summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
committerColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
commitecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree449614b6c06a2622c74a609b31fcc46c60037c56
parentc6a2c0334e45419875687d250aed9bea78480f2e (diff)
parentffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat
-rw-r--r--ChangeLog671
-rw-r--r--INSTALL4
-rw-r--r--Makefile.in32
-rw-r--r--PROTOCOL42
-rw-r--r--PROTOCOL.agent4
-rw-r--r--PROTOCOL.krl164
-rw-r--r--README4
-rw-r--r--acss.c267
-rw-r--r--acss.h47
-rw-r--r--auth-options.c4
-rw-r--r--auth-rsa.c4
-rw-r--r--auth.c77
-rw-r--r--auth.h19
-rw-r--r--auth1.c13
-rw-r--r--auth2-chall.c13
-rw-r--r--auth2-gss.c8
-rw-r--r--auth2-jpake.c4
-rw-r--r--auth2-pubkey.c216
-rw-r--r--auth2.c239
-rw-r--r--authfile.c6
-rw-r--r--buildpkg.sh.in20
-rw-r--r--channels.c12
-rw-r--r--cipher-acss.c86
-rw-r--r--cipher-aes.c3
-rw-r--r--cipher-ctr.c6
-rw-r--r--cipher.c147
-rw-r--r--cipher.h8
-rw-r--r--clientloop.c145
-rw-r--r--clientloop.h3
-rw-r--r--compat.c4
-rw-r--r--config.h.in40
-rwxr-xr-xconfigure540
-rw-r--r--configure.ac273
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/redhat/openssh.spec2
-rwxr-xr-xcontrib/redhat/sshd.init8
-rw-r--r--contrib/ssh-copy-id309
-rw-r--r--contrib/ssh-copy-id.1251
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--contrib/suse/rc.sshd8
-rw-r--r--defines.h10
-rw-r--r--includes.h6
-rw-r--r--kex.c30
-rw-r--r--kex.h4
-rw-r--r--key.c40
-rw-r--r--key.h6
-rw-r--r--krl.c1229
-rw-r--r--krl.h63
-rw-r--r--log.c19
-rw-r--r--log.h4
-rw-r--r--loginrec.c4
-rw-r--r--mac.c52
-rw-r--r--moduli397
-rw-r--r--moduli.010
-rw-r--r--moduli.513
-rw-r--r--monitor.c64
-rw-r--r--monitor.h85
-rw-r--r--monitor_wrap.c41
-rw-r--r--mux.c12
-rw-r--r--myproposal.h13
-rw-r--r--openbsd-compat/Makefile.in6
-rw-r--r--openbsd-compat/bsd-misc.c30
-rw-r--r--openbsd-compat/bsd-misc.h10
-rw-r--r--openbsd-compat/bsd-setres_id.c99
-rw-r--r--openbsd-compat/bsd-setres_id.h24
-rw-r--r--openbsd-compat/openbsd-compat.h11
-rw-r--r--openbsd-compat/openssl-compat.h43
-rw-r--r--openbsd-compat/strtoull.c110
-rw-r--r--openbsd-compat/sys-queue.h53
-rw-r--r--openbsd-compat/sys-tree.h114
-rw-r--r--openbsd-compat/vis.c2
-rw-r--r--openbsd-compat/vis.h4
-rw-r--r--packet.c132
-rw-r--r--platform.c18
-rw-r--r--platform.h5
-rw-r--r--regress/Makefile18
-rw-r--r--regress/cert-userkey.sh27
-rw-r--r--regress/cipher-speed.sh25
-rw-r--r--regress/forward-control.sh168
-rw-r--r--regress/integrity.sh74
-rw-r--r--regress/keys-command.sh39
-rw-r--r--regress/krl.sh161
-rwxr-xr-xregress/modpipe.c175
-rw-r--r--regress/multiplex.sh50
-rw-r--r--regress/test-exec.sh4
-rw-r--r--regress/try-ciphers.sh37
-rw-r--r--sandbox-seccomp-filter.c8
-rw-r--r--scp.02
-rw-r--r--scp.c2
-rw-r--r--servconf.c81
-rw-r--r--servconf.h19
-rw-r--r--serverloop.c23
-rw-r--r--session.c14
-rw-r--r--sftp-server.014
-rw-r--r--sftp-server.816
-rw-r--r--sftp-server.c26
-rw-r--r--sftp.02
-rw-r--r--sftp.c36
-rw-r--r--ssh-add.015
-rw-r--r--ssh-add.114
-rw-r--r--ssh-add.c39
-rw-r--r--ssh-agent.02
-rw-r--r--ssh-gss.h11
-rw-r--r--ssh-keygen.084
-rw-r--r--ssh-keygen.1125
-rw-r--r--ssh-keygen.c317
-rw-r--r--ssh-keyscan.02
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-pkcs11-helper.02
-rw-r--r--ssh.057
-rw-r--r--ssh.1111
-rw-r--r--ssh_config.032
-rw-r--r--ssh_config.520
-rw-r--r--sshconnect.c45
-rw-r--r--sshconnect2.c48
-rw-r--r--sshd.04
-rw-r--r--sshd.86
-rw-r--r--sshd.c42
-rw-r--r--sshd_config7
-rw-r--r--sshd_config.0105
-rw-r--r--sshd_config.584
-rw-r--r--uidswap.c34
-rw-r--r--umac.c8
-rw-r--r--umac.h8
-rw-r--r--version.h4
125 files changed, 7095 insertions, 1626 deletions
diff --git a/ChangeLog b/ChangeLog
index f8e600847..dbd8b0aa9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,673 @@
120120322
2 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
3 Hands' greatly revised version.
4 - (djm) Release 6.2p1
5
620120318
7 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
8 [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
9 so mark it as broken. Patch from des AT des.no
10
1120120317
12 - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none
13 of the bits the configure test looks for.
14
1520120316
16 - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform
17 is unable to successfully compile them. Based on patch from des AT
18 des.no
19 - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
20 Add a usleep replacement for platforms that lack it; ok dtucker
21 - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
22 occur after UID switch; patch from John Marshall via des AT des.no;
23 ok dtucker@
24
2520120312
26 - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh]
27 Improve portability of cipher-speed test, based mostly on a patch from
28 Iain Morgan.
29 - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin")
30 in addition to root as an owner of system directories on AIX and HP-UX.
31 ok djm@
32
3320130307
34 - (dtucker) [INSTALL] Bump documented autoconf version to what we're
35 currently using.
36 - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it
37 was removed in configure.ac rev 1.481 as it was redundant.
38 - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days
39 ago.
40 - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a
41 chance to complete on broken systems; ok dtucker@
42
4320130306
44 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding
45 connection to start so that the test works on slower machines.
46 - (dtucker) [configure.ac] test that we can set number of file descriptors
47 to zero with setrlimit before enabling the rlimit sandbox. This affects
48 (at least) HPUX 11.11.
49
5020130305
51 - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for
52 HP/UX. Spotted by Kevin Brott
53 - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by
54 Amit Kulkarni and Kevin Brott.
55 - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure
56 build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin
57 Brott.
58 - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov.
59
6020130227
61 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
62 [contrib/suse/openssh.spec] Crank version numbers
63 - (tim) [regress/forward-control.sh] use sh in case login shell is csh.
64 - (tim) [regress/integrity.sh] shell portability fix.
65 - (tim) [regress/integrity.sh] keep old solaris awk from hanging.
66 - (tim) [regress/krl.sh] keep old solaris awk from hanging.
67
6820130226
69 - OpenBSD CVS Sync
70 - djm@cvs.openbsd.org 2013/02/20 08:27:50
71 [integrity.sh]
72 Add an option to modpipe that warns if the modification offset it not
73 reached in it's stream and turn it on for t-integrity. This should catch
74 cases where the session is not fuzzed for being too short (cf. my last
75 "oops" commit)
76 - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage
77 for UsePAM=yes configuration
78
7920130225
80 - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed
81 to use Solaris native GSS libs. Patch from Pierre Ossman.
82
8320130223
84 - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer
85 bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu.
86 ok tim
87
8820130222
89 - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to
90 ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm.
91 - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named
92 libgss too. Patch from Pierre Ossman, ok djm.
93 - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
94 seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
95 ok dtucker
96
9720130221
98 - (tim) [regress/forward-control.sh] shell portability fix.
99
10020130220
101 - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix.
102 - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded
103 err.h include from krl.c. Additional portability fixes for modpipe. OK djm
104 - OpenBSD CVS Sync
105 - djm@cvs.openbsd.org 2013/02/20 08:27:50
106 [regress/integrity.sh regress/modpipe.c]
107 Add an option to modpipe that warns if the modification offset it not
108 reached in it's stream and turn it on for t-integrity. This should catch
109 cases where the session is not fuzzed for being too short (cf. my last
110 "oops" commit)
111 - djm@cvs.openbsd.org 2013/02/20 08:29:27
112 [regress/modpipe.c]
113 s/Id/OpenBSD/ in RCS tag
114
11520130219
116 - OpenBSD CVS Sync
117 - djm@cvs.openbsd.org 2013/02/18 22:26:47
118 [integrity.sh]
119 crank the offset yet again; it was still fuzzing KEX one of Darren's
120 portable test hosts at 2800
121 - djm@cvs.openbsd.org 2013/02/19 02:14:09
122 [integrity.sh]
123 oops, forgot to increase the output of the ssh command to ensure that
124 we actually reach $offset
125 - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that
126 lack support for SHA2.
127 - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms
128 that do not have them.
129
13020130217
131 - OpenBSD CVS Sync
132 - djm@cvs.openbsd.org 2013/02/17 23:16:55
133 [integrity.sh]
134 make the ssh command generates some output to ensure that there are at
135 least offset+tries bytes in the stream.
136
13720130216
138 - OpenBSD CVS Sync
139 - djm@cvs.openbsd.org 2013/02/16 06:08:45
140 [integrity.sh]
141 make sure the fuzz offset is actually past the end of KEX for all KEX
142 types. diffie-hellman-group-exchange-sha256 requires an offset around
143 2700. Noticed via test failures in portable OpenSSH on platforms that
144 lack ECC and this the more byte-frugal ECDH KEX algorithms.
145
14620130215
147 - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from
148 Iain Morgan
149 - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
150 Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
151 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c
152 openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
153 platforms that don't have it.
154 - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul,
155 group strto* function prototypes together.
156 - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes
157 an argument. Pointed out by djm.
158 - (djm) OpenBSD CVS Sync
159 - djm@cvs.openbsd.org 2013/02/14 21:35:59
160 [auth2-pubkey.c]
161 Correct error message that had a typo and was logging the wrong thing;
162 patch from Petr Lautrbach
163 - dtucker@cvs.openbsd.org 2013/02/15 00:21:01
164 [sshconnect2.c]
165 Warn more loudly if an IdentityFile provided by the user cannot be read.
166 bz #1981, ok djm@
167
16820130214
169 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC.
170 - (djm) [regress/krl.sh] typo; found by Iain Morgan
171 - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead
172 of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by
173 Iain Morgan
174
17520130212
176 - (djm) OpenBSD CVS Sync
177 - djm@cvs.openbsd.org 2013/01/24 21:45:37
178 [krl.c]
179 fix handling of (unused) KRL signatures; skip string in correct buffer
180 - djm@cvs.openbsd.org 2013/01/24 22:08:56
181 [krl.c]
182 skip serial lookup when cert's serial number is zero
183 - krw@cvs.openbsd.org 2013/01/25 05:00:27
184 [krl.c]
185 Revert last. Breaks due to likely typo. Let djm@ fix later.
186 ok djm@ via dlg@
187 - djm@cvs.openbsd.org 2013/01/25 10:22:19
188 [krl.c]
189 redo last commit without the vi-vomit that snuck in:
190 skip serial lookup when cert's serial number is zero
191 (now with 100% better comment)
192 - djm@cvs.openbsd.org 2013/01/26 06:11:05
193 [Makefile.in acss.c acss.h cipher-acss.c cipher.c]
194 [openbsd-compat/openssl-compat.h]
195 remove ACSS, now that it is gone from libcrypto too
196 - djm@cvs.openbsd.org 2013/01/27 10:06:12
197 [krl.c]
198 actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
199 - dtucker@cvs.openbsd.org 2013/02/06 00:20:42
200 [servconf.c sshd_config sshd_config.5]
201 Change default of MaxStartups to 10:30:100 to start doing random early
202 drop at 10 connections up to 100 connections. This will make it harder
203 to DoS as CPUs have come a long way since the original value was set
204 back in 2000. Prompted by nion at debian org, ok markus@
205 - dtucker@cvs.openbsd.org 2013/02/06 00:22:21
206 [auth.c]
207 Fix comment, from jfree.e1 at gmail
208 - djm@cvs.openbsd.org 2013/02/08 00:41:12
209 [sftp.c]
210 fix NULL deref when built without libedit and control characters
211 entered as command; debugging and patch from Iain Morgan an
212 Loganaden Velvindron in bz#1956
213 - markus@cvs.openbsd.org 2013/02/10 21:19:34
214 [version.h]
215 openssh 6.2
216 - djm@cvs.openbsd.org 2013/02/10 23:32:10
217 [ssh-keygen.c]
218 append to moduli file when screening candidates rather than overwriting.
219 allows resumption of interrupted screen; patch from Christophe Garault
220 in bz#1957; ok dtucker@
221 - djm@cvs.openbsd.org 2013/02/10 23:35:24
222 [packet.c]
223 record "Received disconnect" messages at ERROR rather than INFO priority,
224 since they are abnormal and result in a non-zero ssh exit status; patch
225 from Iain Morgan in bz#2057; ok dtucker@
226 - dtucker@cvs.openbsd.org 2013/02/11 21:21:58
227 [sshd.c]
228 Add openssl version to debug output similar to the client. ok markus@
229 - djm@cvs.openbsd.org 2013/02/11 23:58:51
230 [regress/try-ciphers.sh]
231 remove acss here too
232 - (djm) [regress/try-ciphers.sh] clean up CVS merge botch
233
23420130211
235 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
236 libcrypto that lacks EVP_CIPHER_CTX_ctrl
237
23820130208
239 - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
240 patch from Iain Morgan in bz#2059
241 - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
242 __attribute__ on return values and work around if necessary. ok djm@
243
24420130207
245 - (djm) [configure.ac] Don't probe seccomp capability of running kernel
246 at configure time; the seccomp sandbox will fall back to rlimit at
247 runtime anyway. Patch from plautrba AT redhat.com in bz#2011
248
24920130120
250 - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
251 Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
252 prototypes for openssl-1.0.0-fips.
253 - (djm) OpenBSD CVS Sync
254 - jmc@cvs.openbsd.org 2013/01/18 07:57:47
255 [ssh-keygen.1]
256 tweak previous;
257 - jmc@cvs.openbsd.org 2013/01/18 07:59:46
258 [ssh-keygen.c]
259 -u before -V in usage();
260 - jmc@cvs.openbsd.org 2013/01/18 08:00:49
261 [sshd_config.5]
262 tweak previous;
263 - jmc@cvs.openbsd.org 2013/01/18 08:39:04
264 [ssh-keygen.1]
265 add -Q to the options list; ok djm
266 - jmc@cvs.openbsd.org 2013/01/18 21:48:43
267 [ssh-keygen.1]
268 command-line (adj.) -> command line (n.);
269 - jmc@cvs.openbsd.org 2013/01/19 07:13:25
270 [ssh-keygen.1]
271 fix some formatting; ok djm
272 - markus@cvs.openbsd.org 2013/01/19 12:34:55
273 [krl.c]
274 RB_INSERT does not remove existing elments; ok djm@
275 - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
276 version.
277 - (djm) [regress/krl.sh] replacement for jot; most platforms lack it
278
27920130118
280 - (djm) OpenBSD CVS Sync
281 - djm@cvs.openbsd.org 2013/01/17 23:00:01
282 [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
283 [krl.c krl.h PROTOCOL.krl]
284 add support for Key Revocation Lists (KRLs). These are a compact way to
285 represent lists of revoked keys and certificates, taking as little as
286 a single bit of incremental cost to revoke a certificate by serial number.
287 KRLs are loaded via the existing RevokedKeys sshd_config option.
288 feedback and ok markus@
289 - djm@cvs.openbsd.org 2013/01/18 00:45:29
290 [regress/Makefile regress/cert-userkey.sh regress/krl.sh]
291 Tests for Key Revocation Lists (KRLs)
292 - djm@cvs.openbsd.org 2013/01/18 03:00:32
293 [krl.c]
294 fix KRL generation bug for list sections
295
29620130117
297 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
298 check for GCM support before testing GCM ciphers.
299
30020130112
301 - (djm) OpenBSD CVS Sync
302 - djm@cvs.openbsd.org 2013/01/12 11:22:04
303 [cipher.c]
304 improve error message for integrity failure in AES-GCM modes; ok markus@
305 - djm@cvs.openbsd.org 2013/01/12 11:23:53
306 [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
307 test AES-GCM modes; feedback markus@
308 - (djm) [regress/integrity.sh] repair botched merge
309
31020130109
311 - (djm) OpenBSD CVS Sync
312 - dtucker@cvs.openbsd.org 2012/12/14 05:26:43
313 [auth.c]
314 use correct string in error message; from rustybsd at gmx.fr
315 - djm@cvs.openbsd.org 2013/01/02 00:32:07
316 [clientloop.c mux.c]
317 channel_setup_local_fwd_listener() returns 0 on failure, not -ve
318 bz#2055 reported by mathieu.lacage AT gmail.com
319 - djm@cvs.openbsd.org 2013/01/02 00:33:49
320 [PROTOCOL.agent]
321 correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
322 bz#2051 from david AT lechnology.com
323 - djm@cvs.openbsd.org 2013/01/03 05:49:36
324 [servconf.h]
325 add a couple of ServerOptions members that should be copied to the privsep
326 child (for consistency, in this case they happen only to be accessed in
327 the monitor); ok dtucker@
328 - djm@cvs.openbsd.org 2013/01/03 12:49:01
329 [PROTOCOL]
330 fix description of MAC calculation for EtM modes; ok markus@
331 - djm@cvs.openbsd.org 2013/01/03 12:54:49
332 [sftp-server.8 sftp-server.c]
333 allow specification of an alternate start directory for sftp-server(8)
334 "I like this" markus@
335 - djm@cvs.openbsd.org 2013/01/03 23:22:58
336 [ssh-keygen.c]
337 allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
338 ok markus@
339 - jmc@cvs.openbsd.org 2013/01/04 19:26:38
340 [sftp-server.8 sftp-server.c]
341 sftp-server.8: add argument name to -d
342 sftp-server.c: add -d to usage()
343 ok djm
344 - markus@cvs.openbsd.org 2013/01/08 18:49:04
345 [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
346 [myproposal.h packet.c ssh_config.5 sshd_config.5]
347 support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
348 ok and feedback djm@
349 - djm@cvs.openbsd.org 2013/01/09 05:40:17
350 [ssh-keygen.c]
351 correctly initialise fingerprint type for fingerprinting PKCS#11 keys
352 - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
353 Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
354 cipher compat code to openssl-compat.h
355
35620121217
357 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress
358 tests will work with VPATH directories.
359
36020121213
361 - (djm) OpenBSD CVS Sync
362 - markus@cvs.openbsd.org 2012/12/12 16:45:52
363 [packet.c]
364 reset incoming_packet buffer for each new packet in EtM-case, too;
365 this happens if packets are parsed only parially (e.g. ignore
366 messages sent when su/sudo turn off echo); noted by sthen/millert
367 - naddy@cvs.openbsd.org 2012/12/12 16:46:10
368 [cipher.c]
369 use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled
370 counter mode code; ok djm@
371 - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
372 compat code for older OpenSSL
373 - (djm) [cipher.c] Fix missing prototype for compat code
374
37520121212
376 - (djm) OpenBSD CVS Sync
377 - markus@cvs.openbsd.org 2012/12/11 22:16:21
378 [monitor.c]
379 drain the log messages after receiving the keystate from the unpriv
380 child. otherwise it might block while sending. ok djm@
381 - markus@cvs.openbsd.org 2012/12/11 22:31:18
382 [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
383 [packet.c ssh_config.5 sshd_config.5]
384 add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
385 that change the packet format and compute the MAC over the encrypted
386 message (including the packet size) instead of the plaintext data;
387 these EtM modes are considered more secure and used by default.
388 feedback and ok djm@
389 - sthen@cvs.openbsd.org 2012/12/11 22:51:45
390 [mac.c]
391 fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
392 - markus@cvs.openbsd.org 2012/12/11 22:32:56
393 [regress/try-ciphers.sh]
394 add etm modes
395 - markus@cvs.openbsd.org 2012/12/11 22:42:11
396 [regress/Makefile regress/modpipe.c regress/integrity.sh]
397 test the integrity of the packets; with djm@
398 - markus@cvs.openbsd.org 2012/12/11 23:12:13
399 [try-ciphers.sh]
400 add hmac-ripemd160-etm@openssh.com
401 - (djm) [mac.c] fix merge botch
402 - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test
403 work on platforms without 'jot'
404 - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip
405 - (djm) [regress/Makefile] fix t-exec rule
406
40720121207
408 - (dtucker) OpenBSD CVS Sync
409 - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
410 [regress/keys-command.sh]
411 Fix some problems with the keys-command test:
412 - use string comparison rather than numeric comparison
413 - check for existing KEY_COMMAND file and don't clobber if it exists
414 - clean up KEY_COMMAND file if we do create it.
415 - check that KEY_COMMAND is executable (which it won't be if eg /var/run
416 is mounted noexec).
417 ok djm.
418 - jmc@cvs.openbsd.org 2012/12/03 08:33:03
419 [ssh-add.1 sshd_config.5]
420 tweak previous;
421 - markus@cvs.openbsd.org 2012/12/05 15:42:52
422 [ssh-add.c]
423 prevent double-free of comment; ok djm@
424 - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
425 [serverloop.c]
426 Cast signal to int for logging. A no-op on openbsd (they're always ints)
427 but will prevent warnings in portable. ok djm@
428
42920121205
430 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
431
43220121203
433 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
434 TAILQ_FOREACH_SAFE needed for upcoming changes.
435 - (djm) OpenBSD CVS Sync
436 - djm@cvs.openbsd.org 2012/12/02 20:26:11
437 [ssh_config.5 sshconnect2.c]
438 Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
439 This allows control of which keys are offered from tokens using
440 IdentityFile. ok markus@
441 - djm@cvs.openbsd.org 2012/12/02 20:42:15
442 [ssh-add.1 ssh-add.c]
443 make deleting explicit keys "ssh-add -d" symmetric with adding keys -
444 try to delete the corresponding certificate too and respect the -k option
445 to allow deleting of the key only; feedback and ok markus@
446 - djm@cvs.openbsd.org 2012/12/02 20:46:11
447 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
448 [sshd_config.5]
449 make AllowTcpForwarding accept "local" and "remote" in addition to its
450 current "yes"/"no" to allow the server to specify whether just local or
451 remote TCP forwarding is enabled. ok markus@
452 - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
453 [regress/cipher-speed.sh regress/try-ciphers.sh]
454 Add umac-128@openssh.com to the list of MACs to be tested
455 - djm@cvs.openbsd.org 2012/10/19 05:10:42
456 [regress/cert-userkey.sh]
457 include a serial number when generating certs
458 - djm@cvs.openbsd.org 2012/11/22 22:49:30
459 [regress/Makefile regress/keys-command.sh]
460 regress for AuthorizedKeysCommand; hints from markus@
461 - djm@cvs.openbsd.org 2012/12/02 20:47:48
462 [Makefile regress/forward-control.sh]
463 regress for AllowTcpForwarding local/remote; ok markus@
464 - djm@cvs.openbsd.org 2012/12/03 00:14:06
465 [auth2-chall.c ssh-keygen.c]
466 Fix compilation with -Wall -Werror (trivial type fixes)
467 - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
468 debugging. ok dtucker@
469 - (djm) [configure.ac] Revert previous. configure.ac already does this
470 for us.
471
47220121114
473 - (djm) OpenBSD CVS Sync
474 - djm@cvs.openbsd.org 2012/11/14 02:24:27
475 [auth2-pubkey.c]
476 fix username passed to helper program
477 prepare stdio fds before closefrom()
478 spotted by landry@
479 - djm@cvs.openbsd.org 2012/11/14 02:32:15
480 [ssh-keygen.c]
481 allow the full range of unsigned serial numbers; 'fine' deraadt@
482 - djm@cvs.openbsd.org 2012/12/02 20:34:10
483 [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
484 [monitor.c monitor.h]
485 Fixes logging of partial authentication when privsep is enabled
486 Previously, we recorded "Failed xxx" since we reset authenticated before
487 calling auth_log() in auth2.c. This adds an explcit "Partial" state.
488
489 Add a "submethod" to auth_log() to report which submethod is used
490 for keyboard-interactive.
491
492 Fix multiple authentication when one of the methods is
493 keyboard-interactive.
494
495 ok markus@
496 - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
497 [regress/multiplex.sh]
498 Use 'kill -0' to test for the presence of a pid since it's more portable
499
50020121107
501 - (djm) OpenBSD CVS Sync
502 - eric@cvs.openbsd.org 2011/11/28 08:46:27
503 [moduli.5]
504 fix formula
505 ok djm@
506 - jmc@cvs.openbsd.org 2012/09/26 17:34:38
507 [moduli.5]
508 last stage of rfc changes, using consistent Rs/Re blocks, and moving the
509 references into a STANDARDS section;
510
51120121105
512 - (dtucker) [uidswap.c openbsd-compat/Makefile.in
513 openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
514 openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids
515 and gids from uidswap.c to the compat library, which allows it to work with
516 the new setresuid calls in auth2-pubkey. with tim@, ok djm@
517 - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
518 don't have it. Spotted by tim@.
519
52020121104
521 - (djm) OpenBSD CVS Sync
522 - jmc@cvs.openbsd.org 2012/10/31 08:04:50
523 [sshd_config.5]
524 tweak previous;
525 - djm@cvs.openbsd.org 2012/11/04 10:38:43
526 [auth2-pubkey.c sshd.c sshd_config.5]
527 Remove default of AuthorizedCommandUser. Administrators are now expected
528 to explicitly specify a user. feedback and ok markus@
529 - djm@cvs.openbsd.org 2012/11/04 11:09:15
530 [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
531 [sshd_config.5]
532 Support multiple required authentication via an AuthenticationMethods
533 option. This option lists one or more comma-separated lists of
534 authentication method names. Successful completion of all the methods in
535 any list is required for authentication to complete;
536 feedback and ok markus@
537
53820121030
539 - (djm) OpenBSD CVS Sync
540 - markus@cvs.openbsd.org 2012/10/05 12:34:39
541 [sftp.c]
542 fix signed vs unsigned warning; feedback & ok: djm@
543 - djm@cvs.openbsd.org 2012/10/30 21:29:55
544 [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
545 [sshd.c sshd_config sshd_config.5]
546 new sshd_config option AuthorizedKeysCommand to support fetching
547 authorized_keys from a command in addition to (or instead of) from
548 the filesystem. The command is run as the target server user unless
549 another specified via a new AuthorizedKeysCommandUser option.
550
551 patch originally by jchadima AT redhat.com, reworked by me; feedback
552 and ok markus@
553
55420121019
555 - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
556 the generated file as intended.
557
55820121005
559 - (dtucker) OpenBSD CVS Sync
560 - djm@cvs.openbsd.org 2012/09/17 09:54:44
561 [sftp.c]
562 an XXX for later
563 - markus@cvs.openbsd.org 2012/09/17 13:04:11
564 [packet.c]
565 clear old keys on rekeing; ok djm
566 - dtucker@cvs.openbsd.org 2012/09/18 10:36:12
567 [sftp.c]
568 Add bounds check on sftp tab-completion. Part of a patch from from
569 Jean-Marc Robert via tech@, ok djm
570 - dtucker@cvs.openbsd.org 2012/09/21 10:53:07
571 [sftp.c]
572 Fix improper handling of absolute paths when PWD is part of the completed
573 path. Patch from Jean-Marc Robert via tech@, ok djm.
574 - dtucker@cvs.openbsd.org 2012/09/21 10:55:04
575 [sftp.c]
576 Fix handling of filenames containing escaped globbing characters and
577 escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.
578 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
579 [ssh.1]
580 last stage of rfc changes, using consistent Rs/Re blocks, and moving the
581 references into a STANDARDS section;
582 - naddy@cvs.openbsd.org 2012/10/01 13:59:51
583 [monitor_wrap.c]
584 pasto; ok djm@
585 - djm@cvs.openbsd.org 2012/10/02 07:07:45
586 [ssh-keygen.c]
587 fix -z option, broken in revision 1.215
588 - markus@cvs.openbsd.org 2012/10/04 13:21:50
589 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
590 add umac128 variant; ok djm@ at n2k12
591 - dtucker@cvs.openbsd.org 2012/09/06 04:11:07
592 [regress/try-ciphers.sh]
593 Restore missing space. (Id sync only).
594 - dtucker@cvs.openbsd.org 2012/09/09 11:51:25
595 [regress/multiplex.sh]
596 Add test for ssh -Ostop
597 - dtucker@cvs.openbsd.org 2012/09/10 00:49:21
598 [regress/multiplex.sh]
599 Log -O cmd output to the log file and make logging consistent with the
600 other tests. Test clean shutdown of an existing channel when testing
601 "stop".
602 - dtucker@cvs.openbsd.org 2012/09/10 01:51:19
603 [regress/multiplex.sh]
604 use -Ocheck and waiting for completions by PID to make multiplexing test
605 less racy and (hopefully) more reliable on slow hardware.
606 - [Makefile umac.c] Add special-case target to build umac128.o.
607 - [umac.c] Enforce allowed umac output sizes. From djm@.
608 - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom".
609
61020120917
611 - (dtucker) OpenBSD CVS Sync
612 - dtucker@cvs.openbsd.org 2012/09/13 23:37:36
613 [servconf.c]
614 Fix comment line length
615 - markus@cvs.openbsd.org 2012/09/14 16:51:34
616 [sshconnect.c]
617 remove unused variable
618
61920120907
620 - (dtucker) OpenBSD CVS Sync
621 - dtucker@cvs.openbsd.org 2012/09/06 09:50:13
622 [clientloop.c]
623 Make the escape command help (~?) context sensitive so that only commands
624 that will work in the current session are shown. ok markus@
625 - jmc@cvs.openbsd.org 2012/09/06 13:57:42
626 [ssh.1]
627 missing letter in previous;
628 - dtucker@cvs.openbsd.org 2012/09/07 00:30:19
629 [clientloop.c]
630 Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@
631 - dtucker@cvs.openbsd.org 2012/09/07 01:10:21
632 [clientloop.c]
633 Merge escape help text for ~v and ~V; ok djm@
634 - dtucker@cvs.openbsd.org 2012/09/07 06:34:21
635 [clientloop.c]
636 when muxmaster is run with -N, make it shut down gracefully when a client
637 sends it "-O stop" rather than hanging around (bz#1985). ok djm@
638
63920120906
640 - (dtucker) OpenBSD CVS Sync
641 - jmc@cvs.openbsd.org 2012/08/15 18:25:50
642 [ssh-keygen.1]
643 a little more info on certificate validity;
644 requested by Ross L Richardson, and provided by djm
645 - dtucker@cvs.openbsd.org 2012/08/17 00:45:45
646 [clientloop.c clientloop.h mux.c]
647 Force a clean shutdown of ControlMaster client sessions when the ~. escape
648 sequence is used. This means that ~. should now work in mux clients even
649 if the server is no longer responding. Found by tedu, ok djm.
650 - djm@cvs.openbsd.org 2012/08/17 01:22:56
651 [kex.c]
652 add some comments about better handling first-KEX-follows notifications
653 from the server. Nothing uses these right now. No binary change
654 - djm@cvs.openbsd.org 2012/08/17 01:25:58
655 [ssh-keygen.c]
656 print details of which host lines were deleted when using
657 "ssh-keygen -R host"; ok markus@
658 - djm@cvs.openbsd.org 2012/08/17 01:30:00
659 [compat.c sshconnect.c]
660 Send client banner immediately, rather than waiting for the server to
661 move first for SSH protocol 2 connections (the default). Patch based on
662 one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
663 - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
664 [clientloop.c log.c ssh.1 log.h]
665 Add ~v and ~V escape sequences to raise and lower the logging level
666 respectively. Man page help from jmc, ok deraadt jmc
667
66820120830
669 - (dtucker) [moduli] Import new moduli file.
670
120120828 67120120828
2 - (djm) Release openssh-6.1 672 - (djm) Release openssh-6.1
3 673
@@ -172,6 +842,7 @@
172 [dns.c dns.h key.c key.h ssh-keygen.c] 842 [dns.c dns.h key.c key.h ssh-keygen.c]
173 add support for RFC6594 SSHFP DNS records for ECDSA key types. 843 add support for RFC6594 SSHFP DNS records for ECDSA key types.
174 patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ 844 patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
845 (Original authors Ondřej Surý, Ondřej Caletka and Daniel Black)
175 - djm@cvs.openbsd.org 2012/06/01 00:49:35 846 - djm@cvs.openbsd.org 2012/06/01 00:49:35
176 [PROTOCOL.mux] 847 [PROTOCOL.mux]
177 correct types of port numbers (integers, not strings); bz#2004 from 848 correct types of port numbers (integers, not strings); bz#2004 from
diff --git a/INSTALL b/INSTALL
index 7c6046932..576723048 100644
--- a/INSTALL
+++ b/INSTALL
@@ -89,7 +89,7 @@ http://nlnetlabs.nl/projects/ldns/
89Autoconf: 89Autoconf:
90 90
91If you modify configure.ac or configure doesn't exist (eg if you checked 91If you modify configure.ac or configure doesn't exist (eg if you checked
92the code out of CVS yourself) then you will need autoconf-2.61 to rebuild 92the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
93the automatically generated files by running "autoreconf". Earlier 93the automatically generated files by running "autoreconf". Earlier
94versions may also work but this is not guaranteed. 94versions may also work but this is not guaranteed.
95 95
@@ -266,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at
266http://www.openssh.com/ 266http://www.openssh.com/
267 267
268 268
269$Id: INSTALL,v 1.87 2011/11/04 00:25:25 dtucker Exp $ 269$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index 5081c4bf3..dd0502e63 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.326 2012/04/04 01:27:57 djm Exp $ 1# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -37,13 +37,15 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
37 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ 37 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
38 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ 38 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
39 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 39 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
40 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ 40 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
41 41
42CC=@CC@ 42CC=@CC@
43LD=@LD@ 43LD=@LD@
44CFLAGS=@CFLAGS@ 44CFLAGS=@CFLAGS@
45CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ 45CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
46LIBS=@LIBS@ 46LIBS=@LIBS@
47K5LIBS=@K5LIBS@
48GSSLIBS=@GSSLIBS@
47SSHLIBS=@SSHLIBS@ 49SSHLIBS=@SSHLIBS@
48SSHDLIBS=@SSHDLIBS@ 50SSHDLIBS=@SSHDLIBS@
49LIBEDIT=@LIBEDIT@ 51LIBEDIT=@LIBEDIT@
@@ -61,8 +63,8 @@ MANFMT=@MANFMT@
61 63
62TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 64TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
63 65
64LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 66LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
65 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 67 canohost.o channels.o cipher.o cipher-aes.o \
66 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ 68 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
67 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ 69 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
68 log.o match.o md-sha256.o moduli.o nchan.o packet.o \ 70 log.o match.o md-sha256.o moduli.o nchan.o packet.o \
@@ -71,8 +73,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
71 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 73 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
72 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 74 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
73 kexgssc.o \ 75 kexgssc.o \
74 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ 76 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
75 schnorr.o ssh-pkcs11.o 77 jpake.o schnorr.o ssh-pkcs11.o krl.o
76 78
77SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 79SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
78 sshconnect.o sshconnect1.o sshconnect2.o mux.o \ 80 sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -140,10 +142,10 @@ libssh.a: $(LIBSSH_OBJS)
140 $(RANLIB) $@ 142 $(RANLIB) $@
141 143
142ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) 144ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
143 $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) 145 $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
144 146
145sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) 147sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
146 $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) 148 $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
147 149
148scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o 150scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
149 $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 151 $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -196,6 +198,13 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
196moduli: 198moduli:
197 echo 199 echo
198 200
201# special case target for umac128
202umac128.o: umac.c
203 $(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
204 -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
205 -Dumac_update=umac128_update -Dumac_final=umac128_final \
206 -Dumac_delete=umac128_delete
207
199clean: regressclean 208clean: regressclean
200 rm -f *.o *.a $(TARGETS) logintest config.cache config.log 209 rm -f *.o *.a $(TARGETS) logintest config.cache config.log
201 rm -f *.out core survey 210 rm -f *.out core survey
@@ -373,7 +382,12 @@ uninstall:
373 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 382 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
374 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 383 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
375 384
376tests interop-tests: $(TARGETS) 385regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
386 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
387 $(CC) $(CPPFLAGS) -o $@ $? \
388 $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
389
390tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
377 BUILDDIR=`pwd`; \ 391 BUILDDIR=`pwd`; \
378 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ 392 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
379 [ -f `pwd`/regress/Makefile ] || \ 393 [ -f `pwd`/regress/Makefile ] || \
diff --git a/PROTOCOL b/PROTOCOL
index c28196011..48b3a4400 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -51,6 +51,46 @@ and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51curve points encoded using point compression are NOT accepted or 51curve points encoded using point compression are NOT accepted or
52generated. 52generated.
53 53
541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
55
56OpenSSH supports MAC algorithms, whose names contain "-etm", that
57perform the calculations in a different order to that defined in RFC
584253. These variants use the so-called "encrypt then MAC" ordering,
59calculating the MAC over the packet ciphertext rather than the
60plaintext. This ordering closes a security flaw in the SSH transport
61protocol, where decryption of unauthenticated ciphertext provided a
62"decryption oracle" that could, in conjunction with cipher flaws, reveal
63session plaintext.
64
65Specifically, the "-etm" MAC algorithms modify the transport protocol
66to calculate the MAC over the packet ciphertext and to send the packet
67length unencrypted. This is necessary for the transport to obtain the
68length of the packet and location of the MAC tag so that it may be
69verified without decrypting unauthenticated data.
70
71As such, the MAC covers:
72
73 mac = MAC(key, sequence_number || packet_length || encrypted_packet)
74
75where "packet_length" is encoded as a uint32 and "encrypted_packet"
76contains:
77
78 byte padding_length
79 byte[n1] payload; n1 = packet_length - padding_length - 1
80 byte[n2] random padding; n2 = padding_length
81
821.6 transport: AES-GCM
83
84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
85Because of problems with the specification of the key exchange
86the behaviour of OpenSSH differs from the RFC as follows:
87
88AES-GCM is only negotiated as the cipher algorithms
89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
91the exchanged MAC algorithms are ignored and there doesn't have to be
92a matching MAC.
93
542. Connection protocol changes 942. Connection protocol changes
55 95
562.1. connection: Channel write close extension "eow@openssh.com" 962.1. connection: Channel write close extension "eow@openssh.com"
@@ -291,4 +331,4 @@ link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
291This extension is advertised in the SSH_FXP_VERSION hello with version 331This extension is advertised in the SSH_FXP_VERSION hello with version
292"1". 332"1".
293 333
294$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ 334$OpenBSD: PROTOCOL,v 1.20 2013/01/08 18:49:04 markus Exp $
diff --git a/PROTOCOL.agent b/PROTOCOL.agent
index de94d037d..3fcaa14d4 100644
--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@@ -152,7 +152,7 @@ fully specified using just rsa_q, rsa_p and rsa_e at the cost of extra
152computation. 152computation.
153 153
154"key_constraints" may only be present if the request type is 154"key_constraints" may only be present if the request type is
155SSH_AGENTC_ADD_RSA_IDENTITY. 155SSH_AGENTC_ADD_RSA_ID_CONSTRAINED.
156 156
157The agent will reply with a SSH_AGENT_SUCCESS if the key has been 157The agent will reply with a SSH_AGENT_SUCCESS if the key has been
158successfully added or a SSH_AGENT_FAILURE if an error occurred. 158successfully added or a SSH_AGENT_FAILURE if an error occurred.
@@ -557,4 +557,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
557 SSH_AGENT_CONSTRAIN_LIFETIME 1 557 SSH_AGENT_CONSTRAIN_LIFETIME 1
558 SSH_AGENT_CONSTRAIN_CONFIRM 2 558 SSH_AGENT_CONSTRAIN_CONFIRM 2
559 559
560$OpenBSD: PROTOCOL.agent,v 1.6 2010/08/31 11:54:45 djm Exp $ 560$OpenBSD: PROTOCOL.agent,v 1.7 2013/01/02 00:33:49 djm Exp $
diff --git a/PROTOCOL.krl b/PROTOCOL.krl
new file mode 100644
index 000000000..e8caa4527
--- /dev/null
+++ b/PROTOCOL.krl
@@ -0,0 +1,164 @@
1This describes the key/certificate revocation list format for OpenSSH.
2
31. Overall format
4
5The KRL consists of a header and zero or more sections. The header is:
6
7#define KRL_MAGIC 0x5353484b524c0a00ULL /* "SSHKRL\n\0" */
8#define KRL_FORMAT_VERSION 1
9
10 uint64 KRL_MAGIC
11 uint32 KRL_FORMAT_VERSION
12 uint64 krl_version
13 uint64 generated_date
14 uint64 flags
15 string reserved
16 string comment
17
18Where "krl_version" is a version number that increases each time the KRL
19is modified, "generated_date" is the time in seconds since 1970-01-01
2000:00:00 UTC that the KRL was generated, "comment" is an optional comment
21and "reserved" an extension field whose contents are currently ignored.
22No "flags" are currently defined.
23
24Following the header are zero or more sections, each consisting of:
25
26 byte section_type
27 string section_data
28
29Where "section_type" indicates the type of the "section_data". An exception
30to this is the KRL_SECTION_SIGNATURE section, that has a slightly different
31format (see below).
32
33The available section types are:
34
35#define KRL_SECTION_CERTIFICATES 1
36#define KRL_SECTION_EXPLICIT_KEY 2
37#define KRL_SECTION_FINGERPRINT_SHA1 3
38#define KRL_SECTION_SIGNATURE 4
39
403. Certificate serial section
41
42These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
43serial number or key ID. The consist of the CA key that issued the
44certificates to be revoked and a reserved field whose contents is currently
45ignored.
46
47 string ca_key
48 string reserved
49
50Followed by one or more sections:
51
52 byte cert_section_type
53 string cert_section_data
54
55The certificate section types are:
56
57#define KRL_SECTION_CERT_SERIAL_LIST 0x20
58#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
59#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
60#define KRL_SECTION_CERT_KEY_ID 0x23
61
622.1 Certificate serial list section
63
64This section is identified as KRL_SECTION_CERT_SERIAL_LIST. It revokes
65certificates by listing their serial numbers. The cert_section_data in this
66case contains:
67
68 uint64 revoked_cert_serial
69 uint64 ...
70
71This section may appear multiple times.
72
732.2. Certificate serial range section
74
75These sections use type KRL_SECTION_CERT_SERIAL_RANGE and hold
76a range of serial numbers of certificates:
77
78 uint64 serial_min
79 uint64 serial_max
80
81All certificates in the range serial_min <= serial <= serial_max are
82revoked.
83
84This section may appear multiple times.
85
862.3. Certificate serial bitmap section
87
88Bitmap sections use type KRL_SECTION_CERT_SERIAL_BITMAP and revoke keys
89by listing their serial number in a bitmap.
90
91 uint64 serial_offset
92 mpint revoked_keys_bitmap
93
94A bit set at index N in the bitmap corresponds to revocation of a keys with
95serial number (serial_offset + N).
96
97This section may appear multiple times.
98
992.4. Revoked key ID sections
100
101KRL_SECTION_CERT_KEY_ID sections revoke particular certificate "key
102ID" strings. This may be useful in revoking all certificates
103associated with a particular identity, e.g. a host or a user.
104
105 string key_id[0]
106 ...
107
108This section must contain at least one "key_id". This section may appear
109multiple times.
110
1113. Explicit key sections
112
113These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
114(not certificates). They are less space efficient than serial numbers,
115but are able to revoke plain keys.
116
117 string public_key_blob[0]
118 ....
119
120This section must contain at least one "public_key_blob". The blob
121must be a raw key (i.e. not a certificate).
122
123This section may appear multiple times.
124
1254. SHA1 fingerprint sections
126
127These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke
128plain keys (i.e. not certificates) by listing their SHA1 hashes:
129
130 string public_key_hash[0]
131 ....
132
133This section must contain at least one "public_key_hash". The hash blob
134is obtained by taking the SHA1 hash of the public key blob. Hashes in
135this section must appear in numeric order, treating each hash as a big-
136endian integer.
137
138This section may appear multiple times.
139
1405. KRL signature sections
141
142The KRL_SECTION_SIGNATURE section serves a different purpose to the
143preceeding ones: to provide cryptographic authentication of a KRL that
144is retrieved over a channel that does not provide integrity protection.
145Its format is slightly different to the previously-described sections:
146in order to simplify the signature generation, it includes as a "body"
147two string components instead of one.
148
149 byte KRL_SECTION_SIGNATURE
150 string signature_key
151 string signature
152
153The signature is calculated over the entire KRL from the KRL_MAGIC
154to this subsection's "signature_key", including both and using the
155signature generation rules appropriate for the type of "signature_key".
156
157This section must appear last in the KRL. If multiple signature sections
158appear, they must appear consecutively at the end of the KRL file.
159
160Implementations that retrieve KRLs over untrusted channels must verify
161signatures. Signature sections are optional for KRLs distributed by
162trusted means.
163
164$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $
diff --git a/README b/README
index 81cb922be..21dc6e1f7 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
1See http://www.openssh.com/txt/release-6.1 for the release notes. 1See http://www.openssh.com/txt/release-6.2 for the release notes.
2 2
3- A Japanese translation of this document and of the OpenSSH FAQ is 3- A Japanese translation of this document and of the OpenSSH FAQ is
4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html 4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
63[7] http://www.openssh.com/faq.html 63[7] http://www.openssh.com/faq.html
64 64
65$Id: README,v 1.81 2012/08/22 11:57:13 djm Exp $ 65$Id: README,v 1.82 2013/02/26 23:48:19 djm Exp $
diff --git a/acss.c b/acss.c
deleted file mode 100644
index 86e2c01a8..000000000
--- a/acss.c
+++ /dev/null
@@ -1,267 +0,0 @@
1/* $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
2/*
3 * Copyright (c) 2004 The OpenBSD project
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include "includes.h"
19
20#include <string.h>
21
22#include <openssl/evp.h>
23
24#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
25
26#include "acss.h"
27
28/* decryption sbox */
29static unsigned char sboxdec[] = {
30 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
31 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
32 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
33 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
34 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
35 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
36 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
37 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
38 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
39 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
40 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
41 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
42 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
43 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
44 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
45 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
46 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
47 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
48 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
49 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
50 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
51 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
52 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
53 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
54 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
55 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
56 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
57 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
58 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
59 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
60 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
61 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
62};
63
64/* encryption sbox */
65static unsigned char sboxenc[] = {
66 0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
67 0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
68 0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
69 0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
70 0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
71 0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
72 0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
73 0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
74 0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
75 0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
76 0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
77 0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
78 0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
79 0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
80 0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
81 0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
82 0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
83 0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
84 0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
85 0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
86 0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
87 0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
88 0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
89 0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
90 0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
91 0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
92 0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
93 0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
94 0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
95 0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
96 0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
97 0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
98};
99
100static unsigned char reverse[] = {
101 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
102 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
103 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
104 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
105 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
106 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
107 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
108 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
109 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
110 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
111 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
112 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
113 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
114 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
115 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
116 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
117 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
118 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
119 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
120 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
121 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
122 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
123 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
124 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
125 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
126 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
127 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
128 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
129 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
130 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
131 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
132 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
133};
134
135/*
136 * Two linear feedback shift registers are used:
137 *
138 * lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier)
139 * x^15 + x + 1
140 * lfsr25: polynomial of degree 25, not know if primitive modulo 2
141 * x^13 + x^5 + x^4 + x^1 + 1
142 *
143 * Output bits are discarded, instead the feedback bits are added to produce
144 * the cipher stream. Depending on the mode, feedback bytes may be inverted
145 * bit-wise before addition.
146 *
147 * The lfsrs are seeded with bytes from the raw key:
148 *
149 * lfsr17: byte 0[0:7] at bit 9
150 * byte 1[0:7] at bit 0
151 *
152 * lfsr25: byte 2[0:4] at bit 16
153 * byte 2[5:7] at bit 22
154 * byte 3[0:7] at bit 8
155 * byte 4[0:7] at bit 0
156 *
157 * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
158 * lfsr25.
159 *
160 */
161
162int
163acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
164 unsigned char *out)
165{
166 unsigned long i;
167 unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
168
169 lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
170
171 /* keystream is sum of lfsrs */
172 for (i = 0; i < len; i++) {
173 lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
174 key->lfsr17 = (key->lfsr17 >> 8)
175 ^ (lfsr17tmp << 9)
176 ^ (lfsr17tmp << 12)
177 ^ (lfsr17tmp << 15);
178 key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */
179
180 lfsr25tmp = key->lfsr25
181 ^ (key->lfsr25 >> 3)
182 ^ (key->lfsr25 >> 4)
183 ^ (key->lfsr25 >> 12);
184 key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
185 key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */
186
187 lfsrsumtmp = key->lfsrsum;
188
189 /* addition */
190 switch (key->mode) {
191 case ACSS_AUTHENTICATE:
192 case ACSS_DATA:
193 key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
194 key->lfsrsum += key->lfsr25 >> 17;
195 break;
196 case ACSS_SESSIONKEY:
197 key->lfsrsum = key->lfsr17 >> 9;
198 key->lfsrsum += key->lfsr25 >> 17;
199 break;
200 case ACSS_TITLEKEY:
201 key->lfsrsum = key->lfsr17 >> 9;
202 key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
203 break;
204 default:
205 return 1;
206 }
207 key->lfsrsum += (lfsrsumtmp >> 8);
208
209 if (key->encrypt) {
210 out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
211 } else {
212 out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
213 }
214 }
215
216 return 0;
217}
218
219static void
220acss_seed(ACSS_KEY *key)
221{
222 int i;
223
224 /* if available, mangle with subkey */
225 if (key->subkey_avilable) {
226 for (i = 0; i < ACSS_KEYSIZE; i++)
227 key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
228 } else {
229 for (i = 0; i < ACSS_KEYSIZE; i++)
230 key->seed[i] = reverse[key->data[i]];
231 }
232
233 /* seed lfsrs */
234 key->lfsr17 = key->seed[1]
235 | (key->seed[0] << 9)
236 | (1 << 8); /* inject 1 at bit 9 */
237 key->lfsr25 = key->seed[4]
238 | (key->seed[3] << 8)
239 | ((key->seed[2] & 0x1f) << 16)
240 | ((key->seed[2] & 0xe0) << 17)
241 | (1 << 21); /* inject 1 at bit 22 */
242
243 key->lfsrsum = 0;
244}
245
246void
247acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
248{
249 memcpy(key->data, data, sizeof(key->data));
250 memset(key->subkey, 0, sizeof(key->subkey));
251
252 if (enc != -1)
253 key->encrypt = enc;
254 key->mode = mode;
255 key->subkey_avilable = 0;
256
257 acss_seed(key);
258}
259
260void
261acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
262{
263 memcpy(key->subkey, subkey, sizeof(key->subkey));
264 key->subkey_avilable = 1;
265 acss_seed(key);
266}
267#endif
diff --git a/acss.h b/acss.h
deleted file mode 100644
index 91b489542..000000000
--- a/acss.h
+++ /dev/null
@@ -1,47 +0,0 @@
1/* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
2/*
3 * Copyright (c) 2004 The OpenBSD project
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#ifndef _ACSS_H_
19#define _ACSS_H_
20
21/* 40bit key */
22#define ACSS_KEYSIZE 5
23
24/* modes of acss */
25#define ACSS_AUTHENTICATE 0
26#define ACSS_SESSIONKEY 1
27#define ACSS_TITLEKEY 2
28#define ACSS_DATA 3
29
30typedef struct acss_key_st {
31 unsigned int lfsr17; /* current state of lfsrs */
32 unsigned int lfsr25;
33 unsigned int lfsrsum;
34 unsigned char seed[ACSS_KEYSIZE];
35 unsigned char data[ACSS_KEYSIZE];
36 unsigned char subkey[ACSS_KEYSIZE];
37 int encrypt; /* XXX make these bit flags? */
38 int mode;
39 int seeded;
40 int subkey_avilable;
41} ACSS_KEY;
42
43void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
44void acss_setsubkey(ACSS_KEY *, const unsigned char *);
45int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
46
47#endif /* ifndef _ACSS_H_ */
diff --git a/auth-options.c b/auth-options.c
index 0e67bd8c0..23d0423e1 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -349,7 +349,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
349 xfree(patterns); 349 xfree(patterns);
350 goto bad_option; 350 goto bad_option;
351 } 351 }
352 if (options.allow_tcp_forwarding) 352 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
353 channel_add_permitted_opens(host, port); 353 channel_add_permitted_opens(host, port);
354 xfree(patterns); 354 xfree(patterns);
355 goto next_option; 355 goto next_option;
diff --git a/auth-rsa.c b/auth-rsa.c
index 4ab46cd51..2c8a7cb35 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-rsa.c,v 1.80 2011/05/23 03:30:07 djm Exp $ */ 1/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -276,6 +276,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
276 temporarily_use_uid(pw); 276 temporarily_use_uid(pw);
277 277
278 for (i = 0; !allowed && i < options.num_authkeys_files; i++) { 278 for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
279 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
280 continue;
279 file = expand_authorized_keys( 281 file = expand_authorized_keys(
280 options.authorized_keys_files[i], pw); 282 options.authorized_keys_files[i], pw);
281 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); 283 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
diff --git a/auth.c b/auth.c
index a8cffd5c1..6128fa460 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.96 2012/05/13 01:42:32 dtucker Exp $ */ 1/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -71,6 +71,7 @@
71#endif 71#endif
72#include "authfile.h" 72#include "authfile.h"
73#include "monitor_wrap.h" 73#include "monitor_wrap.h"
74#include "krl.h"
74 75
75/* import */ 76/* import */
76extern ServerOptions options; 77extern ServerOptions options;
@@ -251,7 +252,8 @@ allowed_user(struct passwd * pw)
251} 252}
252 253
253void 254void
254auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) 255auth_log(Authctxt *authctxt, int authenticated, int partial,
256 const char *method, const char *submethod, const char *info)
255{ 257{
256 void (*authlog) (const char *fmt,...) = verbose; 258 void (*authlog) (const char *fmt,...) = verbose;
257 char *authmsg; 259 char *authmsg;
@@ -268,12 +270,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
268 270
269 if (authctxt->postponed) 271 if (authctxt->postponed)
270 authmsg = "Postponed"; 272 authmsg = "Postponed";
273 else if (partial)
274 authmsg = "Partial";
271 else 275 else
272 authmsg = authenticated ? "Accepted" : "Failed"; 276 authmsg = authenticated ? "Accepted" : "Failed";
273 277
274 authlog("%s %s for %s%.100s from %.200s port %d%s", 278 authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
275 authmsg, 279 authmsg,
276 method, 280 method,
281 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
277 authctxt->valid ? "" : "invalid user ", 282 authctxt->valid ? "" : "invalid user ",
278 authctxt->user, 283 authctxt->user,
279 get_remote_ipaddr(), 284 get_remote_ipaddr(),
@@ -303,7 +308,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
303 * Check whether root logins are disallowed. 308 * Check whether root logins are disallowed.
304 */ 309 */
305int 310int
306auth_root_allowed(char *method) 311auth_root_allowed(const char *method)
307{ 312{
308 switch (options.permit_root_login) { 313 switch (options.permit_root_login) {
309 case PERMIT_YES: 314 case PERMIT_YES:
@@ -409,41 +414,42 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
409 return host_status; 414 return host_status;
410} 415}
411 416
412
413/* 417/*
414 * Check a given file for security. This is defined as all components 418 * Check a given path for security. This is defined as all components
415 * of the path to the file must be owned by either the owner of 419 * of the path to the file must be owned by either the owner of
416 * of the file or root and no directories must be group or world writable. 420 * of the file or root and no directories must be group or world writable.
417 * 421 *
418 * XXX Should any specific check be done for sym links ? 422 * XXX Should any specific check be done for sym links ?
419 * 423 *
420 * Takes an open file descriptor, the file name, a uid and and 424 * Takes a file name, its stat information (preferably from fstat() to
425 * avoid races), the uid of the expected owner, their home directory and an
421 * error buffer plus max size as arguments. 426 * error buffer plus max size as arguments.
422 * 427 *
423 * Returns 0 on success and -1 on failure 428 * Returns 0 on success and -1 on failure
424 */ 429 */
425static int 430int
426secure_filename(FILE *f, const char *file, struct passwd *pw, 431auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
427 char *err, size_t errlen) 432 uid_t uid, char *err, size_t errlen)
428{ 433{
429 uid_t uid = pw->pw_uid;
430 char buf[MAXPATHLEN], homedir[MAXPATHLEN]; 434 char buf[MAXPATHLEN], homedir[MAXPATHLEN];
431 char *cp; 435 char *cp;
432 int comparehome = 0; 436 int comparehome = 0;
433 struct stat st; 437 struct stat st;
434 438
435 if (realpath(file, buf) == NULL) { 439 if (realpath(name, buf) == NULL) {
436 snprintf(err, errlen, "realpath %s failed: %s", file, 440 snprintf(err, errlen, "realpath %s failed: %s", name,
437 strerror(errno)); 441 strerror(errno));
438 return -1; 442 return -1;
439 } 443 }
440 if (realpath(pw->pw_dir, homedir) != NULL) 444 if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
441 comparehome = 1; 445 comparehome = 1;
442 446
443 /* check the open file to avoid races */ 447 if (!S_ISREG(stp->st_mode)) {
444 if (fstat(fileno(f), &st) < 0 || 448 snprintf(err, errlen, "%s is not a regular file", buf);
445 (st.st_uid != 0 && st.st_uid != uid) || 449 return -1;
446 (st.st_mode & 022) != 0) { 450 }
451 if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
452 (stp->st_mode & 022) != 0) {
447 snprintf(err, errlen, "bad ownership or modes for file %s", 453 snprintf(err, errlen, "bad ownership or modes for file %s",
448 buf); 454 buf);
449 return -1; 455 return -1;
@@ -458,7 +464,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
458 strlcpy(buf, cp, sizeof(buf)); 464 strlcpy(buf, cp, sizeof(buf));
459 465
460 if (stat(buf, &st) < 0 || 466 if (stat(buf, &st) < 0 ||
461 (st.st_uid != 0 && st.st_uid != uid) || 467 (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
462 (st.st_mode & 022) != 0) { 468 (st.st_mode & 022) != 0) {
463 snprintf(err, errlen, 469 snprintf(err, errlen,
464 "bad ownership or modes for directory %s", buf); 470 "bad ownership or modes for directory %s", buf);
@@ -479,6 +485,27 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
479 return 0; 485 return 0;
480} 486}
481 487
488/*
489 * Version of secure_path() that accepts an open file descriptor to
490 * avoid races.
491 *
492 * Returns 0 on success and -1 on failure
493 */
494static int
495secure_filename(FILE *f, const char *file, struct passwd *pw,
496 char *err, size_t errlen)
497{
498 struct stat st;
499
500 /* check the open file to avoid races */
501 if (fstat(fileno(f), &st) < 0) {
502 snprintf(err, errlen, "cannot stat file %s: %s",
503 file, strerror(errno));
504 return -1;
505 }
506 return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
507}
508
482static FILE * 509static FILE *
483auth_openfile(const char *file, struct passwd *pw, int strict_modes, 510auth_openfile(const char *file, struct passwd *pw, int strict_modes,
484 int log_missing, char *file_type) 511 int log_missing, char *file_type)
@@ -614,7 +641,16 @@ auth_key_is_revoked(Key *key)
614 641
615 if (options.revoked_keys_file == NULL) 642 if (options.revoked_keys_file == NULL)
616 return 0; 643 return 0;
617 644 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
645 case 0:
646 return 0; /* Not revoked */
647 case -2:
648 break; /* Not a KRL */
649 default:
650 goto revoked;
651 }
652 debug3("%s: treating %s as a key list", __func__,
653 options.revoked_keys_file);
618 switch (key_in_file(key, options.revoked_keys_file, 0)) { 654 switch (key_in_file(key, options.revoked_keys_file, 0)) {
619 case 0: 655 case 0:
620 /* key not revoked */ 656 /* key not revoked */
@@ -625,6 +661,7 @@ auth_key_is_revoked(Key *key)
625 "authentication"); 661 "authentication");
626 return 1; 662 return 1;
627 case 1: 663 case 1:
664 revoked:
628 /* Key revoked */ 665 /* Key revoked */
629 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 666 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
630 error("WARNING: authentication attempt with a revoked " 667 error("WARNING: authentication attempt with a revoked "
diff --git a/auth.h b/auth.h
index 0d786c4d5..c6fe84722 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.69 2011/05/23 03:30:07 djm Exp $ */ 1/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -64,6 +64,8 @@ struct Authctxt {
64#ifdef BSD_AUTH 64#ifdef BSD_AUTH
65 auth_session_t *as; 65 auth_session_t *as;
66#endif 66#endif
67 char **auth_methods; /* modified from server config */
68 u_int num_auth_methods;
67#ifdef KRB5 69#ifdef KRB5
68 krb5_context krb5_ctx; 70 krb5_context krb5_ctx;
69 krb5_ccache krb5_fwd_ccache; 71 krb5_ccache krb5_fwd_ccache;
@@ -120,6 +122,10 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
120int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 122int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
121int user_key_allowed(struct passwd *, Key *); 123int user_key_allowed(struct passwd *, Key *);
122 124
125struct stat;
126int auth_secure_path(const char *, struct stat *, const char *, uid_t,
127 char *, size_t);
128
123#ifdef KRB5 129#ifdef KRB5
124int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); 130int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
125int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); 131int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
@@ -142,12 +148,17 @@ void disable_forwarding(void);
142void do_authentication(Authctxt *); 148void do_authentication(Authctxt *);
143void do_authentication2(Authctxt *); 149void do_authentication2(Authctxt *);
144 150
145void auth_log(Authctxt *, int, char *, char *); 151void auth_log(Authctxt *, int, int, const char *, const char *,
146void userauth_finish(Authctxt *, int, char *); 152 const char *);
153void userauth_finish(Authctxt *, int, const char *, const char *);
154int auth_root_allowed(const char *);
155
147void userauth_send_banner(const char *); 156void userauth_send_banner(const char *);
148int auth_root_allowed(char *);
149 157
150char *auth2_read_banner(void); 158char *auth2_read_banner(void);
159int auth2_methods_valid(const char *, int);
160int auth2_update_methods_lists(Authctxt *, const char *);
161int auth2_setup_methods_lists(Authctxt *);
151 162
152void privsep_challenge_enable(void); 163void privsep_challenge_enable(void);
153 164
diff --git a/auth1.c b/auth1.c
index cc85aec74..6eea8d81e 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth1.c,v 1.75 2010/08/31 09:58:37 djm Exp $ */ 1/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt)
253 if (options.use_pam && (PRIVSEP(do_pam_account()))) 253 if (options.use_pam && (PRIVSEP(do_pam_account())))
254#endif 254#endif
255 { 255 {
256 auth_log(authctxt, 1, "without authentication", ""); 256 auth_log(authctxt, 1, 0, "without authentication",
257 NULL, "");
257 return; 258 return;
258 } 259 }
259 } 260 }
@@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt)
352 353
353 skip: 354 skip:
354 /* Log before sending the reply */ 355 /* Log before sending the reply */
355 auth_log(authctxt, authenticated, get_authname(type), info); 356 auth_log(authctxt, authenticated, 0, get_authname(type),
357 NULL, info);
356 358
357 if (client_user != NULL) { 359 if (client_user != NULL) {
358 xfree(client_user); 360 xfree(client_user);
@@ -406,6 +408,11 @@ do_authentication(Authctxt *authctxt)
406 authctxt->pw = fakepw(); 408 authctxt->pw = fakepw();
407 } 409 }
408 410
411 /* Configuration may have changed as a result of Match */
412 if (options.num_auth_methods != 0)
413 fatal("AuthenticationMethods is not supported with SSH "
414 "protocol 1");
415
409 setproctitle("%s%s", authctxt->valid ? user : "unknown", 416 setproctitle("%s%s", authctxt->valid ? user : "unknown",
410 use_privsep ? " [net]" : ""); 417 use_privsep ? " [net]" : "");
411 418
diff --git a/auth2-chall.c b/auth2-chall.c
index e6dbffe22..6505d4009 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */ 1/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved. 4 * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -283,7 +283,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
283 KbdintAuthctxt *kbdintctxt; 283 KbdintAuthctxt *kbdintctxt;
284 int authenticated = 0, res; 284 int authenticated = 0, res;
285 u_int i, nresp; 285 u_int i, nresp;
286 char **response = NULL, *method; 286 const char *devicename = NULL;
287 char **response = NULL;
287 288
288 if (authctxt == NULL) 289 if (authctxt == NULL)
289 fatal("input_userauth_info_response: no authctxt"); 290 fatal("input_userauth_info_response: no authctxt");
@@ -329,9 +330,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
329 /* Failure! */ 330 /* Failure! */
330 break; 331 break;
331 } 332 }
332 333 devicename = kbdintctxt->device->name;
333 xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name);
334
335 if (!authctxt->postponed) { 334 if (!authctxt->postponed) {
336 if (authenticated) { 335 if (authenticated) {
337 auth2_challenge_stop(authctxt); 336 auth2_challenge_stop(authctxt);
@@ -341,8 +340,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
341 auth2_challenge_start(authctxt); 340 auth2_challenge_start(authctxt);
342 } 341 }
343 } 342 }
344 userauth_finish(authctxt, authenticated, method); 343 userauth_finish(authctxt, authenticated, "keyboard-interactive",
345 xfree(method); 344 devicename);
346} 345}
347 346
348void 347void
diff --git a/auth2-gss.c b/auth2-gss.c
index 7dc87dba4..17d4a3a84 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ 1/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -197,7 +197,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
197 } 197 }
198 authctxt->postponed = 0; 198 authctxt->postponed = 0;
199 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 199 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
200 userauth_finish(authctxt, 0, "gssapi-with-mic"); 200 userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
201 } else { 201 } else {
202 if (send_tok.length != 0) { 202 if (send_tok.length != 0) {
203 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 203 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -286,7 +286,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
286 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 286 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
287 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 287 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
288 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 288 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
289 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 289 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
290} 290}
291 291
292static void 292static void
@@ -327,7 +327,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
327 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 327 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
328 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 328 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
329 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 329 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
330 userauth_finish(authctxt, authenticated, "gssapi-with-mic"); 330 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
331} 331}
332 332
333Authmethod method_gsskeyex = { 333Authmethod method_gsskeyex = {
diff --git a/auth2-jpake.c b/auth2-jpake.c
index a460e8216..ed0eba47b 100644
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2008 Damien Miller. All rights reserved. 3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 * 4 *
@@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
556 authctxt->postponed = 0; 556 authctxt->postponed = 0;
557 jpake_free(authctxt->jpake_ctx); 557 jpake_free(authctxt->jpake_ctx);
558 authctxt->jpake_ctx = NULL; 558 authctxt->jpake_ctx = NULL;
559 userauth_finish(authctxt, authenticated, method_jpake.name); 559 userauth_finish(authctxt, authenticated, method_jpake.name, NULL);
560} 560}
561 561
562#endif /* JPAKE */ 562#endif /* JPAKE */
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 5bccb5d76..3ff6faa8b 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -27,9 +27,15 @@
27 27
28#include <sys/types.h> 28#include <sys/types.h>
29#include <sys/stat.h> 29#include <sys/stat.h>
30#include <sys/wait.h>
30 31
32#include <errno.h>
31#include <fcntl.h> 33#include <fcntl.h>
34#ifdef HAVE_PATHS_H
35# include <paths.h>
36#endif
32#include <pwd.h> 37#include <pwd.h>
38#include <signal.h>
33#include <stdio.h> 39#include <stdio.h>
34#include <stdarg.h> 40#include <stdarg.h>
35#include <string.h> 41#include <string.h>
@@ -240,7 +246,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
240 if (strcmp(cp, cert->principals[i]) == 0) { 246 if (strcmp(cp, cert->principals[i]) == 0) {
241 debug3("matched principal \"%.100s\" " 247 debug3("matched principal \"%.100s\" "
242 "from file \"%s\" on line %lu", 248 "from file \"%s\" on line %lu",
243 cert->principals[i], file, linenum); 249 cert->principals[i], file, linenum);
244 if (auth_parse_options(pw, line_opts, 250 if (auth_parse_options(pw, line_opts,
245 file, linenum) != 1) 251 file, linenum) != 1)
246 continue; 252 continue;
@@ -253,31 +259,22 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
253 fclose(f); 259 fclose(f);
254 restore_uid(); 260 restore_uid();
255 return 0; 261 return 0;
256} 262}
257 263
258/* return 1 if user allows given key */ 264/*
265 * Checks whether key is allowed in authorized_keys-format file,
266 * returns 1 if the key is allowed or 0 otherwise.
267 */
259static int 268static int
260user_key_allowed2(struct passwd *pw, Key *key, char *file) 269check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
261{ 270{
262 char line[SSH_MAX_PUBKEY_BYTES]; 271 char line[SSH_MAX_PUBKEY_BYTES];
263 const char *reason; 272 const char *reason;
264 int found_key = 0; 273 int found_key = 0;
265 FILE *f;
266 u_long linenum = 0; 274 u_long linenum = 0;
267 Key *found; 275 Key *found;
268 char *fp; 276 char *fp;
269 277
270 /* Temporarily use the user's uid. */
271 temporarily_use_uid(pw);
272
273 debug("trying public key file %s", file);
274 f = auth_openkeyfile(file, pw, options.strict_modes);
275
276 if (!f) {
277 restore_uid();
278 return 0;
279 }
280
281 found_key = 0; 278 found_key = 0;
282 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); 279 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
283 280
@@ -370,8 +367,6 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
370 break; 367 break;
371 } 368 }
372 } 369 }
373 restore_uid();
374 fclose(f);
375 key_free(found); 370 key_free(found);
376 if (!found_key) 371 if (!found_key)
377 debug2("key not found"); 372 debug2("key not found");
@@ -433,7 +428,180 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
433 return ret; 428 return ret;
434} 429}
435 430
436/* check whether given key is in .ssh/authorized_keys* */ 431/*
432 * Checks whether key is allowed in file.
433 * returns 1 if the key is allowed or 0 otherwise.
434 */
435static int
436user_key_allowed2(struct passwd *pw, Key *key, char *file)
437{
438 FILE *f;
439 int found_key = 0;
440
441 /* Temporarily use the user's uid. */
442 temporarily_use_uid(pw);
443
444 debug("trying public key file %s", file);
445 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) {
446 found_key = check_authkeys_file(f, file, key, pw);
447 fclose(f);
448 }
449
450 restore_uid();
451 return found_key;
452}
453
454/*
455 * Checks whether key is allowed in output of command.
456 * returns 1 if the key is allowed or 0 otherwise.
457 */
458static int
459user_key_command_allowed2(struct passwd *user_pw, Key *key)
460{
461 FILE *f;
462 int ok, found_key = 0;
463 struct passwd *pw;
464 struct stat st;
465 int status, devnull, p[2], i;
466 pid_t pid;
467 char *username, errmsg[512];
468
469 if (options.authorized_keys_command == NULL ||
470 options.authorized_keys_command[0] != '/')
471 return 0;
472
473 if (options.authorized_keys_command_user == NULL) {
474 error("No user for AuthorizedKeysCommand specified, skipping");
475 return 0;
476 }
477
478 username = percent_expand(options.authorized_keys_command_user,
479 "u", user_pw->pw_name, (char *)NULL);
480 pw = getpwnam(username);
481 if (pw == NULL) {
482 error("AuthorizedKeysCommandUser \"%s\" not found: %s",
483 username, strerror(errno));
484 free(username);
485 return 0;
486 }
487 free(username);
488
489 temporarily_use_uid(pw);
490
491 if (stat(options.authorized_keys_command, &st) < 0) {
492 error("Could not stat AuthorizedKeysCommand \"%s\": %s",
493 options.authorized_keys_command, strerror(errno));
494 goto out;
495 }
496 if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
497 errmsg, sizeof(errmsg)) != 0) {
498 error("Unsafe AuthorizedKeysCommand: %s", errmsg);
499 goto out;
500 }
501
502 if (pipe(p) != 0) {
503 error("%s: pipe: %s", __func__, strerror(errno));
504 goto out;
505 }
506
507 debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
508 options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
509
510 /*
511 * Don't want to call this in the child, where it can fatal() and
512 * run cleanup_exit() code.
513 */
514 restore_uid();
515
516 switch ((pid = fork())) {
517 case -1: /* error */
518 error("%s: fork: %s", __func__, strerror(errno));
519 close(p[0]);
520 close(p[1]);
521 return 0;
522 case 0: /* child */
523 for (i = 0; i < NSIG; i++)
524 signal(i, SIG_DFL);
525
526 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
527 error("%s: open %s: %s", __func__, _PATH_DEVNULL,
528 strerror(errno));
529 _exit(1);
530 }
531 /* Keep stderr around a while longer to catch errors */
532 if (dup2(devnull, STDIN_FILENO) == -1 ||
533 dup2(p[1], STDOUT_FILENO) == -1) {
534 error("%s: dup2: %s", __func__, strerror(errno));
535 _exit(1);
536 }
537 closefrom(STDERR_FILENO + 1);
538
539 /* Don't use permanently_set_uid() here to avoid fatal() */
540 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
541 error("setresgid %u: %s", (u_int)pw->pw_gid,
542 strerror(errno));
543 _exit(1);
544 }
545 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) {
546 error("setresuid %u: %s", (u_int)pw->pw_uid,
547 strerror(errno));
548 _exit(1);
549 }
550 /* stdin is pointed to /dev/null at this point */
551 if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
552 error("%s: dup2: %s", __func__, strerror(errno));
553 _exit(1);
554 }
555
556 execl(options.authorized_keys_command,
557 options.authorized_keys_command, user_pw->pw_name, NULL);
558
559 error("AuthorizedKeysCommand %s exec failed: %s",
560 options.authorized_keys_command, strerror(errno));
561 _exit(127);
562 default: /* parent */
563 break;
564 }
565
566 temporarily_use_uid(pw);
567
568 close(p[1]);
569 if ((f = fdopen(p[0], "r")) == NULL) {
570 error("%s: fdopen: %s", __func__, strerror(errno));
571 close(p[0]);
572 /* Don't leave zombie child */
573 kill(pid, SIGTERM);
574 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
575 ;
576 goto out;
577 }
578 ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
579 fclose(f);
580
581 while (waitpid(pid, &status, 0) == -1) {
582 if (errno != EINTR) {
583 error("%s: waitpid: %s", __func__, strerror(errno));
584 goto out;
585 }
586 }
587 if (WIFSIGNALED(status)) {
588 error("AuthorizedKeysCommand %s exited on signal %d",
589 options.authorized_keys_command, WTERMSIG(status));
590 goto out;
591 } else if (WEXITSTATUS(status) != 0) {
592 error("AuthorizedKeysCommand %s returned status %d",
593 options.authorized_keys_command, WEXITSTATUS(status));
594 goto out;
595 }
596 found_key = ok;
597 out:
598 restore_uid();
599 return found_key;
600}
601
602/*
603 * Check whether key authenticates and authorises the user.
604 */
437int 605int
438user_key_allowed(struct passwd *pw, Key *key) 606user_key_allowed(struct passwd *pw, Key *key)
439{ 607{
@@ -449,9 +617,17 @@ user_key_allowed(struct passwd *pw, Key *key)
449 if (success) 617 if (success)
450 return success; 618 return success;
451 619
620 success = user_key_command_allowed2(pw, key);
621 if (success > 0)
622 return success;
623
452 for (i = 0; !success && i < options.num_authkeys_files; i++) { 624 for (i = 0; !success && i < options.num_authkeys_files; i++) {
625
626 if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
627 continue;
453 file = expand_authorized_keys( 628 file = expand_authorized_keys(
454 options.authorized_keys_files[i], pw); 629 options.authorized_keys_files[i], pw);
630
455 success = user_key_allowed2(pw, key, file); 631 success = user_key_allowed2(pw, key, file);
456 xfree(file); 632 xfree(file);
457 } 633 }
diff --git a/auth2.c b/auth2.c
index 4313e9f26..d25940036 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */ 1/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -98,8 +98,10 @@ static void input_service_request(int, u_int32_t, void *);
98static void input_userauth_request(int, u_int32_t, void *); 98static void input_userauth_request(int, u_int32_t, void *);
99 99
100/* helper */ 100/* helper */
101static Authmethod *authmethod_lookup(const char *); 101static Authmethod *authmethod_lookup(Authctxt *, const char *);
102static char *authmethods_get(void); 102static char *authmethods_get(Authctxt *authctxt);
103static int method_allowed(Authctxt *, const char *);
104static int list_starts_with(const char *, const char *);
103 105
104char * 106char *
105auth2_read_banner(void) 107auth2_read_banner(void)
@@ -257,6 +259,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
257 if (use_privsep) 259 if (use_privsep)
258 mm_inform_authserv(service, style); 260 mm_inform_authserv(service, style);
259 userauth_banner(); 261 userauth_banner();
262 if (auth2_setup_methods_lists(authctxt) != 0)
263 packet_disconnect("no authentication methods enabled");
260 } else if (strcmp(user, authctxt->user) != 0 || 264 } else if (strcmp(user, authctxt->user) != 0 ||
261 strcmp(service, authctxt->service) != 0) { 265 strcmp(service, authctxt->service) != 0) {
262 packet_disconnect("Change of username or service not allowed: " 266 packet_disconnect("Change of username or service not allowed: "
@@ -279,12 +283,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
279 authctxt->server_caused_failure = 0; 283 authctxt->server_caused_failure = 0;
280 284
281 /* try to authenticate user */ 285 /* try to authenticate user */
282 m = authmethod_lookup(method); 286 m = authmethod_lookup(authctxt, method);
283 if (m != NULL && authctxt->failures < options.max_authtries) { 287 if (m != NULL && authctxt->failures < options.max_authtries) {
284 debug2("input_userauth_request: try method %s", method); 288 debug2("input_userauth_request: try method %s", method);
285 authenticated = m->userauth(authctxt); 289 authenticated = m->userauth(authctxt);
286 } 290 }
287 userauth_finish(authctxt, authenticated, method); 291 userauth_finish(authctxt, authenticated, method, NULL);
288 292
289 xfree(service); 293 xfree(service);
290 xfree(user); 294 xfree(user);
@@ -292,13 +296,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
292} 296}
293 297
294void 298void
295userauth_finish(Authctxt *authctxt, int authenticated, char *method) 299userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
300 const char *submethod)
296{ 301{
297 char *methods; 302 char *methods;
303 int partial = 0;
298 304
299 if (!authctxt->valid && authenticated) 305 if (!authctxt->valid && authenticated)
300 fatal("INTERNAL ERROR: authenticated invalid user %s", 306 fatal("INTERNAL ERROR: authenticated invalid user %s",
301 authctxt->user); 307 authctxt->user);
308 if (authenticated && authctxt->postponed)
309 fatal("INTERNAL ERROR: authenticated and postponed");
302 310
303 /* Special handling for root */ 311 /* Special handling for root */
304 if (authenticated && authctxt->pw->pw_uid == 0 && 312 if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -309,6 +317,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
309#endif 317#endif
310 } 318 }
311 319
320 if (authenticated && options.num_auth_methods != 0) {
321 if (!auth2_update_methods_lists(authctxt, method)) {
322 authenticated = 0;
323 partial = 1;
324 }
325 }
326
327 /* Log before sending the reply */
328 auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
329
330 if (authctxt->postponed)
331 return;
332
312#ifdef USE_PAM 333#ifdef USE_PAM
313 if (options.use_pam && authenticated) { 334 if (options.use_pam && authenticated) {
314 if (!PRIVSEP(do_pam_account())) { 335 if (!PRIVSEP(do_pam_account())) {
@@ -327,17 +348,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
327#ifdef _UNICOS 348#ifdef _UNICOS
328 if (authenticated && cray_access_denied(authctxt->user)) { 349 if (authenticated && cray_access_denied(authctxt->user)) {
329 authenticated = 0; 350 authenticated = 0;
330 fatal("Access denied for user %s.",authctxt->user); 351 fatal("Access denied for user %s.", authctxt->user);
331 } 352 }
332#endif /* _UNICOS */ 353#endif /* _UNICOS */
333 354
334 /* Log before sending the reply */
335 auth_log(authctxt, authenticated, method, " ssh2");
336
337 if (authctxt->postponed)
338 return;
339
340 /* XXX todo: check if multiple auth methods are needed */
341 if (authenticated == 1) { 355 if (authenticated == 1) {
342 /* turn off userauth */ 356 /* turn off userauth */
343 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 357 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -358,34 +372,61 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
358#endif 372#endif
359 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 373 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
360 } 374 }
361 methods = authmethods_get(); 375 methods = authmethods_get(authctxt);
376 debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
377 partial, methods);
362 packet_start(SSH2_MSG_USERAUTH_FAILURE); 378 packet_start(SSH2_MSG_USERAUTH_FAILURE);
363 packet_put_cstring(methods); 379 packet_put_cstring(methods);
364 packet_put_char(0); /* XXX partial success, unused */ 380 packet_put_char(partial);
365 packet_send(); 381 packet_send();
366 packet_write_wait(); 382 packet_write_wait();
367 xfree(methods); 383 xfree(methods);
368 } 384 }
369} 385}
370 386
387/*
388 * Checks whether method is allowed by at least one AuthenticationMethods
389 * methods list. Returns 1 if allowed, or no methods lists configured.
390 * 0 otherwise.
391 */
392static int
393method_allowed(Authctxt *authctxt, const char *method)
394{
395 u_int i;
396
397 /*
398 * NB. authctxt->num_auth_methods might be zero as a result of
399 * auth2_setup_methods_lists(), so check the configuration.
400 */
401 if (options.num_auth_methods == 0)
402 return 1;
403 for (i = 0; i < authctxt->num_auth_methods; i++) {
404 if (list_starts_with(authctxt->auth_methods[i], method))
405 return 1;
406 }
407 return 0;
408}
409
371static char * 410static char *
372authmethods_get(void) 411authmethods_get(Authctxt *authctxt)
373{ 412{
374 Buffer b; 413 Buffer b;
375 char *list; 414 char *list;
376 int i; 415 u_int i;
377 416
378 buffer_init(&b); 417 buffer_init(&b);
379 for (i = 0; authmethods[i] != NULL; i++) { 418 for (i = 0; authmethods[i] != NULL; i++) {
380 if (strcmp(authmethods[i]->name, "none") == 0) 419 if (strcmp(authmethods[i]->name, "none") == 0)
381 continue; 420 continue;
382 if (authmethods[i]->enabled != NULL && 421 if (authmethods[i]->enabled == NULL ||
383 *(authmethods[i]->enabled) != 0) { 422 *(authmethods[i]->enabled) == 0)
384 if (buffer_len(&b) > 0) 423 continue;
385 buffer_append(&b, ",", 1); 424 if (!method_allowed(authctxt, authmethods[i]->name))
386 buffer_append(&b, authmethods[i]->name, 425 continue;
387 strlen(authmethods[i]->name)); 426 if (buffer_len(&b) > 0)
388 } 427 buffer_append(&b, ",", 1);
428 buffer_append(&b, authmethods[i]->name,
429 strlen(authmethods[i]->name));
389 } 430 }
390 buffer_append(&b, "\0", 1); 431 buffer_append(&b, "\0", 1);
391 list = xstrdup(buffer_ptr(&b)); 432 list = xstrdup(buffer_ptr(&b));
@@ -394,7 +435,7 @@ authmethods_get(void)
394} 435}
395 436
396static Authmethod * 437static Authmethod *
397authmethod_lookup(const char *name) 438authmethod_lookup(Authctxt *authctxt, const char *name)
398{ 439{
399 int i; 440 int i;
400 441
@@ -402,10 +443,154 @@ authmethod_lookup(const char *name)
402 for (i = 0; authmethods[i] != NULL; i++) 443 for (i = 0; authmethods[i] != NULL; i++)
403 if (authmethods[i]->enabled != NULL && 444 if (authmethods[i]->enabled != NULL &&
404 *(authmethods[i]->enabled) != 0 && 445 *(authmethods[i]->enabled) != 0 &&
405 strcmp(name, authmethods[i]->name) == 0) 446 strcmp(name, authmethods[i]->name) == 0 &&
447 method_allowed(authctxt, authmethods[i]->name))
406 return authmethods[i]; 448 return authmethods[i];
407 debug2("Unrecognized authentication method name: %s", 449 debug2("Unrecognized authentication method name: %s",
408 name ? name : "NULL"); 450 name ? name : "NULL");
409 return NULL; 451 return NULL;
410} 452}
411 453
454/*
455 * Check a comma-separated list of methods for validity. Is need_enable is
456 * non-zero, then also require that the methods are enabled.
457 * Returns 0 on success or -1 if the methods list is invalid.
458 */
459int
460auth2_methods_valid(const char *_methods, int need_enable)
461{
462 char *methods, *omethods, *method;
463 u_int i, found;
464 int ret = -1;
465
466 if (*_methods == '\0') {
467 error("empty authentication method list");
468 return -1;
469 }
470 omethods = methods = xstrdup(_methods);
471 while ((method = strsep(&methods, ",")) != NULL) {
472 for (found = i = 0; !found && authmethods[i] != NULL; i++) {
473 if (strcmp(method, authmethods[i]->name) != 0)
474 continue;
475 if (need_enable) {
476 if (authmethods[i]->enabled == NULL ||
477 *(authmethods[i]->enabled) == 0) {
478 error("Disabled method \"%s\" in "
479 "AuthenticationMethods list \"%s\"",
480 method, _methods);
481 goto out;
482 }
483 }
484 found = 1;
485 break;
486 }
487 if (!found) {
488 error("Unknown authentication method \"%s\" in list",
489 method);
490 goto out;
491 }
492 }
493 ret = 0;
494 out:
495 free(omethods);
496 return ret;
497}
498
499/*
500 * Prune the AuthenticationMethods supplied in the configuration, removing
501 * any methods lists that include disabled methods. Note that this might
502 * leave authctxt->num_auth_methods == 0, even when multiple required auth
503 * has been requested. For this reason, all tests for whether multiple is
504 * enabled should consult options.num_auth_methods directly.
505 */
506int
507auth2_setup_methods_lists(Authctxt *authctxt)
508{
509 u_int i;
510
511 if (options.num_auth_methods == 0)
512 return 0;
513 debug3("%s: checking methods", __func__);
514 authctxt->auth_methods = xcalloc(options.num_auth_methods,
515 sizeof(*authctxt->auth_methods));
516 authctxt->num_auth_methods = 0;
517 for (i = 0; i < options.num_auth_methods; i++) {
518 if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
519 logit("Authentication methods list \"%s\" contains "
520 "disabled method, skipping",
521 options.auth_methods[i]);
522 continue;
523 }
524 debug("authentication methods list %d: %s",
525 authctxt->num_auth_methods, options.auth_methods[i]);
526 authctxt->auth_methods[authctxt->num_auth_methods++] =
527 xstrdup(options.auth_methods[i]);
528 }
529 if (authctxt->num_auth_methods == 0) {
530 error("No AuthenticationMethods left after eliminating "
531 "disabled methods");
532 return -1;
533 }
534 return 0;
535}
536
537static int
538list_starts_with(const char *methods, const char *method)
539{
540 size_t l = strlen(method);
541
542 if (strncmp(methods, method, l) != 0)
543 return 0;
544 if (methods[l] != ',' && methods[l] != '\0')
545 return 0;
546 return 1;
547}
548
549/*
550 * Remove method from the start of a comma-separated list of methods.
551 * Returns 0 if the list of methods did not start with that method or 1
552 * if it did.
553 */
554static int
555remove_method(char **methods, const char *method)
556{
557 char *omethods = *methods;
558 size_t l = strlen(method);
559
560 if (!list_starts_with(omethods, method))
561 return 0;
562 *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
563 free(omethods);
564 return 1;
565}
566
567/*
568 * Called after successful authentication. Will remove the successful method
569 * from the start of each list in which it occurs. If it was the last method
570 * in any list, then authentication is deemed successful.
571 * Returns 1 if the method completed any authentication list or 0 otherwise.
572 */
573int
574auth2_update_methods_lists(Authctxt *authctxt, const char *method)
575{
576 u_int i, found = 0;
577
578 debug3("%s: updating methods list after \"%s\"", __func__, method);
579 for (i = 0; i < authctxt->num_auth_methods; i++) {
580 if (!remove_method(&(authctxt->auth_methods[i]), method))
581 continue;
582 found = 1;
583 if (*authctxt->auth_methods[i] == '\0') {
584 debug2("authentication methods list %d complete", i);
585 return 1;
586 }
587 debug3("authentication methods list %d remaining: \"%s\"",
588 i, authctxt->auth_methods[i]);
589 }
590 /* This should not happen, but would be bad if it did */
591 if (!found)
592 fatal("%s: method not in AuthenticationMethods", __func__);
593 return 0;
594}
595
596
diff --git a/authfile.c b/authfile.c
index 7dd449690..3544d170b 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */ 1/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -150,7 +150,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
150 cipher_set_key_string(&ciphercontext, cipher, passphrase, 150 cipher_set_key_string(&ciphercontext, cipher, passphrase,
151 CIPHER_ENCRYPT); 151 CIPHER_ENCRYPT);
152 cipher_crypt(&ciphercontext, cp, 152 cipher_crypt(&ciphercontext, cp,
153 buffer_ptr(&buffer), buffer_len(&buffer)); 153 buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
154 cipher_cleanup(&ciphercontext); 154 cipher_cleanup(&ciphercontext);
155 memset(&ciphercontext, 0, sizeof(ciphercontext)); 155 memset(&ciphercontext, 0, sizeof(ciphercontext));
156 156
@@ -474,7 +474,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
474 cipher_set_key_string(&ciphercontext, cipher, passphrase, 474 cipher_set_key_string(&ciphercontext, cipher, passphrase,
475 CIPHER_DECRYPT); 475 CIPHER_DECRYPT);
476 cipher_crypt(&ciphercontext, cp, 476 cipher_crypt(&ciphercontext, cp,
477 buffer_ptr(&copy), buffer_len(&copy)); 477 buffer_ptr(&copy), buffer_len(&copy), 0, 0);
478 cipher_cleanup(&ciphercontext); 478 cipher_cleanup(&ciphercontext);
479 memset(&ciphercontext, 0, sizeof(ciphercontext)); 479 memset(&ciphercontext, 0, sizeof(ciphercontext));
480 buffer_free(&copy); 480 buffer_free(&copy);
diff --git a/buildpkg.sh.in b/buildpkg.sh.in
index 4de9d42e4..4b842b3f7 100644
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -337,17 +337,17 @@ then
337else 337else
338 if [ "\${USE_SYM_LINKS}" = yes ] 338 if [ "\${USE_SYM_LINKS}" = yes ]
339 then 339 then
340 [ "$RCS_D" = yes ] && \ 340 [ "$RCS_D" = yes ] && \\
341 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 341 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
342 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 342 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
343 [ "$RC1_D" = no ] || \ 343 [ "$RC1_D" = no ] || \\
344 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 344 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
345 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 345 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
346 else 346 else
347 [ "$RCS_D" = yes ] && \ 347 [ "$RCS_D" = yes ] && \\
348 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 348 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
349 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 349 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
350 [ "$RC1_D" = no ] || \ 350 [ "$RC1_D" = no ] || \\
351 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 351 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
352 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 352 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
353 fi 353 fi
@@ -538,10 +538,10 @@ then
538PRE_INS_STOP=no 538PRE_INS_STOP=no
539POST_INS_START=no 539POST_INS_START=no
540# determine if should restart the daemon 540# determine if should restart the daemon
541if [ -s ${piddir}/sshd.pid ] && \ 541if [ -s ${piddir}/sshd.pid ] && \\
542 /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1 542 /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
543then 543then
544 ans=\`ckyorn -d n \ 544 ans=\`ckyorn -d n \\
545-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? 545-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
546 case \$ans in 546 case \$ans in
547 [y,Y]*) PRE_INS_STOP=yes 547 [y,Y]*) PRE_INS_STOP=yes
@@ -552,7 +552,7 @@ then
552else 552else
553 553
554# determine if we should start sshd 554# determine if we should start sshd
555 ans=\`ckyorn -d n \ 555 ans=\`ckyorn -d n \\
556-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? 556-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
557 case \$ans in 557 case \$ans in
558 [y,Y]*) POST_INS_START=yes ;; 558 [y,Y]*) POST_INS_START=yes ;;
@@ -573,7 +573,7 @@ USE_SYM_LINKS=no
573PRE_INS_STOP=no 573PRE_INS_STOP=no
574POST_INS_START=no 574POST_INS_START=no
575# Use symbolic links? 575# Use symbolic links?
576ans=\`ckyorn -d n \ 576ans=\`ckyorn -d n \\
577-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$? 577-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
578case \$ans in 578case \$ans in
579 [y,Y]*) USE_SYM_LINKS=yes ;; 579 [y,Y]*) USE_SYM_LINKS=yes ;;
@@ -582,7 +582,7 @@ esac
582# determine if should restart the daemon 582# determine if should restart the daemon
583if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ] 583if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
584then 584then
585 ans=\`ckyorn -d n \ 585 ans=\`ckyorn -d n \\
586-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? 586-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
587 case \$ans in 587 case \$ans in
588 [y,Y]*) PRE_INS_STOP=yes 588 [y,Y]*) PRE_INS_STOP=yes
@@ -593,7 +593,7 @@ then
593else 593else
594 594
595# determine if we should start sshd 595# determine if we should start sshd
596 ans=\`ckyorn -d n \ 596 ans=\`ckyorn -d n \\
597-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? 597-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
598 case \$ans in 598 case \$ans in
599 [y,Y]*) POST_INS_START=yes ;; 599 [y,Y]*) POST_INS_START=yes ;;
diff --git a/channels.c b/channels.c
index 7791febd7..9cf85a38d 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */ 1/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port)
3165void 3165void
3166channel_disable_adm_local_opens(void) 3166channel_disable_adm_local_opens(void)
3167{ 3167{
3168 if (num_adm_permitted_opens == 0) { 3168 channel_clear_adm_permitted_opens();
3169 permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); 3169 permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
3170 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 3170 permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL;
3171 = NULL; 3171 num_adm_permitted_opens = 1;
3172 num_adm_permitted_opens = 1;
3173 }
3174} 3172}
3175 3173
3176void 3174void
diff --git a/cipher-acss.c b/cipher-acss.c
deleted file mode 100644
index e755f92b9..000000000
--- a/cipher-acss.c
+++ /dev/null
@@ -1,86 +0,0 @@
1/*
2 * Copyright (c) 2004 The OpenBSD project
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include "includes.h"
18
19#include <openssl/evp.h>
20
21#include <string.h>
22
23#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
24
25#include "acss.h"
26#include "openbsd-compat/openssl-compat.h"
27
28#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)
29
30typedef struct {
31 ACSS_KEY ks;
32} EVP_ACSS_KEY;
33
34#define EVP_CTRL_SET_ACSS_MODE 0xff06
35#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07
36
37static int
38acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
39 const unsigned char *iv, int enc)
40{
41 acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
42 return 1;
43}
44
45static int
46acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
47 LIBCRYPTO_EVP_INL_TYPE inl)
48{
49 acss(&data(ctx)->ks,inl,in,out);
50 return 1;
51}
52
53static int
54acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
55{
56 switch(type) {
57 case EVP_CTRL_SET_ACSS_MODE:
58 data(ctx)->ks.mode = arg;
59 return 1;
60 case EVP_CTRL_SET_ACSS_SUBKEY:
61 acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
62 return 1;
63 default:
64 return -1;
65 }
66}
67
68const EVP_CIPHER *
69evp_acss(void)
70{
71 static EVP_CIPHER acss_cipher;
72
73 memset(&acss_cipher, 0, sizeof(EVP_CIPHER));
74
75 acss_cipher.nid = NID_undef;
76 acss_cipher.block_size = 1;
77 acss_cipher.key_len = 5;
78 acss_cipher.init = acss_init_key;
79 acss_cipher.do_cipher = acss_ciph;
80 acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
81 acss_cipher.ctrl = acss_ctrl;
82
83 return (&acss_cipher);
84}
85#endif
86
diff --git a/cipher-aes.c b/cipher-aes.c
index bfda6d2f2..07ec7aa5d 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -46,9 +46,6 @@ struct ssh_rijndael_ctx
46 u_char r_iv[RIJNDAEL_BLOCKSIZE]; 46 u_char r_iv[RIJNDAEL_BLOCKSIZE];
47}; 47};
48 48
49const EVP_CIPHER * evp_rijndael(void);
50void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
51
52static int 49static int
53ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, 50ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
54 int enc) 51 int enc)
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 04975b4b6..d1fe69f57 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -16,6 +16,7 @@
16 */ 16 */
17#include "includes.h" 17#include "includes.h"
18 18
19#ifndef OPENSSL_HAVE_EVPCTR
19#include <sys/types.h> 20#include <sys/types.h>
20 21
21#include <stdarg.h> 22#include <stdarg.h>
@@ -33,9 +34,6 @@
33#include <openssl/aes.h> 34#include <openssl/aes.h>
34#endif 35#endif
35 36
36const EVP_CIPHER *evp_aes_128_ctr(void);
37void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
38
39struct ssh_aes_ctr_ctx 37struct ssh_aes_ctr_ctx
40{ 38{
41 AES_KEY aes_ctx; 39 AES_KEY aes_ctx;
@@ -144,3 +142,5 @@ evp_aes_128_ctr(void)
144#endif 142#endif
145 return (&aes_ctr); 143 return (&aes_ctr);
146} 144}
145
146#endif /* OPENSSL_HAVE_EVPCTR */
diff --git a/cipher.c b/cipher.c
index bb5c0ac3a..9ca1d0065 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.c,v 1.82 2009/01/26 09:58:15 markus Exp $ */ 1/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,41 +54,46 @@
54extern const EVP_CIPHER *evp_ssh1_bf(void); 54extern const EVP_CIPHER *evp_ssh1_bf(void);
55extern const EVP_CIPHER *evp_ssh1_3des(void); 55extern const EVP_CIPHER *evp_ssh1_3des(void);
56extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); 56extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
57extern const EVP_CIPHER *evp_aes_128_ctr(void);
58extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
59 57
60struct Cipher { 58struct Cipher {
61 char *name; 59 char *name;
62 int number; /* for ssh1 only */ 60 int number; /* for ssh1 only */
63 u_int block_size; 61 u_int block_size;
64 u_int key_len; 62 u_int key_len;
63 u_int iv_len; /* defaults to block_size */
64 u_int auth_len;
65 u_int discard_len; 65 u_int discard_len;
66 u_int cbc_mode; 66 u_int cbc_mode;
67 const EVP_CIPHER *(*evptype)(void); 67 const EVP_CIPHER *(*evptype)(void);
68} ciphers[] = { 68} ciphers[] = {
69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, 69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
70 { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, 70 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, 71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
72 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf }, 72 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
73 73
74 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, 74 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
75 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, 75 { "blowfish-cbc",
76 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, 76 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
77 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, 77 { "cast128-cbc",
78 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, 78 SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
79 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, 79 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
80 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, 80 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
81 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, 81 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
82 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 82 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
83 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
84 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
83 { "rijndael-cbc@lysator.liu.se", 85 { "rijndael-cbc@lysator.liu.se",
84 SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, 86 SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
85 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, 87 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
86 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, 88 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
87 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, 89 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
88#ifdef USE_CIPHER_ACSS 90#ifdef OPENSSL_HAVE_EVPGCM
89 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, 91 { "aes128-gcm@openssh.com",
92 SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
93 { "aes256-gcm@openssh.com",
94 SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
90#endif 95#endif
91 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } 96 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
92}; 97};
93 98
94/*--*/ 99/*--*/
@@ -106,6 +111,18 @@ cipher_keylen(const Cipher *c)
106} 111}
107 112
108u_int 113u_int
114cipher_authlen(const Cipher *c)
115{
116 return (c->auth_len);
117}
118
119u_int
120cipher_ivlen(const Cipher *c)
121{
122 return (c->iv_len ? c->iv_len : c->block_size);
123}
124
125u_int
109cipher_get_number(const Cipher *c) 126cipher_get_number(const Cipher *c)
110{ 127{
111 return (c->number); 128 return (c->number);
@@ -224,11 +241,12 @@ cipher_init(CipherContext *cc, Cipher *cipher,
224 keylen = 8; 241 keylen = 8;
225 } 242 }
226 cc->plaintext = (cipher->number == SSH_CIPHER_NONE); 243 cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
244 cc->encrypt = do_encrypt;
227 245
228 if (keylen < cipher->key_len) 246 if (keylen < cipher->key_len)
229 fatal("cipher_init: key length %d is insufficient for %s.", 247 fatal("cipher_init: key length %d is insufficient for %s.",
230 keylen, cipher->name); 248 keylen, cipher->name);
231 if (iv != NULL && ivlen < cipher->block_size) 249 if (iv != NULL && ivlen < cipher_ivlen(cipher))
232 fatal("cipher_init: iv length %d is insufficient for %s.", 250 fatal("cipher_init: iv length %d is insufficient for %s.",
233 ivlen, cipher->name); 251 ivlen, cipher->name);
234 cc->cipher = cipher; 252 cc->cipher = cipher;
@@ -249,6 +267,11 @@ cipher_init(CipherContext *cc, Cipher *cipher,
249 (do_encrypt == CIPHER_ENCRYPT)) == 0) 267 (do_encrypt == CIPHER_ENCRYPT)) == 0)
250 fatal("cipher_init: EVP_CipherInit failed for %s", 268 fatal("cipher_init: EVP_CipherInit failed for %s",
251 cipher->name); 269 cipher->name);
270 if (cipher_authlen(cipher) &&
271 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
272 -1, (u_char *)iv))
273 fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
274 cipher->name);
252 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 275 klen = EVP_CIPHER_CTX_key_length(&cc->evp);
253 if (klen > 0 && keylen != (u_int)klen) { 276 if (klen > 0 && keylen != (u_int)klen) {
254 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 277 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
@@ -273,13 +296,59 @@ cipher_init(CipherContext *cc, Cipher *cipher,
273 } 296 }
274} 297}
275 298
299/*
300 * cipher_crypt() operates as following:
301 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
302 * Theses bytes are treated as additional authenticated data for
303 * authenticated encryption modes.
304 * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
305 * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
306 * This tag is written on encryption and verified on decryption.
307 * Both 'aadlen' and 'authlen' can be set to 0.
308 */
276void 309void
277cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) 310cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
311 u_int len, u_int aadlen, u_int authlen)
278{ 312{
313 if (authlen) {
314 u_char lastiv[1];
315
316 if (authlen != cipher_authlen(cc->cipher))
317 fatal("%s: authlen mismatch %d", __func__, authlen);
318 /* increment IV */
319 if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
320 1, lastiv))
321 fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
322 /* set tag on decyption */
323 if (!cc->encrypt &&
324 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
325 authlen, (u_char *)src + aadlen + len))
326 fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
327 }
328 if (aadlen) {
329 if (authlen &&
330 EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
331 fatal("%s: EVP_Cipher(aad) failed", __func__);
332 memcpy(dest, src, aadlen);
333 }
279 if (len % cc->cipher->block_size) 334 if (len % cc->cipher->block_size)
280 fatal("cipher_encrypt: bad plaintext length %d", len); 335 fatal("%s: bad plaintext length %d", __func__, len);
281 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 336 if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
282 fatal("evp_crypt: EVP_Cipher failed"); 337 len) < 0)
338 fatal("%s: EVP_Cipher failed", __func__);
339 if (authlen) {
340 /* compute tag (on encrypt) or verify tag (on decrypt) */
341 if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
342 if (cc->encrypt)
343 fatal("%s: EVP_Cipher(final) failed", __func__);
344 else
345 fatal("Decryption integrity check failed");
346 }
347 if (cc->encrypt &&
348 !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
349 authlen, dest + aadlen + len))
350 fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
351 }
283} 352}
284 353
285void 354void
@@ -351,10 +420,12 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
351 ssh_rijndael_iv(&cc->evp, 0, iv, len); 420 ssh_rijndael_iv(&cc->evp, 0, iv, len);
352 else 421 else
353#endif 422#endif
423#ifndef OPENSSL_HAVE_EVPCTR
354 if (c->evptype == evp_aes_128_ctr) 424 if (c->evptype == evp_aes_128_ctr)
355 ssh_aes_ctr_iv(&cc->evp, 0, iv, len); 425 ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
356 else 426 else
357 memcpy(iv, cc->evp.iv, len); 427#endif
428 memcpy(iv, cc->evp.iv, len);
358 break; 429 break;
359 case SSH_CIPHER_3DES: 430 case SSH_CIPHER_3DES:
360 ssh1_3des_iv(&cc->evp, 0, iv, 24); 431 ssh1_3des_iv(&cc->evp, 0, iv, 24);
@@ -382,10 +453,12 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
382 ssh_rijndael_iv(&cc->evp, 1, iv, evplen); 453 ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
383 else 454 else
384#endif 455#endif
456#ifndef OPENSSL_HAVE_EVPCTR
385 if (c->evptype == evp_aes_128_ctr) 457 if (c->evptype == evp_aes_128_ctr)
386 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); 458 ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
387 else 459 else
388 memcpy(cc->evp.iv, iv, evplen); 460#endif
461 memcpy(cc->evp.iv, iv, evplen);
389 break; 462 break;
390 case SSH_CIPHER_3DES: 463 case SSH_CIPHER_3DES:
391 ssh1_3des_iv(&cc->evp, 1, iv, 24); 464 ssh1_3des_iv(&cc->evp, 1, iv, 24);
@@ -395,21 +468,13 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
395 } 468 }
396} 469}
397 470
398#if OPENSSL_VERSION_NUMBER < 0x00907000L
399#define EVP_X_STATE(evp) &(evp).c
400#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
401#else
402#define EVP_X_STATE(evp) (evp).cipher_data
403#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
404#endif
405
406int 471int
407cipher_get_keycontext(const CipherContext *cc, u_char *dat) 472cipher_get_keycontext(const CipherContext *cc, u_char *dat)
408{ 473{
409 Cipher *c = cc->cipher; 474 Cipher *c = cc->cipher;
410 int plen = 0; 475 int plen = 0;
411 476
412 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 477 if (c->evptype == EVP_rc4) {
413 plen = EVP_X_STATE_LEN(cc->evp); 478 plen = EVP_X_STATE_LEN(cc->evp);
414 if (dat == NULL) 479 if (dat == NULL)
415 return (plen); 480 return (plen);
@@ -424,7 +489,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat)
424 Cipher *c = cc->cipher; 489 Cipher *c = cc->cipher;
425 int plen; 490 int plen;
426 491
427 if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { 492 if (c->evptype == EVP_rc4) {
428 plen = EVP_X_STATE_LEN(cc->evp); 493 plen = EVP_X_STATE_LEN(cc->evp);
429 memcpy(EVP_X_STATE(cc->evp), dat, plen); 494 memcpy(EVP_X_STATE(cc->evp), dat, plen);
430 } 495 }
diff --git a/cipher.h b/cipher.h
index 3dd2270bb..8cb57c3e5 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.h,v 1.37 2009/01/26 09:58:15 markus Exp $ */ 1/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -64,6 +64,7 @@ typedef struct CipherContext CipherContext;
64struct Cipher; 64struct Cipher;
65struct CipherContext { 65struct CipherContext {
66 int plaintext; 66 int plaintext;
67 int encrypt;
67 EVP_CIPHER_CTX evp; 68 EVP_CIPHER_CTX evp;
68 Cipher *cipher; 69 Cipher *cipher;
69}; 70};
@@ -76,11 +77,14 @@ char *cipher_name(int);
76int ciphers_valid(const char *); 77int ciphers_valid(const char *);
77void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, 78void cipher_init(CipherContext *, Cipher *, const u_char *, u_int,
78 const u_char *, u_int, int); 79 const u_char *, u_int, int);
79void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); 80void cipher_crypt(CipherContext *, u_char *, const u_char *,
81 u_int, u_int, u_int);
80void cipher_cleanup(CipherContext *); 82void cipher_cleanup(CipherContext *);
81void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); 83void cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
82u_int cipher_blocksize(const Cipher *); 84u_int cipher_blocksize(const Cipher *);
83u_int cipher_keylen(const Cipher *); 85u_int cipher_keylen(const Cipher *);
86u_int cipher_authlen(const Cipher *);
87u_int cipher_ivlen(const Cipher *);
84u_int cipher_is_cbc(const Cipher *); 88u_int cipher_is_cbc(const Cipher *);
85 89
86u_int cipher_get_number(const Cipher *); 90u_int cipher_get_number(const Cipher *);
diff --git a/clientloop.c b/clientloop.c
index 7bb63c73b..2ef816ab3 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.240 2012/06/20 04:42:58 djm Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -972,9 +972,9 @@ process_cmdline(void)
972 goto out; 972 goto out;
973 } 973 }
974 if (local || dynamic) { 974 if (local || dynamic) {
975 if (channel_setup_local_fwd_listener(fwd.listen_host, 975 if (!channel_setup_local_fwd_listener(fwd.listen_host,
976 fwd.listen_port, fwd.connect_host, 976 fwd.listen_port, fwd.connect_host,
977 fwd.connect_port, options.gateway_ports) < 0) { 977 fwd.connect_port, options.gateway_ports)) {
978 logit("Port forwarding failed."); 978 logit("Port forwarding failed.");
979 goto out; 979 goto out;
980 } 980 }
@@ -1000,6 +1000,63 @@ out:
1000 xfree(fwd.connect_host); 1000 xfree(fwd.connect_host);
1001} 1001}
1002 1002
1003/* reasons to suppress output of an escape command in help output */
1004#define SUPPRESS_NEVER 0 /* never suppress, always show */
1005#define SUPPRESS_PROTO1 1 /* don't show in protocol 1 sessions */
1006#define SUPPRESS_MUXCLIENT 2 /* don't show in mux client sessions */
1007#define SUPPRESS_MUXMASTER 4 /* don't show in mux master sessions */
1008#define SUPPRESS_SYSLOG 8 /* don't show when logging to syslog */
1009struct escape_help_text {
1010 const char *cmd;
1011 const char *text;
1012 unsigned int flags;
1013};
1014static struct escape_help_text esc_txt[] = {
1015 {".", "terminate session", SUPPRESS_MUXMASTER},
1016 {".", "terminate connection (and any multiplexed sessions)",
1017 SUPPRESS_MUXCLIENT},
1018 {"B", "send a BREAK to the remote system", SUPPRESS_PROTO1},
1019 {"C", "open a command line", SUPPRESS_MUXCLIENT},
1020 {"R", "request rekey", SUPPRESS_PROTO1},
1021 {"V/v", "decrease/increase verbosity (LogLevel)", SUPPRESS_MUXCLIENT},
1022 {"^Z", "suspend ssh", SUPPRESS_MUXCLIENT},
1023 {"#", "list forwarded connections", SUPPRESS_NEVER},
1024 {"&", "background ssh (when waiting for connections to terminate)",
1025 SUPPRESS_MUXCLIENT},
1026 {"?", "this message", SUPPRESS_NEVER},
1027};
1028
1029static void
1030print_escape_help(Buffer *b, int escape_char, int protocol2, int mux_client,
1031 int using_stderr)
1032{
1033 unsigned int i, suppress_flags;
1034 char string[1024];
1035
1036 snprintf(string, sizeof string, "%c?\r\n"
1037 "Supported escape sequences:\r\n", escape_char);
1038 buffer_append(b, string, strlen(string));
1039
1040 suppress_flags = (protocol2 ? 0 : SUPPRESS_PROTO1) |
1041 (mux_client ? SUPPRESS_MUXCLIENT : 0) |
1042 (mux_client ? 0 : SUPPRESS_MUXMASTER) |
1043 (using_stderr ? 0 : SUPPRESS_SYSLOG);
1044
1045 for (i = 0; i < sizeof(esc_txt)/sizeof(esc_txt[0]); i++) {
1046 if (esc_txt[i].flags & suppress_flags)
1047 continue;
1048 snprintf(string, sizeof string, " %c%-3s - %s\r\n",
1049 escape_char, esc_txt[i].cmd, esc_txt[i].text);
1050 buffer_append(b, string, strlen(string));
1051 }
1052
1053 snprintf(string, sizeof string,
1054 " %c%c - send the escape character by typing it twice\r\n"
1055 "(Note that escapes are only recognized immediately after "
1056 "newline.)\r\n", escape_char, escape_char);
1057 buffer_append(b, string, strlen(string));
1058}
1059
1003/* 1060/*
1004 * Process the characters one by one, call with c==NULL for proto1 case. 1061 * Process the characters one by one, call with c==NULL for proto1 case.
1005 */ 1062 */
@@ -1050,6 +1107,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1050 if (c && c->ctl_chan != -1) { 1107 if (c && c->ctl_chan != -1) {
1051 chan_read_failed(c); 1108 chan_read_failed(c);
1052 chan_write_failed(c); 1109 chan_write_failed(c);
1110 mux_master_session_cleanup_cb(c->self,
1111 NULL);
1053 return 0; 1112 return 0;
1054 } else 1113 } else
1055 quit_pending = 1; 1114 quit_pending = 1;
@@ -1058,11 +1117,16 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1058 case 'Z' - 64: 1117 case 'Z' - 64:
1059 /* XXX support this for mux clients */ 1118 /* XXX support this for mux clients */
1060 if (c && c->ctl_chan != -1) { 1119 if (c && c->ctl_chan != -1) {
1120 char b[16];
1061 noescape: 1121 noescape:
1122 if (ch == 'Z' - 64)
1123 snprintf(b, sizeof b, "^Z");
1124 else
1125 snprintf(b, sizeof b, "%c", ch);
1062 snprintf(string, sizeof string, 1126 snprintf(string, sizeof string,
1063 "%c%c escape not available to " 1127 "%c%s escape not available to "
1064 "multiplexed sessions\r\n", 1128 "multiplexed sessions\r\n",
1065 escape_char, ch); 1129 escape_char, b);
1066 buffer_append(berr, string, 1130 buffer_append(berr, string,
1067 strlen(string)); 1131 strlen(string));
1068 continue; 1132 continue;
@@ -1101,6 +1165,31 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1101 } 1165 }
1102 continue; 1166 continue;
1103 1167
1168 case 'V':
1169 /* FALLTHROUGH */
1170 case 'v':
1171 if (c && c->ctl_chan != -1)
1172 goto noescape;
1173 if (!log_is_on_stderr()) {
1174 snprintf(string, sizeof string,
1175 "%c%c [Logging to syslog]\r\n",
1176 escape_char, ch);
1177 buffer_append(berr, string,
1178 strlen(string));
1179 continue;
1180 }
1181 if (ch == 'V' && options.log_level >
1182 SYSLOG_LEVEL_QUIET)
1183 log_change_level(--options.log_level);
1184 if (ch == 'v' && options.log_level <
1185 SYSLOG_LEVEL_DEBUG3)
1186 log_change_level(++options.log_level);
1187 snprintf(string, sizeof string,
1188 "%c%c [LogLevel %s]\r\n", escape_char, ch,
1189 log_level_name(options.log_level));
1190 buffer_append(berr, string, strlen(string));
1191 continue;
1192
1104 case '&': 1193 case '&':
1105 if (c && c->ctl_chan != -1) 1194 if (c && c->ctl_chan != -1)
1106 goto noescape; 1195 goto noescape;
@@ -1154,43 +1243,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1154 continue; 1243 continue;
1155 1244
1156 case '?': 1245 case '?':
1157 if (c && c->ctl_chan != -1) { 1246 print_escape_help(berr, escape_char, compat20,
1158 snprintf(string, sizeof string, 1247 (c && c->ctl_chan != -1),
1159"%c?\r\n\ 1248 log_is_on_stderr());
1160Supported escape sequences:\r\n\
1161 %c. - terminate session\r\n\
1162 %cB - send a BREAK to the remote system\r\n\
1163 %cR - Request rekey (SSH protocol 2 only)\r\n\
1164 %c# - list forwarded connections\r\n\
1165 %c? - this message\r\n\
1166 %c%c - send the escape character by typing it twice\r\n\
1167(Note that escapes are only recognized immediately after newline.)\r\n",
1168 escape_char, escape_char,
1169 escape_char, escape_char,
1170 escape_char, escape_char,
1171 escape_char, escape_char);
1172 } else {
1173 snprintf(string, sizeof string,
1174"%c?\r\n\
1175Supported escape sequences:\r\n\
1176 %c. - terminate connection (and any multiplexed sessions)\r\n\
1177 %cB - send a BREAK to the remote system\r\n\
1178 %cC - open a command line\r\n\
1179 %cR - Request rekey (SSH protocol 2 only)\r\n\
1180 %c^Z - suspend ssh\r\n\
1181 %c# - list forwarded connections\r\n\
1182 %c& - background ssh (when waiting for connections to terminate)\r\n\
1183 %c? - this message\r\n\
1184 %c%c - send the escape character by typing it twice\r\n\
1185(Note that escapes are only recognized immediately after newline.)\r\n",
1186 escape_char, escape_char,
1187 escape_char, escape_char,
1188 escape_char, escape_char,
1189 escape_char, escape_char,
1190 escape_char, escape_char,
1191 escape_char);
1192 }
1193 buffer_append(berr, string, strlen(string));
1194 continue; 1249 continue;
1195 1250
1196 case '#': 1251 case '#':
@@ -2202,10 +2257,10 @@ client_stop_mux(void)
2202 if (options.control_path != NULL && muxserver_sock != -1) 2257 if (options.control_path != NULL && muxserver_sock != -1)
2203 unlink(options.control_path); 2258 unlink(options.control_path);
2204 /* 2259 /*
2205 * If we are in persist mode, signal that we should close when all 2260 * If we are in persist mode, or don't have a shell, signal that we
2206 * active channels are closed. 2261 * should close when all active channels are closed.
2207 */ 2262 */
2208 if (options.control_persist) { 2263 if (options.control_persist || no_shell_flag) {
2209 session_closed = 1; 2264 session_closed = 1;
2210 setproctitle("[stopped mux]"); 2265 setproctitle("[stopped mux]");
2211 } 2266 }
diff --git a/clientloop.h b/clientloop.h
index 3bb794879..d2baa0324 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.h,v 1.29 2011/09/09 22:46:44 djm Exp $ */ 1/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -76,4 +76,5 @@ void muxserver_listen(void);
76void muxclient(const char *); 76void muxclient(const char *);
77void mux_exit_message(Channel *, int); 77void mux_exit_message(Channel *, int);
78void mux_tty_alloc_failed(Channel *); 78void mux_tty_alloc_failed(Channel *);
79void mux_master_session_cleanup_cb(int, void *);
79 80
diff --git a/compat.c b/compat.c
index 0dc089fd6..f680f4fe3 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: compat.c,v 1.79 2011/09/23 07:45:05 markus Exp $ */ 1/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
4 * 4 *
@@ -45,6 +45,8 @@ int datafellows = 0;
45void 45void
46enable_compat20(void) 46enable_compat20(void)
47{ 47{
48 if (compat20)
49 return;
48 debug("Enabling compatibility mode for protocol 2.0"); 50 debug("Enabling compatibility mode for protocol 2.0");
49 compat20 = 1; 51 compat20 = 1;
50} 52}
diff --git a/config.h.in b/config.h.in
index 6c4f2272a..67858ef6d 100644
--- a/config.h.in
+++ b/config.h.in
@@ -74,6 +74,9 @@
74/* Define if your snprintf is busted */ 74/* Define if your snprintf is busted */
75#undef BROKEN_SNPRINTF 75#undef BROKEN_SNPRINTF
76 76
77/* FreeBSD strnvis does not do what we need */
78#undef BROKEN_STRNVIS
79
77/* tcgetattr with ICANON may hang */ 80/* tcgetattr with ICANON may hang */
78#undef BROKEN_TCGETATTR_ICANON 81#undef BROKEN_TCGETATTR_ICANON
79 82
@@ -215,6 +218,9 @@
215/* Define to 1 if you have the `BN_is_prime_ex' function. */ 218/* Define to 1 if you have the `BN_is_prime_ex' function. */
216#undef HAVE_BN_IS_PRIME_EX 219#undef HAVE_BN_IS_PRIME_EX
217 220
221/* Define to 1 if you have the <bsd/libutil.h> header file. */
222#undef HAVE_BSD_LIBUTIL_H
223
218/* Define to 1 if you have the <bsm/audit.h> header file. */ 224/* Define to 1 if you have the <bsm/audit.h> header file. */
219#undef HAVE_BSM_AUDIT_H 225#undef HAVE_BSM_AUDIT_H
220 226
@@ -256,6 +262,10 @@
256 don't. */ 262 don't. */
257#undef HAVE_DECL_GLOB_NOMATCH 263#undef HAVE_DECL_GLOB_NOMATCH
258 264
265/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE',
266 and to 0 if you don't. */
267#undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
268
259/* Define to 1 if you have the declaration of `h_errno', and to 0 if you 269/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
260 don't. */ 270 don't. */
261#undef HAVE_DECL_H_ERRNO 271#undef HAVE_DECL_H_ERRNO
@@ -326,6 +336,9 @@
326/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */ 336/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
327#undef HAVE_DSA_GENERATE_PARAMETERS_EX 337#undef HAVE_DSA_GENERATE_PARAMETERS_EX
328 338
339/* Define to 1 if you have the <elf.h> header file. */
340#undef HAVE_ELF_H
341
329/* Define to 1 if you have the <endian.h> header file. */ 342/* Define to 1 if you have the <endian.h> header file. */
330#undef HAVE_ENDIAN_H 343#undef HAVE_ENDIAN_H
331 344
@@ -338,6 +351,9 @@
338/* Define if your system has /etc/default/login */ 351/* Define if your system has /etc/default/login */
339#undef HAVE_ETC_DEFAULT_LOGIN 352#undef HAVE_ETC_DEFAULT_LOGIN
340 353
354/* Define if libcrypto has EVP_CIPHER_CTX_ctrl */
355#undef HAVE_EVP_CIPHER_CTX_CTRL
356
341/* Define to 1 if you have the `EVP_sha256' function. */ 357/* Define to 1 if you have the `EVP_sha256' function. */
342#undef HAVE_EVP_SHA256 358#undef HAVE_EVP_SHA256
343 359
@@ -428,6 +444,12 @@
428/* Define to 1 if you have the `getpeerucred' function. */ 444/* Define to 1 if you have the `getpeerucred' function. */
429#undef HAVE_GETPEERUCRED 445#undef HAVE_GETPEERUCRED
430 446
447/* Define to 1 if you have the `getpgid' function. */
448#undef HAVE_GETPGID
449
450/* Define to 1 if you have the `getpgrp' function. */
451#undef HAVE_GETPGRP
452
431/* Define to 1 if you have the `getpwanam' function. */ 453/* Define to 1 if you have the `getpwanam' function. */
432#undef HAVE_GETPWANAM 454#undef HAVE_GETPWANAM
433 455
@@ -972,6 +994,9 @@
972/* Define to 1 if you have the `strtoul' function. */ 994/* Define to 1 if you have the `strtoul' function. */
973#undef HAVE_STRTOUL 995#undef HAVE_STRTOUL
974 996
997/* Define to 1 if you have the `strtoull' function. */
998#undef HAVE_STRTOULL
999
975/* define if you have struct addrinfo data type */ 1000/* define if you have struct addrinfo data type */
976#undef HAVE_STRUCT_ADDRINFO 1001#undef HAVE_STRUCT_ADDRINFO
977 1002
@@ -1152,6 +1177,9 @@
1152/* Define to 1 if you have the `user_from_uid' function. */ 1177/* Define to 1 if you have the `user_from_uid' function. */
1153#undef HAVE_USER_FROM_UID 1178#undef HAVE_USER_FROM_UID
1154 1179
1180/* Define to 1 if you have the `usleep' function. */
1181#undef HAVE_USLEEP
1182
1155/* Define to 1 if you have the <util.h> header file. */ 1183/* Define to 1 if you have the <util.h> header file. */
1156#undef HAVE_UTIL_H 1184#undef HAVE_UTIL_H
1157 1185
@@ -1307,6 +1335,9 @@
1307/* Need setpgrp to acquire controlling tty */ 1335/* Need setpgrp to acquire controlling tty */
1308#undef NEED_SETPGRP 1336#undef NEED_SETPGRP
1309 1337
1338/* compiler does not accept __attribute__ on return types */
1339#undef NO_ATTRIBUTE_ON_RETURN_TYPE
1340
1310/* Define if the concept of ports only accessible to superusers isn't known */ 1341/* Define if the concept of ports only accessible to superusers isn't known */
1311#undef NO_IPPORT_RESERVED_CONCEPT 1342#undef NO_IPPORT_RESERVED_CONCEPT
1312 1343
@@ -1322,6 +1353,12 @@
1322/* libcrypto includes complete ECC support */ 1353/* libcrypto includes complete ECC support */
1323#undef OPENSSL_HAS_ECC 1354#undef OPENSSL_HAS_ECC
1324 1355
1356/* libcrypto has EVP AES CTR */
1357#undef OPENSSL_HAVE_EVPCTR
1358
1359/* libcrypto has EVP AES GCM */
1360#undef OPENSSL_HAVE_EVPGCM
1361
1325/* libcrypto is missing AES 192 and 256 bit functions */ 1362/* libcrypto is missing AES 192 and 256 bit functions */
1326#undef OPENSSL_LOBOTOMISED_AES 1363#undef OPENSSL_LOBOTOMISED_AES
1327 1364
@@ -1356,6 +1393,9 @@
1356/* must supply username to passwd */ 1393/* must supply username to passwd */
1357#undef PASSWD_NEEDS_USERNAME 1394#undef PASSWD_NEEDS_USERNAME
1358 1395
1396/* System dirs owned by bin (uid 2) */
1397#undef PLATFORM_SYS_DIR_UID
1398
1359/* Port number of PRNGD/EGD random number socket */ 1399/* Port number of PRNGD/EGD random number socket */
1360#undef PRNGD_PORT 1400#undef PRNGD_PORT
1361 1401
diff --git a/configure b/configure
index 5e473371d..c4d1ed0d2 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
1#! /bin/sh 1#! /bin/sh
2# From configure.ac Revision: 1.496 . 2# From configure.ac Revision: 1.518 .
3# Guess values for system-dependent variables and create Makefiles. 3# Guess values for system-dependent variables and create Makefiles.
4# Generated by GNU Autoconf 2.68 for OpenSSH Portable. 4# Generated by GNU Autoconf 2.68 for OpenSSH Portable.
5# 5#
@@ -614,6 +614,8 @@ XAUTH_PATH
614STRIP_OPT 614STRIP_OPT
615xauth_path 615xauth_path
616PRIVSEP_PATH 616PRIVSEP_PATH
617K5LIBS
618GSSLIBS
617KRB5CONF 619KRB5CONF
618SSHDLIBS 620SSHDLIBS
619SSHLIBS 621SSHLIBS
@@ -5587,60 +5589,6 @@ if test "x$ac_cv_have_decl_PR_SET_NO_NEW_PRIVS" = xyes; then :
5587 have_linux_no_new_privs=1 5589 have_linux_no_new_privs=1
5588fi 5590fi
5589 5591
5590if test "x$have_linux_no_new_privs" = "x1" ; then
5591ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" "
5592 #include <sys/types.h>
5593 #include <linux/seccomp.h>
5594
5595"
5596if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then :
5597 have_seccomp_filter=1
5598fi
5599
5600fi
5601if test "x$have_seccomp_filter" = "x1" ; then
5602{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
5603$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
5604if test "$cross_compiling" = yes; then :
5605 { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5
5606$as_echo "cross-compiling, assuming yes" >&6; }
5607
5608else
5609 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5610/* end confdefs.h. */
5611
5612 #include <errno.h>
5613 #include <linux/seccomp.h>
5614 #include <stdlib.h>
5615 #include <sys/prctl.h>
5616
5617int
5618main ()
5619{
5620 errno = 0;
5621 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
5622 exit(errno == EFAULT ? 0 : 1);
5623 ;
5624 return 0;
5625}
5626_ACEOF
5627if ac_fn_c_try_run "$LINENO"; then :
5628 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5629$as_echo "yes" >&6; }
5630else
5631
5632 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5633$as_echo "no" >&6; }
5634 # Disable seccomp filter as a target
5635 have_seccomp_filter=0
5636
5637fi
5638rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
5639 conftest.$ac_objext conftest.beam conftest.$ac_ext
5640fi
5641
5642fi
5643
5644use_stack_protector=1 5592use_stack_protector=1
5645 5593
5646# Check whether --with-stackprotect was given. 5594# Check whether --with-stackprotect was given.
@@ -5996,6 +5944,34 @@ fi
5996 fi 5944 fi
5997fi 5945fi
5998 5946
5947{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler allows __attribute__ on return types" >&5
5948$as_echo_n "checking if compiler allows __attribute__ on return types... " >&6; }
5949cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5950/* end confdefs.h. */
5951
5952#include <stdlib.h>
5953__attribute__((__unused__)) static void foo(void){return;}
5954int
5955main ()
5956{
5957 exit(0);
5958 ;
5959 return 0;
5960}
5961_ACEOF
5962if ac_fn_c_try_compile "$LINENO"; then :
5963 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5964$as_echo "yes" >&6; }
5965else
5966 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5967$as_echo "no" >&6; }
5968
5969$as_echo "#define NO_ATTRIBUTE_ON_RETURN_TYPE 1" >>confdefs.h
5970
5971
5972fi
5973rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5974
5999if test "x$no_attrib_nonnull" != "x1" ; then 5975if test "x$no_attrib_nonnull" != "x1" ; then
6000 5976
6001$as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h 5977$as_echo "#define HAVE_ATTRIBUTE__NONNULL__ 1" >>confdefs.h
@@ -6087,6 +6063,7 @@ for ac_header in \
6087 crypto/sha2.h \ 6063 crypto/sha2.h \
6088 dirent.h \ 6064 dirent.h \
6089 endian.h \ 6065 endian.h \
6066 elf.h \
6090 features.h \ 6067 features.h \
6091 fcntl.h \ 6068 fcntl.h \
6092 floatingpoint.h \ 6069 floatingpoint.h \
@@ -6513,6 +6490,9 @@ $as_echo "#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1" >>confdefs.h
6513 6490
6514$as_echo "#define PTY_ZEROREAD 1" >>confdefs.h 6491$as_echo "#define PTY_ZEROREAD 1" >>confdefs.h
6515 6492
6493
6494$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
6495
6516 ;; 6496 ;;
6517*-*-cygwin*) 6497*-*-cygwin*)
6518 check_for_libcrypt_later=1 6498 check_for_libcrypt_later=1
@@ -6777,6 +6757,9 @@ $as_echo "#define LOCKED_PASSWD_STRING \"*\"" >>confdefs.h
6777 6757
6778 $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h 6758 $as_echo "#define SPT_TYPE SPT_PSTAT" >>confdefs.h
6779 6759
6760
6761$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
6762
6780 maildir="/var/mail" 6763 maildir="/var/mail"
6781 LIBS="$LIBS -lsec" 6764 LIBS="$LIBS -lsec"
6782 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5 6765 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for t_error in -lxnet" >&5
@@ -7006,22 +6989,32 @@ _ACEOF
7006fi 6989fi
7007done 6990done
7008 6991
7009 have_seccomp_audit_arch=1 6992 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp architecture" >&5
6993$as_echo_n "checking for seccomp architecture... " >&6; }
6994 seccomp_audit_arch=
7010 case "$host" in 6995 case "$host" in
7011 x86_64-*) 6996 x86_64-*)
7012 6997 seccomp_audit_arch=AUDIT_ARCH_X86_64
7013$as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64" >>confdefs.h
7014
7015 ;; 6998 ;;
7016 i*86-*) 6999 i*86-*)
7017 7000 seccomp_audit_arch=AUDIT_ARCH_I386
7018$as_echo "#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386" >>confdefs.h
7019
7020 ;;
7021 *)
7022 have_seccomp_audit_arch=0
7023 ;; 7001 ;;
7002 arm*-*)
7003 seccomp_audit_arch=AUDIT_ARCH_ARM
7004 ;;
7024 esac 7005 esac
7006 if test "x$seccomp_audit_arch" != "x" ; then
7007 { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$seccomp_audit_arch\"" >&5
7008$as_echo "\"$seccomp_audit_arch\"" >&6; }
7009
7010cat >>confdefs.h <<_ACEOF
7011#define SECCOMP_AUDIT_ARCH $seccomp_audit_arch
7012_ACEOF
7013
7014 else
7015 { $as_echo "$as_me:${as_lineno-$LINENO}: result: architecture not supported" >&5
7016$as_echo "architecture not supported" >&6; }
7017 fi
7025 ;; 7018 ;;
7026mips-sony-bsd|mips-sony-newsos4) 7019mips-sony-bsd|mips-sony-newsos4)
7027 7020
@@ -7072,6 +7065,9 @@ fi
7072 7065
7073$as_echo "#define BROKEN_GLOB 1" >>confdefs.h 7066$as_echo "#define BROKEN_GLOB 1" >>confdefs.h
7074 7067
7068
7069$as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h
7070
7075 ;; 7071 ;;
7076*-*-bsdi*) 7072*-*-bsdi*)
7077 $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h 7073 $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
@@ -7556,6 +7552,7 @@ done
7556 7552
7557 MANTYPE=man 7553 MANTYPE=man
7558 TEST_SHELL=ksh 7554 TEST_SHELL=ksh
7555 SKIP_DISABLE_LASTLOG_DEFINE=yes
7559 ;; 7556 ;;
7560*-*-unicosmk*) 7557*-*-unicosmk*)
7561 7558
@@ -8387,12 +8384,13 @@ fi
8387done 8384done
8388 8385
8389 8386
8390for ac_header in libutil.h 8387for ac_header in bsd/libutil.h libutil.h
8391do : 8388do :
8392 ac_fn_c_check_header_mongrel "$LINENO" "libutil.h" "ac_cv_header_libutil_h" "$ac_includes_default" 8389 as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
8393if test "x$ac_cv_header_libutil_h" = xyes; then : 8390ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
8391if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
8394 cat >>confdefs.h <<_ACEOF 8392 cat >>confdefs.h <<_ACEOF
8395#define HAVE_LIBUTIL_H 1 8393#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
8396_ACEOF 8394_ACEOF
8397 8395
8398fi 8396fi
@@ -9582,6 +9580,8 @@ for ac_func in \
9582 getopt \ 9580 getopt \
9583 getpeereid \ 9581 getpeereid \
9584 getpeerucred \ 9582 getpeerucred \
9583 getpgid \
9584 getpgrp \
9585 _getpty \ 9585 _getpty \
9586 getrlimit \ 9586 getrlimit \
9587 getttyent \ 9587 getttyent \
@@ -9641,6 +9641,7 @@ for ac_func in \
9641 strtonum \ 9641 strtonum \
9642 strtoll \ 9642 strtoll \
9643 strtoul \ 9643 strtoul \
9644 strtoull \
9644 swap32 \ 9645 swap32 \
9645 sysconf \ 9646 sysconf \
9646 tcgetpgrp \ 9647 tcgetpgrp \
@@ -9649,6 +9650,7 @@ for ac_func in \
9649 unsetenv \ 9650 unsetenv \
9650 updwtmpx \ 9651 updwtmpx \
9651 user_from_uid \ 9652 user_from_uid \
9653 usleep \
9652 vasprintf \ 9654 vasprintf \
9653 vhangup \ 9655 vhangup \
9654 vsnprintf \ 9656 vsnprintf \
@@ -11256,6 +11258,147 @@ fi
11256rm -f core conftest.err conftest.$ac_objext \ 11258rm -f core conftest.err conftest.$ac_objext \
11257 conftest$ac_exeext conftest.$ac_ext 11259 conftest$ac_exeext conftest.$ac_ext
11258 11260
11261# Check for OpenSSL with EVP_aes_*ctr
11262{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES CTR via EVP" >&5
11263$as_echo_n "checking whether OpenSSL has AES CTR via EVP... " >&6; }
11264cat confdefs.h - <<_ACEOF >conftest.$ac_ext
11265/* end confdefs.h. */
11266
11267#include <string.h>
11268#include <openssl/evp.h>
11269
11270int
11271main ()
11272{
11273
11274 exit(EVP_aes_128_ctr() == NULL ||
11275 EVP_aes_192_cbc() == NULL ||
11276 EVP_aes_256_cbc() == NULL);
11277
11278 ;
11279 return 0;
11280}
11281_ACEOF
11282if ac_fn_c_try_link "$LINENO"; then :
11283
11284 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
11285$as_echo "yes" >&6; }
11286
11287$as_echo "#define OPENSSL_HAVE_EVPCTR 1" >>confdefs.h
11288
11289
11290else
11291
11292 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
11293$as_echo "no" >&6; }
11294
11295
11296fi
11297rm -f core conftest.err conftest.$ac_objext \
11298 conftest$ac_exeext conftest.$ac_ext
11299
11300# Check for OpenSSL with EVP_aes_*gcm
11301{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has AES GCM via EVP" >&5
11302$as_echo_n "checking whether OpenSSL has AES GCM via EVP... " >&6; }
11303cat confdefs.h - <<_ACEOF >conftest.$ac_ext
11304/* end confdefs.h. */
11305
11306#include <string.h>
11307#include <openssl/evp.h>
11308
11309int
11310main ()
11311{
11312
11313 exit(EVP_aes_128_gcm() == NULL ||
11314 EVP_aes_256_gcm() == NULL ||
11315 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
11316 EVP_CTRL_GCM_IV_GEN == 0 ||
11317 EVP_CTRL_GCM_SET_TAG == 0 ||
11318 EVP_CTRL_GCM_GET_TAG == 0 ||
11319 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
11320
11321 ;
11322 return 0;
11323}
11324_ACEOF
11325if ac_fn_c_try_link "$LINENO"; then :
11326
11327 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
11328$as_echo "yes" >&6; }
11329
11330$as_echo "#define OPENSSL_HAVE_EVPGCM 1" >>confdefs.h
11331
11332
11333else
11334
11335 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
11336$as_echo "no" >&6; }
11337
11338
11339fi
11340rm -f core conftest.err conftest.$ac_objext \
11341 conftest$ac_exeext conftest.$ac_ext
11342
11343{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing EVP_CIPHER_CTX_ctrl" >&5
11344$as_echo_n "checking for library containing EVP_CIPHER_CTX_ctrl... " >&6; }
11345if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
11346 $as_echo_n "(cached) " >&6
11347else
11348 ac_func_search_save_LIBS=$LIBS
11349cat confdefs.h - <<_ACEOF >conftest.$ac_ext
11350/* end confdefs.h. */
11351
11352/* Override any GCC internal prototype to avoid an error.
11353 Use char because int might match the return type of a GCC
11354 builtin and then its argument prototype would still apply. */
11355#ifdef __cplusplus
11356extern "C"
11357#endif
11358char EVP_CIPHER_CTX_ctrl ();
11359int
11360main ()
11361{
11362return EVP_CIPHER_CTX_ctrl ();
11363 ;
11364 return 0;
11365}
11366_ACEOF
11367for ac_lib in '' crypto; do
11368 if test -z "$ac_lib"; then
11369 ac_res="none required"
11370 else
11371 ac_res=-l$ac_lib
11372 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
11373 fi
11374 if ac_fn_c_try_link "$LINENO"; then :
11375 ac_cv_search_EVP_CIPHER_CTX_ctrl=$ac_res
11376fi
11377rm -f core conftest.err conftest.$ac_objext \
11378 conftest$ac_exeext
11379 if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
11380 break
11381fi
11382done
11383if ${ac_cv_search_EVP_CIPHER_CTX_ctrl+:} false; then :
11384
11385else
11386 ac_cv_search_EVP_CIPHER_CTX_ctrl=no
11387fi
11388rm conftest.$ac_ext
11389LIBS=$ac_func_search_save_LIBS
11390fi
11391{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_EVP_CIPHER_CTX_ctrl" >&5
11392$as_echo "$ac_cv_search_EVP_CIPHER_CTX_ctrl" >&6; }
11393ac_res=$ac_cv_search_EVP_CIPHER_CTX_ctrl
11394if test "$ac_res" != no; then :
11395 test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
11396
11397$as_echo "#define HAVE_EVP_CIPHER_CTX_CTRL 1" >>confdefs.h
11398
11399fi
11400
11401
11259{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5 11402{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if EVP_DigestUpdate returns an int" >&5
11260$as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; } 11403$as_echo_n "checking if EVP_DigestUpdate returns an int... " >&6; }
11261cat confdefs.h - <<_ACEOF >conftest.$ac_ext 11404cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -11885,6 +12028,57 @@ _ACEOF
11885 12028
11886 12029
11887 12030
12031if test "x$have_linux_no_new_privs" = "x1" ; then
12032ac_fn_c_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" "
12033 #include <sys/types.h>
12034 #include <linux/seccomp.h>
12035
12036"
12037if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then :
12038 have_seccomp_filter=1
12039fi
12040
12041fi
12042if test "x$have_seccomp_filter" = "x1" ; then
12043{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
12044$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
12045cat confdefs.h - <<_ACEOF >conftest.$ac_ext
12046/* end confdefs.h. */
12047
12048 #include <errno.h>
12049 #include <elf.h>
12050 #include <linux/audit.h>
12051 #include <linux/seccomp.h>
12052 #include <stdlib.h>
12053 #include <sys/prctl.h>
12054
12055int
12056main ()
12057{
12058 int i = $seccomp_audit_arch;
12059 errno = 0;
12060 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
12061 exit(errno == EFAULT ? 0 : 1);
12062 ;
12063 return 0;
12064}
12065_ACEOF
12066if ac_fn_c_try_link "$LINENO"; then :
12067 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
12068$as_echo "yes" >&6; }
12069else
12070
12071 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
12072$as_echo "no" >&6; }
12073 # Disable seccomp filter as a target
12074 have_seccomp_filter=0
12075
12076
12077fi
12078rm -f core conftest.err conftest.$ac_objext \
12079 conftest$ac_exeext conftest.$ac_ext
12080fi
12081
11888# Decide which sandbox style to use 12082# Decide which sandbox style to use
11889sandbox_arg="" 12083sandbox_arg=""
11890 12084
@@ -11933,6 +12127,7 @@ main ()
11933 struct rlimit rl_zero; 12127 struct rlimit rl_zero;
11934 int fd, r; 12128 int fd, r;
11935 fd_set fds; 12129 fd_set fds;
12130 struct timeval tv;
11936 12131
11937 fd = open("/dev/null", O_RDONLY); 12132 fd = open("/dev/null", O_RDONLY);
11938 FD_ZERO(&fds); 12133 FD_ZERO(&fds);
@@ -11940,7 +12135,9 @@ main ()
11940 rl_zero.rlim_cur = rl_zero.rlim_max = 0; 12135 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
11941 setrlimit(RLIMIT_FSIZE, &rl_zero); 12136 setrlimit(RLIMIT_FSIZE, &rl_zero);
11942 setrlimit(RLIMIT_NOFILE, &rl_zero); 12137 setrlimit(RLIMIT_NOFILE, &rl_zero);
11943 r = select(fd+1, &fds, NULL, NULL, NULL); 12138 tv.tv_sec = 1;
12139 tv.tv_usec = 0;
12140 r = select(fd+1, &fds, NULL, NULL, &tv);
11944 exit (r == -1 ? 1 : 0); 12141 exit (r == -1 ? 1 : 0);
11945 12142
11946 ; 12143 ;
@@ -11961,6 +12158,54 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
11961fi 12158fi
11962 12159
11963 12160
12161{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit(RLIMIT_NOFILE,{0,0}) works" >&5
12162$as_echo_n "checking if setrlimit(RLIMIT_NOFILE,{0,0}) works... " >&6; }
12163if test "$cross_compiling" = yes; then :
12164 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: assuming yes" >&5
12165$as_echo "$as_me: WARNING: cross compiling: assuming yes" >&2;}
12166
12167else
12168 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
12169/* end confdefs.h. */
12170
12171#include <sys/types.h>
12172#ifdef HAVE_SYS_TIME_H
12173# include <sys/time.h>
12174#endif
12175#include <sys/resource.h>
12176#include <errno.h>
12177#include <stdlib.h>
12178
12179int
12180main ()
12181{
12182
12183 struct rlimit rl_zero;
12184 int fd, r;
12185 fd_set fds;
12186
12187 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
12188 r = setrlimit(RLIMIT_NOFILE, &rl_zero);
12189 exit (r == -1 ? 1 : 0);
12190
12191 ;
12192 return 0;
12193}
12194_ACEOF
12195if ac_fn_c_try_run "$LINENO"; then :
12196 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
12197$as_echo "yes" >&6; }
12198 rlimit_nofile_zero_works=yes
12199else
12200 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
12201$as_echo "no" >&6; }
12202 rlimit_nofile_zero_works=no
12203fi
12204rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
12205 conftest.$ac_objext conftest.beam conftest.$ac_ext
12206fi
12207
12208
11964{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5 12209{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if setrlimit RLIMIT_FSIZE works" >&5
11965$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; } 12210$as_echo_n "checking if setrlimit RLIMIT_FSIZE works... " >&6; }
11966if test "$cross_compiling" = yes; then : 12211if test "$cross_compiling" = yes; then :
@@ -12024,11 +12269,13 @@ $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h
12024elif test "x$sandbox_arg" = "xseccomp_filter" || \ 12269elif test "x$sandbox_arg" = "xseccomp_filter" || \
12025 ( test -z "$sandbox_arg" && \ 12270 ( test -z "$sandbox_arg" && \
12026 test "x$have_seccomp_filter" = "x1" && \ 12271 test "x$have_seccomp_filter" = "x1" && \
12272 test "x$ac_cv_header_elf_h" = "xyes" && \
12027 test "x$ac_cv_header_linux_audit_h" = "xyes" && \ 12273 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
12028 test "x$have_seccomp_audit_arch" = "x1" && \ 12274 test "x$ac_cv_header_linux_filter_h" = "xyes" && \
12275 test "x$seccomp_audit_arch" != "x" && \
12029 test "x$have_linux_no_new_privs" = "x1" && \ 12276 test "x$have_linux_no_new_privs" = "x1" && \
12030 test "x$ac_cv_func_prctl" = "xyes" ) ; then 12277 test "x$ac_cv_func_prctl" = "xyes" ) ; then
12031 test "x$have_seccomp_audit_arch" != "x1" && \ 12278 test "x$seccomp_audit_arch" = "x" && \
12032 as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5 12279 as_fn_error $? "seccomp_filter sandbox not supported on $host" "$LINENO" 5
12033 test "x$have_linux_no_new_privs" != "x1" && \ 12280 test "x$have_linux_no_new_privs" != "x1" && \
12034 as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5 12281 as_fn_error $? "seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS" "$LINENO" 5
@@ -12042,7 +12289,8 @@ $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
12042 12289
12043elif test "x$sandbox_arg" = "xrlimit" || \ 12290elif test "x$sandbox_arg" = "xrlimit" || \
12044 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ 12291 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
12045 test "x$select_works_with_rlimit" == "xyes" ) ; then 12292 test "x$select_works_with_rlimit" = "xyes" && \
12293 test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
12046 test "x$ac_cv_func_setrlimit" != "xyes" && \ 12294 test "x$ac_cv_func_setrlimit" != "xyes" && \
12047 as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5 12295 as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
12048 test "x$select_works_with_rlimit" != "xyes" && \ 12296 test "x$select_works_with_rlimit" != "xyes" && \
@@ -15227,6 +15475,9 @@ fi
15227 15475
15228 15476
15229 if test -x $KRB5CONF ; then 15477 if test -x $KRB5CONF ; then
15478 K5CFLAGS="`$KRB5CONF --cflags`"
15479 K5LIBS="`$KRB5CONF --libs`"
15480 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
15230 15481
15231 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5 15482 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gssapi support" >&5
15232$as_echo_n "checking for gssapi support... " >&6; } 15483$as_echo_n "checking for gssapi support... " >&6; }
@@ -15236,15 +15487,13 @@ $as_echo "yes" >&6; }
15236 15487
15237$as_echo "#define GSSAPI 1" >>confdefs.h 15488$as_echo "#define GSSAPI 1" >>confdefs.h
15238 15489
15239 k5confopts=gssapi 15490 GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
15491 GSSLIBS="`$KRB5CONF --libs gssapi`"
15492 CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
15240 else 15493 else
15241 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 15494 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
15242$as_echo "no" >&6; } 15495$as_echo "no" >&6; }
15243 k5confopts=""
15244 fi 15496 fi
15245 K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
15246 K5LIBS="`$KRB5CONF --libs $k5confopts`"
15247 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
15248 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 15497 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
15249$as_echo_n "checking whether we are using Heimdal... " >&6; } 15498$as_echo_n "checking whether we are using Heimdal... " >&6; }
15250 cat confdefs.h - <<_ACEOF >conftest.$ac_ext 15499 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -15447,7 +15696,7 @@ if ${ac_cv_lib_gssapi_krb5_gss_init_sec_context+:} false; then :
15447 $as_echo_n "(cached) " >&6 15696 $as_echo_n "(cached) " >&6
15448else 15697else
15449 ac_check_lib_save_LIBS=$LIBS 15698 ac_check_lib_save_LIBS=$LIBS
15450LIBS="-lgssapi_krb5 $K5LIBS $LIBS" 15699LIBS="-lgssapi_krb5 $LIBS"
15451cat confdefs.h - <<_ACEOF >conftest.$ac_ext 15700cat confdefs.h - <<_ACEOF >conftest.$ac_ext
15452/* end confdefs.h. */ 15701/* end confdefs.h. */
15453 15702
@@ -15480,7 +15729,7 @@ $as_echo "$ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&6; }
15480if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then : 15729if test "x$ac_cv_lib_gssapi_krb5_gss_init_sec_context" = xyes; then :
15481 $as_echo "#define GSSAPI 1" >>confdefs.h 15730 $as_echo "#define GSSAPI 1" >>confdefs.h
15482 15731
15483 K5LIBS="-lgssapi_krb5 $K5LIBS" 15732 GSSLIBS="-lgssapi_krb5"
15484else 15733else
15485 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5 15734 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgssapi" >&5
15486$as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; } 15735$as_echo_n "checking for gss_init_sec_context in -lgssapi... " >&6; }
@@ -15488,7 +15737,7 @@ if ${ac_cv_lib_gssapi_gss_init_sec_context+:} false; then :
15488 $as_echo_n "(cached) " >&6 15737 $as_echo_n "(cached) " >&6
15489else 15738else
15490 ac_check_lib_save_LIBS=$LIBS 15739 ac_check_lib_save_LIBS=$LIBS
15491LIBS="-lgssapi $K5LIBS $LIBS" 15740LIBS="-lgssapi $LIBS"
15492cat confdefs.h - <<_ACEOF >conftest.$ac_ext 15741cat confdefs.h - <<_ACEOF >conftest.$ac_ext
15493/* end confdefs.h. */ 15742/* end confdefs.h. */
15494 15743
@@ -15521,7 +15770,48 @@ $as_echo "$ac_cv_lib_gssapi_gss_init_sec_context" >&6; }
15521if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then : 15770if test "x$ac_cv_lib_gssapi_gss_init_sec_context" = xyes; then :
15522 $as_echo "#define GSSAPI 1" >>confdefs.h 15771 $as_echo "#define GSSAPI 1" >>confdefs.h
15523 15772
15524 K5LIBS="-lgssapi $K5LIBS" 15773 GSSLIBS="-lgssapi"
15774else
15775 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gss_init_sec_context in -lgss" >&5
15776$as_echo_n "checking for gss_init_sec_context in -lgss... " >&6; }
15777if ${ac_cv_lib_gss_gss_init_sec_context+:} false; then :
15778 $as_echo_n "(cached) " >&6
15779else
15780 ac_check_lib_save_LIBS=$LIBS
15781LIBS="-lgss $LIBS"
15782cat confdefs.h - <<_ACEOF >conftest.$ac_ext
15783/* end confdefs.h. */
15784
15785/* Override any GCC internal prototype to avoid an error.
15786 Use char because int might match the return type of a GCC
15787 builtin and then its argument prototype would still apply. */
15788#ifdef __cplusplus
15789extern "C"
15790#endif
15791char gss_init_sec_context ();
15792int
15793main ()
15794{
15795return gss_init_sec_context ();
15796 ;
15797 return 0;
15798}
15799_ACEOF
15800if ac_fn_c_try_link "$LINENO"; then :
15801 ac_cv_lib_gss_gss_init_sec_context=yes
15802else
15803 ac_cv_lib_gss_gss_init_sec_context=no
15804fi
15805rm -f core conftest.err conftest.$ac_objext \
15806 conftest$ac_exeext conftest.$ac_ext
15807LIBS=$ac_check_lib_save_LIBS
15808fi
15809{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gss_gss_init_sec_context" >&5
15810$as_echo "$ac_cv_lib_gss_gss_init_sec_context" >&6; }
15811if test "x$ac_cv_lib_gss_gss_init_sec_context" = xyes; then :
15812 $as_echo "#define GSSAPI 1" >>confdefs.h
15813
15814 GSSLIBS="-lgss"
15525else 15815else
15526 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 15816 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot find any suitable gss-api library - build may fail" >&5
15527$as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;} 15817$as_echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;}
@@ -15531,6 +15821,9 @@ fi
15531fi 15821fi
15532 15822
15533 15823
15824fi
15825
15826
15534 ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" 15827 ac_fn_c_check_header_mongrel "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default"
15535if test "x$ac_cv_header_gssapi_h" = xyes; then : 15828if test "x$ac_cv_header_gssapi_h" = xyes; then :
15536 15829
@@ -15618,7 +15911,6 @@ fi
15618done 15911done
15619 15912
15620 15913
15621 LIBS="$LIBS $K5LIBS"
15622 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5 15914 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing k_hasafs" >&5
15623$as_echo_n "checking for library containing k_hasafs... " >&6; } 15915$as_echo_n "checking for library containing k_hasafs... " >&6; }
15624if ${ac_cv_search_k_hasafs+:} false; then : 15916if ${ac_cv_search_k_hasafs+:} false; then :
@@ -15677,12 +15969,39 @@ $as_echo "#define USE_AFS 1" >>confdefs.h
15677 15969
15678fi 15970fi
15679 15971
15972
15973 ac_fn_c_check_decl "$LINENO" "GSS_C_NT_HOSTBASED_SERVICE" "ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" "
15974#ifdef HAVE_GSSAPI_H
15975# include <gssapi.h>
15976#elif defined(HAVE_GSSAPI_GSSAPI_H)
15977# include <gssapi/gssapi.h>
15978#endif
15979
15980#ifdef HAVE_GSSAPI_GENERIC_H
15981# include <gssapi_generic.h>
15982#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
15983# include <gssapi/gssapi_generic.h>
15984#endif
15985
15986"
15987if test "x$ac_cv_have_decl_GSS_C_NT_HOSTBASED_SERVICE" = xyes; then :
15988 ac_have_decl=1
15989else
15990 ac_have_decl=0
15991fi
15992
15993cat >>confdefs.h <<_ACEOF
15994#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl
15995_ACEOF
15996
15680 fi 15997 fi
15681 15998
15682 15999
15683fi 16000fi
15684 16001
15685 16002
16003
16004
15686# Looking for programs, paths and files 16005# Looking for programs, paths and files
15687 16006
15688PRIVSEP_PATH=/var/empty 16007PRIVSEP_PATH=/var/empty
@@ -16737,7 +17056,6 @@ _ACEOF
16737 17056
16738fi 17057fi
16739 17058
16740
16741{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5 17059{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if your system defines WTMPX_FILE" >&5
16742$as_echo_n "checking if your system defines WTMPX_FILE... " >&6; } 17060$as_echo_n "checking if your system defines WTMPX_FILE... " >&6; }
16743cat confdefs.h - <<_ACEOF >conftest.$ac_ext 17061cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -16790,6 +17108,60 @@ if test ! -z "$blibpath" ; then
16790$as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;} 17108$as_echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
16791fi 17109fi
16792 17110
17111ac_fn_c_check_member "$LINENO" "struct lastlog" "ll_line" "ac_cv_member_struct_lastlog_ll_line" "
17112#ifdef HAVE_SYS_TYPES_H
17113#include <sys/types.h>
17114#endif
17115#ifdef HAVE_UTMP_H
17116#include <utmp.h>
17117#endif
17118#ifdef HAVE_UTMPX_H
17119#include <utmpx.h>
17120#endif
17121#ifdef HAVE_LASTLOG_H
17122#include <lastlog.h>
17123#endif
17124
17125"
17126if test "x$ac_cv_member_struct_lastlog_ll_line" = xyes; then :
17127
17128else
17129
17130 if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
17131 $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h
17132
17133 fi
17134
17135fi
17136
17137
17138ac_fn_c_check_member "$LINENO" "struct utmp" "ut_line" "ac_cv_member_struct_utmp_ut_line" "
17139#ifdef HAVE_SYS_TYPES_H
17140#include <sys/types.h>
17141#endif
17142#ifdef HAVE_UTMP_H
17143#include <utmp.h>
17144#endif
17145#ifdef HAVE_UTMPX_H
17146#include <utmpx.h>
17147#endif
17148#ifdef HAVE_LASTLOG_H
17149#include <lastlog.h>
17150#endif
17151
17152"
17153if test "x$ac_cv_member_struct_utmp_ut_line" = xyes; then :
17154
17155else
17156
17157 $as_echo "#define DISABLE_UTMP 1" >>confdefs.h
17158
17159 $as_echo "#define DISABLE_WTMP 1" >>confdefs.h
17160
17161
17162fi
17163
17164
16793CFLAGS="$CFLAGS $werror_flags" 17165CFLAGS="$CFLAGS $werror_flags"
16794 17166
16795if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then 17167if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
diff --git a/configure.ac b/configure.ac
index f3718537f..271a63a46 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.496 2012/07/06 01:49:29 djm Exp $ 1# $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.496 $) 18AC_REVISION($Revision: 1.518 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -120,32 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
120 #include <sys/types.h> 120 #include <sys/types.h>
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123if test "x$have_linux_no_new_privs" = "x1" ; then
124AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
125 #include <sys/types.h>
126 #include <linux/seccomp.h>
127])
128fi
129if test "x$have_seccomp_filter" = "x1" ; then
130AC_MSG_CHECKING([kernel for seccomp_filter support])
131AC_RUN_IFELSE([AC_LANG_PROGRAM([[
132 #include <errno.h>
133 #include <linux/seccomp.h>
134 #include <stdlib.h>
135 #include <sys/prctl.h>
136 ]],
137 [[ errno = 0;
138 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
139 exit(errno == EFAULT ? 0 : 1); ]])],
140 [ AC_MSG_RESULT([yes]) ], [
141 AC_MSG_RESULT([no])
142 # Disable seccomp filter as a target
143 have_seccomp_filter=0
144 ],
145 [ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
146)
147fi
148
149use_stack_protector=1 123use_stack_protector=1
150AC_ARG_WITH([stackprotect], 124AC_ARG_WITH([stackprotect],
151 [ --without-stackprotect Don't use compiler's stack protection], [ 125 [ --without-stackprotect Don't use compiler's stack protection], [
@@ -239,6 +213,18 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
239 fi 213 fi
240fi 214fi
241 215
216AC_MSG_CHECKING([if compiler allows __attribute__ on return types])
217AC_COMPILE_IFELSE(
218 [AC_LANG_PROGRAM([[
219#include <stdlib.h>
220__attribute__((__unused__)) static void foo(void){return;}]],
221 [[ exit(0); ]])],
222 [ AC_MSG_RESULT([yes]) ],
223 [ AC_MSG_RESULT([no])
224 AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
225 [compiler does not accept __attribute__ on return types]) ]
226)
227
242if test "x$no_attrib_nonnull" != "x1" ; then 228if test "x$no_attrib_nonnull" != "x1" ; then
243 AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull]) 229 AC_DEFINE([HAVE_ATTRIBUTE__NONNULL__], [1], [Have attribute nonnull])
244fi 230fi
@@ -310,6 +296,7 @@ AC_CHECK_HEADERS([ \
310 crypto/sha2.h \ 296 crypto/sha2.h \
311 dirent.h \ 297 dirent.h \
312 endian.h \ 298 endian.h \
299 elf.h \
313 features.h \ 300 features.h \
314 fcntl.h \ 301 fcntl.h \
315 floatingpoint.h \ 302 floatingpoint.h \
@@ -493,6 +480,7 @@ case "$host" in
493 AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], 480 AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1],
494 [AIX 5.2 and 5.3 (and presumably newer) require this]) 481 [AIX 5.2 and 5.3 (and presumably newer) require this])
495 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) 482 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
483 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
496 ;; 484 ;;
497*-*-cygwin*) 485*-*-cygwin*)
498 check_for_libcrypt_later=1 486 check_for_libcrypt_later=1
@@ -602,6 +590,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
602 AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], 590 AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],
603 [String used in /etc/passwd to denote locked account]) 591 [String used in /etc/passwd to denote locked account])
604 AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) 592 AC_DEFINE([SPT_TYPE], [SPT_PSTAT])
593 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
605 maildir="/var/mail" 594 maildir="/var/mail"
606 LIBS="$LIBS -lsec" 595 LIBS="$LIBS -lsec"
607 AC_CHECK_LIB([xnet], [t_error], , 596 AC_CHECK_LIB([xnet], [t_error], ,
@@ -713,20 +702,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
713 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [], 702 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
714 [], [#include <linux/types.h>]) 703 [], [#include <linux/types.h>])
715 AC_CHECK_FUNCS([prctl]) 704 AC_CHECK_FUNCS([prctl])
716 have_seccomp_audit_arch=1 705 AC_MSG_CHECKING([for seccomp architecture])
706 seccomp_audit_arch=
717 case "$host" in 707 case "$host" in
718 x86_64-*) 708 x86_64-*)
719 AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64], 709 seccomp_audit_arch=AUDIT_ARCH_X86_64
720 [Specify the system call convention in use])
721 ;; 710 ;;
722 i*86-*) 711 i*86-*)
723 AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386], 712 seccomp_audit_arch=AUDIT_ARCH_I386
724 [Specify the system call convention in use])
725 ;;
726 *)
727 have_seccomp_audit_arch=0
728 ;; 713 ;;
714 arm*-*)
715 seccomp_audit_arch=AUDIT_ARCH_ARM
716 ;;
729 esac 717 esac
718 if test "x$seccomp_audit_arch" != "x" ; then
719 AC_MSG_RESULT(["$seccomp_audit_arch"])
720 AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
721 [Specify the system call convention in use])
722 else
723 AC_MSG_RESULT([architecture not supported])
724 fi
730 ;; 725 ;;
731mips-sony-bsd|mips-sony-newsos4) 726mips-sony-bsd|mips-sony-newsos4)
732 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty]) 727 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -750,6 +745,7 @@ mips-sony-bsd|mips-sony-newsos4)
750 AC_CHECK_HEADER([net/if_tap.h], , 745 AC_CHECK_HEADER([net/if_tap.h], ,
751 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) 746 AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
752 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) 747 AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
748 AC_DEFINE([BROKEN_STRNVIS], [1], [FreeBSD strnvis does not do what we need])
753 ;; 749 ;;
754*-*-bsdi*) 750*-*-bsdi*)
755 AC_DEFINE([SETEUID_BREAKS_SETUID]) 751 AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -926,6 +922,7 @@ mips-sony-bsd|mips-sony-newsos4)
926 AC_CHECK_FUNCS([getluid setluid]) 922 AC_CHECK_FUNCS([getluid setluid])
927 MANTYPE=man 923 MANTYPE=man
928 TEST_SHELL=ksh 924 TEST_SHELL=ksh
925 SKIP_DISABLE_LASTLOG_DEFINE=yes
929 ;; 926 ;;
930*-*-unicosmk*) 927*-*-unicosmk*)
931 AC_DEFINE([NO_SSH_LASTLOG], [1], 928 AC_DEFINE([NO_SSH_LASTLOG], [1],
@@ -1194,7 +1191,7 @@ AC_CHECK_FUNCS([utimes],
1194) 1191)
1195 1192
1196dnl Checks for libutil functions 1193dnl Checks for libutil functions
1197AC_CHECK_HEADERS([libutil.h]) 1194AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1198AC_SEARCH_LIBS([fmt_scaled], [util bsd]) 1195AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1199AC_SEARCH_LIBS([login], [util bsd]) 1196AC_SEARCH_LIBS([login], [util bsd])
1200AC_SEARCH_LIBS([logout], [util bsd]) 1197AC_SEARCH_LIBS([logout], [util bsd])
@@ -1563,6 +1560,8 @@ AC_CHECK_FUNCS([ \
1563 getopt \ 1560 getopt \
1564 getpeereid \ 1561 getpeereid \
1565 getpeerucred \ 1562 getpeerucred \
1563 getpgid \
1564 getpgrp \
1566 _getpty \ 1565 _getpty \
1567 getrlimit \ 1566 getrlimit \
1568 getttyent \ 1567 getttyent \
@@ -1622,6 +1621,7 @@ AC_CHECK_FUNCS([ \
1622 strtonum \ 1621 strtonum \
1623 strtoll \ 1622 strtoll \
1624 strtoul \ 1623 strtoul \
1624 strtoull \
1625 swap32 \ 1625 swap32 \
1626 sysconf \ 1626 sysconf \
1627 tcgetpgrp \ 1627 tcgetpgrp \
@@ -1630,6 +1630,7 @@ AC_CHECK_FUNCS([ \
1630 unsetenv \ 1630 unsetenv \
1631 updwtmpx \ 1631 updwtmpx \
1632 user_from_uid \ 1632 user_from_uid \
1633 usleep \
1633 vasprintf \ 1634 vasprintf \
1634 vhangup \ 1635 vhangup \
1635 vsnprintf \ 1636 vsnprintf \
@@ -2323,6 +2324,56 @@ AC_LINK_IFELSE(
2323 ] 2324 ]
2324) 2325)
2325 2326
2327# Check for OpenSSL with EVP_aes_*ctr
2328AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2329AC_LINK_IFELSE(
2330 [AC_LANG_PROGRAM([[
2331#include <string.h>
2332#include <openssl/evp.h>
2333 ]], [[
2334 exit(EVP_aes_128_ctr() == NULL ||
2335 EVP_aes_192_cbc() == NULL ||
2336 EVP_aes_256_cbc() == NULL);
2337 ]])],
2338 [
2339 AC_MSG_RESULT([yes])
2340 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2341 [libcrypto has EVP AES CTR])
2342 ],
2343 [
2344 AC_MSG_RESULT([no])
2345 ]
2346)
2347
2348# Check for OpenSSL with EVP_aes_*gcm
2349AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2350AC_LINK_IFELSE(
2351 [AC_LANG_PROGRAM([[
2352#include <string.h>
2353#include <openssl/evp.h>
2354 ]], [[
2355 exit(EVP_aes_128_gcm() == NULL ||
2356 EVP_aes_256_gcm() == NULL ||
2357 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2358 EVP_CTRL_GCM_IV_GEN == 0 ||
2359 EVP_CTRL_GCM_SET_TAG == 0 ||
2360 EVP_CTRL_GCM_GET_TAG == 0 ||
2361 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2362 ]])],
2363 [
2364 AC_MSG_RESULT([yes])
2365 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2366 [libcrypto has EVP AES GCM])
2367 ],
2368 [
2369 AC_MSG_RESULT([no])
2370 ]
2371)
2372
2373AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2374 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2375 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2376
2326AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) 2377AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2327AC_LINK_IFELSE( 2378AC_LINK_IFELSE(
2328 [AC_LANG_PROGRAM([[ 2379 [AC_LANG_PROGRAM([[
@@ -2589,6 +2640,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
2589 [non-privileged user for privilege separation]) 2640 [non-privileged user for privilege separation])
2590AC_SUBST([SSH_PRIVSEP_USER]) 2641AC_SUBST([SSH_PRIVSEP_USER])
2591 2642
2643if test "x$have_linux_no_new_privs" = "x1" ; then
2644AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
2645 #include <sys/types.h>
2646 #include <linux/seccomp.h>
2647])
2648fi
2649if test "x$have_seccomp_filter" = "x1" ; then
2650AC_MSG_CHECKING([kernel for seccomp_filter support])
2651AC_LINK_IFELSE([AC_LANG_PROGRAM([[
2652 #include <errno.h>
2653 #include <elf.h>
2654 #include <linux/audit.h>
2655 #include <linux/seccomp.h>
2656 #include <stdlib.h>
2657 #include <sys/prctl.h>
2658 ]],
2659 [[ int i = $seccomp_audit_arch;
2660 errno = 0;
2661 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
2662 exit(errno == EFAULT ? 0 : 1); ]])],
2663 [ AC_MSG_RESULT([yes]) ], [
2664 AC_MSG_RESULT([no])
2665 # Disable seccomp filter as a target
2666 have_seccomp_filter=0
2667 ]
2668)
2669fi
2670
2592# Decide which sandbox style to use 2671# Decide which sandbox style to use
2593sandbox_arg="" 2672sandbox_arg=""
2594AC_ARG_WITH([sandbox], 2673AC_ARG_WITH([sandbox],
@@ -2623,6 +2702,7 @@ AC_RUN_IFELSE(
2623 struct rlimit rl_zero; 2702 struct rlimit rl_zero;
2624 int fd, r; 2703 int fd, r;
2625 fd_set fds; 2704 fd_set fds;
2705 struct timeval tv;
2626 2706
2627 fd = open("/dev/null", O_RDONLY); 2707 fd = open("/dev/null", O_RDONLY);
2628 FD_ZERO(&fds); 2708 FD_ZERO(&fds);
@@ -2630,7 +2710,9 @@ AC_RUN_IFELSE(
2630 rl_zero.rlim_cur = rl_zero.rlim_max = 0; 2710 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
2631 setrlimit(RLIMIT_FSIZE, &rl_zero); 2711 setrlimit(RLIMIT_FSIZE, &rl_zero);
2632 setrlimit(RLIMIT_NOFILE, &rl_zero); 2712 setrlimit(RLIMIT_NOFILE, &rl_zero);
2633 r = select(fd+1, &fds, NULL, NULL, NULL); 2713 tv.tv_sec = 1;
2714 tv.tv_usec = 0;
2715 r = select(fd+1, &fds, NULL, NULL, &tv);
2634 exit (r == -1 ? 1 : 0); 2716 exit (r == -1 ? 1 : 0);
2635 ]])], 2717 ]])],
2636 [AC_MSG_RESULT([yes]) 2718 [AC_MSG_RESULT([yes])
@@ -2640,6 +2722,32 @@ AC_RUN_IFELSE(
2640 [AC_MSG_WARN([cross compiling: assuming yes])] 2722 [AC_MSG_WARN([cross compiling: assuming yes])]
2641) 2723)
2642 2724
2725AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
2726AC_RUN_IFELSE(
2727 [AC_LANG_PROGRAM([[
2728#include <sys/types.h>
2729#ifdef HAVE_SYS_TIME_H
2730# include <sys/time.h>
2731#endif
2732#include <sys/resource.h>
2733#include <errno.h>
2734#include <stdlib.h>
2735 ]],[[
2736 struct rlimit rl_zero;
2737 int fd, r;
2738 fd_set fds;
2739
2740 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
2741 r = setrlimit(RLIMIT_NOFILE, &rl_zero);
2742 exit (r == -1 ? 1 : 0);
2743 ]])],
2744 [AC_MSG_RESULT([yes])
2745 rlimit_nofile_zero_works=yes],
2746 [AC_MSG_RESULT([no])
2747 rlimit_nofile_zero_works=no],
2748 [AC_MSG_WARN([cross compiling: assuming yes])]
2749)
2750
2643AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) 2751AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
2644AC_RUN_IFELSE( 2752AC_RUN_IFELSE(
2645 [AC_LANG_PROGRAM([[ 2753 [AC_LANG_PROGRAM([[
@@ -2676,11 +2784,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
2676elif test "x$sandbox_arg" = "xseccomp_filter" || \ 2784elif test "x$sandbox_arg" = "xseccomp_filter" || \
2677 ( test -z "$sandbox_arg" && \ 2785 ( test -z "$sandbox_arg" && \
2678 test "x$have_seccomp_filter" = "x1" && \ 2786 test "x$have_seccomp_filter" = "x1" && \
2787 test "x$ac_cv_header_elf_h" = "xyes" && \
2679 test "x$ac_cv_header_linux_audit_h" = "xyes" && \ 2788 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
2680 test "x$have_seccomp_audit_arch" = "x1" && \ 2789 test "x$ac_cv_header_linux_filter_h" = "xyes" && \
2790 test "x$seccomp_audit_arch" != "x" && \
2681 test "x$have_linux_no_new_privs" = "x1" && \ 2791 test "x$have_linux_no_new_privs" = "x1" && \
2682 test "x$ac_cv_func_prctl" = "xyes" ) ; then 2792 test "x$ac_cv_func_prctl" = "xyes" ) ; then
2683 test "x$have_seccomp_audit_arch" != "x1" && \ 2793 test "x$seccomp_audit_arch" = "x" && \
2684 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host]) 2794 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
2685 test "x$have_linux_no_new_privs" != "x1" && \ 2795 test "x$have_linux_no_new_privs" != "x1" && \
2686 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS]) 2796 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
@@ -2692,7 +2802,8 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
2692 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) 2802 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
2693elif test "x$sandbox_arg" = "xrlimit" || \ 2803elif test "x$sandbox_arg" = "xrlimit" || \
2694 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ 2804 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
2695 test "x$select_works_with_rlimit" == "xyes" ) ; then 2805 test "x$select_works_with_rlimit" = "xyes" && \
2806 test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
2696 test "x$ac_cv_func_setrlimit" != "xyes" && \ 2807 test "x$ac_cv_func_setrlimit" != "xyes" && \
2697 AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) 2808 AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
2698 test "x$select_works_with_rlimit" != "xyes" && \ 2809 test "x$select_works_with_rlimit" != "xyes" && \
@@ -3584,6 +3695,9 @@ AC_ARG_WITH([kerberos5],
3584 [$KRB5ROOT/bin/krb5-config], 3695 [$KRB5ROOT/bin/krb5-config],
3585 [$KRB5ROOT/bin:$PATH]) 3696 [$KRB5ROOT/bin:$PATH])
3586 if test -x $KRB5CONF ; then 3697 if test -x $KRB5CONF ; then
3698 K5CFLAGS="`$KRB5CONF --cflags`"
3699 K5LIBS="`$KRB5CONF --libs`"
3700 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
3587 3701
3588 AC_MSG_CHECKING([for gssapi support]) 3702 AC_MSG_CHECKING([for gssapi support])
3589 if $KRB5CONF | grep gssapi >/dev/null ; then 3703 if $KRB5CONF | grep gssapi >/dev/null ; then
@@ -3591,14 +3705,12 @@ AC_ARG_WITH([kerberos5],
3591 AC_DEFINE([GSSAPI], [1], 3705 AC_DEFINE([GSSAPI], [1],
3592 [Define this if you want GSSAPI 3706 [Define this if you want GSSAPI
3593 support in the version 2 protocol]) 3707 support in the version 2 protocol])
3594 k5confopts=gssapi 3708 GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
3709 GSSLIBS="`$KRB5CONF --libs gssapi`"
3710 CPPFLAGS="$CPPFLAGS $GSSCFLAGS"
3595 else 3711 else
3596 AC_MSG_RESULT([no]) 3712 AC_MSG_RESULT([no])
3597 k5confopts=""
3598 fi 3713 fi
3599 K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
3600 K5LIBS="`$KRB5CONF --libs $k5confopts`"
3601 CPPFLAGS="$CPPFLAGS $K5CFLAGS"
3602 AC_MSG_CHECKING([whether we are using Heimdal]) 3714 AC_MSG_CHECKING([whether we are using Heimdal])
3603 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h> 3715 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <krb5.h>
3604 ]], [[ char *tmp = heimdal_version; ]])], 3716 ]], [[ char *tmp = heimdal_version; ]])],
@@ -3630,14 +3742,16 @@ AC_ARG_WITH([kerberos5],
3630 3742
3631 AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context], 3743 AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],
3632 [ AC_DEFINE([GSSAPI]) 3744 [ AC_DEFINE([GSSAPI])
3633 K5LIBS="-lgssapi_krb5 $K5LIBS" ], 3745 GSSLIBS="-lgssapi_krb5" ],
3634 [ AC_CHECK_LIB([gssapi], [gss_init_sec_context], 3746 [ AC_CHECK_LIB([gssapi], [gss_init_sec_context],
3635 [ AC_DEFINE([GSSAPI]) 3747 [ AC_DEFINE([GSSAPI])
3636 K5LIBS="-lgssapi $K5LIBS" ], 3748 GSSLIBS="-lgssapi" ],
3637 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), 3749 [ AC_CHECK_LIB([gss], [gss_init_sec_context],
3638 $K5LIBS) 3750 [ AC_DEFINE([GSSAPI])
3639 ], 3751 GSSLIBS="-lgss" ],
3640 $K5LIBS) 3752 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
3753 ])
3754 ])
3641 3755
3642 AC_CHECK_HEADER([gssapi.h], , 3756 AC_CHECK_HEADER([gssapi.h], ,
3643 [ unset ac_cv_header_gssapi_h 3757 [ unset ac_cv_header_gssapi_h
@@ -3665,12 +3779,27 @@ AC_ARG_WITH([kerberos5],
3665 AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h]) 3779 AC_CHECK_HEADERS([gssapi_krb5.h gssapi/gssapi_krb5.h])
3666 AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h]) 3780 AC_CHECK_HEADERS([gssapi_generic.h gssapi/gssapi_generic.h])
3667 3781
3668 LIBS="$LIBS $K5LIBS"
3669 AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1], 3782 AC_SEARCH_LIBS([k_hasafs], [kafs], [AC_DEFINE([USE_AFS], [1],
3670 [Define this if you want to use libkafs' AFS support])]) 3783 [Define this if you want to use libkafs' AFS support])])
3784
3785 AC_CHECK_DECLS([GSS_C_NT_HOSTBASED_SERVICE], [], [], [[
3786#ifdef HAVE_GSSAPI_H
3787# include <gssapi.h>
3788#elif defined(HAVE_GSSAPI_GSSAPI_H)
3789# include <gssapi/gssapi.h>
3790#endif
3791
3792#ifdef HAVE_GSSAPI_GENERIC_H
3793# include <gssapi_generic.h>
3794#elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
3795# include <gssapi/gssapi_generic.h>
3796#endif
3797 ]])
3671 fi 3798 fi
3672 ] 3799 ]
3673) 3800)
3801AC_SUBST([GSSLIBS])
3802AC_SUBST([K5LIBS])
3674 3803
3675# Looking for programs, paths and files 3804# Looking for programs, paths and files
3676 3805
@@ -4337,7 +4466,6 @@ if test -n "$conf_wtmp_location"; then
4337 [Define if you want to specify the path to your wtmp file]) 4466 [Define if you want to specify the path to your wtmp file])
4338fi 4467fi
4339 4468
4340
4341dnl wtmpx detection 4469dnl wtmpx detection
4342AC_MSG_CHECKING([if your system defines WTMPX_FILE]) 4470AC_MSG_CHECKING([if your system defines WTMPX_FILE])
4343AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ 4471AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
@@ -4369,6 +4497,43 @@ if test ! -z "$blibpath" ; then
4369 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) 4497 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
4370fi 4498fi
4371 4499
4500AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
4501 if test x$SKIP_DISABLE_LASTLOG_DEFINE != "xyes" ; then
4502 AC_DEFINE([DISABLE_LASTLOG])
4503 fi
4504 ], [
4505#ifdef HAVE_SYS_TYPES_H
4506#include <sys/types.h>
4507#endif
4508#ifdef HAVE_UTMP_H
4509#include <utmp.h>
4510#endif
4511#ifdef HAVE_UTMPX_H
4512#include <utmpx.h>
4513#endif
4514#ifdef HAVE_LASTLOG_H
4515#include <lastlog.h>
4516#endif
4517 ])
4518
4519AC_CHECK_MEMBER([struct utmp.ut_line], [], [
4520 AC_DEFINE([DISABLE_UTMP])
4521 AC_DEFINE([DISABLE_WTMP])
4522 ], [
4523#ifdef HAVE_SYS_TYPES_H
4524#include <sys/types.h>
4525#endif
4526#ifdef HAVE_UTMP_H
4527#include <utmp.h>
4528#endif
4529#ifdef HAVE_UTMPX_H
4530#include <utmpx.h>
4531#endif
4532#ifdef HAVE_LASTLOG_H
4533#include <lastlog.h>
4534#endif
4535 ])
4536
4372dnl Adding -Werror to CFLAGS early prevents configure tests from running. 4537dnl Adding -Werror to CFLAGS early prevents configure tests from running.
4373dnl Add now. 4538dnl Add now.
4374CFLAGS="$CFLAGS $werror_flags" 4539CFLAGS="$CFLAGS $werror_flags"
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 9fd07953a..196bd7904 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
16 16
17#old cvs stuff. please update before use. may be deprecated. 17#old cvs stuff. please update before use. may be deprecated.
18%define use_stable 1 18%define use_stable 1
19%define version 6.1p1 19%define version 6.2p1
20%if %{use_stable} 20%if %{use_stable}
21 %define cvs %{nil} 21 %define cvs %{nil}
22 %define release 1 22 %define release 1
@@ -363,4 +363,4 @@ fi
363* Mon Jan 01 1998 ... 363* Mon Jan 01 1998 ...
364Template Version: 1.31 364Template Version: 1.31
365 365
366$Id: openssh.spec,v 1.78 2012/08/22 11:57:15 djm Exp $ 366$Id: openssh.spec,v 1.79 2013/02/26 23:48:20 djm Exp $
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index f74ad4486..3898c6c99 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
1%define ver 6.1p1 1%define ver 6.2p1
2%define rel 1 2%define rel 1
3 3
4# OpenSSH privilege separation requires a user & group ID 4# OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index e9a751796..40c8dfd9f 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -29,7 +29,7 @@ do_restart_sanity_check()
29{ 29{
30 $SSHD -t 30 $SSHD -t
31 RETVAL=$? 31 RETVAL=$?
32 if [ ! "$RETVAL" = 0 ]; then 32 if [ $RETVAL -ne 0 ]; then
33 failure $"Configuration file or keys are invalid" 33 failure $"Configuration file or keys are invalid"
34 echo 34 echo
35 fi 35 fi
@@ -49,7 +49,7 @@ start()
49 echo -n $"Starting $prog:" 49 echo -n $"Starting $prog:"
50 $SSHD $OPTIONS && success || failure 50 $SSHD $OPTIONS && success || failure
51 RETVAL=$? 51 RETVAL=$?
52 [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd 52 [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
53 echo 53 echo
54} 54}
55 55
@@ -58,7 +58,7 @@ stop()
58 echo -n $"Stopping $prog:" 58 echo -n $"Stopping $prog:"
59 killproc $SSHD -TERM 59 killproc $SSHD -TERM
60 RETVAL=$? 60 RETVAL=$?
61 [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd 61 [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
62 echo 62 echo
63} 63}
64 64
@@ -87,7 +87,7 @@ case "$1" in
87 condrestart) 87 condrestart)
88 if [ -f /var/lock/subsys/sshd ] ; then 88 if [ -f /var/lock/subsys/sshd ] ; then
89 do_restart_sanity_check 89 do_restart_sanity_check
90 if [ "$RETVAL" = 0 ] ; then 90 if [ $RETVAL -eq 0 ] ; then
91 stop 91 stop
92 # avoid race 92 # avoid race
93 sleep 3 93 sleep 3
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 9451aceec..af18a1929 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -1,54 +1,293 @@
1#!/bin/sh 1#!/bin/sh
2 2
3# Shell script to install your public key on a remote machine 3# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
4# Takes the remote machine name as an argument. 4# 2013 Martin Kletzander <mkletzan@redhat.com>
5# Obviously, the remote machine must accept password authentication, 5# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
6# or one of the other keys in your ssh-agent, for this to work. 6# 2010 Eric Moret <eric.moret@gmail.com>
7 7# 2009 Xr <xr@i-jeuxvideo.com>
8ID_FILE="${HOME}/.ssh/id_rsa.pub" 8# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
9 9# 2004 Reini Urban <rurban@x-ray.at>
10if [ "-i" = "$1" ]; then 10# 2003 Colin Watson <cjwatson@debian.org>
11 shift 11# All rights reserved.
12 # check if we have 2 parameters left, if so the first is the new ID file 12#
13 if [ -n "$2" ]; then 13# Redistribution and use in source and binary forms, with or without
14 if expr "$1" : ".*\.pub" > /dev/null ; then 14# modification, are permitted provided that the following conditions
15 ID_FILE="$1" 15# are met:
16 else 16# 1. Redistributions of source code must retain the above copyright
17 ID_FILE="$1.pub" 17# notice, this list of conditions and the following disclaimer.
18 fi 18# 2. Redistributions in binary form must reproduce the above copyright
19 shift # and this should leave $1 as the target name 19# notice, this list of conditions and the following disclaimer in the
20# documentation and/or other materials provided with the distribution.
21#
22# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32
33# Shell script to install your public key(s) on a remote machine
34# See the ssh-copy-id(1) man page for details
35
36# check that we have something mildly sane as our shell, or try to find something better
37if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
38then
39 SANE_SH=${SANE_SH:-/usr/bin/ksh}
40 if printf 'true ^ false\n' | "$SANE_SH"
41 then
42 printf "'%s' seems viable.\n" "$SANE_SH"
43 exec "$SANE_SH" "$0" "$@"
44 else
45 cat <<-EOF
46 oh dear.
47
48 If you have a more recent shell available, that supports \$(...) etc.
49 please try setting the environment variable SANE_SH to the path of that
50 shell, and then retry running this script. If that works, please report
51 a bug describing your setup, and the shell you used to make it work.
52
53 EOF
54 printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
55 exit 1
20 fi 56 fi
21else 57fi
22 if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then 58
23 GET_ID="$GET_ID ssh-add -L" 59DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
60
61usage () {
62 printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
63 exit 1
64}
65
66# escape any single quotes in an argument
67quote() {
68 printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
69}
70
71use_id_file() {
72 local L_ID_FILE="$1"
73
74 if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
75 PUB_ID_FILE="$L_ID_FILE"
76 else
77 PUB_ID_FILE="$L_ID_FILE.pub"
24 fi 78 fi
79
80 PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
81
82 # check that the files are readable
83 for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
84 ErrMSG=$( { : < $f ; } 2>&1 ) || {
85 printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
86 exit 1
87 }
88 done
89 GET_ID="cat \"$PUB_ID_FILE\""
90}
91
92if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
93 GET_ID="ssh-add -L"
25fi 94fi
26 95
27if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then 96while test "$#" -gt 0
28 GET_ID="cat \"${ID_FILE}\"" 97do
98 [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
99 printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
100 usage
101 }
102
103 OPT= OPTARG=
104 # implement something like getopt to avoid Solaris pain
105 case "$1" in
106 -i?*|-o?*|-p?*)
107 OPT="$(printf -- "$1"|cut -c1-2)"
108 OPTARG="$(printf -- "$1"|cut -c3-)"
109 shift
110 ;;
111 -o|-p)
112 OPT="$1"
113 OPTARG="$2"
114 shift 2
115 ;;
116 -i)
117 OPT="$1"
118 test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
119 OPTARG="$2"
120 shift
121 }
122 shift
123 ;;
124 -n|-h|-\?)
125 OPT="$1"
126 OPTARG=
127 shift
128 ;;
129 --)
130 shift
131 while test "$#" -gt 0
132 do
133 SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
134 shift
135 done
136 break
137 ;;
138 -*)
139 printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
140 usage
141 ;;
142 *)
143 SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
144 shift
145 continue
146 ;;
147 esac
148
149 case "$OPT" in
150 -i)
151 SEEN_OPT_I="yes"
152 use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
153 ;;
154 -o|-p)
155 SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
156 ;;
157 -n)
158 DRY_RUN=1
159 ;;
160 -h|-\?)
161 usage
162 ;;
163 esac
164done
165
166eval set -- "$SAVEARGS"
167
168if [ $# != 1 ] ; then
169 printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
170 usage
29fi 171fi
30 172
31if [ -z "`eval $GET_ID`" ]; then 173# drop trailing colon
32 echo "$0: ERROR: No identities found" >&2 174USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
33 exit 1 175# tack the hostname onto SSH_OPTS
176SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
177# and populate "$@" for later use (only way to get proper quoting of options)
178eval set -- "$SSH_OPTS"
179
180if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
181 use_id_file "$PUB_ID_FILE"
34fi 182fi
35 183
36if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then 184if [ -z "$(eval $GET_ID)" ] ; then
37 echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 185 printf '%s: ERROR: No identities found\n' "$0" >&2
38 exit 1 186 exit 1
39fi 187fi
40 188
41# strip any trailing colon 189# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
42host=`echo $1 | sed 's/:$//'` 190# and has the side effect of setting $NEW_IDS
191populate_new_ids() {
192 local L_SUCCESS="$1"
43 193
44{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1 194 # repopulate "$@" inside this function
195 eval set -- "$SSH_OPTS"
45 196
46cat <<EOF 197 umask 0177
47Now try logging into the machine, with "ssh '$host'", and check in: 198 local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
199 trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT
200 printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
201 NEW_IDS=$(
202 eval $GET_ID | {
203 while read ID ; do
204 printf '%s\n' "$ID" > $L_TMP_ID_FILE
48 205
49 ~/.ssh/authorized_keys 206 # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
207 # assumption will break if we implement the possibility of multiple -i options.
208 # The point being that if file based, ssh needs the private key, which it cannot
209 # find if only given the contents of the .pub file in an unrelated tmpfile
210 ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
211 -o PreferredAuthentications=publickey \
212 -o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
213 if [ "$?" = "$L_SUCCESS" ] ; then
214 : > $L_TMP_ID_FILE
215 else
216 grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || {
217 sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
218 cat >/dev/null #consume the other keys, causing loop to end
219 }
220 fi
221
222 cat $L_TMP_ID_FILE
223 done
224 }
225 )
226 rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
227
228 if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
229 printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
230 exit 1
231 fi
232 if [ -z "$NEW_IDS" ] ; then
233 printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
234 exit 0
235 fi
236 printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
237}
50 238
51to make sure we haven't added extra keys that you weren't expecting. 239REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
240 sed -ne 's/.*remote software version //p')
52 241
53EOF 242case "$REMOTE_VERSION" in
243 NetScreen*)
244 populate_new_ids 1
245 for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
246 KEY_NO=$(($KEY_NO + 1))
247 printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
248 printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
249 continue
250 }
251 [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
252 if [ $? = 255 ] ; then
253 printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
254 else
255 ADDED=$(($ADDED + 1))
256 fi
257 done
258 if [ -z "$ADDED" ] ; then
259 exit 1
260 fi
261 ;;
262 *)
263 # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
264 populate_new_ids 0
265 [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
266 umask 077 ;
267 mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
268 if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
269 || exit 1
270 ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
271 ;;
272esac
273
274if [ "$DRY_RUN" ] ; then
275 cat <<-EOF
276 =-=-=-=-=-=-=-=
277 Would have added the following key(s):
278
279 $NEW_IDS
280 =-=-=-=-=-=-=-=
281 EOF
282else
283 cat <<-EOF
284
285 Number of key(s) added: $ADDED
286
287 Now try logging into the machine, with: "ssh $SSH_OPTS"
288 and check to make sure that only the key(s) you wanted were added.
289
290 EOF
291fi
54 292
293# =-=-=-=
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
index cb15ab24d..67a59e492 100644
--- a/contrib/ssh-copy-id.1
+++ b/contrib/ssh-copy-id.1
@@ -1,75 +1,186 @@
1.ig \" -*- nroff -*- 1.ig \" -*- nroff -*-
2Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/> 2Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
3 3
4Permission is granted to make and distribute verbatim copies of 4Redistribution and use in source and binary forms, with or without
5this manual provided the copyright notice and this permission notice 5modification, are permitted provided that the following conditions
6are preserved on all copies. 6are met:
71. Redistributions of source code must retain the above copyright
8 notice, this list of conditions and the following disclaimer.
92. Redistributions in binary form must reproduce the above copyright
10 notice, this list of conditions and the following disclaimer in the
11 documentation and/or other materials provided with the distribution.
7 12
8Permission is granted to copy and distribute modified versions of this 13THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
9manual under the conditions for verbatim copying, provided that the 14IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
10entire resulting derived work is distributed under the terms of a 15OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
11permission notice identical to this one. 16IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
12 17INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
13Permission is granted to copy and distribute translations of this 18NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
14manual into another language, under the above conditions for modified 19DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
15versions, except that this permission notice may be included in 20THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
16translations approved by the Free Software Foundation instead of in 21(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
17the original English. 22THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18.. 23..
19.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" 24.Dd $Mdocdate: June 17 2010 $
20.SH NAME 25.Dt SSH-COPY-ID 1
21ssh-copy-id \- install your public key in a remote machine's authorized_keys 26.Os
22.SH SYNOPSIS 27.Sh NAME
23.B ssh-copy-id [-i [identity_file]] 28.Nm ssh-copy-id
24.I "[user@]machine" 29.Nd use locally available keys to authorise logins on a remote machine
30.Sh SYNOPSIS
31.Nm
32.Op Fl n
33.Op Fl i Op Ar identity_file
34.Op Fl p Ar port
35.Op Fl o Ar ssh_option
36.Op Ar user Ns @ Ns
37.Ar hostname
38.Nm
39.Fl h | Fl ?
25.br 40.br
26.SH DESCRIPTION 41.Sh DESCRIPTION
27.BR ssh-copy-id 42.Nm
28is a script that uses ssh to log into a remote machine and 43is a script that uses
29append the indicated identity file to that machine's 44.Xr ssh 1
30.B ~/.ssh/authorized_keys 45to log into a remote machine (presumably using a login password,
31file. 46so password authentication should be enabled, unless you've done some
32.PP 47clever use of multiple identities). It assembles a list of one or more
33If the 48fingerprints (as described below) and tries to log in with each key, to
34.B -i 49see if any of them are already installed (of course, if you are not using
35option is given then the identity file (defaults to 50.Xr ssh-agent 1
36.BR ~/.ssh/id_rsa.pub ) 51this may result in you being repeatedly prompted for pass-phrases).
37is used, regardless of whether there are any keys in your 52It then assembles a list of those that failed to log in, and using ssh,
38.BR ssh-agent . 53enables logins with those keys on the remote server. By default it adds
39Otherwise, if this: 54the keys by appending them to the remote user's
40.PP 55.Pa ~/.ssh/authorized_keys
41.B " ssh-add -L" 56(creating the file, and directory, if necessary). It is also capable
42.PP 57of detecting if the remote system is a NetScreen, and using its
43provides any output, it uses that in preference to the identity file. 58.Ql set ssh pka-dsa key ...
44.PP 59command instead.
45If the 60.Pp
46.B -i 61The options are as follows:
47option is used, or the 62.Bl -tag -width Ds
48.B ssh-add 63.It Fl i Ar identity_file
49produced no output, then it uses the contents of the identity 64Use only the key(s) contained in
50file. Once it has one or more fingerprints (by whatever means) it 65.Ar identity_file
51uses ssh to append them to 66(rather than looking for identities via
52.B ~/.ssh/authorized_keys 67.Xr ssh-add 1
53on the remote machine (creating the file, and directory, if necessary.) 68or in the
54 69.Ic default_ID_file ) .
55.SH NOTES 70If the filename does not end in
56This program does not modify the permissions of any 71.Pa .pub
57pre-existing files or directories. Therefore, if the remote 72this is added. If the filename is omitted, the
58.B sshd 73.Ic default_ID_file
59has 74is used.
60.B StrictModes 75.Pp
61set in its 76Note that this can be used to ensure that the keys copied have the
62configuration, then the user's home, 77comment one prefers and/or extra options applied, by ensuring that the
63.B ~/.ssh 78key file has these set as preferred before the copy is attempted.
64folder, and 79.It Fl n
65.B ~/.ssh/authorized_keys 80do a dry-run. Instead of installing keys on the remote system simply
66file may need to have group writability disabled manually, e.g. via 81prints the key(s) that would have been installed.
67 82.It Fl h , Fl ?
68.B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys" 83Print Usage summary
69 84.It Fl p Ar port , Fl o Ar ssh_option
70on the remote machine. 85These two options are simply passed through untouched, along with their
71 86argument, to allow one to set the port or other
72.SH "SEE ALSO" 87.Xr ssh 1
73.BR ssh (1), 88options, respectively.
74.BR ssh-agent (1), 89.Pp
75.BR sshd (8) 90Rather than specifying these as command line options, it is often better to use (per-host) settings in
91.Xr ssh 1 Ns 's
92configuration file:
93.Xr ssh_config 5 .
94.El
95.Pp
96Default behaviour without
97.Fl i ,
98is to check if
99.Ql ssh-add -L
100provides any output, and if so those keys are used. Note that this results in
101the comment on the key being the filename that was given to
102.Xr ssh-add 1
103when the key was loaded into your
104.Xr ssh-agent 1
105rather than the comment contained in that file, which is a bit of a shame.
106Otherwise, if
107.Xr ssh-add 1
108provides no keys contents of the
109.Ic default_ID_file
110will be used.
111.Pp
112The
113.Ic default_ID_file
114is the most recent file that matches:
115.Pa ~/.ssh/id*.pub ,
116(excluding those that match
117.Pa ~/.ssh/*-cert.pub )
118so if you create a key that is not the one you want
119.Nm
120to use, just use
121.Xr touch 1
122on your preferred key's
123.Pa .pub
124file to reinstate it as the most recent.
125.Pp
126.Sh EXAMPLES
127If you have already installed keys from one system on a lot of remote
128hosts, and you then create a new key, on a new client machine, say,
129it can be difficult to keep track of which systems on which you've
130installed the new key. One way of dealing with this is to load both
131the new key and old key(s) into your
132.Xr ssh-agent 1 .
133Load the new key first, without the
134.Fl c
135option, then load one or more old keys into the agent, possibly by
136ssh-ing to the client machine that has that old key, using the
137.Fl A
138option to allow agent forwarding:
139.Pp
140.D1 user@newclient$ ssh-add
141.D1 user@newclient$ ssh -A old.client
142.D1 user@oldl$ ssh-add -c
143.D1 No ... prompt for pass-phrase ...
144.D1 user@old$ logoff
145.D1 user@newclient$ ssh someserver
146.Pp
147now, if the new key is installed on the server, you'll be allowed in
148unprompted, whereas if you only have the old key(s) enabled, you'll be
149asked for confirmation, which is your cue to log back out and run
150.Pp
151.D1 user@newclient$ ssh-copy-id -i someserver
152.Pp
153The reason you might want to specify the -i option in this case is to
154ensure that the comment on the installed key is the one from the
155.Pa .pub
156file, rather than just the filename that was loaded into you agent.
157It also ensures that only the id you intended is installed, rather than
158all the keys that you have in your
159.Xr ssh-agent 1 .
160Of course, you can specify another id, or use the contents of the
161.Xr ssh-agent 1
162as you prefer.
163.Pp
164Having mentioned
165.Xr ssh-add 1 Ns 's
166.Fl c
167option, you might consider using this whenever using agent forwarding
168to avoid your key being hijacked, but it is much better to instead use
169.Xr ssh 1 Ns 's
170.Ar ProxyCommand
171and
172.Fl W
173option,
174to bounce through remote servers while always doing direct end-to-end
175authentication. This way the middle hop(s) don't get access to your
176.Xr ssh-agent 1 .
177A web search for
178.Ql ssh proxycommand nc
179should prove enlightening (N.B. the modern approach is to use the
180.Fl W
181option, rather than
182.Xr nc 1 ) .
183.Sh "SEE ALSO"
184.Xr ssh 1 ,
185.Xr ssh-agent 1 ,
186.Xr sshd 8
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 3b8abecc8..960feae07 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
13 13
14Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation 14Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
15Name: openssh 15Name: openssh
16Version: 6.1p1 16Version: 6.2p1
17URL: http://www.openssh.com/ 17URL: http://www.openssh.com/
18Release: 1 18Release: 1
19Source0: openssh-%{version}.tar.gz 19Source0: openssh-%{version}.tar.gz
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd
index 4a3bc41db..28f28e41d 100644
--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -49,7 +49,7 @@ case "$1" in
49 ## Start daemon with startproc(8). If this fails 49 ## Start daemon with startproc(8). If this fails
50 ## the echo return value is set appropriate. 50 ## the echo return value is set appropriate.
51 51
52 startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" 52 startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
53 53
54 # Remember status and be verbose 54 # Remember status and be verbose
55 rc_status -v 55 rc_status -v
@@ -59,7 +59,7 @@ case "$1" in
59 ## Stop daemon with killproc(8) and if this fails 59 ## Stop daemon with killproc(8) and if this fails
60 ## set echo the echo return value. 60 ## set echo the echo return value.
61 61
62 killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd 62 killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
63 63
64 # Remember status and be verbose 64 # Remember status and be verbose
65 rc_status -v 65 rc_status -v
@@ -87,7 +87,7 @@ case "$1" in
87 87
88 echo -n "Reload service sshd" 88 echo -n "Reload service sshd"
89 89
90 killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd 90 killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
91 91
92 rc_status -v 92 rc_status -v
93 93
@@ -103,7 +103,7 @@ case "$1" in
103 # 2 - service dead, but /var/lock/ lock file exists 103 # 2 - service dead, but /var/lock/ lock file exists
104 # 3 - service not running 104 # 3 - service not running
105 105
106 checkproc -p $SSHD_PIDFILE /usr/sbin/sshd 106 checkproc -p $SSHD_PIDFILE $SSHD_BIN
107 107
108 rc_status -v 108 rc_status -v
109 ;; 109 ;;
diff --git a/defines.h b/defines.h
index 53f83a142..64515c2ff 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
25#ifndef _DEFINES_H 25#ifndef _DEFINES_H
26#define _DEFINES_H 26#define _DEFINES_H
27 27
28/* $Id: defines.h,v 1.169 2012/02/15 04:13:06 tim Exp $ */ 28/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */
29 29
30 30
31/* Constants */ 31/* Constants */
@@ -227,11 +227,7 @@ typedef uint16_t u_int16_t;
227typedef uint32_t u_int32_t; 227typedef uint32_t u_int32_t;
228# define HAVE_U_INTXX_T 1 228# define HAVE_U_INTXX_T 1
229# else 229# else
230# if (SIZEOF_CHAR == 1)
231typedef unsigned char u_int8_t; 230typedef unsigned char u_int8_t;
232# else
233# error "8 bit int type not found."
234# endif
235# if (SIZEOF_SHORT_INT == 2) 231# if (SIZEOF_SHORT_INT == 2)
236typedef unsigned short int u_int16_t; 232typedef unsigned short int u_int16_t;
237# else 233# else
@@ -283,6 +279,10 @@ typedef unsigned char u_char;
283# define HAVE_U_CHAR 279# define HAVE_U_CHAR
284#endif /* HAVE_U_CHAR */ 280#endif /* HAVE_U_CHAR */
285 281
282#ifndef ULLONG_MAX
283# define ULLONG_MAX ((unsigned long long)-1)
284#endif
285
286#ifndef SIZE_T_MAX 286#ifndef SIZE_T_MAX
287#define SIZE_T_MAX ULONG_MAX 287#define SIZE_T_MAX ULONG_MAX
288#endif /* SIZE_T_MAX */ 288#endif /* SIZE_T_MAX */
diff --git a/includes.h b/includes.h
index b4c53d9b4..3e206c899 100644
--- a/includes.h
+++ b/includes.h
@@ -137,8 +137,10 @@
137# include <tmpdir.h> 137# include <tmpdir.h>
138#endif 138#endif
139 139
140#ifdef HAVE_LIBUTIL_H 140#if defined(HAVE_BSD_LIBUTIL_H)
141# include <libutil.h> /* Openpty on FreeBSD at least */ 141# include <bsd/libutil.h>
142#elif defined(HAVE_LIBUTIL_H)
143# include <libutil.h>
142#endif 144#endif
143 145
144#if defined(KRB5) && defined(USE_AFS) 146#if defined(KRB5) && defined(USE_AFS)
diff --git a/kex.c b/kex.c
index 58349fc19..f9e7a9c09 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */ 1/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -246,8 +246,18 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
246 packet_get_char(); 246 packet_get_char();
247 for (i = 0; i < PROPOSAL_MAX; i++) 247 for (i = 0; i < PROPOSAL_MAX; i++)
248 xfree(packet_get_string(NULL)); 248 xfree(packet_get_string(NULL));
249 (void) packet_get_char(); 249 /*
250 (void) packet_get_int(); 250 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
251 * KEX method has the server move first, but a server might be using
252 * a custom method or one that we otherwise don't support. We should
253 * be prepared to remember first_kex_follows here so we can eat a
254 * packet later.
255 * XXX2 - RFC4253 is kind of ambiguous on what first_kex_follows means
256 * for cases where the server *doesn't* go first. I guess we should
257 * ignore it when it is set for these cases, which is what we do now.
258 */
259 (void) packet_get_char(); /* first_kex_follows */
260 (void) packet_get_int(); /* reserved */
251 packet_check_eom(); 261 packet_check_eom();
252 262
253 kex_kexinit_finish(kex); 263 kex_kexinit_finish(kex);
@@ -298,6 +308,7 @@ choose_enc(Enc *enc, char *client, char *server)
298 enc->name = name; 308 enc->name = name;
299 enc->enabled = 0; 309 enc->enabled = 0;
300 enc->iv = NULL; 310 enc->iv = NULL;
311 enc->iv_len = cipher_ivlen(enc->cipher);
301 enc->key = NULL; 312 enc->key = NULL;
302 enc->key_len = cipher_keylen(enc->cipher); 313 enc->key_len = cipher_keylen(enc->cipher);
303 enc->block_size = cipher_blocksize(enc->cipher); 314 enc->block_size = cipher_blocksize(enc->cipher);
@@ -423,7 +434,7 @@ kex_choose_conf(Kex *kex)
423 char **my, **peer; 434 char **my, **peer;
424 char **cprop, **sprop; 435 char **cprop, **sprop;
425 int nenc, nmac, ncomp; 436 int nenc, nmac, ncomp;
426 u_int mode, ctos, need; 437 u_int mode, ctos, need, authlen;
427 int first_kex_follows, type; 438 int first_kex_follows, type;
428 439
429 my = kex_buf2prop(&kex->my, NULL); 440 my = kex_buf2prop(&kex->my, NULL);
@@ -456,13 +467,16 @@ kex_choose_conf(Kex *kex)
456 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; 467 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
457 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; 468 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
458 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 469 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
459 choose_enc (&newkeys->enc, cprop[nenc], sprop[nenc]); 470 choose_enc(&newkeys->enc, cprop[nenc], sprop[nenc]);
460 choose_mac (&newkeys->mac, cprop[nmac], sprop[nmac]); 471 /* ignore mac for authenticated encryption */
472 authlen = cipher_authlen(newkeys->enc.cipher);
473 if (authlen == 0)
474 choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]);
461 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); 475 choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
462 debug("kex: %s %s %s %s", 476 debug("kex: %s %s %s %s",
463 ctos ? "client->server" : "server->client", 477 ctos ? "client->server" : "server->client",
464 newkeys->enc.name, 478 newkeys->enc.name,
465 newkeys->mac.name, 479 authlen == 0 ? newkeys->mac.name : "<implicit>",
466 newkeys->comp.name); 480 newkeys->comp.name);
467 } 481 }
468 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); 482 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
@@ -475,6 +489,8 @@ kex_choose_conf(Kex *kex)
475 need = newkeys->enc.key_len; 489 need = newkeys->enc.key_len;
476 if (need < newkeys->enc.block_size) 490 if (need < newkeys->enc.block_size)
477 need = newkeys->enc.block_size; 491 need = newkeys->enc.block_size;
492 if (need < newkeys->enc.iv_len)
493 need = newkeys->enc.iv_len;
478 if (need < newkeys->mac.key_len) 494 if (need < newkeys->mac.key_len)
479 need = newkeys->mac.key_len; 495 need = newkeys->mac.key_len;
480 } 496 }
diff --git a/kex.h b/kex.h
index fa50b2ccb..8013ab8a4 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.h,v 1.52 2010/09/22 05:01:29 djm Exp $ */ 1/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -92,6 +92,7 @@ struct Enc {
92 Cipher *cipher; 92 Cipher *cipher;
93 int enabled; 93 int enabled;
94 u_int key_len; 94 u_int key_len;
95 u_int iv_len;
95 u_int block_size; 96 u_int block_size;
96 u_char *key; 97 u_char *key;
97 u_char *iv; 98 u_char *iv;
@@ -103,6 +104,7 @@ struct Mac {
103 u_char *key; 104 u_char *key;
104 u_int key_len; 105 u_int key_len;
105 int type; 106 int type;
107 int etm; /* Encrypt-then-MAC */
106 const EVP_MD *evp_md; 108 const EVP_MD *evp_md;
107 HMAC_CTX evp_ctx; 109 HMAC_CTX evp_ctx;
108 struct umac_ctx *umac_ctx; 110 struct umac_ctx *umac_ctx;
diff --git a/key.c b/key.c
index 2a16b25b9..fdfed5c56 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */ 1/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */
2/* 2/*
3 * read_bignum(): 3 * read_bignum():
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -55,6 +55,8 @@
55#include "misc.h" 55#include "misc.h"
56#include "ssh2.h" 56#include "ssh2.h"
57 57
58static int to_blob(const Key *, u_char **, u_int *, int);
59
58static struct KeyCert * 60static struct KeyCert *
59cert_new(void) 61cert_new(void)
60{ 62{
@@ -324,14 +326,15 @@ key_equal(const Key *a, const Key *b)
324} 326}
325 327
326u_char* 328u_char*
327key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) 329key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
330 u_int *dgst_raw_length)
328{ 331{
329 const EVP_MD *md = NULL; 332 const EVP_MD *md = NULL;
330 EVP_MD_CTX ctx; 333 EVP_MD_CTX ctx;
331 u_char *blob = NULL; 334 u_char *blob = NULL;
332 u_char *retval = NULL; 335 u_char *retval = NULL;
333 u_int len = 0; 336 u_int len = 0;
334 int nlen, elen, otype; 337 int nlen, elen;
335 338
336 *dgst_raw_length = 0; 339 *dgst_raw_length = 0;
337 340
@@ -371,10 +374,7 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
371 case KEY_ECDSA_CERT: 374 case KEY_ECDSA_CERT:
372 case KEY_RSA_CERT: 375 case KEY_RSA_CERT:
373 /* We want a fingerprint of the _key_ not of the cert */ 376 /* We want a fingerprint of the _key_ not of the cert */
374 otype = k->type; 377 to_blob(k, &blob, &len, 1);
375 k->type = key_type_plain(k->type);
376 key_to_blob(k, &blob, &len);
377 k->type = otype;
378 break; 378 break;
379 case KEY_UNSPEC: 379 case KEY_UNSPEC:
380 return retval; 380 return retval;
@@ -1591,18 +1591,19 @@ key_from_blob(const u_char *blob, u_int blen)
1591 return key; 1591 return key;
1592} 1592}
1593 1593
1594int 1594static int
1595key_to_blob(const Key *key, u_char **blobp, u_int *lenp) 1595to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
1596{ 1596{
1597 Buffer b; 1597 Buffer b;
1598 int len; 1598 int len, type;
1599 1599
1600 if (key == NULL) { 1600 if (key == NULL) {
1601 error("key_to_blob: key == NULL"); 1601 error("key_to_blob: key == NULL");
1602 return 0; 1602 return 0;
1603 } 1603 }
1604 buffer_init(&b); 1604 buffer_init(&b);
1605 switch (key->type) { 1605 type = force_plain ? key_type_plain(key->type) : key->type;
1606 switch (type) {
1606 case KEY_DSA_CERT_V00: 1607 case KEY_DSA_CERT_V00:
1607 case KEY_RSA_CERT_V00: 1608 case KEY_RSA_CERT_V00:
1608 case KEY_DSA_CERT: 1609 case KEY_DSA_CERT:
@@ -1613,7 +1614,8 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1613 buffer_len(&key->cert->certblob)); 1614 buffer_len(&key->cert->certblob));
1614 break; 1615 break;
1615 case KEY_DSA: 1616 case KEY_DSA:
1616 buffer_put_cstring(&b, key_ssh_name(key)); 1617 buffer_put_cstring(&b,
1618 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1617 buffer_put_bignum2(&b, key->dsa->p); 1619 buffer_put_bignum2(&b, key->dsa->p);
1618 buffer_put_bignum2(&b, key->dsa->q); 1620 buffer_put_bignum2(&b, key->dsa->q);
1619 buffer_put_bignum2(&b, key->dsa->g); 1621 buffer_put_bignum2(&b, key->dsa->g);
@@ -1621,14 +1623,16 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1621 break; 1623 break;
1622#ifdef OPENSSL_HAS_ECC 1624#ifdef OPENSSL_HAS_ECC
1623 case KEY_ECDSA: 1625 case KEY_ECDSA:
1624 buffer_put_cstring(&b, key_ssh_name(key)); 1626 buffer_put_cstring(&b,
1627 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1625 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); 1628 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1626 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), 1629 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1627 EC_KEY_get0_public_key(key->ecdsa)); 1630 EC_KEY_get0_public_key(key->ecdsa));
1628 break; 1631 break;
1629#endif 1632#endif
1630 case KEY_RSA: 1633 case KEY_RSA:
1631 buffer_put_cstring(&b, key_ssh_name(key)); 1634 buffer_put_cstring(&b,
1635 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1632 buffer_put_bignum2(&b, key->rsa->e); 1636 buffer_put_bignum2(&b, key->rsa->e);
1633 buffer_put_bignum2(&b, key->rsa->n); 1637 buffer_put_bignum2(&b, key->rsa->n);
1634 break; 1638 break;
@@ -1650,6 +1654,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1650} 1654}
1651 1655
1652int 1656int
1657key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1658{
1659 return to_blob(key, blobp, lenp, 0);
1660}
1661
1662int
1653key_sign( 1663key_sign(
1654 const Key *key, 1664 const Key *key,
1655 u_char **sigp, u_int *lenp, 1665 u_char **sigp, u_int *lenp,
@@ -2028,7 +2038,7 @@ key_cert_check_authority(const Key *k, int want_host, int require_principal,
2028} 2038}
2029 2039
2030int 2040int
2031key_cert_is_legacy(Key *k) 2041key_cert_is_legacy(const Key *k)
2032{ 2042{
2033 switch (k->type) { 2043 switch (k->type) {
2034 case KEY_DSA_CERT_V00: 2044 case KEY_DSA_CERT_V00:
diff --git a/key.h b/key.h
index ca56b4271..4beaf202e 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.h,v 1.34 2012/05/23 03:28:28 djm Exp $ */ 1/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -97,7 +97,7 @@ Key *key_demote(const Key *);
97int key_equal_public(const Key *, const Key *); 97int key_equal_public(const Key *, const Key *);
98int key_equal(const Key *, const Key *); 98int key_equal(const Key *, const Key *);
99char *key_fingerprint(Key *, enum fp_type, enum fp_rep); 99char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
100u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); 100u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
101const char *key_type(const Key *); 101const char *key_type(const Key *);
102const char *key_cert_type(const Key *); 102const char *key_cert_type(const Key *);
103int key_write(const Key *, FILE *); 103int key_write(const Key *, FILE *);
@@ -115,7 +115,7 @@ int key_certify(Key *, Key *);
115void key_cert_copy(const Key *, struct Key *); 115void key_cert_copy(const Key *, struct Key *);
116int key_cert_check_authority(const Key *, int, int, const char *, 116int key_cert_check_authority(const Key *, int, int, const char *,
117 const char **); 117 const char **);
118int key_cert_is_legacy(Key *); 118int key_cert_is_legacy(const Key *);
119 119
120int key_ecdsa_nid_from_name(const char *); 120int key_ecdsa_nid_from_name(const char *);
121int key_curve_name_to_nid(const char *); 121int key_curve_name_to_nid(const char *);
diff --git a/krl.c b/krl.c
new file mode 100644
index 000000000..5a6bd14aa
--- /dev/null
+++ b/krl.c
@@ -0,0 +1,1229 @@
1/*
2 * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $OpenBSD: krl.c,v 1.9 2013/01/27 10:06:12 djm Exp $ */
18
19#include "includes.h"
20
21#include <sys/types.h>
22#include <sys/param.h>
23#include <openbsd-compat/sys-tree.h>
24#include <openbsd-compat/sys-queue.h>
25
26#include <errno.h>
27#include <fcntl.h>
28#include <limits.h>
29#include <string.h>
30#include <time.h>
31#include <unistd.h>
32
33#include "buffer.h"
34#include "key.h"
35#include "authfile.h"
36#include "misc.h"
37#include "log.h"
38#include "xmalloc.h"
39
40#include "krl.h"
41
42/* #define DEBUG_KRL */
43#ifdef DEBUG_KRL
44# define KRL_DBG(x) debug3 x
45#else
46# define KRL_DBG(x)
47#endif
48
49/*
50 * Trees of revoked serial numbers, key IDs and keys. This allows
51 * quick searching, querying and producing lists in canonical order.
52 */
53
54/* Tree of serial numbers. XXX make smarter: really need a real sparse bitmap */
55struct revoked_serial {
56 u_int64_t lo, hi;
57 RB_ENTRY(revoked_serial) tree_entry;
58};
59static int serial_cmp(struct revoked_serial *a, struct revoked_serial *b);
60RB_HEAD(revoked_serial_tree, revoked_serial);
61RB_GENERATE_STATIC(revoked_serial_tree, revoked_serial, tree_entry, serial_cmp);
62
63/* Tree of key IDs */
64struct revoked_key_id {
65 char *key_id;
66 RB_ENTRY(revoked_key_id) tree_entry;
67};
68static int key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b);
69RB_HEAD(revoked_key_id_tree, revoked_key_id);
70RB_GENERATE_STATIC(revoked_key_id_tree, revoked_key_id, tree_entry, key_id_cmp);
71
72/* Tree of blobs (used for keys and fingerprints) */
73struct revoked_blob {
74 u_char *blob;
75 u_int len;
76 RB_ENTRY(revoked_blob) tree_entry;
77};
78static int blob_cmp(struct revoked_blob *a, struct revoked_blob *b);
79RB_HEAD(revoked_blob_tree, revoked_blob);
80RB_GENERATE_STATIC(revoked_blob_tree, revoked_blob, tree_entry, blob_cmp);
81
82/* Tracks revoked certs for a single CA */
83struct revoked_certs {
84 Key *ca_key;
85 struct revoked_serial_tree revoked_serials;
86 struct revoked_key_id_tree revoked_key_ids;
87 TAILQ_ENTRY(revoked_certs) entry;
88};
89TAILQ_HEAD(revoked_certs_list, revoked_certs);
90
91struct ssh_krl {
92 u_int64_t krl_version;
93 u_int64_t generated_date;
94 u_int64_t flags;
95 char *comment;
96 struct revoked_blob_tree revoked_keys;
97 struct revoked_blob_tree revoked_sha1s;
98 struct revoked_certs_list revoked_certs;
99};
100
101/* Return equal if a and b overlap */
102static int
103serial_cmp(struct revoked_serial *a, struct revoked_serial *b)
104{
105 if (a->hi >= b->lo && a->lo <= b->hi)
106 return 0;
107 return a->lo < b->lo ? -1 : 1;
108}
109
110static int
111key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b)
112{
113 return strcmp(a->key_id, b->key_id);
114}
115
116static int
117blob_cmp(struct revoked_blob *a, struct revoked_blob *b)
118{
119 int r;
120
121 if (a->len != b->len) {
122 if ((r = memcmp(a->blob, b->blob, MIN(a->len, b->len))) != 0)
123 return r;
124 return a->len > b->len ? 1 : -1;
125 } else
126 return memcmp(a->blob, b->blob, a->len);
127}
128
129struct ssh_krl *
130ssh_krl_init(void)
131{
132 struct ssh_krl *krl;
133
134 if ((krl = calloc(1, sizeof(*krl))) == NULL)
135 return NULL;
136 RB_INIT(&krl->revoked_keys);
137 RB_INIT(&krl->revoked_sha1s);
138 TAILQ_INIT(&krl->revoked_certs);
139 return krl;
140}
141
142static void
143revoked_certs_free(struct revoked_certs *rc)
144{
145 struct revoked_serial *rs, *trs;
146 struct revoked_key_id *rki, *trki;
147
148 RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) {
149 RB_REMOVE(revoked_serial_tree, &rc->revoked_serials, rs);
150 free(rs);
151 }
152 RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, trki) {
153 RB_REMOVE(revoked_key_id_tree, &rc->revoked_key_ids, rki);
154 free(rki->key_id);
155 free(rki);
156 }
157 if (rc->ca_key != NULL)
158 key_free(rc->ca_key);
159}
160
161void
162ssh_krl_free(struct ssh_krl *krl)
163{
164 struct revoked_blob *rb, *trb;
165 struct revoked_certs *rc, *trc;
166
167 if (krl == NULL)
168 return;
169
170 free(krl->comment);
171 RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) {
172 RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb);
173 free(rb->blob);
174 free(rb);
175 }
176 RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) {
177 RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb);
178 free(rb->blob);
179 free(rb);
180 }
181 TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) {
182 TAILQ_REMOVE(&krl->revoked_certs, rc, entry);
183 revoked_certs_free(rc);
184 }
185}
186
187void
188ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version)
189{
190 krl->krl_version = version;
191}
192
193void
194ssh_krl_set_comment(struct ssh_krl *krl, const char *comment)
195{
196 free(krl->comment);
197 if ((krl->comment = strdup(comment)) == NULL)
198 fatal("%s: strdup", __func__);
199}
200
201/*
202 * Find the revoked_certs struct for a CA key. If allow_create is set then
203 * create a new one in the tree if one did not exist already.
204 */
205static int
206revoked_certs_for_ca_key(struct ssh_krl *krl, const Key *ca_key,
207 struct revoked_certs **rcp, int allow_create)
208{
209 struct revoked_certs *rc;
210
211 *rcp = NULL;
212 TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
213 if (key_equal(rc->ca_key, ca_key)) {
214 *rcp = rc;
215 return 0;
216 }
217 }
218 if (!allow_create)
219 return 0;
220 /* If this CA doesn't exist in the list then add it now */
221 if ((rc = calloc(1, sizeof(*rc))) == NULL)
222 return -1;
223 if ((rc->ca_key = key_from_private(ca_key)) == NULL) {
224 free(rc);
225 return -1;
226 }
227 RB_INIT(&rc->revoked_serials);
228 RB_INIT(&rc->revoked_key_ids);
229 TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry);
230 debug3("%s: new CA %s", __func__, key_type(ca_key));
231 *rcp = rc;
232 return 0;
233}
234
235static int
236insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
237{
238 struct revoked_serial rs, *ers, *crs, *irs;
239
240 KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi));
241 bzero(&rs, sizeof(rs));
242 rs.lo = lo;
243 rs.hi = hi;
244 ers = RB_NFIND(revoked_serial_tree, rt, &rs);
245 if (ers == NULL || serial_cmp(ers, &rs) != 0) {
246 /* No entry matches. Just insert */
247 if ((irs = malloc(sizeof(rs))) == NULL)
248 return -1;
249 memcpy(irs, &rs, sizeof(*irs));
250 ers = RB_INSERT(revoked_serial_tree, rt, irs);
251 if (ers != NULL) {
252 KRL_DBG(("%s: bad: ers != NULL", __func__));
253 /* Shouldn't happen */
254 free(irs);
255 return -1;
256 }
257 ers = irs;
258 } else {
259 KRL_DBG(("%s: overlap found %llu:%llu", __func__,
260 ers->lo, ers->hi));
261 /*
262 * The inserted entry overlaps an existing one. Grow the
263 * existing entry.
264 */
265 if (ers->lo > lo)
266 ers->lo = lo;
267 if (ers->hi < hi)
268 ers->hi = hi;
269 }
270 /*
271 * The inserted or revised range might overlap or abut adjacent ones;
272 * coalesce as necessary.
273 */
274
275 /* Check predecessors */
276 while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) {
277 KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi));
278 if (ers->lo != 0 && crs->hi < ers->lo - 1)
279 break;
280 /* This entry overlaps. */
281 if (crs->lo < ers->lo) {
282 ers->lo = crs->lo;
283 KRL_DBG(("%s: pred extend %llu:%llu", __func__,
284 ers->lo, ers->hi));
285 }
286 RB_REMOVE(revoked_serial_tree, rt, crs);
287 free(crs);
288 }
289 /* Check successors */
290 while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) {
291 KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi));
292 if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1)
293 break;
294 /* This entry overlaps. */
295 if (crs->hi > ers->hi) {
296 ers->hi = crs->hi;
297 KRL_DBG(("%s: succ extend %llu:%llu", __func__,
298 ers->lo, ers->hi));
299 }
300 RB_REMOVE(revoked_serial_tree, rt, crs);
301 free(crs);
302 }
303 KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi));
304 return 0;
305}
306
307int
308ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
309 u_int64_t serial)
310{
311 return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial);
312}
313
314int
315ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
316 u_int64_t lo, u_int64_t hi)
317{
318 struct revoked_certs *rc;
319
320 if (lo > hi || lo == 0)
321 return -1;
322 if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0)
323 return -1;
324 return insert_serial_range(&rc->revoked_serials, lo, hi);
325}
326
327int
328ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
329 const char *key_id)
330{
331 struct revoked_key_id *rki, *erki;
332 struct revoked_certs *rc;
333
334 if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0)
335 return -1;
336
337 debug3("%s: revoke %s", __func__, key_id);
338 if ((rki = calloc(1, sizeof(*rki))) == NULL ||
339 (rki->key_id = strdup(key_id)) == NULL) {
340 free(rki);
341 fatal("%s: strdup", __func__);
342 }
343 erki = RB_INSERT(revoked_key_id_tree, &rc->revoked_key_ids, rki);
344 if (erki != NULL) {
345 free(rki->key_id);
346 free(rki);
347 }
348 return 0;
349}
350
351/* Convert "key" to a public key blob without any certificate information */
352static int
353plain_key_blob(const Key *key, u_char **blob, u_int *blen)
354{
355 Key *kcopy;
356 int r;
357
358 if ((kcopy = key_from_private(key)) == NULL)
359 return -1;
360 if (key_is_cert(kcopy)) {
361 if (key_drop_cert(kcopy) != 0) {
362 error("%s: key_drop_cert", __func__);
363 key_free(kcopy);
364 return -1;
365 }
366 }
367 r = key_to_blob(kcopy, blob, blen);
368 free(kcopy);
369 return r == 0 ? -1 : 0;
370}
371
372/* Revoke a key blob. Ownership of blob is transferred to the tree */
373static int
374revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len)
375{
376 struct revoked_blob *rb, *erb;
377
378 if ((rb = calloc(1, sizeof(*rb))) == NULL)
379 return -1;
380 rb->blob = blob;
381 rb->len = len;
382 erb = RB_INSERT(revoked_blob_tree, rbt, rb);
383 if (erb != NULL) {
384 free(rb->blob);
385 free(rb);
386 }
387 return 0;
388}
389
390int
391ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key)
392{
393 u_char *blob;
394 u_int len;
395
396 debug3("%s: revoke type %s", __func__, key_type(key));
397 if (plain_key_blob(key, &blob, &len) != 0)
398 return -1;
399 return revoke_blob(&krl->revoked_keys, blob, len);
400}
401
402int
403ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key)
404{
405 u_char *blob;
406 u_int len;
407
408 debug3("%s: revoke type %s by sha1", __func__, key_type(key));
409 if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL)
410 return -1;
411 return revoke_blob(&krl->revoked_sha1s, blob, len);
412}
413
414int
415ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key)
416{
417 if (!key_is_cert(key))
418 return ssh_krl_revoke_key_sha1(krl, key);
419
420 if (key_cert_is_legacy(key) || key->cert->serial == 0) {
421 return ssh_krl_revoke_cert_by_key_id(krl,
422 key->cert->signature_key,
423 key->cert->key_id);
424 } else {
425 return ssh_krl_revoke_cert_by_serial(krl,
426 key->cert->signature_key,
427 key->cert->serial);
428 }
429}
430
431/*
432 * Select a copact next section type to emit in a KRL based on the
433 * current section type, the run length of contiguous revoked serial
434 * numbers and the gaps from the last and to the next revoked serial.
435 * Applies a mostly-accurate bit cost model to select the section type
436 * that will minimise the size of the resultant KRL.
437 */
438static int
439choose_next_state(int current_state, u_int64_t contig, int final,
440 u_int64_t last_gap, u_int64_t next_gap, int *force_new_section)
441{
442 int new_state;
443 u_int64_t cost, cost_list, cost_range, cost_bitmap, cost_bitmap_restart;
444
445 /*
446 * Avoid unsigned overflows.
447 * The limits are high enough to avoid confusing the calculations.
448 */
449 contig = MIN(contig, 1ULL<<31);
450 last_gap = MIN(last_gap, 1ULL<<31);
451 next_gap = MIN(next_gap, 1ULL<<31);
452
453 /*
454 * Calculate the cost to switch from the current state to candidates.
455 * NB. range sections only ever contain a single range, so their
456 * switching cost is independent of the current_state.
457 */
458 cost_list = cost_bitmap = cost_bitmap_restart = 0;
459 cost_range = 8;
460 switch (current_state) {
461 case KRL_SECTION_CERT_SERIAL_LIST:
462 cost_bitmap_restart = cost_bitmap = 8 + 64;
463 break;
464 case KRL_SECTION_CERT_SERIAL_BITMAP:
465 cost_list = 8;
466 cost_bitmap_restart = 8 + 64;
467 break;
468 case KRL_SECTION_CERT_SERIAL_RANGE:
469 case 0:
470 cost_bitmap_restart = cost_bitmap = 8 + 64;
471 cost_list = 8;
472 }
473
474 /* Estimate base cost in bits of each section type */
475 cost_list += 64 * contig + (final ? 0 : 8+64);
476 cost_range += (2 * 64) + (final ? 0 : 8+64);
477 cost_bitmap += last_gap + contig + (final ? 0 : MIN(next_gap, 8+64));
478 cost_bitmap_restart += contig + (final ? 0 : MIN(next_gap, 8+64));
479
480 /* Convert to byte costs for actual comparison */
481 cost_list = (cost_list + 7) / 8;
482 cost_bitmap = (cost_bitmap + 7) / 8;
483 cost_bitmap_restart = (cost_bitmap_restart + 7) / 8;
484 cost_range = (cost_range + 7) / 8;
485
486 /* Now pick the best choice */
487 *force_new_section = 0;
488 new_state = KRL_SECTION_CERT_SERIAL_BITMAP;
489 cost = cost_bitmap;
490 if (cost_range < cost) {
491 new_state = KRL_SECTION_CERT_SERIAL_RANGE;
492 cost = cost_range;
493 }
494 if (cost_list < cost) {
495 new_state = KRL_SECTION_CERT_SERIAL_LIST;
496 cost = cost_list;
497 }
498 if (cost_bitmap_restart < cost) {
499 new_state = KRL_SECTION_CERT_SERIAL_BITMAP;
500 *force_new_section = 1;
501 cost = cost_bitmap_restart;
502 }
503 debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
504 "list %llu range %llu bitmap %llu new bitmap %llu, "
505 "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final,
506 cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state,
507 *force_new_section ? " restart" : "");
508 return new_state;
509}
510
511/* Generate a KRL_SECTION_CERTIFICATES KRL section */
512static int
513revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
514{
515 int final, force_new_sect, r = -1;
516 u_int64_t i, contig, gap, last = 0, bitmap_start = 0;
517 struct revoked_serial *rs, *nrs;
518 struct revoked_key_id *rki;
519 int next_state, state = 0;
520 Buffer sect;
521 u_char *kblob = NULL;
522 u_int klen;
523 BIGNUM *bitmap = NULL;
524
525 /* Prepare CA scope key blob if we have one supplied */
526 if (key_to_blob(rc->ca_key, &kblob, &klen) == 0)
527 return -1;
528
529 buffer_init(&sect);
530
531 /* Store the header */
532 buffer_put_string(buf, kblob, klen);
533 buffer_put_string(buf, NULL, 0); /* Reserved */
534
535 free(kblob);
536
537 /* Store the revoked serials. */
538 for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials);
539 rs != NULL;
540 rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
541 debug3("%s: serial %llu:%llu state 0x%02x", __func__,
542 rs->lo, rs->hi, state);
543
544 /* Check contiguous length and gap to next section (if any) */
545 nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
546 final = nrs == NULL;
547 gap = nrs == NULL ? 0 : nrs->lo - rs->hi;
548 contig = 1 + (rs->hi - rs->lo);
549
550 /* Choose next state based on these */
551 next_state = choose_next_state(state, contig, final,
552 state == 0 ? 0 : rs->lo - last, gap, &force_new_sect);
553
554 /*
555 * If the current section is a range section or has a different
556 * type to the next section, then finish it off now.
557 */
558 if (state != 0 && (force_new_sect || next_state != state ||
559 state == KRL_SECTION_CERT_SERIAL_RANGE)) {
560 debug3("%s: finish state 0x%02x", __func__, state);
561 switch (state) {
562 case KRL_SECTION_CERT_SERIAL_LIST:
563 case KRL_SECTION_CERT_SERIAL_RANGE:
564 break;
565 case KRL_SECTION_CERT_SERIAL_BITMAP:
566 buffer_put_bignum2(&sect, bitmap);
567 BN_free(bitmap);
568 bitmap = NULL;
569 break;
570 }
571 buffer_put_char(buf, state);
572 buffer_put_string(buf,
573 buffer_ptr(&sect), buffer_len(&sect));
574 }
575
576 /* If we are starting a new section then prepare it now */
577 if (next_state != state || force_new_sect) {
578 debug3("%s: start state 0x%02x", __func__, next_state);
579 state = next_state;
580 buffer_clear(&sect);
581 switch (state) {
582 case KRL_SECTION_CERT_SERIAL_LIST:
583 case KRL_SECTION_CERT_SERIAL_RANGE:
584 break;
585 case KRL_SECTION_CERT_SERIAL_BITMAP:
586 if ((bitmap = BN_new()) == NULL)
587 goto out;
588 bitmap_start = rs->lo;
589 buffer_put_int64(&sect, bitmap_start);
590 break;
591 }
592 }
593
594 /* Perform section-specific processing */
595 switch (state) {
596 case KRL_SECTION_CERT_SERIAL_LIST:
597 for (i = 0; i < contig; i++)
598 buffer_put_int64(&sect, rs->lo + i);
599 break;
600 case KRL_SECTION_CERT_SERIAL_RANGE:
601 buffer_put_int64(&sect, rs->lo);
602 buffer_put_int64(&sect, rs->hi);
603 break;
604 case KRL_SECTION_CERT_SERIAL_BITMAP:
605 if (rs->lo - bitmap_start > INT_MAX) {
606 error("%s: insane bitmap gap", __func__);
607 goto out;
608 }
609 for (i = 0; i < contig; i++) {
610 if (BN_set_bit(bitmap,
611 rs->lo + i - bitmap_start) != 1)
612 goto out;
613 }
614 break;
615 }
616 last = rs->hi;
617 }
618 /* Flush the remaining section, if any */
619 if (state != 0) {
620 debug3("%s: serial final flush for state 0x%02x",
621 __func__, state);
622 switch (state) {
623 case KRL_SECTION_CERT_SERIAL_LIST:
624 case KRL_SECTION_CERT_SERIAL_RANGE:
625 break;
626 case KRL_SECTION_CERT_SERIAL_BITMAP:
627 buffer_put_bignum2(&sect, bitmap);
628 BN_free(bitmap);
629 bitmap = NULL;
630 break;
631 }
632 buffer_put_char(buf, state);
633 buffer_put_string(buf,
634 buffer_ptr(&sect), buffer_len(&sect));
635 }
636 debug3("%s: serial done ", __func__);
637
638 /* Now output a section for any revocations by key ID */
639 buffer_clear(&sect);
640 RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
641 debug3("%s: key ID %s", __func__, rki->key_id);
642 buffer_put_cstring(&sect, rki->key_id);
643 }
644 if (buffer_len(&sect) != 0) {
645 buffer_put_char(buf, KRL_SECTION_CERT_KEY_ID);
646 buffer_put_string(buf, buffer_ptr(&sect),
647 buffer_len(&sect));
648 }
649 r = 0;
650 out:
651 if (bitmap != NULL)
652 BN_free(bitmap);
653 buffer_free(&sect);
654 return r;
655}
656
657int
658ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
659 u_int nsign_keys)
660{
661 int r = -1;
662 struct revoked_certs *rc;
663 struct revoked_blob *rb;
664 Buffer sect;
665 u_char *kblob = NULL, *sblob = NULL;
666 u_int klen, slen, i;
667
668 if (krl->generated_date == 0)
669 krl->generated_date = time(NULL);
670
671 buffer_init(&sect);
672
673 /* Store the header */
674 buffer_append(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1);
675 buffer_put_int(buf, KRL_FORMAT_VERSION);
676 buffer_put_int64(buf, krl->krl_version);
677 buffer_put_int64(buf, krl->generated_date);
678 buffer_put_int64(buf, krl->flags);
679 buffer_put_string(buf, NULL, 0);
680 buffer_put_cstring(buf, krl->comment ? krl->comment : "");
681
682 /* Store sections for revoked certificates */
683 TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
684 if (revoked_certs_generate(rc, &sect) != 0)
685 goto out;
686 buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
687 buffer_put_string(buf, buffer_ptr(&sect),
688 buffer_len(&sect));
689 }
690
691 /* Finally, output sections for revocations by public key/hash */
692 buffer_clear(&sect);
693 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
694 debug3("%s: key len %u ", __func__, rb->len);
695 buffer_put_string(&sect, rb->blob, rb->len);
696 }
697 if (buffer_len(&sect) != 0) {
698 buffer_put_char(buf, KRL_SECTION_EXPLICIT_KEY);
699 buffer_put_string(buf, buffer_ptr(&sect),
700 buffer_len(&sect));
701 }
702 buffer_clear(&sect);
703 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
704 debug3("%s: hash len %u ", __func__, rb->len);
705 buffer_put_string(&sect, rb->blob, rb->len);
706 }
707 if (buffer_len(&sect) != 0) {
708 buffer_put_char(buf, KRL_SECTION_FINGERPRINT_SHA1);
709 buffer_put_string(buf, buffer_ptr(&sect),
710 buffer_len(&sect));
711 }
712
713 for (i = 0; i < nsign_keys; i++) {
714 if (key_to_blob(sign_keys[i], &kblob, &klen) == 0)
715 goto out;
716
717 debug3("%s: signature key len %u", __func__, klen);
718 buffer_put_char(buf, KRL_SECTION_SIGNATURE);
719 buffer_put_string(buf, kblob, klen);
720
721 if (key_sign(sign_keys[i], &sblob, &slen,
722 buffer_ptr(buf), buffer_len(buf)) == -1)
723 goto out;
724 debug3("%s: signature sig len %u", __func__, slen);
725 buffer_put_string(buf, sblob, slen);
726 }
727
728 r = 0;
729 out:
730 free(kblob);
731 free(sblob);
732 buffer_free(&sect);
733 return r;
734}
735
736static void
737format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
738{
739 time_t t;
740 struct tm *tm;
741
742 t = timestamp;
743 tm = localtime(&t);
744 *ts = '\0';
745 strftime(ts, nts, "%Y%m%dT%H%M%S", tm);
746}
747
748static int
749parse_revoked_certs(Buffer *buf, struct ssh_krl *krl)
750{
751 int ret = -1, nbits;
752 u_char type, *blob;
753 u_int blen;
754 Buffer subsect;
755 u_int64_t serial, serial_lo, serial_hi;
756 BIGNUM *bitmap = NULL;
757 char *key_id = NULL;
758 Key *ca_key = NULL;
759
760 buffer_init(&subsect);
761
762 if ((blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL ||
763 buffer_get_string_ptr_ret(buf, NULL) == NULL) { /* reserved */
764 error("%s: buffer error", __func__);
765 goto out;
766 }
767 if ((ca_key = key_from_blob(blob, blen)) == NULL)
768 goto out;
769
770 while (buffer_len(buf) > 0) {
771 if (buffer_get_char_ret(&type, buf) != 0 ||
772 (blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL) {
773 error("%s: buffer error", __func__);
774 goto out;
775 }
776 buffer_clear(&subsect);
777 buffer_append(&subsect, blob, blen);
778 debug3("%s: subsection type 0x%02x", __func__, type);
779 /* buffer_dump(&subsect); */
780
781 switch (type) {
782 case KRL_SECTION_CERT_SERIAL_LIST:
783 while (buffer_len(&subsect) > 0) {
784 if (buffer_get_int64_ret(&serial,
785 &subsect) != 0) {
786 error("%s: buffer error", __func__);
787 goto out;
788 }
789 if (ssh_krl_revoke_cert_by_serial(krl, ca_key,
790 serial) != 0) {
791 error("%s: update failed", __func__);
792 goto out;
793 }
794 }
795 break;
796 case KRL_SECTION_CERT_SERIAL_RANGE:
797 if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 ||
798 buffer_get_int64_ret(&serial_hi, &subsect) != 0) {
799 error("%s: buffer error", __func__);
800 goto out;
801 }
802 if (ssh_krl_revoke_cert_by_serial_range(krl, ca_key,
803 serial_lo, serial_hi) != 0) {
804 error("%s: update failed", __func__);
805 goto out;
806 }
807 break;
808 case KRL_SECTION_CERT_SERIAL_BITMAP:
809 if ((bitmap = BN_new()) == NULL) {
810 error("%s: BN_new", __func__);
811 goto out;
812 }
813 if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 ||
814 buffer_get_bignum2_ret(&subsect, bitmap) != 0) {
815 error("%s: buffer error", __func__);
816 goto out;
817 }
818 if ((nbits = BN_num_bits(bitmap)) < 0) {
819 error("%s: bitmap bits < 0", __func__);
820 goto out;
821 }
822 for (serial = 0; serial < (u_int)nbits; serial++) {
823 if (serial > 0 && serial_lo + serial == 0) {
824 error("%s: bitmap wraps u64", __func__);
825 goto out;
826 }
827 if (!BN_is_bit_set(bitmap, serial))
828 continue;
829 if (ssh_krl_revoke_cert_by_serial(krl, ca_key,
830 serial_lo + serial) != 0) {
831 error("%s: update failed", __func__);
832 goto out;
833 }
834 }
835 BN_free(bitmap);
836 bitmap = NULL;
837 break;
838 case KRL_SECTION_CERT_KEY_ID:
839 while (buffer_len(&subsect) > 0) {
840 if ((key_id = buffer_get_cstring_ret(&subsect,
841 NULL)) == NULL) {
842 error("%s: buffer error", __func__);
843 goto out;
844 }
845 if (ssh_krl_revoke_cert_by_key_id(krl, ca_key,
846 key_id) != 0) {
847 error("%s: update failed", __func__);
848 goto out;
849 }
850 free(key_id);
851 key_id = NULL;
852 }
853 break;
854 default:
855 error("Unsupported KRL certificate section %u", type);
856 goto out;
857 }
858 if (buffer_len(&subsect) > 0) {
859 error("KRL certificate section contains unparsed data");
860 goto out;
861 }
862 }
863
864 ret = 0;
865 out:
866 if (ca_key != NULL)
867 key_free(ca_key);
868 if (bitmap != NULL)
869 BN_free(bitmap);
870 free(key_id);
871 buffer_free(&subsect);
872 return ret;
873}
874
875
876/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
877int
878ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
879 const Key **sign_ca_keys, u_int nsign_ca_keys)
880{
881 Buffer copy, sect;
882 struct ssh_krl *krl;
883 char timestamp[64];
884 int ret = -1, r, sig_seen;
885 Key *key = NULL, **ca_used = NULL;
886 u_char type, *blob;
887 u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0;
888
889 *krlp = NULL;
890 if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 ||
891 memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) {
892 debug3("%s: not a KRL", __func__);
893 /*
894 * Return success but a NULL *krlp here to signal that the
895 * file might be a simple list of keys.
896 */
897 return 0;
898 }
899
900 /* Take a copy of the KRL buffer so we can verify its signature later */
901 buffer_init(&copy);
902 buffer_append(&copy, buffer_ptr(buf), buffer_len(buf));
903
904 buffer_init(&sect);
905 buffer_consume(&copy, sizeof(KRL_MAGIC) - 1);
906
907 if ((krl = ssh_krl_init()) == NULL) {
908 error("%s: alloc failed", __func__);
909 goto out;
910 }
911
912 if (buffer_get_int_ret(&format_version, &copy) != 0) {
913 error("%s: KRL truncated", __func__);
914 goto out;
915 }
916 if (format_version != KRL_FORMAT_VERSION) {
917 error("%s: KRL unsupported format version %u",
918 __func__, format_version);
919 goto out;
920 }
921 if (buffer_get_int64_ret(&krl->krl_version, &copy) != 0 ||
922 buffer_get_int64_ret(&krl->generated_date, &copy) != 0 ||
923 buffer_get_int64_ret(&krl->flags, &copy) != 0 ||
924 buffer_get_string_ptr_ret(&copy, NULL) == NULL || /* reserved */
925 (krl->comment = buffer_get_cstring_ret(&copy, NULL)) == NULL) {
926 error("%s: buffer error", __func__);
927 goto out;
928 }
929
930 format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
931 debug("KRL version %llu generated at %s%s%s", krl->krl_version,
932 timestamp, *krl->comment ? ": " : "", krl->comment);
933
934 /*
935 * 1st pass: verify signatures, if any. This is done to avoid
936 * detailed parsing of data whose provenance is unverified.
937 */
938 sig_seen = 0;
939 sects_off = buffer_len(buf) - buffer_len(&copy);
940 while (buffer_len(&copy) > 0) {
941 if (buffer_get_char_ret(&type, &copy) != 0 ||
942 (blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
943 error("%s: buffer error", __func__);
944 goto out;
945 }
946 debug3("%s: first pass, section 0x%02x", __func__, type);
947 if (type != KRL_SECTION_SIGNATURE) {
948 if (sig_seen) {
949 error("KRL contains non-signature section "
950 "after signature");
951 goto out;
952 }
953 /* Not interested for now. */
954 continue;
955 }
956 sig_seen = 1;
957 /* First string component is the signing key */
958 if ((key = key_from_blob(blob, blen)) == NULL) {
959 error("%s: invalid signature key", __func__);
960 goto out;
961 }
962 sig_off = buffer_len(buf) - buffer_len(&copy);
963 /* Second string component is the signature itself */
964 if ((blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
965 error("%s: buffer error", __func__);
966 goto out;
967 }
968 /* Check signature over entire KRL up to this point */
969 if (key_verify(key, blob, blen,
970 buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) {
971 error("bad signaure on KRL");
972 goto out;
973 }
974 /* Check if this key has already signed this KRL */
975 for (i = 0; i < nca_used; i++) {
976 if (key_equal(ca_used[i], key)) {
977 error("KRL signed more than once with "
978 "the same key");
979 goto out;
980 }
981 }
982 /* Record keys used to sign the KRL */
983 ca_used = xrealloc(ca_used, nca_used + 1, sizeof(*ca_used));
984 ca_used[nca_used++] = key;
985 key = NULL;
986 break;
987 }
988
989 /*
990 * 2nd pass: parse and load the KRL, skipping the header to the point
991 * where the section start.
992 */
993 buffer_append(&copy, (u_char*)buffer_ptr(buf) + sects_off,
994 buffer_len(buf) - sects_off);
995 while (buffer_len(&copy) > 0) {
996 if (buffer_get_char_ret(&type, &copy) != 0 ||
997 (blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
998 error("%s: buffer error", __func__);
999 goto out;
1000 }
1001 debug3("%s: second pass, section 0x%02x", __func__, type);
1002 buffer_clear(&sect);
1003 buffer_append(&sect, blob, blen);
1004
1005 switch (type) {
1006 case KRL_SECTION_CERTIFICATES:
1007 if ((r = parse_revoked_certs(&sect, krl)) != 0)
1008 goto out;
1009 break;
1010 case KRL_SECTION_EXPLICIT_KEY:
1011 case KRL_SECTION_FINGERPRINT_SHA1:
1012 while (buffer_len(&sect) > 0) {
1013 if ((blob = buffer_get_string_ret(&sect,
1014 &blen)) == NULL) {
1015 error("%s: buffer error", __func__);
1016 goto out;
1017 }
1018 if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
1019 blen != 20) {
1020 error("%s: bad SHA1 length", __func__);
1021 goto out;
1022 }
1023 if (revoke_blob(
1024 type == KRL_SECTION_EXPLICIT_KEY ?
1025 &krl->revoked_keys : &krl->revoked_sha1s,
1026 blob, blen) != 0)
1027 goto out; /* revoke_blob frees blob */
1028 }
1029 break;
1030 case KRL_SECTION_SIGNATURE:
1031 /* Handled above, but still need to stay in synch */
1032 buffer_clear(&sect);
1033 if ((blob = buffer_get_string_ptr_ret(&copy,
1034 &blen)) == NULL) {
1035 error("%s: buffer error", __func__);
1036 goto out;
1037 }
1038 break;
1039 default:
1040 error("Unsupported KRL section %u", type);
1041 goto out;
1042 }
1043 if (buffer_len(&sect) > 0) {
1044 error("KRL section contains unparsed data");
1045 goto out;
1046 }
1047 }
1048
1049 /* Check that the key(s) used to sign the KRL weren't revoked */
1050 sig_seen = 0;
1051 for (i = 0; i < nca_used; i++) {
1052 if (ssh_krl_check_key(krl, ca_used[i]) == 0)
1053 sig_seen = 1;
1054 else {
1055 key_free(ca_used[i]);
1056 ca_used[i] = NULL;
1057 }
1058 }
1059 if (nca_used && !sig_seen) {
1060 error("All keys used to sign KRL were revoked");
1061 goto out;
1062 }
1063
1064 /* If we have CA keys, then verify that one was used to sign the KRL */
1065 if (sig_seen && nsign_ca_keys != 0) {
1066 sig_seen = 0;
1067 for (i = 0; !sig_seen && i < nsign_ca_keys; i++) {
1068 for (j = 0; j < nca_used; j++) {
1069 if (ca_used[j] == NULL)
1070 continue;
1071 if (key_equal(ca_used[j], sign_ca_keys[i])) {
1072 sig_seen = 1;
1073 break;
1074 }
1075 }
1076 }
1077 if (!sig_seen) {
1078 error("KRL not signed with any trusted key");
1079 goto out;
1080 }
1081 }
1082
1083 *krlp = krl;
1084 ret = 0;
1085 out:
1086 if (ret != 0)
1087 ssh_krl_free(krl);
1088 for (i = 0; i < nca_used; i++) {
1089 if (ca_used[i] != NULL)
1090 key_free(ca_used[i]);
1091 }
1092 free(ca_used);
1093 if (key != NULL)
1094 key_free(key);
1095 buffer_free(&copy);
1096 buffer_free(&sect);
1097 return ret;
1098}
1099
1100/* Checks whether a given key/cert is revoked. Does not check its CA */
1101static int
1102is_key_revoked(struct ssh_krl *krl, const Key *key)
1103{
1104 struct revoked_blob rb, *erb;
1105 struct revoked_serial rs, *ers;
1106 struct revoked_key_id rki, *erki;
1107 struct revoked_certs *rc;
1108
1109 /* Check explicitly revoked hashes first */
1110 bzero(&rb, sizeof(rb));
1111 if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
1112 return -1;
1113 erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
1114 free(rb.blob);
1115 if (erb != NULL) {
1116 debug("%s: revoked by key SHA1", __func__);
1117 return -1;
1118 }
1119
1120 /* Next, explicit keys */
1121 bzero(&rb, sizeof(rb));
1122 if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
1123 return -1;
1124 erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
1125 free(rb.blob);
1126 if (erb != NULL) {
1127 debug("%s: revoked by explicit key", __func__);
1128 return -1;
1129 }
1130
1131 if (!key_is_cert(key))
1132 return 0;
1133
1134 /* Check cert revocation */
1135 if (revoked_certs_for_ca_key(krl, key->cert->signature_key,
1136 &rc, 0) != 0)
1137 return -1;
1138 if (rc == NULL)
1139 return 0; /* No entry for this CA */
1140
1141 /* Check revocation by cert key ID */
1142 bzero(&rki, sizeof(rki));
1143 rki.key_id = key->cert->key_id;
1144 erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki);
1145 if (erki != NULL) {
1146 debug("%s: revoked by key ID", __func__);
1147 return -1;
1148 }
1149
1150 /*
1151 * Legacy cert formats lack serial numbers. Zero serials numbers
1152 * are ignored (it's the default when the CA doesn't specify one).
1153 */
1154 if (key_cert_is_legacy(key) || key->cert->serial == 0)
1155 return 0;
1156
1157 bzero(&rs, sizeof(rs));
1158 rs.lo = rs.hi = key->cert->serial;
1159 ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs);
1160 if (ers != NULL) {
1161 KRL_DBG(("%s: %llu matched %llu:%llu", __func__,
1162 key->cert->serial, ers->lo, ers->hi));
1163 debug("%s: revoked by serial", __func__);
1164 return -1;
1165 }
1166 KRL_DBG(("%s: %llu no match", __func__, key->cert->serial));
1167
1168 return 0;
1169}
1170
1171int
1172ssh_krl_check_key(struct ssh_krl *krl, const Key *key)
1173{
1174 int r;
1175
1176 debug2("%s: checking key", __func__);
1177 if ((r = is_key_revoked(krl, key)) != 0)
1178 return r;
1179 if (key_is_cert(key)) {
1180 debug2("%s: checking CA key", __func__);
1181 if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0)
1182 return r;
1183 }
1184 debug3("%s: key okay", __func__);
1185 return 0;
1186}
1187
1188/* Returns 0 on success, -1 on error or key revoked, -2 if path is not a KRL */
1189int
1190ssh_krl_file_contains_key(const char *path, const Key *key)
1191{
1192 Buffer krlbuf;
1193 struct ssh_krl *krl;
1194 int revoked, fd;
1195
1196 if (path == NULL)
1197 return 0;
1198
1199 if ((fd = open(path, O_RDONLY)) == -1) {
1200 error("open %s: %s", path, strerror(errno));
1201 error("Revoked keys file not accessible - refusing public key "
1202 "authentication");
1203 return -1;
1204 }
1205 buffer_init(&krlbuf);
1206 if (!key_load_file(fd, path, &krlbuf)) {
1207 close(fd);
1208 buffer_free(&krlbuf);
1209 error("Revoked keys file not readable - refusing public key "
1210 "authentication");
1211 return -1;
1212 }
1213 close(fd);
1214 if (ssh_krl_from_blob(&krlbuf, &krl, NULL, 0) != 0) {
1215 buffer_free(&krlbuf);
1216 error("Invalid KRL, refusing public key "
1217 "authentication");
1218 return -1;
1219 }
1220 buffer_free(&krlbuf);
1221 if (krl == NULL) {
1222 debug3("%s: %s is not a KRL file", __func__, path);
1223 return -2;
1224 }
1225 debug2("%s: checking KRL %s", __func__, path);
1226 revoked = ssh_krl_check_key(krl, key) != 0;
1227 ssh_krl_free(krl);
1228 return revoked ? -1 : 0;
1229}
diff --git a/krl.h b/krl.h
new file mode 100644
index 000000000..2c43f5bb2
--- /dev/null
+++ b/krl.h
@@ -0,0 +1,63 @@
1/*
2 * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $OpenBSD: krl.h,v 1.2 2013/01/18 00:24:58 djm Exp $ */
18
19#ifndef _KRL_H
20#define _KRL_H
21
22/* Functions to manage key revocation lists */
23
24#define KRL_MAGIC "SSHKRL\n\0"
25#define KRL_FORMAT_VERSION 1
26
27/* KRL section types */
28#define KRL_SECTION_CERTIFICATES 1
29#define KRL_SECTION_EXPLICIT_KEY 2
30#define KRL_SECTION_FINGERPRINT_SHA1 3
31#define KRL_SECTION_SIGNATURE 4
32
33/* KRL_SECTION_CERTIFICATES subsection types */
34#define KRL_SECTION_CERT_SERIAL_LIST 0x20
35#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
36#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
37#define KRL_SECTION_CERT_KEY_ID 0x23
38
39struct ssh_krl;
40
41struct ssh_krl *ssh_krl_init(void);
42void ssh_krl_free(struct ssh_krl *krl);
43void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
44void ssh_krl_set_sign_key(struct ssh_krl *krl, const Key *sign_key);
45void ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
46int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
47 u_int64_t serial);
48int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
49 u_int64_t lo, u_int64_t hi);
50int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
51 const char *key_id);
52int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key);
53int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key);
54int ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key);
55int ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
56 u_int nsign_keys);
57int ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
58 const Key **sign_ca_keys, u_int nsign_ca_keys);
59int ssh_krl_check_key(struct ssh_krl *krl, const Key *key);
60int ssh_krl_file_contains_key(const char *path, const Key *key);
61
62#endif /* _KRL_H */
63
diff --git a/log.c b/log.c
index ad5a10b47..d69154a67 100644
--- a/log.c
+++ b/log.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: log.c,v 1.42 2011/06/17 21:44:30 djm Exp $ */ 1/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -45,7 +45,7 @@
45#include <syslog.h> 45#include <syslog.h>
46#include <unistd.h> 46#include <unistd.h>
47#include <errno.h> 47#include <errno.h>
48#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) 48#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
49# include <vis.h> 49# include <vis.h>
50#endif 50#endif
51 51
@@ -329,6 +329,21 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
329#endif 329#endif
330} 330}
331 331
332void
333log_change_level(LogLevel new_log_level)
334{
335 /* no-op if log_init has not been called */
336 if (argv0 == NULL)
337 return;
338 log_init(argv0, new_log_level, log_facility, log_on_stderr);
339}
340
341int
342log_is_on_stderr(void)
343{
344 return log_on_stderr;
345}
346
332#define MSGBUFSIZ 1024 347#define MSGBUFSIZ 1024
333 348
334void 349void
diff --git a/log.h b/log.h
index 1b8d2142b..e3e328b06 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: log.h,v 1.18 2011/06/17 21:44:30 djm Exp $ */ 1/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -49,6 +49,8 @@ typedef enum {
49typedef void (log_handler_fn)(LogLevel, const char *, void *); 49typedef void (log_handler_fn)(LogLevel, const char *, void *);
50 50
51void log_init(char *, LogLevel, SyslogFacility, int); 51void log_init(char *, LogLevel, SyslogFacility, int);
52void log_change_level(LogLevel);
53int log_is_on_stderr(void);
52 54
53SyslogFacility log_facility_number(char *); 55SyslogFacility log_facility_number(char *);
54const char * log_facility_name(SyslogFacility); 56const char * log_facility_name(SyslogFacility);
diff --git a/loginrec.c b/loginrec.c
index 32941c985..f9662fa5c 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -180,10 +180,6 @@
180# include <util.h> 180# include <util.h>
181#endif 181#endif
182 182
183#ifdef HAVE_LIBUTIL_H
184# include <libutil.h>
185#endif
186
187/** 183/**
188 ** prototypes for helper functions in this file 184 ** prototypes for helper functions in this file
189 **/ 185 **/
diff --git a/mac.c b/mac.c
index 9b450e4e2..3f2dc6f2a 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */ 1/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -48,6 +48,7 @@
48 48
49#define SSH_EVP 1 /* OpenSSL EVP-based MAC */ 49#define SSH_EVP 1 /* OpenSSL EVP-based MAC */
50#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ 50#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
51#define SSH_UMAC128 3
51 52
52struct { 53struct {
53 char *name; 54 char *name;
@@ -56,19 +57,36 @@ struct {
56 int truncatebits; /* truncate digest if != 0 */ 57 int truncatebits; /* truncate digest if != 0 */
57 int key_len; /* just for UMAC */ 58 int key_len; /* just for UMAC */
58 int len; /* just for UMAC */ 59 int len; /* just for UMAC */
60 int etm; /* Encrypt-then-MAC */
59} macs[] = { 61} macs[] = {
60 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, 62 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
61 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, 63 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
64 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
62#ifdef HAVE_EVP_SHA256 65#ifdef HAVE_EVP_SHA256
63 { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, 66 { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
64 { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, 67 { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
65#endif 68#endif
66 { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, 69 { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 },
67 { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, 70 { "hmac-md5-96", SSH_EVP, EVP_md5, 96, 0, 0, 0 },
68 { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, 71 { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
69 { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, 72 { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
70 { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, 73 { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 0 },
71 { NULL, 0, NULL, 0, -1, -1 } 74 { "umac-128@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 0 },
75
76 /* Encrypt-then-MAC variants */
77 { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
78 { "hmac-sha1-96-etm@openssh.com", SSH_EVP, EVP_sha1, 96, 0, 0, 1 },
79#ifdef HAVE_EVP_SHA256
80 { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
81 { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
82#endif
83 { "hmac-md5-etm@openssh.com", SSH_EVP, EVP_md5, 0, 0, 0, 1 },
84 { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 },
85 { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
86 { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 },
87 { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 },
88
89 { NULL, 0, NULL, 0, 0, 0, 0 }
72}; 90};
73 91
74static void 92static void
@@ -88,6 +106,7 @@ mac_setup_by_id(Mac *mac, int which)
88 } 106 }
89 if (macs[which].truncatebits != 0) 107 if (macs[which].truncatebits != 0)
90 mac->mac_len = macs[which].truncatebits / 8; 108 mac->mac_len = macs[which].truncatebits / 8;
109 mac->etm = macs[which].etm;
91} 110}
92 111
93int 112int
@@ -122,6 +141,9 @@ mac_init(Mac *mac)
122 case SSH_UMAC: 141 case SSH_UMAC:
123 mac->umac_ctx = umac_new(mac->key); 142 mac->umac_ctx = umac_new(mac->key);
124 return 0; 143 return 0;
144 case SSH_UMAC128:
145 mac->umac_ctx = umac128_new(mac->key);
146 return 0;
125 default: 147 default:
126 return -1; 148 return -1;
127 } 149 }
@@ -151,6 +173,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
151 umac_update(mac->umac_ctx, data, datalen); 173 umac_update(mac->umac_ctx, data, datalen);
152 umac_final(mac->umac_ctx, m, nonce); 174 umac_final(mac->umac_ctx, m, nonce);
153 break; 175 break;
176 case SSH_UMAC128:
177 put_u64(nonce, seqno);
178 umac128_update(mac->umac_ctx, data, datalen);
179 umac128_final(mac->umac_ctx, m, nonce);
180 break;
154 default: 181 default:
155 fatal("mac_compute: unknown MAC type"); 182 fatal("mac_compute: unknown MAC type");
156 } 183 }
@@ -163,6 +190,9 @@ mac_clear(Mac *mac)
163 if (mac->type == SSH_UMAC) { 190 if (mac->type == SSH_UMAC) {
164 if (mac->umac_ctx != NULL) 191 if (mac->umac_ctx != NULL)
165 umac_delete(mac->umac_ctx); 192 umac_delete(mac->umac_ctx);
193 } else if (mac->type == SSH_UMAC128) {
194 if (mac->umac_ctx != NULL)
195 umac128_delete(mac->umac_ctx);
166 } else if (mac->evp_md != NULL) 196 } else if (mac->evp_md != NULL)
167 HMAC_cleanup(&mac->evp_ctx); 197 HMAC_cleanup(&mac->evp_ctx);
168 mac->evp_md = NULL; 198 mac->evp_md = NULL;
diff --git a/moduli b/moduli
index 3bb155de9..49f76ee98 100644
--- a/moduli
+++ b/moduli
@@ -1,206 +1,199 @@
1# $OpenBSD: moduli,v 1.7 2012/07/20 00:39:57 dtucker Exp $ 1# $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $
2# Time Type Tests Tries Size Generator Modulus 2# Time Type Tests Tries Size Generator Modulus
320120705004026 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844A94DCF 320120821044040 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A770E2EC9F
420120705004028 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844B1694B 420120821044046 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7711F2C6B
520120705004036 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844E34093 520120821044047 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771225323
620120705004039 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844F41247 620120821044048 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712507AB
720120705004040 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242844F8B39B 720120821044050 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712A2DB3
820120705004042 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284500D22F 820120821044051 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7712CACEF
920120705004044 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284504854B 920120821044053 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7713959C3
1020120705004047 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428451642A3 1020120821044057 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7715BBA13
1120120705004049 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428451B31D3 1120120821044103 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77191592F
1220120705004052 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428452B05CB 1220120821044104 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771938E1F
1320120705004053 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428452BB06B 1320120821044106 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771A1E127
1420120705004057 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284544D6EF 1420120821044108 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771B3CDFB
1520120705004101 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428454FBFBF 1520120821044109 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771B71913
1620120705004103 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284556870F 1620120821044111 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771C2759F
1720120705004104 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455A1DCF 1720120821044113 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771CF8ABF
1820120705004106 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455A71F3 1820120821044114 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771D2B49B
1920120705004107 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428455C229B 1920120821044116 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771DF6193
2020120705004109 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845624C8F 2020120821044117 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771E67E33
2120120705004111 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845650AD7 2120120821044120 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A771FA581B
2220120705004113 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284572AE77 2220120821044121 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772027DDB
2320120705004116 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428457F0DE7 2320120821044123 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772093F8B
2420120705004119 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428458D623F 2420120821044124 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7720EEF6F
2520120705004121 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284598C1BF 2520120821044125 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77216CAD7
2620120705004122 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284598FF9F 2620120821044126 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77219A90B
2720120705004127 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845B559BF 2720120821044129 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7722A0103
2820120705004129 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845BA77E7 2820120821044130 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772343DBF
2920120705004131 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845C3989F 2920120821044133 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772460C3F
3020120705004132 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845C5A23F 3020120821044137 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7726A4E0F
3120120705004134 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845CAF1DB 3120120821044138 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772716D8B
3220120705004136 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D1CB5B 3220120821044141 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A7728D719B
3320120705004137 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845D4528F 3320120821044143 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A77297AA8B
3420120705004139 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845DCBCB3 3420120821044145 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772A8794B
3520120705004143 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845EE91B7 3520120821044147 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772B4D6AB
3620120705004144 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845EFF1A7 3620120821044149 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772BD325F
3720120705004145 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F363FB 3720120821044150 2 6 100 1023 5 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772BDAE07
3820120705004146 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F3738B 3820120821044151 2 6 100 1023 2 D9277DAA27DB131C03B108D41A76B4DA8ACEECCCAE73D2E48CEDAAA70B09EF9F04FB020DCF36C51B8E485B26FABE0337E24232BE4F4E693548310244937433FB1A5758195DC73B84ADEF8237472C46747D79DC0A2CF8A57CE8DBD8F466A20F8551E7B1B824B2E4987A8816D9BC0741C2798F3EBAD3ADEBCC78FCE6A772C95CE3
3920120705004148 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242845F437CF 3920120821044502 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96361507
4020120705004150 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284601A3BF 4020120821044515 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F965885BF
4120120705004152 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284603421F 4120120821044519 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F966006C7
4220120705004153 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284605C5B7 4220120821044528 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9674A0EB
4320120705004155 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428460AF7CB 4320120821044539 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969457F3
4420120705004159 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846266533 4420120821044544 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F969BE79B
4520120705004201 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846287DD3 4520120821044606 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F96E1E827
4620120705004204 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846397273 4620120821044623 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9714284B
4720120705004206 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284646FA83 4720120821044630 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97231CB7
4820120705004207 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA6242846475ED3 4820120821044636 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F972E01DF
4920120705004210 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284651649F 4920120821044647 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974BCED3
5020120705004212 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659876B 5020120821044650 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974C3A43
5120120705004213 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284659F8F3 5120120821044653 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F974E8F73
5220120705004214 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428465BD413 5220120821044701 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9763403B
5320120705004216 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428465F222B 5320120821044705 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9767666B
5420120705004217 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA624284660995B 5420120821044708 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9768D81F
5520120705004221 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428467B9247 5520120821044726 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F979FD437
5620120705004227 2 6 100 1023 5 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428468DAF87 5620120821044729 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97A29BC7
5720120705004230 2 6 100 1023 2 C9398FAC691CA974CDDD9E4254BD438A42F3294EB2EEAD1952EE1528921C54074519CCDAE5247550B94BCEF27A4C068DFF9135619D258C7AB9924231177BC6906A04CA6C2EA550D6F9EFCA41F5A0BB29E2DB461FE3E7B10B40737D6B5BA00078628B09353C87C1B23502F7B88265C56C935681E48FD982A68EA62428468E1A13 5720120821044732 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97A56447
5820120705004838 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7205887 5820120821044737 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97AEDBDB
5920120705004853 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F73B39C7 5920120821044740 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97B187F3
6020120705004937 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7A3E153 6020120821044746 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97BC6EE3
6120120705005002 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7DB4473 6120120821044757 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F97DCCDEB
6220120705005017 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F7F7293F 6220120821044817 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F981975F7
6320120705005025 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F802FE8B 6320120821044831 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F983EC267
6420120705005048 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F836B5D3 6420120821044841 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F985A032F
6520120705005117 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F878CDEB 6520120821044846 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9863B0AB
6620120705005122 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F87AB3EB 6620120821044852 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F986E5C7F
6720120705005140 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F89EAA43 6720120821044911 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98A8FF6B
6820120705005148 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8AA75F3 6820120821044917 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98B40E4B
6920120705005201 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8C2EAAB 6920120821044924 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98C5840F
7020120705005215 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8DEAC73 7020120821044940 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F98F22CEB
7120120705005221 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8E3C303 7120120821044947 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99040FFF
7220120705005231 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F8F51EFF 7220120821044954 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99139AE3
7320120705005246 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F9115B97 7320120821045010 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9940BEFB
7420120705005317 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F95737CF 7420120821045017 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9954379F
7520120705005324 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F960A5F7 7520120821045020 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99548C23
7620120705005339 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F97DBAB3 7620120821045023 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99562FC3
7720120705005353 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8F999A9CF 7720120821045028 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9960CDCF
7820120705005453 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA253557 7820120821045038 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F997AC0B3
7920120705005516 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA597D23 7920120821045045 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F998D9B6B
8020120705005521 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FA5B9B1B 8020120821045050 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9994BB77
8120120705005600 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FAB57F73 8120120821045059 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99AC001B
8220120705005606 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FABBBAFB 8220120821045101 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99AC5547
8320120705005632 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FAF58CB3 8320120821045107 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99B86567
8420120705005640 2 6 100 1535 2 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB01659B 8420120821045110 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99BA2677
8520120705005645 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB04D9E7 8520120821045128 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F99EF4523
8620120705005659 2 6 100 1535 5 E78D0311A0270EFB6AFA3D49C4F29AFBD1F6E17F09EF7C478453B0AC3569217D11C976B33A34B1455AF42C925882D5F7B37DE14F96EAFA62819815B9C023647FAA7C00A26B88EF6F1D4791BA4AFB3C41E7F09C79742FEB04897DDCCDA6CB75BCA573228359359397BDD1B054FC6B900829A4914E939F813E09DDFE94783F2739EB19D59E921881C601B2401E553972C47E93FBC5410B3712E936C9EA2255445A1E5312D6E6DBE4B7DBF69C1C6F366E91DDDDD04E67C9A5F7FD6E18C8FB205C67 8620120821045154 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A419DAB
8720120705011229 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205DA381EB 8720120821045214 2 6 100 1535 5 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A7D1E67
8820120705011307 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205DAEFA5B 8820120821045218 2 6 100 1535 2 D1391174233D315398FE2830AC6B2B66BCCD01B0A634899F339B7879F1DB85712E9DC4E4B1C6C8355570C1D2DCB53493DF18175A9C53D1128B592B4C72D97136F5542FEB981CBFE8012FDD30361F288A42BD5EBB08BAB0A5640E1AC48763B2ABD1945FEE36B2D55E1D50A1C86CED9DD141C4E7BE2D32D9B562A0F8E2E927020E91F58B57EB9ACDDA106A59302D7E92AD5F6E851A45FA1CFE86029A0F727F65A8F475F33572E2FDAB6073F0C21B8B54C3823DB2EF068927E5D747498F9A826443
8920120705011647 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205E09B2B7 8920120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
9020120705011825 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205E30C613 9020120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
9120120705011957 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205E5B7E3F 9120120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
9220120705012217 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205E9ED607 9220120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
9320120705012259 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205EB4E9E3 9320120821050118 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293682361D5F
9420120705012319 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205EBDF313 9420120821050218 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936828ADA17
9520120705012338 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205EC9AD5F 9520120821050243 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293682A8A7CB
9620120705012817 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205F79773F 9620120821050427 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368341AC87
9720120705012947 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205FB2897B 9720120821050515 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936837F8657
9820120705013020 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D205FC0CFAB 9820120821050545 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293683A3DFD3
9920120705013559 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20606541A3 9920120821050554 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293683A9635F
10020120705013637 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206078A9DF 10020120821050636 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293683DF582B
10120120705013859 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2060C181BB 10120120821050648 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293683E86803
10220120705014010 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2060DFB1BB 10220120821050758 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684495A13
10320120705014101 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2060F217A3 10320120821050807 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936844FAB5B
10420120705014248 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2061182263 10420120821050849 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368486D99B
10520120705014325 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2061214FC3 10520120821050916 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684A776A7
10620120705014539 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206162E447 10620120821050942 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684C4FF73
10720120705014658 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206186D1F3 10720120821051003 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684DB980F
10820120705014856 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2061D0EF73 10820120821051010 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293684DD4FBF
10920120705015000 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2062023BFB 10920120821051158 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685721537
11020120705015045 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20621EDDEB 11020120821051206 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685768253
11120120705015234 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2062752373 11120120821051231 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685930F13
11220120705015345 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2062B97207 11220120821051240 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685987B0B
11320120705015734 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20636C6B0F 11320120821051324 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685D5E36B
11420120705015750 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2063752183 11420120821051349 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293685F3AB7F
11520120705015806 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20637DAF9B 11520120821051424 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686206187
11620120705015900 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2063B134BB 11620120821051516 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368668EB4B
11720120705015921 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2063C148EB 11720120821051540 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368686EB87
11820120705020044 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20640F2047 11820120821051622 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686BCCF13
11920120705020232 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20647E3FEB 11920120821051703 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686F13B9F
12020120705020339 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2064C2CC83 12020120821051715 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293686FB2D4F
12120120705020502 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2065162F7B 12120120821051837 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936876ED7DF
12220120705020512 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D2065194343 12220120821051843 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936876F05DB
12320120705020523 2 6 100 2047 2 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D20651C2E2B 12320120821051930 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293687AEDE8F
12420120705020541 2 6 100 2047 5 F40926C361E350C4310F5B3D226E71AEC07A03D75D888F970ABA8668618ED65C320792C35505B25AB099C9DB0EAFE3CD8A831A9B54F68F68C48EF3282593342D5B7529949B37B29D99EBF2DC8B454F02354772A10041B7F150A6181C103244FC53E52DC4DE433853E8363FCDA31A8F9B0C245C5B5F2B341877A37854FAC42141C6F1FB8B8514E21672C4462FFEEDFA979469B68FC868E646F29CF8775D2087E01603C5BA5C628DFF0B30C8F3E66EFB13176CC4564AB386578DF555549A80E04F537BA0E235919AB75D2B48F69C29E0F3784A25A97BB8189059FAEBA055797808FA6E3566F8A7D3E7C5E0754B23EAA38441B0F1A563EEC2FF7D374D206528BA2F 12420120821052131 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293688637CFF
12520120705021818 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54165EF071CF 12520120821053137 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942284EA9F
12620120705022441 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54165F6DCFB7 12620120821053209 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94228B7F67
12720120705024326 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541660E5F72B 12720120821053317 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9422A2B3C7
12820120705025034 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416617271AB 12820120821053841 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94232DEF87
12920120705025525 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541661CDD5AF 12920120821054039 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942359AB7B
13020120705025705 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541661E6A71F 13020120821054334 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9423A371A7
13120120705025752 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541661EE2413 13120120821054455 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9423C1CEEF
13220120705030403 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541662662DC7 13220120821054844 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9424273F1F
13320120705030432 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416626728EF 13320120821055307 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9424987667
13420120705030953 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541662CA2463 13420120821055436 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9424B90BAB
13520120705031728 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416635CAC93 13520120821055700 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9424F6C7CF
13620120705032458 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541663EC109F 13620120821060224 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94258ADCEF
13720120705032902 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166431CB8F 13720120821060334 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9425A1FCEB
13820120705033016 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166441BDC3 13820120821060420 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9425AEBF43
13920120705033652 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541664BF1503 13920120821060927 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942634C34F
14020120705033740 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541664C48A73 14020120821061829 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94272F0D4F
14120120705034025 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541664F440CF 14120120821062020 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94275B00B7
14220120705034138 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541665048ECB 14220120821062241 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9427941F5F
14320120705034458 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416653F1BC7 14320120821063416 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9428D5E367
14420120705040416 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541666BE5B43 14420120821063648 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942917E127
14520120705041326 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416676F9AD3 14520120821064052 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9429825A2B
14620120705041429 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA5416677BBDD7 14620120821064951 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942A74C4EB
14720120705041928 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541667DA5427 14720120821065736 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942B4640D3
14820120705042013 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA541667E0CDA7 14820120821071146 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942CCD6D1B
14920120705044833 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166A1D45AB 14920120821071337 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942CF9321B
15020120705045307 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166A71DD37 15020120821072545 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF942E48654F
15120120705050710 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166B8634A3 15120120821075022 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9430F1B6A3
15220120705051048 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166BC572CB 15220120821080229 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9432356F63
15320120705051219 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166BDA113F 15320120821081230 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF94333D9363
15420120705051634 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166C28FFCB 15420120821081746 2 6 100 3071 5 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9433C6A7A7
15520120705052331 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166CAA425B 15520120821081811 2 6 100 3071 2 DFAA35D35531E0F524F0099877A482D2AC8D589F374394A262A8E81A8A4FB2F65FADBAB395E05D147B29D486DFAA41F41597A256DA82A8B6F76401AED53D0253F956CEC610D417E42E3B287F7938FC24D8821B40BFA218A956EB7401BED6C96C68C7FD64F8170A8A76B953DD2F05420118F6B144D8FE48060A2BCB85056B478EDEF96DBC70427053ECD2958C074169E9550DD877779A3CF17C5AC850598C7586BEEA9DCFE9DD2A5FB62DF5F33EA7BC00CDA31B9D2DD721F979EA85B6E63F0C4E30BDDCD3A335522F9004C4ED50B15DC537F55324DD4FA119FB3F101467C6D7E1699DE4B3E3C478A8679B8EB3FA5C9B826B44530FD3BE9AD3063B240B0C853EBDDBD68DD940332D98F148D5D9E1DC977D60A0D23D0CA1198637FEAE4E7FAAC173AF2B84313A666CFB4EE6972811921D0AD867CE57F3BBC8D6CB057E3B66757BB46C9F72662624D44E14528327E3A7100E81A12C43C4E236118318CD90C8AA185BBB0C764826DAEAEE8DD245C5B451B4944E6122CC522D1C335C2EEF9433C94C93
15620120705052812 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166D041A0B 15620120821084945 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45B27D047
15720120705053701 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166DA81DB7 15720120821091240 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45C370A33
15820120705055127 2 6 100 3071 5 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166EC251D7 15820120821092428 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45CBB9FBB
15920120705055500 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F01CF6B 15920120821093047 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45D001E73
16020120705055603 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F0EF763 16020120821095420 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45E104D6F
16120120705055831 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F39358B 16120120821095624 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45E21E2BF
16220120705060133 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F5FDC7B 16220120821102749 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA45F9B1B7B
16320120705060444 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F8017B3 16320120821105854 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4610E205F
16420120705060616 2 6 100 3071 2 D890FD65E29157CFC7DDEE6D3593A43B0FABAD7638B24BFB0E58470A19C3CABAE86077D2C8B6BC113A7D01DC52820B4325F8EDF001A95AD2153A9CA5C2CFE131FE8472608D36D5252AF9B8C7438974D569147CFEC5D1CE0C492E7629CCE2277A85FF32B7D8051F901241B34277318752D75D3BDEC041C37E22FFA4859F52A875B2A01727978E6BABF8E4570383ECE6C8F4A8D0EFDE7894D92891E4B62B9CD31061E50177162AE78C2CFE8EF850721EFB79EC61560806F40A6EA84E40A430EE82D5737C4456B03126E4AA7C6E291612D433BB255B2F96A9C2C75B437EC79FD386A0984D6BECA43C7D5B5A91A1642E787911BD9D42A0E8E264E8317EB7E86E679787DD4D1FA0D7B39E94070123B186247B6710C0BB11FAC8589D196831D2AC1DCF25CAE16874740D310CC40A9F3C91B09A86112ACA4E62FAE3986896A4B8132AE3F2CE11B0B21DE147168E3E27FF0067C8787D5C930D6F05AF47A7BC8C59F34F17CC28C39207DFC14B9DA5C61C1B0D18E87662427DCBCF254B3BDA54166F8A763B 16420120821110658 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA461631FBF
16520120705074615 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E404D4A9FF 16520120821110744 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA461635E3B
16620120705075624 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E405259C43 16620120821115206 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4636E0DF7
16720120705075814 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4052CF1E3 16720120821121256 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4645F38B3
16820120705082750 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E405CAF157 16820120821121421 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46467609B
16920120705091841 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40777DB37 16920120821122649 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA464F87D6B
17020120705094647 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40863BD9B 17020120821122854 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46508F94B
17120120705113042 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40BE821C7 17120120821125200 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4661CBC5B
17220120705113614 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40C0EADAB 17220120821130613 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA466BC6B33
17320120705113856 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40C1D4D93 17320120821131115 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA466ED9CC7
17420120705115824 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40CBE3D6B 17420120821132817 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA467B278B3
17520120705122406 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40D792E73 17520120821135349 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA468D8351B
17620120705123711 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40DDA1F9F 17620120821141206 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA469A817A7
17720120705124452 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40E149903 17720120821144909 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46B488EF7
17820120705133408 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40F205063 17820120821150021 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46BC5D5E7
17920120705133854 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40F36CB23 17920120821153843 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46D774723
18020120705140912 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E40FF3C14B 18020120821162006 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA46F5488DB
18120120705151048 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41130009B 18120120821170404 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA47157A067
18220120705154517 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E411EA83DB 18220120821173305 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA472A1E94B
18320120705155613 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4123EC08F 18320120821173936 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA472E0E57F
18420120705162202 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4130DF347 18420120821174533 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4731F7433
18520120705162423 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41319263F 18520120821180053 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA473C7CE3F
18620120705163533 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4136A686F 18620120821180952 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4742A8237
18720120705170312 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4144BD02B 18720120821181124 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA474343C5B
18820120705175100 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E415E0D6BB 18820120821183540 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4754D89DB
18920120705190344 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E418110983 18920120821183852 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA47569B47F
19020120705191532 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4186E4BE3 19020120821184512 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA475AC57DB
19120120705193904 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41933A90B 19120120821184603 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA475AD78CB
19220120705201440 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41A1607FF 19220120821184701 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA475B0038F
19320120705202233 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41A3C4B5F 19320120821185939 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA4763BD72F
19420120705204542 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41AFA0127 19420120821190630 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA476853BB7
19520120705205809 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41B59BD9B 19520120821190945 2 6 100 4095 2 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA476A47843
19620120705213138 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41C73B903 19620120821195501 2 6 100 4095 5 EF07B0F39662DC8600224E46AB8BE8CB72E552D52E88013D20EC039A0697ED9AAD018B16F0B910D4AD54437B8585AAA4EAE0CE216E31F50EDF0CD05DAF5E02A73D399C91B38220EC3B62C42D1CF6BF06378533A70C1F8F4F4416DD542213D3432412125FDBFF7B9473CE6F8812D860E66282C9F34C1774D1EA57D54DADDF7E37A12C4A6AD5B4A30128C29D27D03B6535C0F7A8AF857E18ECAB992984E6D546918AAACB971A2AC2C2E7AF79A9547979E6342DB7443985E5F7EDF6F9F22B600EEB42CB84A5F1ACD76E213C52E3052DAE1A9119801CFA28E6EFD4F6BC35FA06C8724D78A96AF054826C0BF865D0EC5F6F4D31C1D3F7CF2FE6F16AF267A7BA04753AEF420D4D8C36BCE8D9694814B9E9C3DF468064EB5636405C71CA9D8D50D36570B42639C9C2C02FB3A3D0C6B28DD200B0AF164C621D60B12E35E4D00129C8900F6EFDBB49FF34DD64CB13CD4087A7F84FEFD77D4E8099C2B804BA643EAFCA66D1F02BD09AE44AC83A5149F60711B7B108C01D53FF15FA59B36BE62A870F163F5063CEE103B377808343AFBD32271199E26D93734011BED2305EDE2E841EAD512E23B8C9B8CD4D398C7B4C8B76B355CC150B66B8EB7779E2CA519E10E45D0FB138676850C56F23DB135F546D364B92BC1C9423E089D30D4D57D27D7885EE14AE135A488C0542C3719FBEF46F4BB5FB53A28DA26DDF84C8BC55348A8AA478A96AEF
19720120705214528 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41CE1ACFB
19820120705215449 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41D2A1E9B
19920120705225456 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41F236C7F
20020120705231339 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E41FB99943
20120120705232933 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E4203D8FB3
20220120705233827 2 6 100 4095 2 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E420804A5B
20320120705234448 2 6 100 4095 5 DFFB779B102B10577B70CDEE209CFAB26C1253293E8D5276DBAC95D03FCBD38E8A848E936A1CB8030EBC8E2C34EAC58F80CC9CCF8791D989809E2B4AB5CC21CCA57AAA4A5BB1790A0285F2E221F5F2E3432D7FE997B5E128AC60AE4D96D64D578F0E00AD9A784A66669CC98A6313A453D8071AA32C0CCFFE0F563A39478DE745FBE68390AE208F9A1927E205527C34E903C9392DFBB15172842B60C0F7DD073B9AFDA8DED1110031323DE355D245DCA105739D476C83F9FC1CB2DADAEB3858E1A5958B2A878EC1D7AF9DE6191A324B0370C84E092157E46BBF7743DE32A6F935F64A6855CFF6D48B6312C4CB90C057BE850A14377042080D370219B0677961112B926D69780F82EE3292619A074E22EFF9D919D01D872079A94BF8CBD98E700D63B5C33409B070133AB2D09AA175215F80D5D64290D74059955EE9CFE7E7CF7E83C51DFE9822BDC92F5447AF88BB944A812607D9A1508885EAAF1FE5C42779085F0D831E21A689C141D769E423F42B5CE2BFE8DB4AE13808AD146903A8322D895306C34285BAB6EF9B4DC9498051F5246CD9716D6E00BCB255CDCFCE603EB54C0D9ABFB187FBFE9FC2D456624D7A9415D1D9022B4AE86045AD1FA073400A8F85F6469B609666B0E78A5BCE8B02825A7F9CE33776BD068F2B4626472EADFED316CF2F2CEDFFF966A9D5C30B41C1ABD5DBFBE29F0953292A6C96ADF8E420AC9D9F
20420120705232031 2 6 100 6143 2 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B241215BB 19720120705232031 2 6 100 6143 2 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B241215BB
20520120705233800 2 6 100 6143 2 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B246EC93B 19820120705233800 2 6 100 6143 2 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B246EC93B
20620120706002709 2 6 100 6143 5 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B2582B477 19920120706002709 2 6 100 6143 5 EEBCAD36F686DDEB790C1EBDF6C6355A4EEB95435785FAC26C1DDBBD0D3C284AB5B4A1D5BA22131604AAE087D8B9431038CDA76DAA9E1C8D10793F53374FDF26489D38FF13188B6961B86E44A065D2FADEFC6C9496350AFA4129C9FD1B6B321E6053A6C645978C151D623C1106FE6669C220690B637F6259522F88250CC2B1B7F170706E9CE741F6E26BB4E86FB6822B13D8A7CE99FEF5CD66EF08310ECE5CC86648BD90E1DC59332505579116D3F3C8314065DC1319BEA133ED809903CA4949905C3D21619217816465E964768FFE76BC962AACBC8FF13477990A81C8759BBE95DFFA22E299F7C0F79A0EA7C44B28E8AB96149CC213E7C886E3D0A2230D7A4176749D6EDD6FCA2F5F3E2BD10392BC818CFB25C696C1EC14CE6F23CDB6C3DA2ED77E098A874799EB65F82A4EAF85CA0C9E68278381AF964AA5816B2CDA8E1ABB2954C02F641E1F374563B0F9DBF2F1B6D8168558BB971C8F48668A8034F82908D45D4D9A9072375D00AE0D5D442C6E6B6B2E7280C104C7675FDB0795DD0D3273E74BDC7B243B7604447502EB1572A273ABA0032CDB754345B1ACDF17B5AEDA45B661DBEFDA084B1427F94C8EA62BAB6A1E05DED8F2F706445879F15FB096996765238B6B546FDE5F219B5B85B31E804A989C4959600998A03572FB59DC150714BDB0C71A236497AE79871FBEFCAFFF34D2DF0142F2AF3C9C5D92F5FC7A61A27FF9AA1EADDF3552A2BED2CC4D19FB0F67DCC02744947A42FE10B338A3A8E634B413AE46C4E644DD5934D5820C9714656171A02BBCA25AED1CCD9EB9BEF9C63E7E966B0E2E47146191ECA452588FA2AFF50AF25FABAF83E143D47A651BD9B9C37CF5D6319FDCBC2F5D4B76D07B52D857FDE48FD983F06B531F7D316E2961E17D358FE6556C82C2E78C1D9CCF68760EFD8CC692E8912914781651D834C0C766B3D71C07C91AB93619E0C06385CFAC6FA18E1DEC7F3C5EE92C906CC49A4786D24CDB4F5656DE60F1F4412367B16BDA68DA368218C16E30C48366A8C0FDFA6E708E3353B8471402A42E594903774A65EA7AB5A83D08AD10D34DB38201B44B2582B477
diff --git a/moduli.0 b/moduli.0
index bf510de32..77dfa4295 100644
--- a/moduli.0
+++ b/moduli.0
@@ -25,7 +25,7 @@ DESCRIPTION
25 25
26 0 Unknown, not tested. 26 0 Unknown, not tested.
27 2 "Safe" prime; (p-1)/2 is also prime. 27 2 "Safe" prime; (p-1)/2 is also prime.
28 4 Sophie Germain; (p+1)*2 is also prime. 28 4 Sophie Germain; 2p+1 is also prime.
29 29
30 Moduli candidates initially produced by ssh-keygen(1) 30 Moduli candidates initially produced by ssh-keygen(1)
31 are Sophie Germain primes (type 4). Further primality 31 are Sophie Germain primes (type 4). Further primality
@@ -66,7 +66,9 @@ DESCRIPTION
66SEE ALSO 66SEE ALSO
67 ssh-keygen(1), sshd(8) 67 ssh-keygen(1), sshd(8)
68 68
69 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer 69STANDARDS
70 Protocol, RFC 4419, 2006. 70 M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
71 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
72 2006.
71 73
72OpenBSD 5.2 October 14, 2010 OpenBSD 5.2 74OpenBSD 5.3 September 26, 2012 OpenBSD 5.3
diff --git a/moduli.5 b/moduli.5
index 0e01b9414..ef0de0850 100644
--- a/moduli.5
+++ b/moduli.5
@@ -1,4 +1,4 @@
1.\" $OpenBSD: moduli.5,v 1.15 2010/10/14 20:41:28 jmc Exp $ 1.\" $OpenBSD: moduli.5,v 1.17 2012/09/26 17:34:38 jmc Exp $
2.\" 2.\"
3.\" Copyright (c) 2008 Damien Miller <djm@mindrot.org> 3.\" Copyright (c) 2008 Damien Miller <djm@mindrot.org>
4.\" 4.\"
@@ -13,7 +13,7 @@
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.Dd $Mdocdate: October 14 2010 $ 16.Dd $Mdocdate: September 26 2012 $
17.Dt MODULI 5 17.Dt MODULI 5
18.Os 18.Os
19.Sh NAME 19.Sh NAME
@@ -61,7 +61,7 @@ Unknown, not tested.
61.It 2 61.It 2
62"Safe" prime; (p-1)/2 is also prime. 62"Safe" prime; (p-1)/2 is also prime.
63.It 4 63.It 4
64Sophie Germain; (p+1)*2 is also prime. 64Sophie Germain; 2p+1 is also prime.
65.El 65.El
66.Pp 66.Pp
67Moduli candidates initially produced by 67Moduli candidates initially produced by
@@ -115,8 +115,13 @@ that best meets the size requirement.
115.Sh SEE ALSO 115.Sh SEE ALSO
116.Xr ssh-keygen 1 , 116.Xr ssh-keygen 1 ,
117.Xr sshd 8 117.Xr sshd 8
118.Sh STANDARDS
118.Rs 119.Rs
120.%A M. Friedl
121.%A N. Provos
122.%A W. Simpson
123.%D March 2006
119.%R RFC 4419 124.%R RFC 4419
120.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" 125.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
121.%D 2006 126.%D 2006
122.Re 127.Re
diff --git a/monitor.c b/monitor.c
index ed598ce35..d7a782f89 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ 1/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -201,6 +201,7 @@ static int key_blobtype = MM_NOKEY;
201static char *hostbased_cuser = NULL; 201static char *hostbased_cuser = NULL;
202static char *hostbased_chost = NULL; 202static char *hostbased_chost = NULL;
203static char *auth_method = "unknown"; 203static char *auth_method = "unknown";
204static char *auth_submethod = NULL;
204static u_int session_id2_len = 0; 205static u_int session_id2_len = 0;
205static u_char *session_id2 = NULL; 206static u_char *session_id2 = NULL;
206static pid_t monitor_child_pid; 207static pid_t monitor_child_pid;
@@ -361,7 +362,7 @@ void
361monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 362monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
362{ 363{
363 struct mon_table *ent; 364 struct mon_table *ent;
364 int authenticated = 0; 365 int authenticated = 0, partial = 0;
365 366
366 debug3("preauth child monitor started"); 367 debug3("preauth child monitor started");
367 368
@@ -392,8 +393,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
392 393
393 /* The first few requests do not require asynchronous access */ 394 /* The first few requests do not require asynchronous access */
394 while (!authenticated) { 395 while (!authenticated) {
396 partial = 0;
395 auth_method = "unknown"; 397 auth_method = "unknown";
398 auth_submethod = NULL;
396 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); 399 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
400
401 /* Special handling for multiple required authentications */
402 if (options.num_auth_methods != 0) {
403 if (!compat20)
404 fatal("AuthenticationMethods is not supported"
405 "with SSH protocol 1");
406 if (authenticated &&
407 !auth2_update_methods_lists(authctxt,
408 auth_method)) {
409 debug3("%s: method %s: partial", __func__,
410 auth_method);
411 authenticated = 0;
412 partial = 1;
413 }
414 }
415
397 if (authenticated) { 416 if (authenticated) {
398 if (!(ent->flags & MON_AUTHDECIDE)) 417 if (!(ent->flags & MON_AUTHDECIDE))
399 fatal("%s: unexpected authentication from %d", 418 fatal("%s: unexpected authentication from %d",
@@ -414,9 +433,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
414 } 433 }
415#endif 434#endif
416 } 435 }
417
418 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 436 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
419 auth_log(authctxt, authenticated, auth_method, 437 auth_log(authctxt, authenticated, partial,
438 auth_method, auth_submethod,
420 compat20 ? " ssh2" : ""); 439 compat20 ? " ssh2" : "");
421 if (!authenticated) 440 if (!authenticated)
422 authctxt->failures++; 441 authctxt->failures++;
@@ -432,10 +451,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
432#endif 451#endif
433 } 452 }
434 453
435 /* Drain any buffered messages from the child */
436 while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
437 ;
438
439 if (!authctxt->valid) 454 if (!authctxt->valid)
440 fatal("%s: authenticated invalid user", __func__); 455 fatal("%s: authenticated invalid user", __func__);
441 if (strcmp(auth_method, "unknown") == 0) 456 if (strcmp(auth_method, "unknown") == 0)
@@ -446,6 +461,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
446 461
447 mm_get_keystate(pmonitor); 462 mm_get_keystate(pmonitor);
448 463
464 /* Drain any buffered messages from the child */
465 while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
466 ;
467
449 close(pmonitor->m_sendfd); 468 close(pmonitor->m_sendfd);
450 close(pmonitor->m_log_recvfd); 469 close(pmonitor->m_log_recvfd);
451 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; 470 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1;
@@ -798,7 +817,17 @@ mm_answer_pwnamallow(int sock, Buffer *m)
798 COPY_MATCH_STRING_OPTS(); 817 COPY_MATCH_STRING_OPTS();
799#undef M_CP_STROPT 818#undef M_CP_STROPT
800#undef M_CP_STRARRAYOPT 819#undef M_CP_STRARRAYOPT
801 820
821 /* Create valid auth method lists */
822 if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
823 /*
824 * The monitor will continue long enough to let the child
825 * run to it's packet_disconnect(), but it must not allow any
826 * authentication to succeed.
827 */
828 debug("%s: no valid authentication method lists", __func__);
829 }
830
802 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); 831 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
803 mm_request_send(sock, MONITOR_ANS_PWNAM, m); 832 mm_request_send(sock, MONITOR_ANS_PWNAM, m);
804 833
@@ -935,7 +964,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
935 debug3("%s: sending authenticated: %d", __func__, authok); 964 debug3("%s: sending authenticated: %d", __func__, authok);
936 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 965 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
937 966
938 auth_method = "bsdauth"; 967 if (compat20)
968 auth_method = "keyboard-interactive"; /* XXX auth_submethod */
969 else
970 auth_method = "bsdauth";
939 971
940 return (authok != 0); 972 return (authok != 0);
941} 973}
@@ -1074,7 +1106,8 @@ mm_answer_pam_query(int sock, Buffer *m)
1074 xfree(prompts); 1106 xfree(prompts);
1075 if (echo_on != NULL) 1107 if (echo_on != NULL)
1076 xfree(echo_on); 1108 xfree(echo_on);
1077 auth_method = "keyboard-interactive/pam"; 1109 auth_method = "keyboard-interactive";
1110 auth_submethod = "pam";
1078 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 1111 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
1079 return (0); 1112 return (0);
1080} 1113}
@@ -1103,7 +1136,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
1103 buffer_clear(m); 1136 buffer_clear(m);
1104 buffer_put_int(m, ret); 1137 buffer_put_int(m, ret);
1105 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); 1138 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
1106 auth_method = "keyboard-interactive/pam"; 1139 auth_method = "keyboard-interactive";
1140 auth_submethod = "pam";
1107 if (ret == 0) 1141 if (ret == 0)
1108 sshpam_authok = sshpam_ctxt; 1142 sshpam_authok = sshpam_ctxt;
1109 return (0); 1143 return (0);
@@ -1117,7 +1151,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
1117 (sshpam_device.free_ctx)(sshpam_ctxt); 1151 (sshpam_device.free_ctx)(sshpam_ctxt);
1118 buffer_clear(m); 1152 buffer_clear(m);
1119 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); 1153 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
1120 auth_method = "keyboard-interactive/pam"; 1154 auth_method = "keyboard-interactive";
1155 auth_submethod = "pam";
1121 return (sshpam_authok == sshpam_ctxt); 1156 return (sshpam_authok == sshpam_ctxt);
1122} 1157}
1123#endif 1158#endif
@@ -1191,7 +1226,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
1191 hostbased_chost = chost; 1226 hostbased_chost = chost;
1192 } else { 1227 } else {
1193 /* Log failed attempt */ 1228 /* Log failed attempt */
1194 auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); 1229 auth_log(authctxt, 0, 0, auth_method, NULL,
1230 compat20 ? " ssh2" : "");
1195 xfree(blob); 1231 xfree(blob);
1196 xfree(cuser); 1232 xfree(cuser);
1197 xfree(chost); 1233 xfree(chost);
diff --git a/monitor.h b/monitor.h
index db0443fec..9aa4e6fe5 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */ 1/* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */
2 2
3/* 3/*
4 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -28,46 +28,51 @@
28#ifndef _MONITOR_H_ 28#ifndef _MONITOR_H_
29#define _MONITOR_H_ 29#define _MONITOR_H_
30 30
31/* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */
31enum monitor_reqtype { 32enum monitor_reqtype {
32 MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, 33 MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1,
33 MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, 34 MONITOR_REQ_FREE = 2,
34 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, 35 MONITOR_REQ_AUTHSERV = 4,
35 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, 36 MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7,
36 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, 37 MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9,
37 MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, 38 MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11,
38 MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, 39 MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
39 MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, 40 MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
40 MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, 41 MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
41 MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, 42 MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
42 MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, 43 MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
43 MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, 44 MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
44 MONITOR_REQ_KEYEXPORT, 45 MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
45 MONITOR_REQ_PTY, MONITOR_ANS_PTY, 46 MONITOR_REQ_KEYEXPORT = 26,
46 MONITOR_REQ_PTYCLEANUP, 47 MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29,
47 MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY, 48 MONITOR_REQ_PTYCLEANUP = 30,
48 MONITOR_REQ_SESSID, 49 MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33,
49 MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, 50 MONITOR_REQ_SESSID = 34,
50 MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, 51 MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
51 MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, 52 MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
52 MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP, 53 MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
53 MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, 54 MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
54 MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, 55 MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
55 MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, 56 MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
56 MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, 57 MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
57 MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, 58 MONITOR_REQ_TERM = 50,
58 MONITOR_REQ_PAM_START, 59 MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
59 MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, 60 MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
60 MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, 61 MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
61 MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, 62 MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
62 MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, 63 MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
63 MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, 64
64 MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, 65 MONITOR_REQ_PAM_START = 100,
65 MONITOR_REQ_TERM, 66 MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
66 MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, 67 MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
67 MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, 68 MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
68 MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, 69 MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
69 MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, 70 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
70 MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM, 71 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
72
73 MONITOR_REQ_GSSSIGN = 200, MONITOR_ANS_GSSSIGN = 201,
74 MONITOR_REQ_GSSUPCREDS = 202, MONITOR_ANS_GSSUPCREDS = 203,
75
71}; 76};
72 77
73struct mm_master; 78struct mm_master;
diff --git a/monitor_wrap.c b/monitor_wrap.c
index fc6bbcd2e..ed8dbdadf 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */ 1/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -491,25 +491,24 @@ mm_newkeys_from_blob(u_char *blob, int blen)
491 enc->enabled = buffer_get_int(&b); 491 enc->enabled = buffer_get_int(&b);
492 enc->block_size = buffer_get_int(&b); 492 enc->block_size = buffer_get_int(&b);
493 enc->key = buffer_get_string(&b, &enc->key_len); 493 enc->key = buffer_get_string(&b, &enc->key_len);
494 enc->iv = buffer_get_string(&b, &len); 494 enc->iv = buffer_get_string(&b, &enc->iv_len);
495 if (len != enc->block_size)
496 fatal("%s: bad ivlen: expected %u != %u", __func__,
497 enc->block_size, len);
498 495
499 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher) 496 if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher)
500 fatal("%s: bad cipher name %s or pointer %p", __func__, 497 fatal("%s: bad cipher name %s or pointer %p", __func__,
501 enc->name, enc->cipher); 498 enc->name, enc->cipher);
502 499
503 /* Mac structure */ 500 /* Mac structure */
504 mac->name = buffer_get_string(&b, NULL); 501 if (cipher_authlen(enc->cipher) == 0) {
505 if (mac->name == NULL || mac_setup(mac, mac->name) == -1) 502 mac->name = buffer_get_string(&b, NULL);
506 fatal("%s: can not setup mac %s", __func__, mac->name); 503 if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
507 mac->enabled = buffer_get_int(&b); 504 fatal("%s: can not setup mac %s", __func__, mac->name);
508 mac->key = buffer_get_string(&b, &len); 505 mac->enabled = buffer_get_int(&b);
509 if (len > mac->key_len) 506 mac->key = buffer_get_string(&b, &len);
510 fatal("%s: bad mac key length: %u > %d", __func__, len, 507 if (len > mac->key_len)
511 mac->key_len); 508 fatal("%s: bad mac key length: %u > %d", __func__, len,
512 mac->key_len = len; 509 mac->key_len);
510 mac->key_len = len;
511 }
513 512
514 /* Comp structure */ 513 /* Comp structure */
515 comp->type = buffer_get_int(&b); 514 comp->type = buffer_get_int(&b);
@@ -551,13 +550,15 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
551 buffer_put_int(&b, enc->enabled); 550 buffer_put_int(&b, enc->enabled);
552 buffer_put_int(&b, enc->block_size); 551 buffer_put_int(&b, enc->block_size);
553 buffer_put_string(&b, enc->key, enc->key_len); 552 buffer_put_string(&b, enc->key, enc->key_len);
554 packet_get_keyiv(mode, enc->iv, enc->block_size); 553 packet_get_keyiv(mode, enc->iv, enc->iv_len);
555 buffer_put_string(&b, enc->iv, enc->block_size); 554 buffer_put_string(&b, enc->iv, enc->iv_len);
556 555
557 /* Mac structure */ 556 /* Mac structure */
558 buffer_put_cstring(&b, mac->name); 557 if (cipher_authlen(enc->cipher) == 0) {
559 buffer_put_int(&b, mac->enabled); 558 buffer_put_cstring(&b, mac->name);
560 buffer_put_string(&b, mac->key, mac->key_len); 559 buffer_put_int(&b, mac->enabled);
560 buffer_put_string(&b, mac->key, mac->key_len);
561 }
561 562
562 /* Comp structure */ 563 /* Comp structure */
563 buffer_put_int(&b, comp->type); 564 buffer_put_int(&b, comp->type);
@@ -621,7 +622,7 @@ mm_send_keystate(struct monitor *monitor)
621 ivlen = packet_get_keyiv_len(MODE_OUT); 622 ivlen = packet_get_keyiv_len(MODE_OUT);
622 packet_get_keyiv(MODE_OUT, iv, ivlen); 623 packet_get_keyiv(MODE_OUT, iv, ivlen);
623 buffer_put_string(&m, iv, ivlen); 624 buffer_put_string(&m, iv, ivlen);
624 ivlen = packet_get_keyiv_len(MODE_OUT); 625 ivlen = packet_get_keyiv_len(MODE_IN);
625 packet_get_keyiv(MODE_IN, iv, ivlen); 626 packet_get_keyiv(MODE_IN, iv, ivlen);
626 buffer_put_string(&m, iv, ivlen); 627 buffer_put_string(&m, iv, ivlen);
627 goto skip; 628 goto skip;
diff --git a/mux.c b/mux.c
index 5e0e65ff3..1ae0e0915 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mux.c,v 1.36 2012/07/06 01:37:21 djm Exp $ */ 1/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -63,10 +63,6 @@
63# include <util.h> 63# include <util.h>
64#endif 64#endif
65 65
66#ifdef HAVE_LIBUTIL_H
67# include <libutil.h>
68#endif
69
70#include "openbsd-compat/sys-queue.h" 66#include "openbsd-compat/sys-queue.h"
71#include "xmalloc.h" 67#include "xmalloc.h"
72#include "log.h" 68#include "log.h"
@@ -188,7 +184,7 @@ static const struct {
188 184
189/* Cleanup callback fired on closure of mux slave _session_ channel */ 185/* Cleanup callback fired on closure of mux slave _session_ channel */
190/* ARGSUSED */ 186/* ARGSUSED */
191static void 187void
192mux_master_session_cleanup_cb(int cid, void *unused) 188mux_master_session_cleanup_cb(int cid, void *unused)
193{ 189{
194 Channel *cc, *c = channel_by_id(cid); 190 Channel *cc, *c = channel_by_id(cid);
@@ -738,9 +734,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
738 } 734 }
739 735
740 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 736 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
741 if (channel_setup_local_fwd_listener(fwd.listen_host, 737 if (!channel_setup_local_fwd_listener(fwd.listen_host,
742 fwd.listen_port, fwd.connect_host, fwd.connect_port, 738 fwd.listen_port, fwd.connect_host, fwd.connect_port,
743 options.gateway_ports) < 0) { 739 options.gateway_ports)) {
744 fail: 740 fail:
745 logit("slave-requested %s failed", fwd_desc); 741 logit("slave-requested %s failed", fwd_desc);
746 buffer_put_int(r, MUX_S_FAILURE); 742 buffer_put_int(r, MUX_S_FAILURE);
diff --git a/myproposal.h b/myproposal.h
index b9b819c0a..99d093461 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */ 1/* $OpenBSD: myproposal.h,v 1.32 2013/01/08 18:49:04 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -73,6 +73,7 @@
73#define KEX_DEFAULT_ENCRYPT \ 73#define KEX_DEFAULT_ENCRYPT \
74 "aes128-ctr,aes192-ctr,aes256-ctr," \ 74 "aes128-ctr,aes192-ctr,aes256-ctr," \
75 "arcfour256,arcfour128," \ 75 "arcfour256,arcfour128," \
76 "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
76 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ 77 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
77 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" 78 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
78#ifdef HAVE_EVP_SHA256 79#ifdef HAVE_EVP_SHA256
@@ -83,9 +84,19 @@
83# define SHA2_HMAC_MODES 84# define SHA2_HMAC_MODES
84#endif 85#endif
85#define KEX_DEFAULT_MAC \ 86#define KEX_DEFAULT_MAC \
87 "hmac-md5-etm@openssh.com," \
88 "hmac-sha1-etm@openssh.com," \
89 "umac-64-etm@openssh.com," \
90 "umac-128-etm@openssh.com," \
91 "hmac-sha2-256-etm@openssh.com," \
92 "hmac-sha2-512-etm@openssh.com," \
93 "hmac-ripemd160-etm@openssh.com," \
94 "hmac-sha1-96-etm@openssh.com," \
95 "hmac-md5-96-etm@openssh.com," \
86 "hmac-md5," \ 96 "hmac-md5," \
87 "hmac-sha1," \ 97 "hmac-sha1," \
88 "umac-64@openssh.com," \ 98 "umac-64@openssh.com," \
99 "umac-128@openssh.com," \
89 SHA2_HMAC_MODES \ 100 SHA2_HMAC_MODES \
90 "hmac-ripemd160," \ 101 "hmac-ripemd160," \
91 "hmac-ripemd160@openssh.com," \ 102 "hmac-ripemd160@openssh.com," \
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 196a81d13..e1c3651e8 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $ 1# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -16,9 +16,9 @@ RANLIB=@RANLIB@
16INSTALL=@INSTALL@ 16INSTALL=@INSTALL@
17LDFLAGS=-L. @LDFLAGS@ 17LDFLAGS=-L. @LDFLAGS@
18 18
19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o 19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
20 20
21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22 22
23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o 23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
24 24
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 3ef373f56..d75854e83 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -165,6 +165,17 @@ int nanosleep(const struct timespec *req, struct timespec *rem)
165} 165}
166#endif 166#endif
167 167
168#if !defined(HAVE_USLEEP)
169int usleep(unsigned int useconds)
170{
171 struct timespec ts;
172
173 ts.tv_sec = useconds / 1000000;
174 ts.tv_nsec = (useconds % 1000000) * 1000;
175 return nanosleep(&ts, NULL);
176}
177#endif
178
168#ifndef HAVE_TCGETPGRP 179#ifndef HAVE_TCGETPGRP
169pid_t 180pid_t
170tcgetpgrp(int fd) 181tcgetpgrp(int fd)
@@ -242,8 +253,25 @@ strdup(const char *str)
242#endif 253#endif
243 254
244#ifndef HAVE_ISBLANK 255#ifndef HAVE_ISBLANK
245int isblank(int c) 256int
257isblank(int c)
246{ 258{
247 return (c == ' ' || c == '\t'); 259 return (c == ' ' || c == '\t');
248} 260}
249#endif 261#endif
262
263#ifndef HAVE_GETPGID
264pid_t
265getpgid(pid_t pid)
266{
267#if defined(HAVE_GETPGRP) && !defined(GETPGRP_VOID)
268 return getpgrp(pid);
269#elif defined(HAVE_GETPGRP)
270 if (pid == 0)
271 return getpgrp();
272#endif
273
274 errno = ESRCH;
275 return -1;
276}
277#endif
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index eac5217ca..430066376 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
1/* $Id: bsd-misc.h,v 1.21 2012/07/03 22:50:10 dtucker Exp $ */ 1/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org> 4 * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -80,6 +80,10 @@ struct timespec {
80int nanosleep(const struct timespec *, struct timespec *); 80int nanosleep(const struct timespec *, struct timespec *);
81#endif 81#endif
82 82
83#ifndef HAVE_USLEEP
84int usleep(unsigned int useconds);
85#endif
86
83#ifndef HAVE_TCGETPGRP 87#ifndef HAVE_TCGETPGRP
84pid_t tcgetpgrp(int); 88pid_t tcgetpgrp(int);
85#endif 89#endif
@@ -102,4 +106,8 @@ mysig_t mysignal(int sig, mysig_t act);
102int isblank(int); 106int isblank(int);
103#endif 107#endif
104 108
109#ifndef HAVE_GETPGID
110pid_t getpgid(pid_t);
111#endif
112
105#endif /* _BSD_MISC_H */ 113#endif /* _BSD_MISC_H */
diff --git a/openbsd-compat/bsd-setres_id.c b/openbsd-compat/bsd-setres_id.c
new file mode 100644
index 000000000..020b214b8
--- /dev/null
+++ b/openbsd-compat/bsd-setres_id.c
@@ -0,0 +1,99 @@
1/* $Id: bsd-setres_id.c,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */
2
3/*
4 * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include "includes.h"
20
21#include <sys/types.h>
22
23#include <stdarg.h>
24#include <unistd.h>
25
26#include "log.h"
27
28#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)
29int
30setresgid(gid_t rgid, gid_t egid, gid_t sgid)
31{
32 int ret = 0, saved_errno;
33
34 if (rgid != sgid) {
35 errno = ENOSYS;
36 return -1;
37 }
38#if defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
39 if (setregid(rgid, egid) < 0) {
40 saved_errno = errno;
41 error("setregid %u: %.100s", rgid, strerror(errno));
42 errno = saved_errno;
43 ret = -1;
44 }
45#else
46 if (setegid(egid) < 0) {
47 saved_errno = errno;
48 error("setegid %u: %.100s", (u_int)egid, strerror(errno));
49 errno = saved_errno;
50 ret = -1;
51 }
52 if (setgid(rgid) < 0) {
53 saved_errno = errno;
54 error("setgid %u: %.100s", rgid, strerror(errno));
55 errno = saved_errno;
56 ret = -1;
57 }
58#endif
59 return ret;
60}
61#endif
62
63#if !defined(HAVE_SETRESUID) || defined(BROKEN_SETRESUID)
64int
65setresuid(uid_t ruid, uid_t euid, uid_t suid)
66{
67 int ret = 0, saved_errno;
68
69 if (ruid != suid) {
70 errno = ENOSYS;
71 return -1;
72 }
73#if defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
74 if (setreuid(ruid, euid) < 0) {
75 saved_errno = errno;
76 error("setreuid %u: %.100s", ruid, strerror(errno));
77 errno = saved_errno;
78 ret = -1;
79 }
80#else
81
82# ifndef SETEUID_BREAKS_SETUID
83 if (seteuid(euid) < 0) {
84 saved_errno = errno;
85 error("seteuid %u: %.100s", euid, strerror(errno));
86 errno = saved_errno;
87 ret = -1;
88 }
89# endif
90 if (setuid(ruid) < 0) {
91 saved_errno = errno;
92 error("setuid %u: %.100s", ruid, strerror(errno));
93 errno = saved_errno;
94 ret = -1;
95 }
96#endif
97 return ret;
98}
99#endif
diff --git a/openbsd-compat/bsd-setres_id.h b/openbsd-compat/bsd-setres_id.h
new file mode 100644
index 000000000..6c269e0b9
--- /dev/null
+++ b/openbsd-compat/bsd-setres_id.h
@@ -0,0 +1,24 @@
1/* $Id: bsd-setres_id.h,v 1.1 2012/11/05 06:04:37 dtucker Exp $ */
2
3/*
4 * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#ifndef HAVE_SETRESGID
20int setresgid(gid_t, gid_t, gid_t);
21#endif
22#ifndef HAVE_SETRESUID
23int setresuid(uid_t, uid_t, uid_t);
24#endif
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 807acf626..a8c579f49 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openbsd-compat.h,v 1.52 2011/09/23 01:16:11 djm Exp $ */ 1/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -149,6 +149,7 @@ int writev(int, struct iovec *, int);
149 149
150/* Home grown routines */ 150/* Home grown routines */
151#include "bsd-misc.h" 151#include "bsd-misc.h"
152#include "bsd-setres_id.h"
152#include "bsd-statvfs.h" 153#include "bsd-statvfs.h"
153#include "bsd-waitpid.h" 154#include "bsd-waitpid.h"
154#include "bsd-poll.h" 155#include "bsd-poll.h"
@@ -189,6 +190,14 @@ int snprintf(char *, size_t, SNPRINTF_CONST char *, ...);
189long long strtoll(const char *, char **, int); 190long long strtoll(const char *, char **, int);
190#endif 191#endif
191 192
193#ifndef HAVE_STRTOUL
194unsigned long strtoul(const char *, char **, int);
195#endif
196
197#ifndef HAVE_STRTOULL
198unsigned long long strtoull(const char *, char **, int);
199#endif
200
192#ifndef HAVE_STRTONUM 201#ifndef HAVE_STRTONUM
193long long strtonum(const char *, long long, long long, const char **); 202long long strtonum(const char *, long long, long long, const char **);
194#endif 203#endif
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index a151eff38..e7439b4e7 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.h,v 1.20 2012/01/17 03:03:39 dtucker Exp $ */ 1/* $Id: openssl-compat.h,v 1.24 2013/02/12 00:00:40 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -40,7 +40,7 @@
40# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) 40# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
41#endif 41#endif
42 42
43#if OPENSSL_VERSION_NUMBER < 0x1000000fL 43#if OPENSSL_VERSION_NUMBER < 0x10000001L
44# define LIBCRYPTO_EVP_INL_TYPE unsigned int 44# define LIBCRYPTO_EVP_INL_TYPE unsigned int
45#else 45#else
46# define LIBCRYPTO_EVP_INL_TYPE size_t 46# define LIBCRYPTO_EVP_INL_TYPE size_t
@@ -59,20 +59,43 @@
59# define EVP_aes_128_cbc evp_rijndael 59# define EVP_aes_128_cbc evp_rijndael
60# define EVP_aes_192_cbc evp_rijndael 60# define EVP_aes_192_cbc evp_rijndael
61# define EVP_aes_256_cbc evp_rijndael 61# define EVP_aes_256_cbc evp_rijndael
62extern const EVP_CIPHER *evp_rijndael(void); 62const EVP_CIPHER *evp_rijndael(void);
63extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); 63void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
64#endif 64#endif
65 65
66#if !defined(EVP_CTRL_SET_ACSS_MODE) 66#ifndef OPENSSL_HAVE_EVPCTR
67# if (OPENSSL_VERSION_NUMBER >= 0x00907000L) 67#define EVP_aes_128_ctr evp_aes_128_ctr
68# define USE_CIPHER_ACSS 1 68#define EVP_aes_192_ctr evp_aes_128_ctr
69extern const EVP_CIPHER *evp_acss(void); 69#define EVP_aes_256_ctr evp_aes_128_ctr
70# define EVP_acss evp_acss 70const EVP_CIPHER *evp_aes_128_ctr(void);
71void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
72#endif
73
74/* Avoid some #ifdef. Code that uses these is unreachable without GCM */
75#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED)
76# define EVP_CTRL_GCM_SET_IV_FIXED -1
77# define EVP_CTRL_GCM_IV_GEN -1
78# define EVP_CTRL_GCM_SET_TAG -1
79# define EVP_CTRL_GCM_GET_TAG -1
80#endif
81
82/* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */
83#ifndef HAVE_EVP_CIPHER_CTX_CTRL
84# ifdef OPENSSL_HAVE_EVPGCM
85# error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */
71# else 86# else
72# define EVP_acss NULL 87# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)
73# endif 88# endif
74#endif 89#endif
75 90
91#if OPENSSL_VERSION_NUMBER < 0x00907000L
92#define EVP_X_STATE(evp) &(evp).c
93#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
94#else
95#define EVP_X_STATE(evp) (evp).cipher_data
96#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
97#endif
98
76/* OpenSSL 0.9.8e returns cipher key len not context key len */ 99/* OpenSSL 0.9.8e returns cipher key len not context key len */
77#if (OPENSSL_VERSION_NUMBER == 0x0090805fL) 100#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
78# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) 101# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
diff --git a/openbsd-compat/strtoull.c b/openbsd-compat/strtoull.c
new file mode 100644
index 000000000..f7c818c52
--- /dev/null
+++ b/openbsd-compat/strtoull.c
@@ -0,0 +1,110 @@
1/* $OpenBSD: strtoull.c,v 1.5 2005/08/08 08:05:37 espie Exp $ */
2/*-
3 * Copyright (c) 1992 The Regents of the University of California.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of the University nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoull.c */
32
33#include "includes.h"
34#ifndef HAVE_STRTOULL
35
36#include <sys/types.h>
37
38#include <ctype.h>
39#include <errno.h>
40#include <limits.h>
41#include <stdlib.h>
42
43/*
44 * Convert a string to an unsigned long long.
45 *
46 * Ignores `locale' stuff. Assumes that the upper and lower case
47 * alphabets and digits are each contiguous.
48 */
49unsigned long long
50strtoull(const char *nptr, char **endptr, int base)
51{
52 const char *s;
53 unsigned long long acc, cutoff;
54 int c;
55 int neg, any, cutlim;
56
57 /*
58 * See strtoq for comments as to the logic used.
59 */
60 s = nptr;
61 do {
62 c = (unsigned char) *s++;
63 } while (isspace(c));
64 if (c == '-') {
65 neg = 1;
66 c = *s++;
67 } else {
68 neg = 0;
69 if (c == '+')
70 c = *s++;
71 }
72 if ((base == 0 || base == 16) &&
73 c == '0' && (*s == 'x' || *s == 'X')) {
74 c = s[1];
75 s += 2;
76 base = 16;
77 }
78 if (base == 0)
79 base = c == '0' ? 8 : 10;
80
81 cutoff = ULLONG_MAX / (unsigned long long)base;
82 cutlim = ULLONG_MAX % (unsigned long long)base;
83 for (acc = 0, any = 0;; c = (unsigned char) *s++) {
84 if (isdigit(c))
85 c -= '0';
86 else if (isalpha(c))
87 c -= isupper(c) ? 'A' - 10 : 'a' - 10;
88 else
89 break;
90 if (c >= base)
91 break;
92 if (any < 0)
93 continue;
94 if (acc > cutoff || (acc == cutoff && c > cutlim)) {
95 any = -1;
96 acc = ULLONG_MAX;
97 errno = ERANGE;
98 } else {
99 any = 1;
100 acc *= (unsigned long long)base;
101 acc += c;
102 }
103 }
104 if (neg && any > 0)
105 acc = -acc;
106 if (endptr != 0)
107 *endptr = (char *) (any ? s - 1 : nptr);
108 return (acc);
109}
110#endif /* !HAVE_STRTOULL */
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h
index 5cf0587bd..28aaaa37a 100644
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: queue.h,v 1.32 2007/04/30 18:42:34 pedro Exp $ */ 1/* $OpenBSD: queue.h,v 1.36 2012/04/11 13:29:14 naddy Exp $ */
2/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ 2/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */
3 3
4/* 4/*
@@ -202,10 +202,10 @@ struct { \
202 (var) != SLIST_END(head); \ 202 (var) != SLIST_END(head); \
203 (var) = SLIST_NEXT(var, field)) 203 (var) = SLIST_NEXT(var, field))
204 204
205#define SLIST_FOREACH_PREVPTR(var, varp, head, field) \ 205#define SLIST_FOREACH_SAFE(var, head, field, tvar) \
206 for ((varp) = &SLIST_FIRST((head)); \ 206 for ((var) = SLIST_FIRST(head); \
207 ((var) = *(varp)) != SLIST_END(head); \ 207 (var) && ((tvar) = SLIST_NEXT(var, field), 1); \
208 (varp) = &SLIST_NEXT((var), field)) 208 (var) = (tvar))
209 209
210/* 210/*
211 * Singly-linked List functions. 211 * Singly-linked List functions.
@@ -224,7 +224,7 @@ struct { \
224 (head)->slh_first = (elm); \ 224 (head)->slh_first = (elm); \
225} while (0) 225} while (0)
226 226
227#define SLIST_REMOVE_NEXT(head, elm, field) do { \ 227#define SLIST_REMOVE_AFTER(elm, field) do { \
228 (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ 228 (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \
229} while (0) 229} while (0)
230 230
@@ -276,6 +276,11 @@ struct { \
276 (var)!= LIST_END(head); \ 276 (var)!= LIST_END(head); \
277 (var) = LIST_NEXT(var, field)) 277 (var) = LIST_NEXT(var, field))
278 278
279#define LIST_FOREACH_SAFE(var, head, field, tvar) \
280 for ((var) = LIST_FIRST(head); \
281 (var) && ((tvar) = LIST_NEXT(var, field), 1); \
282 (var) = (tvar))
283
279/* 284/*
280 * List functions. 285 * List functions.
281 */ 286 */
@@ -354,6 +359,11 @@ struct { \
354 (var) != SIMPLEQ_END(head); \ 359 (var) != SIMPLEQ_END(head); \
355 (var) = SIMPLEQ_NEXT(var, field)) 360 (var) = SIMPLEQ_NEXT(var, field))
356 361
362#define SIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \
363 for ((var) = SIMPLEQ_FIRST(head); \
364 (var) && ((tvar) = SIMPLEQ_NEXT(var, field), 1); \
365 (var) = (tvar))
366
357/* 367/*
358 * Simple queue functions. 368 * Simple queue functions.
359 */ 369 */
@@ -385,6 +395,12 @@ struct { \
385 (head)->sqh_last = &(head)->sqh_first; \ 395 (head)->sqh_last = &(head)->sqh_first; \
386} while (0) 396} while (0)
387 397
398#define SIMPLEQ_REMOVE_AFTER(head, elm, field) do { \
399 if (((elm)->field.sqe_next = (elm)->field.sqe_next->field.sqe_next) \
400 == NULL) \
401 (head)->sqh_last = &(elm)->field.sqe_next; \
402} while (0)
403
388/* 404/*
389 * Tail queue definitions. 405 * Tail queue definitions.
390 */ 406 */
@@ -422,11 +438,24 @@ struct { \
422 (var) != TAILQ_END(head); \ 438 (var) != TAILQ_END(head); \
423 (var) = TAILQ_NEXT(var, field)) 439 (var) = TAILQ_NEXT(var, field))
424 440
441#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
442 for ((var) = TAILQ_FIRST(head); \
443 (var) != TAILQ_END(head) && \
444 ((tvar) = TAILQ_NEXT(var, field), 1); \
445 (var) = (tvar))
446
447
425#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ 448#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \
426 for((var) = TAILQ_LAST(head, headname); \ 449 for((var) = TAILQ_LAST(head, headname); \
427 (var) != TAILQ_END(head); \ 450 (var) != TAILQ_END(head); \
428 (var) = TAILQ_PREV(var, headname, field)) 451 (var) = TAILQ_PREV(var, headname, field))
429 452
453#define TAILQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \
454 for ((var) = TAILQ_LAST(head, headname); \
455 (var) != TAILQ_END(head) && \
456 ((tvar) = TAILQ_PREV(var, headname, field), 1); \
457 (var) = (tvar))
458
430/* 459/*
431 * Tail queue functions. 460 * Tail queue functions.
432 */ 461 */
@@ -526,11 +555,23 @@ struct { \
526 (var) != CIRCLEQ_END(head); \ 555 (var) != CIRCLEQ_END(head); \
527 (var) = CIRCLEQ_NEXT(var, field)) 556 (var) = CIRCLEQ_NEXT(var, field))
528 557
558#define CIRCLEQ_FOREACH_SAFE(var, head, field, tvar) \
559 for ((var) = CIRCLEQ_FIRST(head); \
560 (var) != CIRCLEQ_END(head) && \
561 ((tvar) = CIRCLEQ_NEXT(var, field), 1); \
562 (var) = (tvar))
563
529#define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ 564#define CIRCLEQ_FOREACH_REVERSE(var, head, field) \
530 for((var) = CIRCLEQ_LAST(head); \ 565 for((var) = CIRCLEQ_LAST(head); \
531 (var) != CIRCLEQ_END(head); \ 566 (var) != CIRCLEQ_END(head); \
532 (var) = CIRCLEQ_PREV(var, field)) 567 (var) = CIRCLEQ_PREV(var, field))
533 568
569#define CIRCLEQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \
570 for ((var) = CIRCLEQ_LAST(head, headname); \
571 (var) != CIRCLEQ_END(head) && \
572 ((tvar) = CIRCLEQ_PREV(var, headname, field), 1); \
573 (var) = (tvar))
574
534/* 575/*
535 * Circular queue functions. 576 * Circular queue functions.
536 */ 577 */
diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h
index d4949b5e7..7f7546ecd 100644
--- a/openbsd-compat/sys-tree.h
+++ b/openbsd-compat/sys-tree.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tree.h,v 1.10 2007/10/29 23:49:41 djm Exp $ */ 1/* $OpenBSD: tree.h,v 1.13 2011/07/09 00:19:45 pirofti Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * All rights reserved. 4 * All rights reserved.
@@ -26,6 +26,11 @@
26 26
27/* OPENBSD ORIGINAL: sys/sys/tree.h */ 27/* OPENBSD ORIGINAL: sys/sys/tree.h */
28 28
29#include "config.h"
30#ifdef NO_ATTRIBUTE_ON_RETURN_TYPE
31# define __attribute__(x)
32#endif
33
29#ifndef _SYS_TREE_H_ 34#ifndef _SYS_TREE_H_
30#define _SYS_TREE_H_ 35#define _SYS_TREE_H_
31 36
@@ -331,7 +336,7 @@ struct { \
331} while (0) 336} while (0)
332 337
333#ifndef RB_AUGMENT 338#ifndef RB_AUGMENT
334#define RB_AUGMENT(x) 339#define RB_AUGMENT(x) do {} while (0)
335#endif 340#endif
336 341
337#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ 342#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \
@@ -375,21 +380,31 @@ struct { \
375} while (0) 380} while (0)
376 381
377/* Generates prototypes and inline functions */ 382/* Generates prototypes and inline functions */
378#define RB_PROTOTYPE(name, type, field, cmp) \ 383#define RB_PROTOTYPE(name, type, field, cmp) \
379void name##_RB_INSERT_COLOR(struct name *, struct type *); \ 384 RB_PROTOTYPE_INTERNAL(name, type, field, cmp,)
380void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ 385#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \
381struct type *name##_RB_REMOVE(struct name *, struct type *); \ 386 RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static)
382struct type *name##_RB_INSERT(struct name *, struct type *); \ 387#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \
383struct type *name##_RB_FIND(struct name *, struct type *); \ 388attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \
384struct type *name##_RB_NEXT(struct type *); \ 389attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
385struct type *name##_RB_MINMAX(struct name *, int); 390attr struct type *name##_RB_REMOVE(struct name *, struct type *); \
386 391attr struct type *name##_RB_INSERT(struct name *, struct type *); \
392attr struct type *name##_RB_FIND(struct name *, struct type *); \
393attr struct type *name##_RB_NFIND(struct name *, struct type *); \
394attr struct type *name##_RB_NEXT(struct type *); \
395attr struct type *name##_RB_PREV(struct type *); \
396attr struct type *name##_RB_MINMAX(struct name *, int); \
397 \
387 398
388/* Main rb operation. 399/* Main rb operation.
389 * Moves node close to the key of elm to top 400 * Moves node close to the key of elm to top
390 */ 401 */
391#define RB_GENERATE(name, type, field, cmp) \ 402#define RB_GENERATE(name, type, field, cmp) \
392void \ 403 RB_GENERATE_INTERNAL(name, type, field, cmp,)
404#define RB_GENERATE_STATIC(name, type, field, cmp) \
405 RB_GENERATE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static)
406#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \
407attr void \
393name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ 408name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \
394{ \ 409{ \
395 struct type *parent, *gparent, *tmp; \ 410 struct type *parent, *gparent, *tmp; \
@@ -433,7 +448,7 @@ name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \
433 RB_COLOR(head->rbh_root, field) = RB_BLACK; \ 448 RB_COLOR(head->rbh_root, field) = RB_BLACK; \
434} \ 449} \
435 \ 450 \
436void \ 451attr void \
437name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ 452name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \
438{ \ 453{ \
439 struct type *tmp; \ 454 struct type *tmp; \
@@ -509,7 +524,7 @@ name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm)
509 RB_COLOR(elm, field) = RB_BLACK; \ 524 RB_COLOR(elm, field) = RB_BLACK; \
510} \ 525} \
511 \ 526 \
512struct type * \ 527attr struct type * \
513name##_RB_REMOVE(struct name *head, struct type *elm) \ 528name##_RB_REMOVE(struct name *head, struct type *elm) \
514{ \ 529{ \
515 struct type *child, *parent, *old = elm; \ 530 struct type *child, *parent, *old = elm; \
@@ -577,7 +592,7 @@ color: \
577} \ 592} \
578 \ 593 \
579/* Inserts a node into the RB tree */ \ 594/* Inserts a node into the RB tree */ \
580struct type * \ 595attr struct type * \
581name##_RB_INSERT(struct name *head, struct type *elm) \ 596name##_RB_INSERT(struct name *head, struct type *elm) \
582{ \ 597{ \
583 struct type *tmp; \ 598 struct type *tmp; \
@@ -608,7 +623,7 @@ name##_RB_INSERT(struct name *head, struct type *elm) \
608} \ 623} \
609 \ 624 \
610/* Finds the node with the same key as elm */ \ 625/* Finds the node with the same key as elm */ \
611struct type * \ 626attr struct type * \
612name##_RB_FIND(struct name *head, struct type *elm) \ 627name##_RB_FIND(struct name *head, struct type *elm) \
613{ \ 628{ \
614 struct type *tmp = RB_ROOT(head); \ 629 struct type *tmp = RB_ROOT(head); \
@@ -625,7 +640,29 @@ name##_RB_FIND(struct name *head, struct type *elm) \
625 return (NULL); \ 640 return (NULL); \
626} \ 641} \
627 \ 642 \
628struct type * \ 643/* Finds the first node greater than or equal to the search key */ \
644attr struct type * \
645name##_RB_NFIND(struct name *head, struct type *elm) \
646{ \
647 struct type *tmp = RB_ROOT(head); \
648 struct type *res = NULL; \
649 int comp; \
650 while (tmp) { \
651 comp = cmp(elm, tmp); \
652 if (comp < 0) { \
653 res = tmp; \
654 tmp = RB_LEFT(tmp, field); \
655 } \
656 else if (comp > 0) \
657 tmp = RB_RIGHT(tmp, field); \
658 else \
659 return (tmp); \
660 } \
661 return (res); \
662} \
663 \
664/* ARGSUSED */ \
665attr struct type * \
629name##_RB_NEXT(struct type *elm) \ 666name##_RB_NEXT(struct type *elm) \
630{ \ 667{ \
631 if (RB_RIGHT(elm, field)) { \ 668 if (RB_RIGHT(elm, field)) { \
@@ -646,7 +683,29 @@ name##_RB_NEXT(struct type *elm) \
646 return (elm); \ 683 return (elm); \
647} \ 684} \
648 \ 685 \
649struct type * \ 686/* ARGSUSED */ \
687attr struct type * \
688name##_RB_PREV(struct type *elm) \
689{ \
690 if (RB_LEFT(elm, field)) { \
691 elm = RB_LEFT(elm, field); \
692 while (RB_RIGHT(elm, field)) \
693 elm = RB_RIGHT(elm, field); \
694 } else { \
695 if (RB_PARENT(elm, field) && \
696 (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \
697 elm = RB_PARENT(elm, field); \
698 else { \
699 while (RB_PARENT(elm, field) && \
700 (elm == RB_LEFT(RB_PARENT(elm, field), field)))\
701 elm = RB_PARENT(elm, field); \
702 elm = RB_PARENT(elm, field); \
703 } \
704 } \
705 return (elm); \
706} \
707 \
708attr struct type * \
650name##_RB_MINMAX(struct name *head, int val) \ 709name##_RB_MINMAX(struct name *head, int val) \
651{ \ 710{ \
652 struct type *tmp = RB_ROOT(head); \ 711 struct type *tmp = RB_ROOT(head); \
@@ -667,7 +726,9 @@ name##_RB_MINMAX(struct name *head, int val) \
667#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) 726#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y)
668#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) 727#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y)
669#define RB_FIND(name, x, y) name##_RB_FIND(x, y) 728#define RB_FIND(name, x, y) name##_RB_FIND(x, y)
729#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y)
670#define RB_NEXT(name, x, y) name##_RB_NEXT(y) 730#define RB_NEXT(name, x, y) name##_RB_NEXT(y)
731#define RB_PREV(name, x, y) name##_RB_PREV(y)
671#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) 732#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF)
672#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) 733#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF)
673 734
@@ -676,4 +737,19 @@ name##_RB_MINMAX(struct name *head, int val) \
676 (x) != NULL; \ 737 (x) != NULL; \
677 (x) = name##_RB_NEXT(x)) 738 (x) = name##_RB_NEXT(x))
678 739
740#define RB_FOREACH_SAFE(x, name, head, y) \
741 for ((x) = RB_MIN(name, head); \
742 ((x) != NULL) && ((y) = name##_RB_NEXT(x), 1); \
743 (x) = (y))
744
745#define RB_FOREACH_REVERSE(x, name, head) \
746 for ((x) = RB_MAX(name, head); \
747 (x) != NULL; \
748 (x) = name##_RB_PREV(x))
749
750#define RB_FOREACH_REVERSE_SAFE(x, name, head, y) \
751 for ((x) = RB_MAX(name, head); \
752 ((x) != NULL) && ((y) = name##_RB_PREV(x), 1); \
753 (x) = (y))
754
679#endif /* _SYS_TREE_H_ */ 755#endif /* _SYS_TREE_H_ */
diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c
index 3a087b341..f6f5665c1 100644
--- a/openbsd-compat/vis.c
+++ b/openbsd-compat/vis.c
@@ -31,7 +31,7 @@
31/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ 31/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
32 32
33#include "includes.h" 33#include "includes.h"
34#if !defined(HAVE_STRNVIS) 34#if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS)
35 35
36#include <ctype.h> 36#include <ctype.h>
37#include <string.h> 37#include <string.h>
diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h
index 3898a9e70..d1286c99d 100644
--- a/openbsd-compat/vis.h
+++ b/openbsd-compat/vis.h
@@ -35,7 +35,7 @@
35/* OPENBSD ORIGINAL: include/vis.h */ 35/* OPENBSD ORIGINAL: include/vis.h */
36 36
37#include "includes.h" 37#include "includes.h"
38#if !defined(HAVE_STRNVIS) 38#if !defined(HAVE_STRNVIS) || defined(BROKEN_STRNVIS)
39 39
40#ifndef _VIS_H_ 40#ifndef _VIS_H_
41#define _VIS_H_ 41#define _VIS_H_
@@ -92,4 +92,4 @@ ssize_t strnunvis(char *, const char *, size_t)
92 92
93#endif /* !_VIS_H_ */ 93#endif /* !_VIS_H_ */
94 94
95#endif /* !HAVE_STRNVIS */ 95#endif /* !HAVE_STRNVIS || BROKEN_STRNVIS */
diff --git a/packet.c b/packet.c
index d0c66fe57..9326ddea6 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */ 1/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -275,7 +275,7 @@ packet_stop_discard(void)
275static void 275static void
276packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard) 276packet_start_discard(Enc *enc, Mac *mac, u_int packet_length, u_int discard)
277{ 277{
278 if (enc == NULL || !cipher_is_cbc(enc->cipher)) 278 if (enc == NULL || !cipher_is_cbc(enc->cipher) || (mac && mac->etm))
279 packet_disconnect("Packet corrupt"); 279 packet_disconnect("Packet corrupt");
280 if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled) 280 if (packet_length != PACKET_MAX_SIZE && mac && mac->enabled)
281 active_state->packet_discard_mac = mac; 281 active_state->packet_discard_mac = mac;
@@ -709,7 +709,7 @@ packet_send1(void)
709 buffer_len(&active_state->outgoing_packet)); 709 buffer_len(&active_state->outgoing_packet));
710 cipher_crypt(&active_state->send_context, cp, 710 cipher_crypt(&active_state->send_context, cp,
711 buffer_ptr(&active_state->outgoing_packet), 711 buffer_ptr(&active_state->outgoing_packet),
712 buffer_len(&active_state->outgoing_packet)); 712 buffer_len(&active_state->outgoing_packet), 0, 0);
713 713
714#ifdef PACKET_DEBUG 714#ifdef PACKET_DEBUG
715 fprintf(stderr, "encrypted: "); 715 fprintf(stderr, "encrypted: ");
@@ -757,6 +757,9 @@ set_newkeys(int mode)
757 mac = &active_state->newkeys[mode]->mac; 757 mac = &active_state->newkeys[mode]->mac;
758 comp = &active_state->newkeys[mode]->comp; 758 comp = &active_state->newkeys[mode]->comp;
759 mac_clear(mac); 759 mac_clear(mac);
760 memset(enc->iv, 0, enc->iv_len);
761 memset(enc->key, 0, enc->key_len);
762 memset(mac->key, 0, mac->key_len);
760 xfree(enc->name); 763 xfree(enc->name);
761 xfree(enc->iv); 764 xfree(enc->iv);
762 xfree(enc->key); 765 xfree(enc->key);
@@ -771,11 +774,11 @@ set_newkeys(int mode)
771 enc = &active_state->newkeys[mode]->enc; 774 enc = &active_state->newkeys[mode]->enc;
772 mac = &active_state->newkeys[mode]->mac; 775 mac = &active_state->newkeys[mode]->mac;
773 comp = &active_state->newkeys[mode]->comp; 776 comp = &active_state->newkeys[mode]->comp;
774 if (mac_init(mac) == 0) 777 if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
775 mac->enabled = 1; 778 mac->enabled = 1;
776 DBG(debug("cipher_init_context: %d", mode)); 779 DBG(debug("cipher_init_context: %d", mode));
777 cipher_init(cc, enc->cipher, enc->key, enc->key_len, 780 cipher_init(cc, enc->cipher, enc->key, enc->key_len,
778 enc->iv, enc->block_size, crypt_type); 781 enc->iv, enc->iv_len, crypt_type);
779 /* Deleting the keys does not gain extra security */ 782 /* Deleting the keys does not gain extra security */
780 /* memset(enc->iv, 0, enc->block_size); 783 /* memset(enc->iv, 0, enc->block_size);
781 memset(enc->key, 0, enc->key_len); 784 memset(enc->key, 0, enc->key_len);
@@ -842,9 +845,8 @@ static void
842packet_send2_wrapped(void) 845packet_send2_wrapped(void)
843{ 846{
844 u_char type, *cp, *macbuf = NULL; 847 u_char type, *cp, *macbuf = NULL;
845 u_char padlen, pad; 848 u_char padlen, pad = 0;
846 u_int packet_length = 0; 849 u_int i, len, authlen = 0, aadlen = 0;
847 u_int i, len;
848 u_int32_t rnd = 0; 850 u_int32_t rnd = 0;
849 Enc *enc = NULL; 851 Enc *enc = NULL;
850 Mac *mac = NULL; 852 Mac *mac = NULL;
@@ -855,8 +857,12 @@ packet_send2_wrapped(void)
855 enc = &active_state->newkeys[MODE_OUT]->enc; 857 enc = &active_state->newkeys[MODE_OUT]->enc;
856 mac = &active_state->newkeys[MODE_OUT]->mac; 858 mac = &active_state->newkeys[MODE_OUT]->mac;
857 comp = &active_state->newkeys[MODE_OUT]->comp; 859 comp = &active_state->newkeys[MODE_OUT]->comp;
860 /* disable mac for authenticated encryption */
861 if ((authlen = cipher_authlen(enc->cipher)) != 0)
862 mac = NULL;
858 } 863 }
859 block_size = enc ? enc->block_size : 8; 864 block_size = enc ? enc->block_size : 8;
865 aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
860 866
861 cp = buffer_ptr(&active_state->outgoing_packet); 867 cp = buffer_ptr(&active_state->outgoing_packet);
862 type = cp[5]; 868 type = cp[5];
@@ -889,6 +895,7 @@ packet_send2_wrapped(void)
889 * calc size of padding, alloc space, get random data, 895 * calc size of padding, alloc space, get random data,
890 * minimum padding is 4 bytes 896 * minimum padding is 4 bytes
891 */ 897 */
898 len -= aadlen; /* packet length is not encrypted for EtM modes */
892 padlen = block_size - (len % block_size); 899 padlen = block_size - (len % block_size);
893 if (padlen < 4) 900 if (padlen < 4)
894 padlen += block_size; 901 padlen += block_size;
@@ -916,29 +923,37 @@ packet_send2_wrapped(void)
916 /* clear padding */ 923 /* clear padding */
917 memset(cp, 0, padlen); 924 memset(cp, 0, padlen);
918 } 925 }
919 /* packet_length includes payload, padding and padding length field */ 926 /* sizeof (packet_len + pad_len + payload + padding) */
920 packet_length = buffer_len(&active_state->outgoing_packet) - 4; 927 len = buffer_len(&active_state->outgoing_packet);
921 cp = buffer_ptr(&active_state->outgoing_packet); 928 cp = buffer_ptr(&active_state->outgoing_packet);
922 put_u32(cp, packet_length); 929 /* packet_length includes payload, padding and padding length field */
930 put_u32(cp, len - 4);
923 cp[4] = padlen; 931 cp[4] = padlen;
924 DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen)); 932 DBG(debug("send: len %d (includes padlen %d, aadlen %d)",
933 len, padlen, aadlen));
925 934
926 /* compute MAC over seqnr and packet(length fields, payload, padding) */ 935 /* compute MAC over seqnr and packet(length fields, payload, padding) */
927 if (mac && mac->enabled) { 936 if (mac && mac->enabled && !mac->etm) {
928 macbuf = mac_compute(mac, active_state->p_send.seqnr, 937 macbuf = mac_compute(mac, active_state->p_send.seqnr,
929 buffer_ptr(&active_state->outgoing_packet), 938 buffer_ptr(&active_state->outgoing_packet), len);
930 buffer_len(&active_state->outgoing_packet));
931 DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr)); 939 DBG(debug("done calc MAC out #%d", active_state->p_send.seqnr));
932 } 940 }
933 /* encrypt packet and append to output buffer. */ 941 /* encrypt packet and append to output buffer. */
934 cp = buffer_append_space(&active_state->output, 942 cp = buffer_append_space(&active_state->output, len + authlen);
935 buffer_len(&active_state->outgoing_packet));
936 cipher_crypt(&active_state->send_context, cp, 943 cipher_crypt(&active_state->send_context, cp,
937 buffer_ptr(&active_state->outgoing_packet), 944 buffer_ptr(&active_state->outgoing_packet),
938 buffer_len(&active_state->outgoing_packet)); 945 len - aadlen, aadlen, authlen);
939 /* append unencrypted MAC */ 946 /* append unencrypted MAC */
940 if (mac && mac->enabled) 947 if (mac && mac->enabled) {
948 if (mac->etm) {
949 /* EtM: compute mac over aadlen + cipher text */
950 macbuf = mac_compute(mac,
951 active_state->p_send.seqnr, cp, len);
952 DBG(debug("done calc MAC(EtM) out #%d",
953 active_state->p_send.seqnr));
954 }
941 buffer_append(&active_state->output, macbuf, mac->mac_len); 955 buffer_append(&active_state->output, macbuf, mac->mac_len);
956 }
942#ifdef PACKET_DEBUG 957#ifdef PACKET_DEBUG
943 fprintf(stderr, "encrypted: "); 958 fprintf(stderr, "encrypted: ");
944 buffer_dump(&active_state->output); 959 buffer_dump(&active_state->output);
@@ -949,8 +964,8 @@ packet_send2_wrapped(void)
949 if (++active_state->p_send.packets == 0) 964 if (++active_state->p_send.packets == 0)
950 if (!(datafellows & SSH_BUG_NOREKEY)) 965 if (!(datafellows & SSH_BUG_NOREKEY))
951 fatal("XXX too many packets with same key"); 966 fatal("XXX too many packets with same key");
952 active_state->p_send.blocks += (packet_length + 4) / block_size; 967 active_state->p_send.blocks += len / block_size;
953 active_state->p_send.bytes += packet_length + 4; 968 active_state->p_send.bytes += len;
954 buffer_clear(&active_state->outgoing_packet); 969 buffer_clear(&active_state->outgoing_packet);
955 970
956 if (type == SSH2_MSG_NEWKEYS) 971 if (type == SSH2_MSG_NEWKEYS)
@@ -1187,7 +1202,7 @@ packet_read_poll1(void)
1187 buffer_clear(&active_state->incoming_packet); 1202 buffer_clear(&active_state->incoming_packet);
1188 cp = buffer_append_space(&active_state->incoming_packet, padded_len); 1203 cp = buffer_append_space(&active_state->incoming_packet, padded_len);
1189 cipher_crypt(&active_state->receive_context, cp, 1204 cipher_crypt(&active_state->receive_context, cp,
1190 buffer_ptr(&active_state->input), padded_len); 1205 buffer_ptr(&active_state->input), padded_len, 0, 0);
1191 1206
1192 buffer_consume(&active_state->input, padded_len); 1207 buffer_consume(&active_state->input, padded_len);
1193 1208
@@ -1235,8 +1250,8 @@ static int
1235packet_read_poll2(u_int32_t *seqnr_p) 1250packet_read_poll2(u_int32_t *seqnr_p)
1236{ 1251{
1237 u_int padlen, need; 1252 u_int padlen, need;
1238 u_char *macbuf, *cp, type; 1253 u_char *macbuf = NULL, *cp, type;
1239 u_int maclen, block_size; 1254 u_int maclen, authlen = 0, aadlen = 0, block_size;
1240 Enc *enc = NULL; 1255 Enc *enc = NULL;
1241 Mac *mac = NULL; 1256 Mac *mac = NULL;
1242 Comp *comp = NULL; 1257 Comp *comp = NULL;
@@ -1248,11 +1263,29 @@ packet_read_poll2(u_int32_t *seqnr_p)
1248 enc = &active_state->newkeys[MODE_IN]->enc; 1263 enc = &active_state->newkeys[MODE_IN]->enc;
1249 mac = &active_state->newkeys[MODE_IN]->mac; 1264 mac = &active_state->newkeys[MODE_IN]->mac;
1250 comp = &active_state->newkeys[MODE_IN]->comp; 1265 comp = &active_state->newkeys[MODE_IN]->comp;
1266 /* disable mac for authenticated encryption */
1267 if ((authlen = cipher_authlen(enc->cipher)) != 0)
1268 mac = NULL;
1251 } 1269 }
1252 maclen = mac && mac->enabled ? mac->mac_len : 0; 1270 maclen = mac && mac->enabled ? mac->mac_len : 0;
1253 block_size = enc ? enc->block_size : 8; 1271 block_size = enc ? enc->block_size : 8;
1272 aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
1254 1273
1255 if (active_state->packlen == 0) { 1274 if (aadlen && active_state->packlen == 0) {
1275 if (buffer_len(&active_state->input) < 4)
1276 return SSH_MSG_NONE;
1277 cp = buffer_ptr(&active_state->input);
1278 active_state->packlen = get_u32(cp);
1279 if (active_state->packlen < 1 + 4 ||
1280 active_state->packlen > PACKET_MAX_SIZE) {
1281#ifdef PACKET_DEBUG
1282 buffer_dump(&active_state->input);
1283#endif
1284 logit("Bad packet length %u.", active_state->packlen);
1285 packet_disconnect("Packet corrupt");
1286 }
1287 buffer_clear(&active_state->incoming_packet);
1288 } else if (active_state->packlen == 0) {
1256 /* 1289 /*
1257 * check if input size is less than the cipher block size, 1290 * check if input size is less than the cipher block size,
1258 * decrypt first block and extract length of incoming packet 1291 * decrypt first block and extract length of incoming packet
@@ -1263,7 +1296,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
1263 cp = buffer_append_space(&active_state->incoming_packet, 1296 cp = buffer_append_space(&active_state->incoming_packet,
1264 block_size); 1297 block_size);
1265 cipher_crypt(&active_state->receive_context, cp, 1298 cipher_crypt(&active_state->receive_context, cp,
1266 buffer_ptr(&active_state->input), block_size); 1299 buffer_ptr(&active_state->input), block_size, 0, 0);
1267 cp = buffer_ptr(&active_state->incoming_packet); 1300 cp = buffer_ptr(&active_state->incoming_packet);
1268 active_state->packlen = get_u32(cp); 1301 active_state->packlen = get_u32(cp);
1269 if (active_state->packlen < 1 + 4 || 1302 if (active_state->packlen < 1 + 4 ||
@@ -1276,13 +1309,21 @@ packet_read_poll2(u_int32_t *seqnr_p)
1276 PACKET_MAX_SIZE); 1309 PACKET_MAX_SIZE);
1277 return SSH_MSG_NONE; 1310 return SSH_MSG_NONE;
1278 } 1311 }
1279 DBG(debug("input: packet len %u", active_state->packlen+4));
1280 buffer_consume(&active_state->input, block_size); 1312 buffer_consume(&active_state->input, block_size);
1281 } 1313 }
1282 /* we have a partial packet of block_size bytes */ 1314 DBG(debug("input: packet len %u", active_state->packlen+4));
1283 need = 4 + active_state->packlen - block_size; 1315 if (aadlen) {
1284 DBG(debug("partial packet %d, need %d, maclen %d", block_size, 1316 /* only the payload is encrypted */
1285 need, maclen)); 1317 need = active_state->packlen;
1318 } else {
1319 /*
1320 * the payload size and the payload are encrypted, but we
1321 * have a partial packet of block_size bytes
1322 */
1323 need = 4 + active_state->packlen - block_size;
1324 }
1325 DBG(debug("partial packet: block %d, need %d, maclen %d, authlen %d,"
1326 " aadlen %d", block_size, need, maclen, authlen, aadlen));
1286 if (need % block_size != 0) { 1327 if (need % block_size != 0) {
1287 logit("padding error: need %d block %d mod %d", 1328 logit("padding error: need %d block %d mod %d",
1288 need, block_size, need % block_size); 1329 need, block_size, need % block_size);
@@ -1292,26 +1333,35 @@ packet_read_poll2(u_int32_t *seqnr_p)
1292 } 1333 }
1293 /* 1334 /*
1294 * check if the entire packet has been received and 1335 * check if the entire packet has been received and
1295 * decrypt into incoming_packet 1336 * decrypt into incoming_packet:
1337 * 'aadlen' bytes are unencrypted, but authenticated.
1338 * 'need' bytes are encrypted, followed by either
1339 * 'authlen' bytes of authentication tag or
1340 * 'maclen' bytes of message authentication code.
1296 */ 1341 */
1297 if (buffer_len(&active_state->input) < need + maclen) 1342 if (buffer_len(&active_state->input) < aadlen + need + authlen + maclen)
1298 return SSH_MSG_NONE; 1343 return SSH_MSG_NONE;
1299#ifdef PACKET_DEBUG 1344#ifdef PACKET_DEBUG
1300 fprintf(stderr, "read_poll enc/full: "); 1345 fprintf(stderr, "read_poll enc/full: ");
1301 buffer_dump(&active_state->input); 1346 buffer_dump(&active_state->input);
1302#endif 1347#endif
1303 cp = buffer_append_space(&active_state->incoming_packet, need); 1348 /* EtM: compute mac over encrypted input */
1349 if (mac && mac->enabled && mac->etm)
1350 macbuf = mac_compute(mac, active_state->p_read.seqnr,
1351 buffer_ptr(&active_state->input), aadlen + need);
1352 cp = buffer_append_space(&active_state->incoming_packet, aadlen + need);
1304 cipher_crypt(&active_state->receive_context, cp, 1353 cipher_crypt(&active_state->receive_context, cp,
1305 buffer_ptr(&active_state->input), need); 1354 buffer_ptr(&active_state->input), need, aadlen, authlen);
1306 buffer_consume(&active_state->input, need); 1355 buffer_consume(&active_state->input, aadlen + need + authlen);
1307 /* 1356 /*
1308 * compute MAC over seqnr and packet, 1357 * compute MAC over seqnr and packet,
1309 * increment sequence number for incoming packet 1358 * increment sequence number for incoming packet
1310 */ 1359 */
1311 if (mac && mac->enabled) { 1360 if (mac && mac->enabled) {
1312 macbuf = mac_compute(mac, active_state->p_read.seqnr, 1361 if (!mac->etm)
1313 buffer_ptr(&active_state->incoming_packet), 1362 macbuf = mac_compute(mac, active_state->p_read.seqnr,
1314 buffer_len(&active_state->incoming_packet)); 1363 buffer_ptr(&active_state->incoming_packet),
1364 buffer_len(&active_state->incoming_packet));
1315 if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input), 1365 if (timingsafe_bcmp(macbuf, buffer_ptr(&active_state->input),
1316 mac->mac_len) != 0) { 1366 mac->mac_len) != 0) {
1317 logit("Corrupted MAC on input."); 1367 logit("Corrupted MAC on input.");
@@ -1410,7 +1460,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1410 case SSH2_MSG_DISCONNECT: 1460 case SSH2_MSG_DISCONNECT:
1411 reason = packet_get_int(); 1461 reason = packet_get_int();
1412 msg = packet_get_string(NULL); 1462 msg = packet_get_string(NULL);
1413 logit("Received disconnect from %s: %u: %.400s", 1463 error("Received disconnect from %s: %u: %.400s",
1414 get_remote_ipaddr(), reason, msg); 1464 get_remote_ipaddr(), reason, msg);
1415 xfree(msg); 1465 xfree(msg);
1416 cleanup_exit(255); 1466 cleanup_exit(255);
@@ -1435,7 +1485,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1435 break; 1485 break;
1436 case SSH_MSG_DISCONNECT: 1486 case SSH_MSG_DISCONNECT:
1437 msg = packet_get_string(NULL); 1487 msg = packet_get_string(NULL);
1438 logit("Received disconnect from %s: %.400s", 1488 error("Received disconnect from %s: %.400s",
1439 get_remote_ipaddr(), msg); 1489 get_remote_ipaddr(), msg);
1440 cleanup_exit(255); 1490 cleanup_exit(255);
1441 break; 1491 break;
diff --git a/platform.c b/platform.c
index a455472b3..3262b2478 100644
--- a/platform.c
+++ b/platform.c
@@ -1,4 +1,4 @@
1/* $Id: platform.c,v 1.18 2011/01/11 06:02:25 djm Exp $ */ 1/* $Id: platform.c,v 1.19 2013/03/12 00:31:05 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2006 Darren Tucker. All rights reserved. 4 * Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -194,3 +194,19 @@ platform_krb5_get_principal_name(const char *pw_name)
194 return NULL; 194 return NULL;
195#endif 195#endif
196} 196}
197
198/*
199 * return 1 if the specified uid is a uid that may own a system directory
200 * otherwise 0.
201 */
202int
203platform_sys_dir_uid(uid_t uid)
204{
205 if (uid == 0)
206 return 1;
207#ifdef PLATFORM_SYS_DIR_UID
208 if (uid == PLATFORM_SYS_DIR_UID)
209 return 1;
210#endif
211 return 0;
212}
diff --git a/platform.h b/platform.h
index 944d2c340..19f6bfdd3 100644
--- a/platform.h
+++ b/platform.h
@@ -1,4 +1,4 @@
1/* $Id: platform.h,v 1.7 2010/11/05 03:47:01 dtucker Exp $ */ 1/* $Id: platform.h,v 1.8 2013/03/12 00:31:05 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2006 Darren Tucker. All rights reserved. 4 * Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -29,5 +29,4 @@ void platform_setusercontext(struct passwd *);
29void platform_setusercontext_post_groups(struct passwd *); 29void platform_setusercontext_post_groups(struct passwd *);
30char *platform_get_krb5_client(const char *); 30char *platform_get_krb5_client(const char *);
31char *platform_krb5_get_principal_name(const char *); 31char *platform_krb5_get_principal_name(const char *);
32 32int platform_sys_dir_uid(uid_t);
33
diff --git a/regress/Makefile b/regress/Makefile
index f114c27e9..6ef5d9cce 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.58 2011/01/06 22:46:21 djm Exp $ 1# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
4tests: $(REGRESS_TARGETS) 4tests: $(REGRESS_TARGETS)
@@ -57,7 +57,11 @@ LTESTS= connect \
57 kextype \ 57 kextype \
58 cert-hostkey \ 58 cert-hostkey \
59 cert-userkey \ 59 cert-userkey \
60 host-expand 60 host-expand \
61 keys-command \
62 forward-control \
63 integrity \
64 krl
61 65
62INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers 66INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
63#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp 67#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -67,23 +71,27 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
67USER!= id -un 71USER!= id -un
68CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ 72CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
69 t8.out t8.out.pub t9.out t9.out.pub \ 73 t8.out t8.out.pub t9.out t9.out.pub \
70 authorized_keys_${USER} known_hosts pidfile \ 74 authorized_keys_${USER} known_hosts pidfile testdata \
71 ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ 75 ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
72 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ 76 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
73 rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ 77 rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
74 ls.copy banner.in banner.out empty.in \ 78 ls.copy banner.in banner.out empty.in \
75 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ 79 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
76 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ 80 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
77 known_hosts-cert host_ca_key* cert_host_key* \ 81 known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
78 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ 82 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
79 key.rsa-* key.dsa-* key.ecdsa-* \ 83 key.rsa-* key.dsa-* key.ecdsa-* \
80 authorized_principals_${USER} expect actual 84 authorized_principals_${USER} expect actual ready \
85 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
86
81 87
82# Enable all malloc(3) randomisations and checks 88# Enable all malloc(3) randomisations and checks
83TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" 89TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
84 90
85TEST_SSH_SSHKEYGEN?=ssh-keygen 91TEST_SSH_SSHKEYGEN?=ssh-keygen
86 92
93CPPFLAGS=-I..
94
87t1: 95t1:
88 ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv 96 ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
89 tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv 97 tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6700db274..3bba9f8f2 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -22,9 +22,8 @@ for ktype in rsa dsa $ecdsa ; do
22 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 22 ${SSHKEYGEN} -q -N '' -t ${ktype} \
23 -f $OBJ/cert_user_key_${ktype} || \ 23 -f $OBJ/cert_user_key_${ktype} || \
24 fail "ssh-keygen of cert_user_key_${ktype} failed" 24 fail "ssh-keygen of cert_user_key_${ktype} failed"
25 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \ 25 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
26 "regress user key for $USER" \ 26 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
27 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
28 fail "couldn't sign cert_user_key_${ktype}" 27 fail "couldn't sign cert_user_key_${ktype}"
29 # v00 ecdsa certs do not exist 28 # v00 ecdsa certs do not exist
30 test "${ktype}" = "ecdsa" && continue 29 test "${ktype}" = "ecdsa" && continue
@@ -185,14 +184,32 @@ basic_tests() {
185 ( 184 (
186 cat $OBJ/sshd_proxy_bak 185 cat $OBJ/sshd_proxy_bak
187 echo "UsePrivilegeSeparation $privsep" 186 echo "UsePrivilegeSeparation $privsep"
188 echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub" 187 echo "RevokedKeys $OBJ/cert_user_key_revoked"
189 echo "$extra_sshd" 188 echo "$extra_sshd"
190 ) > $OBJ/sshd_proxy 189 ) > $OBJ/sshd_proxy
190 cp $OBJ/cert_user_key_${ktype}.pub \
191 $OBJ/cert_user_key_revoked
192 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
193 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
194 if [ $? -eq 0 ]; then
195 fail "ssh cert connect succeeded unexpecedly"
196 fi
197 verbose "$tid: ${_prefix} revoked via KRL"
198 rm $OBJ/cert_user_key_revoked
199 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
200 $OBJ/cert_user_key_${ktype}.pub
191 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
192 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 202 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
193 if [ $? -eq 0 ]; then 203 if [ $? -eq 0 ]; then
194 fail "ssh cert connect succeeded unexpecedly" 204 fail "ssh cert connect succeeded unexpecedly"
195 fi 205 fi
206 verbose "$tid: ${_prefix} empty KRL"
207 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
208 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
209 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
210 if [ $? -ne 0 ]; then
211 fail "ssh cert connect failed"
212 fi
196 done 213 done
197 214
198 # Revoked CA 215 # Revoked CA
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 5800f4b09..65e5f35ec 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,29 +1,31 @@
1# $OpenBSD: cipher-speed.sh,v 1.5 2012/06/28 05:07:45 dtucker Exp $ 1# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="cipher speed" 4tid="cipher speed"
5 5
6getbytes () 6getbytes ()
7{ 7{
8 sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' 8 sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \
9 -e '/copied/s/.*s, \(.* MB.s\).*/\1/p'
9} 10}
10 11
11tries="1 2" 12tries="1 2"
12DATA=/bin/ls
13DATA=/bsd
14 13
15ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 14ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
16 arcfour128 arcfour256 arcfour 15 arcfour128 arcfour256 arcfour
17 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se 16 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
18 aes128-ctr aes192-ctr aes256-ctr" 17 aes128-ctr aes192-ctr aes256-ctr"
19macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" 18config_defined OPENSSL_HAVE_EVPGCM && \
20config_defined HAVE_EVP_SHA256 && 19 ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
20macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
21 hmac-sha1-96 hmac-md5-96"
22config_defined HAVE_EVP_SHA256 && \
21 macs="$macs hmac-sha2-256 hmac-sha2-512" 23 macs="$macs hmac-sha2-256 hmac-sha2-512"
22 24
23for c in $ciphers; do for m in $macs; do 25for c in $ciphers; do n=0; for m in $macs; do
24 trace "proto 2 cipher $c mac $m" 26 trace "proto 2 cipher $c mac $m"
25 for x in $tries; do 27 for x in $tries; do
26 echon "$c/$m:\t" 28 printf "%-60s" "$c/$m:"
27 ( ${SSH} -o 'compression no' \ 29 ( ${SSH} -o 'compression no' \
28 -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ 30 -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
29 exec sh -c \'"dd of=/dev/null obs=32k"\' \ 31 exec sh -c \'"dd of=/dev/null obs=32k"\' \
@@ -33,13 +35,18 @@ for c in $ciphers; do for m in $macs; do
33 fail "ssh -2 failed with mac $m cipher $c" 35 fail "ssh -2 failed with mac $m cipher $c"
34 fi 36 fi
35 done 37 done
38 # No point trying all MACs for GCM since they are ignored.
39 case $c in
40 aes*-gcm@openssh.com) test $n -gt 0 && break;;
41 esac
42 n=`expr $n + 1`
36done; done 43done; done
37 44
38ciphers="3des blowfish" 45ciphers="3des blowfish"
39for c in $ciphers; do 46for c in $ciphers; do
40 trace "proto 1 cipher $c" 47 trace "proto 1 cipher $c"
41 for x in $tries; do 48 for x in $tries; do
42 echon "$c:\t" 49 printf "%-60s" "$c:"
43 ( ${SSH} -o 'compression no' \ 50 ( ${SSH} -o 'compression no' \
44 -F $OBJ/ssh_proxy -1 -c $c somehost \ 51 -F $OBJ/ssh_proxy -1 -c $c somehost \
45 exec sh -c \'"dd of=/dev/null obs=32k"\' \ 52 exec sh -c \'"dd of=/dev/null obs=32k"\' \
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
new file mode 100644
index 000000000..80ddb4167
--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
1# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
2# Placed in the Public Domain.
3
4tid="sshd control of local and remote forwarding"
5
6LFWD_PORT=3320
7RFWD_PORT=3321
8CTL=$OBJ/ctl-sock
9READY=$OBJ/ready
10
11wait_for_file_to_appear() {
12 _path=$1
13 _n=0
14 while test ! -f $_path ; do
15 test $_n -eq 1 && trace "waiting for $_path to appear"
16 _n=`expr $_n + 1`
17 test $_n -ge 20 && return 1
18 sleep 1
19 done
20 return 0
21}
22
23wait_for_process_to_exit() {
24 _pid=$1
25 _n=0
26 while kill -0 $_pid 2>/dev/null ; do
27 test $_n -eq 1 && trace "waiting for $_pid to exit"
28 _n=`expr $_n + 1`
29 test $_n -ge 20 && return 1
30 sleep 1
31 done
32 return 0
33}
34
35# usage: check_lfwd protocol Y|N message
36check_lfwd() {
37 _proto=$1
38 _expected=$2
39 _message=$3
40 rm -f $READY
41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
42 -L$LFWD_PORT:127.0.0.1:$PORT \
43 -o ExitOnForwardFailure=yes \
44 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
45 >/dev/null 2>&1 &
46 _sshpid=$!
47 wait_for_file_to_appear $READY || \
48 fatal "check_lfwd ssh fail: $_message"
49 ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
50 -oConnectionAttempts=4 host true >/dev/null 2>&1
51 _result=$?
52 kill $_sshpid `cat $READY` 2>/dev/null
53 wait_for_process_to_exit $_sshpid
54 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
55 fail "check_lfwd failed (expecting success): $_message"
56 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
57 fail "check_lfwd succeeded (expecting failure): $_message"
58 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
59 fatal "check_lfwd invalid argument \"$_expected\""
60 else
61 verbose "check_lfwd done (expecting $_expected): $_message"
62 fi
63}
64
65# usage: check_rfwd protocol Y|N message
66check_rfwd() {
67 _proto=$1
68 _expected=$2
69 _message=$3
70 rm -f $READY
71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
72 -R$RFWD_PORT:127.0.0.1:$PORT \
73 -o ExitOnForwardFailure=yes \
74 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
75 >/dev/null 2>&1 &
76 _sshpid=$!
77 wait_for_file_to_appear $READY
78 _result=$?
79 if test $_result -eq 0 ; then
80 ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
81 -oConnectionAttempts=4 host true >/dev/null 2>&1
82 _result=$?
83 kill $_sshpid `cat $READY` 2>/dev/null
84 wait_for_process_to_exit $_sshpid
85 fi
86 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
87 fail "check_rfwd failed (expecting success): $_message"
88 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
89 fail "check_rfwd succeeded (expecting failure): $_message"
90 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
91 fatal "check_rfwd invalid argument \"$_expected\""
92 else
93 verbose "check_rfwd done (expecting $_expected): $_message"
94 fi
95}
96
97start_sshd
98cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
99cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100
101# Sanity check: ensure the default config allows forwarding
102for p in 1 2 ; do
103 check_lfwd $p Y "proto $p, default configuration"
104 check_rfwd $p Y "proto $p, default configuration"
105done
106
107# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
108all_tests() {
109 _tcpfwd=$1
110 _plain_lfwd=$2
111 _plain_rfwd=$3
112 _nopermit_lfwd=$4
113 _nopermit_rfwd=$5
114 _permit_lfwd=$6
115 _permit_rfwd=$7
116 _badfwd=127.0.0.1:22
117 _goodfwd=127.0.0.1:${PORT}
118 for _proto in 1 2 ; do
119 cp ${OBJ}/authorized_keys_${USER}.bak \
120 ${OBJ}/authorized_keys_${USER}
121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
122 # No PermitOpen
123 ( cat ${OBJ}/sshd_proxy.bak ;
124 echo "AllowTcpForwarding $_tcpfwd" ) \
125 > ${OBJ}/sshd_proxy
126 check_lfwd $_proto $_plain_lfwd "$_prefix"
127 check_rfwd $_proto $_plain_rfwd "$_prefix"
128 # PermitOpen via sshd_config that doesn't match
129 ( cat ${OBJ}/sshd_proxy.bak ;
130 echo "AllowTcpForwarding $_tcpfwd" ;
131 echo "PermitOpen $_badfwd" ) \
132 > ${OBJ}/sshd_proxy
133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
135 # PermitOpen via sshd_config that does match
136 ( cat ${OBJ}/sshd_proxy.bak ;
137 echo "AllowTcpForwarding $_tcpfwd" ;
138 echo "PermitOpen $_badfwd $_goodfwd" ) \
139 > ${OBJ}/sshd_proxy
140 # NB. permitopen via authorized_keys should have same
141 # success/fail as via sshd_config
142 # permitopen via authorized_keys that doesn't match
143 sed "s/^/permitopen=\"$_badfwd\" /" \
144 < ${OBJ}/authorized_keys_${USER}.bak \
145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
146 ( cat ${OBJ}/sshd_proxy.bak ;
147 echo "AllowTcpForwarding $_tcpfwd" ) \
148 > ${OBJ}/sshd_proxy
149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
151 # permitopen via authorized_keys that does match
152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
153 < ${OBJ}/authorized_keys_${USER}.bak \
154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
155 ( cat ${OBJ}/sshd_proxy.bak ;
156 echo "AllowTcpForwarding $_tcpfwd" ) \
157 > ${OBJ}/sshd_proxy
158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
160 done
161}
162
163# no-permitopen mismatch-permitopen match-permitopen
164# AllowTcpForwarding local remote local remote local remote
165all_tests yes Y Y N Y Y Y
166all_tests local Y N N N Y N
167all_tests remote N Y N Y N Y
168all_tests no N N N N N N
diff --git a/regress/integrity.sh b/regress/integrity.sh
new file mode 100644
index 000000000..4d46926d5
--- /dev/null
+++ b/regress/integrity.sh
@@ -0,0 +1,74 @@
1# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $
2# Placed in the Public Domain.
3
4tid="integrity"
5
6# start at byte 2900 (i.e. after kex) and corrupt at different offsets
7# XXX the test hangs if we modify the low bytes of the packet length
8# XXX and ssh tries to read...
9tries=10
10startoffset=2900
11macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
12 hmac-sha1-96 hmac-md5-96
13 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
14 umac-64-etm@openssh.com umac-128-etm@openssh.com
15 hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
16config_defined HAVE_EVP_SHA256 &&
17 macs="$macs hmac-sha2-256 hmac-sha2-512
18 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
19# The following are not MACs, but ciphers with integrated integrity. They are
20# handled specially below.
21config_defined OPENSSL_HAVE_EVPGCM && \
22 macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
23
24# sshd-command for proxy (see test-exec.sh)
25cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy"
26
27jot() {
28 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
29}
30
31for m in $macs; do
32 trace "test $tid: mac $m"
33 elen=0
34 epad=0
35 emac=0
36 ecnt=0
37 skip=0
38 for off in `jot $tries $startoffset`; do
39 skip=`expr $skip - 1`
40 if [ $skip -gt 0 ]; then
41 # avoid modifying the high bytes of the length
42 continue
43 fi
44 # modify output from sshd at offset $off
45 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
46 case $m in
47 aes*gcm*) macopt="-c $m";;
48 *) macopt="-m $m";;
49 esac
50 output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
51 999.999.999.999 'printf "%4096s" " "' 2>&1`
52 if [ $? -eq 0 ]; then
53 fail "ssh -m $m succeeds with bit-flip at $off"
54 fi
55 ecnt=`expr $ecnt + 1`
56 output=`echo $output | tr -s '\r\n' '.'`
57 verbose "test $tid: $m @$off $output"
58 case "$output" in
59 Bad?packet*) elen=`expr $elen + 1`; skip=3;;
60 Corrupted?MAC* | Decryption?integrity?check?failed*)
61 emac=`expr $emac + 1`; skip=0;;
62 padding*) epad=`expr $epad + 1`; skip=0;;
63 *) fail "unexpected error mac $m at $off";;
64 esac
65 done
66 verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
67 if [ $emac -eq 0 ]; then
68 fail "$m: no mac errors"
69 fi
70 expect=`expr $ecnt - $epad - $elen`
71 if [ $emac -ne $expect ]; then
72 fail "$m: expected $expect mac errors, got $emac"
73 fi
74done
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
new file mode 100644
index 000000000..b595a434f
--- /dev/null
+++ b/regress/keys-command.sh
@@ -0,0 +1,39 @@
1# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
2# Placed in the Public Domain.
3
4tid="authorized keys from command"
5
6if test -z "$SUDO" ; then
7 echo "skipped (SUDO not set)"
8 echo "need SUDO to create file in /var/run, test won't work without"
9 exit 0
10fi
11
12# Establish a AuthorizedKeysCommand in /var/run where it will have
13# acceptable directory permissions.
14KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
15cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
16#!/bin/sh
17test "x\$1" != "x${LOGNAME}" && exit 1
18exec cat "$OBJ/authorized_keys_${LOGNAME}"
19_EOF
20$SUDO chmod 0755 "$KEY_COMMAND"
21
22cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
23(
24 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
25 echo AuthorizedKeysFile none
26 echo AuthorizedKeysCommand $KEY_COMMAND
27 echo AuthorizedKeysCommandUser ${LOGNAME}
28) > $OBJ/sshd_proxy
29
30if [ -x $KEY_COMMAND ]; then
31 ${SSH} -F $OBJ/ssh_proxy somehost true
32 if [ $? -ne 0 ]; then
33 fail "connect failed"
34 fi
35else
36 echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
37fi
38
39$SUDO rm -f $KEY_COMMAND
diff --git a/regress/krl.sh b/regress/krl.sh
new file mode 100644
index 000000000..62a239c38
--- /dev/null
+++ b/regress/krl.sh
@@ -0,0 +1,161 @@
1# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
2# Placed in the Public Domain.
3
4tid="key revocation lists"
5
6# If we don't support ecdsa keys then this tell will be much slower.
7ECDSA=ecdsa
8if test "x$TEST_SSH_ECC" != "xyes"; then
9 ECDSA=rsa
10fi
11
12# Do most testing with ssh-keygen; it uses the same verification code as sshd.
13
14# Old keys will interfere with ssh-keygen.
15rm -f $OBJ/revoked-* $OBJ/krl-*
16
17# Generate a CA key
18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
19 fatal "$SSHKEYGEN CA failed"
20
21# A specification that revokes some certificates by serial numbers
22# The serial pattern is chosen to ensure the KRL includes list, range and
23# bitmap sections.
24cat << EOF >> $OBJ/revoked-serials
25serial: 1-4
26serial: 10
27serial: 15
28serial: 30
29serial: 50
30serial: 999
31# The following sum to 500-799
32serial: 500
33serial: 501
34serial: 502
35serial: 503-600
36serial: 700-797
37serial: 798
38serial: 799
39serial: 599-701
40EOF
41
42jot() {
43 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
44}
45
46# A specification that revokes some certificated by key ID.
47touch $OBJ/revoked-keyid
48for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
49 # Fill in by-ID revocation spec.
50 echo "id: revoked $n" >> $OBJ/revoked-keyid
51done
52
53keygen() {
54 N=$1
55 f=$OBJ/revoked-`printf "%04d" $N`
56 # Vary the keytype. We use mostly ECDSA since this is fastest by far.
57 keytype=$ECDSA
58 case $N in
59 2 | 10 | 510 | 1001) keytype=rsa;;
60 4 | 30 | 520 | 1002) keytype=dsa;;
61 esac
62 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
63 || fatal "$SSHKEYGEN failed"
64 # Sign cert
65 $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
66 || fatal "$SSHKEYGEN sign failed"
67 echo $f
68}
69
70# Generate some keys.
71verbose "$tid: generating test keys"
72REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
73for n in $REVOKED_SERIALS ; do
74 f=`keygen $n`
75 REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
76 REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
77done
78NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
79NOTREVOKED=""
80for n in $NOTREVOKED_SERIALS ; do
81 NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
82 NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
83done
84
85genkrls() {
86 OPTS=$1
87$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
88 >/dev/null || fatal "$SSHKEYGEN KRL failed"
89$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
90 >/dev/null || fatal "$SSHKEYGEN KRL failed"
91$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
92 >/dev/null || fatal "$SSHKEYGEN KRL failed"
93$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
94 >/dev/null || fatal "$SSHKEYGEN KRL failed"
95$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
96 >/dev/null || fatal "$SSHKEYGEN KRL failed"
97# KRLs from serial/key-id spec need the CA specified.
98$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
99 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
100$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
101 >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
102$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
103 >/dev/null || fatal "$SSHKEYGEN KRL failed"
104$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
105 >/dev/null || fatal "$SSHKEYGEN KRL failed"
106}
107
108verbose "$tid: generating KRLs"
109genkrls
110
111check_krl() {
112 KEY=$1
113 KRL=$2
114 EXPECT_REVOKED=$3
115 TAG=$4
116 $SSHKEYGEN -Qf $KRL $KEY >/dev/null
117 result=$?
118 if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
119 fatal "key $KEY not revoked by KRL $KRL: $TAG"
120 elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
121 fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
122 fi
123}
124test_all() {
125 FILES=$1
126 TAG=$2
127 KEYS_RESULT=$3
128 ALL_RESULT=$4
129 SERIAL_RESULT=$5
130 KEYID_RESULT=$6
131 CERTS_RESULT=$7
132 CA_RESULT=$8
133 verbose "$tid: checking revocations for $TAG"
134 for f in $FILES ; do
135 check_krl $f $OBJ/krl-empty no "$TAG"
136 check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
137 check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
138 check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
139 check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
140 check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
141 check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
142 done
143}
144# keys all serial keyid certs CA
145test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
146test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
147test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
148test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
149
150# Check update. Results should be identical.
151verbose "$tid: testing KRL update"
152for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
153 $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
154 cp -f $OBJ/krl-empty $f
155 genkrls -u
156done
157# keys all serial keyid certs CA
158test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
159test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
160test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
161test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
diff --git a/regress/modpipe.c b/regress/modpipe.c
new file mode 100755
index 000000000..9629aa80b
--- /dev/null
+++ b/regress/modpipe.c
@@ -0,0 +1,175 @@
1/*
2 * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */
18
19#include "includes.h"
20
21#include <sys/types.h>
22#include <unistd.h>
23#include <stdio.h>
24#include <string.h>
25#include <stdarg.h>
26#include <stdlib.h>
27#include <errno.h>
28#include "openbsd-compat/getopt.c"
29
30static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
31static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
32
33static void
34err(int r, const char *fmt, ...)
35{
36 va_list args;
37
38 va_start(args, fmt);
39 fprintf(stderr, "%s: ", strerror(errno));
40 vfprintf(stderr, fmt, args);
41 fputc('\n', stderr);
42 va_end(args);
43 exit(r);
44}
45
46static void
47errx(int r, const char *fmt, ...)
48{
49 va_list args;
50
51 va_start(args, fmt);
52 vfprintf(stderr, fmt, args);
53 fputc('\n', stderr);
54 va_end(args);
55 exit(r);
56}
57
58static void
59usage(void)
60{
61 fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n");
62 fprintf(stderr, "modspec is one of:\n");
63 fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n");
64 fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n");
65 exit(1);
66}
67
68#define MAX_MODIFICATIONS 256
69struct modification {
70 enum { MOD_XOR, MOD_AND_OR } what;
71 u_int64_t offset;
72 u_int8_t m1, m2;
73};
74
75static void
76parse_modification(const char *s, struct modification *m)
77{
78 char what[16+1];
79 int n, m1, m2;
80
81 bzero(m, sizeof(*m));
82 if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
83 what, &m->offset, &m1, &m2)) < 3)
84 errx(1, "Invalid modification spec \"%s\"", s);
85 if (strcasecmp(what, "xor") == 0) {
86 if (n > 3)
87 errx(1, "Invalid modification spec \"%s\"", s);
88 if (m1 < 0 || m1 > 0xff)
89 errx(1, "Invalid XOR modification value");
90 m->what = MOD_XOR;
91 m->m1 = m1;
92 } else if (strcasecmp(what, "andor") == 0) {
93 if (n != 4)
94 errx(1, "Invalid modification spec \"%s\"", s);
95 if (m1 < 0 || m1 > 0xff)
96 errx(1, "Invalid AND modification value");
97 if (m2 < 0 || m2 > 0xff)
98 errx(1, "Invalid OR modification value");
99 m->what = MOD_AND_OR;
100 m->m1 = m1;
101 m->m2 = m2;
102 } else
103 errx(1, "Invalid modification type \"%s\"", what);
104}
105
106int
107main(int argc, char **argv)
108{
109 int ch;
110 u_char buf[8192];
111 size_t total;
112 ssize_t r, s, o;
113 struct modification mods[MAX_MODIFICATIONS];
114 u_int i, wflag = 0, num_mods = 0;
115
116 while ((ch = getopt(argc, argv, "wm:")) != -1) {
117 switch (ch) {
118 case 'm':
119 if (num_mods >= MAX_MODIFICATIONS)
120 errx(1, "Too many modifications");
121 parse_modification(optarg, &(mods[num_mods++]));
122 break;
123 case 'w':
124 wflag = 1;
125 break;
126 default:
127 usage();
128 /* NOTREACHED */
129 }
130 }
131 for (total = 0;;) {
132 r = s = read(STDIN_FILENO, buf, sizeof(buf));
133 if (r == 0)
134 break;
135 if (r < 0) {
136 if (errno == EAGAIN || errno == EINTR)
137 continue;
138 err(1, "read");
139 }
140 for (i = 0; i < num_mods; i++) {
141 if (mods[i].offset < total ||
142 mods[i].offset >= total + s)
143 continue;
144 switch (mods[i].what) {
145 case MOD_XOR:
146 buf[mods[i].offset - total] ^= mods[i].m1;
147 break;
148 case MOD_AND_OR:
149 buf[mods[i].offset - total] &= mods[i].m1;
150 buf[mods[i].offset - total] |= mods[i].m2;
151 break;
152 }
153 }
154 for (o = 0; o < s; o += r) {
155 r = write(STDOUT_FILENO, buf, s - o);
156 if (r == 0)
157 break;
158 if (r < 0) {
159 if (errno == EAGAIN || errno == EINTR)
160 continue;
161 err(1, "write");
162 }
163 }
164 total += s;
165 }
166 /* Warn if modifications not reached in input stream */
167 r = 0;
168 for (i = 0; wflag && i < num_mods; i++) {
169 if (mods[i].offset < total)
170 continue;
171 r = 1;
172 fprintf(stderr, "modpipe: warning - mod %u not reached\n", i);
173 }
174 return r;
175}
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 93e15088f..1e6cc7606 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.13 2012/06/01 00:47:36 djm Exp $ 1# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -13,14 +13,22 @@ fi
13DATA=/bin/ls${EXEEXT} 13DATA=/bin/ls${EXEEXT}
14COPY=$OBJ/ls.copy 14COPY=$OBJ/ls.copy
15 15
16wait_for_mux_master_ready()
17{
18 for i in 1 2 3 4 5; do
19 ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \
20 >/dev/null 2>&1 && return 0
21 sleep $i
22 done
23 fatal "mux master never becomes ready"
24}
25
16start_sshd 26start_sshd
17 27
18trace "start master, fork to background" 28trace "start master, fork to background"
19${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & 29${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
20MASTER_PID=$! 30MASTER_PID=$!
21 31wait_for_mux_master_ready
22# Wait for master to start and authenticate
23sleep 5
24 32
25verbose "test $tid: envpass" 33verbose "test $tid: envpass"
26trace "env passing over multiplexed connection" 34trace "env passing over multiplexed connection"
@@ -78,13 +86,35 @@ for s in 0 1 4 5 44; do
78 fi 86 fi
79done 87done
80 88
81trace "test check command" 89verbose "test $tid: cmd check"
82${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost || fail "check command failed" 90${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \
91 || fail "check command failed"
83 92
84trace "test exit command" 93verbose "test $tid: cmd exit"
85${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost || fail "send exit command failed" 94${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \
95 || fail "send exit command failed"
86 96
87# Wait for master to exit 97# Wait for master to exit
88sleep 2 98wait $MASTER_PID
99kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
89 100
90kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" 101# Restart master and test -O stop command with master using -N
102verbose "test $tid: cmd stop"
103trace "restart master, fork to background"
104${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
105MASTER_PID=$!
106wait_for_mux_master_ready
107
108# start a long-running command then immediately request a stop
109${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
110 >>$TEST_SSH_LOGFILE 2>&1 &
111SLEEP_PID=$!
112${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \
113 || fail "send stop command failed"
114
115# wait until both long-running command and master have exited.
116wait $SLEEP_PID
117[ $! != 0 ] || fail "waiting for concurrent command"
118wait $MASTER_PID
119[ $! != 0 ] || fail "waiting for master stop"
120kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index bdc2c1a49..aa4e6e5c0 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -140,6 +140,10 @@ if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
140 TEST_SSH_LOGFILE=/dev/null 140 TEST_SSH_LOGFILE=/dev/null
141fi 141fi
142 142
143# Some data for test copies
144DATA=$OBJ/testdata
145cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA
146
143# these should be used in tests 147# these should be used in tests
144export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 148export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
145#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 149#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 925863504..084a1457a 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: try-ciphers.sh,v 1.13 2012/06/28 05:07:45 dtucker Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
@@ -7,11 +7,20 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
7 arcfour128 arcfour256 arcfour 7 arcfour128 arcfour256 arcfour
8 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se 8 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
9 aes128-ctr aes192-ctr aes256-ctr" 9 aes128-ctr aes192-ctr aes256-ctr"
10macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" 10config_defined OPENSSL_HAVE_EVPGCM && \
11 ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
12macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
13 hmac-sha1-96 hmac-md5-96
14 hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
15 umac-64-etm@openssh.com umac-128-etm@openssh.com
16 hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com
17 hmac-ripemd160-etm@openssh.com"
11config_defined HAVE_EVP_SHA256 && 18config_defined HAVE_EVP_SHA256 &&
12 macs="$macs hmac-sha2-256 hmac-sha2-512" 19 macs="$macs hmac-sha2-256 hmac-sha2-512
20 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
13 21
14for c in $ciphers; do 22for c in $ciphers; do
23 n=0
15 for m in $macs; do 24 for m in $macs; do
16 trace "proto 2 cipher $c mac $m" 25 trace "proto 2 cipher $c mac $m"
17 verbose "test $tid: proto 2 cipher $c mac $m" 26 verbose "test $tid: proto 2 cipher $c mac $m"
@@ -19,6 +28,11 @@ for c in $ciphers; do
19 if [ $? -ne 0 ]; then 28 if [ $? -ne 0 ]; then
20 fail "ssh -2 failed with mac $m cipher $c" 29 fail "ssh -2 failed with mac $m cipher $c"
21 fi 30 fi
31 # No point trying all MACs for GCM since they are ignored.
32 case $c in
33 aes*-gcm@openssh.com) test $n -gt 0 && break;;
34 esac
35 n=`expr $n + 1`
22 done 36 done
23done 37done
24 38
@@ -32,20 +46,3 @@ for c in $ciphers; do
32 fi 46 fi
33done 47done
34 48
35if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null
36then
37 :
38else
39
40echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
41c=acss@openssh.org
42for m in $macs; do
43 trace "proto 2 $c mac $m"
44 verbose "test $tid: proto 2 cipher $c mac $m"
45 ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
46 if [ $? -ne 0 ]; then
47 fail "ssh -2 failed with mac $m cipher $c"
48 fi
49done
50
51fi
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ef2b13c4f..e12418399 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -44,6 +44,7 @@
44#include <linux/audit.h> 44#include <linux/audit.h>
45#include <linux/filter.h> 45#include <linux/filter.h>
46#include <linux/seccomp.h> 46#include <linux/seccomp.h>
47#include <elf.h>
47 48
48#include <asm/unistd.h> 49#include <asm/unistd.h>
49 50
@@ -90,7 +91,9 @@ static const struct sock_filter preauth_insns[] = {
90 SC_DENY(open, EACCES), 91 SC_DENY(open, EACCES),
91 SC_ALLOW(getpid), 92 SC_ALLOW(getpid),
92 SC_ALLOW(gettimeofday), 93 SC_ALLOW(gettimeofday),
94#ifdef __NR_time /* not defined on EABI ARM */
93 SC_ALLOW(time), 95 SC_ALLOW(time),
96#endif
94 SC_ALLOW(read), 97 SC_ALLOW(read),
95 SC_ALLOW(write), 98 SC_ALLOW(write),
96 SC_ALLOW(close), 99 SC_ALLOW(close),
@@ -102,7 +105,12 @@ static const struct sock_filter preauth_insns[] = {
102 SC_ALLOW(select), 105 SC_ALLOW(select),
103#endif 106#endif
104 SC_ALLOW(madvise), 107 SC_ALLOW(madvise),
108#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
109 SC_ALLOW(mmap2),
110#endif
111#ifdef __NR_mmap
105 SC_ALLOW(mmap), 112 SC_ALLOW(mmap),
113#endif
106 SC_ALLOW(munmap), 114 SC_ALLOW(munmap),
107 SC_ALLOW(exit_group), 115 SC_ALLOW(exit_group),
108#ifdef __NR_rt_sigprocmask 116#ifdef __NR_rt_sigprocmask
diff --git a/scp.0 b/scp.0
index e612d30ef..119d9293b 100644
--- a/scp.0
+++ b/scp.0
@@ -155,4 +155,4 @@ AUTHORS
155 Timo Rinne <tri@iki.fi> 155 Timo Rinne <tri@iki.fi>
156 Tatu Ylonen <ylo@cs.hut.fi> 156 Tatu Ylonen <ylo@cs.hut.fi>
157 157
158OpenBSD 5.2 September 5, 2011 OpenBSD 5.2 158OpenBSD 5.3 September 5, 2011 OpenBSD 5.3
diff --git a/scp.c b/scp.c
index 08587b5f2..645d7403b 100644
--- a/scp.c
+++ b/scp.c
@@ -103,7 +103,7 @@
103#include <string.h> 103#include <string.h>
104#include <time.h> 104#include <time.h>
105#include <unistd.h> 105#include <unistd.h>
106#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) 106#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
107#include <vis.h> 107#include <vis.h>
108#endif 108#endif
109 109
diff --git a/servconf.c b/servconf.c
index 5be0c7bbf..cdc029308 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -48,6 +48,8 @@
48#include "groupaccess.h" 48#include "groupaccess.h"
49#include "canohost.h" 49#include "canohost.h"
50#include "packet.h" 50#include "packet.h"
51#include "hostfile.h"
52#include "auth.h"
51 53
52static void add_listen_addr(ServerOptions *, char *, int); 54static void add_listen_addr(ServerOptions *, char *, int);
53static void add_one_listen_addr(ServerOptions *, char *, int); 55static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -138,6 +140,8 @@ initialize_server_options(ServerOptions *options)
138 options->num_permitted_opens = -1; 140 options->num_permitted_opens = -1;
139 options->adm_forced_command = NULL; 141 options->adm_forced_command = NULL;
140 options->chroot_directory = NULL; 142 options->chroot_directory = NULL;
143 options->authorized_keys_command = NULL;
144 options->authorized_keys_command_user = NULL;
141 options->zero_knowledge_password_authentication = -1; 145 options->zero_knowledge_password_authentication = -1;
142 options->revoked_keys_file = NULL; 146 options->revoked_keys_file = NULL;
143 options->trusted_user_ca_keys = NULL; 147 options->trusted_user_ca_keys = NULL;
@@ -255,17 +259,17 @@ fill_default_server_options(ServerOptions *options)
255 if (options->compression == -1) 259 if (options->compression == -1)
256 options->compression = COMP_DELAYED; 260 options->compression = COMP_DELAYED;
257 if (options->allow_tcp_forwarding == -1) 261 if (options->allow_tcp_forwarding == -1)
258 options->allow_tcp_forwarding = 1; 262 options->allow_tcp_forwarding = FORWARD_ALLOW;
259 if (options->allow_agent_forwarding == -1) 263 if (options->allow_agent_forwarding == -1)
260 options->allow_agent_forwarding = 1; 264 options->allow_agent_forwarding = 1;
261 if (options->gateway_ports == -1) 265 if (options->gateway_ports == -1)
262 options->gateway_ports = 0; 266 options->gateway_ports = 0;
263 if (options->max_startups == -1) 267 if (options->max_startups == -1)
264 options->max_startups = 10; 268 options->max_startups = 100;
265 if (options->max_startups_rate == -1) 269 if (options->max_startups_rate == -1)
266 options->max_startups_rate = 100; /* 100% */ 270 options->max_startups_rate = 30; /* 30% */
267 if (options->max_startups_begin == -1) 271 if (options->max_startups_begin == -1)
268 options->max_startups_begin = options->max_startups; 272 options->max_startups_begin = 10;
269 if (options->max_authtries == -1) 273 if (options->max_authtries == -1)
270 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 274 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
271 if (options->max_sessions == -1) 275 if (options->max_sessions == -1)
@@ -340,6 +344,8 @@ typedef enum {
340 sZeroKnowledgePasswordAuthentication, sHostCertificate, 344 sZeroKnowledgePasswordAuthentication, sHostCertificate,
341 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 345 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
342 sKexAlgorithms, sIPQoS, sVersionAddendum, 346 sKexAlgorithms, sIPQoS, sVersionAddendum,
347 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
348 sAuthenticationMethods,
343 sDeprecated, sUnsupported 349 sDeprecated, sUnsupported
344} ServerOpCodes; 350} ServerOpCodes;
345 351
@@ -474,7 +480,10 @@ static struct {
474 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 480 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
475 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 481 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
476 { "ipqos", sIPQoS, SSHCFG_ALL }, 482 { "ipqos", sIPQoS, SSHCFG_ALL },
483 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
484 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
477 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 485 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
486 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
478 { NULL, sBadOption, 0 } 487 { NULL, sBadOption, 0 }
479}; 488};
480 489
@@ -639,8 +648,9 @@ out:
639} 648}
640 649
641/* 650/*
642 * All of the attributes on a single Match line are ANDed together, so we need to check every 651 * All of the attributes on a single Match line are ANDed together, so we need
643 * attribute and set the result to zero if any attribute does not match. 652 * to check every * attribute and set the result to zero if any attribute does
653 * not match.
644 */ 654 */
645static int 655static int
646match_cfg_line(char **condition, int line, struct connection_info *ci) 656match_cfg_line(char **condition, int line, struct connection_info *ci)
@@ -797,6 +807,14 @@ static const struct multistate multistate_privsep[] = {
797 { "no", PRIVSEP_OFF }, 807 { "no", PRIVSEP_OFF },
798 { NULL, -1 } 808 { NULL, -1 }
799}; 809};
810static const struct multistate multistate_tcpfwd[] = {
811 { "yes", FORWARD_ALLOW },
812 { "all", FORWARD_ALLOW },
813 { "no", FORWARD_DENY },
814 { "remote", FORWARD_REMOTE },
815 { "local", FORWARD_LOCAL },
816 { NULL, -1 }
817};
800 818
801int 819int
802process_server_config_line(ServerOptions *options, char *line, 820process_server_config_line(ServerOptions *options, char *line,
@@ -1166,7 +1184,8 @@ process_server_config_line(ServerOptions *options, char *line,
1166 1184
1167 case sAllowTcpForwarding: 1185 case sAllowTcpForwarding:
1168 intptr = &options->allow_tcp_forwarding; 1186 intptr = &options->allow_tcp_forwarding;
1169 goto parse_flag; 1187 multistate_ptr = multistate_tcpfwd;
1188 goto parse_multistate;
1170 1189
1171 case sAllowAgentForwarding: 1190 case sAllowAgentForwarding:
1172 intptr = &options->allow_agent_forwarding; 1191 intptr = &options->allow_agent_forwarding;
@@ -1446,7 +1465,6 @@ process_server_config_line(ServerOptions *options, char *line,
1446 } 1465 }
1447 if (strcmp(arg, "none") == 0) { 1466 if (strcmp(arg, "none") == 0) {
1448 if (*activep && n == -1) { 1467 if (*activep && n == -1) {
1449 channel_clear_adm_permitted_opens();
1450 options->num_permitted_opens = 1; 1468 options->num_permitted_opens = 1;
1451 channel_disable_adm_local_opens(); 1469 channel_disable_adm_local_opens();
1452 } 1470 }
@@ -1530,6 +1548,43 @@ process_server_config_line(ServerOptions *options, char *line,
1530 } 1548 }
1531 return 0; 1549 return 0;
1532 1550
1551 case sAuthorizedKeysCommand:
1552 len = strspn(cp, WHITESPACE);
1553 if (*activep && options->authorized_keys_command == NULL) {
1554 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1555 fatal("%.200s line %d: AuthorizedKeysCommand "
1556 "must be an absolute path",
1557 filename, linenum);
1558 options->authorized_keys_command = xstrdup(cp + len);
1559 }
1560 return 0;
1561
1562 case sAuthorizedKeysCommandUser:
1563 charptr = &options->authorized_keys_command_user;
1564
1565 arg = strdelim(&cp);
1566 if (*activep && *charptr == NULL)
1567 *charptr = xstrdup(arg);
1568 break;
1569
1570 case sAuthenticationMethods:
1571 if (*activep && options->num_auth_methods == 0) {
1572 while ((arg = strdelim(&cp)) && *arg != '\0') {
1573 if (options->num_auth_methods >=
1574 MAX_AUTH_METHODS)
1575 fatal("%s line %d: "
1576 "too many authentication methods.",
1577 filename, linenum);
1578 if (auth2_methods_valid(arg, 0) != 0)
1579 fatal("%s line %d: invalid "
1580 "authentication method list.",
1581 filename, linenum);
1582 options->auth_methods[
1583 options->num_auth_methods++] = xstrdup(arg);
1584 }
1585 }
1586 return 0;
1587
1533 case sDeprecated: 1588 case sDeprecated:
1534 logit("%s line %d: Deprecated option %s", 1589 logit("%s line %d: Deprecated option %s",
1535 filename, linenum, arg); 1590 filename, linenum, arg);
@@ -1680,6 +1735,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1680 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1735 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1681 M_CP_INTOPT(kbd_interactive_authentication); 1736 M_CP_INTOPT(kbd_interactive_authentication);
1682 M_CP_INTOPT(zero_knowledge_password_authentication); 1737 M_CP_INTOPT(zero_knowledge_password_authentication);
1738 M_CP_STROPT(authorized_keys_command);
1739 M_CP_STROPT(authorized_keys_command_user);
1683 M_CP_INTOPT(permit_root_login); 1740 M_CP_INTOPT(permit_root_login);
1684 M_CP_INTOPT(permit_empty_passwd); 1741 M_CP_INTOPT(permit_empty_passwd);
1685 1742
@@ -1764,6 +1821,8 @@ fmt_intarg(ServerOpCodes code, int val)
1764 return fmt_multistate_int(val, multistate_compression); 1821 return fmt_multistate_int(val, multistate_compression);
1765 case sUsePrivilegeSeparation: 1822 case sUsePrivilegeSeparation:
1766 return fmt_multistate_int(val, multistate_privsep); 1823 return fmt_multistate_int(val, multistate_privsep);
1824 case sAllowTcpForwarding:
1825 return fmt_multistate_int(val, multistate_tcpfwd);
1767 case sProtocol: 1826 case sProtocol:
1768 switch (val) { 1827 switch (val) {
1769 case SSH_PROTO_1: 1828 case SSH_PROTO_1:
@@ -1943,6 +2002,8 @@ dump_config(ServerOptions *o)
1943 dump_cfg_string(sAuthorizedPrincipalsFile, 2002 dump_cfg_string(sAuthorizedPrincipalsFile,
1944 o->authorized_principals_file); 2003 o->authorized_principals_file);
1945 dump_cfg_string(sVersionAddendum, o->version_addendum); 2004 dump_cfg_string(sVersionAddendum, o->version_addendum);
2005 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2006 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
1946 2007
1947 /* string arguments requiring a lookup */ 2008 /* string arguments requiring a lookup */
1948 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2009 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -1960,6 +2021,8 @@ dump_config(ServerOptions *o)
1960 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2021 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1961 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2022 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1962 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2023 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2024 dump_cfg_strarray_oneline(sAuthenticationMethods,
2025 o->num_auth_methods, o->auth_methods);
1963 2026
1964 /* other arguments */ 2027 /* other arguments */
1965 for (i = 0; i < o->num_subsystems; i++) 2028 for (i = 0; i < o->num_subsystems; i++)
diff --git a/servconf.h b/servconf.h
index 2ccf4d0f2..06e21a93d 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.103 2012/07/10 02:19:15 djm Exp $ */ 1/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -28,6 +28,7 @@
28#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ 28#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */
29#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ 29#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */
30#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */ 30#define MAX_AUTHKEYS_FILES 256 /* Max # of authorized_keys files. */
31#define MAX_AUTH_METHODS 256 /* Max # of AuthenticationMethods. */
31 32
32/* permit_root_login */ 33/* permit_root_login */
33#define PERMIT_NOT_SET -1 34#define PERMIT_NOT_SET -1
@@ -41,6 +42,12 @@
41#define PRIVSEP_ON 1 42#define PRIVSEP_ON 1
42#define PRIVSEP_NOSANDBOX 2 43#define PRIVSEP_NOSANDBOX 2
43 44
45/* AllowTCPForwarding */
46#define FORWARD_DENY 0
47#define FORWARD_REMOTE (1)
48#define FORWARD_LOCAL (1<<1)
49#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
50
44#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ 51#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
45#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ 52#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
46 53
@@ -118,7 +125,7 @@ typedef struct {
118 int permit_user_env; /* If true, read ~/.ssh/environment */ 125 int permit_user_env; /* If true, read ~/.ssh/environment */
119 int use_login; /* If true, login(1) is used */ 126 int use_login; /* If true, login(1) is used */
120 int compression; /* If true, compression is allowed */ 127 int compression; /* If true, compression is allowed */
121 int allow_tcp_forwarding; 128 int allow_tcp_forwarding; /* One of FORWARD_* */
122 int allow_agent_forwarding; 129 int allow_agent_forwarding;
123 u_int num_allow_users; 130 u_int num_allow_users;
124 char *allow_users[MAX_ALLOW_USERS]; 131 char *allow_users[MAX_ALLOW_USERS];
@@ -169,8 +176,13 @@ typedef struct {
169 char *revoked_keys_file; 176 char *revoked_keys_file;
170 char *trusted_user_ca_keys; 177 char *trusted_user_ca_keys;
171 char *authorized_principals_file; 178 char *authorized_principals_file;
179 char *authorized_keys_command;
180 char *authorized_keys_command_user;
172 181
173 char *version_addendum; /* Appended to SSH banner */ 182 char *version_addendum; /* Appended to SSH banner */
183
184 u_int num_auth_methods;
185 char *auth_methods[MAX_AUTH_METHODS];
174} ServerOptions; 186} ServerOptions;
175 187
176/* Information about the incoming connection as used by Match */ 188/* Information about the incoming connection as used by Match */
@@ -194,12 +206,15 @@ struct connection_info {
194 M_CP_STROPT(trusted_user_ca_keys); \ 206 M_CP_STROPT(trusted_user_ca_keys); \
195 M_CP_STROPT(revoked_keys_file); \ 207 M_CP_STROPT(revoked_keys_file); \
196 M_CP_STROPT(authorized_principals_file); \ 208 M_CP_STROPT(authorized_principals_file); \
209 M_CP_STROPT(authorized_keys_command); \
210 M_CP_STROPT(authorized_keys_command_user); \
197 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ 211 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
198 M_CP_STRARRAYOPT(allow_users, num_allow_users); \ 212 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
199 M_CP_STRARRAYOPT(deny_users, num_deny_users); \ 213 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
200 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \ 214 M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
201 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \ 215 M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
202 M_CP_STRARRAYOPT(accept_env, num_accept_env); \ 216 M_CP_STRARRAYOPT(accept_env, num_accept_env); \
217 M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
203 } while (0) 218 } while (0)
204 219
205struct connection_info *get_connection_info(int, int); 220struct connection_info *get_connection_info(int, int);
diff --git a/serverloop.c b/serverloop.c
index 741c5befb..e224bd08a 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ 1/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -708,7 +708,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
708 &nalloc, max_time_milliseconds); 708 &nalloc, max_time_milliseconds);
709 709
710 if (received_sigterm) { 710 if (received_sigterm) {
711 logit("Exiting on signal %d", received_sigterm); 711 logit("Exiting on signal %d", (int)received_sigterm);
712 /* Clean up sessions, utmp, etc. */ 712 /* Clean up sessions, utmp, etc. */
713 cleanup_exit(255); 713 cleanup_exit(255);
714 } 714 }
@@ -858,7 +858,7 @@ server_loop2(Authctxt *authctxt)
858 &nalloc, 0); 858 &nalloc, 0);
859 859
860 if (received_sigterm) { 860 if (received_sigterm) {
861 logit("Exiting on signal %d", received_sigterm); 861 logit("Exiting on signal %d", (int)received_sigterm);
862 /* Clean up sessions, utmp, etc. */ 862 /* Clean up sessions, utmp, etc. */
863 cleanup_exit(255); 863 cleanup_exit(255);
864 } 864 }
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
950static Channel * 950static Channel *
951server_request_direct_tcpip(void) 951server_request_direct_tcpip(void)
952{ 952{
953 Channel *c; 953 Channel *c = NULL;
954 char *target, *originator; 954 char *target, *originator;
955 u_short target_port, originator_port; 955 u_short target_port, originator_port;
956 956
@@ -963,9 +963,16 @@ server_request_direct_tcpip(void)
963 debug("server_request_direct_tcpip: originator %s port %d, target %s " 963 debug("server_request_direct_tcpip: originator %s port %d, target %s "
964 "port %d", originator, originator_port, target, target_port); 964 "port %d", originator, originator_port, target, target_port);
965 965
966 /* XXX check permission */ 966 /* XXX fine grained permissions */
967 c = channel_connect_to(target, target_port, 967 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
968 "direct-tcpip", "direct-tcpip"); 968 !no_port_forwarding_flag) {
969 c = channel_connect_to(target, target_port,
970 "direct-tcpip", "direct-tcpip");
971 } else {
972 logit("refused local port forward: "
973 "originator %s port %d, target %s port %d",
974 originator, originator_port, target, target_port);
975 }
969 976
970 xfree(originator); 977 xfree(originator);
971 xfree(target); 978 xfree(target);
@@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
1126 listen_address, listen_port); 1133 listen_address, listen_port);
1127 1134
1128 /* check permissions */ 1135 /* check permissions */
1129 if (!options.allow_tcp_forwarding || 1136 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
1130 no_port_forwarding_flag || 1137 no_port_forwarding_flag ||
1131 (!want_reply && listen_port == 0) 1138 (!want_reply && listen_port == 0)
1132#ifndef NO_IPPORT_RESERVED_CONCEPT 1139#ifndef NO_IPPORT_RESERVED_CONCEPT
diff --git a/session.c b/session.c
index 65bf28776..19eaa20c3 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */ 1/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt)
273 setproctitle("%s", authctxt->pw->pw_name); 273 setproctitle("%s", authctxt->pw->pw_name);
274 274
275 /* setup the channel layer */ 275 /* setup the channel layer */
276 if (!no_port_forwarding_flag && options.allow_tcp_forwarding) 276 if (no_port_forwarding_flag ||
277 (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
278 channel_disable_adm_local_opens();
279 else
277 channel_permit_all_opens(); 280 channel_permit_all_opens();
278 281
279 auth_debug_send(); 282 auth_debug_send();
@@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt)
383 debug("Port forwarding not permitted for this authentication."); 386 debug("Port forwarding not permitted for this authentication.");
384 break; 387 break;
385 } 388 }
386 if (!options.allow_tcp_forwarding) { 389 if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
387 debug("Port forwarding not permitted."); 390 debug("Port forwarding not permitted.");
388 break; 391 break;
389 } 392 }
@@ -1517,6 +1520,11 @@ do_setusercontext(struct passwd *pw)
1517 perror("unable to set user context (setuser)"); 1520 perror("unable to set user context (setuser)");
1518 exit(1); 1521 exit(1);
1519 } 1522 }
1523 /*
1524 * FreeBSD's setusercontext() will not apply the user's
1525 * own umask setting unless running with the user's UID.
1526 */
1527 (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
1520#else 1528#else
1521 /* Permanently switch to the desired uid. */ 1529 /* Permanently switch to the desired uid. */
1522 permanently_set_uid(pw); 1530 permanently_set_uid(pw);
diff --git a/sftp-server.0 b/sftp-server.0
index 340929d75..6beddcc13 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -4,7 +4,8 @@ NAME
4 sftp-server - SFTP server subsystem 4 sftp-server - SFTP server subsystem
5 5
6SYNOPSIS 6SYNOPSIS
7 sftp-server [-ehR] [-f log_facility] [-l log_level] [-u umask] 7 sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
8 [-u umask]
8 9
9DESCRIPTION 10DESCRIPTION
10 sftp-server is a program that speaks the server side of SFTP protocol to 11 sftp-server is a program that speaks the server side of SFTP protocol to
@@ -17,6 +18,15 @@ DESCRIPTION
17 18
18 Valid options are: 19 Valid options are:
19 20
21 -d start_directory
22 specifies an alternate starting directory for users. The
23 pathname may contain the following tokens that are expanded at
24 runtime: %% is replaced by a literal '%', %h is replaced by the
25 home directory of the user being authenticated, and %u is
26 replaced by the username of that user. The default is to use the
27 user's home directory. This option is useful in conjunction with
28 the sshd_config(5) ChrootDirectory option.
29
20 -e Causes sftp-server to print logging information to stderr instead 30 -e Causes sftp-server to print logging information to stderr instead
21 of syslog for debugging. 31 of syslog for debugging.
22 32
@@ -61,4 +71,4 @@ HISTORY
61AUTHORS 71AUTHORS
62 Markus Friedl <markus@openbsd.org> 72 Markus Friedl <markus@openbsd.org>
63 73
64OpenBSD 5.2 January 9, 2010 OpenBSD 5.2 74OpenBSD 5.3 January 4, 2013 OpenBSD 5.3
diff --git a/sftp-server.8 b/sftp-server.8
index bb19c15e1..2fd3df20c 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: sftp-server.8,v 1.19 2010/01/09 03:36:00 jmc Exp $ 1.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $
2.\" 2.\"
3.\" Copyright (c) 2000 Markus Friedl. All rights reserved. 3.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: January 9 2010 $ 25.Dd $Mdocdate: January 4 2013 $
26.Dt SFTP-SERVER 8 26.Dt SFTP-SERVER 8
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -31,6 +31,7 @@
31.Sh SYNOPSIS 31.Sh SYNOPSIS
32.Nm sftp-server 32.Nm sftp-server
33.Op Fl ehR 33.Op Fl ehR
34.Op Fl d Ar start_directory
34.Op Fl f Ar log_facility 35.Op Fl f Ar log_facility
35.Op Fl l Ar log_level 36.Op Fl l Ar log_level
36.Op Fl u Ar umask 37.Op Fl u Ar umask
@@ -56,6 +57,17 @@ for more information.
56.Pp 57.Pp
57Valid options are: 58Valid options are:
58.Bl -tag -width Ds 59.Bl -tag -width Ds
60.It Fl d Ar start_directory
61specifies an alternate starting directory for users.
62The pathname may contain the following tokens that are expanded at runtime:
63%% is replaced by a literal '%',
64%h is replaced by the home directory of the user being authenticated,
65and %u is replaced by the username of that user.
66The default is to use the user's home directory.
67This option is useful in conjunction with the
68.Xr sshd_config 5
69.Cm ChrootDirectory
70option.
59.It Fl e 71.It Fl e
60Causes 72Causes
61.Nm 73.Nm
diff --git a/sftp-server.c b/sftp-server.c
index 9d01c7d79..cce074a56 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-server.c,v 1.94 2011/06/17 21:46:16 djm Exp $ */ 1/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */
2/* 2/*
3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
4 * 4 *
@@ -1390,7 +1390,8 @@ sftp_server_usage(void)
1390 extern char *__progname; 1390 extern char *__progname;
1391 1391
1392 fprintf(stderr, 1392 fprintf(stderr,
1393 "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]\n", 1393 "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
1394 "[-l log_level]\n\t[-u umask]\n",
1394 __progname); 1395 __progname);
1395 exit(1); 1396 exit(1);
1396} 1397}
@@ -1402,7 +1403,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
1402 int in, out, max, ch, skipargs = 0, log_stderr = 0; 1403 int in, out, max, ch, skipargs = 0, log_stderr = 0;
1403 ssize_t len, olen, set_size; 1404 ssize_t len, olen, set_size;
1404 SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; 1405 SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
1405 char *cp, buf[4*4096]; 1406 char *cp, *homedir = NULL, buf[4*4096];
1406 long mask; 1407 long mask;
1407 1408
1408 extern char *optarg; 1409 extern char *optarg;
@@ -1411,7 +1412,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
1411 __progname = ssh_get_progname(argv[0]); 1412 __progname = ssh_get_progname(argv[0]);
1412 log_init(__progname, log_level, log_facility, log_stderr); 1413 log_init(__progname, log_level, log_facility, log_stderr);
1413 1414
1414 while (!skipargs && (ch = getopt(argc, argv, "f:l:u:cehR")) != -1) { 1415 pw = pwcopy(user_pw);
1416
1417 while (!skipargs && (ch = getopt(argc, argv, "d:f:l:u:cehR")) != -1) {
1415 switch (ch) { 1418 switch (ch) {
1416 case 'R': 1419 case 'R':
1417 readonly = 1; 1420 readonly = 1;
@@ -1436,6 +1439,12 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
1436 if (log_facility == SYSLOG_FACILITY_NOT_SET) 1439 if (log_facility == SYSLOG_FACILITY_NOT_SET)
1437 error("Invalid log facility \"%s\"", optarg); 1440 error("Invalid log facility \"%s\"", optarg);
1438 break; 1441 break;
1442 case 'd':
1443 cp = tilde_expand_filename(optarg, user_pw->pw_uid);
1444 homedir = percent_expand(cp, "d", user_pw->pw_dir,
1445 "u", user_pw->pw_name, (char *)NULL);
1446 free(cp);
1447 break;
1439 case 'u': 1448 case 'u':
1440 errno = 0; 1449 errno = 0;
1441 mask = strtol(optarg, &cp, 8); 1450 mask = strtol(optarg, &cp, 8);
@@ -1463,8 +1472,6 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
1463 } else 1472 } else
1464 client_addr = xstrdup("UNKNOWN"); 1473 client_addr = xstrdup("UNKNOWN");
1465 1474
1466 pw = pwcopy(user_pw);
1467
1468 logit("session opened for local user %s from [%s]", 1475 logit("session opened for local user %s from [%s]",
1469 pw->pw_name, client_addr); 1476 pw->pw_name, client_addr);
1470 1477
@@ -1489,6 +1496,13 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
1489 rset = (fd_set *)xmalloc(set_size); 1496 rset = (fd_set *)xmalloc(set_size);
1490 wset = (fd_set *)xmalloc(set_size); 1497 wset = (fd_set *)xmalloc(set_size);
1491 1498
1499 if (homedir != NULL) {
1500 if (chdir(homedir) != 0) {
1501 error("chdir to \"%s\" failed: %s", homedir,
1502 strerror(errno));
1503 }
1504 }
1505
1492 for (;;) { 1506 for (;;) {
1493 memset(rset, 0, set_size); 1507 memset(rset, 0, set_size);
1494 memset(wset, 0, set_size); 1508 memset(wset, 0, set_size);
diff --git a/sftp.0 b/sftp.0
index e67b64c48..dd1da5241 100644
--- a/sftp.0
+++ b/sftp.0
@@ -336,4 +336,4 @@ SEE ALSO
336 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress 336 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
337 material. 337 material.
338 338
339OpenBSD 5.2 September 5, 2011 OpenBSD 5.2 339OpenBSD 5.3 September 5, 2011 OpenBSD 5.3
diff --git a/sftp.c b/sftp.c
index 235c6ad04..342ae7efc 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp.c,v 1.136 2012/06/22 14:36:33 dtucker Exp $ */ 1/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -54,10 +54,6 @@ typedef void EditLine;
54# include <util.h> 54# include <util.h>
55#endif 55#endif
56 56
57#ifdef HAVE_LIBUTIL_H
58# include <libutil.h>
59#endif
60
61#include "xmalloc.h" 57#include "xmalloc.h"
62#include "log.h" 58#include "log.h"
63#include "pathnames.h" 59#include "pathnames.h"
@@ -991,6 +987,10 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
991 state = MA_START; 987 state = MA_START;
992 i = j = 0; 988 i = j = 0;
993 for (;;) { 989 for (;;) {
990 if ((size_t)argc >= sizeof(argv) / sizeof(*argv)){
991 error("Too many arguments.");
992 return NULL;
993 }
994 if (isspace(arg[i])) { 994 if (isspace(arg[i])) {
995 if (state == MA_UNQUOTED) { 995 if (state == MA_UNQUOTED) {
996 /* Terminate current argument */ 996 /* Terminate current argument */
@@ -1141,7 +1141,7 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag,
1141 1141
1142 /* Figure out which command we have */ 1142 /* Figure out which command we have */
1143 for (i = 0; cmds[i].c != NULL; i++) { 1143 for (i = 0; cmds[i].c != NULL; i++) {
1144 if (strcasecmp(cmds[i].c, argv[0]) == 0) 1144 if (argv[0] != NULL && strcasecmp(cmds[i].c, argv[0]) == 0)
1145 break; 1145 break;
1146 } 1146 }
1147 cmdnum = cmds[i].n; 1147 cmdnum = cmds[i].n;
@@ -1695,7 +1695,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1695{ 1695{
1696 glob_t g; 1696 glob_t g;
1697 char *tmp, *tmp2, ins[3]; 1697 char *tmp, *tmp2, ins[3];
1698 u_int i, hadglob, pwdlen, len, tmplen, filelen; 1698 u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
1699 const LineInfo *lf; 1699 const LineInfo *lf;
1700 1700
1701 /* Glob from "file" location */ 1701 /* Glob from "file" location */
@@ -1704,6 +1704,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1704 else 1704 else
1705 xasprintf(&tmp, "%s*", file); 1705 xasprintf(&tmp, "%s*", file);
1706 1706
1707 /* Check if the path is absolute. */
1708 isabs = tmp[0] == '/';
1709
1707 memset(&g, 0, sizeof(g)); 1710 memset(&g, 0, sizeof(g));
1708 if (remote != LOCAL) { 1711 if (remote != LOCAL) {
1709 tmp = make_absolute(tmp, remote_path); 1712 tmp = make_absolute(tmp, remote_path);
@@ -1738,7 +1741,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1738 goto out; 1741 goto out;
1739 1742
1740 tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); 1743 tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc);
1741 tmp = path_strip(tmp2, remote_path); 1744 tmp = path_strip(tmp2, isabs ? NULL : remote_path);
1742 xfree(tmp2); 1745 xfree(tmp2);
1743 1746
1744 if (tmp == NULL) 1747 if (tmp == NULL)
@@ -1747,8 +1750,18 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1747 tmplen = strlen(tmp); 1750 tmplen = strlen(tmp);
1748 filelen = strlen(file); 1751 filelen = strlen(file);
1749 1752
1750 if (tmplen > filelen) { 1753 /* Count the number of escaped characters in the input string. */
1751 tmp2 = tmp + filelen; 1754 cesc = isesc = 0;
1755 for (i = 0; i < filelen; i++) {
1756 if (!isesc && file[i] == '\\' && i + 1 < filelen){
1757 isesc = 1;
1758 cesc++;
1759 } else
1760 isesc = 0;
1761 }
1762
1763 if (tmplen > (filelen - cesc)) {
1764 tmp2 = tmp + filelen - cesc;
1752 len = strlen(tmp2); 1765 len = strlen(tmp2);
1753 /* quote argument on way out */ 1766 /* quote argument on way out */
1754 for (i = 0; i < len; i++) { 1767 for (i = 0; i < len; i++) {
@@ -1762,6 +1775,8 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1762 case '\t': 1775 case '\t':
1763 case '[': 1776 case '[':
1764 case ' ': 1777 case ' ':
1778 case '#':
1779 case '*':
1765 if (quote == '\0' || tmp2[i] == quote) { 1780 if (quote == '\0' || tmp2[i] == quote) {
1766 if (el_insertstr(el, ins) == -1) 1781 if (el_insertstr(el, ins) == -1)
1767 fatal("el_insertstr " 1782 fatal("el_insertstr "
@@ -1917,6 +1932,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
1917 return (-1); 1932 return (-1);
1918 } 1933 }
1919 } else { 1934 } else {
1935 /* XXX this is wrong wrt quoting */
1920 if (file2 == NULL) 1936 if (file2 == NULL)
1921 snprintf(cmd, sizeof cmd, "get %s", dir); 1937 snprintf(cmd, sizeof cmd, "get %s", dir);
1922 else 1938 else
diff --git a/ssh-add.0 b/ssh-add.0
index 2ed59c10e..ed43dc8cc 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -37,16 +37,17 @@ DESCRIPTION
37 37
38 -d Instead of adding identities, removes identities from the agent. 38 -d Instead of adding identities, removes identities from the agent.
39 If ssh-add has been run without arguments, the keys for the 39 If ssh-add has been run without arguments, the keys for the
40 default identities will be removed. Otherwise, the argument list 40 default identities and their corresponding certificates will be
41 will be interpreted as a list of paths to public key files and 41 removed. Otherwise, the argument list will be interpreted as a
42 matching keys will be removed from the agent. If no public key 42 list of paths to public key files to specify keys and
43 is found at a given path, ssh-add will append .pub and retry. 43 certificates to be removed from the agent. If no public key is
44 found at a given path, ssh-add will append .pub and retry.
44 45
45 -e pkcs11 46 -e pkcs11
46 Remove keys provided by the PKCS#11 shared library pkcs11. 47 Remove keys provided by the PKCS#11 shared library pkcs11.
47 48
48 -k When loading keys into the agent, load plain private keys only 49 -k When loading keys into or deleting keys from the agent, process
49 and skip certificates. 50 plain private keys only and skip certificates.
50 51
51 -L Lists public key parameters of all identities currently 52 -L Lists public key parameters of all identities currently
52 represented by the agent. 53 represented by the agent.
@@ -115,4 +116,4 @@ AUTHORS
115 created OpenSSH. Markus Friedl contributed the support for SSH protocol 116 created OpenSSH. Markus Friedl contributed the support for SSH protocol
116 versions 1.5 and 2.0. 117 versions 1.5 and 2.0.
117 118
118OpenBSD 5.2 October 18, 2011 OpenBSD 5.2 119OpenBSD 5.3 December 3, 2012 OpenBSD 5.3
diff --git a/ssh-add.1 b/ssh-add.1
index aec620dea..44846b67e 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $ 1.\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: October 18 2011 $ 38.Dd $Mdocdate: December 3 2012 $
39.Dt SSH-ADD 1 39.Dt SSH-ADD 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -98,10 +98,10 @@ Deletes all identities from the agent.
98Instead of adding identities, removes identities from the agent. 98Instead of adding identities, removes identities from the agent.
99If 99If
100.Nm 100.Nm
101has been run without arguments, the keys for the default identities will 101has been run without arguments, the keys for the default identities and
102be removed. 102their corresponding certificates will be removed.
103Otherwise, the argument list will be interpreted as a list of paths to 103Otherwise, the argument list will be interpreted as a list of paths to
104public key files and matching keys will be removed from the agent. 104public key files to specify keys and certificates to be removed from the agent.
105If no public key is found at a given path, 105If no public key is found at a given path,
106.Nm 106.Nm
107will append 107will append
@@ -111,8 +111,8 @@ and retry.
111Remove keys provided by the PKCS#11 shared library 111Remove keys provided by the PKCS#11 shared library
112.Ar pkcs11 . 112.Ar pkcs11 .
113.It Fl k 113.It Fl k
114When loading keys into the agent, load plain private keys only and skip 114When loading keys into or deleting keys from the agent, process plain private
115certificates. 115keys only and skip certificates.
116.It Fl L 116.It Fl L
117Lists public key parameters of all identities currently represented 117Lists public key parameters of all identities currently represented
118by the agent. 118by the agent.
diff --git a/ssh-add.c b/ssh-add.c
index 738644d27..008084704 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */ 1/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -96,10 +96,10 @@ clear_pass(void)
96} 96}
97 97
98static int 98static int
99delete_file(AuthenticationConnection *ac, const char *filename) 99delete_file(AuthenticationConnection *ac, const char *filename, int key_only)
100{ 100{
101 Key *public; 101 Key *public = NULL, *cert = NULL;
102 char *comment = NULL; 102 char *certpath = NULL, *comment = NULL;
103 int ret = -1; 103 int ret = -1;
104 104
105 public = key_load_public(filename, &comment); 105 public = key_load_public(filename, &comment);
@@ -113,8 +113,33 @@ delete_file(AuthenticationConnection *ac, const char *filename)
113 } else 113 } else
114 fprintf(stderr, "Could not remove identity: %s\n", filename); 114 fprintf(stderr, "Could not remove identity: %s\n", filename);
115 115
116 key_free(public); 116 if (key_only)
117 xfree(comment); 117 goto out;
118
119 /* Now try to delete the corresponding certificate too */
120 free(comment);
121 comment = NULL;
122 xasprintf(&certpath, "%s-cert.pub", filename);
123 if ((cert = key_load_public(certpath, &comment)) == NULL)
124 goto out;
125 if (!key_equal_public(cert, public))
126 fatal("Certificate %s does not match private key %s",
127 certpath, filename);
128
129 if (ssh_remove_identity(ac, cert)) {
130 fprintf(stderr, "Identity removed: %s (%s)\n", certpath,
131 comment);
132 ret = 0;
133 } else
134 fprintf(stderr, "Could not remove identity: %s\n", certpath);
135
136 out:
137 if (cert != NULL)
138 key_free(cert);
139 if (public != NULL)
140 key_free(public);
141 free(certpath);
142 free(comment);
118 143
119 return ret; 144 return ret;
120} 145}
@@ -354,7 +379,7 @@ static int
354do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) 379do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file)
355{ 380{
356 if (deleting) { 381 if (deleting) {
357 if (delete_file(ac, file) == -1) 382 if (delete_file(ac, file, key_only) == -1)
358 return -1; 383 return -1;
359 } else { 384 } else {
360 if (add_file(ac, file, key_only) == -1) 385 if (add_file(ac, file, key_only) == -1)
diff --git a/ssh-agent.0 b/ssh-agent.0
index 77930ce42..578984815 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -120,4 +120,4 @@ AUTHORS
120 created OpenSSH. Markus Friedl contributed the support for SSH protocol 120 created OpenSSH. Markus Friedl contributed the support for SSH protocol
121 versions 1.5 and 2.0. 121 versions 1.5 and 2.0.
122 122
123OpenBSD 5.2 November 21, 2010 OpenBSD 5.2 123OpenBSD 5.3 November 21, 2010 OpenBSD 5.3
diff --git a/ssh-gss.h b/ssh-gss.h
index 31d5a0835..bc6e8f946 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -42,12 +42,13 @@
42# include <gssapi/gssapi_generic.h> 42# include <gssapi/gssapi_generic.h>
43# endif 43# endif
44 44
45/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ 45/* Old MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
46 46
47#ifndef GSS_C_NT_HOSTBASED_SERVICE 47# if !HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
48#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name 48# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
49#endif /* GSS_C_NT_... */ 49# endif /* !HAVE_DECL_GSS_C_NT_... */
50#endif /* !HEIMDAL */ 50
51# endif /* !HEIMDAL */
51#endif /* KRB5 */ 52#endif /* KRB5 */
52 53
53/* draft-ietf-secsh-gsskeyex-06 */ 54/* draft-ietf-secsh-gsskeyex-06 */
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 8f9fbd179..3c7a64753 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -25,6 +25,9 @@ SYNOPSIS
25 [-O option] [-V validity_interval] [-z serial_number] file ... 25 [-O option] [-V validity_interval] [-z serial_number] file ...
26 ssh-keygen -L [-f input_keyfile] 26 ssh-keygen -L [-f input_keyfile]
27 ssh-keygen -A 27 ssh-keygen -A
28 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
29 file ...
30 ssh-keygen -Q -f krl_file file ...
28 31
29DESCRIPTION 32DESCRIPTION
30 ssh-keygen generates, manages and converts authentication keys for 33 ssh-keygen generates, manages and converts authentication keys for
@@ -37,6 +40,10 @@ DESCRIPTION
37 ssh-keygen is also used to generate groups for use in Diffie-Hellman 40 ssh-keygen is also used to generate groups for use in Diffie-Hellman
38 group exchange (DH-GEX). See the MODULI GENERATION section for details. 41 group exchange (DH-GEX). See the MODULI GENERATION section for details.
39 42
43 Finally, ssh-keygen can be used to generate and update Key Revocation
44 Lists, and to test whether given keys have been revoked by one. See the
45 KEY REVOCATION LISTS section for details.
46
40 Normally each user wishing to use SSH with public key authentication runs 47 Normally each user wishing to use SSH with public key authentication runs
41 this once to create the authentication key in ~/.ssh/identity, 48 this once to create the authentication key in ~/.ssh/identity,
42 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the 49 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the
@@ -167,6 +174,13 @@ DESCRIPTION
167 keys from other software, including several commercial SSH 174 keys from other software, including several commercial SSH
168 implementations. The default import format is ``RFC4716''. 175 implementations. The default import format is ``RFC4716''.
169 176
177 -k Generate a KRL file. In this mode, ssh-keygen will generate a
178 KRL file at the location specified via the -f flag that revokes
179 every key or certificate presented on the command line.
180 Keys/certificates to be revoked may be specified by public key
181 file or using the format described in the KEY REVOCATION LISTS
182 section.
183
170 -L Prints the contents of a certificate. 184 -L Prints the contents of a certificate.
171 185
172 -l Show fingerprint of specified public key file. Private RSA1 keys 186 -l Show fingerprint of specified public key file. Private RSA1 keys
@@ -256,6 +270,8 @@ DESCRIPTION
256 containing the private key, for the old passphrase, and twice for 270 containing the private key, for the old passphrase, and twice for
257 the new passphrase. 271 the new passphrase.
258 272
273 -Q Test whether keys have been revoked in a KRL.
274
259 -q Silence ssh-keygen. 275 -q Silence ssh-keygen.
260 276
261 -R hostname 277 -R hostname
@@ -275,6 +291,10 @@ DESCRIPTION
275 Certify (sign) a public key using the specified CA key. Please 291 Certify (sign) a public key using the specified CA key. Please
276 see the CERTIFICATES section for details. 292 see the CERTIFICATES section for details.
277 293
294 When generating a KRL, -s specifies a path to a CA public key
295 file used to revoke certificates directly by key ID or serial
296 number. See the KEY REVOCATION LISTS section for details.
297
278 -T output_file 298 -T output_file
279 Test DH group exchange candidate primes (generated using the -G 299 Test DH group exchange candidate primes (generated using the -G
280 option) for safety. 300 option) for safety.
@@ -284,6 +304,10 @@ DESCRIPTION
284 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' 304 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa''
285 for protocol version 2. 305 for protocol version 2.
286 306
307 -u Update a KRL. When specified with -k, keys listed via the
308 command line are added to the existing KRL rather than a new KRL
309 being created.
310
287 -V validity_interval 311 -V validity_interval
288 Specify a validity interval when signing a certificate. A 312 Specify a validity interval when signing a certificate. A
289 validity interval may consist of a single time, indicating that 313 validity interval may consist of a single time, indicating that
@@ -321,6 +345,9 @@ DESCRIPTION
321 distinguish this certificate from others from the same CA. The 345 distinguish this certificate from others from the same CA. The
322 default serial number is zero. 346 default serial number is zero.
323 347
348 When generating a KRL, the -z flag is used to specify a KRL
349 version number.
350
324MODULI GENERATION 351MODULI GENERATION
325 ssh-keygen may be used to generate groups for the Diffie-Hellman Group 352 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
326 Exchange (DH-GEX) protocol. Generating these groups is a two-step 353 Exchange (DH-GEX) protocol. Generating these groups is a two-step
@@ -404,13 +431,64 @@ CERTIFICATES
404 Finally, certificates may be defined with a validity lifetime. The -V 431 Finally, certificates may be defined with a validity lifetime. The -V
405 option allows specification of certificate start and end times. A 432 option allows specification of certificate start and end times. A
406 certificate that is presented at a time outside this range will not be 433 certificate that is presented at a time outside this range will not be
407 considered valid. By default, certificates have a maximum validity 434 considered valid. By default, certificates are valid from UNIX Epoch to
408 interval. 435 the distant future.
409 436
410 For certificates to be used for user or host authentication, the CA 437 For certificates to be used for user or host authentication, the CA
411 public key must be trusted by sshd(8) or ssh(1). Please refer to those 438 public key must be trusted by sshd(8) or ssh(1). Please refer to those
412 manual pages for details. 439 manual pages for details.
413 440
441KEY REVOCATION LISTS
442 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
443 These binary files specify keys or certificates to be revoked using a
444 compact format, taking as little a one bit per certificate if they are
445 being revoked by serial number.
446
447 KRLs may be generated using the -k flag. This option reads one or more
448 files from the command line and generates a new KRL. The files may
449 either contain a KRL specification (see below) or public keys, listed one
450 per line. Plain public keys are revoked by listing their hash or
451 contents in the KRL and certificates revoked by serial number or key ID
452 (if the serial is zero or not available).
453
454 Revoking keys using a KRL specification offers explicit control over the
455 types of record used to revoke keys and may be used to directly revoke
456 certificates by serial number or key ID without having the complete
457 original certificate on hand. A KRL specification consists of lines
458 containing one of the following directives followed by a colon and some
459 directive-specific information.
460
461 serial: serial_number[-serial_number]
462 Revokes a certificate with the specified serial number. Serial
463 numbers are 64-bit values, not including zero and may be
464 expressed in decimal, hex or octal. If two serial numbers are
465 specified separated by a hyphen, then the range of serial numbers
466 including and between each is revoked. The CA key must have been
467 specified on the ssh-keygen command line using the -s option.
468
469 id: key_id
470 Revokes a certificate with the specified key ID string. The CA
471 key must have been specified on the ssh-keygen command line using
472 the -s option.
473
474 key: public_key
475 Revokes the specified key. If a certificate is listed, then it
476 is revoked as a plain public key.
477
478 sha1: public_key
479 Revokes the specified key by its SHA1 hash.
480
481 KRLs may be updated using the -u flag in addition to -k. When this
482 option is specified, keys listed via the command line are merged into the
483 KRL, adding to those already there.
484
485 It is also possible, given a KRL, to test whether it revokes a particular
486 key (or keys). The -Q flag will query an existing KRL, testing each key
487 specified on the commandline. If any key listed on the command line has
488 been revoked (or an error encountered) then ssh-keygen will exit with a
489 non-zero exit status. A zero exit status will only be returned if no key
490 was revoked.
491
414FILES 492FILES
415 ~/.ssh/identity 493 ~/.ssh/identity
416 Contains the protocol version 1 RSA authentication identity of 494 Contains the protocol version 1 RSA authentication identity of
@@ -465,4 +543,4 @@ AUTHORS
465 created OpenSSH. Markus Friedl contributed the support for SSH protocol 543 created OpenSSH. Markus Friedl contributed the support for SSH protocol
466 versions 1.5 and 2.0. 544 versions 1.5 and 2.0.
467 545
468OpenBSD 5.2 July 6, 2012 OpenBSD 5.2 546OpenBSD 5.3 January 19, 2013 OpenBSD 5.3
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 03f927edf..7da73e07c 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: July 6 2012 $ 38.Dd $Mdocdate: January 19 2013 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -122,6 +122,17 @@
122.Op Fl f Ar input_keyfile 122.Op Fl f Ar input_keyfile
123.Nm ssh-keygen 123.Nm ssh-keygen
124.Fl A 124.Fl A
125.Nm ssh-keygen
126.Fl k
127.Fl f Ar krl_file
128.Op Fl u
129.Op Fl s Ar ca_public
130.Op Fl z Ar version_number
131.Ar
132.Nm ssh-keygen
133.Fl Q
134.Fl f Ar krl_file
135.Ar
125.Ek 136.Ek
126.Sh DESCRIPTION 137.Sh DESCRIPTION
127.Nm 138.Nm
@@ -144,6 +155,14 @@ See the
144.Sx MODULI GENERATION 155.Sx MODULI GENERATION
145section for details. 156section for details.
146.Pp 157.Pp
158Finally,
159.Nm
160can be used to generate and update Key Revocation Lists, and to test whether
161given keys have been revoked by one.
162See the
163.Sx KEY REVOCATION LISTS
164section for details.
165.Pp
147Normally each user wishing to use SSH 166Normally each user wishing to use SSH
148with public key authentication runs this once to create the authentication 167with public key authentication runs this once to create the authentication
149key in 168key in
@@ -321,6 +340,17 @@ This option allows importing keys from other software, including several
321commercial SSH implementations. 340commercial SSH implementations.
322The default import format is 341The default import format is
323.Dq RFC4716 . 342.Dq RFC4716 .
343.It Fl k
344Generate a KRL file.
345In this mode,
346.Nm
347will generate a KRL file at the location specified via the
348.Fl f
349flag that revokes every key or certificate presented on the command line.
350Keys/certificates to be revoked may be specified by public key file or
351using the format described in the
352.Sx KEY REVOCATION LISTS
353section.
324.It Fl L 354.It Fl L
325Prints the contents of a certificate. 355Prints the contents of a certificate.
326.It Fl l 356.It Fl l
@@ -425,6 +455,8 @@ creating a new private key.
425The program will prompt for the file 455The program will prompt for the file
426containing the private key, for the old passphrase, and twice for the 456containing the private key, for the old passphrase, and twice for the
427new passphrase. 457new passphrase.
458.It Fl Q
459Test whether keys have been revoked in a KRL.
428.It Fl q 460.It Fl q
429Silence 461Silence
430.Nm ssh-keygen . 462.Nm ssh-keygen .
@@ -448,6 +480,14 @@ Certify (sign) a public key using the specified CA key.
448Please see the 480Please see the
449.Sx CERTIFICATES 481.Sx CERTIFICATES
450section for details. 482section for details.
483.Pp
484When generating a KRL,
485.Fl s
486specifies a path to a CA public key file used to revoke certificates directly
487by key ID or serial number.
488See the
489.Sx KEY REVOCATION LISTS
490section for details.
451.It Fl T Ar output_file 491.It Fl T Ar output_file
452Test DH group exchange candidate primes (generated using the 492Test DH group exchange candidate primes (generated using the
453.Fl G 493.Fl G
@@ -462,6 +502,12 @@ for protocol version 1 and
462or 502or
463.Dq rsa 503.Dq rsa
464for protocol version 2. 504for protocol version 2.
505.It Fl u
506Update a KRL.
507When specified with
508.Fl k ,
509keys listed via the command line are added to the existing KRL rather than
510a new KRL being created.
465.It Fl V Ar validity_interval 511.It Fl V Ar validity_interval
466Specify a validity interval when signing a certificate. 512Specify a validity interval when signing a certificate.
467A validity interval may consist of a single time, indicating that the 513A validity interval may consist of a single time, indicating that the
@@ -504,6 +550,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
504Specifies a serial number to be embedded in the certificate to distinguish 550Specifies a serial number to be embedded in the certificate to distinguish
505this certificate from others from the same CA. 551this certificate from others from the same CA.
506The default serial number is zero. 552The default serial number is zero.
553.Pp
554When generating a KRL, the
555.Fl z
556flag is used to specify a KRL version number.
507.El 557.El
508.Sh MODULI GENERATION 558.Sh MODULI GENERATION
509.Nm 559.Nm
@@ -628,7 +678,9 @@ The
628option allows specification of certificate start and end times. 678option allows specification of certificate start and end times.
629A certificate that is presented at a time outside this range will not be 679A certificate that is presented at a time outside this range will not be
630considered valid. 680considered valid.
631By default, certificates have a maximum validity interval. 681By default, certificates are valid from
682.Ux
683Epoch to the distant future.
632.Pp 684.Pp
633For certificates to be used for user or host authentication, the CA 685For certificates to be used for user or host authentication, the CA
634public key must be trusted by 686public key must be trusted by
@@ -636,6 +688,73 @@ public key must be trusted by
636or 688or
637.Xr ssh 1 . 689.Xr ssh 1 .
638Please refer to those manual pages for details. 690Please refer to those manual pages for details.
691.Sh KEY REVOCATION LISTS
692.Nm
693is able to manage OpenSSH format Key Revocation Lists (KRLs).
694These binary files specify keys or certificates to be revoked using a
695compact format, taking as little a one bit per certificate if they are being
696revoked by serial number.
697.Pp
698KRLs may be generated using the
699.Fl k
700flag.
701This option reads one or more files from the command line and generates a new
702KRL.
703The files may either contain a KRL specification (see below) or public keys,
704listed one per line.
705Plain public keys are revoked by listing their hash or contents in the KRL and
706certificates revoked by serial number or key ID (if the serial is zero or
707not available).
708.Pp
709Revoking keys using a KRL specification offers explicit control over the
710types of record used to revoke keys and may be used to directly revoke
711certificates by serial number or key ID without having the complete original
712certificate on hand.
713A KRL specification consists of lines containing one of the following directives
714followed by a colon and some directive-specific information.
715.Bl -tag -width Ds
716.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
717Revokes a certificate with the specified serial number.
718Serial numbers are 64-bit values, not including zero and may be expressed
719in decimal, hex or octal.
720If two serial numbers are specified separated by a hyphen, then the range
721of serial numbers including and between each is revoked.
722The CA key must have been specified on the
723.Nm
724command line using the
725.Fl s
726option.
727.It Cm id : Ar key_id
728Revokes a certificate with the specified key ID string.
729The CA key must have been specified on the
730.Nm
731command line using the
732.Fl s
733option.
734.It Cm key : Ar public_key
735Revokes the specified key.
736If a certificate is listed, then it is revoked as a plain public key.
737.It Cm sha1 : Ar public_key
738Revokes the specified key by its SHA1 hash.
739.El
740.Pp
741KRLs may be updated using the
742.Fl u
743flag in addition to
744.Fl k .
745When this option is specified, keys listed via the command line are merged into
746the KRL, adding to those already there.
747.Pp
748It is also possible, given a KRL, to test whether it revokes a particular key
749(or keys).
750The
751.Fl Q
752flag will query an existing KRL, testing each key specified on the commandline.
753If any key listed on the command line has been revoked (or an error encountered)
754then
755.Nm
756will exit with a non-zero exit status.
757A zero exit status will only be returned if no key was revoked.
639.Sh FILES 758.Sh FILES
640.Bl -tag -width Ds -compact 759.Bl -tag -width Ds -compact
641.It Pa ~/.ssh/identity 760.It Pa ~/.ssh/identity
diff --git a/ssh-keygen.c b/ssh-keygen.c
index a223ddc81..d1a205e18 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.216 2012/07/06 06:38:03 jmc Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -48,8 +48,11 @@
48#include "match.h" 48#include "match.h"
49#include "hostfile.h" 49#include "hostfile.h"
50#include "dns.h" 50#include "dns.h"
51#include "ssh.h"
51#include "ssh2.h" 52#include "ssh2.h"
52#include "ssh-pkcs11.h" 53#include "ssh-pkcs11.h"
54#include "atomicio.h"
55#include "krl.h"
53 56
54/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ 57/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
55#define DEFAULT_BITS 2048 58#define DEFAULT_BITS 2048
@@ -104,7 +107,7 @@ char *identity_comment = NULL;
104char *ca_key_path = NULL; 107char *ca_key_path = NULL;
105 108
106/* Certificate serial number */ 109/* Certificate serial number */
107long long cert_serial = 0; 110unsigned long long cert_serial = 0;
108 111
109/* Key type when certifying */ 112/* Key type when certifying */
110u_int cert_key_type = SSH2_CERT_TYPE_USER; 113u_int cert_key_type = SSH2_CERT_TYPE_USER;
@@ -723,15 +726,33 @@ do_download(struct passwd *pw)
723#ifdef ENABLE_PKCS11 726#ifdef ENABLE_PKCS11
724 Key **keys = NULL; 727 Key **keys = NULL;
725 int i, nkeys; 728 int i, nkeys;
729 enum fp_rep rep;
730 enum fp_type fptype;
731 char *fp, *ra;
732
733 fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
734 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
726 735
727 pkcs11_init(0); 736 pkcs11_init(0);
728 nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); 737 nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
729 if (nkeys <= 0) 738 if (nkeys <= 0)
730 fatal("cannot read public key from pkcs11"); 739 fatal("cannot read public key from pkcs11");
731 for (i = 0; i < nkeys; i++) { 740 for (i = 0; i < nkeys; i++) {
732 key_write(keys[i], stdout); 741 if (print_fingerprint) {
742 fp = key_fingerprint(keys[i], fptype, rep);
743 ra = key_fingerprint(keys[i], SSH_FP_MD5,
744 SSH_FP_RANDOMART);
745 printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
746 fp, key_type(keys[i]));
747 if (log_level >= SYSLOG_LEVEL_VERBOSE)
748 printf("%s\n", ra);
749 xfree(ra);
750 xfree(fp);
751 } else {
752 key_write(keys[i], stdout);
753 fprintf(stdout, "\n");
754 }
733 key_free(keys[i]); 755 key_free(keys[i]);
734 fprintf(stdout, "\n");
735 } 756 }
736 xfree(keys); 757 xfree(keys);
737 pkcs11_terminate(); 758 pkcs11_terminate();
@@ -1088,8 +1109,14 @@ do_known_hosts(struct passwd *pw, const char *name)
1088 ca ? " (CA key)" : ""); 1109 ca ? " (CA key)" : "");
1089 printhost(out, cp, pub, ca, 0); 1110 printhost(out, cp, pub, ca, 0);
1090 } 1111 }
1091 if (delete_host && !c && !ca) 1112 if (delete_host) {
1092 printhost(out, cp, pub, ca, 0); 1113 if (!c && !ca)
1114 printhost(out, cp, pub, ca, 0);
1115 else
1116 printf("# Host %s found: "
1117 "line %d type %s\n", name,
1118 num, key_type(pub));
1119 }
1093 } else if (hash_hosts) 1120 } else if (hash_hosts)
1094 printhost(out, cp, pub, ca, 0); 1121 printhost(out, cp, pub, ca, 0);
1095 } else { 1122 } else {
@@ -1104,8 +1131,14 @@ do_known_hosts(struct passwd *pw, const char *name)
1104 printhost(out, name, pub, 1131 printhost(out, name, pub,
1105 ca, hash_hosts && !ca); 1132 ca, hash_hosts && !ca);
1106 } 1133 }
1107 if (delete_host && !c && !ca) 1134 if (delete_host) {
1108 printhost(out, cp, pub, ca, 0); 1135 if (!c && !ca)
1136 printhost(out, cp, pub, ca, 0);
1137 else
1138 printf("# Host %s found: "
1139 "line %d type %s\n", name,
1140 num, key_type(pub));
1141 }
1109 } else if (hash_hosts) { 1142 } else if (hash_hosts) {
1110 for (cp2 = strsep(&cp, ","); 1143 for (cp2 = strsep(&cp, ",");
1111 cp2 != NULL && *cp2 != '\0'; 1144 cp2 != NULL && *cp2 != '\0';
@@ -1867,6 +1900,226 @@ do_show_cert(struct passwd *pw)
1867} 1900}
1868 1901
1869static void 1902static void
1903load_krl(const char *path, struct ssh_krl **krlp)
1904{
1905 Buffer krlbuf;
1906 int fd;
1907
1908 buffer_init(&krlbuf);
1909 if ((fd = open(path, O_RDONLY)) == -1)
1910 fatal("open %s: %s", path, strerror(errno));
1911 if (!key_load_file(fd, path, &krlbuf))
1912 fatal("Unable to load KRL");
1913 close(fd);
1914 /* XXX check sigs */
1915 if (ssh_krl_from_blob(&krlbuf, krlp, NULL, 0) != 0 ||
1916 *krlp == NULL)
1917 fatal("Invalid KRL file");
1918 buffer_free(&krlbuf);
1919}
1920
1921static void
1922update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
1923 struct ssh_krl *krl)
1924{
1925 Key *key = NULL;
1926 u_long lnum = 0;
1927 char *path, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];
1928 unsigned long long serial, serial2;
1929 int i, was_explicit_key, was_sha1, r;
1930 FILE *krl_spec;
1931
1932 path = tilde_expand_filename(file, pw->pw_uid);
1933 if (strcmp(path, "-") == 0) {
1934 krl_spec = stdin;
1935 free(path);
1936 path = xstrdup("(standard input)");
1937 } else if ((krl_spec = fopen(path, "r")) == NULL)
1938 fatal("fopen %s: %s", path, strerror(errno));
1939
1940 if (!quiet)
1941 printf("Revoking from %s\n", path);
1942 while (read_keyfile_line(krl_spec, path, line, sizeof(line),
1943 &lnum) == 0) {
1944 was_explicit_key = was_sha1 = 0;
1945 cp = line + strspn(line, " \t");
1946 /* Trim trailing space, comments and strip \n */
1947 for (i = 0, r = -1; cp[i] != '\0'; i++) {
1948 if (cp[i] == '#' || cp[i] == '\n') {
1949 cp[i] = '\0';
1950 break;
1951 }
1952 if (cp[i] == ' ' || cp[i] == '\t') {
1953 /* Remember the start of a span of whitespace */
1954 if (r == -1)
1955 r = i;
1956 } else
1957 r = -1;
1958 }
1959 if (r != -1)
1960 cp[r] = '\0';
1961 if (*cp == '\0')
1962 continue;
1963 if (strncasecmp(cp, "serial:", 7) == 0) {
1964 if (ca == NULL) {
1965 fatal("revoking certificated by serial number "
1966 "requires specification of a CA key");
1967 }
1968 cp += 7;
1969 cp = cp + strspn(cp, " \t");
1970 errno = 0;
1971 serial = strtoull(cp, &ep, 0);
1972 if (*cp == '\0' || (*ep != '\0' && *ep != '-'))
1973 fatal("%s:%lu: invalid serial \"%s\"",
1974 path, lnum, cp);
1975 if (errno == ERANGE && serial == ULLONG_MAX)
1976 fatal("%s:%lu: serial out of range",
1977 path, lnum);
1978 serial2 = serial;
1979 if (*ep == '-') {
1980 cp = ep + 1;
1981 errno = 0;
1982 serial2 = strtoull(cp, &ep, 0);
1983 if (*cp == '\0' || *ep != '\0')
1984 fatal("%s:%lu: invalid serial \"%s\"",
1985 path, lnum, cp);
1986 if (errno == ERANGE && serial2 == ULLONG_MAX)
1987 fatal("%s:%lu: serial out of range",
1988 path, lnum);
1989 if (serial2 <= serial)
1990 fatal("%s:%lu: invalid serial range "
1991 "%llu:%llu", path, lnum,
1992 (unsigned long long)serial,
1993 (unsigned long long)serial2);
1994 }
1995 if (ssh_krl_revoke_cert_by_serial_range(krl,
1996 ca, serial, serial2) != 0) {
1997 fatal("%s: revoke serial failed",
1998 __func__);
1999 }
2000 } else if (strncasecmp(cp, "id:", 3) == 0) {
2001 if (ca == NULL) {
2002 fatal("revoking certificated by key ID "
2003 "requires specification of a CA key");
2004 }
2005 cp += 3;
2006 cp = cp + strspn(cp, " \t");
2007 if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0)
2008 fatal("%s: revoke key ID failed", __func__);
2009 } else {
2010 if (strncasecmp(cp, "key:", 4) == 0) {
2011 cp += 4;
2012 cp = cp + strspn(cp, " \t");
2013 was_explicit_key = 1;
2014 } else if (strncasecmp(cp, "sha1:", 5) == 0) {
2015 cp += 5;
2016 cp = cp + strspn(cp, " \t");
2017 was_sha1 = 1;
2018 } else {
2019 /*
2020 * Just try to process the line as a key.
2021 * Parsing will fail if it isn't.
2022 */
2023 }
2024 if ((key = key_new(KEY_UNSPEC)) == NULL)
2025 fatal("key_new");
2026 if (key_read(key, &cp) != 1)
2027 fatal("%s:%lu: invalid key", path, lnum);
2028 if (was_explicit_key)
2029 r = ssh_krl_revoke_key_explicit(krl, key);
2030 else if (was_sha1)
2031 r = ssh_krl_revoke_key_sha1(krl, key);
2032 else
2033 r = ssh_krl_revoke_key(krl, key);
2034 if (r != 0)
2035 fatal("%s: revoke key failed", __func__);
2036 key_free(key);
2037 }
2038 }
2039 if (strcmp(path, "-") != 0)
2040 fclose(krl_spec);
2041}
2042
2043static void
2044do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
2045{
2046 struct ssh_krl *krl;
2047 struct stat sb;
2048 Key *ca = NULL;
2049 int fd, i;
2050 char *tmp;
2051 Buffer kbuf;
2052
2053 if (*identity_file == '\0')
2054 fatal("KRL generation requires an output file");
2055 if (stat(identity_file, &sb) == -1) {
2056 if (errno != ENOENT)
2057 fatal("Cannot access KRL \"%s\": %s",
2058 identity_file, strerror(errno));
2059 if (updating)
2060 fatal("KRL \"%s\" does not exist", identity_file);
2061 }
2062 if (ca_key_path != NULL) {
2063 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
2064 if ((ca = key_load_public(tmp, NULL)) == NULL)
2065 fatal("Cannot load CA public key %s", tmp);
2066 xfree(tmp);
2067 }
2068
2069 if (updating)
2070 load_krl(identity_file, &krl);
2071 else if ((krl = ssh_krl_init()) == NULL)
2072 fatal("couldn't create KRL");
2073
2074 if (cert_serial != 0)
2075 ssh_krl_set_version(krl, cert_serial);
2076 if (identity_comment != NULL)
2077 ssh_krl_set_comment(krl, identity_comment);
2078
2079 for (i = 0; i < argc; i++)
2080 update_krl_from_file(pw, argv[i], ca, krl);
2081
2082 buffer_init(&kbuf);
2083 if (ssh_krl_to_blob(krl, &kbuf, NULL, 0) != 0)
2084 fatal("Couldn't generate KRL");
2085 if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
2086 fatal("open %s: %s", identity_file, strerror(errno));
2087 if (atomicio(vwrite, fd, buffer_ptr(&kbuf), buffer_len(&kbuf)) !=
2088 buffer_len(&kbuf))
2089 fatal("write %s: %s", identity_file, strerror(errno));
2090 close(fd);
2091 buffer_free(&kbuf);
2092 ssh_krl_free(krl);
2093}
2094
2095static void
2096do_check_krl(struct passwd *pw, int argc, char **argv)
2097{
2098 int i, r, ret = 0;
2099 char *comment;
2100 struct ssh_krl *krl;
2101 Key *k;
2102
2103 if (*identity_file == '\0')
2104 fatal("KRL checking requires an input file");
2105 load_krl(identity_file, &krl);
2106 for (i = 0; i < argc; i++) {
2107 if ((k = key_load_public(argv[i], &comment)) == NULL)
2108 fatal("Cannot load public key %s", argv[i]);
2109 r = ssh_krl_check_key(krl, k);
2110 printf("%s%s%s%s: %s\n", argv[i],
2111 *comment ? " (" : "", comment, *comment ? ")" : "",
2112 r == 0 ? "ok" : "REVOKED");
2113 if (r != 0)
2114 ret = 1;
2115 key_free(k);
2116 free(comment);
2117 }
2118 ssh_krl_free(krl);
2119 exit(ret);
2120}
2121
2122static void
1870usage(void) 2123usage(void)
1871{ 2124{
1872 fprintf(stderr, "usage: %s [options]\n", __progname); 2125 fprintf(stderr, "usage: %s [options]\n", __progname);
@@ -1892,6 +2145,7 @@ usage(void)
1892 fprintf(stderr, " -J number Screen this number of moduli lines.\n"); 2145 fprintf(stderr, " -J number Screen this number of moduli lines.\n");
1893 fprintf(stderr, " -j number Start screening moduli at specified line.\n"); 2146 fprintf(stderr, " -j number Start screening moduli at specified line.\n");
1894 fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); 2147 fprintf(stderr, " -K checkpt Write checkpoints to this file.\n");
2148 fprintf(stderr, " -k Generate a KRL file.\n");
1895 fprintf(stderr, " -L Print the contents of a certificate.\n"); 2149 fprintf(stderr, " -L Print the contents of a certificate.\n");
1896 fprintf(stderr, " -l Show fingerprint of key file.\n"); 2150 fprintf(stderr, " -l Show fingerprint of key file.\n");
1897 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); 2151 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
@@ -1901,6 +2155,7 @@ usage(void)
1901 fprintf(stderr, " -O option Specify a certificate option.\n"); 2155 fprintf(stderr, " -O option Specify a certificate option.\n");
1902 fprintf(stderr, " -P phrase Provide old passphrase.\n"); 2156 fprintf(stderr, " -P phrase Provide old passphrase.\n");
1903 fprintf(stderr, " -p Change passphrase of private key file.\n"); 2157 fprintf(stderr, " -p Change passphrase of private key file.\n");
2158 fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n");
1904 fprintf(stderr, " -q Quiet.\n"); 2159 fprintf(stderr, " -q Quiet.\n");
1905 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); 2160 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
1906 fprintf(stderr, " -r hostname Print DNS resource record.\n"); 2161 fprintf(stderr, " -r hostname Print DNS resource record.\n");
@@ -1908,6 +2163,7 @@ usage(void)
1908 fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); 2163 fprintf(stderr, " -s ca_key Certify keys with CA key.\n");
1909 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); 2164 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
1910 fprintf(stderr, " -t type Specify type of key to create.\n"); 2165 fprintf(stderr, " -t type Specify type of key to create.\n");
2166 fprintf(stderr, " -u Update KRL rather than creating a new one.\n");
1911 fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); 2167 fprintf(stderr, " -V from:to Specify certificate validity interval.\n");
1912 fprintf(stderr, " -v Verbose.\n"); 2168 fprintf(stderr, " -v Verbose.\n");
1913 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); 2169 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
@@ -1925,14 +2181,14 @@ main(int argc, char **argv)
1925{ 2181{
1926 char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; 2182 char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
1927 char *checkpoint = NULL; 2183 char *checkpoint = NULL;
1928 char out_file[MAXPATHLEN], *rr_hostname = NULL; 2184 char out_file[MAXPATHLEN], *ep, *rr_hostname = NULL;
1929 Key *private, *public; 2185 Key *private, *public;
1930 struct passwd *pw; 2186 struct passwd *pw;
1931 struct stat st; 2187 struct stat st;
1932 int opt, type, fd; 2188 int opt, type, fd;
1933 u_int32_t memory = 0, generator_wanted = 0, trials = 100; 2189 u_int32_t memory = 0, generator_wanted = 0, trials = 100;
1934 int do_gen_candidates = 0, do_screen_candidates = 0; 2190 int do_gen_candidates = 0, do_screen_candidates = 0;
1935 int gen_all_hostkeys = 0; 2191 int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
1936 unsigned long start_lineno = 0, lines_to_process = 0; 2192 unsigned long start_lineno = 0, lines_to_process = 0;
1937 BIGNUM *start = NULL; 2193 BIGNUM *start = NULL;
1938 FILE *f; 2194 FILE *f;
@@ -1962,8 +2218,8 @@ main(int argc, char **argv)
1962 exit(1); 2218 exit(1);
1963 } 2219 }
1964 2220
1965 while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:" 2221 while ((opt = getopt(argc, argv, "ABHLQXceghiklpquvxy"
1966 "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z")) != -1) { 2222 "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
1967 switch (opt) { 2223 switch (opt) {
1968 case 'A': 2224 case 'A':
1969 gen_all_hostkeys = 1; 2225 gen_all_hostkeys = 1;
@@ -2042,6 +2298,9 @@ main(int argc, char **argv)
2042 case 'N': 2298 case 'N':
2043 identity_new_passphrase = optarg; 2299 identity_new_passphrase = optarg;
2044 break; 2300 break;
2301 case 'Q':
2302 check_krl = 1;
2303 break;
2045 case 'O': 2304 case 'O':
2046 add_cert_option(optarg); 2305 add_cert_option(optarg);
2047 break; 2306 break;
@@ -2060,6 +2319,9 @@ main(int argc, char **argv)
2060 cert_key_type = SSH2_CERT_TYPE_HOST; 2319 cert_key_type = SSH2_CERT_TYPE_HOST;
2061 certflags_flags = 0; 2320 certflags_flags = 0;
2062 break; 2321 break;
2322 case 'k':
2323 gen_krl = 1;
2324 break;
2063 case 'i': 2325 case 'i':
2064 case 'X': 2326 case 'X':
2065 /* import key */ 2327 /* import key */
@@ -2077,6 +2339,9 @@ main(int argc, char **argv)
2077 case 'D': 2339 case 'D':
2078 pkcs11provider = optarg; 2340 pkcs11provider = optarg;
2079 break; 2341 break;
2342 case 'u':
2343 update_krl = 1;
2344 break;
2080 case 'v': 2345 case 'v':
2081 if (log_level == SYSLOG_LEVEL_INFO) 2346 if (log_level == SYSLOG_LEVEL_INFO)
2082 log_level = SYSLOG_LEVEL_DEBUG1; 2347 log_level = SYSLOG_LEVEL_DEBUG1;
@@ -2133,9 +2398,11 @@ main(int argc, char **argv)
2133 parse_cert_times(optarg); 2398 parse_cert_times(optarg);
2134 break; 2399 break;
2135 case 'z': 2400 case 'z':
2136 cert_serial = strtonum(optarg, 0, LLONG_MAX, &errstr); 2401 errno = 0;
2137 if (errstr) 2402 cert_serial = strtoull(optarg, &ep, 10);
2138 fatal("Invalid serial number: %s", errstr); 2403 if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
2404 (errno == ERANGE && cert_serial == ULLONG_MAX))
2405 fatal("Invalid serial number \"%s\"", optarg);
2139 break; 2406 break;
2140 case '?': 2407 case '?':
2141 default: 2408 default:
@@ -2150,11 +2417,11 @@ main(int argc, char **argv)
2150 argc -= optind; 2417 argc -= optind;
2151 2418
2152 if (ca_key_path != NULL) { 2419 if (ca_key_path != NULL) {
2153 if (argc < 1) { 2420 if (argc < 1 && !gen_krl) {
2154 printf("Too few arguments.\n"); 2421 printf("Too few arguments.\n");
2155 usage(); 2422 usage();
2156 } 2423 }
2157 } else if (argc > 0) { 2424 } else if (argc > 0 && !gen_krl && !check_krl) {
2158 printf("Too many arguments.\n"); 2425 printf("Too many arguments.\n");
2159 usage(); 2426 usage();
2160 } 2427 }
@@ -2163,9 +2430,17 @@ main(int argc, char **argv)
2163 usage(); 2430 usage();
2164 } 2431 }
2165 if (print_fingerprint && (delete_host || hash_hosts)) { 2432 if (print_fingerprint && (delete_host || hash_hosts)) {
2166 printf("Cannot use -l with -D or -R.\n"); 2433 printf("Cannot use -l with -H or -R.\n");
2167 usage(); 2434 usage();
2168 } 2435 }
2436 if (gen_krl) {
2437 do_gen_krl(pw, update_krl, argc, argv);
2438 return (0);
2439 }
2440 if (check_krl) {
2441 do_check_krl(pw, argc, argv);
2442 return (0);
2443 }
2169 if (ca_key_path != NULL) { 2444 if (ca_key_path != NULL) {
2170 if (cert_key_id == NULL) 2445 if (cert_key_id == NULL)
2171 fatal("Must specify key id (-I) when certifying"); 2446 fatal("Must specify key id (-I) when certifying");
@@ -2175,6 +2450,8 @@ main(int argc, char **argv)
2175 do_show_cert(pw); 2450 do_show_cert(pw);
2176 if (delete_host || hash_hosts || find_host) 2451 if (delete_host || hash_hosts || find_host)
2177 do_known_hosts(pw, rr_hostname); 2452 do_known_hosts(pw, rr_hostname);
2453 if (pkcs11provider != NULL)
2454 do_download(pw);
2178 if (print_fingerprint || print_bubblebabble) 2455 if (print_fingerprint || print_bubblebabble)
2179 do_fingerprint(pw); 2456 do_fingerprint(pw);
2180 if (change_passphrase) 2457 if (change_passphrase)
@@ -2212,8 +2489,6 @@ main(int argc, char **argv)
2212 exit(0); 2489 exit(0);
2213 } 2490 }
2214 } 2491 }
2215 if (pkcs11provider != NULL)
2216 do_download(pw);
2217 2492
2218 if (do_gen_candidates) { 2493 if (do_gen_candidates) {
2219 FILE *out = fopen(out_file, "w"); 2494 FILE *out = fopen(out_file, "w");
@@ -2233,7 +2508,7 @@ main(int argc, char **argv)
2233 2508
2234 if (do_screen_candidates) { 2509 if (do_screen_candidates) {
2235 FILE *in; 2510 FILE *in;
2236 FILE *out = fopen(out_file, "w"); 2511 FILE *out = fopen(out_file, "a");
2237 2512
2238 if (have_identity && strcmp(identity_file, "-") != 0) { 2513 if (have_identity && strcmp(identity_file, "-") != 0) {
2239 if ((in = fopen(identity_file, "r")) == NULL) { 2514 if ((in = fopen(identity_file, "r")) == NULL) {
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 0d8cf3cf4..559c5a1f4 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -106,4 +106,4 @@ BUGS
106 This is because it opens a connection to the ssh port, reads the public 106 This is because it opens a connection to the ssh port, reads the public
107 key, and drops the connection as soon as it gets the key. 107 key, and drops the connection as soon as it gets the key.
108 108
109OpenBSD 5.2 April 11, 2012 OpenBSD 5.2 109OpenBSD 5.3 April 11, 2012 OpenBSD 5.3
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 50b7162dc..a2e9eec2b 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -48,4 +48,4 @@ HISTORY
48AUTHORS 48AUTHORS
49 Markus Friedl <markus@openbsd.org> 49 Markus Friedl <markus@openbsd.org>
50 50
51OpenBSD 5.2 August 31, 2010 OpenBSD 5.2 51OpenBSD 5.3 August 31, 2010 OpenBSD 5.3
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 2f8a674aa..dcfaa222a 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
22AUTHORS 22AUTHORS
23 Markus Friedl <markus@openbsd.org> 23 Markus Friedl <markus@openbsd.org>
24 24
25OpenBSD 5.2 February 10, 2010 OpenBSD 5.2 25OpenBSD 5.3 February 10, 2010 OpenBSD 5.3
diff --git a/ssh.0 b/ssh.0
index 7d43f8879..f6b642bc8 100644
--- a/ssh.0
+++ b/ssh.0
@@ -396,8 +396,8 @@ AUTHENTICATION
396 since it provides additional mechanisms for confidentiality (the traffic 396 since it provides additional mechanisms for confidentiality (the traffic
397 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and 397 is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
398 integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64, 398 integrity (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512, umac-64,
399 hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the 399 umac-128, hmac-ripemd160). Protocol 1 lacks a strong mechanism for
400 integrity of the connection. 400 ensuring the integrity of the connection.
401 401
402 The methods available for authentication are: GSSAPI-based 402 The methods available for authentication are: GSSAPI-based
403 authentication, host-based authentication, public key authentication, 403 authentication, host-based authentication, public key authentication,
@@ -537,6 +537,12 @@ ESCAPE CHARACTERS
537 ~R Request rekeying of the connection (only useful for SSH protocol 537 ~R Request rekeying of the connection (only useful for SSH protocol
538 version 2 and if the peer supports it). 538 version 2 and if the peer supports it).
539 539
540 ~V Decrease the verbosity (LogLevel) when errors are being written
541 to stderr.
542
543 ~v Increase the verbosity (LogLevel) when errors are being written
544 to stderr.
545
540TCP FORWARDING 546TCP FORWARDING
541 Forwarding of arbitrary TCP connections over the secure channel can be 547 Forwarding of arbitrary TCP connections over the secure channel can be
542 specified either on the command line or in a configuration file. One 548 specified either on the command line or in a configuration file. One
@@ -862,36 +868,45 @@ SEE ALSO
862 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), 868 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
863 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8) 869 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
864 870
865 The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006. 871STANDARDS
872 S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned
873 Numbers, RFC 4250, January 2006.
866 874
867 The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006. 875 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture,
876 RFC 4251, January 2006.
868 877
869 The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006. 878 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol,
879 RFC 4252, January 2006.
870 880
871 The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006. 881 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer
882 Protocol, RFC 4253, January 2006.
872 883
873 The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006. 884 T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC
885 4254, January 2006.
874 886
875 Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC 887 J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell
876 4255, 2006. 888 (SSH) Key Fingerprints, RFC 4255, January 2006.
877 889
878 Generic Message Exchange Authentication for the Secure Shell Protocol 890 F. Cusack and M. Forssen, Generic Message Exchange Authentication for the
879 (SSH), RFC 4256, 2006. 891 Secure Shell Protocol (SSH), RFC 4256, January 2006.
880 892
881 The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006. 893 J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break
894 Extension, RFC 4335, January 2006.
882 895
883 The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006. 896 M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport
897 Layer Encryption Modes, RFC 4344, January 2006.
884 898
885 Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer 899 B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport
886 Protocol, RFC 4345, 2006. 900 Layer Protocol, RFC 4345, January 2006.
887 901
888 Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer 902 M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
889 Protocol, RFC 4419, 2006. 903 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
890 904
891 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. 905 J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File
906 Format, RFC 4716, November 2006.
892 907
893 Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, 908 D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the
894 RFC 5656, 2009. 909 Secure Shell Transport Layer, RFC 5656, December 2009.
895 910
896 A. Perrig and D. Song, Hash Visualization: a New Technique to improve 911 A. Perrig and D. Song, Hash Visualization: a New Technique to improve
897 Real-World Security, 1999, International Workshop on Cryptographic 912 Real-World Security, 1999, International Workshop on Cryptographic
@@ -904,4 +919,4 @@ AUTHORS
904 created OpenSSH. Markus Friedl contributed the support for SSH protocol 919 created OpenSSH. Markus Friedl contributed the support for SSH protocol
905 versions 1.5 and 2.0. 920 versions 1.5 and 2.0.
906 921
907OpenBSD 5.2 June 18, 2012 OpenBSD 5.2 922OpenBSD 5.3 October 4, 2012 OpenBSD 5.3
diff --git a/ssh.1 b/ssh.1
index eaf5d83db..a5576edb6 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.326 2012/06/18 12:17:18 dtucker Exp $ 36.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $
37.Dd $Mdocdate: June 18 2012 $ 37.Dd $Mdocdate: October 4 2012 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -674,7 +674,7 @@ it provides additional mechanisms for confidentiality
674(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) 674(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
675and integrity (hmac-md5, hmac-sha1, 675and integrity (hmac-md5, hmac-sha1,
676hmac-sha2-256, hmac-sha2-512, 676hmac-sha2-256, hmac-sha2-512,
677umac-64, hmac-ripemd160). 677umac-64, umac-128, hmac-ripemd160).
678Protocol 1 lacks a strong mechanism for ensuring the 678Protocol 1 lacks a strong mechanism for ensuring the
679integrity of the connection. 679integrity of the connection.
680.Pp 680.Pp
@@ -926,6 +926,14 @@ option.
926.It Cm ~R 926.It Cm ~R
927Request rekeying of the connection 927Request rekeying of the connection
928(only useful for SSH protocol version 2 and if the peer supports it). 928(only useful for SSH protocol version 2 and if the peer supports it).
929.It Cm ~V
930Decrease the verbosity
931.Pq Ic LogLevel
932when errors are being written to stderr.
933.It Cm ~v
934Increase the verbosity
935.Pq Ic LogLevel
936when errors are being written to stderr.
929.El 937.El
930.Sh TCP FORWARDING 938.Sh TCP FORWARDING
931Forwarding of arbitrary TCP connections over the secure channel can 939Forwarding of arbitrary TCP connections over the secure channel can
@@ -1426,77 +1434,118 @@ if an error occurred.
1426.Xr ssh_config 5 , 1434.Xr ssh_config 5 ,
1427.Xr ssh-keysign 8 , 1435.Xr ssh-keysign 8 ,
1428.Xr sshd 8 1436.Xr sshd 8
1437.Sh STANDARDS
1429.Rs 1438.Rs
1439.%A S. Lehtinen
1440.%A C. Lonvick
1441.%D January 2006
1430.%R RFC 4250 1442.%R RFC 4250
1431.%T "The Secure Shell (SSH) Protocol Assigned Numbers" 1443.%T The Secure Shell (SSH) Protocol Assigned Numbers
1432.%D 2006
1433.Re 1444.Re
1445.Pp
1434.Rs 1446.Rs
1447.%A T. Ylonen
1448.%A C. Lonvick
1449.%D January 2006
1435.%R RFC 4251 1450.%R RFC 4251
1436.%T "The Secure Shell (SSH) Protocol Architecture" 1451.%T The Secure Shell (SSH) Protocol Architecture
1437.%D 2006
1438.Re 1452.Re
1453.Pp
1439.Rs 1454.Rs
1455.%A T. Ylonen
1456.%A C. Lonvick
1457.%D January 2006
1440.%R RFC 4252 1458.%R RFC 4252
1441.%T "The Secure Shell (SSH) Authentication Protocol" 1459.%T The Secure Shell (SSH) Authentication Protocol
1442.%D 2006
1443.Re 1460.Re
1461.Pp
1444.Rs 1462.Rs
1463.%A T. Ylonen
1464.%A C. Lonvick
1465.%D January 2006
1445.%R RFC 4253 1466.%R RFC 4253
1446.%T "The Secure Shell (SSH) Transport Layer Protocol" 1467.%T The Secure Shell (SSH) Transport Layer Protocol
1447.%D 2006
1448.Re 1468.Re
1469.Pp
1449.Rs 1470.Rs
1471.%A T. Ylonen
1472.%A C. Lonvick
1473.%D January 2006
1450.%R RFC 4254 1474.%R RFC 4254
1451.%T "The Secure Shell (SSH) Connection Protocol" 1475.%T The Secure Shell (SSH) Connection Protocol
1452.%D 2006
1453.Re 1476.Re
1477.Pp
1454.Rs 1478.Rs
1479.%A J. Schlyter
1480.%A W. Griffin
1481.%D January 2006
1455.%R RFC 4255 1482.%R RFC 4255
1456.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" 1483.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
1457.%D 2006
1458.Re 1484.Re
1485.Pp
1459.Rs 1486.Rs
1487.%A F. Cusack
1488.%A M. Forssen
1489.%D January 2006
1460.%R RFC 4256 1490.%R RFC 4256
1461.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)" 1491.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
1462.%D 2006
1463.Re 1492.Re
1493.Pp
1464.Rs 1494.Rs
1495.%A J. Galbraith
1496.%A P. Remaker
1497.%D January 2006
1465.%R RFC 4335 1498.%R RFC 4335
1466.%T "The Secure Shell (SSH) Session Channel Break Extension" 1499.%T The Secure Shell (SSH) Session Channel Break Extension
1467.%D 2006
1468.Re 1500.Re
1501.Pp
1469.Rs 1502.Rs
1503.%A M. Bellare
1504.%A T. Kohno
1505.%A C. Namprempre
1506.%D January 2006
1470.%R RFC 4344 1507.%R RFC 4344
1471.%T "The Secure Shell (SSH) Transport Layer Encryption Modes" 1508.%T The Secure Shell (SSH) Transport Layer Encryption Modes
1472.%D 2006
1473.Re 1509.Re
1510.Pp
1474.Rs 1511.Rs
1512.%A B. Harris
1513.%D January 2006
1475.%R RFC 4345 1514.%R RFC 4345
1476.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol" 1515.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
1477.%D 2006
1478.Re 1516.Re
1517.Pp
1479.Rs 1518.Rs
1519.%A M. Friedl
1520.%A N. Provos
1521.%A W. Simpson
1522.%D March 2006
1480.%R RFC 4419 1523.%R RFC 4419
1481.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" 1524.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
1482.%D 2006
1483.Re 1525.Re
1526.Pp
1484.Rs 1527.Rs
1528.%A J. Galbraith
1529.%A R. Thayer
1530.%D November 2006
1485.%R RFC 4716 1531.%R RFC 4716
1486.%T "The Secure Shell (SSH) Public Key File Format" 1532.%T The Secure Shell (SSH) Public Key File Format
1487.%D 2006
1488.Re 1533.Re
1534.Pp
1489.Rs 1535.Rs
1536.%A D. Stebila
1537.%A J. Green
1538.%D December 2009
1490.%R RFC 5656 1539.%R RFC 5656
1491.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer" 1540.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
1492.%D 2009
1493.Re 1541.Re
1542.Pp
1494.Rs 1543.Rs
1495.%T "Hash Visualization: a New Technique to improve Real-World Security"
1496.%A A. Perrig 1544.%A A. Perrig
1497.%A D. Song 1545.%A D. Song
1498.%D 1999 1546.%D 1999
1499.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)" 1547.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)
1548.%T Hash Visualization: a New Technique to improve Real-World Security
1500.Re 1549.Re
1501.Sh AUTHORS 1550.Sh AUTHORS
1502OpenSSH is a derivative of the original and free 1551OpenSSH is a derivative of the original and free
diff --git a/ssh_config.0 b/ssh_config.0
index d8256d137..164d11817 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -97,10 +97,13 @@ DESCRIPTION
97 preference. Multiple ciphers must be comma-separated. The 97 preference. Multiple ciphers must be comma-separated. The
98 supported ciphers are ``3des-cbc'', ``aes128-cbc'', 98 supported ciphers are ``3des-cbc'', ``aes128-cbc'',
99 ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', 99 ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'',
100 ``aes256-ctr'', ``arcfour128'', ``arcfour256'', ``arcfour'', 100 ``aes256-ctr'', ``aes128-gcm@openssh.com'',
101 ``blowfish-cbc'', and ``cast128-cbc''. The default is: 101 ``aes256-gcm@openssh.com'', ``arcfour128'', ``arcfour256'',
102 ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default
103 is:
102 104
103 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 105 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
106 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
104 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 107 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
105 aes256-cbc,arcfour 108 aes256-cbc,arcfour
106 109
@@ -354,11 +357,11 @@ DESCRIPTION
354 357
355 IdentitiesOnly 358 IdentitiesOnly
356 Specifies that ssh(1) should only use the authentication identity 359 Specifies that ssh(1) should only use the authentication identity
357 files configured in the ssh_config files, even if ssh-agent(1) 360 files configured in the ssh_config files, even if ssh-agent(1) or
358 offers more identities. The argument to this keyword must be 361 a PKCS11Provider offers more identities. The argument to this
359 ``yes'' or ``no''. This option is intended for situations where 362 keyword must be ``yes'' or ``no''. This option is intended for
360 ssh-agent offers many different identities. The default is 363 situations where ssh-agent offers many different identities. The
361 ``no''. 364 default is ``no''.
362 365
363 IdentityFile 366 IdentityFile
364 Specifies a file from which the user's DSA, ECDSA or RSA 367 Specifies a file from which the user's DSA, ECDSA or RSA
@@ -460,9 +463,16 @@ DESCRIPTION
460 MACs Specifies the MAC (message authentication code) algorithms in 463 MACs Specifies the MAC (message authentication code) algorithms in
461 order of preference. The MAC algorithm is used in protocol 464 order of preference. The MAC algorithm is used in protocol
462 version 2 for data integrity protection. Multiple algorithms 465 version 2 for data integrity protection. Multiple algorithms
463 must be comma-separated. The default is: 466 must be comma-separated. The algorithms that contain ``-etm''
464 467 calculate the MAC after encryption (encrypt-then-mac). These are
465 hmac-md5,hmac-sha1,umac-64@openssh.com, 468 considered safer and their use recommended. The default is:
469
470 hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
471 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
472 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
473 hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
474 hmac-md5-96-etm@openssh.com,
475 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
466 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 476 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
467 hmac-sha1-96,hmac-md5-96 477 hmac-sha1-96,hmac-md5-96
468 478
@@ -763,4 +773,4 @@ AUTHORS
763 created OpenSSH. Markus Friedl contributed the support for SSH protocol 773 created OpenSSH. Markus Friedl contributed the support for SSH protocol
764 versions 1.5 and 2.0. 774 versions 1.5 and 2.0.
765 775
766OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 776OpenBSD 5.3 January 8, 2013 OpenBSD 5.3
diff --git a/ssh_config.5 b/ssh_config.5
index 1c118eefc..bd3a7127a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $
37.Dd $Mdocdate: June 29 2012 $ 37.Dd $Mdocdate: January 8 2013 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -204,6 +204,8 @@ The supported ciphers are
204.Dq aes128-ctr , 204.Dq aes128-ctr ,
205.Dq aes192-ctr , 205.Dq aes192-ctr ,
206.Dq aes256-ctr , 206.Dq aes256-ctr ,
207.Dq aes128-gcm@openssh.com ,
208.Dq aes256-gcm@openssh.com ,
207.Dq arcfour128 , 209.Dq arcfour128 ,
208.Dq arcfour256 , 210.Dq arcfour256 ,
209.Dq arcfour , 211.Dq arcfour ,
@@ -213,6 +215,7 @@ and
213The default is: 215The default is:
214.Bd -literal -offset 3n 216.Bd -literal -offset 3n
215aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 217aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
218aes128-gcm@openssh.com,aes256-gcm@openssh.com,
216aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 219aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
217aes256-cbc,arcfour 220aes256-cbc,arcfour
218.Ed 221.Ed
@@ -634,6 +637,8 @@ should only use the authentication identity files configured in the
634files, 637files,
635even if 638even if
636.Xr ssh-agent 1 639.Xr ssh-agent 1
640or a
641.Cm PKCS11Provider
637offers more identities. 642offers more identities.
638The argument to this keyword must be 643The argument to this keyword must be
639.Dq yes 644.Dq yes
@@ -822,9 +827,18 @@ in order of preference.
822The MAC algorithm is used in protocol version 2 827The MAC algorithm is used in protocol version 2
823for data integrity protection. 828for data integrity protection.
824Multiple algorithms must be comma-separated. 829Multiple algorithms must be comma-separated.
830The algorithms that contain
831.Dq -etm
832calculate the MAC after encryption (encrypt-then-mac).
833These are considered safer and their use recommended.
825The default is: 834The default is:
826.Bd -literal -offset indent 835.Bd -literal -offset indent
827hmac-md5,hmac-sha1,umac-64@openssh.com, 836hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
837umac-64-etm@openssh.com,umac-128-etm@openssh.com,
838hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
839hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
840hmac-md5-96-etm@openssh.com,
841hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
828hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 842hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
829hmac-sha1-96,hmac-md5-96 843hmac-sha1-96,hmac-md5-96
830.Ed 844.Ed
diff --git a/sshconnect.c b/sshconnect.c
index 0ee726637..07800a65f 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.234 2011/05/24 07:15:47 djm Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -429,6 +429,24 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
429 return 0; 429 return 0;
430} 430}
431 431
432static void
433send_client_banner(int connection_out, int minor1)
434{
435 /* Send our own protocol version identification. */
436 if (compat20) {
437 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
438 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
439 } else {
440 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
441 PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
442 }
443 if (roaming_atomicio(vwrite, connection_out, client_version_string,
444 strlen(client_version_string)) != strlen(client_version_string))
445 fatal("write: %.100s", strerror(errno));
446 chop(client_version_string);
447 debug("Local version string %.100s", client_version_string);
448}
449
432/* 450/*
433 * Waits for the server identification string, and sends our own 451 * Waits for the server identification string, and sends our own
434 * identification string. 452 * identification string.
@@ -440,7 +458,7 @@ ssh_exchange_identification(int timeout_ms)
440 int remote_major, remote_minor, mismatch; 458 int remote_major, remote_minor, mismatch;
441 int connection_in = packet_get_connection_in(); 459 int connection_in = packet_get_connection_in();
442 int connection_out = packet_get_connection_out(); 460 int connection_out = packet_get_connection_out();
443 int minor1 = PROTOCOL_MINOR_1; 461 int minor1 = PROTOCOL_MINOR_1, client_banner_sent = 0;
444 u_int i, n; 462 u_int i, n;
445 size_t len; 463 size_t len;
446 int fdsetsz, remaining, rc; 464 int fdsetsz, remaining, rc;
@@ -450,6 +468,16 @@ ssh_exchange_identification(int timeout_ms)
450 fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask); 468 fdsetsz = howmany(connection_in + 1, NFDBITS) * sizeof(fd_mask);
451 fdset = xcalloc(1, fdsetsz); 469 fdset = xcalloc(1, fdsetsz);
452 470
471 /*
472 * If we are SSH2-only then we can send the banner immediately and
473 * save a round-trip.
474 */
475 if (options.protocol == SSH_PROTO_2) {
476 enable_compat20();
477 send_client_banner(connection_out, 0);
478 client_banner_sent = 1;
479 }
480
453 /* Read other side's version identification. */ 481 /* Read other side's version identification. */
454 remaining = timeout_ms; 482 remaining = timeout_ms;
455 for (n = 0;;) { 483 for (n = 0;;) {
@@ -552,18 +580,9 @@ ssh_exchange_identification(int timeout_ms)
552 fatal("Protocol major versions differ: %d vs. %d", 580 fatal("Protocol major versions differ: %d vs. %d",
553 (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, 581 (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
554 remote_major); 582 remote_major);
555 /* Send our own protocol version identification. */ 583 if (!client_banner_sent)
556 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", 584 send_client_banner(connection_out, minor1);
557 compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
558 compat20 ? PROTOCOL_MINOR_2 : minor1,
559 SSH_VERSION, compat20 ? "\r\n" : "\n");
560 if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
561 != strlen(buf))
562 fatal("write: %.100s", strerror(errno));
563 client_version_string = xstrdup(buf);
564 chop(client_version_string);
565 chop(server_version_string); 585 chop(server_version_string);
566 debug("Local version string %.100s", client_version_string);
567} 586}
568 587
569/* defaults to 'no' */ 588/* defaults to 'no' */
diff --git a/sshconnect2.c b/sshconnect2.c
index 11dd3e720..8015b1bdf 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.189 2012/06/22 12:30:26 dtucker Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -40,7 +40,7 @@
40#include <stdio.h> 40#include <stdio.h>
41#include <string.h> 41#include <string.h>
42#include <unistd.h> 42#include <unistd.h>
43#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) 43#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
44#include <vis.h> 44#include <vis.h>
45#endif 45#endif
46 46
@@ -304,6 +304,7 @@ struct identity {
304 char *filename; /* comment for agent-only keys */ 304 char *filename; /* comment for agent-only keys */
305 int tried; 305 int tried;
306 int isprivate; /* key points to the private key */ 306 int isprivate; /* key points to the private key */
307 int userprovided;
307}; 308};
308TAILQ_HEAD(idlist, identity); 309TAILQ_HEAD(idlist, identity);
309 310
@@ -369,7 +370,7 @@ void userauth(Authctxt *, char *);
369static int sign_and_send_pubkey(Authctxt *, Identity *); 370static int sign_and_send_pubkey(Authctxt *, Identity *);
370static void pubkey_prepare(Authctxt *); 371static void pubkey_prepare(Authctxt *);
371static void pubkey_cleanup(Authctxt *); 372static void pubkey_cleanup(Authctxt *);
372static Key *load_identity_file(char *); 373static Key *load_identity_file(char *, int);
373 374
374static Authmethod *authmethod_get(char *authlist); 375static Authmethod *authmethod_get(char *authlist);
375static Authmethod *authmethod_lookup(const char *name); 376static Authmethod *authmethod_lookup(const char *name);
@@ -1302,7 +1303,7 @@ identity_sign(Identity *id, u_char **sigp, u_int *lenp,
1302 if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) 1303 if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
1303 return (key_sign(id->key, sigp, lenp, data, datalen)); 1304 return (key_sign(id->key, sigp, lenp, data, datalen));
1304 /* load the private key from the file */ 1305 /* load the private key from the file */
1305 if ((prv = load_identity_file(id->filename)) == NULL) 1306 if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL)
1306 return (-1); 1307 return (-1);
1307 ret = key_sign(prv, sigp, lenp, data, datalen); 1308 ret = key_sign(prv, sigp, lenp, data, datalen);
1308 key_free(prv); 1309 key_free(prv);
@@ -1427,7 +1428,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
1427} 1428}
1428 1429
1429static Key * 1430static Key *
1430load_identity_file(char *filename) 1431load_identity_file(char *filename, int userprovided)
1431{ 1432{
1432 Key *private; 1433 Key *private;
1433 char prompt[300], *passphrase; 1434 char prompt[300], *passphrase;
@@ -1435,7 +1436,8 @@ load_identity_file(char *filename)
1435 struct stat st; 1436 struct stat st;
1436 1437
1437 if (stat(filename, &st) < 0) { 1438 if (stat(filename, &st) < 0) {
1438 debug3("no such identity: %s", filename); 1439 (userprovided ? logit : debug3)("no such identity: %s: %s",
1440 filename, strerror(errno));
1439 return NULL; 1441 return NULL;
1440 } 1442 }
1441 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); 1443 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
@@ -1475,7 +1477,7 @@ load_identity_file(char *filename)
1475static void 1477static void
1476pubkey_prepare(Authctxt *authctxt) 1478pubkey_prepare(Authctxt *authctxt)
1477{ 1479{
1478 Identity *id; 1480 Identity *id, *id2, *tmp;
1479 Idlist agent, files, *preferred; 1481 Idlist agent, files, *preferred;
1480 Key *key; 1482 Key *key;
1481 AuthenticationConnection *ac; 1483 AuthenticationConnection *ac;
@@ -1487,7 +1489,7 @@ pubkey_prepare(Authctxt *authctxt)
1487 preferred = &authctxt->keys; 1489 preferred = &authctxt->keys;
1488 TAILQ_INIT(preferred); /* preferred order of keys */ 1490 TAILQ_INIT(preferred); /* preferred order of keys */
1489 1491
1490 /* list of keys stored in the filesystem */ 1492 /* list of keys stored in the filesystem and PKCS#11 */
1491 for (i = 0; i < options.num_identity_files; i++) { 1493 for (i = 0; i < options.num_identity_files; i++) {
1492 key = options.identity_keys[i]; 1494 key = options.identity_keys[i];
1493 if (key && key->type == KEY_RSA1) 1495 if (key && key->type == KEY_RSA1)
@@ -1498,8 +1500,32 @@ pubkey_prepare(Authctxt *authctxt)
1498 id = xcalloc(1, sizeof(*id)); 1500 id = xcalloc(1, sizeof(*id));
1499 id->key = key; 1501 id->key = key;
1500 id->filename = xstrdup(options.identity_files[i]); 1502 id->filename = xstrdup(options.identity_files[i]);
1503 id->userprovided = 1;
1501 TAILQ_INSERT_TAIL(&files, id, next); 1504 TAILQ_INSERT_TAIL(&files, id, next);
1502 } 1505 }
1506 /* Prefer PKCS11 keys that are explicitly listed */
1507 TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
1508 if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0)
1509 continue;
1510 found = 0;
1511 TAILQ_FOREACH(id2, &files, next) {
1512 if (id2->key == NULL ||
1513 (id2->key->flags & KEY_FLAG_EXT) != 0)
1514 continue;
1515 if (key_equal(id->key, id2->key)) {
1516 TAILQ_REMOVE(&files, id, next);
1517 TAILQ_INSERT_TAIL(preferred, id, next);
1518 found = 1;
1519 break;
1520 }
1521 }
1522 /* If IdentitiesOnly set and key not found then don't use it */
1523 if (!found && options.identities_only) {
1524 TAILQ_REMOVE(&files, id, next);
1525 bzero(id, sizeof(id));
1526 free(id);
1527 }
1528 }
1503 /* list of keys supported by the agent */ 1529 /* list of keys supported by the agent */
1504 if ((ac = ssh_get_authentication_connection())) { 1530 if ((ac = ssh_get_authentication_connection())) {
1505 for (key = ssh_get_first_identity(ac, &comment, 2); 1531 for (key = ssh_get_first_identity(ac, &comment, 2);
@@ -1539,7 +1565,8 @@ pubkey_prepare(Authctxt *authctxt)
1539 TAILQ_INSERT_TAIL(preferred, id, next); 1565 TAILQ_INSERT_TAIL(preferred, id, next);
1540 } 1566 }
1541 TAILQ_FOREACH(id, preferred, next) { 1567 TAILQ_FOREACH(id, preferred, next) {
1542 debug2("key: %s (%p)", id->filename, id->key); 1568 debug2("key: %s (%p),%s", id->filename, id->key,
1569 id->userprovided ? " explicit" : "");
1543 } 1570 }
1544} 1571}
1545 1572
@@ -1584,7 +1611,8 @@ userauth_pubkey(Authctxt *authctxt)
1584 sent = send_pubkey_test(authctxt, id); 1611 sent = send_pubkey_test(authctxt, id);
1585 } else if (id->key == NULL) { 1612 } else if (id->key == NULL) {
1586 debug("Trying private key: %s", id->filename); 1613 debug("Trying private key: %s", id->filename);
1587 id->key = load_identity_file(id->filename); 1614 id->key = load_identity_file(id->filename,
1615 id->userprovided);
1588 if (id->key != NULL) { 1616 if (id->key != NULL) {
1589 id->isprivate = 1; 1617 id->isprivate = 1;
1590 sent = sign_and_send_pubkey(authctxt, id); 1618 sent = sign_and_send_pubkey(authctxt, id);
diff --git a/sshd.0 b/sshd.0
index 35093337d..83f9a881b 100644
--- a/sshd.0
+++ b/sshd.0
@@ -169,7 +169,7 @@ AUTHENTICATION
169 client selects the encryption algorithm to use from those offered by the 169 client selects the encryption algorithm to use from those offered by the
170 server. Additionally, session integrity is provided through a 170 server. Additionally, session integrity is provided through a
171 cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64, 171 cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
172 hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512). 172 umac-128, hmac-ripemd160, hmac-sha2-256 or hmac-sha2-512).
173 173
174 Finally, the server and the client enter an authentication dialog. The 174 Finally, the server and the client enter an authentication dialog. The
175 client tries to authenticate itself using host-based authentication, 175 client tries to authenticate itself using host-based authentication,
@@ -634,4 +634,4 @@ CAVEATS
634 System security is not improved unless rshd, rlogind, and rexecd are 634 System security is not improved unless rshd, rlogind, and rexecd are
635 disabled (thus completely disabling rlogin and rsh into the machine). 635 disabled (thus completely disabling rlogin and rsh into the machine).
636 636
637OpenBSD 5.2 June 18, 2012 OpenBSD 5.2 637OpenBSD 5.3 October 4, 2012 OpenBSD 5.3
diff --git a/sshd.8 b/sshd.8
index a1a74d86a..132397839 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $ 36.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $
37.Dd $Mdocdate: June 18 2012 $ 37.Dd $Mdocdate: October 4 2012 $
38.Dt SSHD 8 38.Dt SSHD 8
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -316,7 +316,7 @@ The client selects the encryption algorithm
316to use from those offered by the server. 316to use from those offered by the server.
317Additionally, session integrity is provided 317Additionally, session integrity is provided
318through a cryptographic message authentication code 318through a cryptographic message authentication code
319(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, 319(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
320hmac-sha2-256 or hmac-sha2-512). 320hmac-sha2-256 or hmac-sha2-512).
321.Pp 321.Pp
322Finally, the server and the client enter an authentication dialog. 322Finally, the server and the client enter an authentication dialog.
diff --git a/sshd.c b/sshd.c
index 6b2f59220..d8faaebd5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -363,6 +363,15 @@ grace_alarm_handler(int sig)
363 if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) 363 if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
364 kill(pmonitor->m_pid, SIGALRM); 364 kill(pmonitor->m_pid, SIGALRM);
365 365
366 /*
367 * Try to kill any processes that we have spawned, E.g. authorized
368 * keys command helpers.
369 */
370 if (getpgid(0) == getpid()) {
371 signal(SIGTERM, SIG_IGN);
372 killpg(0, SIGTERM);
373 }
374
366 /* Log error and exit. */ 375 /* Log error and exit. */
367 sigdie("Timeout before authentication for %s", get_remote_ipaddr()); 376 sigdie("Timeout before authentication for %s", get_remote_ipaddr());
368} 377}
@@ -1332,6 +1341,7 @@ main(int ac, char **av)
1332 int remote_port; 1341 int remote_port;
1333 char *line; 1342 char *line;
1334 int config_s[2] = { -1 , -1 }; 1343 int config_s[2] = { -1 , -1 };
1344 u_int n;
1335 u_int64_t ibytes, obytes; 1345 u_int64_t ibytes, obytes;
1336 mode_t new_umask; 1346 mode_t new_umask;
1337 Key *key; 1347 Key *key;
@@ -1554,6 +1564,33 @@ main(int ac, char **av)
1554 if (options.challenge_response_authentication) 1564 if (options.challenge_response_authentication)
1555 options.kbd_interactive_authentication = 1; 1565 options.kbd_interactive_authentication = 1;
1556 1566
1567 /* Check that options are sensible */
1568 if (options.authorized_keys_command_user == NULL &&
1569 (options.authorized_keys_command != NULL &&
1570 strcasecmp(options.authorized_keys_command, "none") != 0))
1571 fatal("AuthorizedKeysCommand set without "
1572 "AuthorizedKeysCommandUser");
1573
1574 /*
1575 * Check whether there is any path through configured auth methods.
1576 * Unfortunately it is not possible to verify this generally before
1577 * daemonisation in the presence of Match block, but this catches
1578 * and warns for trivial misconfigurations that could break login.
1579 */
1580 if (options.num_auth_methods != 0) {
1581 if ((options.protocol & SSH_PROTO_1))
1582 fatal("AuthenticationMethods is not supported with "
1583 "SSH protocol 1");
1584 for (n = 0; n < options.num_auth_methods; n++) {
1585 if (auth2_methods_valid(options.auth_methods[n],
1586 1) == 0)
1587 break;
1588 }
1589 if (n >= options.num_auth_methods)
1590 fatal("AuthenticationMethods cannot be satisfied by "
1591 "enabled authentication methods");
1592 }
1593
1557 /* set default channel AF */ 1594 /* set default channel AF */
1558 channel_set_af(options.address_family); 1595 channel_set_af(options.address_family);
1559 1596
@@ -1563,7 +1600,8 @@ main(int ac, char **av)
1563 exit(1); 1600 exit(1);
1564 } 1601 }
1565 1602
1566 debug("sshd version %.100s", SSH_RELEASE); 1603 debug("sshd version %s, %s", SSH_VERSION,
1604 SSLeay_version(SSLEAY_VERSION));
1567 1605
1568 /* Store privilege separation user for later use if required. */ 1606 /* Store privilege separation user for later use if required. */
1569 if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { 1607 if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
diff --git a/sshd_config b/sshd_config
index 2e3cca499..1af2afd7a 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ 1# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -51,6 +51,9 @@ AuthorizedKeysFile .ssh/authorized_keys
51 51
52#AuthorizedPrincipalsFile none 52#AuthorizedPrincipalsFile none
53 53
54#AuthorizedKeysCommand none
55#AuthorizedKeysCommandUser nobody
56
54# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 57# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
55#RhostsRSAAuthentication no 58#RhostsRSAAuthentication no
56# similar for protocol version 2 59# similar for protocol version 2
@@ -108,7 +111,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
108#ClientAliveCountMax 3 111#ClientAliveCountMax 3
109#UseDNS yes 112#UseDNS yes
110#PidFile /var/run/sshd.pid 113#PidFile /var/run/sshd.pid
111#MaxStartups 10 114#MaxStartups 10:30:100
112#PermitTunnel no 115#PermitTunnel no
113#ChrootDirectory none 116#ChrootDirectory none
114#VersionAddendum none 117#VersionAddendum none
diff --git a/sshd_config.0 b/sshd_config.0
index d9c87b7a0..2648db3d4 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -53,10 +53,14 @@ DESCRIPTION
53 See PATTERNS in ssh_config(5) for more information on patterns. 53 See PATTERNS in ssh_config(5) for more information on patterns.
54 54
55 AllowTcpForwarding 55 AllowTcpForwarding
56 Specifies whether TCP forwarding is permitted. The default is 56 Specifies whether TCP forwarding is permitted. The available
57 ``yes''. Note that disabling TCP forwarding does not improve 57 options are ``yes'' or ``all'' to allow TCP forwarding, ``no'' to
58 security unless users are also denied shell access, as they can 58 prevent all TCP forwarding, ``local'' to allow local (from the
59 always install their own forwarders. 59 perspective of ssh(1)) forwarding only or ``remote'' to allow
60 remote forwarding only. The default is ``yes''. Note that
61 disabling TCP forwarding does not improve security unless users
62 are also denied shell access, as they can always install their
63 own forwarders.
60 64
61 AllowUsers 65 AllowUsers
62 This keyword can be followed by a list of user name patterns, 66 This keyword can be followed by a list of user name patterns,
@@ -71,6 +75,44 @@ DESCRIPTION
71 75
72 See PATTERNS in ssh_config(5) for more information on patterns. 76 See PATTERNS in ssh_config(5) for more information on patterns.
73 77
78 AuthenticationMethods
79 Specifies the authentication methods that must be successfully
80 completed for a user to be granted access. This option must be
81 followed by one or more comma-separated lists of authentication
82 method names. Successful authentication requires completion of
83 every method in at least one of these lists.
84
85 For example, an argument of ``publickey,password
86 publickey,keyboard-interactive'' would require the user to
87 complete public key authentication, followed by either password
88 or keyboard interactive authentication. Only methods that are
89 next in one or more lists are offered at each stage, so for this
90 example, it would not be possible to attempt password or
91 keyboard-interactive authentication before public key.
92
93 This option is only available for SSH protocol 2 and will yield a
94 fatal error if enabled if protocol 1 is also enabled. Note that
95 each authentication method listed should also be explicitly
96 enabled in the configuration. The default is not to require
97 multiple authentication; successful completion of a single
98 authentication method is sufficient.
99
100 AuthorizedKeysCommand
101 Specifies a program to be used to look up the user's public keys.
102 The program will be invoked with a single argument of the
103 username being authenticated, and should produce on standard
104 output zero or more lines of authorized_keys output (see
105 AUTHORIZED_KEYS in sshd(8)). If a key supplied by
106 AuthorizedKeysCommand does not successfully authenticate and
107 authorize the user then public key authentication continues using
108 the usual AuthorizedKeysFile files. By default, no
109 AuthorizedKeysCommand is run.
110
111 AuthorizedKeysCommandUser
112 Specifies the user under whose account the AuthorizedKeysCommand
113 is run. It is recommended to use a dedicated user that has no
114 other role on the host than running authorized keys commands.
115
74 AuthorizedKeysFile 116 AuthorizedKeysFile
75 Specifies the file that contains the public keys that can be used 117 Specifies the file that contains the public keys that can be used
76 for user authentication. The format is described in the 118 for user authentication. The format is described in the
@@ -150,11 +192,13 @@ DESCRIPTION
150 Specifies the ciphers allowed for protocol version 2. Multiple 192 Specifies the ciphers allowed for protocol version 2. Multiple
151 ciphers must be comma-separated. The supported ciphers are 193 ciphers must be comma-separated. The supported ciphers are
152 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 194 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
153 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', 195 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
154 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and 196 ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
155 ``cast128-cbc''. The default is: 197 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
198 and ``cast128-cbc''. The default is:
156 199
157 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 200 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
201 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
158 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 202 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
159 aes256-cbc,arcfour 203 aes256-cbc,arcfour
160 204
@@ -373,9 +417,16 @@ DESCRIPTION
373 MACs Specifies the available MAC (message authentication code) 417 MACs Specifies the available MAC (message authentication code)
374 algorithms. The MAC algorithm is used in protocol version 2 for 418 algorithms. The MAC algorithm is used in protocol version 2 for
375 data integrity protection. Multiple algorithms must be comma- 419 data integrity protection. Multiple algorithms must be comma-
376 separated. The default is: 420 separated. The algorithms that contain ``-etm'' calculate the
377 421 MAC after encryption (encrypt-then-mac). These are considered
378 hmac-md5,hmac-sha1,umac-64@openssh.com, 422 safer and their use recommended. The default is:
423
424 hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
425 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
426 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
427 hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
428 hmac-md5-96-etm@openssh.com,
429 hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
379 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 430 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
380 hmac-sha1-96,hmac-md5-96 431 hmac-sha1-96,hmac-md5-96
381 432
@@ -402,15 +453,16 @@ DESCRIPTION
402 Only a subset of keywords may be used on the lines following a 453 Only a subset of keywords may be used on the lines following a
403 Match keyword. Available keywords are AcceptEnv, 454 Match keyword. Available keywords are AcceptEnv,
404 AllowAgentForwarding, AllowGroups, AllowTcpForwarding, 455 AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
405 AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, 456 AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
406 ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, 457 AuthorizedKeysCommandUser, AuthorizedKeysFile,
407 GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, 458 AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
408 HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, 459 DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
409 KerberosAuthentication, MaxAuthTries, MaxSessions, 460 HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
410 PasswordAuthentication, PermitEmptyPasswords, PermitOpen, 461 KbdInteractiveAuthentication, KerberosAuthentication,
411 PermitRootLogin, PermitTunnel, PubkeyAuthentication, 462 MaxAuthTries, MaxSessions, PasswordAuthentication,
412 RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, 463 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
413 X11Forwarding and X11UseLocalHost. 464 PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
465 X11DisplayOffset, X11Forwarding and X11UseLocalHost.
414 466
415 MaxAuthTries 467 MaxAuthTries
416 Specifies the maximum number of authentication attempts permitted 468 Specifies the maximum number of authentication attempts permitted
@@ -425,7 +477,7 @@ DESCRIPTION
425 Specifies the maximum number of concurrent unauthenticated 477 Specifies the maximum number of concurrent unauthenticated
426 connections to the SSH daemon. Additional connections will be 478 connections to the SSH daemon. Additional connections will be
427 dropped until authentication succeeds or the LoginGraceTime 479 dropped until authentication succeeds or the LoginGraceTime
428 expires for a connection. The default is 10. 480 expires for a connection. The default is 10:30:100.
429 481
430 Alternatively, random early drop can be enabled by specifying the 482 Alternatively, random early drop can be enabled by specifying the
431 three colon separated values ``start:rate:full'' (e.g. 483 three colon separated values ``start:rate:full'' (e.g.
@@ -520,10 +572,13 @@ DESCRIPTION
520 version 2 only. 572 version 2 only.
521 573
522 RevokedKeys 574 RevokedKeys
523 Specifies a list of revoked public keys. Keys listed in this 575 Specifies revoked public keys. Keys listed in this file will be
524 file will be refused for public key authentication. Note that if 576 refused for public key authentication. Note that if this file is
525 this file is not readable, then public key authentication will be 577 not readable, then public key authentication will be refused for
526 refused for all users. 578 all users. Keys may be specified as a text file, listing one
579 public key per line, or as an OpenSSH Key Revocation List (KRL)
580 as generated by ssh-keygen(1). For more information on KRLs, see
581 the KEY REVOCATION LISTS section in ssh-keygen(1).
527 582
528 RhostsRSAAuthentication 583 RhostsRSAAuthentication
529 Specifies whether rhosts or /etc/hosts.equiv authentication 584 Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -722,4 +777,4 @@ AUTHORS
722 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 777 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
723 for privilege separation. 778 for privilege separation.
724 779
725OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 780OpenBSD 5.3 February 6, 2013 OpenBSD 5.3
diff --git a/sshd_config.5 b/sshd_config.5
index ef4164edd..935bb62fa 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $
37.Dd $Mdocdate: June 29 2012 $ 37.Dd $Mdocdate: February 6 2013 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -124,6 +124,19 @@ in
124for more information on patterns. 124for more information on patterns.
125.It Cm AllowTcpForwarding 125.It Cm AllowTcpForwarding
126Specifies whether TCP forwarding is permitted. 126Specifies whether TCP forwarding is permitted.
127The available options are
128.Dq yes
129or
130.Dq all
131to allow TCP forwarding,
132.Dq no
133to prevent all TCP forwarding,
134.Dq local
135to allow local (from the perspective of
136.Xr ssh 1 )
137forwarding only or
138.Dq remote
139to allow remote forwarding only.
127The default is 140The default is
128.Dq yes . 141.Dq yes .
129Note that disabling TCP forwarding does not improve security unless 142Note that disabling TCP forwarding does not improve security unless
@@ -151,6 +164,45 @@ See
151in 164in
152.Xr ssh_config 5 165.Xr ssh_config 5
153for more information on patterns. 166for more information on patterns.
167.It Cm AuthenticationMethods
168Specifies the authentication methods that must be successfully completed
169for a user to be granted access.
170This option must be followed by one or more comma-separated lists of
171authentication method names.
172Successful authentication requires completion of every method in at least
173one of these lists.
174.Pp
175For example, an argument of
176.Dq publickey,password publickey,keyboard-interactive
177would require the user to complete public key authentication, followed by
178either password or keyboard interactive authentication.
179Only methods that are next in one or more lists are offered at each stage,
180so for this example, it would not be possible to attempt password or
181keyboard-interactive authentication before public key.
182.Pp
183This option is only available for SSH protocol 2 and will yield a fatal
184error if enabled if protocol 1 is also enabled.
185Note that each authentication method listed should also be explicitly enabled
186in the configuration.
187The default is not to require multiple authentication; successful completion
188of a single authentication method is sufficient.
189.It Cm AuthorizedKeysCommand
190Specifies a program to be used to look up the user's public keys.
191The program will be invoked with a single argument of the username
192being authenticated, and should produce on standard output zero or
193more lines of authorized_keys output (see
194.Sx AUTHORIZED_KEYS
195in
196.Xr sshd 8 ) .
197If a key supplied by AuthorizedKeysCommand does not successfully authenticate
198and authorize the user then public key authentication continues using the usual
199.Cm AuthorizedKeysFile
200files.
201By default, no AuthorizedKeysCommand is run.
202.It Cm AuthorizedKeysCommandUser
203Specifies the user under whose account the AuthorizedKeysCommand is run.
204It is recommended to use a dedicated user that has no other role on the host
205than running authorized keys commands.
154.It Cm AuthorizedKeysFile 206.It Cm AuthorizedKeysFile
155Specifies the file that contains the public keys that can be used 207Specifies the file that contains the public keys that can be used
156for user authentication. 208for user authentication.
@@ -284,6 +336,8 @@ The supported ciphers are
284.Dq aes128-ctr , 336.Dq aes128-ctr ,
285.Dq aes192-ctr , 337.Dq aes192-ctr ,
286.Dq aes256-ctr , 338.Dq aes256-ctr ,
339.Dq aes128-gcm@openssh.com ,
340.Dq aes256-gcm@openssh.com ,
287.Dq arcfour128 , 341.Dq arcfour128 ,
288.Dq arcfour256 , 342.Dq arcfour256 ,
289.Dq arcfour , 343.Dq arcfour ,
@@ -293,6 +347,7 @@ and
293The default is: 347The default is:
294.Bd -literal -offset 3n 348.Bd -literal -offset 3n
295aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, 349aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
350aes128-gcm@openssh.com,aes256-gcm@openssh.com,
296aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, 351aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
297aes256-cbc,arcfour 352aes256-cbc,arcfour
298.Ed 353.Ed
@@ -682,9 +737,18 @@ Specifies the available MAC (message authentication code) algorithms.
682The MAC algorithm is used in protocol version 2 737The MAC algorithm is used in protocol version 2
683for data integrity protection. 738for data integrity protection.
684Multiple algorithms must be comma-separated. 739Multiple algorithms must be comma-separated.
740The algorithms that contain
741.Dq -etm
742calculate the MAC after encryption (encrypt-then-mac).
743These are considered safer and their use recommended.
685The default is: 744The default is:
686.Bd -literal -offset indent 745.Bd -literal -offset indent
687hmac-md5,hmac-sha1,umac-64@openssh.com, 746hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
747umac-64-etm@openssh.com,umac-128-etm@openssh.com,
748hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
749hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
750hmac-md5-96-etm@openssh.com,
751hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
688hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, 752hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
689hmac-sha1-96,hmac-md5-96 753hmac-sha1-96,hmac-md5-96
690.Ed 754.Ed
@@ -739,6 +803,9 @@ Available keywords are
739.Cm AllowGroups , 803.Cm AllowGroups ,
740.Cm AllowTcpForwarding , 804.Cm AllowTcpForwarding ,
741.Cm AllowUsers , 805.Cm AllowUsers ,
806.Cm AuthenticationMethods ,
807.Cm AuthorizedKeysCommand ,
808.Cm AuthorizedKeysCommandUser ,
742.Cm AuthorizedKeysFile , 809.Cm AuthorizedKeysFile ,
743.Cm AuthorizedPrincipalsFile , 810.Cm AuthorizedPrincipalsFile ,
744.Cm Banner , 811.Cm Banner ,
@@ -781,7 +848,7 @@ SSH daemon.
781Additional connections will be dropped until authentication succeeds or the 848Additional connections will be dropped until authentication succeeds or the
782.Cm LoginGraceTime 849.Cm LoginGraceTime
783expires for a connection. 850expires for a connection.
784The default is 10. 851The default is 10:30:100.
785.Pp 852.Pp
786Alternatively, random early drop can be enabled by specifying 853Alternatively, random early drop can be enabled by specifying
787the three colon separated values 854the three colon separated values
@@ -955,10 +1022,17 @@ The default is
955.Dq yes . 1022.Dq yes .
956Note that this option applies to protocol version 2 only. 1023Note that this option applies to protocol version 2 only.
957.It Cm RevokedKeys 1024.It Cm RevokedKeys
958Specifies a list of revoked public keys. 1025Specifies revoked public keys.
959Keys listed in this file will be refused for public key authentication. 1026Keys listed in this file will be refused for public key authentication.
960Note that if this file is not readable, then public key authentication will 1027Note that if this file is not readable, then public key authentication will
961be refused for all users. 1028be refused for all users.
1029Keys may be specified as a text file, listing one public key per line, or as
1030an OpenSSH Key Revocation List (KRL) as generated by
1031.Xr ssh-keygen 1 .
1032For more information on KRLs, see the
1033.Sx KEY REVOCATION LISTS
1034section in
1035.Xr ssh-keygen 1 .
962.It Cm RhostsRSAAuthentication 1036.It Cm RhostsRSAAuthentication
963Specifies whether rhosts or /etc/hosts.equiv authentication together 1037Specifies whether rhosts or /etc/hosts.equiv authentication together
964with successful RSA host authentication is allowed. 1038with successful RSA host authentication is allowed.
diff --git a/uidswap.c b/uidswap.c
index 837648396..cdd7309e3 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -138,20 +138,8 @@ permanently_drop_suid(uid_t uid)
138 uid_t old_uid = getuid(); 138 uid_t old_uid = getuid();
139 139
140 debug("permanently_drop_suid: %u", (u_int)uid); 140 debug("permanently_drop_suid: %u", (u_int)uid);
141#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
142 if (setresuid(uid, uid, uid) < 0) 141 if (setresuid(uid, uid, uid) < 0)
143 fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); 142 fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
144#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
145 if (setreuid(uid, uid) < 0)
146 fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
147#else
148# ifndef SETEUID_BREAKS_SETUID
149 if (seteuid(uid) < 0)
150 fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
151# endif
152 if (setuid(uid) < 0)
153 fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
154#endif
155 143
156#ifndef HAVE_CYGWIN 144#ifndef HAVE_CYGWIN
157 /* Try restoration of UID if changed (test clearing of saved uid) */ 145 /* Try restoration of UID if changed (test clearing of saved uid) */
@@ -220,18 +208,8 @@ permanently_set_uid(struct passwd *pw)
220 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, 208 debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
221 (u_int)pw->pw_gid); 209 (u_int)pw->pw_gid);
222 210
223#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
224 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) 211 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
225 fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); 212 fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
226#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
227 if (setregid(pw->pw_gid, pw->pw_gid) < 0)
228 fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
229#else
230 if (setegid(pw->pw_gid) < 0)
231 fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
232 if (setgid(pw->pw_gid) < 0)
233 fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
234#endif
235 213
236#ifdef __APPLE__ 214#ifdef __APPLE__
237 /* 215 /*
@@ -243,20 +221,8 @@ permanently_set_uid(struct passwd *pw)
243 pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); 221 pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
244#endif 222#endif
245 223
246#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
247 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) 224 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
248 fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); 225 fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
249#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
250 if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
251 fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
252#else
253# ifndef SETEUID_BREAKS_SETUID
254 if (seteuid(pw->pw_uid) < 0)
255 fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
256# endif
257 if (setuid(pw->pw_uid) < 0)
258 fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
259#endif
260 226
261#ifndef HAVE_CYGWIN 227#ifndef HAVE_CYGWIN
262 /* Try restoration of GID if changed (test clearing of saved gid) */ 228 /* Try restoration of GID if changed (test clearing of saved gid) */
diff --git a/umac.c b/umac.c
index e78d2cc5f..0567c37f9 100644
--- a/umac.c
+++ b/umac.c
@@ -52,7 +52,15 @@
52/* --- User Switches ---------------------------------------------------- */ 52/* --- User Switches ---------------------------------------------------- */
53/* ---------------------------------------------------------------------- */ 53/* ---------------------------------------------------------------------- */
54 54
55#ifndef UMAC_OUTPUT_LEN
55#define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */ 56#define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */
57#endif
58
59#if UMAC_OUTPUT_LEN != 4 && UMAC_OUTPUT_LEN != 8 && \
60 UMAC_OUTPUT_LEN != 12 && UMAC_OUTPUT_LEN != 16
61# error UMAC_OUTPUT_LEN must be defined to 4, 8, 12 or 16
62#endif
63
56/* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */ 64/* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */
57/* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */ 65/* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */
58/* #define SSE2 0 Is SSE2 is available? */ 66/* #define SSE2 0 Is SSE2 is available? */
diff --git a/umac.h b/umac.h
index 055c705f8..6795112a3 100644
--- a/umac.h
+++ b/umac.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */ 1/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */
2/* ----------------------------------------------------------------------- 2/* -----------------------------------------------------------------------
3 * 3 *
4 * umac.h -- C Implementation UMAC Message Authentication 4 * umac.h -- C Implementation UMAC Message Authentication
@@ -116,6 +116,12 @@ int uhash(uhash_ctx_t ctx,
116 116
117#endif 117#endif
118 118
119/* matching umac-128 API, we reuse umac_ctx, since it's opaque */
120struct umac_ctx *umac128_new(u_char key[]);
121int umac128_update(struct umac_ctx *ctx, u_char *input, long len);
122int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]);
123int umac128_delete(struct umac_ctx *ctx);
124
119#ifdef __cplusplus 125#ifdef __cplusplus
120 } 126 }
121#endif 127#endif
diff --git a/version.h b/version.h
index 76adaaff2..784f707a6 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
1/* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */ 1/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */
2 2
3#define SSH_VERSION "OpenSSH_6.1" 3#define SSH_VERSION "OpenSSH_6.2"
4 4
5#define SSH_PORTABLE "p1" 5#define SSH_PORTABLE "p1"
6#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 6#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 22:55:05 +0000