mac->name == NULL || mac_setup(mac, mac->name) == -1) |
525 | mac->enabled = buffer_get_int(&b); | 522 | fatal("%s: can not setup mac %s", __func__, mac->name); |
526 | mac->key = buffer_get_string(&b, &len); | 523 | mac->enabled = buffer_get_int(&b); |
527 | if (len > mac->key_len) | 524 | mac->key = buffer_get_string(&b, &len); |
528 | fatal("%s: bad mac key length: %u > %d", __func__, len, | 525 | if (len > mac->key_len) |
529 | mac->key_len); | 526 | fatal("%s: bad mac key length: %u > %d", __func__, len, |
530 | mac->key_len = len; | 527 | mac->key_len); |
528 | mac->key_len = len; | ||
529 | } | ||
531 | 530 | ||
532 | /* Comp structure */ | 531 | /* Comp structure */ |
533 | comp->type = buffer_get_int(&b); | 532 | comp->type = buffer_get_int(&b); |
@@ -569,13 +568,15 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp) | |||
569 | buffer_put_int(&b, enc->enabled); | 568 | buffer_put_int(&b, enc->enabled); |
570 | buffer_put_int(&b, enc->block_size); | 569 | buffer_put_int(&b, enc->block_size); |
571 | buffer_put_string(&b, enc->key, enc->key_len); | 570 | buffer_put_string(&b, enc->key, enc->key_len); |
572 | packet_get_keyiv(mode, enc->iv, enc->block_size); | 571 | packet_get_keyiv(mode, enc->iv, enc->iv_len); |
573 | buffer_put_string(&b, enc->iv, enc->block_size); | 572 | buffer_put_string(&b, enc->iv, enc->iv_len); |
574 | 573 | ||
575 | /* Mac structure */ | 574 | /* Mac structure */ |
576 | buffer_put_cstring(&b, mac->name); | 575 | if (cipher_authlen(enc->cipher) == 0) { |
577 | buffer_put_int(&b, mac->enabled); | 576 | buffer_put_cstring(&b, mac->name); |
578 | buffer_put_string(&b, mac->key, mac->key_len); | 577 | buffer_put_int(&b, mac->enabled); |
578 | buffer_put_string(&b, mac->key, mac->key_len); | ||
579 | } | ||
579 | 580 | ||
580 | /* Comp structure */ | 581 | /* Comp structure */ |
581 | buffer_put_int(&b, comp->type); | 582 | buffer_put_int(&b, comp->type); |
@@ -639,7 +640,7 @@ mm_send_keystate(struct monitor *monitor) | |||
639 | ivlen = packet_get_keyiv_len(MODE_OUT); | 640 | ivlen = packet_get_keyiv_len(MODE_OUT); |
640 | packet_get_keyiv(MODE_OUT, iv, ivlen); | 641 | packet_get_keyiv(MODE_OUT, iv, ivlen); |
641 | buffer_put_string(&m, iv, ivlen); | 642 | buffer_put_string(&m, iv, ivlen); |
642 | ivlen = packet_get_keyiv_len(MODE_OUT); | 643 | ivlen = packet_get_keyiv_len(MODE_IN); |
643 | packet_get_keyiv(MODE_IN, iv, ivlen); | 644 | packet_get_keyiv(MODE_IN, iv, ivlen); |
644 | buffer_put_string(&m, iv, ivlen); | 645 | buffer_put_string(&m, iv, ivlen); |
645 | goto skip; | 646 | goto skip; |
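Review bot: When `cipher_authlen(enc->cipher)` is non-zero, the new `if` in mm_newkeys_from_blob skips every `mac->` assignment, so `mac->name`, `mac->enabled`, `mac->key` and `mac->key_len` keep whatever the allocation left in them. The allocation is outside the hunk; if it does not zero the structure, later code that tests or frees those fields would act on indeterminate values in a process that holds key material. Add `else memset(mac, 0, sizeof(*mac));` after the closing brace, or zero the structure where it is allocated. The same hunk drops the `len != enc->block_size` check, so `enc->iv_len` is now taken from the blob unchecked; comparing it with the IV length the cipher expects would keep the earlier guarantee. The function starts and ends outside the hunk.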
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ | 1 | /* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> | 3 | * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> |
4 | * | 4 | * |
@@ -63,10 +63,6 @@ | |||
63 | # include <util.h> | 63 | # include <util.h> |
64 | #endif | 64 | #endif |
65 | 65 | ||
66 | #ifdef HAVE_LIBUTIL_H | ||
67 | # include <libutil.h> | ||
68 | #endif | ||
69 | |||
70 | #include "openbsd-compat/sys-queue.h" | 66 | #include "openbsd-compat/sys-queue.h" |
71 | #include "xmalloc.h" | 67 | #include "xmalloc.h" |
72 | #include "log.h" | 68 | #include "log.h" |
@@ -188,7 +184,7 @@ static const struct { | |||
188 | 184 | ||
189 | /* Cleanup callback fired on closure of mux slave _session_ channel */ | 185 | /* Cleanup callback fired on closure of mux slave _session_ channel */ |
190 | /* ARGSUSED */ | 186 | /* ARGSUSED */ |
191 | static void | 187 | void |
192 | mux_master_session_cleanup_cb(int cid, void *unused) | 188 | mux_master_session_cleanup_cb(int cid, void *unused) |
193 | { | 189 | { |
194 | Channel *cc, *c = channel_by_id(cid); | 190 | Channel *cc, *c = channel_by_id(cid); |
@@ -738,9 +734,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) | |||
738 | } | 734 | } |
739 | 735 | ||
740 | if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { | 736 | if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { |
741 | if (channel_setup_local_fwd_listener(fwd.listen_host, | 737 | if (!channel_setup_local_fwd_listener(fwd.listen_host, |
742 | fwd.listen_port, fwd.connect_host, fwd.connect_port, | 738 | fwd.listen_port, fwd.connect_host, fwd.connect_port, |
743 | options.gateway_ports) < 0) { | 739 | options.gateway_ports)) { |
744 | fail: | 740 | fail: |
745 | logit("slave-requested %s failed", fwd_desc); | 741 | logit("slave-requested %s failed", fwd_desc); |
746 | buffer_put_int(r, MUX_S_FAILURE); | 742 | buffer_put_int(r, MUX_S_FAILURE); |
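Review bot: The failure test on the local/dynamic forward path is now `if (!channel_setup_local_fwd_listener(...))`, so it relies on the callee returning 0 on failure and non-zero on success, which is not visible in this section. Any caller left on the old `< 0` test would treat a listener that failed to bind as a success. A short comment above the call, such as `/* returns 0 on failure */`, would make the convention visible next to the `fail:` label. process_mux_open_fwd starts and ends outside the hunk.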
diff --git a/myproposal.h b/myproposal.h index b9b819c0a..99d093461 100644 --- a/myproposal.h +++ b/myproposal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -73,6 +73,7 @@ | |||
73 | #define KEX_DEFAULT_ENCRYPT \ | 73 | #define KEX_DEFAULT_ENCRYPT \ |
74 | "aes128-ctr,aes192-ctr,aes256-ctr," \ | 74 | "aes128-ctr,aes192-ctr,aes256-ctr," \ |
75 | "arcfour256,arcfour128," \ | 75 | "arcfour256,arcfour128," \ |
76 | "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ | ||
76 | "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ | 77 | "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ |
77 | "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" | 78 | "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" |
78 | #ifdef HAVE_EVP_SHA256 | 79 | #ifdef HAVE_EVP_SHA256 |
@@ -83,9 +84,19 @@ | |||
83 | # define SHA2_HMAC_MODES | 84 | # define SHA2_HMAC_MODES |
84 | #endif | 85 | #endif |
85 | #define KEX_DEFAULT_MAC \ | 86 | #define KEX_DEFAULT_MAC \ |
87 | "hmac-md5-etm@openssh.com," \ | ||
88 | "hmac-sha1-etm@openssh.com," \ | ||
89 | "umac-64-etm@openssh.com," \ | ||
90 | "umac-128-etm@openssh.com," \ | ||
91 | "hmac-sha2-256-etm@openssh.com," \ | ||
92 | "hmac-sha2-512-etm@openssh.com," \ | ||
93 | "hmac-ripemd160-etm@openssh.com," \ | ||
94 | "hmac-sha1-96-etm@openssh.com," \ | ||
95 | "hmac-md5-96-etm@openssh.com," \ | ||
86 | "hmac-md5," \ | 96 | "hmac-md5," \ |
87 | "hmac-sha1," \ | 97 | "hmac-sha1," \ |
88 | "umac-64@openssh.com," \ | 98 | "umac-64@openssh.com," \ |
99 | "umac-128@openssh.com," \ | ||
89 | SHA2_HMAC_MODES \ | 100 | SHA2_HMAC_MODES \ |
90 | "hmac-ripemd160," \ | 101 | "hmac-ripemd160," \ |
91 | "hmac-ripemd160@openssh.com," \ | 102 | "hmac-ripemd160@openssh.com," \ |
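Review bot: `"hmac-sha2-256-etm@openssh.com,"` and `"hmac-sha2-512-etm@openssh.com,"` are added to KEX_DEFAULT_MAC as unconditional literals, while the plain SHA-2 entries come from SHA2_HMAC_MODES, which is defined empty when HAVE_EVP_SHA256 is not set. A build without SHA-256 support would then still offer the two EtM names by default, and selecting one would presumably fail at MAC setup. Put the two strings in a macro defined next to SHA2_HMAC_MODES (for example `SHA2_HMAC_ETM_MODES`) and use that macro in the list. The new list also puts `hmac-md5-etm@openssh.com` first, making an MD5-based MAC the most preferred default; if that order is intended, a comment should say why.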
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 196a81d13..e1c3651e8 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $ | 1 | # $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $ |
2 | 2 | ||
3 | sysconfdir=@sysconfdir@ | 3 | sysconfdir=@sysconfdir@ |
4 | piddir=@piddir@ | 4 | piddir=@piddir@ |
@@ -16,9 +16,9 @@ RANLIB=@RANLIB@ | |||
16 | INSTALL=@INSTALL@ | 16 | INSTALL=@INSTALL@ |
17 | LDFLAGS=-L. @LDFLAGS@ | 17 | LDFLAGS=-L. @LDFLAGS@ |
18 | 18 | ||
19 | OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o | 19 | OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o |
20 | 20 | ||
21 | COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o | 21 | COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o |
22 | 22 | ||
23 | PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o | 23 | PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o |
24 | 24 | ||
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 3ef373f56..d75854e83 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c | |||
@@ -165,6 +165,17 @@ int nanosleep(const struct timespec *req, struct timespec *rem) | |||
165 | } | 165 | } |
166 | #endif | 166 | #endif |
167 | 167 | ||
168 | #if !defined(HAVE_USLEEP) | ||
169 | int usleep(unsigned int useconds) | ||
170 | { | ||
171 | struct timespec ts; | ||
172 | |||
173 | ts.tv_sec = useconds / 1000000; | ||
174 | ts.tv_nsec = (useconds % 1000000) * 1000; | ||
175 | return nanosleep(&ts, NULL); | ||
176 | } | ||
177 | #endif | ||
178 | |||
168 | #ifndef HAVE_TCGETPGRP | 179 | #ifndef HAVE_TCGETPGRP |
169 | pid_t | 180 | pid_t |
170 | tcgetpgrp(int fd) | 181 | tcgetpgrp(int fd) |
@@ -242,8 +253,25 @@ strdup(const char *str) | |||
242 | #endif | 253 | #endif |
243 | 254 | ||
244 | #ifndef HAVE_ISBLANK | 255 | #ifndef HAVE_ISBLANK |
245 | int isblank(int c) | 256 | int |
257 | isblank(int c) | ||
246 | { | 258 | { |
247 | return (c == ' ' || c == '\t'); | 259 | return (c == ' ' || c == '\t'); |
248 | } | 260 | } |
249 | #endif | 261 | #endif |
262 | |||
263 | #ifndef HAVE_GETPGID | ||
264 | pid_t | ||
265 | getpgid(pid_t pid) | ||
266 | { | ||
267 | #if defined(HAVE_GETPGRP) && !defined(GETPGRP_VOID) | ||
268 | return getpgrp(pid); | ||
269 | #elif defined(HAVE_GETPGRP) | ||
270 | if (pid == 0) | ||
271 | return getpgrp(); | ||
272 | #endif | ||
273 | |||
274 | errno = ESRCH; | ||
275 | return -1; | ||
276 | } | ||
277 | #endif | ||
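Review bot: In the new getpgid() the GETPGRP_VOID branch answers only `pid == 0`, so a caller that passes its own process id falls through to `errno = ESRCH; return -1;` although the process exists. Accept the caller's own pid as well, `if (pid == 0 || pid == getpid())`, and add a comment that other pids cannot be served when getpgrp() takes no argument. In the first branch the trailing `errno = ESRCH; return -1;` is unreachable after `return getpgrp(pid);`, which some compilers report.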
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index eac5217ca..430066376 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: bsd-misc.h,v 1.21 2012/07/03 22:50:10 dtucker Exp $ */ | 1 | /* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org> | 4 | * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org> |
@@ -80,6 +80,10 @@ struct timespec { | |||
80 | int nanosleep(const struct timespec *, struct timespec *); | 80 | int nanosleep(const struct timespec *, struct timespec *); |
81 | #endif | 81 | #endif |
82 | 82 | ||
83 | #ifndef HAVE_USLEEP | ||
84 | int usleep(unsigned int useconds); | ||
85 | #endif | ||
86 | |||
83 | #ifndef HAVE_TCGETPGRP | 87 | #ifndef HAVE_TCGETPGRP |
84 | pid_t tcgetpgrp(int); | 88 | pid_t tcgetpgrp(int); |
85 | #endif | 89 | #endif |
@@ -102,4 +106,8 @@ mysig_t mysignal(int sig, mysig_t act); | |||
102 | int isblank(int); | 106 | int isblank(int); |
103 | #endif | 107 | #endif |
104 | 108 | ||
109 | #ifndef HAVE_GETPGID | ||
110 | pid_t getpgid(pid_t); | ||
111 | #endif | ||
112 | |||
105 | #endif /* _BSD_MISC_H */ | 113 | #endif /* _BSD_MISC_H */ |
diff --git a/openbsd-compat/bsd-setres_id.c b/openbsd-compat/bsd-setres_id.c new file mode 100644 index 000000000..020b214b8 --- /dev/null +++ b/openbsd-compat/bsd-setres_id.c | |||
@@ -0,0 +1,99 @@ | |||
1 | /* $Id: bsd-setres_id.c,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */ | ||
2 | |||
3 | /* | ||
4 | * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). | ||
5 | * | ||
6 | * Permission to use, copy, modify, and distribute this software for any | ||
7 | * purpose with or without fee is hereby granted, provided that the above | ||
8 | * copyright notice and this permission notice appear in all copies. | ||
9 | * | ||
10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
17 | */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | |||
23 | #include <stdarg.h> | ||
24 | #include <unistd.h> | ||
25 | |||
26 | #include "log.h" | ||
27 | |||
28 | #if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID) | ||
29 | int | ||
30 | setresgid(gid_t rgid, gid_t egid, gid_t sgid) | ||
31 | { | ||
32 | int ret = 0, saved_errno; | ||
33 | |||
34 | if (rgid != sgid) { | ||
35 | errno = ENOSYS; | ||
36 | return -1; | ||
37 | } | ||
38 | #if defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID) | ||
39 | if (setregid(rgid, egid) < 0) { | ||
40 | saved_errno = errno; | ||
41 | error("setregid %u: %.100s", rgid, strerror(errno)); | ||
42 | errno = saved_errno; | ||
43 | ret = -1; | ||
44 | } | ||
45 | #else | ||
46 | if (setegid(egid) < 0) { | ||
47 | saved_errno = errno; | ||
48 | error("setegid %u: %.100s", (u_int)egid, strerror(errno)); | ||
49 | errno = saved_errno; | ||
50 | ret = -1; | ||
51 | } | ||
52 | if (setgid(rgid) < 0) { | ||
53 | saved_errno = errno; | ||
54 | error("setgid %u: %.100s", rgid, strerror(errno)); | ||
55 | errno = saved_errno; | ||
56 | ret = -1; | ||
57 | } | ||
58 | #endif | ||
59 | return ret; | ||
60 | } | ||
61 | #endif | ||
62 | |||
63 | #if !defined(HAVE_SETRESUID) || defined(BROKEN_SETRESUID) | ||
64 | int | ||
65 | setresuid(uid_t ruid, uid_t euid, uid_t suid) | ||
66 | { | ||
67 | int ret = 0, saved_errno; | ||
68 | |||
69 | if (ruid != suid) { | ||
70 | errno = ENOSYS; | ||
71 | return -1; | ||
72 | } | ||
73 | #if defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) | ||
74 | if (setreuid(ruid, euid) < 0) { | ||
75 | saved_errno = errno; | ||
76 | error("setreuid %u: %.100s", ruid, strerror(errno)); | ||
77 | errno = saved_errno; | ||
78 | ret = -1; | ||
79 | } | ||
80 | #else | ||
81 | |||
82 | # ifndef SETEUID_BREAKS_SETUID | ||
83 | if (seteuid(euid) < 0) { | ||
84 | saved_errno = errno; | ||
85 | error("seteuid %u: %.100s", euid, strerror(errno)); | ||
86 | errno = saved_errno; | ||
87 | ret = -1; | ||
88 | } | ||
89 | # endif | ||
90 | if (setuid(ruid) < 0) { | ||
91 | saved_errno = errno; | ||
92 | error("setuid %u: %.100s", ruid, strerror(errno)); | ||
93 | errno = saved_errno; | ||
94 | ret = -1; | ||
95 | } | ||
96 | #endif | ||
97 | return ret; | ||
98 | } | ||
99 | #endif | ||
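Review bot: The `#else` fallback in setresgid() calls `setegid(egid)` and then `setgid(rgid)`, and under POSIX setgid() semantics the second call sets the effective group id to rgid again, so a request with `egid != rgid` returns 0 without the ids the caller asked for. setresuid() has the same shape with `seteuid(euid)` followed by `setuid(ruid)`. These replacements are presumably used where privileges are dropped, so the fallback should refuse what it cannot deliver: at the top of each `#else` branch add `if (egid != rgid) { errno = ENOSYS; return -1; }` (and the uid equivalent), in line with the existing `rgid != sgid` guard. The `error()` calls also pass gid_t and uid_t values to `%u` uncast everywhere except `(u_int)egid`; cast them all the same way.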
diff --git a/openbsd-compat/bsd-setres_id.h b/openbsd-compat/bsd-setres_id.h new file mode 100644 index 000000000..6c269e0b9 --- /dev/null +++ b/openbsd-compat/bsd-setres_id.h | |||
@@ -0,0 +1,24 @@ | |||
1 | /* $Id: bsd-setres_id.h,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */ | ||
2 | |||
3 | /* | ||
4 | * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). | ||
5 | * | ||
6 | * Permission to use, copy, modify, and distribute this software for any | ||
7 | * purpose with or without fee is hereby granted, provided that the above | ||
8 | * copyright notice and this permission notice appear in all copies. | ||
9 | * | ||
10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
17 | */ | ||
18 | |||
19 | #ifndef HAVE_SETRESGID | ||
20 | int setresgid(gid_t, gid_t, gid_t); | ||
21 | #endif | ||
22 | #ifndef HAVE_SETRESUID | ||
23 | int setresuid(uid_t, uid_t, uid_t); | ||
24 | #endif | ||
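Review bot: The prototypes are guarded by `#ifndef HAVE_SETRESGID` and `#ifndef HAVE_SETRESUID`, but bsd-setres_id.c builds its replacements under `!defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)` and the SETRESUID equivalent. On a platform that defines both the HAVE_ and the BROKEN_ macro, the replacement is compiled without this header declaring it, unless configure clears HAVE_ in that case, which is not visible here. Use the same condition in both files, e.g. `#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)`. The header also has no include guard.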
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 807acf626..a8c579f49 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openbsd-compat.h,v 1.52 2011/09/23 01:16:11 djm Exp $ */ | 1 | /* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. | 4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. |
@@ -149,6 +149,7 @@ int writev(int, struct iovec *, int); | |||
149 | 149 | ||
150 | /* Home grown routines */ | 150 | /* Home grown routines */ |
151 | #include "bsd-misc.h" | 151 | #include "bsd-misc.h" |
152 | #include "bsd-setres_id.h" | ||
152 | #include "bsd-statvfs.h" | 153 | #include "bsd-statvfs.h" |
153 | #include "bsd-waitpid.h" | 154 | #include "bsd-waitpid.h" |
154 | #include "bsd-poll.h" | 155 | #include "bsd-poll.h" |
@@ -189,6 +190,14 @@ int snprintf(char *, size_t, SNPRINTF_CONST char *, ...); | |||
189 | long long strtoll(const char *, char **, int); | 190 | long long strtoll(const char *, char **, int); |
190 | #endif | 191 | #endif |
191 | 192 | ||
193 | #ifndef HAVE_STRTOUL | ||
194 | unsigned long strtoul(const char *, char **, int); | ||
195 | #endif | ||
196 | |||
197 | #ifndef HAVE_STRTOULL | ||
198 | unsigned long long strtoull(const char *, char **, int); | ||
199 | #endif | ||
200 | |||
192 | #ifndef HAVE_STRTONUM | 201 | #ifndef HAVE_STRTONUM |
193 | long long strtonum(const char *, long long, long long, const char **); | 202 | long long strtonum(const char *, long long, long long, const char **); |
194 | #endif | 203 | #endif |
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index a151eff38..e7439b4e7 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openssl-compat.h,v 1.20 2012/01/17 03:03:39 dtucker Exp $ */ | 1 | /* $Id: openssl-compat.h,v 1.24 2013/02/12 00:00:40 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> | 4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> |
@@ -40,7 +40,7 @@ | |||
40 | # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) | 40 | # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) |
41 | #endif | 41 | #endif |
42 | 42 | ||
43 | #if OPENSSL_VERSION_NUMBER < 0x1000000fL | 43 | #if OPENSSL_VERSION_NUMBER < 0x10000001L |
44 | # define LIBCRYPTO_EVP_INL_TYPE unsigned int | 44 | # define LIBCRYPTO_EVP_INL_TYPE unsigned int |
45 | #else | 45 | #else |
46 | # define LIBCRYPTO_EVP_INL_TYPE size_t | 46 | # define LIBCRYPTO_EVP_INL_TYPE size_t |
@@ -59,20 +59,43 @@ | |||
59 | # define EVP_aes_128_cbc evp_rijndael | 59 | # define EVP_aes_128_cbc evp_rijndael |
60 | # define EVP_aes_192_cbc evp_rijndael | 60 | # define EVP_aes_192_cbc evp_rijndael |
61 | # define EVP_aes_256_cbc evp_rijndael | 61 | # define EVP_aes_256_cbc evp_rijndael |
62 | extern const EVP_CIPHER *evp_rijndael(void); | 62 | const EVP_CIPHER *evp_rijndael(void); |
63 | extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); | 63 | void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); |
64 | #endif | 64 | #endif |
65 | 65 | ||
66 | #if !defined(EVP_CTRL_SET_ACSS_MODE) | 66 | #ifndef OPENSSL_HAVE_EVPCTR |
67 | # if (OPENSSL_VERSION_NUMBER >= 0x00907000L) | 67 | #define EVP_aes_128_ctr evp_aes_128_ctr |
68 | # define USE_CIPHER_ACSS 1 | 68 | #define EVP_aes_192_ctr evp_aes_128_ctr |
69 | extern const EVP_CIPHER *evp_acss(void); | 69 | #define EVP_aes_256_ctr evp_aes_128_ctr |
70 | # define EVP_acss evp_acss | 70 | const EVP_CIPHER *evp_aes_128_ctr(void); |
71 | void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); | ||
72 | #endif | ||
73 | |||
74 | /* Avoid some #ifdef. Code that uses these is unreachable without GCM */ | ||
75 | #if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED) | ||
76 | # define EVP_CTRL_GCM_SET_IV_FIXED -1 | ||
77 | # define EVP_CTRL_GCM_IV_GEN -1 | ||
78 | # define EVP_CTRL_GCM_SET_TAG -1 | ||
79 | # define EVP_CTRL_GCM_GET_TAG -1 | ||
80 | #endif | ||
81 | |||
82 | /* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */ | ||
83 | #ifndef HAVE_EVP_CIPHER_CTX_CTRL | ||
84 | # ifdef OPENSSL_HAVE_EVPGCM | ||
85 | # error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */ | ||
71 | # else | 86 | # else |
72 | # define EVP_acss NULL | 87 | # define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0) |
73 | # endif | 88 | # endif |
74 | #endif | 89 | #endif |
75 | 90 | ||
91 | #if OPENSSL_VERSION_NUMBER < 0x00907000L | ||
92 | #define EVP_X_STATE(evp) &(evp).c | ||
93 | #define EVP_X_STATE_LEN(evp) sizeof((evp).c) | ||
94 | #else | ||
95 | #define EVP_X_STATE(evp) (evp).cipher_data | ||
96 | #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size | ||
97 | #endif | ||
98 | |||
76 | /* OpenSSL 0.9.8e returns cipher key len not context key len */ | 99 | /* OpenSSL 0.9.8e returns cipher key len not context key len */ |
77 | #if (OPENSSL_VERSION_NUMBER == 0x0090805fL) | 100 | #if (OPENSSL_VERSION_NUMBER == 0x0090805fL) |
78 | # define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) | 101 | # define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) |
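Review bot: In the `#ifndef OPENSSL_HAVE_EVPCTR` block, `EVP_aes_192_ctr` and `EVP_aes_256_ctr` are both defined as `evp_aes_128_ctr`, which reads like a key-size downgrade to anyone auditing cipher strength. The replacement function is not in this section; if it serves all three key sizes, add a comment above the three defines saying so and naming where the key length is selected. Separately, `#define EVP_X_STATE(evp) &(evp).c` leaves its expansion unparenthesized; write `(&(evp).c)` so the macro is safe inside a larger expression.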
diff --git a/openbsd-compat/strtoull.c b/openbsd-compat/strtoull.c new file mode 100644 index 000000000..f7c818c52 --- /dev/null +++ b/openbsd-compat/strtoull.c | |||
@@ -0,0 +1,110 @@ | |||
1 | /* $OpenBSD: strtoull.c,v 1.5 2005/08/08 08:05:37 espie Exp $ */ | ||
2 | /*- | ||
3 | * Copyright (c) 1992 The Regents of the University of California. | ||
4 | * All rights reserved. | ||
5 | * | ||
6 | * Redistribution and use in source and binary forms, with or without | ||
7 | * modification, are permitted provided that the following conditions | ||
8 | * are met: | ||
9 | * 1. Redistributions of source code must retain the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer. | ||
11 | * 2. Redistributions in binary form must reproduce the above copyright | ||
12 | * notice, this list of conditions and the following disclaimer in the | ||
13 | * documentation and/or other materials provided with the distribution. | ||
14 | * 3. Neither the name of the University nor the names of its contributors | ||
15 | * may be used to endorse or promote products derived from this software | ||
16 | * without specific prior written permission. | ||
17 | * | ||
18 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND | ||
19 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE | ||
22 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
23 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
24 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
25 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
26 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
27 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
28 | * SUCH DAMAGE. | ||
29 | */ | ||
30 | |||
31 | /* OPENBSD ORIGINAL: lib/libc/stdlib/strtoull.c */ | ||
32 | |||
33 | #include "includes.h" | ||
34 | #ifndef HAVE_STRTOULL | ||
35 | |||
36 | #include <sys/types.h> | ||
37 | |||
38 | #include <ctype.h> | ||
39 | #include <errno.h> | ||
40 | #include <limits.h> | ||
41 | #include <stdlib.h> | ||
42 | |||
43 | /* | ||
44 | * Convert a string to an unsigned long long. | ||
45 | * | ||
46 | * Ignores `locale' stuff. Assumes that the upper and lower case | ||
47 | * alphabets and digits are each contiguous. | ||
48 | */ | ||
49 | unsigned long long | ||
50 | strtoull(const char *nptr, char **endptr, int base) | ||
51 | { | ||
52 | const char *s; | ||
53 | unsigned long long acc, cutoff; | ||
54 | int c; | ||
55 | int neg, any, cutlim; | ||
56 | |||
57 | /* | ||
58 | * See strtoq for comments as to the logic used. | ||
59 | */ | ||
60 | s = nptr; | ||
61 | do { | ||
62 | c = (unsigned char) *s++; | ||
63 | } while (isspace(c)); | ||
64 | if (c == '-') { | ||
65 | neg = 1; | ||
66 | c = *s++; | ||
67 | } else { | ||
68 | neg = 0; | ||
69 | if (c == '+') | ||
70 | c = *s++; | ||
71 | } | ||
72 | if ((base == 0 || base == 16) && | ||
73 | c == '0' && (*s == 'x' || *s == 'X')) { | ||
74 | c = s[1]; | ||
75 | s += 2; | ||
76 | base = 16; | ||
77 | } | ||
78 | if (base == 0) | ||
79 | base = c == '0' ? 8 : 10; | ||
80 | |||
81 | cutoff = ULLONG_MAX / (unsigned long long)base; | ||
82 | cutlim = ULLONG_MAX % (unsigned long long)base; | ||
83 | for (acc = 0, any = 0;; c = (unsigned char) *s++) { | ||
84 | if (isdigit(c)) | ||
85 | c -= '0'; | ||
86 | else if (isalpha(c)) | ||
87 | c -= isupper(c) ? 'A' - 10 : 'a' - 10; | ||
88 | else | ||
89 | break; | ||
90 | if (c >= base) | ||
91 | break; | ||
92 | if (any < 0) | ||
93 | continue; | ||
94 | if (acc > cutoff || (acc == cutoff && c > cutlim)) { | ||
95 | any = -1; | ||
96 | acc = ULLONG_MAX; | ||
97 | errno = ERANGE; | ||
98 | } else { | ||
99 | any = 1; | ||
100 | acc *= (unsigned long long)base; | ||
101 | acc += c; | ||
102 | } | ||
103 | } | ||
104 | if (neg && any > 0) | ||
105 | acc = -acc; | ||
106 | if (endptr != 0) | ||
107 | *endptr = (char *) (any ? s - 1 : nptr); | ||
108 | return (acc); | ||
109 | } | ||
110 | #endif /* !HAVE_STRTOULL */ | ||
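Review bot: After a sign character the code reads the next byte with `c = *s++;` (in both the `-` and the `+` branch), and after a `0x` prefix with `c = s[1];`, without the `(unsigned char)` cast used on the first read and in the loop. Where plain char is signed, a byte of 0x80 or above makes `c` negative, and passing a negative value other than EOF to `isdigit()` or `isalpha()` is undefined behaviour. Use `c = (unsigned char) *s++;` and `c = (unsigned char) s[1];` in those three places.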
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h index 5cf0587bd..28aaaa37a 100644 --- a/openbsd-compat/sys-queue.h +++ b/openbsd-compat/sys-queue.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: queue.h,v 1.32 2007/04/30 18:42:34 pedro Exp $ */ | 1 | /* $OpenBSD: queue.h,v 1.36 2012/04/11 13:29:14 naddy Exp $ */ |
2 | /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ | 2 | /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ |
3 | 3 | ||
4 | /* | 4 | /* |
@@ -202,10 +202,10 @@ struct { \ | |||
202 | (var) != SLIST_END(head); \ | 202 | (var) != SLIST_END(head); \ |
203 | (var) = SLIST_NEXT(var, field)) | 203 | (var) = SLIST_NEXT(var, field)) |
204 | 204 | ||
205 | #define SLIST_FOREACH_PREVPTR(var, varp, head, field) \ | 205 | #define SLIST_FOREACH_SAFE(var, head, field, tvar) \ |
206 | for ((varp) = &SLIST_FIRST((head)); \ | 206 | for ((var) = SLIST_FIRST(head); \ |
207 | ((var) = *(varp)) != SLIST_END(head); \ | 207 | (var) && ((tvar) = SLIST_NEXT(var, field), 1); \ |
208 | (varp) = &SLIST_NEXT((var), field)) | 208 | (var) = (tvar)) |
209 | 209 | ||
210 | /* | 210 | /* |
211 | * Singly-linked List functions. | 211 | * Singly-linked List functions. |
@@ -224,7 +224,7 @@ struct { \ | |||
224 | (head)->slh_first = (elm); \ | 224 | (head)->slh_first = (elm); \ |
225 | } while (0) | 225 | } while (0) |
226 | 226 | ||
227 | #define SLIST_REMOVE_NEXT(head, elm, field) do { \ | 227 | #define SLIST_REMOVE_AFTER(elm, field) do { \ |
228 | (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ | 228 | (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ |
229 | } while (0) | 229 | } while (0) |
230 | 230 | ||
@@ -276,6 +276,11 @@ struct { \ | |||
276 | (var)!= LIST_END(head); \ | 276 | (var)!= LIST_END(head); \ |
277 | (var) = LIST_NEXT(var, field)) | 277 | (var) = LIST_NEXT(var, field)) |
278 | 278 | ||
279 | #define LIST_FOREACH_SAFE(var, head, field, tvar) \ | ||
280 | for ((var) = LIST_FIRST(head); \ | ||
281 | (var) && ((tvar) = LIST_NEXT(var, field), 1); \ | ||
282 | (var) = (tvar)) | ||
283 | |||
279 | /* | 284 | /* |
280 | * List functions. | 285 | * List functions. |
281 | */ | 286 | */ |
@@ -354,6 +359,11 @@ struct { \ | |||
354 | (var) != SIMPLEQ_END(head); \ | 359 | (var) != SIMPLEQ_END(head); \ |
355 | (var) = SIMPLEQ_NEXT(var, field)) | 360 | (var) = SIMPLEQ_NEXT(var, field)) |
356 | 361 | ||
362 | #define SIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \ | ||
363 | for ((var) = SIMPLEQ_FIRST(head); \ | ||
364 | (var) && ((tvar) = SIMPLEQ_NEXT(var, field), 1); \ | ||
365 | (var) = (tvar)) | ||
366 | |||
357 | /* | 367 | /* |
358 | * Simple queue functions. | 368 | * Simple queue functions. |
359 | */ | 369 | */ |
@@ -385,6 +395,12 @@ struct { \ | |||
385 | (head)->sqh_last = &(head)->sqh_first; \ | 395 | (head)->sqh_last = &(head)->sqh_first; \ |
386 | } while (0) | 396 | } while (0) |
387 | 397 | ||
398 | #define SIMPLEQ_REMOVE_AFTER(head, elm, field) do { \ | ||
399 | if (((elm)->field.sqe_next = (elm)->field.sqe_next->field.sqe_next) \ | ||
400 | == NULL) \ | ||
401 | (head)->sqh_last = &(elm)->field.sqe_next; \ | ||
402 | } while (0) | ||
403 | |||
388 | /* | 404 | /* |
389 | * Tail queue definitions. | 405 | * Tail queue definitions. |
390 | */ | 406 | */ |
@@ -422,11 +438,24 @@ struct { \ | |||
422 | (var) != TAILQ_END(head); \ | 438 | (var) != TAILQ_END(head); \ |
423 | (var) = TAILQ_NEXT(var, field)) | 439 | (var) = TAILQ_NEXT(var, field)) |
424 | 440 | ||
441 | #define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ | ||
442 | for ((var) = TAILQ_FIRST(head); \ | ||
443 | (var) != TAILQ_END(head) && \ | ||
444 | ((tvar) = TAILQ_NEXT(var, field), 1); \ | ||
445 | (var) = (tvar)) | ||
446 | |||
447 | |||
425 | #define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ | 448 | #define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ |
426 | for((var) = TAILQ_LAST(head, headname); \ | 449 | for((var) = TAILQ_LAST(head, headname); \ |
427 | (var) != TAILQ_END(head); \ | 450 | (var) != TAILQ_END(head); \ |
428 | (var) = TAILQ_PREV(var, headname, field)) | 451 | (var) = TAILQ_PREV(var, headname, field)) |
429 | 452 | ||
453 | #define TAILQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \ | ||
454 | for ((var) = TAILQ_LAST(head, headname); \ | ||
455 | (var) != TAILQ_END(head) && \ | ||
456 | ((tvar) = TAILQ_PREV(var, headname, field), 1); \ | ||
457 | (var) = (tvar)) | ||
458 | |||
430 | /* | 459 | /* |
431 | * Tail queue functions. | 460 | * Tail queue functions. |
432 | */ | 461 | */ |
@@ -526,11 +555,23 @@ struct { \ | |||
526 | (var) != CIRCLEQ_END(head); \ | 555 | (var) != CIRCLEQ_END(head); \ |
527 | (var) = CIRCLEQ_NEXT(var, field)) | 556 | (var) = CIRCLEQ_NEXT(var, field)) |
528 | 557 | ||
558 | #define CIRCLEQ_FOREACH_SAFE(var, head, field, tvar) \ | ||
559 | for ((var) = CIRCLEQ_FIRST(head); \ | ||
560 | (var) != CIRCLEQ_END(head) && \ | ||
561 | ((tvar) = CIRCLEQ_NEXT(var, field), 1); \ | ||
562 | (var) = (tvar)) | ||
563 | |||
529 | #define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ | 564 | #define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ |
530 | for((var) = CIRCLEQ_LAST(head); \ | 565 | for((var) = CIRCLEQ_LAST(head); \ |
531 | (var) != CIRCLEQ_END(head); \ | 566 | (var) != CIRCLEQ_END(head); \ |
532 | (var) = CIRCLEQ_PREV(var, field)) | 567 | (var) = CIRCLEQ_PREV(var, field)) |
533 | 568 | ||
569 | #define CIRCLEQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \ | ||
570 | for ((var) = CIRCLEQ_LAST(head, headname); \ | ||
571 | (var) != CIRCLEQ_END(head) && \ | ||
572 | ((tvar) = CIRCLEQ_PREV(var, headname, field), 1); \ | ||
573 | (var) = (tvar)) | ||
574 | |||
534 | /* | 575 | /* |
535 | * Circular queue functions. | 576 | * Circular queue functions. |
536 | */ | 577 | */ |
diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h index d4949b5e7..7f7546ecd 100644 --- a/openbsd-compat/sys-tree.h +++ b/openbsd-compat/sys-tree.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: tree.h,v 1.10 2007/10/29 23:49:41 djm Exp $ */ | 1 | /* $OpenBSD: tree.h,v 1.13 2011/07/09 00:19:45 pirofti Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * All rights reserved. | 4 | * All rights reserved. |
@@ -26,6 +26,11 @@ | |||
26 | 26 | ||
27 | /* OPENBSD ORIGINAL: sys/sys/tree.h */ | 27 | /* OPENBSD ORIGINAL: sys/sys/tree.h */ |
28 | 28 | ||
29 | #include "config.h" | ||
30 | #ifdef NO_ATTRIBUTE_ON_RETURN_TYPE | ||
31 | # define __attribute__(x) | ||
32 | #endif | ||
33 | |||
29 | #ifndef _SYS_TREE_H_ | 34 | #ifndef _SYS_TREE_H_ |
30 | #define _SYS_TREE_H_ | 35 | #define _SYS_TREE_H_ |
31 | 36 | ||
@@ -331,7 +336,7 @@ struct { \ | |||
331 | } while (0) | 336 | } while (0) |
332 | 337 | ||
333 | #ifndef RB_AUGMENT | 338 | #ifndef RB_AUGMENT |
334 | #define RB_AUGMENT(x) | 339 | #define RB_AUGMENT(x) do {} while (0) |
335 | #endif | 340 | #endif |
336 | 341 | ||
337 | #define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ | 342 | #define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ |
@@ -375,21 +380,31 @@ struct { \ | |||
375 | } while (0) | 380 | } while (0) |
376 | 381 | ||
377 | /* Generates prototypes and inline functions */ | 382 | /* Generates prototypes and inline functions */ |
378 | #define RB_PROTOTYPE(name, type, field, cmp) \ | 383 | #define RB_PROTOTYPE(name, type, field, cmp) \ |
379 | void name##_RB_INSERT_COLOR(struct name *, struct type *); \ | 384 | RB_PROTOTYPE_INTERNAL(name, type, field, cmp,) |
380 | void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ | 385 | #define RB_PROTOTYPE_STATIC(name, type, field, cmp) \ |
381 | struct type *name##_RB_REMOVE(struct name *, struct type *); \ | 386 | RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) |
382 | struct type *name##_RB_INSERT(struct name *, struct type *); \ | 387 | #define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \ |
383 | struct type *name##_RB_FIND(struct name *, struct type *); \ | 388 | attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \ |
384 | struct type *name##_RB_NEXT(struct type *); \ | 389 | attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ |
385 | struct type *name##_RB_MINMAX(struct name *, int); | 390 | attr struct type *name##_RB_REMOVE(struct name *, struct type *); \ |
386 | 391 | attr struct type *name##_RB_INSERT(struct name *, struct type *); \ | |
392 | attr struct type *name##_RB_FIND(struct name *, struct type *); \ | ||
393 | attr struct type *name##_RB_NFIND(struct name *, struct type *); \ | ||
394 | attr struct type *name##_RB_NEXT(struct type *); \ | ||
395 | attr struct type *name##_RB_PREV(struct type *); \ | ||
396 | attr struct type *name##_RB_MINMAX(struct name *, int); \ | ||
397 | \ | ||
387 | 398 | ||
388 | /* Main rb operation. | 399 | /* Main rb operation. |
389 | * Moves node close to the key of elm to top | 400 | * Moves node close to the key of elm to top |
390 | */ | 401 | */ |
391 | #define RB_GENERATE(name, type, field, cmp) \ | 402 | #define RB_GENERATE(name, type, field, cmp) \ |
392 | void \ | 403 | RB_GENERATE_INTERNAL(name, type, field, cmp,) |
404 | #define RB_GENERATE_STATIC(name, type, field, cmp) \ | ||
405 | RB_GENERATE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) | ||
406 | #define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \ | ||
407 | attr void \ | ||
393 | name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ | 408 | name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ |
394 | { \ | 409 | { \ |
395 | struct type *parent, *gparent, *tmp; \ | 410 | struct type *parent, *gparent, *tmp; \ |
@@ -433,7 +448,7 @@ name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ | |||
433 | RB_COLOR(head->rbh_root, field) = RB_BLACK; \ | 448 | RB_COLOR(head->rbh_root, field) = RB_BLACK; \ |
434 | } \ | 449 | } \ |
435 | \ | 450 | \ |
436 | void \ | 451 | attr void \ |
437 | name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ | 452 | name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ |
438 | { \ | 453 | { \ |
439 | struct type *tmp; \ | 454 | struct type *tmp; \ |
@@ -509,7 +524,7 @@ name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) | |||
509 | RB_COLOR(elm, field) = RB_BLACK; \ | 524 | RB_COLOR(elm, field) = RB_BLACK; \ |
510 | } \ | 525 | } \ |
511 | \ | 526 | \ |
512 | struct type * \ | 527 | attr struct type * \ |
513 | name##_RB_REMOVE(struct name *head, struct type *elm) \ | 528 | name##_RB_REMOVE(struct name *head, struct type *elm) \ |
514 | { \ | 529 | { \ |
515 | struct type *child, *parent, *old = elm; \ | 530 | struct type *child, *parent, *old = elm; \ |
@@ -577,7 +592,7 @@ color: \ | |||
577 | } \ | 592 | } \ |
578 | \ | 593 | \ |
579 | /* Inserts a node into the RB tree */ \ | 594 | /* Inserts a node into the RB tree */ \ |
580 | struct type * \ | 595 | attr struct type * \ |
581 | name##_RB_INSERT(struct name *head, struct type *elm) \ | 596 | name##_RB_INSERT(struct name *head, struct type *elm) \ |
582 | { \ | 597 | { \ |
583 | struct type *tmp; \ | 598 | struct type *tmp; \ |
@@ -608,7 +623,7 @@ name##_RB_INSERT(struct name *head, struct type *elm) \ | |||
608 | } \ | 623 | } \ |
609 | \ | 624 | \ |
610 | /* Finds the node with the same key as elm */ \ | 625 | /* Finds the node with the same key as elm */ \ |
611 | struct type * \ | 626 | attr struct type * \ |
612 | name##_RB_FIND(struct name *head, struct type *elm) \ | 627 | name##_RB_FIND(struct name *head, struct type *elm) \ |
613 | { \ | 628 | { \ |
614 | struct type *tmp = RB_ROOT(head); \ | 629 | struct type *tmp = RB_ROOT(head); \ |
@@ -625,7 +640,29 @@ name##_RB_FIND(struct name *head, struct type *elm) \ | |||
625 | return (NULL); \ | 640 | return (NULL); \ |
626 | } \ | 641 | } \ |
627 | \ | 642 | \ |
628 | struct type * \ | 643 | /* Finds the first node greater than or equal to the search key */ \ |
644 | attr struct type * \ | ||
645 | name##_RB_NFIND(struct name *head, struct type *elm) \ | ||
646 | { \ | ||
647 | struct type *tmp = RB_ROOT(head); \ | ||
648 | struct type *res = NULL; \ | ||
649 | int comp; \ | ||
650 | while (tmp) { \ | ||
651 | comp = cmp(elm, tmp); \ | ||
652 | if (comp < 0) { \ | ||
653 | res = tmp; \ | ||
654 | tmp = RB_LEFT(tmp, field); \ | ||
655 | } \ | ||
656 | else if (comp > 0) \ | ||
657 | tmp = RB_RIGHT(tmp, field); \ | ||
658 | else \ | ||
659 | return (tmp); \ | ||
660 | } \ | ||
661 | return (res); \ | ||
662 | } \ | ||
663 | \ | ||
664 | /* ARGSUSED */ \ | ||
665 | attr struct type * \ | ||
629 | name##_RB_NEXT(struct type *elm) \ | 666 | name##_RB_NEXT(struct type *elm) \ |
630 | { \ | 667 | { \ |
631 | if (RB_RIGHT(elm, field)) { \ | 668 | if (RB_RIGHT(elm, field)) { \ |
@@ -646,7 +683,29 @@ name##_RB_NEXT(struct type *elm) \ | |||
646 | return (elm); \ | 683 | return (elm); \ |
647 | } \ | 684 | } \ |
648 | \ | 685 | \ |
649 | struct type * \ | 686 | /* ARGSUSED */ \ |
687 | attr struct type * \ | ||
688 | name##_RB_PREV(struct type *elm) \ | ||
689 | { \ | ||
690 | if (RB_LEFT(elm, field)) { \ | ||
691 | elm = RB_LEFT(elm, field); \ | ||
692 | while (RB_RIGHT(elm, field)) \ | ||
693 | elm = RB_RIGHT(elm, field); \ | ||
694 | } else { \ | ||
695 | if (RB_PARENT(elm, field) && \ | ||
696 | (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \ | ||
697 | elm = RB_PARENT(elm, field); \ | ||
698 | else { \ | ||
699 | while (RB_PARENT(elm, field) && \ | ||
700 | (elm == RB_LEFT(RB_PARENT(elm, field), field)))\ | ||
701 | elm = RB_PARENT(elm, field); \ | ||
702 | elm = RB_PARENT(elm, field); \ | ||
703 | } \ | ||
704 | } \ | ||
705 | return (elm); \ | ||
706 | } \ | ||
707 | \ | ||
708 | attr struct type * \ | ||
650 | name##_RB_MINMAX(struct name *head, int val) \ | 709 | name##_RB_MINMAX(struct name *head, int val) \ |
651 | { \ | 710 | { \ |
652 | struct type *tmp = RB_ROOT(head); \ | 711 | struct type *tmp = RB_ROOT(head); \ |
@@ -667,7 +726,9 @@ name##_RB_MINMAX(struct name *head, int val) \ | |||
667 | #define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) | 726 | #define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) |
668 | #define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) | 727 | #define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) |
669 | #define RB_FIND(name, x, y) name##_RB_FIND(x, y) | 728 | #define RB_FIND(name, x, y) name##_RB_FIND(x, y) |
729 | #define RB_NFIND(name, x, y) name##_RB_NFIND(x, y) | ||
670 | #define RB_NEXT(name, x, y) name##_RB_NEXT(y) | 730 | #define RB_NEXT(name, x, y) name##_RB_NEXT(y) |
731 | #define RB_PREV(name, x, y) name##_RB_PREV(y) | ||
671 | #define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) | 732 | #define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) |
672 | #define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) | 733 | #define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) |
673 | 734 | ||
@@ -676,4 +737,19 @@ name##_RB_MINMAX(struct name *head, int val) \ | |||
676 | (x) != NULL; \ | 737 | (x) != NULL; \ |
677 | (x) = name##_RB_NEXT(x)) | 738 | (x) = name##_RB_NEXT(x)) |
678 | 739 | ||
740 | #define RB_FOREACH_SAFE(x, name, head, y) \ | ||
741 | for ((x) = RB_MIN(name, head); \ | ||
742 | ((x) != NULL) && ((y) = name##_RB_NEXT(x), 1); \ | ||
743 | (x) = (y)) | ||
744 | |||
745 | #define RB_FOREACH_REVERSE(x, name, head) \ | ||
746 | for ((x) = RB_MAX(name, head); \ | ||
747 | (x) != NULL; \ | ||
748 | (x) = name##_RB_PREV(x)) | ||
749 | |||
750 | #define RB_FOREACH_REVERSE_SAFE(x, name, head, y) \ | ||
751 | for ((x) = RB_MAX(name, head); \ | ||
752 | ((x) != NULL) && ((y) = name##_RB_PREV(x), 1); \ | ||
753 | (x) = (y)) | ||
754 | |||
679 | #endif /* _SYS_TREE_H_ */ | 755 | #endif /* _SYS_TREE_H_ */ |
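Review bot: The new `# define __attribute__(x)` at the top of sys-tree.h is never undone, so on a NO_ATTRIBUTE_ON_RETURN_TYPE build every attribute in code included after this header is silently dropped, not just the `__unused__` on the RB_*_STATIC return types. That can include attributes which give compile-time checking, such as format or nonnull annotations, so the workaround costs more diagnostics than it needs to. A header-local macro that expands to the attribute or to nothing would confine the effect to the two `_STATIC` wrappers. The macro name in the sketch below is illustrative.

```c
#include "config.h"
#ifdef NO_ATTRIBUTE_ON_RETURN_TYPE
# define RB_ATTR_UNUSED		/* illustrative name: attribute not accepted here */
#else
# define RB_ATTR_UNUSED	__attribute__((__unused__))
#endif

/* … unchanged: include guard, splay and RB definitions … */

#define RB_PROTOTYPE_STATIC(name, type, field, cmp)			\
	RB_PROTOTYPE_INTERNAL(name, type, field, cmp, RB_ATTR_UNUSED static)

/* … unchanged: RB_PROTOTYPE_INTERNAL … */

#define RB_GENERATE_STATIC(name, type, field, cmp)			\
	RB_GENERATE_INTERNAL(name, type, field, cmp, RB_ATTR_UNUSED static)
```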
diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c index 3a087b341..f6f5665c1 100644 --- a/openbsd-compat/vis.c +++ b/openbsd-compat/vis.c | |||
@@ -31,7 +31,7 @@ | |||
31 | /* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ | 31 | /* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ |
32 | 32 | ||
33 | #include "includes.h" | 33 | #include "includes.h" |
34 | #if !defined(HAVE_STRNVIS) | 34 | #if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS) |
35 | 35 | ||
36 | #include <ctype.h> | 36 | #include <ctype.h> |
37 | #include <string.h> | 37 | #include <string.h> |
diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h index 3898a9e70..d1286c99d 100644 --- a/openbsd-compat/vis.h +++ b/openbsd-compat/vis.h | |||
@@ -35,7 +35,7 @@ | |||
35 | /* OPENBSD ORIGINAL: include/vis.h */ | 35 | /* OPENBSD ORIGINAL: include/vis.h */ |
36 | 36 | ||
37 | #include "includes.h" | 37 | #include "includes.h" |
38 | #if !defined(HAVE_STRNVIS) | 38 | #if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS) |
39 | 39 | ||
40 | #ifndef _VIS_H_ | 40 | #ifndef _VIS_H_ |
41 | #define _VIS_H_ | 41 | #define _VIS_H_ |
@@ -92,4 +92,4 @@ ssize_t strnunvis(char *, const char *, size_t) | |||
92 | 92 | ||
93 | #endif /* !_VIS_H_ */ | 93 | #endif /* !_VIS_H_ */ |
94 | 94 | ||
95 | #endif /* !HAVE_STRNVIS */ | 95 | #endif /* !HAVE_STRNVIS || BROKEN_STRNVIS */ |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -275,7 +275,7 @@ packet_stop_discard(void) | |||
275 | static void | 275 | static void |
276 | packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard) | 276 | packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard) |
277 | { | 277 | { |
278 | if (enc == NULL || !cipher_is_cbc(enc->cipher)) | 278 | if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm)) |
279 | packet_disconnect("Packet corrupt"); | 279 | packet_disconnect("Packet corrupt"); |
280 | if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled) | 280 | if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled) |
281 | active_state->packet_discard_mac = mac; | 281 | active_state->packet_discard_mac = mac; |
@@ -709,7 +709,7 @@ packet_send1(void) | |||
709 | buffer_len(&active_state->outgoing_packet)); | 709 | buffer_len(&active_state->outgoing_packet)); |
710 | cipher_crypt(&active_state->send_context, cp, | 710 | cipher_crypt(&active_state->send_context, cp, |
711 | buffer_ptr(&active_state->outgoing_packet), | 711 | buffer_ptr(&active_state->outgoing_packet), |
712 | buffer_len(&active_state->outgoing_packet)); | 712 | buffer_len(&active_state->outgoing_packet), 0, 0); |
713 | 713 | ||
714 | #ifdef PACKET_DEBUG | 714 | #ifdef PACKET_DEBUG |
715 | fprintf(stderr, "encrypted: "); | 715 | fprintf(stderr, "encrypted: "); |
@@ -757,6 +757,9 @@ set_newkeys(int mode) | |||
757 | mac = &active_state->newkeys[mode]->mac; | 757 | mac = &active_state->newkeys[mode]->mac; |
758 | comp = &active_state->newkeys[mode]->comp; | 758 | comp = &active_state->newkeys[mode]->comp; |
759 | mac_clear(mac); | 759 | mac_clear(mac); |
760 | memset(enc->iv, 0, enc->iv_len); | ||
761 | memset(enc->key, 0, enc->key_len); | ||
762 | memset(mac->key, 0, mac->key_len); | ||
760 | xfree(enc->name); | 763 | xfree(enc->name); |
761 | xfree(enc->iv); | 764 | xfree(enc->iv); |
762 | xfree(enc->key); | 765 | xfree(enc->key); |
@@ -771,11 +774,11 @@ set_newkeys(int mode) | |||
771 | enc = &active_state->newkeys[mode]->enc; | 774 | enc = &active_state->newkeys[mode]->enc; |
772 | mac = &active_state->newkeys[mode]->mac; | 775 | mac = &active_state->newkeys[mode]->mac; |
773 | comp = &active_state->newkeys[mode]->comp; | 776 | comp = &active_state->newkeys[mode]->comp; |
774 | if (mac_init(mac) == 0) | 777 | if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0) |
775 | mac->enabled = 1; | 778 | mac->enabled = 1; |
776 | DBG(debug("cipher_init_context: %d", mode)); | 779 | DBG(debug("cipher_init_context: %d", mode)); |
777 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, | 780 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, |
778 | enc->iv, enc->block_size, crypt_type); | 781 | enc->iv, enc->iv_len, crypt_type); |
779 | /* Deleting the keys does not gain extra security */ | 782 | /* Deleting the keys does not gain extra security */ |
780 | /* memset(enc->iv, 0, enc->block_size); | 783 | /* memset(enc->iv, 0, enc->block_size); |
781 | memset(enc->key, 0, enc->key_len); | 784 | memset(enc->key, 0, enc->key_len); |
@@ -842,9 +845,8 @@ static void | |||
842 | packet_send2_wrapped(void) | 845 | packet_send2_wrapped(void) |
843 | { | 846 | { |
844 | u_char type, *cp, *macbuf = NULL; | 847 | u_char type, *cp, *macbuf = NULL; |
845 | u_char padlen, pad; | 848 | u_char padlen, pad = 0; |
846 | u_int packet_length = 0; | 849 | u_int i, len, authlen = 0, aadlen = 0; |
847 | u_int i, len; | ||
848 | u_int32_t rnd = 0; | 850 | u_int32_t rnd = 0; |
849 | Enc *enc = NULL; | 851 | Enc *enc = NULL; |
850 | Mac *mac = NULL; | 852 | Mac *mac = NULL; |
@@ -855,8 +857,12 @@ packet_send2_wrapped(void) | |||
855 | enc = &active_state->newkeys[MODE_OUT]->enc; | 857 | enc = &active_state->newkeys[MODE_OUT]->enc; |
856 | mac = &active_state->newkeys[MODE_OUT]->mac; | 858 | mac = &active_state->newkeys[MODE_OUT]->mac; |
857 | comp = &active_state->newkeys[MODE_OUT]->comp; | 859 | comp = &active_state->newkeys[MODE_OUT]->comp; |
860 | /* disable mac for authenticated encryption */ | ||
861 | if ((authlen = cipher_authlen(enc->cipher)) != 0) | ||
862 | mac = NULL; | ||
858 | } | 863 | } |
859 | block_size = enc ? enc->block_size : 8; | 864 | block_size = enc ? enc->block_size : 8; |
865 | aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; | ||
860 | 866 | ||
861 | cp = buffer_ptr(&active_state->outgoing_packet); | 867 | cp = buffer_ptr(&active_state->outgoing_packet); |
862 | type = cp[5]; | 868 | type = cp[5]; |
@@ -889,6 +895,7 @@ packet_send2_wrapped(void) | |||
889 | * calc size of padding, alloc space, get random data, | 895 | * calc size of padding, alloc space, get random data, |
890 | * minimum padding is 4 bytes | 896 | * minimum padding is 4 bytes |
891 | */ | 897 | */ |
898 | len -= aadlen; /* packet length is not encrypted for EtM modes */ | ||
892 | padlen = block_size - (len % block_size); | 899 | padlen = block_size - (len % block_size); |
893 | if (padlen < 4) | 900 | if (padlen < 4) |
894 | padlen += block_size; | 901 | padlen += block_size; |
@@ -916,29 +923,37 @@ packet_send2_wrapped(void) | |||
916 | /* clear padding */ | 923 | /* clear padding */ |
917 | memset(cp, 0, padlen); | 924 | memset(cp, 0, padlen); |
918 | } | 925 | } |
919 | /* packet_length includes payload, padding and padding length field */ | 926 | /* sizeof (packet_len + pad_len + payload + padding) */ |
920 | packet_length = buffer_len(&active_state->outgoing_packet) - 4; | 927 | len = buffer_len(&active_state->outgoing_packet); |
921 | cp = buffer_ptr(&active_state->outgoing_packet); | 928 | cp = buffer_ptr(&active_state->outgoing_packet); |
922 | put_u32(cp, packet_length); | 929 | /* packet_length includes payload, padding and padding length field */ |
930 | put_u32(cp, len - 4); | ||
923 | cp[4] = padlen; | 931 | cp[4] = padlen; |
924 | DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen)); | 932 | DBG(debug("send: len %d (includes padlen %d, aadlen %d)", |
933 | len, padlen, aadlen)); | ||
925 | 934 | ||
926 | /* compute MAC over seqnr and packet(length fields, payload, padding) */ | 935 | /* compute MAC over seqnr and packet(length fields, payload, padding) */ |
927 | if (mac && mac->enabled) { | 936 | if (mac && mac->enabled && !mac->etm) { |
928 | macbuf = mac_compute(mac, active_state->p_send.seqnr, | 937 | macbuf = mac_compute(mac, active_state->p_send.seqnr, |
929 | buffer_ptr(&active_state->outgoing_packet), | 938 | buffer_ptr(&active_state->outgoing_packet), len); |
930 | buffer_len(&active_state->outgoing_packet)); | ||
931 | DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); | 939 | DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); |
932 | } | 940 | } |
933 | /* encrypt packet and append to output buffer. */ | 941 | /* encrypt packet and append to output buffer. */ |
934 | cp = buffer_append_space(&active_state->output, | 942 | cp = buffer_append_space(&active_state->output, len + authlen); |
935 | buffer_len(&active_state->outgoing_packet)); | ||
936 | cipher_crypt(&active_state->send_context, cp, | 943 | cipher_crypt(&active_state->send_context, cp, |
937 | buffer_ptr(&active_state->outgoing_packet), | 944 | buffer_ptr(&active_state->outgoing_packet), |
938 | buffer_len(&active_state->outgoing_packet)); | 945 | len - aadlen, aadlen, authlen); |
939 | /* append unencrypted MAC */ | 946 | /* append unencrypted MAC */ |
940 | if (mac && mac->enabled) | 947 | if (mac && mac->enabled) { |
948 | if (mac->etm) { | ||
949 | /* EtM: compute mac over aadlen + cipher text */ | ||
950 | macbuf = mac_compute(mac, | ||
951 | active_state->p_send.seqnr, cp, len); | ||
952 | DBG(debug("done calc MAC(EtM) out #%d", | ||
953 | active_state->p_send.seqnr)); | ||
954 | } | ||
941 | buffer_append(&active_state->output, macbuf, mac->mac_len); | 955 | buffer_append(&active_state->output, macbuf, mac->mac_len); |
956 | } | ||
942 | #ifdef PACKET_DEBUG | 957 | #ifdef PACKET_DEBUG |
943 | fprintf(stderr, "encrypted: "); | 958 | fprintf(stderr, "encrypted: "); |
944 | buffer_dump(&active_state->output); | 959 | buffer_dump(&active_state->output); |
@@ -949,8 +964,8 @@ packet_send2_wrapped(void) | |||
949 | if (++active_state->p_send.packets == 0) | 964 | if (++active_state->p_send.packets == 0) |
950 | if (!(datafellows & SSH_BUG_NOREKEY)) | 965 | if (!(datafellows & SSH_BUG_NOREKEY)) |
951 | fatal("XXX too many packets with same key"); | 966 | fatal("XXX too many packets with same key"); |
952 | active_state->p_send.blocks += (packet_length + 4) / block_size; | 967 | active_state->p_send.blocks += len / block_size; |
953 | active_state->p_send.bytes += packet_length + 4; | 968 | active_state->p_send.bytes += len; |
954 | buffer_clear(&active_state->outgoing_packet); | 969 | buffer_clear(&active_state->outgoing_packet); |
955 | 970 | ||
956 | if (type == SSH2_MSG_NEWKEYS) | 971 | if (type == SSH2_MSG_NEWKEYS) |
@@ -1187,7 +1202,7 @@ packet_read_poll1(void) | |||
1187 | buffer_clear(&active_state->incoming_packet); | 1202 | buffer_clear(&active_state->incoming_packet); |
1188 | cp = buffer_append_space(&active_state->incoming_packet, padded_len); | 1203 | cp = buffer_append_space(&active_state->incoming_packet, padded_len); |
1189 | cipher_crypt(&active_state->receive_context, cp, | 1204 | cipher_crypt(&active_state->receive_context, cp, |
1190 | buffer_ptr(&active_state->input), padded_len); | 1205 | buffer_ptr(&active_state->input), padded_len, 0, 0); |
1191 | 1206 | ||
1192 | buffer_consume(&active_state->input, padded_len); | 1207 | buffer_consume(&active_state->input, padded_len); |
1193 | 1208 | ||
@@ -1235,8 +1250,8 @@ static int | |||
1235 | packet_read_poll2(u_int32_t *seqnr_p) | 1250 | packet_read_poll2(u_int32_t *seqnr_p) |
1236 | { | 1251 | { |
1237 | u_int padlen, need; | 1252 | u_int padlen, need; |
1238 | u_char *macbuf, *cp, type; | 1253 | u_char *macbuf = NULL, *cp, type; |
1239 | u_int maclen, block_size; | 1254 | u_int maclen, authlen = 0, aadlen = 0, block_size; |
1240 | Enc *enc = NULL; | 1255 | Enc *enc = NULL; |
1241 | Mac *mac = NULL; | 1256 | Mac *mac = NULL; |
1242 | Comp *comp = NULL; | 1257 | Comp *comp = NULL; |
@@ -1248,11 +1263,29 @@ packet_read_poll2(u_int32_t *seqnr_p) | |||
1248 | enc = &active_state->newkeys[MODE_IN]->enc; | 1263 | enc = &active_state->newkeys[MODE_IN]->enc; |
1249 | mac = &active_state->newkeys[MODE_IN]->mac; | 1264 | mac = &active_state->newkeys[MODE_IN]->mac; |
1250 | comp = &active_state->newkeys[MODE_IN]->comp; | 1265 | comp = &active_state->newkeys[MODE_IN]->comp; |
1266 | /* disable mac for authenticated encryption */ | ||
1267 | if ((authlen = cipher_authlen(enc->cipher)) != 0) | ||
1268 | mac = NULL; | ||
1251 | } | 1269 | } |
1252 | maclen = mac && mac->enabled ? mac->mac_len : 0; | 1270 | maclen = mac && mac->enabled ? mac->mac_len : 0; |
1253 | block_size = enc ? enc->block_size : 8; | 1271 | block_size = enc ? enc->block_size : 8; |
1272 | aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0; | ||
1254 | 1273 | ||
1255 | if (active_state->packlen == 0) { | 1274 | if (aadlen && active_state->packlen == 0) { |
1275 | if (buffer_len(&active_state->input) < 4) | ||
1276 | return SSH_MSG_NONE; | ||
1277 | cp = buffer_ptr(&active_state->input); | ||
1278 | active_state->packlen = get_u32(cp); | ||
1279 | if (active_state->packlen < 1 + 4 || | ||
1280 | active_state->packlen > PACKET_MAX_SIZE) { | ||
1281 | #ifdef PACKET_DEBUG | ||
1282 | buffer_dump(&active_state->input); | ||
1283 | #endif | ||
1284 | logit("Bad packet length %u.", active_state->packlen); | ||
1285 | packet_disconnect("Packet corrupt"); | ||
1286 | } | ||
1287 | buffer_clear(&active_state->incoming_packet); | ||
1288 | } else if (active_state->packlen == 0) { | ||
1256 | /* | 1289 | /* |
1257 | * check if input size is less than the cipher block size, | 1290 | * check if input size is less than the cipher block size, |
1258 | * decrypt first block and extract length of incoming packet | 1291 | * decrypt first block and extract length of incoming packet |
@@ -1263,7 +1296,7 @@ packet_read_poll2(u_int32_t *seqnr_p) | |||
1263 | cp = buffer_append_space(&active_state->incoming_packet, | 1296 | cp = buffer_append_space(&active_state->incoming_packet, |
1264 | block_size); | 1297 | block_size); |
1265 | cipher_crypt(&active_state->receive_context, cp, | 1298 | cipher_crypt(&active_state->receive_context, cp, |
1266 | buffer_ptr(&active_state->input), block_size); | 1299 | buffer_ptr(&active_state->input), block_size, 0, 0); |
1267 | cp = buffer_ptr(&active_state->incoming_packet); | 1300 | cp = buffer_ptr(&active_state->incoming_packet); |
1268 | active_state->packlen = get_u32(cp); | 1301 | active_state->packlen = get_u32(cp); |
1269 | if (active_state->packlen < 1 + 4 || | 1302 | if (active_state->packlen < 1 + 4 || |
@@ -1276,13 +1309,21 @@ packet_read_poll2(u_int32_t *seqnr_p) | |||
1276 | PACKET_MAX_SIZE); | 1309 | PACKET_MAX_SIZE); |
1277 | return SSH_MSG_NONE; | 1310 | return SSH_MSG_NONE; |
1278 | } | 1311 | } |
1279 | DBG(debug("input: packet len %u", active_state->packlen+4)); | ||
1280 | buffer_consume(&active_state->input, block_size); | 1312 | buffer_consume(&active_state->input, block_size); |
1281 | } | 1313 | } |
1282 | /* we have a partial packet of block_size bytes */ | 1314 | DBG(debug("input: packet len %u", active_state->packlen+4)); |
1283 | need = 4 + active_state->packlen - block_size; | 1315 | if (aadlen) { |
1284 | DBG(debug("partial packet %d, need %d, maclen %d", block_size, | 1316 | /* only the payload is encrypted */ |
1285 | need, maclen)); | 1317 | need = active_state->packlen; |
1318 | } else { | ||
1319 | /* | ||
1320 | * the payload size and the payload are encrypted, but we | ||
1321 | * have a partial packet of block_size bytes | ||
1322 | */ | ||
1323 | need = 4 + active_state->packlen - block_size; | ||
1324 | } | ||
1325 | DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d," | ||
1326 | " aadlen %d", block_size, need, maclen, authlen, aadlen)); | ||
1286 | if (need % block_size != 0) { | 1327 | if (need % block_size != 0) { |
1287 | logit("padding error: need %d block %d mod %d", | 1328 | logit("padding error: need %d block %d mod %d", |
1288 | need, block_size, need % block_size); | 1329 | need, block_size, need % block_size); |
@@ -1292,26 +1333,35 @@ packet_read_poll2(u_int32_t *seqnr_p) | |||
1292 | } | 1333 | } |
1293 | /* | 1334 | /* |
1294 | * check if the entire packet has been received and | 1335 | * check if the entire packet has been received and |
1295 | * decrypt into incoming_packet | 1336 | * decrypt into incoming_packet: |
1337 | * 'aadlen' bytes are unencrypted, but authenticated. | ||
1338 | * 'need' bytes are encrypted, followed by either | ||
1339 | * 'authlen' bytes of authentication tag or | ||
1340 | * 'maclen' bytes of message authentication code. | ||
1296 | */ | 1341 | */ |
1297 | if (buffer_len(&active_state->input) < need + maclen) | 1342 | if (buffer_len(&active_state->input) < aadlen + need + authlen + maclen) |
1298 | return SSH_MSG_NONE; | 1343 | return SSH_MSG_NONE; |
1299 | #ifdef PACKET_DEBUG | 1344 | #ifdef PACKET_DEBUG |
1300 | fprintf(stderr, "read_poll enc/full: "); | 1345 | fprintf(stderr, "read_poll enc/full: "); |
1301 | buffer_dump(&active_state->input); | 1346 | buffer_dump(&active_state->input); |
1302 | #endif | 1347 | #endif |
1303 | cp = buffer_append_space(&active_state->incoming_packet, need); | 1348 | /* EtM: compute mac over encrypted input */ |
1349 | if (mac && mac->enabled && mac->etm) | ||
1350 | macbuf = mac_compute(mac, active_state->p_read.seqnr, | ||
1351 | buffer_ptr(&active_state->input), aadlen + need); | ||
1352 | cp = buffer_append_space(&active_state->incoming_packet, aadlen + need); | ||
1304 | cipher_crypt(&active_state->receive_context, cp, | 1353 | cipher_crypt(&active_state->receive_context, cp, |
1305 | buffer_ptr(&active_state->input), need); | 1354 | buffer_ptr(&active_state->input), need, aadlen, authlen); |
1306 | buffer_consume(&active_state->input, need); | 1355 | buffer_consume(&active_state->input, aadlen + need + authlen); |
1307 | /* | 1356 | /* |
1308 | * compute MAC over seqnr and packet, | 1357 | * compute MAC over seqnr and packet, |
1309 | * increment sequence number for incoming packet | 1358 | * increment sequence number for incoming packet |
1310 | */ | 1359 | */ |
1311 | if (mac && mac->enabled) { | 1360 | if (mac && mac->enabled) { |
1312 | macbuf = mac_compute(mac, active_state->p_read.seqnr, | 1361 | if (!mac->etm) |
1313 | buffer_ptr(&active_state->incoming_packet), | 1362 | macbuf = mac_compute(mac, active_state->p_read.seqnr, |
1314 | buffer_len(&active_state->incoming_packet)); | 1363 | buffer_ptr(&active_state->incoming_packet), |
1364 | buffer_len(&active_state->incoming_packet)); | ||
1315 | if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input), | 1365 | if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input), |
1316 | mac->mac_len) != 0) { | 1366 | mac->mac_len) != 0) { |
1317 | logit("Corrupted MAC on input."); | 1367 | logit("Corrupted MAC on input."); |
@@ -1410,7 +1460,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) | |||
1410 | case SSH2_MSG_DISCONNECT: | 1460 | case SSH2_MSG_DISCONNECT: |
1411 | reason = packet_get_int(); | 1461 | reason = packet_get_int(); |
1412 | msg = packet_get_string(NULL); | 1462 | msg = packet_get_string(NULL); |
1413 | logit("Received disconnect from %s: %u: %.400s", | 1463 | error("Received disconnect from %s: %u: %.400s", |
1414 | get_remote_ipaddr(), reason, msg); | 1464 | get_remote_ipaddr(), reason, msg); |
1415 | xfree(msg); | 1465 | xfree(msg); |
1416 | cleanup_exit(255); | 1466 | cleanup_exit(255); |
@@ -1435,7 +1485,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) | |||
1435 | break; | 1485 | break; |
1436 | case SSH_MSG_DISCONNECT: | 1486 | case SSH_MSG_DISCONNECT: |
1437 | msg = packet_get_string(NULL); | 1487 | msg = packet_get_string(NULL); |
1438 | logit("Received disconnect from %s: %.400s", | 1488 | error("Received disconnect from %s: %.400s", |
1439 | get_remote_ipaddr(), msg); | 1489 | get_remote_ipaddr(), msg); |
1440 | cleanup_exit(255); | 1490 | cleanup_exit(255); |
1441 | break; | 1491 | break; |
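Review bot: In packet.c's packet_read_poll2 the EtM MAC is computed over the ciphertext before `cipher_crypt()`, but it is only compared (the `timingsafe_bcmp` further down) after the packet has been decrypted and consumed, so unauthenticated ciphertext still reaches the cipher. For the `mac->etm` case the comparison should run before decryption, against the tag at offset `aadlen + need` in the input buffer (`authlen` is 0 whenever `mac` is non-NULL here), leaving the later comparison for the non-EtM path. The corrupted-MAC handling continues past the end of the visible hunk, so its interaction with `packet_start_discard()`, which this commit makes disconnect for EtM, needs checking when the check is moved. Separately, the new `memset()` wipes in set_newkeys sit directly before `xfree()`; if the compiler can see through `xfree` they are candidates for dead-store elimination, so a wipe it cannot drop would be safer.

```c
	/* EtM: verify the MAC over the ciphertext before decrypting it */
	if (mac && mac->enabled && mac->etm) {
		macbuf = mac_compute(mac, active_state->p_read.seqnr,
		    buffer_ptr(&active_state->input), aadlen + need);
		if (timingsafe_bcmp(macbuf,
		    (u_char *)buffer_ptr(&active_state->input) + aadlen + need,
		    mac->mac_len) != 0) {
			logit("Corrupted MAC on input.");
			/* … unchanged: existing corrupted-MAC handling … */
		}
	}
	/* … unchanged: buffer_append_space, cipher_crypt, buffer_consume … */
	/* … unchanged: later MAC block; its comparison is then needed only when !mac->etm … */
```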
diff --git a/platform.c b/platform.c index e707aa4c7..a962f15b5 100644 --- a/platform.c +++ b/platform.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: platform.c,v 1.18 2011/01/11 06:02:25 djm Exp $ */ | 1 | /* $Id: platform.c,v 1.19 2013/03/12 00:31:05 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2006 Darren Tucker. All rights reserved. | 4 | * Copyright (c) 2006 Darren Tucker. All rights reserved. |
@@ -194,3 +194,19 @@ platform_krb5_get_principal_name(const char *pw_name) | |||
194 | return NULL; | 194 | return NULL; |
195 | #endif | 195 | #endif |
196 | } | 196 | } |
197 | |||
198 | /* | ||
199 | * return 1 if the specified uid is a uid that may own a system directory | ||
200 | * otherwise 0. | ||
201 | */ | ||
202 | int | ||
203 | platform_sys_dir_uid(uid_t uid) | ||
204 | { | ||
205 | if (uid == 0) | ||
206 | return 1; | ||
207 | #ifdef PLATFORM_SYS_DIR_UID | ||
208 | if (uid == PLATFORM_SYS_DIR_UID) | ||
209 | return 1; | ||
210 | #endif | ||
211 | return 0; | ||
212 | } | ||
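Review bot: The comment above platform_sys_dir_uid does not say that the second accepted uid is a build-time choice, so a reader cannot tell from it that only uid 0 qualifies unless PLATFORM_SYS_DIR_UID is defined. Because the result presumably feeds ownership checks elsewhere (the callers are not in this section), it is worth spelling out, e.g. `/* Return 1 if uid may own a system directory: always uid 0, plus PLATFORM_SYS_DIR_UID when the build defines it; otherwise 0. */`. A short remark next to the `#ifdef` on which platforms define the macro would also help anyone auditing that exception.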
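--- a/platform.h
+++ b/platform.h
@@ -1,4 +1,4 @@
-/* $Id: platform.h,v 1.7 2010/11/05 03:47:01 dtucker Exp $ */
+/* $Id: platform.h,v 1.8 2013/03/12 00:31:05 dtucker Exp $ */
 
 /*
 * Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -29,5 +29,4 @@ void platform_setusercontext(struct passwd *);
 void platform_setusercontext_post_groups(struct passwd *, const char *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
-
+int platform_sys_dir_uid(uid_t);
-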
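--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.58 2011/01/06 22:46:21 djm Exp $
+# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
 
 REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
 tests: $(REGRESS_TARGETS)
@@ -57,7 +57,11 @@ LTESTS= connect \
 kextype \
 cert-hostkey \
 cert-userkey \
-host-expand
+host-expand \
+keys-command \
+forward-control \
+integrity \
+krl
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -67,23 +71,27 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 USER!= id -un
 CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
 t8.out t8.out.pub t9.out t9.out.pub \
-authorized_keys_${USER} known_hosts pidfile \
+authorized_keys_${USER} known_hosts pidfile testdata \
 ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
 rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
 ls.copy banner.in banner.out empty.in \
 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
-known_hosts-cert host_ca_key* cert_host_key* \
+known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
 key.rsa-* key.dsa-* key.ecdsa-* \
-authorized_principals_${USER} expect actual
+authorized_principals_${USER} expect actual ready \
+sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
+
 
 # Enable all malloc(3) randomisations and checks
 TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
 
 TEST_SSH_SSHKEYGEN?=ssh-keygen
 
+CPPFLAGS=-I..
+
 t1:
 ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
 tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv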
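--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -22,9 +22,8 @@ for ktype in rsa dsa $ecdsa ; do
 ${SSHKEYGEN} -q -N '' -t ${ktype} \
 -f $OBJ/cert_user_key_${ktype} || \
 fail "ssh-keygen of cert_user_key_${ktype} failed"
-${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-"regress user key for $USER" \
+-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
--n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
 fail "couldn't sign cert_user_key_${ktype}"
 # v00 ecdsa certs do not exist
 test "${ktype}" = "ecdsa" && continue
@@ -185,14 +184,32 @@ basic_tests() {
 (
 cat $OBJ/sshd_proxy_bak
 echo "UsePrivilegeSeparation $privsep"
-echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+echo "RevokedKeys $OBJ/cert_user_key_revoked"
 echo "$extra_sshd"
 ) > $OBJ/sshd_proxy
+cp $OBJ/cert_user_key_${ktype}.pub \
+$OBJ/cert_user_key_revoked
+${SSH} -2i $OBJ/cert_user_key_${ktype} \
+-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+fail "ssh cert connect succeeded unexpecedly"
+fi
+verbose "$tid: ${_prefix} revoked via KRL"
+rm $OBJ/cert_user_key_revoked
+${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+$OBJ/cert_user_key_${ktype}.pub
 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpecedly"
 fi
+verbose "$tid: ${_prefix} empty KRL"
+${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+${SSH} -2i $OBJ/cert_user_key_${ktype} \
+-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh cert connect failed"
+fi
 done
 
 # Revoked CA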
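Review bot: The exit status of `${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked ...` in the "revoked via KRL" step is never checked, and the plain-text revocation file was removed on the line before it. If KRL generation fails, the RevokedKeys file is simply missing, and the following connect would most likely still be refused (sshd appears to treat an unreadable revocation file as a denial), so the step passes without any KRL having been consulted. Appending `|| fatal "couldn't generate KRL"` to both `-kqf` invocations closes that gap. The two revocation steps also share the message `ssh cert connect succeeded unexpecedly`, so a distinct message per step (with the spelling fixed) would make a failure easier to place.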
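--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,29 +1,31 @@
-# $OpenBSD: cipher-speed.sh,v 1.5 2012/06/28 05:07:45 dtucker Exp $
+# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $
 # Placed in the Public Domain.
 
 tid="cipher speed"
 
 getbytes ()
 {
-sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \
+-e '/copied/s/.*s, \(.* MB.s\).*/\1/p'
 }
 
 tries="1 2"
-DATA=/bin/ls
-DATA=/bsd
 
 ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
 arcfour128 arcfour256 arcfour
 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
 aes128-ctr aes192-ctr aes256-ctr"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
+config_defined OPENSSL_HAVE_EVPGCM && \
-config_defined HAVE_EVP_SHA256 &&
+ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+hmac-sha1-96 hmac-md5-96"
+config_defined HAVE_EVP_SHA256 && \
 macs="$macs hmac-sha2-256 hmac-sha2-512"
 
-for c in $ciphers; do for m in $macs; do
+for c in $ciphers; do n=0; for m in $macs; do
 trace "proto 2 cipher $c mac $m"
 for x in $tries; do
-echon "$c/$m:\t"
+printf "%-60s" "$c/$m:"
 ( ${SSH} -o 'compression no' \
 -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
 exec sh -c \'"dd of=/dev/null obs=32k"\' \
@@ -33,13 +35,18 @@ for c in $ciphers; do for m in $macs; do
 fail "ssh -2 failed with mac $m cipher $c"
 fi
 done
+# No point trying all MACs for GCM since they are ignored.
+case $c in
+aes*-gcm@openssh.com) test $n -gt 0 && break;;
+esac
+n=`expr $n + 1`
 done; done
 
 ciphers="3des blowfish"
 for c in $ciphers; do
 trace "proto 1 cipher $c"
 for x in $tries; do
-echon "$c:\t"
+printf "%-60s" "$c:"
 ( ${SSH} -o 'compression no' \
 -F $OBJ/ssh_proxy -1 -c $c somehost \
 exec sh -c \'"dd of=/dev/null obs=32k"\' \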
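Review bot: The GCM short-circuit added in the second hunk sits after the `for x in $tries` loop, so by the time `test $n -gt 0 && break` fires the second MAC has already been benchmarked. Each GCM cipher is therefore timed against two MACs, not one as the comment "No point trying all MACs for GCM" suggests. Moving the `case $c in aes*-gcm@openssh.com) ... esac` check to the top of the `for m in $macs` body, ahead of `trace`, gives exactly one run per GCM cipher. The loop header is in the first hunk and the `case` in the second, so the change spans both.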
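--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
+# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+# Placed in the Public Domain.
+
+tid="sshd control of local and remote forwarding"
+
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+
+wait_for_file_to_appear() {
+_path=$1
+_n=0
+while test ! -f $_path ; do
+test $_n -eq 1 && trace "waiting for $_path to appear"
+_n=`expr $_n + 1`
+test $_n -ge 20 && return 1
+sleep 1
+done
+return 0
+}
+
+wait_for_process_to_exit() {
+_pid=$1
+_n=0
+while kill -0 $_pid 2>/dev/null ; do
+test $_n -eq 1 && trace "waiting for $_pid to exit"
+_n=`expr $_n + 1`
+test $_n -ge 20 && return 1
+sleep 1
+done
+return 0
+}
+
+# usage: check_lfwd protocol Y|N message
+check_lfwd() {
+_proto=$1
+_expected=$2
+_message=$3
+rm -f $READY
+${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+-L$LFWD_PORT:127.0.0.1:$PORT \
+-o ExitOnForwardFailure=yes \
+-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+>/dev/null 2>&1 &
+_sshpid=$!
+wait_for_file_to_appear $READY || \
+fatal "check_lfwd ssh fail: $_message"
+${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+-oConnectionAttempts=4 host true >/dev/null 2>&1
+_result=$?
+kill $_sshpid `cat $READY` 2>/dev/null
+wait_for_process_to_exit $_sshpid
+if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+fail "check_lfwd failed (expecting success): $_message"
+elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+fail "check_lfwd succeeded (expecting failure): $_message"
+elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+fatal "check_lfwd invalid argument \"$_expected\""
+else
+verbose "check_lfwd done (expecting $_expected): $_message"
+fi
+}
+
+# usage: check_rfwd protocol Y|N message
+check_rfwd() {
+_proto=$1
+_expected=$2
+_message=$3
+rm -f $READY
+${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+-R$RFWD_PORT:127.0.0.1:$PORT \
+-o ExitOnForwardFailure=yes \
+-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+>/dev/null 2>&1 &
+_sshpid=$!
+wait_for_file_to_appear $READY
+_result=$?
+if test $_result -eq 0 ; then
+${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+-oConnectionAttempts=4 host true >/dev/null 2>&1
+_result=$?
+kill $_sshpid `cat $READY` 2>/dev/null
+wait_for_process_to_exit $_sshpid
+fi
+if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+fail "check_rfwd failed (expecting success): $_message"
+elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+fail "check_rfwd succeeded (expecting failure): $_message"
+elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+fatal "check_rfwd invalid argument \"$_expected\""
+else
+verbose "check_rfwd done (expecting $_expected): $_message"
+fi
+}
+
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+
+# Sanity check: ensure the default config allows forwarding
+for p in 1 2 ; do
+check_lfwd $p Y "proto $p, default configuration"
+check_rfwd $p Y "proto $p, default configuration"
+done
+
+# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+all_tests() {
+_tcpfwd=$1
+_plain_lfwd=$2
+_plain_rfwd=$3
+_nopermit_lfwd=$4
+_nopermit_rfwd=$5
+_permit_lfwd=$6
+_permit_rfwd=$7
+_badfwd=127.0.0.1:22
+_goodfwd=127.0.0.1:${PORT}
+for _proto in 1 2 ; do
+cp ${OBJ}/authorized_keys_${USER}.bak \
+${OBJ}/authorized_keys_${USER}
+_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
+# No PermitOpen
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_plain_lfwd "$_prefix"
+check_rfwd $_proto $_plain_rfwd "$_prefix"
+# PermitOpen via sshd_config that doesn't match
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ;
+echo "PermitOpen $_badfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
+check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
+# PermitOpen via sshd_config that does match
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ;
+echo "PermitOpen $_badfwd $_goodfwd" ) \
+> ${OBJ}/sshd_proxy
+# NB. permitopen via authorized_keys should have same
+# success/fail as via sshd_config
+# permitopen via authorized_keys that doesn't match
+sed "s/^/permitopen=\"$_badfwd\" /" \
+< ${OBJ}/authorized_keys_${USER}.bak \
+> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
+check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
+# permitopen via authorized_keys that does match
+sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+< ${OBJ}/authorized_keys_${USER}.bak \
+> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
+check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
+done
+}
+
+# no-permitopen mismatch-permitopen match-permitopen
+# AllowTcpForwarding local remote local remote local remote
+all_tests yes Y Y N Y Y Y
+all_tests local Y N N N Y N
+all_tests remote N Y N Y N Y
+all_tests no N N N N N N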
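Review bot: In `all_tests`, the block commented `# PermitOpen via sshd_config that does match` writes `sshd_proxy` but runs no check before the next block overwrites the file. The matching-PermitOpen server configuration is therefore never exercised, and `_permit_lfwd`/`_permit_rfwd` are only tested through authorized_keys. Add `check_lfwd $_proto $_permit_lfwd "$_prefix, PermitOpen"` and `check_rfwd $_proto $_permit_rfwd "$_prefix, PermitOpen"` directly after that redirect. Separately, `check_rfwd` treats any failure of the first ssh to produce `$READY` as a denied forward, so an `N` expectation can pass for unrelated reasons such as a broken sshd configuration.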
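--- /dev/null
+++ b/regress/integrity.sh
@@ -0,0 +1,74 @@
+# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $
+# Placed in the Public Domain.
+
+tid="integrity"
+
+# start at byte 2900 (i.e. after kex) and corrupt at different offsets
+# XXX the test hangs if we modify the low bytes of the packet length
+# XXX and ssh tries to read...
+tries=10
+startoffset=2900
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+hmac-sha1-96 hmac-md5-96
+hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
+umac-64-etm@openssh.com umac-128-etm@openssh.com
+hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
+config_defined HAVE_EVP_SHA256 &&
+macs="$macs hmac-sha2-256 hmac-sha2-512
+hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+# The following are not MACs, but ciphers with integrated integrity. They are
+# handled specially below.
+config_defined OPENSSL_HAVE_EVPGCM && \
+macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
+
+# sshd-command for proxy (see test-exec.sh)
+cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy"
+
+jot() {
+awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+
+for m in $macs; do
+trace "test $tid: mac $m"
+elen=0
+epad=0
+emac=0
+ecnt=0
+skip=0
+for off in `jot $tries $startoffset`; do
+skip=`expr $skip - 1`
+if [ $skip -gt 0 ]; then
+# avoid modifying the high bytes of the length
+continue
+fi
+# modify output from sshd at offset $off
+pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
+case $m in
+aes*gcm*) macopt="-c $m";;
+*) macopt="-m $m";;
+esac
+output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+999.999.999.999 'printf "%4096s" " "' 2>&1`
+if [ $? -eq 0 ]; then
+fail "ssh -m $m succeeds with bit-flip at $off"
+fi
+ecnt=`expr $ecnt + 1`
+output=`echo $output | tr -s '\r\n' '.'`
+verbose "test $tid: $m @$off $output"
+case "$output" in
+Bad?packet*) elen=`expr $elen + 1`; skip=3;;
+Corrupted?MAC* | Decryption?integrity?check?failed*)
+emac=`expr $emac + 1`; skip=0;;
+padding*) epad=`expr $epad + 1`; skip=0;;
+*) fail "unexpected error mac $m at $off";;
+esac
+done
+verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
+if [ $emac -eq 0 ]; then
+fail "$m: no mac errors"
+fi
+expect=`expr $ecnt - $epad - $elen`
+if [ $emac -ne $expect ]; then
+fail "$m: expected $expect mac errors, got $emac"
+fi
+done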
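Review bot: When a connection succeeds despite the bit-flip, the loop reports `fail "ssh -m $m succeeds with bit-flip at $off"` but then carries on: the attempt is still counted in `ecnt` and its output falls through to `*) fail "unexpected error mac $m at $off"`. Assuming `fail` records the failure without exiting, the one outcome this test exists to catch is reported twice and also skews the later "expected N mac errors" comparison. A `continue` right after the first `fail` keeps the report unambiguous. The message also prints `ssh -m` for the GCM entries, which are actually passed with `-c`; printing `$macopt` would be accurate.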
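--- /dev/null
+++ b/regress/keys-command.sh
@@ -0,0 +1,39 @@
+# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="authorized keys from command"
+
+if test -z "$SUDO" ; then
+echo "skipped (SUDO not set)"
+echo "need SUDO to create file in /var/run, test won't work without"
+exit 0
+fi
+
+# Establish a AuthorizedKeysCommand in /var/run where it will have
+# acceptable directory permissions.
+KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
+#!/bin/sh
+test "x\$1" != "x${LOGNAME}" && exit 1
+exec cat "$OBJ/authorized_keys_${LOGNAME}"
+_EOF
+$SUDO chmod 0755 "$KEY_COMMAND"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+(
+grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+echo AuthorizedKeysFile none
+echo AuthorizedKeysCommand $KEY_COMMAND
+echo AuthorizedKeysCommandUser ${LOGNAME}
+) > $OBJ/sshd_proxy
+
+if [ -x $KEY_COMMAND ]; then
+${SSH} -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+fail "connect failed"
+fi
+else
+echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
+fi
+
+$SUDO rm -f $KEY_COMMAND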
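Review bot: `$KEY_COMMAND` is quoted where the helper is created and chmod-ed but unquoted in `[ -x $KEY_COMMAND ]`, in `echo AuthorizedKeysCommand $KEY_COMMAND` and, most importantly, in the final `$SUDO rm -f $KEY_COMMAND`, which runs with elevated privileges. The path embeds `${LOGNAME}` from the environment, so a value containing whitespace or glob characters would make the privileged `rm -f` act on paths other than the helper. Use `$SUDO rm -f "$KEY_COMMAND"` and quote the other uses the same way. The script also has no cleanup if it is interrupted before its last line, which would leave a root-created executable behind in /var/run.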
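--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,161 @@
+# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# Placed in the Public Domain.
+
+tid="key revocation lists"
+
+# If we don't support ecdsa keys then this tell will be much slower.
+ECDSA=ecdsa
+if test "x$TEST_SSH_ECC" != "xyes"; then
+ECDSA=rsa
+fi
+
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+
+# Generate a CA key
+$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
+fatal "$SSHKEYGEN CA failed"
+
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+
+jot() {
+awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+# Fill in by-ID revocation spec.
+echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+
+keygen() {
+N=$1
+f=$OBJ/revoked-`printf "%04d" $N`
+# Vary the keytype. We use mostly ECDSA since this is fastest by far.
+keytype=$ECDSA
+case $N in
+2 | 10 | 510 | 1001) keytype=rsa;;
+4 | 30 | 520 | 1002) keytype=dsa;;
+esac
+$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+|| fatal "$SSHKEYGEN failed"
+# Sign cert
+$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+|| fatal "$SSHKEYGEN sign failed"
+echo $f
+}
+
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+f=`keygen $n`
+REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+
+genkrls() {
+OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+
+verbose "$tid: generating KRLs"
+genkrls
+
+check_krl() {
+KEY=$1
+KRL=$2
+EXPECT_REVOKED=$3
+TAG=$4
+$SSHKEYGEN -Qf $KRL $KEY >/dev/null
+result=$?
+if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+fatal "key $KEY not revoked by KRL $KRL: $TAG"
+elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+fi
+}
+test_all() {
+FILES=$1
+TAG=$2
+KEYS_RESULT=$3
+ALL_RESULT=$4
+SERIAL_RESULT=$5
+KEYID_RESULT=$6
+CERTS_RESULT=$7
+CA_RESULT=$8
+verbose "$tid: checking revocations for $TAG"
+for f in $FILES ; do
+check_krl $f $OBJ/krl-empty no "$TAG"
+check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+done
+}
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+cp -f $OBJ/krl-empty $f
+genkrls -u
+done
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes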
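Review bot: The unrevoked half of this test never checks anything. The `for n in $NOTREVOKED_SERIALS` loop does not call `keygen`, so it keeps appending the stale `$f` left over from the last revoked key, and it fills `NOTREVOKED_KEYS`/`NOTREVOKED_CERTS` while `test_all` is invoked with `$UNREVOKED_KEYS`/`$UNREVOKED_CERTS`, which are never set and expand to nothing. The loop body should first assign `f` from `keygen $n` and then build `UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"` and `UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"`, so that a KRL which wrongly revokes a good key is detected. `keygen` also signs with `-z $n`, the caller's loop variable, where its own `$N` is presumably meant.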
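--- /dev/null
+++ b/regress/modpipe.c
@@ -0,0 +1,175 @@
+/*
+* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <errno.h>
+#include "openbsd-compat/getopt.c"
+
+static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
+static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
+
+static void
+err(int r, const char *fmt, ...)
+{
+va_list args;
+
+va_start(args, fmt);
+fprintf(stderr, "%s: ", strerror(errno));
+vfprintf(stderr, fmt, args);
+fputc('\n', stderr);
+va_end(args);
+exit(r);
+}
+
+static void
+errx(int r, const char *fmt, ...)
+{
+va_list args;
+
+va_start(args, fmt);
+vfprintf(stderr, fmt, args);
+fputc('\n', stderr);
+va_end(args);
+exit(r);
+}
+
+static void
+usage(void)
+{
+fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n");
+fprintf(stderr, "modspec is one of:\n");
+fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n");
+fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n");
+exit(1);
+}
+
+#define MAX_MODIFICATIONS 256
+struct modification {
+enum { MOD_XOR, MOD_AND_OR } what;
+u_int64_t offset;
+u_int8_t m1, m2;
+};
+
+static void
+parse_modification(const char *s, struct modification *m)
+{
+char what[16+1];
+int n, m1, m2;
+
+bzero(m, sizeof(*m));
+if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
+what, &m->offset, &m1, &m2)) < 3)
+errx(1, "Invalid modification spec \"%s\"", s);
+if (strcasecmp(what, "xor") == 0) {
+if (n > 3)
+errx(1, "Invalid modification spec \"%s\"", s);
+if (m1 < 0 || m1 > 0xff)
+errx(1, "Invalid XOR modification value");
+m->what = MOD_XOR;
+m->m1 = m1;
+} else if (strcasecmp(what, "andor") == 0) {
+if (n != 4)
+errx(1, "Invalid modification spec \"%s\"", s);
+if (m1 < 0 || m1 > 0xff)
+errx(1, "Invalid AND modification value");
+if (m2 < 0 || m2 > 0xff)
+errx(1, "Invalid OR modification value");
+m->what = MOD_AND_OR;
+m->m1 = m1;
+m->m2 = m2;
+} else
+errx(1, "Invalid modification type \"%s\"", what);
+}
+
+int
+main(int argc, char **argv)
+{
+int ch;
+u_char buf[8192];
+size_t total;
+ssize_t r, s, o;
+struct modification mods[MAX_MODIFICATIONS];
+u_int i, wflag = 0, num_mods = 0;
+
+while ((ch = getopt(argc, argv, "wm:")) != -1) {
+switch (ch) {
+case 'm':
+if (num_mods >= MAX_MODIFICATIONS)
+errx(1, "Too many modifications");
+parse_modification(optarg, &(mods[num_mods++]));
+break;
+case 'w':
+wflag = 1;
+break;
+default:
+usage();
+/* NOTREACHED */
+}
+}
+for (total = 0;;) {
+r = s = read(STDIN_FILENO, buf, sizeof(buf));
+if (r == 0)
+break;
+if (r < 0) {
+if (errno == EAGAIN || errno == EINTR)
+continue;
+err(1, "read");
+}
+for (i = 0; i < num_mods; i++) {
+if (mods[i].offset < total ||
+mods[i].offset >= total + s)
+continue;
+switch (mods[i].what) {
+case MOD_XOR:
+buf[mods[i].offset - total] ^= mods[i].m1;
+break;
+case MOD_AND_OR:
+buf[mods[i].offset - total] &= mods[i].m1;
+buf[mods[i].offset - total] |= mods[i].m2;
+break;
+}
+}
+for (o = 0; o < s; o += r) {
+r = write(STDOUT_FILENO, buf, s - o);
+if (r == 0)
+break;
+if (r < 0) {
+if (errno == EAGAIN || errno == EINTR)
+continue;
+err(1, "write");
+}
+}
+total += s;
+}
+/* Warn if modifications not reached in input stream */
+r = 0;
+for (i = 0; wflag && i < num_mods; i++) {
+if (mods[i].offset < total)
+continue;
+r = 1;
+fprintf(stderr, "modpipe: warning - mod %u not reached\n", i);
+}
+return r;
+}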
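Review bot: The write loop near the end of main() restarts every write from the beginning of `buf`, so after a short write the next iteration re-sends bytes already written instead of the remainder; the call should be `r = write(STDOUT_FILENO, buf + o, s - o);`. The EAGAIN/EINTR branch has a related problem: `continue` still runs the loop's `o += r` with r == -1, so `o` goes negative and the next write asks for `s + 1` bytes, which reads one byte past the 8192-byte buffer whenever the read filled it; setting `r = 0;` before that `continue` avoids this. The `if (r == 0) break;` case also abandons the rest of the block without any diagnostic. Going by the usage text, this helper alters bytes at chosen stream offsets for the regress tests, so a silently duplicated or truncated block would shift those offsets and leave a test exercising something other than what it names.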
diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 93e15088f..1e6cc7606 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: multiplex.sh,v 1.13 2012/06/01 00:47:36 djm Exp $ | 1 | # $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | CTL=/tmp/openssh.regress.ctl-sock.$$ | 4 | CTL=/tmp/openssh.regress.ctl-sock.$$ |
@@ -13,14 +13,22 @@ fi | |||
13 | DATA=/bin/ls${EXEEXT} | 13 | DATA=/bin/ls${EXEEXT} |
14 | COPY=$OBJ/ls.copy | 14 | COPY=$OBJ/ls.copy |
15 | 15 | ||
16 | wait_for_mux_master_ready() | ||
17 | { | ||
18 | for i in 1 2 3 4 5; do | ||
19 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \ | ||
20 | >/dev/null 2>&1 && return 0 | ||
21 | sleep $i | ||
22 | done | ||
23 | fatal "mux master never becomes ready" | ||
24 | } | ||
25 | |||
16 | start_sshd | 26 | start_sshd |
17 | 27 | ||
18 | trace "start master, fork to background" | 28 | trace "start master, fork to background" |
19 | ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & | 29 | ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & |
20 | MASTER_PID=$! | 30 | MASTER_PID=$! |
21 | 31 | wait_for_mux_master_ready | |
22 | # Wait for master to start and authenticate | ||
23 | sleep 5 | ||
24 | 32 | ||
25 | verbose "test $tid: envpass" | 33 | verbose "test $tid: envpass" |
26 | trace "env passing over multiplexed connection" | 34 | trace "env passing over multiplexed connection" |
@@ -78,13 +86,35 @@ for s in 0 1 4 5 44; do | |||
78 | fi | 86 | fi |
79 | done | 87 | done |
80 | 88 | ||
81 | trace "test check command" | 89 | verbose "test $tid: cmd check" |
82 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost || fail "check command failed" | 90 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \ |
91 | || fail "check command failed" | ||
83 | 92 | ||
84 | trace "test exit command" | 93 | verbose "test $tid: cmd exit" |
85 | ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost || fail "send exit command failed" | 94 | ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ |
95 | || fail "send exit command failed" | ||
86 | 96 | ||
87 | # Wait for master to exit | 97 | # Wait for master to exit |
88 | sleep 2 | 98 | wait $MASTER_PID |
99 | kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" | ||
89 | 100 | ||
90 | kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" | 101 | # Restart master and test -O stop command with master using -N |
102 | verbose "test $tid: cmd stop" | ||
103 | trace "restart master, fork to background" | ||
104 | ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & | ||
105 | MASTER_PID=$! | ||
106 | wait_for_mux_master_ready | ||
107 | |||
108 | # start a long-running command then immediately request a stop | ||
109 | ${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ | ||
110 | >>$TEST_SSH_LOGFILE 2>&1 & | ||
111 | SLEEP_PID=$! | ||
112 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ | ||
113 | || fail "send stop command failed" | ||
114 | |||
115 | # wait until both long-running command and master have exited. | ||
116 | wait $SLEEP_PID | ||
117 | [ $! != 0 ] || fail "waiting for concurrent command" | ||
118 | wait $MASTER_PID | ||
119 | [ $! != 0 ] || fail "waiting for master stop" | ||
120 | kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed" | ||
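Review bot: The two checks after `wait` in the new stop test, `[ $! != 0 ] || fail "waiting for concurrent command"` and `[ $! != 0 ] || fail "waiting for master stop"`, can never fail, because `$!` expands to the PID of the most recent background job and not to the status returned by `wait`. If the intent is to examine how the command and the master exited, capture the status right after each wait, e.g. `wait $SLEEP_PID; r=$?`, and compare it with the value the test expects; which status counts as success is not stated in the hunk. The closing `kill -0 $MASTER_PID` is in the same position: `wait $MASTER_PID` only returns once the master is gone, so a master that ignores the stop request would make the test hang instead of reporting a failure.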
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index bdc2c1a49..aa4e6e5c0 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
@@ -140,6 +140,10 @@ if [ "x$TEST_SSH_LOGFILE" = "x" ]; then | |||
140 | TEST_SSH_LOGFILE=/dev/null | 140 | TEST_SSH_LOGFILE=/dev/null |
141 | fi | 141 | fi |
142 | 142 | ||
143 | # Some data for test copies | ||
144 | DATA=$OBJ/testdata | ||
145 | cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA | ||
146 | |||
143 | # these should be used in tests | 147 | # these should be used in tests |
144 | export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP | 148 | export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP |
145 | #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP | 149 | #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP |
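Review bot: The exit status of the `cat` that builds `$DATA` is not checked, so if `$SSHD${EXEEXT}` cannot be read the file is still created, empty, and any test that copies it and compares the result would be comparing empty files. A guard directly after the `cat`, such as `test -s $DATA || { echo "cannot create test data" >&2; exit 2; }`, makes that failure visible instead of letting transfer tests pass vacuously. The expansions are also unquoted, which matters if `$OBJ` or the sshd path contains whitespace.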
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 925863504..084a1457a 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: try-ciphers.sh,v 1.13 2012/06/28 05:07:45 dtucker Exp $ | 1 | # $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="try ciphers" | 4 | tid="try ciphers" |
@@ -7,11 +7,20 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc | |||
7 | arcfour128 arcfour256 arcfour | 7 | arcfour128 arcfour256 arcfour |
8 | aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se | 8 | aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se |
9 | aes128-ctr aes192-ctr aes256-ctr" | 9 | aes128-ctr aes192-ctr aes256-ctr" |
10 | macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" | 10 | config_defined OPENSSL_HAVE_EVPGCM && \ |
11 | ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" | ||
12 | macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com | ||
13 | hmac-sha1-96 hmac-md5-96 | ||
14 | hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com | ||
15 | umac-64-etm@openssh.com umac-128-etm@openssh.com | ||
16 | hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com | ||
17 | hmac-ripemd160-etm@openssh.com" | ||
11 | config_defined HAVE_EVP_SHA256 && | 18 | config_defined HAVE_EVP_SHA256 && |
12 | macs="$macs hmac-sha2-256 hmac-sha2-512" | 19 | macs="$macs hmac-sha2-256 hmac-sha2-512 |
20 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | ||
13 | 21 | ||
14 | for c in $ciphers; do | 22 | for c in $ciphers; do |
23 | n=0 | ||
15 | for m in $macs; do | 24 | for m in $macs; do |
16 | trace "proto 2 cipher $c mac $m" | 25 | trace "proto 2 cipher $c mac $m" |
17 | verbose "test $tid: proto 2 cipher $c mac $m" | 26 | verbose "test $tid: proto 2 cipher $c mac $m" |
@@ -19,6 +28,11 @@ for c in $ciphers; do | |||
19 | if [ $? -ne 0 ]; then | 28 | if [ $? -ne 0 ]; then |
20 | fail "ssh -2 failed with mac $m cipher $c" | 29 | fail "ssh -2 failed with mac $m cipher $c" |
21 | fi | 30 | fi |
31 | # No point trying all MACs for GCM since they are ignored. | ||
32 | case $c in | ||
33 | aes*-gcm@openssh.com) test $n -gt 0 && break;; | ||
34 | esac | ||
35 | n=`expr $n + 1` | ||
22 | done | 36 | done |
23 | done | 37 | done |
24 | 38 | ||
@@ -32,20 +46,3 @@ for c in $ciphers; do | |||
32 | fi | 46 | fi |
33 | done | 47 | done |
34 | 48 | ||
35 | if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null | ||
36 | then | ||
37 | : | ||
38 | else | ||
39 | |||
40 | echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy | ||
41 | c=acss@openssh.org | ||
42 | for m in $macs; do | ||
43 | trace "proto 2 $c mac $m" | ||
44 | verbose "test $tid: proto 2 cipher $c mac $m" | ||
45 | ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true | ||
46 | if [ $? -ne 0 ]; then | ||
47 | fail "ssh -2 failed with mac $m cipher $c" | ||
48 | fi | ||
49 | done | ||
50 | |||
51 | fi | ||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index ef2b13c4f..e12418399 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
@@ -44,6 +44,7 @@ | |||
44 | #include <linux/audit.h> | 44 | #include <linux/audit.h> |
45 | #include <linux/filter.h> | 45 | #include <linux/filter.h> |
46 | #include <linux/seccomp.h> | 46 | #include <linux/seccomp.h> |
47 | #include <elf.h> | ||
47 | 48 | ||
48 | #include <asm/unistd.h> | 49 | #include <asm/unistd.h> |
49 | 50 | ||
@@ -90,7 +91,9 @@ static const struct sock_filter preauth_insns[] = { | |||
90 | SC_DENY(open, EACCES), | 91 | SC_DENY(open, EACCES), |
91 | SC_ALLOW(getpid), | 92 | SC_ALLOW(getpid), |
92 | SC_ALLOW(gettimeofday), | 93 | SC_ALLOW(gettimeofday), |
94 | #ifdef __NR_time /* not defined on EABI ARM */ | ||
93 | SC_ALLOW(time), | 95 | SC_ALLOW(time), |
96 | #endif | ||
94 | SC_ALLOW(read), | 97 | SC_ALLOW(read), |
95 | SC_ALLOW(write), | 98 | SC_ALLOW(write), |
96 | SC_ALLOW(close), | 99 | SC_ALLOW(close), |
@@ -102,7 +105,12 @@ static const struct sock_filter preauth_insns[] = { | |||
102 | SC_ALLOW(select), | 105 | SC_ALLOW(select), |
103 | #endif | 106 | #endif |
104 | SC_ALLOW(madvise), | 107 | SC_ALLOW(madvise), |
108 | #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ | ||
109 | SC_ALLOW(mmap2), | ||
110 | #endif | ||
111 | #ifdef __NR_mmap | ||
105 | SC_ALLOW(mmap), | 112 | SC_ALLOW(mmap), |
113 | #endif | ||
106 | SC_ALLOW(munmap), | 114 | SC_ALLOW(munmap), |
107 | SC_ALLOW(exit_group), | 115 | SC_ALLOW(exit_group), |
108 | #ifdef __NR_rt_sigprocmask | 116 | #ifdef __NR_rt_sigprocmask |
@@ -155,4 +155,4 @@ AUTHORS | |||
155 | Timo Rinne <tri@iki.fi> | 155 | Timo Rinne <tri@iki.fi> |
156 | Tatu Ylonen <ylo@cs.hut.fi> | 156 | Tatu Ylonen <ylo@cs.hut.fi> |
157 | 157 | ||
158 | OpenBSD 5.2 September 5, 2011 OpenBSD 5.2 | 158 | OpenBSD 5.3 September 5, 2011 OpenBSD 5.3 |
@@ -103,7 +103,7 @@ | |||
103 | #include <string.h> | 103 | #include <string.h> |
104 | #include <time.h> | 104 | #include <time.h> |
105 | #include <unistd.h> | 105 | #include <unistd.h> |
106 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) | 106 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) |
107 | #include <vis.h> | 107 | #include <vis.h> |
108 | #endif | 108 | #endif |
109 | 109 | ||
diff --git a/servconf.c b/servconf.c index 9a8822938..1700d5aa6 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -48,6 +48,8 @@ | |||
48 | #include "groupaccess.h" | 48 | #include "groupaccess.h" |
49 | #include "canohost.h" | 49 | #include "canohost.h" |
50 | #include "packet.h" | 50 | #include "packet.h" |
51 | #include "hostfile.h" | ||
52 | #include "auth.h" | ||
51 | 53 | ||
52 | static void add_listen_addr(ServerOptions *, char *, int); | 54 | static void add_listen_addr(ServerOptions *, char *, int); |
53 | static void add_one_listen_addr(ServerOptions *, char *, int); | 55 | static void add_one_listen_addr(ServerOptions *, char *, int); |
@@ -139,6 +141,8 @@ initialize_server_options(ServerOptions *options) | |||
139 | options->num_permitted_opens = -1; | 141 | options->num_permitted_opens = -1; |
140 | options->adm_forced_command = NULL; | 142 | options->adm_forced_command = NULL; |
141 | options->chroot_directory = NULL; | 143 | options->chroot_directory = NULL; |
144 | options->authorized_keys_command = NULL; | ||
145 | options->authorized_keys_command_user = NULL; | ||
142 | options->zero_knowledge_password_authentication = -1; | 146 | options->zero_knowledge_password_authentication = -1; |
143 | options->revoked_keys_file = NULL; | 147 | options->revoked_keys_file = NULL; |
144 | options->trusted_user_ca_keys = NULL; | 148 | options->trusted_user_ca_keys = NULL; |
@@ -259,7 +263,7 @@ fill_default_server_options(ServerOptions *options) | |||
259 | if (options->compression == -1) | 263 | if (options->compression == -1) |
260 | options->compression = COMP_DELAYED; | 264 | options->compression = COMP_DELAYED; |
261 | if (options->allow_tcp_forwarding == -1) | 265 | if (options->allow_tcp_forwarding == -1) |
262 | options->allow_tcp_forwarding = 1; | 266 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
263 | if (options->allow_agent_forwarding == -1) | 267 | if (options->allow_agent_forwarding == -1) |
264 | options->allow_agent_forwarding = 1; | 268 | options->allow_agent_forwarding = 1; |
265 | if (options->gateway_ports == -1) | 269 | if (options->gateway_ports == -1) |
@@ -346,6 +350,8 @@ typedef enum { | |||
346 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 350 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
347 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 351 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
348 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 352 | sKexAlgorithms, sIPQoS, sVersionAddendum, |
353 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | ||
354 | sAuthenticationMethods, | ||
349 | sDebianBanner, | 355 | sDebianBanner, |
350 | sDeprecated, sUnsupported | 356 | sDeprecated, sUnsupported |
351 | } ServerOpCodes; | 357 | } ServerOpCodes; |
@@ -482,7 +488,10 @@ static struct { | |||
482 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, | 488 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
483 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, | 489 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, |
484 | { "ipqos", sIPQoS, SSHCFG_ALL }, | 490 | { "ipqos", sIPQoS, SSHCFG_ALL }, |
491 | { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, | ||
492 | { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, | ||
485 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, | 493 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, |
494 | { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, | ||
486 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 495 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
487 | { NULL, sBadOption, 0 } | 496 | { NULL, sBadOption, 0 } |
488 | }; | 497 | }; |
@@ -648,8 +657,9 @@ out: | |||
648 | } | 657 | } |
649 | 658 | ||
650 | /* | 659 | /* |
651 | * All of the attributes on a single Match line are ANDed together, so we need to check every | 660 | * All of the attributes on a single Match line are ANDed together, so we need |
652 | * attribute and set the result to zero if any attribute does not match. | 661 | * to check every * attribute and set the result to zero if any attribute does |
662 | * not match. | ||
653 | */ | 663 | */ |
654 | static int | 664 | static int |
655 | match_cfg_line(char **condition, int line, struct connection_info *ci) | 665 | match_cfg_line(char **condition, int line, struct connection_info *ci) |
@@ -806,6 +816,14 @@ static const struct multistate multistate_privsep[] = { | |||
806 | { "no", PRIVSEP_OFF }, | 816 | { "no", PRIVSEP_OFF }, |
807 | { NULL, -1 } | 817 | { NULL, -1 } |
808 | }; | 818 | }; |
819 | static const struct multistate multistate_tcpfwd[] = { | ||
820 | { "yes", FORWARD_ALLOW }, | ||
821 | { "all", FORWARD_ALLOW }, | ||
822 | { "no", FORWARD_DENY }, | ||
823 | { "remote", FORWARD_REMOTE }, | ||
824 | { "local", FORWARD_LOCAL }, | ||
825 | { NULL, -1 } | ||
826 | }; | ||
809 | 827 | ||
810 | int | 828 | int |
811 | process_server_config_line(ServerOptions *options, char *line, | 829 | process_server_config_line(ServerOptions *options, char *line, |
@@ -1179,7 +1197,8 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1179 | 1197 | ||
1180 | case sAllowTcpForwarding: | 1198 | case sAllowTcpForwarding: |
1181 | intptr = &options->allow_tcp_forwarding; | 1199 | intptr = &options->allow_tcp_forwarding; |
1182 | goto parse_flag; | 1200 | multistate_ptr = multistate_tcpfwd; |
1201 | goto parse_multistate; | ||
1183 | 1202 | ||
1184 | case sAllowAgentForwarding: | 1203 | case sAllowAgentForwarding: |
1185 | intptr = &options->allow_agent_forwarding; | 1204 | intptr = &options->allow_agent_forwarding; |
@@ -1459,7 +1478,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1459 | } | 1478 | } |
1460 | if (strcmp(arg, "none") == 0) { | 1479 | if (strcmp(arg, "none") == 0) { |
1461 | if (*activep && n == -1) { | 1480 | if (*activep && n == -1) { |
1462 | channel_clear_adm_permitted_opens(); | ||
1463 | options->num_permitted_opens = 1; | 1481 | options->num_permitted_opens = 1; |
1464 | channel_disable_adm_local_opens(); | 1482 | channel_disable_adm_local_opens(); |
1465 | } | 1483 | } |
@@ -1543,6 +1561,43 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1543 | } | 1561 | } |
1544 | return 0; | 1562 | return 0; |
1545 | 1563 | ||
1564 | case sAuthorizedKeysCommand: | ||
1565 | len = strspn(cp, WHITESPACE); | ||
1566 | if (*activep && options->authorized_keys_command == NULL) { | ||
1567 | if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) | ||
1568 | fatal("%.200s line %d: AuthorizedKeysCommand " | ||
1569 | "must be an absolute path", | ||
1570 | filename, linenum); | ||
1571 | options->authorized_keys_command = xstrdup(cp + len); | ||
1572 | } | ||
1573 | return 0; | ||
1574 | |||
1575 | case sAuthorizedKeysCommandUser: | ||
1576 | charptr = &options->authorized_keys_command_user; | ||
1577 | |||
1578 | arg = strdelim(&cp); | ||
1579 | if (*activep && *charptr == NULL) | ||
1580 | *charptr = xstrdup(arg); | ||
1581 | break; | ||
1582 | |||
1583 | case sAuthenticationMethods: | ||
1584 | if (*activep && options->num_auth_methods == 0) { | ||
1585 | while ((arg = strdelim(&cp)) && *arg != '\0') { | ||
1586 | if (options->num_auth_methods >= | ||
1587 | MAX_AUTH_METHODS) | ||
1588 | fatal("%s line %d: " | ||
1589 | "too many authentication methods.", | ||
1590 | filename, linenum); | ||
1591 | if (auth2_methods_valid(arg, 0) != 0) | ||
1592 | fatal("%s line %d: invalid " | ||
1593 | "authentication method list.", | ||
1594 | filename, linenum); | ||
1595 | options->auth_methods[ | ||
1596 | options->num_auth_methods++] = xstrdup(arg); | ||
1597 | } | ||
1598 | } | ||
1599 | return 0; | ||
1600 | |||
1546 | case sDebianBanner: | 1601 | case sDebianBanner: |
1547 | intptr = &options->debian_banner; | 1602 | intptr = &options->debian_banner; |
1548 | goto parse_int; | 1603 | goto parse_int; |
@@ -1697,6 +1752,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1697 | M_CP_INTOPT(hostbased_uses_name_from_packet_only); | 1752 | M_CP_INTOPT(hostbased_uses_name_from_packet_only); |
1698 | M_CP_INTOPT(kbd_interactive_authentication); | 1753 | M_CP_INTOPT(kbd_interactive_authentication); |
1699 | M_CP_INTOPT(zero_knowledge_password_authentication); | 1754 | M_CP_INTOPT(zero_knowledge_password_authentication); |
1755 | M_CP_STROPT(authorized_keys_command); | ||
1756 | M_CP_STROPT(authorized_keys_command_user); | ||
1700 | M_CP_INTOPT(permit_root_login); | 1757 | M_CP_INTOPT(permit_root_login); |
1701 | M_CP_INTOPT(permit_empty_passwd); | 1758 | M_CP_INTOPT(permit_empty_passwd); |
1702 | 1759 | ||
@@ -1781,6 +1838,8 @@ fmt_intarg(ServerOpCodes code, int val) | |||
1781 | return fmt_multistate_int(val, multistate_compression); | 1838 | return fmt_multistate_int(val, multistate_compression); |
1782 | case sUsePrivilegeSeparation: | 1839 | case sUsePrivilegeSeparation: |
1783 | return fmt_multistate_int(val, multistate_privsep); | 1840 | return fmt_multistate_int(val, multistate_privsep); |
1841 | case sAllowTcpForwarding: | ||
1842 | return fmt_multistate_int(val, multistate_tcpfwd); | ||
1784 | case sProtocol: | 1843 | case sProtocol: |
1785 | switch (val) { | 1844 | switch (val) { |
1786 | case SSH_PROTO_1: | 1845 | case SSH_PROTO_1: |
@@ -1961,6 +2020,8 @@ dump_config(ServerOptions *o) | |||
1961 | dump_cfg_string(sAuthorizedPrincipalsFile, | 2020 | dump_cfg_string(sAuthorizedPrincipalsFile, |
1962 | o->authorized_principals_file); | 2021 | o->authorized_principals_file); |
1963 | dump_cfg_string(sVersionAddendum, o->version_addendum); | 2022 | dump_cfg_string(sVersionAddendum, o->version_addendum); |
2023 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); | ||
2024 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); | ||
1964 | 2025 | ||
1965 | /* string arguments requiring a lookup */ | 2026 | /* string arguments requiring a lookup */ |
1966 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 2027 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
@@ -1978,6 +2039,8 @@ dump_config(ServerOptions *o) | |||
1978 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); | 2039 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); |
1979 | dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); | 2040 | dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); |
1980 | dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); | 2041 | dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); |
2042 | dump_cfg_strarray_oneline(sAuthenticationMethods, | ||
2043 | o->num_auth_methods, o->auth_methods); | ||
1981 | 2044 | ||
1982 | /* other arguments */ | 2045 | /* other arguments */ |
1983 | for (i = 0; i < o->num_subsystems; i++) | 2046 | for (i = 0; i < o->num_subsystems; i++) |
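Review bot: In the new `sAuthorizedKeysCommandUser` case the result of `strdelim(&cp)` goes straight into `xstrdup(arg)` with no check that a value was supplied, so a directive with no argument is either stored as an empty user name or, if `strdelim()` returns NULL at end of line (its definition is not on this page), handed to `xstrdup()` as NULL. Reject it at parse time with `if (!arg || *arg == '\0') fatal("%s line %d: missing AuthorizedKeysCommandUser argument.", filename, linenum);` before the assignment. The `sAuthorizedKeysCommand` case has a similar gap: it validates only the first character of the remainder of the line and calls `strspn(cp, WHITESPACE)` without a NULL check on `cp`. Both cases sit inside process_server_config_line(), whose body starts and ends outside these hunks. Going by the option names, this pair selects a helper program and the account it runs as, so an empty or ambiguous value is better refused at startup than interpreted later.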
diff --git a/servconf.h b/servconf.h index a15f2a7fa..bc0536927 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.h,v 1.103 2012/07/10 02:19:15 djm Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -28,6 +28,7 @@ | |||
28 | #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ | 28 | #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ |
29 | #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ | 29 | #define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ |
30 | #define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ | 30 | #define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ |
31 | #define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */ | ||
31 | 32 | ||
32 | /* permit_root_login */ | 33 | /* permit_root_login */ |
33 | #define PERMIT_NOT_SET -1 | 34 | #define PERMIT_NOT_SET -1 |
@@ -41,6 +42,12 @@ | |||
41 | #define PRIVSEP_ON 1 | 42 | #define PRIVSEP_ON 1 |
42 | #define PRIVSEP_NOSANDBOX 2 | 43 | #define PRIVSEP_NOSANDBOX 2 |
43 | 44 | ||
45 | /* AllowTCPForwarding */ | ||
46 | #define FORWARD_DENY 0 | ||
47 | #define FORWARD_REMOTE (1) | ||
48 | #define FORWARD_LOCAL (1<<1) | ||
49 | #define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL) | ||
50 | |||
44 | #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ | 51 | #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ |
45 | #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ | 52 | #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ |
46 | 53 | ||
@@ -119,7 +126,7 @@ typedef struct { | |||
119 | int permit_user_env; /* If true, read ~/.ssh/environment */ | 126 | int permit_user_env; /* If true, read ~/.ssh/environment */ |
120 | int use_login; /* If true, login(1) is used */ | 127 | int use_login; /* If true, login(1) is used */ |
121 | int compression; /* If true, compression is allowed */ | 128 | int compression; /* If true, compression is allowed */ |
122 | int allow_tcp_forwarding; | 129 | int allow_tcp_forwarding; /* One of FORWARD_* */ |
123 | int allow_agent_forwarding; | 130 | int allow_agent_forwarding; |
124 | u_int num_allow_users; | 131 | u_int num_allow_users; |
125 | char *allow_users[MAX_ALLOW_USERS]; | 132 | char *allow_users[MAX_ALLOW_USERS]; |
@@ -170,8 +177,14 @@ typedef struct { | |||
170 | char *revoked_keys_file; | 177 | char *revoked_keys_file; |
171 | char *trusted_user_ca_keys; | 178 | char *trusted_user_ca_keys; |
172 | char *authorized_principals_file; | 179 | char *authorized_principals_file; |
180 | char *authorized_keys_command; | ||
181 | char *authorized_keys_command_user; | ||
173 | 182 | ||
174 | char *version_addendum; /* Appended to SSH banner */ | 183 | char *version_addendum; /* Appended to SSH banner */ |
184 | |||
185 | u_int num_auth_methods; | ||
186 | char *auth_methods[MAX_AUTH_METHODS]; | ||
187 | |||
175 | int debian_banner; | 188 | int debian_banner; |
176 | } ServerOptions; | 189 | } ServerOptions; |
177 | 190 | ||
@@ -196,12 +209,15 @@ struct connection_info { | |||
196 | M_CP_STROPT(trusted_user_ca_keys); \ | 209 | M_CP_STROPT(trusted_user_ca_keys); \ |
197 | M_CP_STROPT(revoked_keys_file); \ | 210 | M_CP_STROPT(revoked_keys_file); \ |
198 | M_CP_STROPT(authorized_principals_file); \ | 211 | M_CP_STROPT(authorized_principals_file); \ |
212 | M_CP_STROPT(authorized_keys_command); \ | ||
213 | M_CP_STROPT(authorized_keys_command_user); \ | ||
199 | M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ | 214 | M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ |
200 | M_CP_STRARRAYOPT(allow_users, num_allow_users); \ | 215 | M_CP_STRARRAYOPT(allow_users, num_allow_users); \ |
201 | M_CP_STRARRAYOPT(deny_users, num_deny_users); \ | 216 | M_CP_STRARRAYOPT(deny_users, num_deny_users); \ |
202 | M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ | 217 | M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ |
203 | M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ | 218 | M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ |
204 | M_CP_STRARRAYOPT(accept_env, num_accept_env); \ | 219 | M_CP_STRARRAYOPT(accept_env, num_accept_env); \ |
220 | M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ | ||
205 | } while (0) | 221 | } while (0) |
206 | 222 | ||
207 | struct connection_info *get_connection_info(int, int); | 223 | struct connection_info *get_connection_info(int, int); |
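Review bot: The new comment on `allow_tcp_forwarding`, `/* One of FORWARD_* */`, understates how the field is used: `FORWARD_ALLOW` is the OR of `FORWARD_REMOTE` and `FORWARD_LOCAL`, serverloop.c in this commit tests it with `&`, and servconf.c still uses `-1` as the not-yet-set value. A `-1` has every bit set, so any bit test made before fill_default_server_options() has run would read as forwarding allowed in both directions. I would document that on the field, e.g. `int allow_tcp_forwarding; /* Bitmask of FORWARD_*; -1 = unset, test only after defaults are filled */`.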
diff --git a/serverloop.c b/serverloop.c index 0b0f386d9..9e5fa555e 100644 --- a/serverloop.c +++ b/serverloop.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ | 1 | /* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -708,7 +708,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) | |||
708 | &nalloc, max_time_milliseconds); | 708 | &nalloc, max_time_milliseconds); |
709 | 709 | ||
710 | if (received_sigterm) { | 710 | if (received_sigterm) { |
711 | logit("Exiting on signal %d", received_sigterm); | 711 | logit("Exiting on signal %d", (int)received_sigterm); |
712 | /* Clean up sessions, utmp, etc. */ | 712 | /* Clean up sessions, utmp, etc. */ |
713 | cleanup_exit(255); | 713 | cleanup_exit(255); |
714 | } | 714 | } |
@@ -858,7 +858,7 @@ server_loop2(Authctxt *authctxt) | |||
858 | &nalloc, 0); | 858 | &nalloc, 0); |
859 | 859 | ||
860 | if (received_sigterm) { | 860 | if (received_sigterm) { |
861 | logit("Exiting on signal %d", received_sigterm); | 861 | logit("Exiting on signal %d", (int)received_sigterm); |
862 | /* Clean up sessions, utmp, etc. */ | 862 | /* Clean up sessions, utmp, etc. */ |
863 | cleanup_exit(255); | 863 | cleanup_exit(255); |
864 | } | 864 | } |
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) | |||
950 | static Channel * | 950 | static Channel * |
951 | server_request_direct_tcpip(void) | 951 | server_request_direct_tcpip(void) |
952 | { | 952 | { |
953 | Channel *c; | 953 | Channel *c = NULL; |
954 | char *target, *originator; | 954 | char *target, *originator; |
955 | u_short target_port, originator_port; | 955 | u_short target_port, originator_port; |
956 | 956 | ||
@@ -963,9 +963,16 @@ server_request_direct_tcpip(void) | |||
963 | debug("server_request_direct_tcpip: originator %s port %d, target %s " | 963 | debug("server_request_direct_tcpip: originator %s port %d, target %s " |
964 | "port %d", originator, originator_port, target, target_port); | 964 | "port %d", originator, originator_port, target, target_port); |
965 | 965 | ||
966 | /* XXX check permission */ | 966 | /* XXX fine grained permissions */ |
967 | c = channel_connect_to(target, target_port, | 967 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && |
968 | "direct-tcpip", "direct-tcpip"); | 968 | !no_port_forwarding_flag) { |
969 | c = channel_connect_to(target, target_port, | ||
970 | "direct-tcpip", "direct-tcpip"); | ||
971 | } else { | ||
972 | logit("refused local port forward: " | ||
973 | "originator %s port %d, target %s port %d", | ||
974 | originator, originator_port, target, target_port); | ||
975 | } | ||
969 | 976 | ||
970 | xfree(originator); | 977 | xfree(originator); |
971 | xfree(target); | 978 | xfree(target); |
@@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | |||
1126 | listen_address, listen_port); | 1133 | listen_address, listen_port); |
1127 | 1134 | ||
1128 | /* check permissions */ | 1135 | /* check permissions */ |
1129 | if (!options.allow_tcp_forwarding || | 1136 | if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || |
1130 | no_port_forwarding_flag || | 1137 | no_port_forwarding_flag || |
1131 | (!want_reply && listen_port == 0) | 1138 | (!want_reply && listen_port == 0) |
1132 | #ifndef NO_IPPORT_RESERVED_CONCEPT | 1139 | #ifndef NO_IPPORT_RESERVED_CONCEPT |
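Review bot: In server_request_direct_tcpip the new refusal path logs `originator` and `target` with logit, but both strings appear to come from the peer's channel-open request (parsed above the hunk), so the line records what the client claimed rather than a verified address. A short comment would keep that from being misread during log review, e.g. `/* originator/target are client-supplied; logged for audit only */`. The remaining `/* XXX fine grained permissions */` could also state what is enforced now, e.g. `/* local forwards need FORWARD_LOCAL in options.allow_tcp_forwarding and no no_port_forwarding_flag */`. The function ends outside the hunk, so how the NULL `c` is reported back to the client is not visible here.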
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -274,7 +274,10 @@ do_authenticated(Authctxt *authctxt) | |||
274 | setproctitle("%s", authctxt->pw->pw_name); | 274 | setproctitle("%s", authctxt->pw->pw_name); |
275 | 275 | ||
276 | /* setup the channel layer */ | 276 | /* setup the channel layer */ |
277 | if (!no_port_forwarding_flag && options.allow_tcp_forwarding) | 277 | if (no_port_forwarding_flag || |
278 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) | ||
279 | channel_disable_adm_local_opens(); | ||
280 | else | ||
278 | channel_permit_all_opens(); | 281 | channel_permit_all_opens(); |
279 | 282 | ||
280 | auth_debug_send(); | 283 | auth_debug_send(); |
@@ -384,7 +387,7 @@ do_authenticated1(Authctxt *authctxt) | |||
384 | debug("Port forwarding not permitted for this authentication."); | 387 | debug("Port forwarding not permitted for this authentication."); |
385 | break; | 388 | break; |
386 | } | 389 | } |
387 | if (!options.allow_tcp_forwarding) { | 390 | if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) { |
388 | debug("Port forwarding not permitted."); | 391 | debug("Port forwarding not permitted."); |
389 | break; | 392 | break; |
390 | } | 393 | } |
@@ -1526,6 +1529,11 @@ do_setusercontext(struct passwd *pw, const char *role) | |||
1526 | perror("unable to set user context (setuser)"); | 1529 | perror("unable to set user context (setuser)"); |
1527 | exit(1); | 1530 | exit(1); |
1528 | } | 1531 | } |
1532 | /* | ||
1533 | * FreeBSD's setusercontext() will not apply the user's | ||
1534 | * own umask setting unless running with the user's UID. | ||
1535 | */ | ||
1536 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); | ||
1529 | #else | 1537 | #else |
1530 | /* Permanently switch to the desired uid. */ | 1538 | /* Permanently switch to the desired uid. */ |
1531 | permanently_set_uid(pw); | 1539 | permanently_set_uid(pw); |
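Review bot: In do_setusercontext the added `(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);` discards the result, while the setusercontext call just above it exits on failure. If this second call fails, the session keeps whatever umask it already had, which may be more permissive than the user's login class asks for, and nothing records it. If best-effort is intended, say so in the comment and log the failure, e.g. `if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK) < 0) debug("setusercontext(LOGIN_SETUMASK) failed: %s", strerror(errno));`. The function starts and ends outside the hunk.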
diff --git a/sftp-server.0 b/sftp-server.0 index 340929d75..6beddcc13 100644 --- a/sftp-server.0 +++ b/sftp-server.0 | |||
@@ -4,7 +4,8 @@ NAME | |||
4 | sftp-server - SFTP server subsystem | 4 | sftp-server - SFTP server subsystem |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | sftp-server [-ehR] [-f log_facility] [-l log_level] [-u umask] | 7 | sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level] |
8 | [-u umask] | ||
8 | 9 | ||
9 | DESCRIPTION | 10 | DESCRIPTION |
10 | sftp-server is a program that speaks the server side of SFTP protocol to | 11 | sftp-server is a program that speaks the server side of SFTP protocol to |
@@ -17,6 +18,15 @@ DESCRIPTION | |||
17 | 18 | ||
18 | Valid options are: | 19 | Valid options are: |
19 | 20 | ||
21 | -d start_directory | ||
22 | specifies an alternate starting directory for users. The | ||
23 | pathname may contain the following tokens that are expanded at | ||
24 | runtime: %% is replaced by a literal '%', %h is replaced by the | ||
25 | home directory of the user being authenticated, and %u is | ||
26 | replaced by the username of that user. The default is to use the | ||
27 | user's home directory. This option is useful in conjunction with | ||
28 | the sshd_config(5) ChrootDirectory option. | ||
29 | |||
20 | -e Causes sftp-server to print logging information to stderr instead | 30 | -e Causes sftp-server to print logging information to stderr instead |
21 | of syslog for debugging. | 31 | of syslog for debugging. |
22 | 32 | ||
@@ -61,4 +71,4 @@ HISTORY | |||
61 | AUTHORS | 71 | AUTHORS |
62 | Markus Friedl <markus@openbsd.org> | 72 | Markus Friedl <markus@openbsd.org> |
63 | 73 | ||
64 | OpenBSD 5.2 January 9, 2010 OpenBSD 5.2 | 74 | OpenBSD 5.3 January 4, 2013 OpenBSD 5.3 |
diff --git a/sftp-server.8 b/sftp-server.8 index bb19c15e1..2fd3df20c 100644 --- a/sftp-server.8 +++ b/sftp-server.8 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: sftp-server.8,v 1.19 2010/01/09 03:36:00 jmc Exp $ | 1 | .\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | .\" Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | .\" | 4 | .\" |
@@ -22,7 +22,7 @@ | |||
22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | .\" | 24 | .\" |
25 | .Dd $Mdocdate: January 9 2010 $ | 25 | .Dd $Mdocdate: January 4 2013 $ |
26 | .Dt SFTP-SERVER 8 | 26 | .Dt SFTP-SERVER 8 |
27 | .Os | 27 | .Os |
28 | .Sh NAME | 28 | .Sh NAME |
@@ -31,6 +31,7 @@ | |||
31 | .Sh SYNOPSIS | 31 | .Sh SYNOPSIS |
32 | .Nm sftp-server | 32 | .Nm sftp-server |
33 | .Op Fl ehR | 33 | .Op Fl ehR |
34 | .Op Fl d Ar start_directory | ||
34 | .Op Fl f Ar log_facility | 35 | .Op Fl f Ar log_facility |
35 | .Op Fl l Ar log_level | 36 | .Op Fl l Ar log_level |
36 | .Op Fl u Ar umask | 37 | .Op Fl u Ar umask |
@@ -56,6 +57,17 @@ for more information. | |||
56 | .Pp | 57 | .Pp |
57 | Valid options are: | 58 | Valid options are: |
58 | .Bl -tag -width Ds | 59 | .Bl -tag -width Ds |
60 | .It Fl d Ar start_directory | ||
61 | specifies an alternate starting directory for users. | ||
62 | The pathname may contain the following tokens that are expanded at runtime: | ||
63 | %% is replaced by a literal '%', | ||
64 | %h is replaced by the home directory of the user being authenticated, | ||
65 | and %u is replaced by the username of that user. | ||
66 | The default is to use the user's home directory. | ||
67 | This option is useful in conjunction with the | ||
68 | .Xr sshd_config 5 | ||
69 | .Cm ChrootDirectory | ||
70 | option. | ||
59 | .It Fl e | 71 | .It Fl e |
60 | Causes | 72 | Causes |
61 | .Nm | 73 | .Nm |
diff --git a/sftp-server.c b/sftp-server.c index 9d01c7d79..cce074a56 100644 --- a/sftp-server.c +++ b/sftp-server.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sftp-server.c,v 1.94 2011/06/17 21:46:16 djm Exp $ */ | 1 | /* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -1390,7 +1390,8 @@ sftp_server_usage(void) | |||
1390 | extern char *__progname; | 1390 | extern char *__progname; |
1391 | 1391 | ||
1392 | fprintf(stderr, | 1392 | fprintf(stderr, |
1393 | "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]\n", | 1393 | "usage: %s [-ehR] [-d start_directory] [-f log_facility] " |
1394 | "[-l log_level]\n\t[-u umask]\n", | ||
1394 | __progname); | 1395 | __progname); |
1395 | exit(1); | 1396 | exit(1); |
1396 | } | 1397 | } |
@@ -1402,7 +1403,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) | |||
1402 | int in, out, max, ch, skipargs = 0, log_stderr = 0; | 1403 | int in, out, max, ch, skipargs = 0, log_stderr = 0; |
1403 | ssize_t len, olen, set_size; | 1404 | ssize_t len, olen, set_size; |
1404 | SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; | 1405 | SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; |
1405 | char *cp, buf[4*4096]; | 1406 | char *cp, *homedir = NULL, buf[4*4096]; |
1406 | long mask; | 1407 | long mask; |
1407 | 1408 | ||
1408 | extern char *optarg; | 1409 | extern char *optarg; |
@@ -1411,7 +1412,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) | |||
1411 | __progname = ssh_get_progname(argv[0]); | 1412 | __progname = ssh_get_progname(argv[0]); |
1412 | log_init(__progname, log_level, log_facility, log_stderr); | 1413 | log_init(__progname, log_level, log_facility, log_stderr); |
1413 | 1414 | ||
1414 | while (!skipargs && (ch = getopt(argc, argv, "f:l:u:cehR")) != -1) { | 1415 | pw = pwcopy(user_pw); |
1416 | |||
1417 | while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) { | ||
1415 | switch (ch) { | 1418 | switch (ch) { |
1416 | case 'R': | 1419 | case 'R': |
1417 | readonly = 1; | 1420 | readonly = 1; |
@@ -1436,6 +1439,12 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) | |||
1436 | if (log_facility == SYSLOG_FACILITY_NOT_SET) | 1439 | if (log_facility == SYSLOG_FACILITY_NOT_SET) |
1437 | error("Invalid log facility \"%s\"", optarg); | 1440 | error("Invalid log facility \"%s\"", optarg); |
1438 | break; | 1441 | break; |
1442 | case 'd': | ||
1443 | cp = tilde_expand_filename(optarg, user_pw->pw_uid); | ||
1444 | homedir = percent_expand(cp, "d", user_pw->pw_dir, | ||
1445 | "u", user_pw->pw_name, (char *)NULL); | ||
1446 | free(cp); | ||
1447 | break; | ||
1439 | case 'u': | 1448 | case 'u': |
1440 | errno = 0; | 1449 | errno = 0; |
1441 | mask = strtol(optarg, &cp, 8); | 1450 | mask = strtol(optarg, &cp, 8); |
@@ -1463,8 +1472,6 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) | |||
1463 | } else | 1472 | } else |
1464 | client_addr = xstrdup("UNKNOWN"); | 1473 | client_addr = xstrdup("UNKNOWN"); |
1465 | 1474 | ||
1466 | pw = pwcopy(user_pw); | ||
1467 | |||
1468 | logit("session opened for local user %s from [%s]", | 1475 | logit("session opened for local user %s from [%s]", |
1469 | pw->pw_name, client_addr); | 1476 | pw->pw_name, client_addr); |
1470 | 1477 | ||
@@ -1489,6 +1496,13 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) | |||
1489 | rset = (fd_set *)xmalloc(set_size); | 1496 | rset = (fd_set *)xmalloc(set_size); |
1490 | wset = (fd_set *)xmalloc(set_size); | 1497 | wset = (fd_set *)xmalloc(set_size); |
1491 | 1498 | ||
1499 | if (homedir != NULL) { | ||
1500 | if (chdir(homedir) != 0) { | ||
1501 | error("chdir to \"%s\" failed: %s", homedir, | ||
1502 | strerror(errno)); | ||
1503 | } | ||
1504 | } | ||
1505 | |||
1492 | for (;;) { | 1506 | for (;;) { |
1493 | memset(rset, 0, set_size); | 1507 | memset(rset, 0, set_size); |
1494 | memset(wset, 0, set_size); | 1508 | memset(wset, 0, set_size); |
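Review bot: The new `-d` case in sftp_server_main passes `"d"` as the home-directory key to percent_expand, but sftp-server.8 and sftp-server.0 in this same commit document the token as `%h`. A start directory written the documented way would therefore not expand as described; as far as I know percent_expand treats an unknown key as fatal, so the server would likely exit rather than fall back to the home directory. Either accept both keys, `homedir = percent_expand(cp, "d", user_pw->pw_dir, "h", user_pw->pw_dir, "u", user_pw->pw_name, (char *)NULL);`, or change the manual text to `%d`. Separately, a failed `chdir(homedir)` is only logged and the session continues in the inherited directory, which deserves a comment if that is intended, especially where the option is combined with ChrootDirectory.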
@@ -336,4 +336,4 @@ SEE ALSO | |||
336 | draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress | 336 | draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress |
337 | material. | 337 | material. |
338 | 338 | ||
339 | OpenBSD 5.2 September 5, 2011 OpenBSD 5.2 | 339 | OpenBSD 5.3 September 5, 2011 OpenBSD 5.3 |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sftp.c,v 1.136 2012/06/22 14:36:33 dtucker Exp $ */ | 1 | /* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> | 3 | * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> |
4 | * | 4 | * |
@@ -54,10 +54,6 @@ typedef void EditLine; | |||
54 | # include <util.h> | 54 | # include <util.h> |
55 | #endif | 55 | #endif |
56 | 56 | ||
57 | #ifdef HAVE_LIBUTIL_H | ||
58 | # include <libutil.h> | ||
59 | #endif | ||
60 | |||
61 | #include "xmalloc.h" | 57 | #include "xmalloc.h" |
62 | #include "log.h" | 58 | #include "log.h" |
63 | #include "pathnames.h" | 59 | #include "pathnames.h" |
@@ -991,6 +987,10 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, | |||
991 | state = MA_START; | 987 | state = MA_START; |
992 | i = j = 0; | 988 | i = j = 0; |
993 | for (;;) { | 989 | for (;;) { |
990 | if ((size_t)argc >= sizeof(argv) / sizeof(*argv)){ | ||
991 | error("Too many arguments."); | ||
992 | return NULL; | ||
993 | } | ||
994 | if (isspace(arg[i])) { | 994 | if (isspace(arg[i])) { |
995 | if (state == MA_UNQUOTED) { | 995 | if (state == MA_UNQUOTED) { |
996 | /* Terminate current argument */ | 996 | /* Terminate current argument */ |
@@ -1141,7 +1141,7 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, | |||
1141 | 1141 | ||
1142 | /* Figure out which command we have */ | 1142 | /* Figure out which command we have */ |
1143 | for (i = 0; cmds[i].c != NULL; i++) { | 1143 | for (i = 0; cmds[i].c != NULL; i++) { |
1144 | if (strcasecmp(cmds[i].c, argv[0]) == 0) | 1144 | if (argv[0] != NULL && strcasecmp(cmds[i].c, argv[0]) == 0) |
1145 | break; | 1145 | break; |
1146 | } | 1146 | } |
1147 | cmdnum = cmds[i].n; | 1147 | cmdnum = cmds[i].n; |
@@ -1695,7 +1695,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, | |||
1695 | { | 1695 | { |
1696 | glob_t g; | 1696 | glob_t g; |
1697 | char *tmp, *tmp2, ins[3]; | 1697 | char *tmp, *tmp2, ins[3]; |
1698 | u_int i, hadglob, pwdlen, len, tmplen, filelen; | 1698 | u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; |
1699 | const LineInfo *lf; | 1699 | const LineInfo *lf; |
1700 | 1700 | ||
1701 | /* Glob from "file" location */ | 1701 | /* Glob from "file" location */ |
@@ -1704,6 +1704,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, | |||
1704 | else | 1704 | else |
1705 | xasprintf(&tmp, "%s*", file); | 1705 | xasprintf(&tmp, "%s*", file); |
1706 | 1706 | ||
1707 | /* Check if the path is absolute. */ | ||
1708 | isabs = tmp[0] == '/'; | ||
1709 | |||
1707 | memset(&g, 0, sizeof(g)); | 1710 | memset(&g, 0, sizeof(g)); |
1708 | if (remote != LOCAL) { | 1711 | if (remote != LOCAL) { |
1709 | tmp = make_absolute(tmp, remote_path); | 1712 | tmp = make_absolute(tmp, remote_path); |
@@ -1738,7 +1741,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, | |||
1738 | goto out; | 1741 | goto out; |
1739 | 1742 | ||
1740 | tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); | 1743 | tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); |
1741 | tmp = path_strip(tmp2, remote_path); | 1744 | tmp = path_strip(tmp2, isabs ? NULL : remote_path); |
1742 | xfree(tmp2); | 1745 | xfree(tmp2); |
1743 | 1746 | ||
1744 | if (tmp == NULL) | 1747 | if (tmp == NULL) |
@@ -1747,8 +1750,18 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, | |||
1747 | tmplen = strlen(tmp); | 1750 | tmplen = strlen(tmp); |
1748 | filelen = strlen(file); | 1751 | filelen = strlen(file); |
1749 | 1752 | ||
1750 | if (tmplen > filelen) { | 1753 | /* Count the number of escaped characters in the input string. */ |
1751 | tmp2 = tmp + filelen; | 1754 | cesc = isesc = 0; |
1755 | for (i = 0; i < filelen; i++) { | ||
1756 | if (!isesc && file[i] == '\\' && i + 1 < filelen){ | ||
1757 | isesc = 1; | ||
1758 | cesc++; | ||
1759 | } else | ||
1760 | isesc = 0; | ||
1761 | } | ||
1762 | |||
1763 | if (tmplen > (filelen - cesc)) { | ||
1764 | tmp2 = tmp + filelen - cesc; | ||
1752 | len = strlen(tmp2); | 1765 | len = strlen(tmp2); |
1753 | /* quote argument on way out */ | 1766 | /* quote argument on way out */ |
1754 | for (i = 0; i < len; i++) { | 1767 | for (i = 0; i < len; i++) { |
@@ -1762,6 +1775,8 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, | |||
1762 | case '\t': | 1775 | case '\t': |
1763 | case '[': | 1776 | case '[': |
1764 | case ' ': | 1777 | case ' ': |
1778 | case '#': | ||
1779 | case '*': | ||
1765 | if (quote == '\0' || tmp2[i] == quote) { | 1780 | if (quote == '\0' || tmp2[i] == quote) { |
1766 | if (el_insertstr(el, ins) == -1) | 1781 | if (el_insertstr(el, ins) == -1) |
1767 | fatal("el_insertstr " | 1782 | fatal("el_insertstr " |
@@ -1917,6 +1932,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) | |||
1917 | return (-1); | 1932 | return (-1); |
1918 | } | 1933 | } |
1919 | } else { | 1934 | } else { |
1935 | /* XXX this is wrong wrt quoting */ | ||
1920 | if (file2 == NULL) | 1936 | if (file2 == NULL) |
1921 | snprintf(cmd, sizeof cmd, "get %s", dir); | 1937 | snprintf(cmd, sizeof cmd, "get %s", dir); |
1922 | else | 1938 | else |
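Review bot: The added `/* XXX this is wrong wrt quoting */` in interactive_loop records a defect without saying what goes wrong: `dir` is formatted unescaped into `cmd` by `snprintf(cmd, sizeof cmd, "get %s", dir)`, so a path containing whitespace, quotes or glob characters will presumably be split or expanded when the command string is parsed again (that parsing is outside the hunk). I would spell the consequence out, e.g. `/* XXX dir/file2 are not quoted: names with spaces, quotes or glob characters are re-parsed incorrectly */`. The snprintf result is also not compared with `sizeof cmd`, so a long path would be truncated silently into a different command argument. interactive_loop starts and ends outside the hunk.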
@@ -37,16 +37,17 @@ DESCRIPTION | |||
37 | 37 | ||
38 | -d Instead of adding identities, removes identities from the agent. | 38 | -d Instead of adding identities, removes identities from the agent. |
39 | If ssh-add has been run without arguments, the keys for the | 39 | If ssh-add has been run without arguments, the keys for the |
40 | default identities will be removed. Otherwise, the argument list | 40 | default identities and their corresponding certificates will be |
41 | will be interpreted as a list of paths to public key files and | 41 | removed. Otherwise, the argument list will be interpreted as a |
42 | matching keys will be removed from the agent. If no public key | 42 | list of paths to public key files to specify keys and |
43 | is found at a given path, ssh-add will append .pub and retry. | 43 | certificates to be removed from the agent. If no public key is |
44 | found at a given path, ssh-add will append .pub and retry. | ||
44 | 45 | ||
45 | -e pkcs11 | 46 | -e pkcs11 |
46 | Remove keys provided by the PKCS#11 shared library pkcs11. | 47 | Remove keys provided by the PKCS#11 shared library pkcs11. |
47 | 48 | ||
48 | -k When loading keys into the agent, load plain private keys only | 49 | -k When loading keys into or deleting keys from the agent, process |
49 | and skip certificates. | 50 | plain private keys only and skip certificates. |
50 | 51 | ||
51 | -L Lists public key parameters of all identities currently | 52 | -L Lists public key parameters of all identities currently |
52 | represented by the agent. | 53 | represented by the agent. |
@@ -115,4 +116,4 @@ AUTHORS | |||
115 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 116 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
116 | versions 1.5 and 2.0. | 117 | versions 1.5 and 2.0. |
117 | 118 | ||
118 | OpenBSD 5.2 October 18, 2011 OpenBSD 5.2 | 119 | OpenBSD 5.3 December 3, 2012 OpenBSD 5.3 |
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $ | 1 | .\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: October 18 2011 $ | 38 | .Dd $Mdocdate: December 3 2012 $ |
39 | .Dt SSH-ADD 1 | 39 | .Dt SSH-ADD 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -102,10 +102,10 @@ Deletes all identities from the agent. | |||
102 | Instead of adding identities, removes identities from the agent. | 102 | Instead of adding identities, removes identities from the agent. |
103 | If | 103 | If |
104 | .Nm | 104 | .Nm |
105 | has been run without arguments, the keys for the default identities will | 105 | has been run without arguments, the keys for the default identities and |
106 | be removed. | 106 | their corresponding certificates will be removed. |
107 | Otherwise, the argument list will be interpreted as a list of paths to | 107 | Otherwise, the argument list will be interpreted as a list of paths to |
108 | public key files and matching keys will be removed from the agent. | 108 | public key files to specify keys and certificates to be removed from the agent. |
109 | If no public key is found at a given path, | 109 | If no public key is found at a given path, |
110 | .Nm | 110 | .Nm |
111 | will append | 111 | will append |
@@ -115,8 +115,8 @@ and retry. | |||
115 | Remove keys provided by the PKCS#11 shared library | 115 | Remove keys provided by the PKCS#11 shared library |
116 | .Ar pkcs11 . | 116 | .Ar pkcs11 . |
117 | .It Fl k | 117 | .It Fl k |
118 | When loading keys into the agent, load plain private keys only and skip | 118 | When loading keys into or deleting keys from the agent, process plain private |
119 | certificates. | 119 | keys only and skip certificates. |
120 | .It Fl L | 120 | .It Fl L |
121 | Lists public key parameters of all identities currently represented | 121 | Lists public key parameters of all identities currently represented |
122 | by the agent. | 122 | by the agent. |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */ | 1 | /* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -96,10 +96,10 @@ clear_pass(void) | |||
96 | } | 96 | } |
97 | 97 | ||
98 | static int | 98 | static int |
99 | delete_file(AuthenticationConnection *ac, const char *filename) | 99 | delete_file(AuthenticationConnection *ac, const char *filename, int key_only) |
100 | { | 100 | { |
101 | Key *public; | 101 | Key *public = NULL, *cert = NULL; |
102 | char *comment = NULL; | 102 | char *certpath = NULL, *comment = NULL; |
103 | int ret = -1; | 103 | int ret = -1; |
104 | 104 | ||
105 | public = key_load_public(filename, &comment); | 105 | public = key_load_public(filename, &comment); |
@@ -113,8 +113,33 @@ delete_file(AuthenticationConnection *ac, const char *filename) | |||
113 | } else | 113 | } else |
114 | fprintf(stderr, "Could not remove identity: %s\n", filename); | 114 | fprintf(stderr, "Could not remove identity: %s\n", filename); |
115 | 115 | ||
116 | key_free(public); | 116 | if (key_only) |
117 | xfree(comment); | 117 | goto out; |
118 | |||
119 | /* Now try to delete the corresponding certificate too */ | ||
120 | free(comment); | ||
121 | comment = NULL; | ||
122 | xasprintf(&certpath, "%s-cert.pub", filename); | ||
123 | if ((cert = key_load_public(certpath, &comment)) == NULL) | ||
124 | goto out; | ||
125 | if (!key_equal_public(cert, public)) | ||
126 | fatal("Certificate %s does not match private key %s", | ||
127 | certpath, filename); | ||
128 | |||
129 | if (ssh_remove_identity(ac, cert)) { | ||
130 | fprintf(stderr, "Identity removed: %s (%s)\n", certpath, | ||
131 | comment); | ||
132 | ret = 0; | ||
133 | } else | ||
134 | fprintf(stderr, "Could not remove identity: %s\n", certpath); | ||
135 | |||
136 | out: | ||
137 | if (cert != NULL) | ||
138 | key_free(cert); | ||
139 | if (public != NULL) | ||
140 | key_free(public); | ||
141 | free(certpath); | ||
142 | free(comment); | ||
118 | 143 | ||
119 | return ret; | 144 | return ret; |
120 | } | 145 | } |
@@ -362,7 +387,7 @@ static int | |||
362 | do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) | 387 | do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) |
363 | { | 388 | { |
364 | if (deleting) { | 389 | if (deleting) { |
365 | if (delete_file(ac, file) == -1) | 390 | if (delete_file(ac, file, key_only) == -1) |
366 | return -1; | 391 | return -1; |
367 | } else { | 392 | } else { |
368 | if (add_file(ac, file, key_only) == -1) | 393 | if (add_file(ac, file, key_only) == -1) |
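Review bot: In delete_file the certificate branch sets `ret = 0` when the certificate is removed even if removing the key just before it failed, and leaves `ret` untouched when the certificate removal fails, so the return value now means "at least one of the two was removed" (the key branch's own assignment is outside the hunk). A caller that relies on the result cannot tell that a key or certificate is still held by the agent. I would document that contract above the function, e.g. `/* Returns 0 if the key or its certificate was removed, -1 if neither was */`, or track the two results separately. Note also that `certpath` is built as `filename` plus `-cert.pub`, so when the argument is already a `.pub` path, as the manual text in this commit describes, the certificate file will presumably not be found and the certificate is left in the agent without any message.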
diff --git a/ssh-agent.0 b/ssh-agent.0 index 77930ce42..578984815 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 | |||
@@ -120,4 +120,4 @@ AUTHORS | |||
120 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 120 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
121 | versions 1.5 and 2.0. | 121 | versions 1.5 and 2.0. |
122 | 122 | ||
123 | OpenBSD 5.2 November 21, 2010 OpenBSD 5.2 | 123 | OpenBSD 5.3 November 21, 2010 OpenBSD 5.3 |
@@ -42,12 +42,13 @@ | |||
42 | # include <gssapi/gssapi_generic.h> | 42 | # include <gssapi/gssapi_generic.h> |
43 | # endif | 43 | # endif |
44 | 44 | ||
45 | /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ | 45 | /* Old MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ |
46 | 46 | ||
47 | #ifndef GSS_C_NT_HOSTBASED_SERVICE | 47 | # if !HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE |
48 | #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name | 48 | # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name |
49 | #endif /* GSS_C_NT_... */ | 49 | # endif /* !HAVE_DECL_GSS_C_NT_... */ |
50 | #endif /* !HEIMDAL */ | 50 | |
51 | # endif /* !HEIMDAL */ | ||
51 | #endif /* KRB5 */ | 52 | #endif /* KRB5 */ |
52 | 53 | ||
53 | /* draft-ietf-secsh-gsskeyex-06 */ | 54 | /* draft-ietf-secsh-gsskeyex-06 */ |
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 8f9fbd179..3c7a64753 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -25,6 +25,9 @@ SYNOPSIS | |||
25 | [-O option] [-V validity_interval] [-z serial_number] file ... | 25 | [-O option] [-V validity_interval] [-z serial_number] file ... |
26 | ssh-keygen -L [-f input_keyfile] | 26 | ssh-keygen -L [-f input_keyfile] |
27 | ssh-keygen -A | 27 | ssh-keygen -A |
28 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] | ||
29 | file ... | ||
30 | ssh-keygen -Q -f krl_file file ... | ||
28 | 31 | ||
29 | DESCRIPTION | 32 | DESCRIPTION |
30 | ssh-keygen generates, manages and converts authentication keys for | 33 | ssh-keygen generates, manages and converts authentication keys for |
@@ -37,6 +40,10 @@ DESCRIPTION | |||
37 | ssh-keygen is also used to generate groups for use in Diffie-Hellman | 40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman |
38 | group exchange (DH-GEX). See the MODULI GENERATION section for details. | 41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. |
39 | 42 | ||
43 | Finally, ssh-keygen can be used to generate and update Key Revocation | ||
44 | Lists, and to test whether given keys have been revoked by one. See the | ||
45 | KEY REVOCATION LISTS section for details. | ||
46 | |||
40 | Normally each user wishing to use SSH with public key authentication runs | 47 | Normally each user wishing to use SSH with public key authentication runs |
41 | this once to create the authentication key in ~/.ssh/identity, | 48 | this once to create the authentication key in ~/.ssh/identity, |
42 | ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the | 49 | ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the |
@@ -167,6 +174,13 @@ DESCRIPTION | |||
167 | keys from other software, including several commercial SSH | 174 | keys from other software, including several commercial SSH |
168 | implementations. The default import format is ``RFC4716''. | 175 | implementations. The default import format is ``RFC4716''. |
169 | 176 | ||
177 | -k Generate a KRL file. In this mode, ssh-keygen will generate a | ||
178 | KRL file at the location specified via the -f flag that revokes | ||
179 | every key or certificate presented on the command line. | ||
180 | Keys/certificates to be revoked may be specified by public key | ||
181 | file or using the format described in the KEY REVOCATION LISTS | ||
182 | section. | ||
183 | |||
170 | -L Prints the contents of a certificate. | 184 | -L Prints the contents of a certificate. |
171 | 185 | ||
172 | -l Show fingerprint of specified public key file. Private RSA1 keys | 186 | -l Show fingerprint of specified public key file. Private RSA1 keys |
@@ -256,6 +270,8 @@ DESCRIPTION | |||
256 | containing the private key, for the old passphrase, and twice for | 270 | containing the private key, for the old passphrase, and twice for |
257 | the new passphrase. | 271 | the new passphrase. |
258 | 272 | ||
273 | -Q Test whether keys have been revoked in a KRL. | ||
274 | |||
259 | -q Silence ssh-keygen. | 275 | -q Silence ssh-keygen. |
260 | 276 | ||
261 | -R hostname | 277 | -R hostname |
@@ -275,6 +291,10 @@ DESCRIPTION | |||
275 | Certify (sign) a public key using the specified CA key. Please | 291 | Certify (sign) a public key using the specified CA key. Please |
276 | see the CERTIFICATES section for details. | 292 | see the CERTIFICATES section for details. |
277 | 293 | ||
294 | When generating a KRL, -s specifies a path to a CA public key | ||
295 | file used to revoke certificates directly by key ID or serial | ||
296 | number. See the KEY REVOCATION LISTS section for details. | ||
297 | |||
278 | -T output_file | 298 | -T output_file |
279 | Test DH group exchange candidate primes (generated using the -G | 299 | Test DH group exchange candidate primes (generated using the -G |
280 | option) for safety. | 300 | option) for safety. |
@@ -284,6 +304,10 @@ DESCRIPTION | |||
284 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' | 304 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' |
285 | for protocol version 2. | 305 | for protocol version 2. |
286 | 306 | ||
307 | -u Update a KRL. When specified with -k, keys listed via the | ||
308 | command line are added to the existing KRL rather than a new KRL | ||
309 | being created. | ||
310 | |||
287 | -V validity_interval | 311 | -V validity_interval |
288 | Specify a validity interval when signing a certificate. A | 312 | Specify a validity interval when signing a certificate. A |
289 | validity interval may consist of a single time, indicating that | 313 | validity interval may consist of a single time, indicating that |
@@ -321,6 +345,9 @@ DESCRIPTION | |||
321 | distinguish this certificate from others from the same CA. The | 345 | distinguish this certificate from others from the same CA. The |
322 | default serial number is zero. | 346 | default serial number is zero. |
323 | 347 | ||
348 | When generating a KRL, the -z flag is used to specify a KRL | ||
349 | version number. | ||
350 | |||
324 | MODULI GENERATION | 351 | MODULI GENERATION |
325 | ssh-keygen may be used to generate groups for the Diffie-Hellman Group | 352 | ssh-keygen may be used to generate groups for the Diffie-Hellman Group |
326 | Exchange (DH-GEX) protocol. Generating these groups is a two-step | 353 | Exchange (DH-GEX) protocol. Generating these groups is a two-step |
@@ -404,13 +431,64 @@ CERTIFICATES | |||
404 | Finally, certificates may be defined with a validity lifetime. The -V | 431 | Finally, certificates may be defined with a validity lifetime. The -V |
405 | option allows specification of certificate start and end times. A | 432 | option allows specification of certificate start and end times. A |
406 | certificate that is presented at a time outside this range will not be | 433 | certificate that is presented at a time outside this range will not be |
407 | considered valid. By default, certificates have a maximum validity | 434 | considered valid. By default, certificates are valid from UNIX Epoch to |
408 | interval. | 435 | the distant future. |
409 | 436 | ||
410 | For certificates to be used for user or host authentication, the CA | 437 | For certificates to be used for user or host authentication, the CA |
411 | public key must be trusted by sshd(8) or ssh(1). Please refer to those | 438 | public key must be trusted by sshd(8) or ssh(1). Please refer to those |
412 | manual pages for details. | 439 | manual pages for details. |
413 | 440 | ||
441 | KEY REVOCATION LISTS | ||
442 | ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). | ||
443 | These binary files specify keys or certificates to be revoked using a | ||
444 | compact format, taking as little a one bit per certificate if they are | ||
445 | being revoked by serial number. | ||
446 | |||
447 | KRLs may be generated using the -k flag. This option reads one or more | ||
448 | files from the command line and generates a new KRL. The files may | ||
449 | either contain a KRL specification (see below) or public keys, listed one | ||
450 | per line. Plain public keys are revoked by listing their hash or | ||
451 | contents in the KRL and certificates revoked by serial number or key ID | ||
452 | (if the serial is zero or not available). | ||
453 | |||
454 | Revoking keys using a KRL specification offers explicit control over the | ||
455 | types of record used to revoke keys and may be used to directly revoke | ||
456 | certificates by serial number or key ID without having the complete | ||
457 | original certificate on hand. A KRL specification consists of lines | ||
458 | containing one of the following directives followed by a colon and some | ||
459 | directive-specific information. | ||
460 | |||
461 | serial: serial_number[-serial_number] | ||
462 | Revokes a certificate with the specified serial number. Serial | ||
463 | numbers are 64-bit values, not including zero and may be | ||
464 | expressed in decimal, hex or octal. If two serial numbers are | ||
465 | specified separated by a hyphen, then the range of serial numbers | ||
466 | including and between each is revoked. The CA key must have been | ||
467 | specified on the ssh-keygen command line using the -s option. | ||
468 | |||
469 | id: key_id | ||
470 | Revokes a certificate with the specified key ID string. The CA | ||
471 | key must have been specified on the ssh-keygen command line using | ||
472 | the -s option. | ||
473 | |||
474 | key: public_key | ||
475 | Revokes the specified key. If a certificate is listed, then it | ||
476 | is revoked as a plain public key. | ||
477 | |||
478 | sha1: public_key | ||
479 | Revokes the specified key by its SHA1 hash. | ||
480 | |||
481 | KRLs may be updated using the -u flag in addition to -k. When this | ||
482 | option is specified, keys listed via the command line are merged into the | ||
483 | KRL, adding to those already there. | ||
484 | |||
485 | It is also possible, given a KRL, to test whether it revokes a particular | ||
486 | key (or keys). The -Q flag will query an existing KRL, testing each key | ||
487 | specified on the commandline. If any key listed on the command line has | ||
488 | been revoked (or an error encountered) then ssh-keygen will exit with a | ||
489 | non-zero exit status. A zero exit status will only be returned if no key | ||
490 | was revoked. | ||
491 | |||
414 | FILES | 492 | FILES |
415 | ~/.ssh/identity | 493 | ~/.ssh/identity |
416 | Contains the protocol version 1 RSA authentication identity of | 494 | Contains the protocol version 1 RSA authentication identity of |
@@ -465,4 +543,4 @@ AUTHORS | |||
465 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 543 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
466 | versions 1.5 and 2.0. | 544 | versions 1.5 and 2.0. |
467 | 545 | ||
468 | OpenBSD 5.2 July 6, 2012 OpenBSD 5.2 | 546 | OpenBSD 5.3 January 19, 2013 OpenBSD 5.3 |
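--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 6 2012 $
+.Dd $Mdocdate: January 19 2013 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -122,6 +122,17 @@
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl A
+.Nm ssh-keygen
+.Fl k
+.Fl f Ar krl_file
+.Op Fl u
+.Op Fl s Ar ca_public
+.Op Fl z Ar version_number
+.Ar
+.Nm ssh-keygen
+.Fl Q
+.Fl f Ar krl_file
+.Ar
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -144,6 +155,14 @@ See the
 .Sx MODULI GENERATION
 section for details.
 .Pp
+Finally,
+.Nm
+can be used to generate and update Key Revocation Lists, and to test whether
+given keys have been revoked by one.
+See the
+.Sx KEY REVOCATION LISTS
+section for details.
+.Pp
 Normally each user wishing to use SSH
 with public key authentication runs this once to create the authentication
 key in
@@ -317,6 +336,17 @@ This option allows importing keys from other software, including several
 commercial SSH implementations.
 The default import format is
 .Dq RFC4716 .
+.It Fl k
+Generate a KRL file.
+In this mode,
+.Nm
+will generate a KRL file at the location specified via the
+.Fl f
+flag that revokes every key or certificate presented on the command line.
+Keys/certificates to be revoked may be specified by public key file or
+using the format described in the
+.Sx KEY REVOCATION LISTS
+section.
 .It Fl L
 Prints the contents of a certificate.
 .It Fl l
@@ -421,6 +451,8 @@ creating a new private key.
 The program will prompt for the file
 containing the private key, for the old passphrase, and twice for the
 new passphrase.
+.It Fl Q
+Test whether keys have been revoked in a KRL.
 .It Fl q
 Silence
 .Nm ssh-keygen .
@@ -444,6 +476,14 @@ Certify (sign) a public key using the specified CA key.
 Please see the
 .Sx CERTIFICATES
 section for details.
+.Pp
+When generating a KRL,
+.Fl s
+specifies a path to a CA public key file used to revoke certificates directly
+by key ID or serial number.
+See the
+.Sx KEY REVOCATION LISTS
+section for details.
 .It Fl T Ar output_file
 Test DH group exchange candidate primes (generated using the
 .Fl G
@@ -458,6 +498,12 @@ for protocol version 1 and
 or
 .Dq rsa
 for protocol version 2.
+.It Fl u
+Update a KRL.
+When specified with
+.Fl k ,
+keys listed via the command line are added to the existing KRL rather than
+a new KRL being created.
 .It Fl V Ar validity_interval
 Specify a validity interval when signing a certificate.
 A validity interval may consist of a single time, indicating that the
@@ -500,6 +546,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
 The default serial number is zero.
+.Pp
+When generating a KRL, the
+.Fl z
+flag is used to specify a KRL version number.
 .El
 .Sh MODULI GENERATION
 .Nm
@@ -624,7 +674,9 @@ The
 option allows specification of certificate start and end times.
 A certificate that is presented at a time outside this range will not be
 considered valid.
-By default, certificates have a maximum validity interval.
+By default, certificates are valid from
+.Ux
+Epoch to the distant future.
 .Pp
 For certificates to be used for user or host authentication, the CA
 public key must be trusted by
@@ -632,6 +684,73 @@ public key must be trusted by
 or
 .Xr ssh 1 .
 Please refer to those manual pages for details.
+.Sh KEY REVOCATION LISTS
+.Nm
+is able to manage OpenSSH format Key Revocation Lists (KRLs).
+These binary files specify keys or certificates to be revoked using a
+compact format, taking as little a one bit per certificate if they are being
+revoked by serial number.
+.Pp
+KRLs may be generated using the
+.Fl k
+flag.
+This option reads one or more files from the command line and generates a new
+KRL.
+The files may either contain a KRL specification (see below) or public keys,
+listed one per line.
+Plain public keys are revoked by listing their hash or contents in the KRL and
+certificates revoked by serial number or key ID (if the serial is zero or
+not available).
+.Pp
+Revoking keys using a KRL specification offers explicit control over the
+types of record used to revoke keys and may be used to directly revoke
+certificates by serial number or key ID without having the complete original
+certificate on hand.
+A KRL specification consists of lines containing one of the following directives
+followed by a colon and some directive-specific information.
+.Bl -tag -width Ds
+.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
+Revokes a certificate with the specified serial number.
+Serial numbers are 64-bit values, not including zero and may be expressed
+in decimal, hex or octal.
+If two serial numbers are specified separated by a hyphen, then the range
+of serial numbers including and between each is revoked.
+The CA key must have been specified on the
+.Nm
+command line using the
+.Fl s
+option.
+.It Cm id : Ar key_id
+Revokes a certificate with the specified key ID string.
+The CA key must have been specified on the
+.Nm
+command line using the
+.Fl s
+option.
+.It Cm key : Ar public_key
+Revokes the specified key.
+If a certificate is listed, then it is revoked as a plain public key.
+.It Cm sha1 : Ar public_key
+Revokes the specified key by its SHA1 hash.
+.El
+.Pp
+KRLs may be updated using the
+.Fl u
+flag in addition to
+.Fl k .
+When this option is specified, keys listed via the command line are merged into
+the KRL, adding to those already there.
+.Pp
+It is also possible, given a KRL, to test whether it revokes a particular key
+(or keys).
+The
+.Fl Q
+flag will query an existing KRL, testing each key specified on the commandline.
+If any key listed on the command line has been revoked (or an error encountered)
+then
+.Nm
+will exit with a non-zero exit status.
+A zero exit status will only be returned if no key was revoked.
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.ssh/identity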
diff --git a/ssh-keygen.c b/ssh-keygen.c index a223ddc81..d1a205e18 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.216 2012/07/06 06:38:03 jmc Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -48,8 +48,11 @@ | |||
48 | #include "match.h" | 48 | #include "match.h" |
49 | #include "hostfile.h" | 49 | #include "hostfile.h" |
50 | #include "dns.h" | 50 | #include "dns.h" |
51 | #include "ssh.h" | ||
51 | #include "ssh2.h" | 52 | #include "ssh2.h" |
52 | #include "ssh-pkcs11.h" | 53 | #include "ssh-pkcs11.h" |
54 | #include "atomicio.h" | ||
55 | #include "krl.h" | ||
53 | 56 | ||
54 | /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ | 57 | /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ |
55 | #define DEFAULT_BITS 2048 | 58 | #define DEFAULT_BITS 2048 |
@@ -104,7 +107,7 @@ char *identity_comment = NULL; | |||
104 | char *ca_key_path = NULL; | 107 | char *ca_key_path = NULL; |
105 | 108 | ||
106 | /* Certificate serial number */ | 109 | /* Certificate serial number */ |
107 | long long cert_serial = 0; | 110 | unsigned long long cert_serial = 0; |
108 | 111 | ||
109 | /* Key type when certifying */ | 112 | /* Key type when certifying */ |
110 | u_int cert_key_type = SSH2_CERT_TYPE_USER; | 113 | u_int cert_key_type = SSH2_CERT_TYPE_USER; |
@@ -723,15 +726,33 @@ do_download(struct passwd *pw) | |||
723 | #ifdef ENABLE_PKCS11 | 726 | #ifdef ENABLE_PKCS11 |
724 | Key **keys = NULL; | 727 | Key **keys = NULL; |
725 | int i, nkeys; | 728 | int i, nkeys; |
729 | enum fp_rep rep; | ||
730 | enum fp_type fptype; | ||
731 | char *fp, *ra; | ||
732 | |||
733 | fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; | ||
734 | rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; | ||
726 | 735 | ||
727 | pkcs11_init(0); | 736 | pkcs11_init(0); |
728 | nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); | 737 | nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); |
729 | if (nkeys <= 0) | 738 | if (nkeys <= 0) |
730 | fatal("cannot read public key from pkcs11"); | 739 | fatal("cannot read public key from pkcs11"); |
731 | for (i = 0; i < nkeys; i++) { | 740 | for (i = 0; i < nkeys; i++) { |
732 | key_write(keys[i], stdout); | 741 | if (print_fingerprint) { |
742 | fp = key_fingerprint(keys[i], fptype, rep); | ||
743 | ra = key_fingerprint(keys[i], SSH_FP_MD5, | ||
744 | SSH_FP_RANDOMART); | ||
745 | printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), | ||
746 | fp, key_type(keys[i])); | ||
747 | if (log_level >= SYSLOG_LEVEL_VERBOSE) | ||
748 | printf("%s\n", ra); | ||
749 | xfree(ra); | ||
750 | xfree(fp); | ||
751 | } else { | ||
752 | key_write(keys[i], stdout); | ||
753 | fprintf(stdout, "\n"); | ||
754 | } | ||
733 | key_free(keys[i]); | 755 | key_free(keys[i]); |
734 | fprintf(stdout, "\n"); | ||
735 | } | 756 | } |
736 | xfree(keys); | 757 | xfree(keys); |
737 | pkcs11_terminate(); | 758 | pkcs11_terminate(); |
@@ -1088,8 +1109,14 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1088 | ca ? " (CA key)" : ""); | 1109 | ca ? " (CA key)" : ""); |
1089 | printhost(out, cp, pub, ca, 0); | 1110 | printhost(out, cp, pub, ca, 0); |
1090 | } | 1111 | } |
1091 | if (delete_host && !c && !ca) | 1112 | if (delete_host) { |
1092 | printhost(out, cp, pub, ca, 0); | 1113 | if (!c && !ca) |
1114 | printhost(out, cp, pub, ca, 0); | ||
1115 | else | ||
1116 | printf("# Host %s found: " | ||
1117 | "line %d type %s\n", name, | ||
1118 | num, key_type(pub)); | ||
1119 | } | ||
1093 | } else if (hash_hosts) | 1120 | } else if (hash_hosts) |
1094 | printhost(out, cp, pub, ca, 0); | 1121 | printhost(out, cp, pub, ca, 0); |
1095 | } else { | 1122 | } else { |
@@ -1104,8 +1131,14 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1104 | printhost(out, name, pub, | 1131 | printhost(out, name, pub, |
1105 | ca, hash_hosts && !ca); | 1132 | ca, hash_hosts && !ca); |
1106 | } | 1133 | } |
1107 | if (delete_host && !c && !ca) | 1134 | if (delete_host) { |
1108 | printhost(out, cp, pub, ca, 0); | 1135 | if (!c && !ca) |
1136 | printhost(out, cp, pub, ca, 0); | ||
1137 | else | ||
1138 | printf("# Host %s found: " | ||
1139 | "line %d type %s\n", name, | ||
1140 | num, key_type(pub)); | ||
1141 | } | ||
1109 | } else if (hash_hosts) { | 1142 | } else if (hash_hosts) { |
1110 | for (cp2 = strsep(&cp, ","); | 1143 | for (cp2 = strsep(&cp, ","); |
1111 | cp2 != NULL && *cp2 != '\0'; | 1144 | cp2 != NULL && *cp2 != '\0'; |
@@ -1867,6 +1900,226 @@ do_show_cert(struct passwd *pw) | |||
1867 | } | 1900 | } |
1868 | 1901 | ||
1869 | static void | 1902 | static void |
1903 | load_krl(const char *path, struct ssh_krl **krlp) | ||
1904 | { | ||
1905 | Buffer krlbuf; | ||
1906 | int fd; | ||
1907 | |||
1908 | buffer_init(&krlbuf); | ||
1909 | if ((fd = open(path, O_RDONLY)) == -1) | ||
1910 | fatal("open %s: %s", path, strerror(errno)); | ||
1911 | if (!key_load_file(fd, path, &krlbuf)) | ||
1912 | fatal("Unable to load KRL"); | ||
1913 | close(fd); | ||
1914 | /* XXX check sigs */ | ||
1915 | if (ssh_krl_from_blob(&krlbuf, krlp, NULL, 0) != 0 || | ||
1916 | *krlp == NULL) | ||
1917 | fatal("Invalid KRL file"); | ||
1918 | buffer_free(&krlbuf); | ||
1919 | } | ||
1920 | |||
1921 | static void | ||
1922 | update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, | ||
1923 | struct ssh_krl *krl) | ||
1924 | { | ||
1925 | Key *key = NULL; | ||
1926 | u_long lnum = 0; | ||
1927 | char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES]; | ||
1928 | unsigned long long serial, serial2; | ||
1929 | int i, was_explicit_key, was_sha1, r; | ||
1930 | FILE *krl_spec; | ||
1931 | |||
1932 | path = tilde_expand_filename(file, pw->pw_uid); | ||
1933 | if (strcmp(path, "-") == 0) { | ||
1934 | krl_spec = stdin; | ||
1935 | free(path); | ||
1936 | path = xstrdup("(standard input)"); | ||
1937 | } else if ((krl_spec = fopen(path, "r")) == NULL) | ||
1938 | fatal("fopen %s: %s", path, strerror(errno)); | ||
1939 | |||
1940 | if (!quiet) | ||
1941 | printf("Revoking from %s\n", path); | ||
1942 | while (read_keyfile_line(krl_spec, path, line, sizeof(line), | ||
1943 | &lnum) == 0) { | ||
1944 | was_explicit_key = was_sha1 = 0; | ||
1945 | cp = line + strspn(line, " \t"); | ||
1946 | /* Trim trailing space, comments and strip \n */ | ||
1947 | for (i = 0, r = -1; cp[i] != '\0'; i++) { | ||
1948 | if (cp[i] == '#' || cp[i] == '\n') { | ||
1949 | cp[i] = '\0'; | ||
1950 | break; | ||
1951 | } | ||
1952 | if (cp[i] == ' ' || cp[i] == '\t') { | ||
1953 | /* Remember the start of a span of whitespace */ | ||
1954 | if (r == -1) | ||
1955 | r = i; | ||
1956 | } else | ||
1957 | r = -1; | ||
1958 | } | ||
1959 | if (r != -1) | ||
1960 | cp[r] = '\0'; | ||
1961 | if (*cp == '\0') | ||
1962 | continue; | ||
1963 | if (strncasecmp(cp, "serial:", 7) == 0) { | ||
1964 | if (ca == NULL) { | ||
1965 | fatal("revoking certificated by serial number " | ||
1966 | "requires specification of a CA key"); | ||
1967 | } | ||
1968 | cp += 7; | ||
1969 | cp = cp + strspn(cp, " \t"); | ||
1970 | errno = 0; | ||
1971 | serial = strtoull(cp, &ep, 0); | ||
1972 | if (*cp == '\0' || (*ep != '\0' && *ep != '-')) | ||
1973 | fatal("%s:%lu: invalid serial \"%s\"", | ||
1974 | path, lnum, cp); | ||
1975 | if (errno == ERANGE && serial == ULLONG_MAX) | ||
1976 | fatal("%s:%lu: serial out of range", | ||
1977 | path, lnum); | ||
1978 | serial2 = serial; | ||
1979 | if (*ep == '-') { | ||
1980 | cp = ep + 1; | ||
1981 | errno = 0; | ||
1982 | serial2 = strtoull(cp, &ep, 0); | ||
1983 | if (*cp == '\0' || *ep != '\0') | ||
1984 | fatal("%s:%lu: invalid serial \"%s\"", | ||
1985 | path, lnum, cp); | ||
1986 | if (errno == ERANGE && serial2 == ULLONG_MAX) | ||
1987 | fatal("%s:%lu: serial out of range", | ||
1988 | path, lnum); | ||
1989 | if (serial2 <= serial) | ||
1990 | fatal("%s:%lu: invalid serial range " | ||
1991 | "%llu:%llu", path, lnum, | ||
1992 | (unsigned long long)serial, | ||
1993 | (unsigned long long)serial2); | ||
1994 | } | ||
1995 | if (ssh_krl_revoke_cert_by_serial_range(krl, | ||
1996 | ca, serial, serial2) != 0) { | ||
1997 | fatal("%s: revoke serial failed", | ||
1998 | __func__); | ||
1999 | } | ||
2000 | } else if (strncasecmp(cp, "id:", 3) == 0) { | ||
2001 | if (ca == NULL) { | ||
2002 | fatal("revoking certificated by key ID " | ||
2003 | "requires specification of a CA key"); | ||
2004 | } | ||
2005 | cp += 3; | ||
2006 | cp = cp + strspn(cp, " \t"); | ||
2007 | if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0) | ||
2008 | fatal("%s: revoke key ID failed", __func__); | ||
2009 | } else { | ||
2010 | if (strncasecmp(cp, "key:", 4) == 0) { | ||
2011 | cp += 4; | ||
2012 | cp = cp + strspn(cp, " \t"); | ||
2013 | was_explicit_key = 1; | ||
2014 | } else if (strncasecmp(cp, "sha1:", 5) == 0) { | ||
2015 | cp += 5; | ||
2016 | cp = cp + strspn(cp, " \t"); | ||
2017 | was_sha1 = 1; | ||
2018 | } else { | ||
2019 | /* | ||
2020 | * Just try to process the line as a key. | ||
2021 | * Parsing will fail if it isn't. | ||
2022 | */ | ||
2023 | } | ||
2024 | if ((key = key_new(KEY_UNSPEC)) == NULL) | ||
2025 | fatal("key_new"); | ||
2026 | if (key_read(key, &cp) != 1) | ||
2027 | fatal("%s:%lu: invalid key", path, lnum); | ||
2028 | if (was_explicit_key) | ||
2029 | r = ssh_krl_revoke_key_explicit(krl, key); | ||
2030 | else if (was_sha1) | ||
2031 | r = ssh_krl_revoke_key_sha1(krl, key); | ||
2032 | else | ||
2033 | r = ssh_krl_revoke_key(krl, key); | ||
2034 | if (r != 0) | ||
2035 | fatal("%s: revoke key failed", __func__); | ||
2036 | key_free(key); | ||
2037 | } | ||
2038 | } | ||
2039 | if (strcmp(path, "-") != 0) | ||
2040 | fclose(krl_spec); | ||
2041 | } | ||
2042 | |||
2043 | static void | ||
2044 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | ||
2045 | { | ||
2046 | struct ssh_krl *krl; | ||
2047 | struct stat sb; | ||
2048 | Key *ca = NULL; | ||
2049 | int fd, i; | ||
2050 | char *tmp; | ||
2051 | Buffer kbuf; | ||
2052 | |||
2053 | if (*identity_file == '\0') | ||
2054 | fatal("KRL generation requires an output file"); | ||
2055 | if (stat(identity_file, &sb) == -1) { | ||
2056 | if (errno != ENOENT) | ||
2057 | fatal("Cannot access KRL \"%s\": %s", | ||
2058 | identity_file, strerror(errno)); | ||
2059 | if (updating) | ||
2060 | fatal("KRL \"%s\" does not exist", identity_file); | ||
2061 | } | ||
2062 | if (ca_key_path != NULL) { | ||
2063 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); | ||
2064 | if ((ca = key_load_public(tmp, NULL)) == NULL) | ||
2065 | fatal("Cannot load CA public key %s", tmp); | ||
2066 | xfree(tmp); | ||
2067 | } | ||
2068 | |||
2069 | if (updating) | ||
2070 | load_krl(identity_file, &krl); | ||
2071 | else if ((krl = ssh_krl_init()) == NULL) | ||
2072 | fatal("couldn't create KRL"); | ||
2073 | |||
2074 | if (cert_serial != 0) | ||
2075 | ssh_krl_set_version(krl, cert_serial); | ||
2076 | if (identity_comment != NULL) | ||
2077 | ssh_krl_set_comment(krl, identity_comment); | ||
2078 | |||
2079 | for (i = 0; i < argc; i++) | ||
2080 | update_krl_from_file(pw, argv[i], ca, krl); | ||
2081 | |||
2082 | buffer_init(&kbuf); | ||
2083 | if (ssh_krl_to_blob(krl, &kbuf, NULL, 0) != 0) | ||
2084 | fatal("Couldn't generate KRL"); | ||
2085 | if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) | ||
2086 | fatal("open %s: %s", identity_file, strerror(errno)); | ||
2087 | if (atomicio(vwrite, fd, buffer_ptr(&kbuf), buffer_len(&kbuf)) != | ||
2088 | buffer_len(&kbuf)) | ||
2089 | fatal("write %s: %s", identity_file, strerror(errno)); | ||
2090 | close(fd); | ||
2091 | buffer_free(&kbuf); | ||
2092 | ssh_krl_free(krl); | ||
2093 | } | ||
2094 | |||
2095 | static void | ||
2096 | do_check_krl(struct passwd *pw, int argc, char **argv) | ||
2097 | { | ||
2098 | int i, r, ret = 0; | ||
2099 | char *comment; | ||
2100 | struct ssh_krl *krl; | ||
2101 | Key *k; | ||
2102 | |||
2103 | if (*identity_file == '\0') | ||
2104 | fatal("KRL checking requires an input file"); | ||
2105 | load_krl(identity_file, &krl); | ||
2106 | for (i = 0; i < argc; i++) { | ||
2107 | if ((k = key_load_public(argv[i], &comment)) == NULL) | ||
2108 | fatal("Cannot load public key %s", argv[i]); | ||
2109 | r = ssh_krl_check_key(krl, k); | ||
2110 | printf("%s%s%s%s: %s\n", argv[i], | ||
2111 | *comment ? " (" : "", comment, *comment ? ")" : "", | ||
2112 | r == 0 ? "ok" : "REVOKED"); | ||
2113 | if (r != 0) | ||
2114 | ret = 1; | ||
2115 | key_free(k); | ||
2116 | free(comment); | ||
2117 | } | ||
2118 | ssh_krl_free(krl); | ||
2119 | exit(ret); | ||
2120 | } | ||
2121 | |||
2122 | static void | ||
1870 | usage(void) | 2123 | usage(void) |
1871 | { | 2124 | { |
1872 | fprintf(stderr, "usage: %s [options]\n", __progname); | 2125 | fprintf(stderr, "usage: %s [options]\n", __progname); |
@@ -1892,6 +2145,7 @@ usage(void) | |||
1892 | fprintf(stderr, " -J number Screen this number of moduli lines.\n"); | 2145 | fprintf(stderr, " -J number Screen this number of moduli lines.\n"); |
1893 | fprintf(stderr, " -j number Start screening moduli at specified line.\n"); | 2146 | fprintf(stderr, " -j number Start screening moduli at specified line.\n"); |
1894 | fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); | 2147 | fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); |
2148 | fprintf(stderr, " -k Generate a KRL file.\n"); | ||
1895 | fprintf(stderr, " -L Print the contents of a certificate.\n"); | 2149 | fprintf(stderr, " -L Print the contents of a certificate.\n"); |
1896 | fprintf(stderr, " -l Show fingerprint of key file.\n"); | 2150 | fprintf(stderr, " -l Show fingerprint of key file.\n"); |
1897 | fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); | 2151 | fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); |
@@ -1901,6 +2155,7 @@ usage(void) | |||
1901 | fprintf(stderr, " -O option Specify a certificate option.\n"); | 2155 | fprintf(stderr, " -O option Specify a certificate option.\n"); |
1902 | fprintf(stderr, " -P phrase Provide old passphrase.\n"); | 2156 | fprintf(stderr, " -P phrase Provide old passphrase.\n"); |
1903 | fprintf(stderr, " -p Change passphrase of private key file.\n"); | 2157 | fprintf(stderr, " -p Change passphrase of private key file.\n"); |
2158 | fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n"); | ||
1904 | fprintf(stderr, " -q Quiet.\n"); | 2159 | fprintf(stderr, " -q Quiet.\n"); |
1905 | fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); | 2160 | fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); |
1906 | fprintf(stderr, " -r hostname Print DNS resource record.\n"); | 2161 | fprintf(stderr, " -r hostname Print DNS resource record.\n"); |
@@ -1908,6 +2163,7 @@ usage(void) | |||
1908 | fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); | 2163 | fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); |
1909 | fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); | 2164 | fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); |
1910 | fprintf(stderr, " -t type Specify type of key to create.\n"); | 2165 | fprintf(stderr, " -t type Specify type of key to create.\n"); |
2166 | fprintf(stderr, " -u Update KRL rather than creating a new one.\n"); | ||
1911 | fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); | 2167 | fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); |
1912 | fprintf(stderr, " -v Verbose.\n"); | 2168 | fprintf(stderr, " -v Verbose.\n"); |
1913 | fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); | 2169 | fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); |
@@ -1925,14 +2181,14 @@ main(int argc, char **argv) | |||
1925 | { | 2181 | { |
1926 | char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; | 2182 | char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; |
1927 | char *checkpoint = NULL; | 2183 | char *checkpoint = NULL; |
1928 | char out_file[MAXPATHLEN], *rr_hostname = NULL; | 2184 | char out_file[MAXPATHLEN], *ep, *rr_hostname = NULL; |
1929 | Key *private, *public; | 2185 | Key *private, *public; |
1930 | struct passwd *pw; | 2186 | struct passwd *pw; |
1931 | struct stat st; | 2187 | struct stat st; |
1932 | int opt, type, fd; | 2188 | int opt, type, fd; |
1933 | u_int32_t memory = 0, generator_wanted = 0, trials = 100; | 2189 | u_int32_t memory = 0, generator_wanted = 0, trials = 100; |
1934 | int do_gen_candidates = 0, do_screen_candidates = 0; | 2190 | int do_gen_candidates = 0, do_screen_candidates = 0; |
1935 | int gen_all_hostkeys = 0; | 2191 | int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0; |
1936 | unsigned long start_lineno = 0, lines_to_process = 0; | 2192 | unsigned long start_lineno = 0, lines_to_process = 0; |
1937 | BIGNUM *start = NULL; | 2193 | BIGNUM *start = NULL; |
1938 | FILE *f; | 2194 | FILE *f; |
@@ -1962,8 +2218,8 @@ main(int argc, char **argv) | |||
1962 | exit(1); | 2218 | exit(1); |
1963 | } | 2219 | } |
1964 | 2220 | ||
1965 | while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:" | 2221 | while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy" |
1966 | "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z")) != -1) { | 2222 | "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { |
1967 | switch (opt) { | 2223 | switch (opt) { |
1968 | case 'A': | 2224 | case 'A': |
1969 | gen_all_hostkeys = 1; | 2225 | gen_all_hostkeys = 1; |
@@ -2042,6 +2298,9 @@ main(int argc, char **argv) | |||
2042 | case 'N': | 2298 | case 'N': |
2043 | identity_new_passphrase = optarg; | 2299 | identity_new_passphrase = optarg; |
2044 | break; | 2300 | break; |
2301 | case 'Q': | ||
2302 | check_krl = 1; | ||
2303 | break; | ||
2045 | case 'O': | 2304 | case 'O': |
2046 | add_cert_option(optarg); | 2305 | add_cert_option(optarg); |
2047 | break; | 2306 | break; |
@@ -2060,6 +2319,9 @@ main(int argc, char **argv) | |||
2060 | cert_key_type = SSH2_CERT_TYPE_HOST; | 2319 | cert_key_type = SSH2_CERT_TYPE_HOST; |
2061 | certflags_flags = 0; | 2320 | certflags_flags = 0; |
2062 | break; | 2321 | break; |
2322 | case 'k': | ||
2323 | gen_krl = 1; | ||
2324 | break; | ||
2063 | case 'i': | 2325 | case 'i': |
2064 | case 'X': | 2326 | case 'X': |
2065 | /* import key */ | 2327 | /* import key */ |
@@ -2077,6 +2339,9 @@ main(int argc, char **argv) | |||
2077 | case 'D': | 2339 | case 'D': |
2078 | pkcs11provider = optarg; | 2340 | pkcs11provider = optarg; |
2079 | break; | 2341 | break; |
2342 | case 'u': | ||
2343 | update_krl = 1; | ||
2344 | break; | ||
2080 | case 'v': | 2345 | case 'v': |
2081 | if (log_level == SYSLOG_LEVEL_INFO) | 2346 | if (log_level == SYSLOG_LEVEL_INFO) |
2082 | log_level = SYSLOG_LEVEL_DEBUG1; | 2347 | log_level = SYSLOG_LEVEL_DEBUG1; |
@@ -2133,9 +2398,11 @@ main(int argc, char **argv) | |||
2133 | parse_cert_times(optarg); | 2398 | parse_cert_times(optarg); |
2134 | break; | 2399 | break; |
2135 | case 'z': | 2400 | case 'z': |
2136 | cert_serial = strtonum(optarg, 0, LLONG_MAX, &errstr); | 2401 | errno = 0; |
2137 | if (errstr) | 2402 | cert_serial = strtoull(optarg, &ep, 10); |
2138 | fatal("Invalid serial number: %s", errstr); | 2403 | if (*optarg < '0' || *optarg > '9' || *ep != '\0' || |
2404 | (errno == ERANGE && cert_serial == ULLONG_MAX)) | ||
2405 | fatal("Invalid serial number \"%s\"", optarg); | ||
2139 | break; | 2406 | break; |
2140 | case '?': | 2407 | case '?': |
2141 | default: | 2408 | default: |
@@ -2150,11 +2417,11 @@ main(int argc, char **argv) | |||
2150 | argc -= optind; | 2417 | argc -= optind; |
2151 | 2418 | ||
2152 | if (ca_key_path != NULL) { | 2419 | if (ca_key_path != NULL) { |
2153 | if (argc < 1) { | 2420 | if (argc < 1 && !gen_krl) { |
2154 | printf("Too few arguments.\n"); | 2421 | printf("Too few arguments.\n"); |
2155 | usage(); | 2422 | usage(); |
2156 | } | 2423 | } |
2157 | } else if (argc > 0) { | 2424 | } else if (argc > 0 && !gen_krl && !check_krl) { |
2158 | printf("Too many arguments.\n"); | 2425 | printf("Too many arguments.\n"); |
2159 | usage(); | 2426 | usage(); |
2160 | } | 2427 | } |
@@ -2163,9 +2430,17 @@ main(int argc, char **argv) | |||
2163 | usage(); | 2430 | usage(); |
2164 | } | 2431 | } |
2165 | if (print_fingerprint && (delete_host || hash_hosts)) { | 2432 | if (print_fingerprint && (delete_host || hash_hosts)) { |
2166 | printf("Cannot use -l with -D or -R.\n"); | 2433 | printf("Cannot use -l with -H or -R.\n"); |
2167 | usage(); | 2434 | usage(); |
2168 | } | 2435 | } |
2436 | if (gen_krl) { | ||
2437 | do_gen_krl(pw, update_krl, argc, argv); | ||
2438 | return (0); | ||
2439 | } | ||
2440 | if (check_krl) { | ||
2441 | do_check_krl(pw, argc, argv); | ||
2442 | return (0); | ||
2443 | } | ||
2169 | if (ca_key_path != NULL) { | 2444 | if (ca_key_path != NULL) { |
2170 | if (cert_key_id == NULL) | 2445 | if (cert_key_id == NULL) |
2171 | fatal("Must specify key id (-I) when certifying"); | 2446 | fatal("Must specify key id (-I) when certifying"); |
@@ -2175,6 +2450,8 @@ main(int argc, char **argv) | |||
2175 | do_show_cert(pw); | 2450 | do_show_cert(pw); |
2176 | if (delete_host || hash_hosts || find_host) | 2451 | if (delete_host || hash_hosts || find_host) |
2177 | do_known_hosts(pw, rr_hostname); | 2452 | do_known_hosts(pw, rr_hostname); |
2453 | if (pkcs11provider != NULL) | ||
2454 | do_download(pw); | ||
2178 | if (print_fingerprint || print_bubblebabble) | 2455 | if (print_fingerprint || print_bubblebabble) |
2179 | do_fingerprint(pw); | 2456 | do_fingerprint(pw); |
2180 | if (change_passphrase) | 2457 | if (change_passphrase) |
@@ -2212,8 +2489,6 @@ main(int argc, char **argv) | |||
2212 | exit(0); | 2489 | exit(0); |
2213 | } | 2490 | } |
2214 | } | 2491 | } |
2215 | if (pkcs11provider != NULL) | ||
2216 | do_download(pw); | ||
2217 | 2492 | ||
2218 | if (do_gen_candidates) { | 2493 | if (do_gen_candidates) { |
2219 | FILE *out = fopen(out_file, "w"); | 2494 | FILE *out = fopen(out_file, "w"); |
@@ -2233,7 +2508,7 @@ main(int argc, char **argv) | |||
2233 | 2508 | ||
2234 | if (do_screen_candidates) { | 2509 | if (do_screen_candidates) { |
2235 | FILE *in; | 2510 | FILE *in; |
2236 | FILE *out = fopen(out_file, "w"); | 2511 | FILE *out = fopen(out_file, "a"); |
2237 | 2512 | ||
2238 | if (have_identity && strcmp(identity_file, "-") != 0) { | 2513 | if (have_identity && strcmp(identity_file, "-") != 0) { |
2239 | if ((in = fopen(identity_file, "r")) == NULL) { | 2514 | if ((in = fopen(identity_file, "r")) == NULL) { |
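--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -106,4 +106,4 @@ BUGS
 This is because it opens a connection to the ssh port, reads the public
 key, and drops the connection as soon as it gets the key.
 
-OpenBSD 5.2 April 11, 2012 OpenBSD 5.2
+OpenBSD 5.3 April 11, 2012 OpenBSD 5.3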
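--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -48,4 +48,4 @@ HISTORY
 AUTHORS
 Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.2 August 31, 2010 OpenBSD 5.2
+OpenBSD 5.3 August 31, 2010 OpenBSD 5.3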
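--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
 AUTHORS
 Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.2 February 10, 2010 OpenBSD 5.2
+OpenBSD 5.3 February 10, 2010 OpenBSD 5.3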
@@ -396,8 +396,8 @@ AUTHENTICATION | |||
396 | since it provides additional mechanisms for confidentiality (the traffic | 396 | since it provides additional mechanisms for confidentiality (the traffic |
397 | is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and | 397 | is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and |
398 | integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64, | 398 | integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64, |
399 | hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the | 399 | umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for |
400 | integrity of the connection. | 400 | ensuring the integrity of the connection. |
401 | 401 | ||
402 | The methods available for authentication are: GSSAPI-based | 402 | The methods available for authentication are: GSSAPI-based |
403 | authentication, host-based authentication, public key authentication, | 403 | authentication, host-based authentication, public key authentication, |
@@ -537,6 +537,12 @@ ESCAPE CHARACTERS | |||
537 | ~R Request rekeying of the connection (only useful for SSH protocol | 537 | ~R Request rekeying of the connection (only useful for SSH protocol |
538 | version 2 and if the peer supports it). | 538 | version 2 and if the peer supports it). |
539 | 539 | ||
540 | ~V Decrease the verbosity (LogLevel) when errors are being written | ||
541 | to stderr. | ||
542 | |||
543 | ~v Increase the verbosity (LogLevel) when errors are being written | ||
544 | to stderr. | ||
545 | |||
540 | TCP FORWARDING | 546 | TCP FORWARDING |
541 | Forwarding of arbitrary TCP connections over the secure channel can be | 547 | Forwarding of arbitrary TCP connections over the secure channel can be |
542 | specified either on the command line or in a configuration file. One | 548 | specified either on the command line or in a configuration file. One |
@@ -862,36 +868,45 @@ SEE ALSO | |||
862 | scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), | 868 | scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), |
863 | tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8) | 869 | tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8) |
864 | 870 | ||
865 | The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006. | 871 | STANDARDS |
872 | S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned | ||
873 | Numbers, RFC 4250, January 2006. | ||
866 | 874 | ||
867 | The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006. | 875 | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, |
876 | RFC 4251, January 2006. | ||
868 | 877 | ||
869 | The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006. | 878 | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol, |
879 | RFC 4252, January 2006. | ||
870 | 880 | ||
871 | The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006. | 881 | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer |
882 | Protocol, RFC 4253, January 2006. | ||
872 | 883 | ||
873 | The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006. | 884 | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC |
885 | 4254, January 2006. | ||
874 | 886 | ||
875 | Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC | 887 | J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell |
876 | 4255, 2006. | 888 | (SSH) Key Fingerprints, RFC 4255, January 2006. |
877 | 889 | ||
878 | Generic Message Exchange Authentication for the Secure Shell Protocol | 890 | F. Cusack and M. Forssen, Generic Message Exchange Authentication for the |
879 | (SSH), RFC 4256, 2006. | 891 | Secure Shell Protocol (SSH), RFC 4256, January 2006. |
880 | 892 | ||
881 | The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006. | 893 | J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break |
894 | Extension, RFC 4335, January 2006. | ||
882 | 895 | ||
883 | The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006. | 896 | M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport |
897 | Layer Encryption Modes, RFC 4344, January 2006. | ||
884 | 898 | ||
885 | Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer | 899 | B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport |
886 | Protocol, RFC 4345, 2006. | 900 | Layer Protocol, RFC 4345, January 2006. |
887 | 901 | ||
888 | Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer | 902 | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for |
889 | Protocol, RFC 4419, 2006. | 903 | the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. |
890 | 904 | ||
891 | The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. | 905 | J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File |
906 | Format, RFC 4716, November 2006. | ||
892 | 907 | ||
893 | Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, | 908 | D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the |
894 | RFC 5656, 2009. | 909 | Secure Shell Transport Layer, RFC 5656, December 2009. |
895 | 910 | ||
896 | A. Perrig and D. Song, Hash Visualization: a New Technique to improve | 911 | A. Perrig and D. Song, Hash Visualization: a New Technique to improve |
897 | Real-World Security, 1999, International Workshop on Cryptographic | 912 | Real-World Security, 1999, International Workshop on Cryptographic |
@@ -904,4 +919,4 @@ AUTHORS | |||
904 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 919 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
905 | versions 1.5 and 2.0. | 920 | versions 1.5 and 2.0. |
906 | 921 | ||
907 | OpenBSD 5.2 June 18, 2012 OpenBSD 5.2 | 922 | OpenBSD 5.3 October 4, 2012 OpenBSD 5.3 |
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh.1,v 1.326 2012/06/18 12:17:18 dtucker Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ |
37 | .Dd $Mdocdate: June 18 2012 $ | 37 | .Dd $Mdocdate: October 4 2012 $ |
38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -674,7 +674,7 @@ it provides additional mechanisms for confidentiality | |||
674 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) | 674 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) |
675 | and integrity (hmac-md5, hmac-sha1, | 675 | and integrity (hmac-md5, hmac-sha1, |
676 | hmac-sha2-256, hmac-sha2-512, | 676 | hmac-sha2-256, hmac-sha2-512, |
677 | umac-64, hmac-ripemd160). | 677 | umac-64, umac-128, hmac-ripemd160). |
678 | Protocol 1 lacks a strong mechanism for ensuring the | 678 | Protocol 1 lacks a strong mechanism for ensuring the |
679 | integrity of the connection. | 679 | integrity of the connection. |
680 | .Pp | 680 | .Pp |
@@ -930,6 +930,14 @@ option. | |||
930 | .It Cm ~R | 930 | .It Cm ~R |
931 | Request rekeying of the connection | 931 | Request rekeying of the connection |
932 | (only useful for SSH protocol version 2 and if the peer supports it). | 932 | (only useful for SSH protocol version 2 and if the peer supports it). |
933 | .It Cm ~V | ||
934 | Decrease the verbosity | ||
935 | .Pq Ic LogLevel | ||
936 | when errors are being written to stderr. | ||
937 | .It Cm ~v | ||
938 | Increase the verbosity | ||
939 | .Pq Ic LogLevel | ||
940 | when errors are being written to stderr. | ||
933 | .El | 941 | .El |
934 | .Sh TCP FORWARDING | 942 | .Sh TCP FORWARDING |
935 | Forwarding of arbitrary TCP connections over the secure channel can | 943 | Forwarding of arbitrary TCP connections over the secure channel can |
@@ -1434,77 +1442,118 @@ if an error occurred. | |||
1434 | .Xr ssh_config 5 , | 1442 | .Xr ssh_config 5 , |
1435 | .Xr ssh-keysign 8 , | 1443 | .Xr ssh-keysign 8 , |
1436 | .Xr sshd 8 | 1444 | .Xr sshd 8 |
1445 | .Sh STANDARDS | ||
1437 | .Rs | 1446 | .Rs |
1447 | .%A S. Lehtinen | ||
1448 | .%A C. Lonvick | ||
1449 | .%D January 2006 | ||
1438 | .%R RFC 4250 | 1450 | .%R RFC 4250 |
1439 | .%T "The Secure Shell (SSH) Protocol Assigned Numbers" | 1451 | .%T The Secure Shell (SSH) Protocol Assigned Numbers |
1440 | .%D 2006 | ||
1441 | .Re | 1452 | .Re |
1453 | .Pp | ||
1442 | .Rs | 1454 | .Rs |
1455 | .%A T. Ylonen | ||
1456 | .%A C. Lonvick | ||
1457 | .%D January 2006 | ||
1443 | .%R RFC 4251 | 1458 | .%R RFC 4251 |
1444 | .%T "The Secure Shell (SSH) Protocol Architecture" | 1459 | .%T The Secure Shell (SSH) Protocol Architecture |
1445 | .%D 2006 | ||
1446 | .Re | 1460 | .Re |
1461 | .Pp | ||
1447 | .Rs | 1462 | .Rs |
1463 | .%A T. Ylonen | ||
1464 | .%A C. Lonvick | ||
1465 | .%D January 2006 | ||
1448 | .%R RFC 4252 | 1466 | .%R RFC 4252 |
1449 | .%T "The Secure Shell (SSH) Authentication Protocol" | 1467 | .%T The Secure Shell (SSH) Authentication Protocol |
1450 | .%D 2006 | ||
1451 | .Re | 1468 | .Re |
1469 | .Pp | ||
1452 | .Rs | 1470 | .Rs |
1471 | .%A T. Ylonen | ||
1472 | .%A C. Lonvick | ||
1473 | .%D January 2006 | ||
1453 | .%R RFC 4253 | 1474 | .%R RFC 4253 |
1454 | .%T "The Secure Shell (SSH) Transport Layer Protocol" | 1475 | .%T The Secure Shell (SSH) Transport Layer Protocol |
1455 | .%D 2006 | ||
1456 | .Re | 1476 | .Re |
1477 | .Pp | ||
1457 | .Rs | 1478 | .Rs |
1479 | .%A T. Ylonen | ||
1480 | .%A C. Lonvick | ||
1481 | .%D January 2006 | ||
1458 | .%R RFC 4254 | 1482 | .%R RFC 4254 |
1459 | .%T "The Secure Shell (SSH) Connection Protocol" | 1483 | .%T The Secure Shell (SSH) Connection Protocol |
1460 | .%D 2006 | ||
1461 | .Re | 1484 | .Re |
1485 | .Pp | ||
1462 | .Rs | 1486 | .Rs |
1487 | .%A J. Schlyter | ||
1488 | .%A W. Griffin | ||
1489 | .%D January 2006 | ||
1463 | .%R RFC 4255 | 1490 | .%R RFC 4255 |
1464 | .%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" | 1491 | .%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints |
1465 | .%D 2006 | ||
1466 | .Re | 1492 | .Re |
1493 | .Pp | ||
1467 | .Rs | 1494 | .Rs |
1495 | .%A F. Cusack | ||
1496 | .%A M. Forssen | ||
1497 | .%D January 2006 | ||
1468 | .%R RFC 4256 | 1498 | .%R RFC 4256 |
1469 | .%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)" | 1499 | .%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) |
1470 | .%D 2006 | ||
1471 | .Re | 1500 | .Re |
1501 | .Pp | ||
1472 | .Rs | 1502 | .Rs |
1503 | .%A J. Galbraith | ||
1504 | .%A P. Remaker | ||
1505 | .%D January 2006 | ||
1473 | .%R RFC 4335 | 1506 | .%R RFC 4335 |
1474 | .%T "The Secure Shell (SSH) Session Channel Break Extension" | 1507 | .%T The Secure Shell (SSH) Session Channel Break Extension |
1475 | .%D 2006 | ||
1476 | .Re | 1508 | .Re |
1509 | .Pp | ||
1477 | .Rs | 1510 | .Rs |
1511 | .%A M. Bellare | ||
1512 | .%A T. Kohno | ||
1513 | .%A C. Namprempre | ||
1514 | .%D January 2006 | ||
1478 | .%R RFC 4344 | 1515 | .%R RFC 4344 |
1479 | .%T "The Secure Shell (SSH) Transport Layer Encryption Modes" | 1516 | .%T The Secure Shell (SSH) Transport Layer Encryption Modes |
1480 | .%D 2006 | ||
1481 | .Re | 1517 | .Re |
1518 | .Pp | ||
1482 | .Rs | 1519 | .Rs |
1520 | .%A B. Harris | ||
1521 | .%D January 2006 | ||
1483 | .%R RFC 4345 | 1522 | .%R RFC 4345 |
1484 | .%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol" | 1523 | .%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol |
1485 | .%D 2006 | ||
1486 | .Re | 1524 | .Re |
1525 | .Pp | ||
1487 | .Rs | 1526 | .Rs |
1527 | .%A M. Friedl | ||
1528 | .%A N. Provos | ||
1529 | .%A W. Simpson | ||
1530 | .%D March 2006 | ||
1488 | .%R RFC 4419 | 1531 | .%R RFC 4419 |
1489 | .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" | 1532 | .%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol |
1490 | .%D 2006 | ||
1491 | .Re | 1533 | .Re |
1534 | .Pp | ||
1492 | .Rs | 1535 | .Rs |
1536 | .%A J. Galbraith | ||
1537 | .%A R. Thayer | ||
1538 | .%D November 2006 | ||
1493 | .%R RFC 4716 | 1539 | .%R RFC 4716 |
1494 | .%T "The Secure Shell (SSH) Public Key File Format" | 1540 | .%T The Secure Shell (SSH) Public Key File Format |
1495 | .%D 2006 | ||
1496 | .Re | 1541 | .Re |
1542 | .Pp | ||
1497 | .Rs | 1543 | .Rs |
1544 | .%A D. Stebila | ||
1545 | .%A J. Green | ||
1546 | .%D December 2009 | ||
1498 | .%R RFC 5656 | 1547 | .%R RFC 5656 |
1499 | .%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer" | 1548 | .%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer |
1500 | .%D 2009 | ||
1501 | .Re | 1549 | .Re |
1550 | .Pp | ||
1502 | .Rs | 1551 | .Rs |
1503 | .%T "Hash Visualization: a New Technique to improve Real-World Security" | ||
1504 | .%A A. Perrig | 1552 | .%A A. Perrig |
1505 | .%A D. Song | 1553 | .%A D. Song |
1506 | .%D 1999 | 1554 | .%D 1999 |
1507 | .%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)" | 1555 | .%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) |
1556 | .%T Hash Visualization: a New Technique to improve Real-World Security | ||
1508 | .Re | 1557 | .Re |
1509 | .Sh AUTHORS | 1558 | .Sh AUTHORS |
1510 | OpenSSH is a derivative of the original and free | 1559 | OpenSSH is a derivative of the original and free |
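--- a/ssh_config.0
+++ b/ssh_config.0
@@ -97,10 +97,13 @@ DESCRIPTION
 preference. Multiple ciphers must be comma-separated. The
 supported ciphers are ``3des-cbc'', ``aes128-cbc'',
 ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'',
-``aes256-ctr'', ``arcfour128'', ``arcfour256'', ``arcfour'',
-``blowfish-cbc'', and ``cast128-cbc''. The default is:
+``aes256-ctr'', ``aes128-gcm@openssh.com'',
+``aes256-gcm@openssh.com'', ``arcfour128'', ``arcfour256'',
+``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default
+is:
 
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 
@@ -354,11 +357,11 @@ DESCRIPTION
 
 IdentitiesOnly
 Specifies that ssh(1) should only use the authentication identity
-files configured in the ssh_config files, even if ssh-agent(1)
-offers more identities. The argument to this keyword must be
-``yes'' or ``no''. This option is intended for situations where
-ssh-agent offers many different identities. The default is
-``no''.
+files configured in the ssh_config files, even if ssh-agent(1) or
+a PKCS11Provider offers more identities. The argument to this
+keyword must be ``yes'' or ``no''. This option is intended for
+situations where ssh-agent offers many different identities. The
+default is ``no''.
 
 IdentityFile
 Specifies a file from which the user's DSA, ECDSA or RSA
@@ -460,9 +463,16 @@ DESCRIPTION
 MACs Specifies the MAC (message authentication code) algorithms in
 order of preference. The MAC algorithm is used in protocol
 version 2 for data integrity protection. Multiple algorithms
-must be comma-separated. The default is:
-
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+must be comma-separated. The algorithms that contain ``-etm''
+calculate the MAC after encryption (encrypt-then-mac). These are
+considered safer and their use recommended. The default is:
+
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 
@@ -763,4 +773,4 @@ AUTHORS
 created OpenSSH. Markus Friedl contributed the support for SSH protocol
 versions 1.5 and 2.0.
 
-OpenBSD 5.2 June 29, 2012 OpenBSD 5.2
+OpenBSD 5.3 January 8, 2013 OpenBSD 5.3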
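--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $
-.Dd $Mdocdate: June 29 2012 $
+.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $
+.Dd $Mdocdate: January 8 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -224,6 +224,8 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq aes128-gcm@openssh.com ,
+.Dq aes256-gcm@openssh.com ,
 .Dq arcfour128 ,
 .Dq arcfour256 ,
 .Dq arcfour ,
@@ -233,6 +235,7 @@ and
 The default is:
 .Bd -literal -offset 3n
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 .Ed
@@ -658,6 +661,8 @@ should only use the authentication identity files configured in the
 files,
 even if
 .Xr ssh-agent 1
+or a
+.Cm PKCS11Provider
 offers more identities.
 The argument to this keyword must be
 .Dq yes
@@ -846,9 +851,18 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed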
diff --git a/sshconnect.c b/sshconnect.c index 2cde2f0a3..ed0e78bfd 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect.c,v 1.234 2011/05/24 07:15:47 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -429,6 +429,24 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, | |||
429 | return 0; | 429 | return 0; |
430 | } | 430 | } |
431 | 431 | ||
432 | static void | ||
433 | send_client_banner(int connection_out, int minor1) | ||
434 | { | ||
435 | /* Send our own protocol version identification. */ | ||
436 | if (compat20) { | ||
437 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", | ||
438 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); | ||
439 | } else { | ||
440 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", | ||
441 | PROTOCOL_MAJOR_1, minor1, SSH_RELEASE); | ||
442 | } | ||
443 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | ||
444 | strlen(client_version_string)) != strlen(client_version_string)) | ||
445 | fatal("write: %.100s", strerror(errno)); | ||
446 | chop(client_version_string); | ||
447 | debug("Local version string %.100s", client_version_string); | ||
448 | } | ||
449 | |||
432 | /* | 450 | /* |
433 | * Waits for the server identification string, and sends our own | 451 | * Waits for the server identification string, and sends our own |
434 | * identification string. | 452 | * identification string. |
@@ -440,7 +458,7 @@ ssh_exchange_identification(int timeout_ms) | |||
440 | int remote_major, remote_minor, mismatch; | 458 | int remote_major, remote_minor, mismatch; |
441 | int connection_in = packet_get_connection_in(); | 459 | int connection_in = packet_get_connection_in(); |
442 | int connection_out = packet_get_connection_out(); | 460 | int connection_out = packet_get_connection_out(); |
443 | int minor1 = PROTOCOL_MINOR_1; | 461 | int minor1 = PROTOCOL_MINOR_1, client_banner_sent = 0; |
444 | u_int i, n; | 462 | u_int i, n; |
445 | size_t len; | 463 | size_t len; |
446 | int fdsetsz, remaining, rc; | 464 | int fdsetsz, remaining, rc; |
@@ -450,6 +468,16 @@ ssh_exchange_identification(int timeout_ms) | |||
450 | fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask); | 468 | fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask); |
451 | fdset = xcalloc(1, fdsetsz); | 469 | fdset = xcalloc(1, fdsetsz); |
452 | 470 | ||
471 | /* | ||
472 | * If we are SSH2-only then we can send the banner immediately and | ||
473 | * save a round-trip. | ||
474 | */ | ||
475 | if (options.protocol == SSH_PROTO_2) { | ||
476 | enable_compat20(); | ||
477 | send_client_banner(connection_out, 0); | ||
478 | client_banner_sent = 1; | ||
479 | } | ||
480 | |||
453 | /* Read other side's version identification. */ | 481 | /* Read other side's version identification. */ |
454 | remaining = timeout_ms; | 482 | remaining = timeout_ms; |
455 | for (n = 0;;) { | 483 | for (n = 0;;) { |
@@ -552,18 +580,9 @@ ssh_exchange_identification(int timeout_ms) | |||
552 | fatal("Protocol major versions differ: %d vs. %d", | 580 | fatal("Protocol major versions differ: %d vs. %d", |
553 | (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, | 581 | (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, |
554 | remote_major); | 582 | remote_major); |
555 | /* Send our own protocol version identification. */ | 583 | if (!client_banner_sent) |
556 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", | 584 | send_client_banner(connection_out, minor1); |
557 | compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, | ||
558 | compat20 ? PROTOCOL_MINOR_2 : minor1, | ||
559 | SSH_RELEASE, compat20 ? "\r\n" : "\n"); | ||
560 | if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) | ||
561 | != strlen(buf)) | ||
562 | fatal("write: %.100s", strerror(errno)); | ||
563 | client_version_string = xstrdup(buf); | ||
564 | chop(client_version_string); | ||
565 | chop(server_version_string); | 585 | chop(server_version_string); |
566 | debug("Local version string %.100s", client_version_string); | ||
567 | } | 586 | } |
568 | 587 | ||
569 | /* defaults to 'no' */ | 588 | /* defaults to 'no' */ |
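Review bot: In the SSH2-only branch added to ssh_exchange_identification, send_client_banner() now writes the client version string before any of the server's identification has been read or checked, and the new comment mentions only the saved round-trip. In the removed code the banner was written after the "Protocol major versions differ" check, so a peer that never presented a compatible banner was not sent SSH_RELEASE. I would record that trade-off in the comment, e.g. `* Note: the peer now sees our version string before its own banner has been validated.` The literal `0` passed as minor1 is never read when compat20 is set, and send_client_banner() depends on enable_compat20() having run first; a short comment at the call would cover both. ssh_exchange_identification starts and ends outside these hunks.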
diff --git a/sshconnect2.c b/sshconnect2.c index fe68d5c41..378b3200c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -40,7 +40,7 @@ | |||
40 | #include <stdio.h> | 40 | #include <stdio.h> |
41 | #include <string.h> | 41 | #include <string.h> |
42 | #include <unistd.h> | 42 | #include <unistd.h> |
43 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) | 43 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) |
44 | #include <vis.h> | 44 | #include <vis.h> |
45 | #endif | 45 | #endif |
46 | 46 | ||
@@ -304,6 +304,7 @@ struct identity { | |||
304 | char *filename; /* comment for agent-only keys */ | 304 | char *filename; /* comment for agent-only keys */ |
305 | int tried; | 305 | int tried; |
306 | int isprivate; /* key points to the private key */ | 306 | int isprivate; /* key points to the private key */ |
307 | int userprovided; | ||
307 | }; | 308 | }; |
308 | TAILQ_HEAD(idlist, identity); | 309 | TAILQ_HEAD(idlist, identity); |
309 | 310 | ||
@@ -369,7 +370,7 @@ void userauth(Authctxt *, char *); | |||
369 | static int sign_and_send_pubkey(Authctxt *, Identity *); | 370 | static int sign_and_send_pubkey(Authctxt *, Identity *); |
370 | static void pubkey_prepare(Authctxt *); | 371 | static void pubkey_prepare(Authctxt *); |
371 | static void pubkey_cleanup(Authctxt *); | 372 | static void pubkey_cleanup(Authctxt *); |
372 | static Key *load_identity_file(char *); | 373 | static Key *load_identity_file(char *, int); |
373 | 374 | ||
374 | static Authmethod *authmethod_get(char *authlist); | 375 | static Authmethod *authmethod_get(char *authlist); |
375 | static Authmethod *authmethod_lookup(const char *name); | 376 | static Authmethod *authmethod_lookup(const char *name); |
@@ -1302,7 +1303,7 @@ identity_sign(Identity *id, u_char **sigp, u_int *lenp, | |||
1302 | if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) | 1303 | if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) |
1303 | return (key_sign(id->key, sigp, lenp, data, datalen)); | 1304 | return (key_sign(id->key, sigp, lenp, data, datalen)); |
1304 | /* load the private key from the file */ | 1305 | /* load the private key from the file */ |
1305 | if ((prv = load_identity_file(id->filename)) == NULL) | 1306 | if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL) |
1306 | return (-1); | 1307 | return (-1); |
1307 | ret = key_sign(prv, sigp, lenp, data, datalen); | 1308 | ret = key_sign(prv, sigp, lenp, data, datalen); |
1308 | key_free(prv); | 1309 | key_free(prv); |
@@ -1427,7 +1428,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) | |||
1427 | } | 1428 | } |
1428 | 1429 | ||
1429 | static Key * | 1430 | static Key * |
1430 | load_identity_file(char *filename) | 1431 | load_identity_file(char *filename, int userprovided) |
1431 | { | 1432 | { |
1432 | Key *private; | 1433 | Key *private; |
1433 | char prompt[300], *passphrase; | 1434 | char prompt[300], *passphrase; |
@@ -1435,7 +1436,8 @@ load_identity_file(char *filename) | |||
1435 | struct stat st; | 1436 | struct stat st; |
1436 | 1437 | ||
1437 | if (stat(filename, &st) < 0) { | 1438 | if (stat(filename, &st) < 0) { |
1438 | debug3("no such identity: %s", filename); | 1439 | (userprovided ? logit : debug3)("no such identity: %s: %s", |
1440 | filename, strerror(errno)); | ||
1439 | return NULL; | 1441 | return NULL; |
1440 | } | 1442 | } |
1441 | private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); | 1443 | private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); |
@@ -1475,7 +1477,7 @@ load_identity_file(char *filename) | |||
1475 | static void | 1477 | static void |
1476 | pubkey_prepare(Authctxt *authctxt) | 1478 | pubkey_prepare(Authctxt *authctxt) |
1477 | { | 1479 | { |
1478 | Identity *id; | 1480 | Identity *id, *id2, *tmp; |
1479 | Idlist agent, files, *preferred; | 1481 | Idlist agent, files, *preferred; |
1480 | Key *key; | 1482 | Key *key; |
1481 | AuthenticationConnection *ac; | 1483 | AuthenticationConnection *ac; |
@@ -1487,7 +1489,7 @@ pubkey_prepare(Authctxt *authctxt) | |||
1487 | preferred = &authctxt->keys; | 1489 | preferred = &authctxt->keys; |
1488 | TAILQ_INIT(preferred); /* preferred order of keys */ | 1490 | TAILQ_INIT(preferred); /* preferred order of keys */ |
1489 | 1491 | ||
1490 | /* list of keys stored in the filesystem */ | 1492 | /* list of keys stored in the filesystem and PKCS#11 */ |
1491 | for (i = 0; i < options.num_identity_files; i++) { | 1493 | for (i = 0; i < options.num_identity_files; i++) { |
1492 | if (options.identity_files[i] == NULL) | 1494 | if (options.identity_files[i] == NULL) |
1493 | continue; | 1495 | continue; |
@@ -1500,8 +1502,32 @@ pubkey_prepare(Authctxt *authctxt) | |||
1500 | id = xcalloc(1, sizeof(*id)); | 1502 | id = xcalloc(1, sizeof(*id)); |
1501 | id->key = key; | 1503 | id->key = key; |
1502 | id->filename = xstrdup(options.identity_files[i]); | 1504 | id->filename = xstrdup(options.identity_files[i]); |
1505 | id->userprovided = 1; | ||
1503 | TAILQ_INSERT_TAIL(&files, id, next); | 1506 | TAILQ_INSERT_TAIL(&files, id, next); |
1504 | } | 1507 | } |
1508 | /* Prefer PKCS11 keys that are explicitly listed */ | ||
1509 | TAILQ_FOREACH_SAFE(id, &files, next, tmp) { | ||
1510 | if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0) | ||
1511 | continue; | ||
1512 | found = 0; | ||
1513 | TAILQ_FOREACH(id2, &files, next) { | ||
1514 | if (id2->key == NULL || | ||
1515 | (id2->key->flags & KEY_FLAG_EXT) != 0) | ||
1516 | continue; | ||
1517 | if (key_equal(id->key, id2->key)) { | ||
1518 | TAILQ_REMOVE(&files, id, next); | ||
1519 | TAILQ_INSERT_TAIL(preferred, id, next); | ||
1520 | found = 1; | ||
1521 | break; | ||
1522 | } | ||
1523 | } | ||
1524 | /* If IdentitiesOnly set and key not found then don't use it */ | ||
1525 | if (!found && options.identities_only) { | ||
1526 | TAILQ_REMOVE(&files, id, next); | ||
1527 | bzero(id, sizeof(id)); | ||
1528 | free(id); | ||
1529 | } | ||
1530 | } | ||
1505 | /* list of keys supported by the agent */ | 1531 | /* list of keys supported by the agent */ |
1506 | if ((ac = ssh_get_authentication_connection())) { | 1532 | if ((ac = ssh_get_authentication_connection())) { |
1507 | for (key = ssh_get_first_identity(ac, &comment, 2); | 1533 | for (key = ssh_get_first_identity(ac, &comment, 2); |
@@ -1541,7 +1567,8 @@ pubkey_prepare(Authctxt *authctxt) | |||
1541 | TAILQ_INSERT_TAIL(preferred, id, next); | 1567 | TAILQ_INSERT_TAIL(preferred, id, next); |
1542 | } | 1568 | } |
1543 | TAILQ_FOREACH(id, preferred, next) { | 1569 | TAILQ_FOREACH(id, preferred, next) { |
1544 | debug2("key: %s (%p)", id->filename, id->key); | 1570 | debug2("key: %s (%p),%s", id->filename, id->key, |
1571 | id->userprovided ? " explicit" : ""); | ||
1545 | } | 1572 | } |
1546 | } | 1573 | } |
1547 | 1574 | ||
@@ -1586,7 +1613,8 @@ userauth_pubkey(Authctxt *authctxt) | |||
1586 | sent = send_pubkey_test(authctxt, id); | 1613 | sent = send_pubkey_test(authctxt, id); |
1587 | } else if (id->key == NULL && id->filename) { | 1614 | } else if (id->key == NULL && id->filename) { |
1588 | debug("Trying private key: %s", id->filename); | 1615 | debug("Trying private key: %s", id->filename); |
1589 | id->key = load_identity_file(id->filename); | 1616 | id->key = load_identity_file(id->filename, |
1617 | id->userprovided); | ||
1590 | if (id->key != NULL) { | 1618 | if (id->key != NULL) { |
1591 | id->isprivate = 1; | 1619 | id->isprivate = 1; |
1592 | sent = sign_and_send_pubkey(authctxt, id); | 1620 | sent = sign_and_send_pubkey(authctxt, id); |
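Review bot: In the new IdentitiesOnly cleanup inside pubkey_prepare, `bzero(id, sizeof(id));` clears only pointer-sized bytes because `id` is an `Identity *`, so most of the structure is left intact before `free(id)`; it should read `bzero(id, sizeof(*id));`. The same branch frees `id` without releasing `id->filename`, which is allocated with xstrdup a few lines above, or `id->key`, which is non-NULL at this point because of the earlier `continue`. Unless those are released elsewhere, both leak; calling `key_free(id->key);` and freeing `id->filename` before the bzero would match how the entry was built. pubkey_prepare starts and ends outside the hunk.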
@@ -169,7 +169,7 @@ AUTHENTICATION | |||
169 | client selects the encryption algorithm to use from those offered by the | 169 | client selects the encryption algorithm to use from those offered by the |
170 | server. Additionally, session integrity is provided through a | 170 | server. Additionally, session integrity is provided through a |
171 | cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64, | 171 | cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64, |
172 | hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512). | 172 | umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512). |
173 | 173 | ||
174 | Finally, the server and the client enter an authentication dialog. The | 174 | Finally, the server and the client enter an authentication dialog. The |
175 | client tries to authenticate itself using host-based authentication, | 175 | client tries to authenticate itself using host-based authentication, |
@@ -634,4 +634,4 @@ CAVEATS | |||
634 | System security is not improved unless rshd, rlogind, and rexecd are | 634 | System security is not improved unless rshd, rlogind, and rexecd are |
635 | disabled (thus completely disabling rlogin and rsh into the machine). | 635 | disabled (thus completely disabling rlogin and rsh into the machine). |
636 | 636 | ||
637 | OpenBSD 5.2 June 18, 2012 OpenBSD 5.2 | 637 | OpenBSD 5.3 October 4, 2012 OpenBSD 5.3 |
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ |
37 | .Dd $Mdocdate: June 18 2012 $ | 37 | .Dd $Mdocdate: October 4 2012 $ |
38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -319,7 +319,7 @@ The client selects the encryption algorithm | |||
319 | to use from those offered by the server. | 319 | to use from those offered by the server. |
320 | Additionally, session integrity is provided | 320 | Additionally, session integrity is provided |
321 | through a cryptographic message authentication code | 321 | through a cryptographic message authentication code |
322 | (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, | 322 | (hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, |
323 | hmac-sha2-256 or hmac-sha2-512). | 323 | hmac-sha2-256 or hmac-sha2-512). |
324 | .Pp | 324 | .Pp |
325 | Finally, the server and the client enter an authentication dialog. | 325 | Finally, the server and the client enter an authentication dialog. |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -363,6 +363,15 @@ grace_alarm_handler(int sig) | |||
363 | if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) | 363 | if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) |
364 | kill(pmonitor->m_pid, SIGALRM); | 364 | kill(pmonitor->m_pid, SIGALRM); |
365 | 365 | ||
366 | /* | ||
367 | * Try to kill any processes that we have spawned, E.g. authorized | ||
368 | * keys command helpers. | ||
369 | */ | ||
370 | if (getpgid(0) == getpid()) { | ||
371 | signal(SIGTERM, SIG_IGN); | ||
372 | killpg(0, SIGTERM); | ||
373 | } | ||
374 | |||
366 | /* Log error and exit. */ | 375 | /* Log error and exit. */ |
367 | sigdie("Timeout before authentication for %s", get_remote_ipaddr()); | 376 | sigdie("Timeout before authentication for %s", get_remote_ipaddr()); |
368 | } | 377 | } |
@@ -1333,6 +1342,7 @@ main(int ac, char **av) | |||
1333 | int remote_port; | 1342 | int remote_port; |
1334 | char *line; | 1343 | char *line; |
1335 | int config_s[2] = { -1 , -1 }; | 1344 | int config_s[2] = { -1 , -1 }; |
1345 | u_int n; | ||
1336 | u_int64_t ibytes, obytes; | 1346 | u_int64_t ibytes, obytes; |
1337 | mode_t new_umask; | 1347 | mode_t new_umask; |
1338 | Key *key; | 1348 | Key *key; |
@@ -1555,6 +1565,33 @@ main(int ac, char **av) | |||
1555 | if (options.challenge_response_authentication) | 1565 | if (options.challenge_response_authentication) |
1556 | options.kbd_interactive_authentication = 1; | 1566 | options.kbd_interactive_authentication = 1; |
1557 | 1567 | ||
1568 | /* Check that options are sensible */ | ||
1569 | if (options.authorized_keys_command_user == NULL && | ||
1570 | (options.authorized_keys_command != NULL && | ||
1571 | strcasecmp(options.authorized_keys_command, "none") != 0)) | ||
1572 | fatal("AuthorizedKeysCommand set without " | ||
1573 | "AuthorizedKeysCommandUser"); | ||
1574 | |||
1575 | /* | ||
1576 | * Check whether there is any path through configured auth methods. | ||
1577 | * Unfortunately it is not possible to verify this generally before | ||
1578 | * daemonisation in the presence of Match block, but this catches | ||
1579 | * and warns for trivial misconfigurations that could break login. | ||
1580 | */ | ||
1581 | if (options.num_auth_methods != 0) { | ||
1582 | if ((options.protocol & SSH_PROTO_1)) | ||
1583 | fatal("AuthenticationMethods is not supported with " | ||
1584 | "SSH protocol 1"); | ||
1585 | for (n = 0; n < options.num_auth_methods; n++) { | ||
1586 | if (auth2_methods_valid(options.auth_methods[n], | ||
1587 | 1) == 0) | ||
1588 | break; | ||
1589 | } | ||
1590 | if (n >= options.num_auth_methods) | ||
1591 | fatal("AuthenticationMethods cannot be satisfied by " | ||
1592 | "enabled authentication methods"); | ||
1593 | } | ||
1594 | |||
1558 | /* set default channel AF */ | 1595 | /* set default channel AF */ |
1559 | channel_set_af(options.address_family); | 1596 | channel_set_af(options.address_family); |
1560 | 1597 | ||
@@ -1564,7 +1601,8 @@ main(int ac, char **av) | |||
1564 | exit(1); | 1601 | exit(1); |
1565 | } | 1602 | } |
1566 | 1603 | ||
1567 | debug("sshd version %.100s", SSH_RELEASE); | 1604 | debug("sshd version %s, %s", SSH_VERSION, |
1605 | SSLeay_version(SSLEAY_VERSION)); | ||
1568 | 1606 | ||
1569 | /* Store privilege separation user for later use if required. */ | 1607 | /* Store privilege separation user for later use if required. */ |
1570 | if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { | 1608 | if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { |
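Review bot: The block added to grace_alarm_handler runs in signal-handler context, and getpgid() does not appear to be on the POSIX list of async-signal-safe functions (getpgrp() and getpid() are), so the guard deserves a comment or, where the platform allows, a listed call. The comment should also explain the ordering, e.g. `/* Ignore SIGTERM first so killpg() on our own group does not terminate us before sigdie() logs the timeout. */`, and note that the `getpgid(0) == getpid()` test is what limits killpg(0, ...) to a group this process leads. The return values of signal() and killpg() are ignored, which looks like deliberate best-effort but is not stated. The handler begins outside the hunk.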
diff --git a/sshd_config b/sshd_config index 3ea8e2efc..5de6846ef 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ | 1 | # $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ |
2 | 2 | ||
3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
@@ -52,6 +52,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
52 | 52 | ||
53 | #AuthorizedPrincipalsFile none | 53 | #AuthorizedPrincipalsFile none |
54 | 54 | ||
55 | #AuthorizedKeysCommand none | ||
56 | #AuthorizedKeysCommandUser nobody | ||
57 | |||
55 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | 58 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
56 | #RhostsRSAAuthentication no | 59 | #RhostsRSAAuthentication no |
57 | # similar for protocol version 2 | 60 | # similar for protocol version 2 |
diff --git a/sshd_config.0 b/sshd_config.0 index d9c87b7a0..2648db3d4 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -53,10 +53,14 @@ DESCRIPTION | |||
53 | See PATTERNS in ssh_config(5) for more information on patterns. | 53 | See PATTERNS in ssh_config(5) for more information on patterns. |
54 | 54 | ||
55 | AllowTcpForwarding | 55 | AllowTcpForwarding |
56 | Specifies whether TCP forwarding is permitted. The default is | 56 | Specifies whether TCP forwarding is permitted. The available |
57 | ``yes''. Note that disabling TCP forwarding does not improve | 57 | options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to |
58 | security unless users are also denied shell access, as they can | 58 | prevent all TCP forwarding, ``local'' to allow local (from the |
59 | always install their own forwarders. | 59 | perspective of ssh(1)) forwarding only or ``remote'' to allow |
60 | remote forwarding only. The default is ``yes''. Note that | ||
61 | disabling TCP forwarding does not improve security unless users | ||
62 | are also denied shell access, as they can always install their | ||
63 | own forwarders. | ||
60 | 64 | ||
61 | AllowUsers | 65 | AllowUsers |
62 | This keyword can be followed by a list of user name patterns, | 66 | This keyword can be followed by a list of user name patterns, |
@@ -71,6 +75,44 @@ DESCRIPTION | |||
71 | 75 | ||
72 | See PATTERNS in ssh_config(5) for more information on patterns. | 76 | See PATTERNS in ssh_config(5) for more information on patterns. |
73 | 77 | ||
78 | AuthenticationMethods | ||
79 | Specifies the authentication methods that must be successfully | ||
80 | completed for a user to be granted access. This option must be | ||
81 | followed by one or more comma-separated lists of authentication | ||
82 | method names. Successful authentication requires completion of | ||
83 | every method in at least one of these lists. | ||
84 | |||
85 | For example, an argument of ``publickey,password | ||
86 | publickey,keyboard-interactive'' would require the user to | ||
87 | complete public key authentication, followed by either password | ||
88 | or keyboard interactive authentication. Only methods that are | ||
89 | next in one or more lists are offered at each stage, so for this | ||
90 | example, it would not be possible to attempt password or | ||
91 | keyboard-interactive authentication before public key. | ||
92 | |||
93 | This option is only available for SSH protocol 2 and will yield a | ||
94 | fatal error if enabled if protocol 1 is also enabled. Note that | ||
95 | each authentication method listed should also be explicitly | ||
96 | enabled in the configuration. The default is not to require | ||
97 | multiple authentication; successful completion of a single | ||
98 | authentication method is sufficient. | ||
99 | |||
100 | AuthorizedKeysCommand | ||
101 | Specifies a program to be used to look up the user's public keys. | ||
102 | The program will be invoked with a single argument of the | ||
103 | username being authenticated, and should produce on standard | ||
104 | output zero or more lines of authorized_keys output (see | ||
105 | AUTHORIZED_KEYS in sshd(8)). If a key supplied by | ||
106 | AuthorizedKeysCommand does not successfully authenticate and | ||
107 | authorize the user then public key authentication continues using | ||
108 | the usual AuthorizedKeysFile files. By default, no | ||
109 | AuthorizedKeysCommand is run. | ||
110 | |||
111 | AuthorizedKeysCommandUser | ||
112 | Specifies the user under whose account the AuthorizedKeysCommand | ||
113 | is run. It is recommended to use a dedicated user that has no | ||
114 | other role on the host than running authorized keys commands. | ||
115 | |||
74 | AuthorizedKeysFile | 116 | AuthorizedKeysFile |
75 | Specifies the file that contains the public keys that can be used | 117 | Specifies the file that contains the public keys that can be used |
76 | for user authentication. The format is described in the | 118 | for user authentication. The format is described in the |
@@ -150,11 +192,13 @@ DESCRIPTION | |||
150 | Specifies the ciphers allowed for protocol version 2. Multiple | 192 | Specifies the ciphers allowed for protocol version 2. Multiple |
151 | ciphers must be comma-separated. The supported ciphers are | 193 | ciphers must be comma-separated. The supported ciphers are |
152 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | 194 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', |
153 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', | 195 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', |
154 | ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and | 196 | ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', |
155 | ``cast128-cbc''. The default is: | 197 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', |
198 | and ``cast128-cbc''. The default is: | ||
156 | 199 | ||
157 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | 200 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, |
201 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | ||
158 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | 202 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, |
159 | aes256-cbc,arcfour | 203 | aes256-cbc,arcfour |
160 | 204 | ||
@@ -373,9 +417,16 @@ DESCRIPTION | |||
373 | MACs Specifies the available MAC (message authentication code) | 417 | MACs Specifies the available MAC (message authentication code) |
374 | algorithms. The MAC algorithm is used in protocol version 2 for | 418 | algorithms. The MAC algorithm is used in protocol version 2 for |
375 | data integrity protection. Multiple algorithms must be comma- | 419 | data integrity protection. Multiple algorithms must be comma- |
376 | separated. The default is: | 420 | separated. The algorithms that contain ``-etm'' calculate the |
377 | 421 | MAC after encryption (encrypt-then-mac). These are considered | |
378 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 422 | safer and their use recommended. The default is: |
423 | |||
424 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
425 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | ||
426 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | ||
427 | hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, | ||
428 | hmac-md5-96-etm@openssh.com, | ||
429 | hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, | ||
379 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, | 430 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, |
380 | hmac-sha1-96,hmac-md5-96 | 431 | hmac-sha1-96,hmac-md5-96 |
381 | 432 | ||
@@ -402,15 +453,16 @@ DESCRIPTION | |||
402 | Only a subset of keywords may be used on the lines following a | 453 | Only a subset of keywords may be used on the lines following a |
403 | Match keyword. Available keywords are AcceptEnv, | 454 | Match keyword. Available keywords are AcceptEnv, |
404 | AllowAgentForwarding, AllowGroups, AllowTcpForwarding, | 455 | AllowAgentForwarding, AllowGroups, AllowTcpForwarding, |
405 | AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, | 456 | AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, |
406 | ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, | 457 | AuthorizedKeysCommandUser, AuthorizedKeysFile, |
407 | GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, | 458 | AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups, |
408 | HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, | 459 | DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, |
409 | KerberosAuthentication, MaxAuthTries, MaxSessions, | 460 | HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, |
410 | PasswordAuthentication, PermitEmptyPasswords, PermitOpen, | 461 | KbdInteractiveAuthentication, KerberosAuthentication, |
411 | PermitRootLogin, PermitTunnel, PubkeyAuthentication, | 462 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
412 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | 463 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, |
413 | X11Forwarding and X11UseLocalHost. | 464 | PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, |
465 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. | ||
414 | 466 | ||
415 | MaxAuthTries | 467 | MaxAuthTries |
416 | Specifies the maximum number of authentication attempts permitted | 468 | Specifies the maximum number of authentication attempts permitted |
@@ -425,7 +477,7 @@ DESCRIPTION | |||
425 | Specifies the maximum number of concurrent unauthenticated | 477 | Specifies the maximum number of concurrent unauthenticated |
426 | connections to the SSH daemon. Additional connections will be | 478 | connections to the SSH daemon. Additional connections will be |
427 | dropped until authentication succeeds or the LoginGraceTime | 479 | dropped until authentication succeeds or the LoginGraceTime |
428 | expires for a connection. The default is 10. | 480 | expires for a connection. The default is 10:30:100. |
429 | 481 | ||
430 | Alternatively, random early drop can be enabled by specifying the | 482 | Alternatively, random early drop can be enabled by specifying the |
431 | three colon separated values ``start:rate:full'' (e.g. | 483 | three colon separated values ``start:rate:full'' (e.g. |
@@ -520,10 +572,13 @@ DESCRIPTION | |||
520 | version 2 only. | 572 | version 2 only. |
521 | 573 | ||
522 | RevokedKeys | 574 | RevokedKeys |
523 | Specifies a list of revoked public keys. Keys listed in this | 575 | Specifies revoked public keys. Keys listed in this file will be |
524 | file will be refused for public key authentication. Note that if | 576 | refused for public key authentication. Note that if this file is |
525 | this file is not readable, then public key authentication will be | 577 | not readable, then public key authentication will be refused for |
526 | refused for all users. | 578 | all users. Keys may be specified as a text file, listing one |
579 | public key per line, or as an OpenSSH Key Revocation List (KRL) | ||
580 | as generated by ssh-keygen(1). For more information on KRLs, see | ||
581 | the KEY REVOCATION LISTS section in ssh-keygen(1). | ||
527 | 582 | ||
528 | RhostsRSAAuthentication | 583 | RhostsRSAAuthentication |
529 | Specifies whether rhosts or /etc/hosts.equiv authentication | 584 | Specifies whether rhosts or /etc/hosts.equiv authentication |
@@ -722,4 +777,4 @@ AUTHORS | |||
722 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 777 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
723 | for privilege separation. | 778 | for privilege separation. |
724 | 779 | ||
725 | OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 | 780 | OpenBSD 5.3 February 6, 2013 OpenBSD 5.3 |
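--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $
-.Dd $Mdocdate: June 29 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
+.Dd $Mdocdate: February 6 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -151,6 +151,19 @@ in
 for more information on patterns.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow TCP forwarding,
+.Dq no
+to prevent all TCP forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 )
+forwarding only or
+.Dq remote
+to allow remote forwarding only.
 The default is
 .Dq yes .
 Note that disabling TCP forwarding does not improve security unless
@@ -178,6 +191,45 @@ See
 in
 .Xr ssh_config 5
 for more information on patterns.
+.It Cm AuthenticationMethods
+Specifies the authentication methods that must be successfully completed
+for a user to be granted access.
+This option must be followed by one or more comma-separated lists of
+authentication method names.
+Successful authentication requires completion of every method in at least
+one of these lists.
+.Pp
+For example, an argument of
+.Dq publickey,password publickey,keyboard-interactive
+would require the user to complete public key authentication, followed by
+either password or keyboard interactive authentication.
+Only methods that are next in one or more lists are offered at each stage,
+so for this example, it would not be possible to attempt password or
+keyboard-interactive authentication before public key.
+.Pp
+This option is only available for SSH protocol 2 and will yield a fatal
+error if enabled if protocol 1 is also enabled.
+Note that each authentication method listed should also be explicitly enabled
+in the configuration.
+The default is not to require multiple authentication; successful completion
+of a single authentication method is sufficient.
+.It Cm AuthorizedKeysCommand
+Specifies a program to be used to look up the user's public keys.
+The program will be invoked with a single argument of the username
+being authenticated, and should produce on standard output zero or
+more lines of authorized_keys output (see
+.Sx AUTHORIZED_KEYS
+in
+.Xr sshd 8 ) .
+If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+and authorize the user then public key authentication continues using the usual
+.Cm AuthorizedKeysFile
+files.
+By default, no AuthorizedKeysCommand is run.
+.It Cm AuthorizedKeysCommandUser
+Specifies the user under whose account the AuthorizedKeysCommand is run.
+It is recommended to use a dedicated user that has no other role on the host
+than running authorized keys commands.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
@@ -310,6 +362,8 @@ The supported ciphers are
 .Dq aes128-ctr ,
 .Dq aes192-ctr ,
 .Dq aes256-ctr ,
+.Dq aes128-gcm@openssh.com ,
+.Dq aes256-gcm@openssh.com ,
 .Dq arcfour128 ,
 .Dq arcfour256 ,
 .Dq arcfour ,
@@ -319,6 +373,7 @@ and
 The default is:
 .Bd -literal -offset 3n
 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour
 .Ed
@@ -713,9 +768,18 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+The algorithms that contain
+.Dq -etm
+calculate the MAC after encryption (encrypt-then-mac).
+These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
+hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
@@ -770,6 +834,9 @@ Available keywords are
 .Cm AllowGroups ,
 .Cm AllowTcpForwarding ,
 .Cm AllowUsers ,
+.Cm AuthenticationMethods ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandUser ,
 .Cm AuthorizedKeysFile ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
@@ -1000,10 +1067,17 @@ The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 .It Cm RevokedKeys
-Specifies a list of revoked public keys.
+Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
+Keys may be specified as a text file, listing one public key per line, or as
+an OpenSSH Key Revocation List (KRL) as generated by
+.Xr ssh-keygen 1 .
+For more information on KRLs, see the
+.Sx KEY REVOCATION LISTS
+section in
+.Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.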
@@ -138,20 +138,8 @@ permanently_drop_suid(uid_t uid) | |||
138 | uid_t old_uid = getuid(); | 138 | uid_t old_uid = getuid(); |
139 | 139 | ||
140 | debug("permanently_drop_suid: %u", (u_int)uid); | 140 | debug("permanently_drop_suid: %u", (u_int)uid); |
141 | #if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) | ||
142 | if (setresuid(uid, uid, uid) < 0) | 141 | if (setresuid(uid, uid, uid) < 0) |
143 | fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); | 142 | fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); |
144 | #elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) | ||
145 | if (setreuid(uid, uid) < 0) | ||
146 | fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno)); | ||
147 | #else | ||
148 | # ifndef SETEUID_BREAKS_SETUID | ||
149 | if (seteuid(uid) < 0) | ||
150 | fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno)); | ||
151 | # endif | ||
152 | if (setuid(uid) < 0) | ||
153 | fatal("setuid %u: %.100s", (u_int)uid, strerror(errno)); | ||
154 | #endif | ||
155 | 143 | ||
156 | #ifndef HAVE_CYGWIN | 144 | #ifndef HAVE_CYGWIN |
157 | /* Try restoration of UID if changed (test clearing of saved uid) */ | 145 | /* Try restoration of UID if changed (test clearing of saved uid) */ |
@@ -220,18 +208,8 @@ permanently_set_uid(struct passwd *pw) | |||
220 | debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, | 208 | debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, |
221 | (u_int)pw->pw_gid); | 209 | (u_int)pw->pw_gid); |
222 | 210 | ||
223 | #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) | ||
224 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) | 211 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) |
225 | fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | 212 | fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); |
226 | #elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID) | ||
227 | if (setregid(pw->pw_gid, pw->pw_gid) < 0) | ||
228 | fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | ||
229 | #else | ||
230 | if (setegid(pw->pw_gid) < 0) | ||
231 | fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | ||
232 | if (setgid(pw->pw_gid) < 0) | ||
233 | fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | ||
234 | #endif | ||
235 | 213 | ||
236 | #ifdef __APPLE__ | 214 | #ifdef __APPLE__ |
237 | /* | 215 | /* |
@@ -243,20 +221,8 @@ permanently_set_uid(struct passwd *pw) | |||
243 | pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); | 221 | pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); |
244 | #endif | 222 | #endif |
245 | 223 | ||
246 | #if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) | ||
247 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) | 224 | if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) |
248 | fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); | 225 | fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); |
249 | #elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) | ||
250 | if (setreuid(pw->pw_uid, pw->pw_uid) < 0) | ||
251 | fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); | ||
252 | #else | ||
253 | # ifndef SETEUID_BREAKS_SETUID | ||
254 | if (seteuid(pw->pw_uid) < 0) | ||
255 | fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); | ||
256 | # endif | ||
257 | if (setuid(pw->pw_uid) < 0) | ||
258 | fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); | ||
259 | #endif | ||
260 | 226 | ||
261 | #ifndef HAVE_CYGWIN | 227 | #ifndef HAVE_CYGWIN |
262 | /* Try restoration of GID if changed (test clearing of saved gid) */ | 228 | /* Try restoration of GID if changed (test clearing of saved gid) */ |
@@ -52,7 +52,15 @@ | |||
52 | /* --- User Switches ---------------------------------------------------- */ | 52 | /* --- User Switches ---------------------------------------------------- */ |
53 | /* ---------------------------------------------------------------------- */ | 53 | /* ---------------------------------------------------------------------- */ |
54 | 54 | ||
55 | #ifndef UMAC_OUTPUT_LEN | ||
55 | #define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */ | 56 | #define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */ |
57 | #endif | ||
58 | |||
59 | #if UMAC_OUTPUT_LEN != 4 && UMAC_OUTPUT_LEN != 8 && \ | ||
60 | UMAC_OUTPUT_LEN != 12 && UMAC_OUTPUT_LEN != 16 | ||
61 | # error UMAC_OUTPUT_LEN must be defined to 4, 8, 12 or 16 | ||
62 | #endif | ||
63 | |||
56 | /* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */ | 64 | /* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */ |
57 | /* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */ | 65 | /* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */ |
58 | /* #define SSE2 0 Is SSE2 is available? */ | 66 | /* #define SSE2 0 Is SSE2 is available? */ |
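Review bot: The new `#error` guard accepts 4 and 12 as well as 8 and 16, so a build that picks up a stray `-DUMAC_OUTPUT_LEN=4` compiles cleanly and yields 32-bit tags. The only UMAC variants named elsewhere in this commit are umac-64 and umac-128, so if no other length is intended the guard could be narrowed to `#if UMAC_OUTPUT_LEN != 8 && UMAC_OUTPUT_LEN != 16`. A short comment above the `#ifndef` would also help, stating that the value is now a build-time override and that (presumably) the caller's tag buffer must hold that many bytes. The existing comment only lists the values and misspells "Alowable".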
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */ | 1 | /* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ |
2 | /* ----------------------------------------------------------------------- | 2 | /* ----------------------------------------------------------------------- |
3 | * | 3 | * |
4 | * umac.h -- C Implementation UMAC Message Authentication | 4 | * umac.h -- C Implementation UMAC Message Authentication |
@@ -116,6 +116,12 @@ int uhash(uhash_ctx_t ctx, | |||
116 | 116 | ||
117 | #endif | 117 | #endif |
118 | 118 | ||
119 | /* matching umac-128 API, we reuse umac_ctx, since it's opaque */ | ||
120 | struct umac_ctx *umac128_new(u_char key[]); | ||
121 | int umac128_update(struct umac_ctx *ctx, u_char *input, long len); | ||
122 | int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); | ||
123 | int umac128_delete(struct umac_ctx *ctx); | ||
124 | |||
119 | #ifdef __cplusplus | 125 | #ifdef __cplusplus |
120 | } | 126 | } |
121 | #endif | 127 | #endif |
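Review bot: The umac128_* prototypes added after the `#endif` declare `tag[]` without a size and take the same `struct umac_ctx *` as the 64-bit API, so neither an undersized tag buffer nor a context created by the other family is caught at compile time. The one-line comment explains why the type is reused but not what the caller must guarantee. I would extend it to something like `/* ctx must come from umac128_new(); tag must have room for the 16-byte umac-128 tag */`. Whether the two variants actually lay out the context differently is not visible in this hunk and should be confirmed against umac.c.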
@@ -1,6 +1,6 @@ | |||
1 | /* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */ | 1 | /* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */ |
2 | 2 | ||
3 | #define SSH_VERSION "OpenSSH_6.1" | 3 | #define SSH_VERSION "OpenSSH_6.2" |
4 | 4 | ||
5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p1" |
6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |