summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog631
-rw-r--r--Makefile.in20
-rw-r--r--README4
-rw-r--r--aclocal.m413
-rw-r--r--addrmatch.c6
-rw-r--r--auth-chall.c22
-rw-r--r--auth-krb5.c27
-rw-r--r--auth-options.c66
-rw-r--r--auth-pam.c44
-rw-r--r--auth-rsa.c23
-rw-r--r--auth.c52
-rw-r--r--auth.h16
-rw-r--r--auth1.c47
-rw-r--r--auth2-chall.c37
-rw-r--r--auth2-gss.c22
-rw-r--r--auth2-hostbased.c18
-rw-r--r--auth2-jpake.c24
-rw-r--r--auth2-kbdint.c6
-rw-r--r--auth2-passwd.c6
-rw-r--r--auth2-pubkey.c86
-rw-r--r--auth2.c93
-rw-r--r--authfd.c10
-rw-r--r--authfile.c23
-rw-r--r--bufaux.c12
-rw-r--r--bufbn.c18
-rw-r--r--bufec.c6
-rw-r--r--buffer.c4
-rw-r--r--buffer.h4
-rw-r--r--canohost.c10
-rw-r--r--channels.c137
-rw-r--r--channels.h9
-rw-r--r--cipher-3des1.c6
-rw-r--r--cipher-aes.c2
-rw-r--r--cipher-ctr.c2
-rw-r--r--cipher.c63
-rw-r--r--cipher.h13
-rw-r--r--clientloop.c91
-rw-r--r--clientloop.h3
-rw-r--r--compat.c6
-rwxr-xr-xconfig.guess262
-rw-r--r--config.h.in71
-rwxr-xr-xconfig.sub190
-rwxr-xr-xconfigure647
-rw-r--r--configure.ac147
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/cygwin/README212
-rw-r--r--contrib/cygwin/ssh-host-config4
-rw-r--r--contrib/cygwin/ssh-user-config6
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--debian/changelog15
-rw-r--r--debian/patches/auth-log-verbosity.patch19
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch4
-rw-r--r--debian/patches/consolekit.patch41
-rw-r--r--debian/patches/debian-banner.patch20
-rw-r--r--debian/patches/debian-config.patch12
-rw-r--r--debian/patches/doc-hash-tab-completion.patch4
-rw-r--r--debian/patches/doc-upstart.patch4
-rw-r--r--debian/patches/gssapi.patch268
-rw-r--r--debian/patches/keepalive-extensions.patch24
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch4
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch6
-rw-r--r--debian/patches/openbsd-docs.patch20
-rw-r--r--debian/patches/package-versioning.patch8
-rw-r--r--debian/patches/quieter-signals.patch4
-rw-r--r--debian/patches/selinux-role.patch50
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/shell-path.patch4
-rw-r--r--debian/patches/sigstop.patch4
-rw-r--r--debian/patches/ssh-argv0.patch4
-rw-r--r--debian/patches/ssh-copy-id-portable.patch20
-rw-r--r--debian/patches/ssh-vulnkey.patch114
-rw-r--r--debian/patches/ssh1-keepalive.patch16
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/user-group-modes.patch26
-rw-r--r--defines.h24
-rw-r--r--dh.c74
-rw-r--r--dns.c10
-rwxr-xr-xfixalgorithms26
-rw-r--r--groupaccess.c9
-rw-r--r--gss-genr.c22
-rw-r--r--gss-serv-krb5.c44
-rw-r--r--gss-serv.c5
-rw-r--r--hostfile.c31
-rw-r--r--hostfile.h4
-rw-r--r--includes.h2
-rw-r--r--jpake.c8
-rw-r--r--kex.c130
-rw-r--r--kex.h17
-rw-r--r--kexdhc.c8
-rw-r--r--kexdhs.c16
-rw-r--r--kexecdh.c20
-rw-r--r--kexecdhc.c13
-rw-r--r--kexecdhs.c21
-rw-r--r--kexgexc.c8
-rw-r--r--kexgexs.c17
-rw-r--r--kexgssc.c9
-rw-r--r--kexgsss.c11
-rw-r--r--key.c291
-rw-r--r--key.h9
-rw-r--r--krl.c36
-rw-r--r--log.c20
-rw-r--r--log.h3
-rw-r--r--loginrec.c2
-rw-r--r--mac.c83
-rw-r--r--mac.h3
-rw-r--r--match.c15
-rw-r--r--misc.c59
-rw-r--r--misc.h3
-rw-r--r--moduli.02
-rw-r--r--moduli.c10
-rw-r--r--monitor.c233
-rw-r--r--monitor_mm.c13
-rw-r--r--monitor_wrap.c40
-rw-r--r--mux.c152
-rw-r--r--myproposal.h28
-rw-r--r--openbsd-compat/Makefile.in4
-rw-r--r--openbsd-compat/bsd-cygwin_util.c2
-rw-r--r--openbsd-compat/bsd-cygwin_util.h2
-rw-r--r--openbsd-compat/bsd-misc.h14
-rw-r--r--openbsd-compat/getopt.c123
-rw-r--r--openbsd-compat/getopt.h74
-rw-r--r--openbsd-compat/getopt_long.c532
-rw-r--r--openbsd-compat/getrrsetbyname-ldns.c1
-rw-r--r--openbsd-compat/openbsd-compat.h12
-rw-r--r--openbsd-compat/port-aix.c10
-rw-r--r--openbsd-compat/port-linux.c12
-rw-r--r--openbsd-compat/xcrypt.c7
-rw-r--r--packet.c74
-rw-r--r--packet.h7
-rw-r--r--pathnames.h22
-rw-r--r--progressmeter.c6
-rw-r--r--readconf.c128
-rw-r--r--readconf.h5
-rw-r--r--readpass.c4
-rw-r--r--regress/Makefile13
-rw-r--r--regress/agent-getpeereid.sh3
-rw-r--r--regress/agent-timeout.sh2
-rw-r--r--regress/agent.sh4
-rw-r--r--regress/bsd.regress.mk79
-rw-r--r--regress/cert-hostkey.sh48
-rw-r--r--regress/cert-userkey.sh10
-rw-r--r--regress/cfgmatch.sh17
-rw-r--r--regress/cipher-speed.sh2
-rw-r--r--regress/conch-ciphers.sh5
-rw-r--r--regress/dynamic-forward.sh4
-rw-r--r--regress/forcecommand.sh10
-rw-r--r--regress/forwarding.sh28
-rw-r--r--regress/integrity.sh22
-rw-r--r--regress/keytype.sh4
-rw-r--r--regress/krl.sh4
-rw-r--r--regress/localcommand.sh2
-rw-r--r--regress/login-timeout.sh2
-rwxr-xr-xregress/modpipe.c4
-rw-r--r--regress/multiplex.sh55
-rw-r--r--regress/portnum.sh2
-rw-r--r--regress/proto-version.sh4
-rw-r--r--regress/proxy-connect.sh10
-rw-r--r--regress/putty-ciphers.sh5
-rw-r--r--regress/putty-kex.sh5
-rw-r--r--regress/putty-transfer.sh5
-rw-r--r--regress/reexec.sh8
-rw-r--r--regress/rekey.sh103
-rwxr-xr-xregress/runtests.sh13
-rw-r--r--regress/scp.sh4
-rw-r--r--regress/sftp-badcmds.sh4
-rw-r--r--regress/sftp-batch.sh4
-rw-r--r--regress/sftp-chroot.sh25
-rw-r--r--regress/sftp-cmds.sh12
-rw-r--r--regress/sftp.sh5
-rw-r--r--regress/ssh-com-client.sh6
-rw-r--r--regress/ssh-com-sftp.sh4
-rw-r--r--regress/ssh-com.sh4
-rw-r--r--regress/sshd-log-wrapper.sh4
-rw-r--r--regress/stderr-after-eof.sh20
-rw-r--r--regress/stderr-data.sh6
-rw-r--r--regress/test-exec.sh143
-rw-r--r--regress/transfer.sh5
-rw-r--r--regress/try-ciphers.sh2
-rw-r--r--roaming_client.c9
-rw-r--r--roaming_common.c4
-rw-r--r--rsa.c10
-rw-r--r--sandbox-seccomp-filter.c1
-rw-r--r--sandbox-systrace.c3
-rw-r--r--schnorr.c18
-rw-r--r--scp.02
-rw-r--r--scp.18
-rw-r--r--scp.c91
-rw-r--r--servconf.c77
-rw-r--r--servconf.h6
-rw-r--r--serverloop.c49
-rw-r--r--session.c114
-rw-r--r--sftp-client.c135
-rw-r--r--sftp-client.h6
-rw-r--r--sftp-common.c6
-rw-r--r--sftp-glob.c6
-rw-r--r--sftp-server.04
-rw-r--r--sftp-server.810
-rw-r--r--sftp-server.c58
-rw-r--r--sftp.022
-rw-r--r--sftp.128
-rw-r--r--sftp.c217
-rw-r--r--ssh-add.02
-rw-r--r--ssh-add.c24
-rw-r--r--ssh-agent.02
-rw-r--r--ssh-agent.c95
-rw-r--r--ssh-dss.c10
-rw-r--r--ssh-ecdsa.c10
-rw-r--r--ssh-keygen.02
-rw-r--r--ssh-keygen.17
-rw-r--r--ssh-keygen.c116
-rw-r--r--ssh-keyscan.02
-rw-r--r--ssh-keyscan.18
-rw-r--r--ssh-keyscan.c16
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-keysign.86
-rw-r--r--ssh-keysign.c20
-rw-r--r--ssh-pkcs11-client.c10
-rw-r--r--ssh-pkcs11-helper.02
-rw-r--r--ssh-pkcs11-helper.86
-rw-r--r--ssh-pkcs11-helper.c24
-rw-r--r--ssh-pkcs11.c37
-rw-r--r--ssh-rsa.c23
-rw-r--r--ssh-vulnkey.c9
-rw-r--r--ssh.023
-rw-r--r--ssh.136
-rw-r--r--ssh.c101
-rw-r--r--ssh_config3
-rw-r--r--ssh_config.037
-rw-r--r--ssh_config.546
-rw-r--r--sshconnect.c41
-rw-r--r--sshconnect1.c18
-rw-r--r--sshconnect2.c175
-rw-r--r--sshd.013
-rw-r--r--sshd.817
-rw-r--r--sshd.c129
-rw-r--r--sshd_config5
-rw-r--r--sshd_config.043
-rw-r--r--sshd_config.597
-rw-r--r--sshlogin.c2
-rw-r--r--sshlogin.h2
-rw-r--r--uidswap.c6
-rw-r--r--umac.c76
-rw-r--r--umac.h14
-rw-r--r--uuencode.c7
-rw-r--r--version.h6
-rw-r--r--xmalloc.c10
-rw-r--r--xmalloc.h3
248 files changed, 5857 insertions, 3588 deletions
diff --git a/ChangeLog b/ChangeLog
index f5e2df0d0..1a0d2545e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,17 +1,628 @@
120130913
2 - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code;
3 ok dtucker@
4 - (djm) [channels.c] sigh, typo s/buffet_/buffer_/
5 - (djm) Release 6.3p1
6
720130808
8 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt
9 since some platforms (eg really old FreeBSD) don't have it. Instead,
10 run "make clean" before a complete regress run. ok djm.
11 - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(
12 CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
13 CLOCK_MONOTONIC define but don't actually support it. Found and tested
14 by Kevin Brott, ok djm.
15 - (dtucker) [misc.c] Remove define added for fallback testing that was
16 mistakenly included in the previous commit.
17 - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt
18 removal. The "make clean" removes modpipe which is built by the top-level
19 directory before running the tests. Spotted by tim@
20
2120130804
22 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support
23 for building with older Heimdal versions. ok djm.
24
2520130801
26 - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-
27 blocking connecting socket will clear any stored errno that might
28 otherwise have been retrievable via getsockopt(). A hack to limit writes
29 to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
30 it in an #ifdef. Diagnosis and patch from Ivo Raisr.
31 - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134
32
3320130725
34 - (djm) OpenBSD CVS Sync
35 - djm@cvs.openbsd.org 2013/07/20 22:20:42
36 [krl.c]
37 fix verification error in (as-yet usused) KRL signature checking path
38 - djm@cvs.openbsd.org 2013/07/22 05:00:17
39 [umac.c]
40 make MAC key, data to be hashed and nonce for final hash const;
41 checked with -Wcast-qual
42 - djm@cvs.openbsd.org 2013/07/22 12:20:02
43 [umac.h]
44 oops, forgot to commit corresponding header change;
45 spotted by jsg and jasper
46 - djm@cvs.openbsd.org 2013/07/25 00:29:10
47 [ssh.c]
48 daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
49 it is fully detached from its controlling terminal. based on debugging
50 - djm@cvs.openbsd.org 2013/07/25 00:56:52
51 [sftp-client.c sftp-client.h sftp.1 sftp.c]
52 sftp support for resuming partial downloads; patch mostly by Loganaden
53 Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
54 "Just be careful" deraadt@
55 - djm@cvs.openbsd.org 2013/07/25 00:57:37
56 [version.h]
57 openssh-6.3 for release
58 - dtucker@cvs.openbsd.org 2013/05/30 20:12:32
59 [regress/test-exec.sh]
60 use ssh and sshd as testdata since it needs to be >256k for the rekey test
61 - dtucker@cvs.openbsd.org 2013/06/10 21:56:43
62 [regress/forwarding.sh]
63 Add test for forward config parsing
64 - djm@cvs.openbsd.org 2013/06/21 02:26:26
65 [regress/sftp-cmds.sh regress/test-exec.sh]
66 unbreak sftp-cmds for renamed test data (s/ls/data/)
67 - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on
68 Solaris and UnixWare. Feedback and OK djm@
69 - (tim) [regress/forwarding.sh] Fix for building outside source tree.
70
7120130720
72 - (djm) OpenBSD CVS Sync
73 - markus@cvs.openbsd.org 2013/07/19 07:37:48
74 [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
75 [servconf.h session.c sshd.c sshd_config.5]
76 add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
77 or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
78 ok djm@
79 - djm@cvs.openbsd.org 2013/07/20 01:43:46
80 [umac.c]
81 use a union to ensure correct alignment; ok deraadt
82 - djm@cvs.openbsd.org 2013/07/20 01:44:37
83 [ssh-keygen.c ssh.c]
84 More useful error message on missing current user in /etc/passwd
85 - djm@cvs.openbsd.org 2013/07/20 01:50:20
86 [ssh-agent.c]
87 call cleanup_handler on SIGINT when in debug mode to ensure sockets
88 are cleaned up on manual exit; bz#2120
89 - djm@cvs.openbsd.org 2013/07/20 01:55:13
90 [auth-krb5.c gss-serv-krb5.c gss-serv.c]
91 fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
92
9320130718
94 - (djm) OpenBSD CVS Sync
95 - dtucker@cvs.openbsd.org 2013/06/10 19:19:44
96 [readconf.c]
97 revert 1.203 while we investigate crashes reported by okan@
98 - guenther@cvs.openbsd.org 2013/06/17 04:48:42
99 [scp.c]
100 Handle time_t values as long long's when formatting them and when
101 parsing them from remote servers.
102 Improve error checking in parsing of 'T' lines.
103 ok dtucker@ deraadt@
104 - markus@cvs.openbsd.org 2013/06/20 19:15:06
105 [krl.c]
106 don't leak the rdata blob on errors; ok djm@
107 - djm@cvs.openbsd.org 2013/06/21 00:34:49
108 [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
109 for hostbased authentication, print the client host and user on
110 the auth success/failure line; bz#2064, ok dtucker@
111 - djm@cvs.openbsd.org 2013/06/21 00:37:49
112 [ssh_config.5]
113 explicitly mention that IdentitiesOnly can be used with IdentityFile
114 to control which keys are offered from an agent.
115 - djm@cvs.openbsd.org 2013/06/21 05:42:32
116 [dh.c]
117 sprinkle in some error() to explain moduli(5) parse failures
118 - djm@cvs.openbsd.org 2013/06/21 05:43:10
119 [scp.c]
120 make this -Wsign-compare clean after time_t conversion
121 - djm@cvs.openbsd.org 2013/06/22 06:31:57
122 [scp.c]
123 improved time_t overflow check suggested by guenther@
124 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
125 [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
126 do not use Sx for sections outwith the man page - ingo informs me that
127 stuff like html will render with broken links;
128 issue reported by Eric S. Raymond, via djm
129 - markus@cvs.openbsd.org 2013/07/02 12:31:43
130 [dh.c]
131 remove extra whitespace
132 - djm@cvs.openbsd.org 2013/07/12 00:19:59
133 [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
134 [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
135 fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
136 - djm@cvs.openbsd.org 2013/07/12 00:20:00
137 [sftp.c ssh-keygen.c ssh-pkcs11.c]
138 fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
139 - djm@cvs.openbsd.org 2013/07/12 00:43:50
140 [misc.c]
141 in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
142 errno == 0. Avoids confusing error message in some broken resolver
143 cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
144 - djm@cvs.openbsd.org 2013/07/12 05:42:03
145 [ssh-keygen.c]
146 do_print_resource_record() can never be called with a NULL filename, so
147 don't attempt (and bungle) asking for one if it has not been specified
148 bz#2127 ok dtucker@
149 - djm@cvs.openbsd.org 2013/07/12 05:48:55
150 [ssh.c]
151 set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
152 - schwarze@cvs.openbsd.org 2013/07/16 00:07:52
153 [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8]
154 use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
155 - djm@cvs.openbsd.org 2013/07/18 01:12:26
156 [ssh.1]
157 be more exact wrt perms for ~/.ssh/config; bz#2078
158
15920130702
160 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
161 contrib/cygwin/ssh-user-config] Modernizes and improve readability of
162 the Cygwin README file (which hasn't been updated for ages), drop
163 unsupported OSes from the ssh-host-config help text, and drop an
164 unneeded option from ssh-user-config. Patch from vinschen at redhat com.
165
16620130610
167 - (djm) OpenBSD CVS Sync
168 - dtucker@cvs.openbsd.org 2013/06/07 15:37:52
169 [channels.c channels.h clientloop.c]
170 Add an "ABANDONED" channel state and use for mux sessions that are
171 disconnected via the ~. escape sequence. Channels in this state will
172 be able to close if the server responds, but do not count as active channels.
173 This means that if you ~. all of the mux clients when using ControlPersist
174 on a broken network, the backgrounded mux master will exit when the
175 Control Persist time expires rather than hanging around indefinitely.
176 bz#1917, also reported and tested by tedu@. ok djm@ markus@.
177 - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported
178 algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages.
179 - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
180 the required OpenSSL support. Patch from naddy at freebsd.
181 - (dtucker) [myproposal.h] Make the conditional algorithm support consistent
182 and add some comments so it's clear what goes where.
183
18420130605
185 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of
186 the necessary functions, not from the openssl version.
187 - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test.
188 Patch from cjwatson at debian.
189 - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the
190 forwarding test is extremely slow copying data on some machines so switch
191 back to copying the much smaller ls binary until we can figure out why
192 this is.
193 - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building
194 modpipe in case there's anything in there we need.
195 - (dtucker) OpenBSD CVS Sync
196 - dtucker@cvs.openbsd.org 2013/06/02 21:01:51
197 [channels.h]
198 typo in comment
199 - dtucker@cvs.openbsd.org 2013/06/02 23:36:29
200 [clientloop.h clientloop.c mux.c]
201 No need for the mux cleanup callback to be visible so restore it to static
202 and call it through the detach_user function pointer. ok djm@
203 - dtucker@cvs.openbsd.org 2013/06/03 00:03:18
204 [mac.c]
205 force the MAC output to be 64-bit aligned so umac won't see unaligned
206 accesses on strict-alignment architectures. bz#2101, patch from
207 tomas.kuthan at oracle.com, ok djm@
208 - dtucker@cvs.openbsd.org 2013/06/04 19:12:23
209 [scp.c]
210 use MAXPATHLEN for buffer size instead of fixed value. ok markus
211 - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
212 [sftp.c]
213 Make sftp's libedit interface marginally multibyte aware by building up
214 the quoted string by character instead of by byte. Prevents failures
215 when linked against a libedit built with wide character support (bz#1990).
216 "looks ok" djm
217 - dtucker@cvs.openbsd.org 2013/06/05 02:07:29
218 [mux.c]
219 fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967,
220 ok djm
221 - dtucker@cvs.openbsd.org 2013/06/05 02:27:50
222 [sshd.c]
223 When running sshd -D, close stderr unless we have explicitly requesting
224 logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch
225 so, err, ok dtucker.
226 - dtucker@cvs.openbsd.org 2013/06/05 12:52:38
227 [sshconnect2.c]
228 Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm
229 - dtucker@cvs.openbsd.org 2013/06/05 22:00:28
230 [readconf.c]
231 plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm
232 - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for
233 platforms that don't have multibyte character support (specifically,
234 mblen).
235
23620130602
237 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy
238 linking regress/modpipe.
239 - (dtucker) OpenBSD CVS Sync
240 - dtucker@cvs.openbsd.org 2013/06/02 13:33:05
241 [progressmeter.c]
242 Add misc.h for monotime prototype. (ID sync only).
243 - dtucker@cvs.openbsd.org 2013/06/02 13:35:58
244 [ssh-agent.c]
245 Make parent_alive_interval time_t to avoid signed/unsigned comparison
246 - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms
247 to prevent noise from configure. Patch from Nathan Osman. (bz#2114).
248 - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android.
249 Patch from Nathan Osman.
250 - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we
251 need a shell that can handle "[ file1 -nt file2 ]". Rather than keep
252 dealing with shell portability issues in regression tests, we let
253 configure find us a capable shell on those platforms with an old /bin/sh.
254 - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr.
255 feedback and ok dtucker
256 - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker
257 - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h.
258 - (dtucker) [configure.ac] Some other platforms need sys/types.h before
259 sys/socket.h.
260
26120130601
262 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to
263 using openssl's DES_crypt function on platorms that don't have a native
264 one, eg Android. Based on a patch from Nathan Osman.
265 - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS
266 rather than trying to enumerate the plaforms that don't have them.
267 Based on a patch from Nathan Osman, with help from tim@.
268 - (dtucker) OpenBSD CVS Sync
269 - djm@cvs.openbsd.org 2013/05/17 00:13:13
270 [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
271 ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
272 gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
273 auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
274 servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
275 auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
276 sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
277 kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
278 kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
279 monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
280 ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
281 sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
282 ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
283 dns.c packet.c readpass.c authfd.c moduli.c]
284 bye, bye xfree(); ok markus@
285 - djm@cvs.openbsd.org 2013/05/19 02:38:28
286 [auth2-pubkey.c]
287 fix failure to recognise cert-authority keys if a key of a different type
288 appeared in authorized_keys before it; ok markus@
289 - djm@cvs.openbsd.org 2013/05/19 02:42:42
290 [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
291 Standardise logging of supplemental information during userauth. Keys
292 and ruser is now logged in the auth success/failure message alongside
293 the local username, remote host/port and protocol in use. Certificates
294 contents and CA are logged too.
295 Pushing all logging onto a single line simplifies log analysis as it is
296 no longer necessary to relate information scattered across multiple log
297 entries. "I like it" markus@
298 - dtucker@cvs.openbsd.org 2013/05/31 12:28:10
299 [ssh-agent.c]
300 Use time_t where appropriate. ok djm
301 - dtucker@cvs.openbsd.org 2013/06/01 13:15:52
302 [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
303 channels.c sandbox-systrace.c]
304 Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
305 keepalives and rekeying will work properly over clock steps. Suggested by
306 markus@, "looks good" djm@.
307 - dtucker@cvs.openbsd.org 2013/06/01 20:59:25
308 [scp.c sftp-client.c]
309 Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
310 from Nathan Osman via bz#2085. ok deraadt.
311 - dtucker@cvs.openbsd.org 2013/06/01 22:34:50
312 [sftp-client.c]
313 Update progressmeter when data is acked, not when it's sent. bz#2108, from
314 Debian via Colin Watson, ok djm@
315 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
316 groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
317 sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
318 openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
319 openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
320 with the equivalent calls to free.
321 - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall
322 back to time(NULL) if we can't find it anywhere.
323 - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.
324
32520130529
326 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
327 implementation of endgrent for platforms that don't have it (eg Android).
328 Loosely based on a patch from Nathan Osman, ok djm
329
330 20130517
331 - (dtucker) OpenBSD CVS Sync
332 - djm@cvs.openbsd.org 2013/03/07 00:20:34
333 [regress/proxy-connect.sh]
334 repeat test with a style appended to the username
335 - dtucker@cvs.openbsd.org 2013/03/23 11:09:43
336 [regress/test-exec.sh]
337 Only regenerate host keys if they don't exist or if ssh-keygen has changed
338 since they were. Reduces test runtime by 5-30% depending on machine
339 speed.
340 - dtucker@cvs.openbsd.org 2013/04/06 06:00:22
341 [regress/rekey.sh regress/test-exec.sh regress/integrity.sh
342 regress/multiplex.sh Makefile regress/cfgmatch.sh]
343 Split the regress log into 3 parts: the debug output from ssh, the debug
344 log from sshd and the output from the client command (ssh, scp or sftp).
345 Somewhat functional now, will become more useful when ssh/sshd -E is added.
346 - dtucker@cvs.openbsd.org 2013/04/07 02:16:03
347 [regress/Makefile regress/rekey.sh regress/integrity.sh
348 regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh]
349 use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and
350 save the output from any failing tests. If a test fails the debug output
351 from ssh and sshd for the failing tests (and only the failing tests) should
352 be available in failed-ssh{,d}.log.
353 - djm@cvs.openbsd.org 2013/04/18 02:46:12
354 [regress/Makefile regress/sftp-chroot.sh]
355 test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@
356 - dtucker@cvs.openbsd.org 2013/04/22 07:23:08
357 [regress/multiplex.sh]
358 Write mux master logs to regress.log instead of ssh.log to keep separate
359 - djm@cvs.openbsd.org 2013/05/10 03:46:14
360 [regress/modpipe.c]
361 sync some portability changes from portable OpenSSH (id sync only)
362 - dtucker@cvs.openbsd.org 2013/05/16 02:10:35
363 [regress/rekey.sh]
364 Add test for time-based rekeying
365 - dtucker@cvs.openbsd.org 2013/05/16 03:33:30
366 [regress/rekey.sh]
367 test rekeying when there's no data being transferred
368 - dtucker@cvs.openbsd.org 2013/05/16 04:26:10
369 [regress/rekey.sh]
370 add server-side rekey test
371 - dtucker@cvs.openbsd.org 2013/05/16 05:48:31
372 [regress/rekey.sh]
373 add tests for RekeyLimit parsing
374 - dtucker@cvs.openbsd.org 2013/05/17 00:37:40
375 [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh
376 regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh
377 regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh
378 regress/ssh-com.sh]
379 replace 'echo -n' with 'printf' since it's more portable
380 also remove "echon" hack.
381 - dtucker@cvs.openbsd.org 2013/05/17 01:16:09
382 [regress/agent-timeout.sh]
383 Pull back some portability changes from -portable:
384 - TIMEOUT is a read-only variable in some shells
385 - not all greps have -q so redirect to /dev/null instead.
386 (ID sync only)
387 - dtucker@cvs.openbsd.org 2013/05/17 01:32:11
388 [regress/integrity.sh]
389 don't print output from ssh before getting it (it's available in ssh.log)
390 - dtucker@cvs.openbsd.org 2013/05/17 04:29:14
391 [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh
392 regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh
393 regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh
394 regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh
395 regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh
396 regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh
397 regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh
398 regress/multiplex.sh]
399 Move the setting of DATA and COPY into test-exec.sh
400 - dtucker@cvs.openbsd.org 2013/05/17 10:16:26
401 [regress/try-ciphers.sh]
402 use expr for math to keep diffs vs portable down
403 (id sync only)
404 - dtucker@cvs.openbsd.org 2013/05/17 10:23:52
405 [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh]
406 Use SUDO when cat'ing pid files and running the sshd log wrapper so that
407 it works with a restrictive umask and the pid files are not world readable.
408 Changes from -portable. (id sync only)
409 - dtucker@cvs.openbsd.org 2013/05/17 10:24:48
410 [regress/localcommand.sh]
411 use backticks for portability. (id sync only)
412 - dtucker@cvs.openbsd.org 2013/05/17 10:26:26
413 [regress/sftp-badcmds.sh]
414 remove unused BATCH variable. (id sync only)
415 - dtucker@cvs.openbsd.org 2013/05/17 10:28:11
416 [regress/sftp.sh]
417 only compare copied data if sftp succeeds. from portable (id sync only)
418 - dtucker@cvs.openbsd.org 2013/05/17 10:30:07
419 [regress/test-exec.sh]
420 wait a bit longer for startup and use case for absolute path.
421 from portable (id sync only)
422 - dtucker@cvs.openbsd.org 2013/05/17 10:33:09
423 [regress/agent-getpeereid.sh]
424 don't redirect stdout from sudo. from portable (id sync only)
425 - dtucker@cvs.openbsd.org 2013/05/17 10:34:30
426 [regress/portnum.sh]
427 use a more portable negated if structure. from portable (id sync only)
428 - dtucker@cvs.openbsd.org 2013/05/17 10:35:43
429 [regress/scp.sh]
430 use a file extention that's not special on some platforms. from portable
431 (id sync only)
432 - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it
433 in portable and it's long gone in openbsd.
434 - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
435 methods. When the openssl version doesn't support ECDH then next one on
436 the list is DH group exchange, but that causes a bit more traffic which can
437 mean that the tests flip bits in the initial exchange rather than the MACed
438 traffic and we get different errors to what the tests look for.
439 - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
440 - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
441 - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
442 - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]
443 Move the jot helper function to portable-specific part of test-exec.sh.
444 - (dtucker) [regress/test-exec.sh] Move the portable-specific functions
445 together and add a couple of missing lines from openbsd.
446 - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5
447 helper function to the portable part of test-exec.sh.
448 - (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
449 - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by
450 rev 1.6 which calls wait.
451
120130516 45220130516
2 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be 453 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
3 executed if mktemp failed; bz#2105 ok dtucker@ 454 executed if mktemp failed; bz#2105 ok dtucker@
4 - (djm) Release 6.2p2 455 - (dtucker) OpenBSD CVS Sync
456 - tedu@cvs.openbsd.org 2013/04/23 17:49:45
457 [misc.c]
458 use xasprintf instead of a series of strlcats and strdup. ok djm
459 - tedu@cvs.openbsd.org 2013/04/24 16:01:46
460 [misc.c]
461 remove extra parens noticed by nicm
462 - dtucker@cvs.openbsd.org 2013/05/06 07:35:12
463 [sftp-server.8]
464 Reference the version of the sftp draft we actually implement. ok djm@
465 - djm@cvs.openbsd.org 2013/05/10 03:40:07
466 [sshconnect2.c]
467 fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from
468 Colin Watson
469 - djm@cvs.openbsd.org 2013/05/10 04:08:01
470 [key.c]
471 memleak in cert_free(), wasn't actually freeing the struct;
472 bz#2096 from shm AT digitalsun.pl
473 - dtucker@cvs.openbsd.org 2013/05/10 10:13:50
474 [ssh-pkcs11-helper.c]
475 remove unused extern optarg. ok markus@
476 - dtucker@cvs.openbsd.org 2013/05/16 02:00:34
477 [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
478 ssh_config.5 packet.h]
479 Add an optional second argument to RekeyLimit in the client to allow
480 rekeying based on elapsed time in addition to amount of traffic.
481 with djm@ jmc@, ok djm
482 - dtucker@cvs.openbsd.org 2013/05/16 04:09:14
483 [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
484 sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
485 rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
486 page.
487 - djm@cvs.openbsd.org 2013/05/16 04:27:50
488 [ssh_config.5 readconf.h readconf.c]
489 add the ability to ignore specific unrecognised ssh_config options;
490 bz#866; ok markus@
491 - jmc@cvs.openbsd.org 2013/05/16 06:28:45
492 [ssh_config.5]
493 put IgnoreUnknown in the right place;
494 - jmc@cvs.openbsd.org 2013/05/16 06:30:06
495 [sshd_config.5]
496 oops! avoid Xr to self;
497 - dtucker@cvs.openbsd.org 2013/05/16 09:08:41
498 [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c]
499 Fix some "unused result" warnings found via clang and -portable.
500 ok markus@
501 - dtucker@cvs.openbsd.org 2013/05/16 09:12:31
502 [readconf.c servconf.c]
503 switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@
504 - dtucker@cvs.openbsd.org 2013/05/16 10:43:34
505 [servconf.c readconf.c]
506 remove now-unused variables
507 - dtucker@cvs.openbsd.org 2013/05/16 10:44:06
508 [servconf.c]
509 remove another now-unused variable
510 - (dtucker) [configure.ac readconf.c servconf.c
511 openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled.
5 512
620130510 51320130510
7 - (djm) OpenBSD CVS Cherrypick 514 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler
515 supports it. Mentioned by Colin Watson in bz#2100, ok djm.
516 - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to
517 getopt.c. Preprocessed source is identical other than line numbers.
518 - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No
519 portability changes yet.
520 - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c
521 openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add
522 portability code to getopt_long.c and switch over Makefile and the ugly
523 hack in modpipe.c. Fixes bz#1448.
524 - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c
525 openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb
526 in to use it when we're using our own getopt.
527 - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the
528 underlying libraries support them.
529 - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so
530 we don't get a warning on compilers that *don't* support it. Add
531 -Wno-unknown-warning-option. Move both to the start of the list for
532 maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9.
533
53420130423
535 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support
536 platforms, such as Android, that lack struct passwd.pw_gecos. Report
537 and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@
538 - (djm) OpenBSD CVS Sync
539 - markus@cvs.openbsd.org 2013/03/05 20:16:09
540 [sshconnect2.c]
541 reset pubkey order on partial success; ok djm@
542 - djm@cvs.openbsd.org 2013/03/06 23:35:23
543 [session.c]
544 fatal() when ChrootDirectory specified by running without root privileges;
545 ok markus@
546 - djm@cvs.openbsd.org 2013/03/06 23:36:53
547 [readconf.c]
548 g/c unused variable (-Wunused)
549 - djm@cvs.openbsd.org 2013/03/07 00:19:59
550 [auth2-pubkey.c monitor.c]
551 reconstruct the original username that was sent by the client, which may
552 have included a style (e.g. "root:skey") when checking public key
553 signatures. Fixes public key and hostbased auth when the client specified
554 a style; ok markus@
555 - markus@cvs.openbsd.org 2013/03/07 19:27:25
556 [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5]
557 add submethod support to AuthenticationMethods; ok and freedback djm@
558 - djm@cvs.openbsd.org 2013/03/08 06:32:58
559 [ssh.c]
560 allow "ssh -f none ..." ok markus@
561 - djm@cvs.openbsd.org 2013/04/05 00:14:00
562 [auth2-gss.c krl.c sshconnect2.c]
563 hush some {unused, printf type} warnings
564 - djm@cvs.openbsd.org 2013/04/05 00:31:49
565 [pathnames.h]
566 use the existing _PATH_SSH_USER_RC define to construct the other
567 pathnames; bz#2077, ok dtucker@ (no binary change)
568 - djm@cvs.openbsd.org 2013/04/05 00:58:51
569 [mux.c]
570 cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too
571 (in addition to ones already in OPEN); bz#2079, ok dtucker@
572 - markus@cvs.openbsd.org 2013/04/06 16:07:00
573 [channels.c sshd.c]
574 handle ECONNABORTED for accept(); ok deraadt some time ago...
575 - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
576 [log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
577 Add -E option to ssh and sshd to append debugging logs to a specified file
578 instead of stderr or syslog. ok markus@, man page help jmc@
579 - dtucker@cvs.openbsd.org 2013/04/07 09:40:27
580 [sshd.8]
581 clarify -e text. suggested by & ok jmc@
8 - djm@cvs.openbsd.org 2013/04/11 02:27:50 582 - djm@cvs.openbsd.org 2013/04/11 02:27:50
9 [packet.c] 583 [packet.c]
10 quiet disconnect notifications on the server from error() back to logit() 584 quiet disconnect notifications on the server from error() back to logit()
11 if it is a normal client closure; bz#2057 ok+feedback dtucker@ 585 if it is a normal client closure; bz#2057 ok+feedback dtucker@
12 - (djm) [version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 586 - dtucker@cvs.openbsd.org 2013/04/17 09:04:09
13 [contrib/suse/openssh.spec] Crank version numbers for release. 587 [session.c]
14 - (djm) [README] Update release notes URL 588 revert rev 1.262; it fails because uid is already set here. ok djm@
589 - djm@cvs.openbsd.org 2013/04/18 02:16:07
590 [sftp.c]
591 make "sftp -q" do what it says on the sticker: hush everything but errors;
592 ok dtucker@
593 - djm@cvs.openbsd.org 2013/04/19 01:00:10
594 [sshd_config.5]
595 document the requirment that the AuthorizedKeysCommand be owned by root;
596 ok dtucker@ markus@
597 - djm@cvs.openbsd.org 2013/04/19 01:01:00
598 [ssh-keygen.c]
599 fix some memory leaks; bz#2088 ok dtucker@
600 - djm@cvs.openbsd.org 2013/04/19 01:03:01
601 [session.c]
602 reintroduce 1.262 without the connection-killing bug:
603 fatal() when ChrootDirectory specified by running without root privileges;
604 ok markus@
605 - djm@cvs.openbsd.org 2013/04/19 01:06:50
606 [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
607 [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
608 add the ability to query supported ciphers, MACs, key type and KEX
609 algorithms to ssh. Includes some refactoring of KEX and key type handling
610 to be table-driven; ok markus@
611 - djm@cvs.openbsd.org 2013/04/19 11:10:18
612 [ssh.c]
613 add -Q to usage; reminded by jmc@
614 - djm@cvs.openbsd.org 2013/04/19 12:07:08
615 [kex.c]
616 remove duplicated list entry pointed out by naddy@
617 - dtucker@cvs.openbsd.org 2013/04/22 01:17:18
618 [mux.c]
619 typo in debug output: evitval->exitval
620
62120130418
622 - (djm) [config.guess config.sub] Update to last versions before they switch
623 to GPL3. ok dtucker@
624 - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from
625 unused argument warnings (in particular, -fno-builtin-memset) from clang.
15 626
1620130404 62720130404
17 - (dtucker) OpenBSD CVS Sync 628 - (dtucker) OpenBSD CVS Sync
@@ -40,10 +651,16 @@
40 to avoid conflicting definitions of __int64, adding the required bits. 651 to avoid conflicting definitions of __int64, adding the required bits.
41 Patch from Corinna Vinschen. 652 Patch from Corinna Vinschen.
42 653
65420120323
655 - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit.
656
4320120322 65720120322
44 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil 658 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
45 Hands' greatly revised version. 659 Hands' greatly revised version.
46 - (djm) Release 6.2p1 660 - (djm) Release 6.2p1
661 - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype.
662 - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before
663 defining it again. Prevents warnings if someone, eg, sets it in CFLAGS.
47 664
4820120318 66520120318
49 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] 666 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
diff --git a/Makefile.in b/Makefile.in
index 5b2431d4a..839abbd48 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $ 1# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -125,6 +125,8 @@ PATHSUBS = \
125 -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' 125 -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
126 126
127FIXPATHSCMD = $(SED) $(PATHSUBS) 127FIXPATHSCMD = $(SED) $(PATHSUBS)
128FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
129 @UNSUPPORTED_ALGORITHMS@
128 130
129all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) 131all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
130 132
@@ -191,9 +193,10 @@ $(MANPAGES): $(MANPAGES_IN)
191 manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \ 193 manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
192 fi; \ 194 fi; \
193 if test "$(MANTYPE)" = "man"; then \ 195 if test "$(MANTYPE)" = "man"; then \
194 $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ 196 $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
197 $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
195 else \ 198 else \
196 $(FIXPATHSCMD) $${manpage} > $@; \ 199 $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
197 fi 200 fi
198 201
199$(CONFIGFILES): $(CONFIGFILES_IN) 202$(CONFIGFILES): $(CONFIGFILES_IN)
@@ -394,15 +397,14 @@ uninstall:
394 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 397 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
395 398
396regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c 399regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
397 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ 400 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
398 $(CC) $(CPPFLAGS) -o $@ $? \ 401 [ -f `pwd`/regress/Makefile ] || \
399 $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) 402 ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
403 $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
404 $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
400 405
401tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) 406tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
402 BUILDDIR=`pwd`; \ 407 BUILDDIR=`pwd`; \
403 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
404 [ -f `pwd`/regress/Makefile ] || \
405 ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
406 TEST_SHELL="@TEST_SHELL@"; \ 408 TEST_SHELL="@TEST_SHELL@"; \
407 TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ 409 TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
408 TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ 410 TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
diff --git a/README b/README
index 52bb657d6..ece2dba19 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
1See http://www.openssh.com/txt/release-6.2p2 for the release notes. 1See http://www.openssh.com/txt/release-6.3 for the release notes.
2 2
3- A Japanese translation of this document and of the OpenSSH FAQ is 3- A Japanese translation of this document and of the OpenSSH FAQ is
4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html 4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
63[7] http://www.openssh.com/faq.html 63[7] http://www.openssh.com/faq.html
64 64
65$Id: README,v 1.82.2.1 2013/05/10 06:12:54 djm Exp $ 65$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $
diff --git a/aclocal.m4 b/aclocal.m4
index 9bdea5ec2..1b3bed790 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
1dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $ 1dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $
2dnl 2dnl
3dnl OpenSSH-specific autoconf macros 3dnl OpenSSH-specific autoconf macros
4dnl 4dnl
@@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
14 _define_flag="$2" 14 _define_flag="$2"
15 test "x$_define_flag" = "x" && _define_flag="$1" 15 test "x$_define_flag" = "x" && _define_flag="$1"
16 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], 16 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
17 [ AC_MSG_RESULT([yes]) 17 [
18 CFLAGS="$saved_CFLAGS $_define_flag"], 18if `grep -i "unrecognized option" conftest.err >/dev/null`
19then
20 AC_MSG_RESULT([no])
21 CFLAGS="$saved_CFLAGS"
22else
23 AC_MSG_RESULT([yes])
24 CFLAGS="$saved_CFLAGS $_define_flag"
25fi],
19 [ AC_MSG_RESULT([no]) 26 [ AC_MSG_RESULT([no])
20 CFLAGS="$saved_CFLAGS" ] 27 CFLAGS="$saved_CFLAGS" ]
21 ) 28 )
diff --git a/addrmatch.c b/addrmatch.c
index 388603cae..fb6de92e7 100644
--- a/addrmatch.c
+++ b/addrmatch.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */ 1/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org> 4 * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list)
420 goto foundit; 420 goto foundit;
421 } 421 }
422 } 422 }
423 xfree(o); 423 free(o);
424 424
425 return ret; 425 return ret;
426} 426}
@@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list)
494 continue; 494 continue;
495 } 495 }
496 } 496 }
497 xfree(o); 497 free(o);
498 498
499 return ret; 499 return ret;
500} 500}
diff --git a/auth-chall.c b/auth-chall.c
index 919b1eaa4..0005aa88b 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt)
69 fatal("get_challenge: numprompts < 1"); 69 fatal("get_challenge: numprompts < 1");
70 challenge = xstrdup(prompts[0]); 70 challenge = xstrdup(prompts[0]);
71 for (i = 0; i < numprompts; i++) 71 for (i = 0; i < numprompts; i++)
72 xfree(prompts[i]); 72 free(prompts[i]);
73 xfree(prompts); 73 free(prompts);
74 xfree(name); 74 free(name);
75 xfree(echo_on); 75 free(echo_on);
76 xfree(info); 76 free(info);
77 77
78 return (challenge); 78 return (challenge);
79} 79}
@@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response)
102 authenticated = 1; 102 authenticated = 1;
103 103
104 for (i = 0; i < numprompts; i++) 104 for (i = 0; i < numprompts; i++)
105 xfree(prompts[i]); 105 free(prompts[i]);
106 xfree(prompts); 106 free(prompts);
107 xfree(name); 107 free(name);
108 xfree(echo_on); 108 free(echo_on);
109 xfree(info); 109 free(info);
110 break; 110 break;
111 } 111 }
112 device->free_ctx(authctxt->kbdintctxt); 112 device->free_ctx(authctxt->kbdintctxt);
diff --git a/auth-krb5.c b/auth-krb5.c
index 4c2375462..5613b5772 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
2/* 2/*
3 * Kerberos v5 authentication and ticket-passing routines. 3 * Kerberos v5 authentication and ticket-passing routines.
4 * 4 *
@@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
79 krb5_ccache ccache = NULL; 79 krb5_ccache ccache = NULL;
80 int len; 80 int len;
81 char *client, *platform_client; 81 char *client, *platform_client;
82 const char *errmsg;
82 83
83 /* get platform-specific kerberos client principal name (if it exists) */ 84 /* get platform-specific kerberos client principal name (if it exists) */
84 platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name); 85 platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
@@ -96,7 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
96 goto out; 97 goto out;
97 98
98#ifdef HEIMDAL 99#ifdef HEIMDAL
100# ifdef HAVE_KRB5_CC_NEW_UNIQUE
101 problem = krb5_cc_new_unique(authctxt->krb5_ctx,
102 krb5_mcc_ops.prefix, NULL, &ccache);
103# else
99 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); 104 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
105# endif
100 if (problem) 106 if (problem)
101 goto out; 107 goto out;
102 108
@@ -115,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
115 if (problem) 121 if (problem)
116 goto out; 122 goto out;
117 123
124# ifdef HAVE_KRB5_CC_NEW_UNIQUE
125 problem = krb5_cc_new_unique(authctxt->krb5_ctx,
126 krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
127# else
118 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, 128 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
119 &authctxt->krb5_fwd_ccache); 129 &authctxt->krb5_fwd_ccache);
130# endif
120 if (problem) 131 if (problem)
121 goto out; 132 goto out;
122 133
@@ -186,17 +197,19 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
186 out: 197 out:
187 restore_uid(); 198 restore_uid();
188 199
189 if (platform_client != NULL) 200 free(platform_client);
190 xfree(platform_client);
191 201
192 if (problem) { 202 if (problem) {
193 if (ccache) 203 if (ccache)
194 krb5_cc_destroy(authctxt->krb5_ctx, ccache); 204 krb5_cc_destroy(authctxt->krb5_ctx, ccache);
195 205
196 if (authctxt->krb5_ctx != NULL && problem!=-1) 206 if (authctxt->krb5_ctx != NULL && problem!=-1) {
197 debug("Kerberos password authentication failed: %s", 207 errmsg = krb5_get_error_message(authctxt->krb5_ctx,
198 krb5_get_err_text(authctxt->krb5_ctx, problem)); 208 problem);
199 else 209 debug("Kerberos password authentication failed: %s",
210 errmsg);
211 krb5_free_error_message(authctxt->krb5_ctx, errmsg);
212 } else
200 debug("Kerberos password authentication failed: %d", 213 debug("Kerberos password authentication failed: %d",
201 problem); 214 problem);
202 215
diff --git a/auth-options.c b/auth-options.c
index 78e8f3955..73e330bf5 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -83,15 +83,15 @@ auth_clear_options(void)
83 while (custom_environment) { 83 while (custom_environment) {
84 struct envstring *ce = custom_environment; 84 struct envstring *ce = custom_environment;
85 custom_environment = ce->next; 85 custom_environment = ce->next;
86 xfree(ce->s); 86 free(ce->s);
87 xfree(ce); 87 free(ce);
88 } 88 }
89 if (forced_command) { 89 if (forced_command) {
90 xfree(forced_command); 90 free(forced_command);
91 forced_command = NULL; 91 forced_command = NULL;
92 } 92 }
93 if (authorized_principals) { 93 if (authorized_principals) {
94 xfree(authorized_principals); 94 free(authorized_principals);
95 authorized_principals = NULL; 95 authorized_principals = NULL;
96 } 96 }
97 forced_tun_device = -1; 97 forced_tun_device = -1;
@@ -160,7 +160,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
160 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 160 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
161 opts += strlen(cp); 161 opts += strlen(cp);
162 if (forced_command != NULL) 162 if (forced_command != NULL)
163 xfree(forced_command); 163 free(forced_command);
164 forced_command = xmalloc(strlen(opts) + 1); 164 forced_command = xmalloc(strlen(opts) + 1);
165 i = 0; 165 i = 0;
166 while (*opts) { 166 while (*opts) {
@@ -178,7 +178,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
178 file, linenum); 178 file, linenum);
179 auth_debug_add("%.100s, line %lu: missing end quote", 179 auth_debug_add("%.100s, line %lu: missing end quote",
180 file, linenum); 180 file, linenum);
181 xfree(forced_command); 181 free(forced_command);
182 forced_command = NULL; 182 forced_command = NULL;
183 goto bad_option; 183 goto bad_option;
184 } 184 }
@@ -191,7 +191,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
191 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 191 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
192 opts += strlen(cp); 192 opts += strlen(cp);
193 if (authorized_principals != NULL) 193 if (authorized_principals != NULL)
194 xfree(authorized_principals); 194 free(authorized_principals);
195 authorized_principals = xmalloc(strlen(opts) + 1); 195 authorized_principals = xmalloc(strlen(opts) + 1);
196 i = 0; 196 i = 0;
197 while (*opts) { 197 while (*opts) {
@@ -209,7 +209,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
209 file, linenum); 209 file, linenum);
210 auth_debug_add("%.100s, line %lu: missing end quote", 210 auth_debug_add("%.100s, line %lu: missing end quote",
211 file, linenum); 211 file, linenum);
212 xfree(authorized_principals); 212 free(authorized_principals);
213 authorized_principals = NULL; 213 authorized_principals = NULL;
214 goto bad_option; 214 goto bad_option;
215 } 215 }
@@ -243,7 +243,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
243 file, linenum); 243 file, linenum);
244 auth_debug_add("%.100s, line %lu: missing end quote", 244 auth_debug_add("%.100s, line %lu: missing end quote",
245 file, linenum); 245 file, linenum);
246 xfree(s); 246 free(s);
247 goto bad_option; 247 goto bad_option;
248 } 248 }
249 s[i] = '\0'; 249 s[i] = '\0';
@@ -280,7 +280,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
280 file, linenum); 280 file, linenum);
281 auth_debug_add("%.100s, line %lu: missing end quote", 281 auth_debug_add("%.100s, line %lu: missing end quote",
282 file, linenum); 282 file, linenum);
283 xfree(patterns); 283 free(patterns);
284 goto bad_option; 284 goto bad_option;
285 } 285 }
286 patterns[i] = '\0'; 286 patterns[i] = '\0';
@@ -288,7 +288,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
288 switch (match_host_and_ip(remote_host, remote_ip, 288 switch (match_host_and_ip(remote_host, remote_ip,
289 patterns)) { 289 patterns)) {
290 case 1: 290 case 1:
291 xfree(patterns); 291 free(patterns);
292 /* Host name matches. */ 292 /* Host name matches. */
293 goto next_option; 293 goto next_option;
294 case -1: 294 case -1:
@@ -298,7 +298,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
298 "invalid criteria", file, linenum); 298 "invalid criteria", file, linenum);
299 /* FALLTHROUGH */ 299 /* FALLTHROUGH */
300 case 0: 300 case 0:
301 xfree(patterns); 301 free(patterns);
302 if (!logged_from_hostip) { 302 if (!logged_from_hostip) {
303 logit("Authentication tried for %.100s with " 303 logit("Authentication tried for %.100s with "
304 "correct key but not from a permitted " 304 "correct key but not from a permitted "
@@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
337 file, linenum); 337 file, linenum);
338 auth_debug_add("%.100s, line %lu: missing " 338 auth_debug_add("%.100s, line %lu: missing "
339 "end quote", file, linenum); 339 "end quote", file, linenum);
340 xfree(patterns); 340 free(patterns);
341 goto bad_option; 341 goto bad_option;
342 } 342 }
343 patterns[i] = '\0'; 343 patterns[i] = '\0';
@@ -351,7 +351,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
351 auth_debug_add("%.100s, line %lu: " 351 auth_debug_add("%.100s, line %lu: "
352 "Bad permitopen specification", file, 352 "Bad permitopen specification", file,
353 linenum); 353 linenum);
354 xfree(patterns); 354 free(patterns);
355 goto bad_option; 355 goto bad_option;
356 } 356 }
357 host = cleanhostname(host); 357 host = cleanhostname(host);
@@ -360,12 +360,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
360 "<%.100s>", file, linenum, p ? p : ""); 360 "<%.100s>", file, linenum, p ? p : "");
361 auth_debug_add("%.100s, line %lu: " 361 auth_debug_add("%.100s, line %lu: "
362 "Bad permitopen port", file, linenum); 362 "Bad permitopen port", file, linenum);
363 xfree(patterns); 363 free(patterns);
364 goto bad_option; 364 goto bad_option;
365 } 365 }
366 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) 366 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
367 channel_add_permitted_opens(host, port); 367 channel_add_permitted_opens(host, port);
368 xfree(patterns); 368 free(patterns);
369 goto next_option; 369 goto next_option;
370 } 370 }
371 cp = "tunnel=\""; 371 cp = "tunnel=\"";
@@ -384,13 +384,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
384 file, linenum); 384 file, linenum);
385 auth_debug_add("%.100s, line %lu: missing end quote", 385 auth_debug_add("%.100s, line %lu: missing end quote",
386 file, linenum); 386 file, linenum);
387 xfree(tun); 387 free(tun);
388 forced_tun_device = -1; 388 forced_tun_device = -1;
389 goto bad_option; 389 goto bad_option;
390 } 390 }
391 tun[i] = '\0'; 391 tun[i] = '\0';
392 forced_tun_device = a2tun(tun, NULL); 392 forced_tun_device = a2tun(tun, NULL);
393 xfree(tun); 393 free(tun);
394 if (forced_tun_device == SSH_TUNID_ERR) { 394 if (forced_tun_device == SSH_TUNID_ERR) {
395 debug("%.100s, line %lu: invalid tun device", 395 debug("%.100s, line %lu: invalid tun device",
396 file, linenum); 396 file, linenum);
@@ -446,7 +446,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
446{ 446{
447 char *command, *allowed; 447 char *command, *allowed;
448 const char *remote_ip; 448 const char *remote_ip;
449 u_char *name = NULL, *data_blob = NULL; 449 char *name = NULL;
450 u_char *data_blob = NULL;
450 u_int nlen, dlen, clen; 451 u_int nlen, dlen, clen;
451 Buffer c, data; 452 Buffer c, data;
452 int ret = -1, found; 453 int ret = -1, found;
@@ -498,7 +499,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
498 if (*cert_forced_command != NULL) { 499 if (*cert_forced_command != NULL) {
499 error("Certificate has multiple " 500 error("Certificate has multiple "
500 "force-command options"); 501 "force-command options");
501 xfree(command); 502 free(command);
502 goto out; 503 goto out;
503 } 504 }
504 *cert_forced_command = command; 505 *cert_forced_command = command;
@@ -514,7 +515,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
514 if ((*cert_source_address_done)++) { 515 if ((*cert_source_address_done)++) {
515 error("Certificate has multiple " 516 error("Certificate has multiple "
516 "source-address options"); 517 "source-address options");
517 xfree(allowed); 518 free(allowed);
518 goto out; 519 goto out;
519 } 520 }
520 remote_ip = get_remote_ipaddr(); 521 remote_ip = get_remote_ipaddr();
@@ -522,7 +523,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
522 allowed)) { 523 allowed)) {
523 case 1: 524 case 1:
524 /* accepted */ 525 /* accepted */
525 xfree(allowed); 526 free(allowed);
526 break; 527 break;
527 case 0: 528 case 0:
528 /* no match */ 529 /* no match */
@@ -538,12 +539,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
538 "is not permitted to use this " 539 "is not permitted to use this "
539 "certificate for login.", 540 "certificate for login.",
540 remote_ip); 541 remote_ip);
541 xfree(allowed); 542 free(allowed);
542 goto out; 543 goto out;
543 case -1: 544 case -1:
544 error("Certificate source-address " 545 error("Certificate source-address "
545 "contents invalid"); 546 "contents invalid");
546 xfree(allowed); 547 free(allowed);
547 goto out; 548 goto out;
548 } 549 }
549 found = 1; 550 found = 1;
@@ -565,9 +566,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
565 goto out; 566 goto out;
566 } 567 }
567 buffer_clear(&data); 568 buffer_clear(&data);
568 xfree(name); 569 free(name);
569 xfree(data_blob); 570 free(data_blob);
570 name = data_blob = NULL; 571 name = NULL;
572 data_blob = NULL;
571 } 573 }
572 /* successfully parsed all options */ 574 /* successfully parsed all options */
573 ret = 0; 575 ret = 0;
@@ -576,13 +578,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
576 if (ret != 0 && 578 if (ret != 0 &&
577 cert_forced_command != NULL && 579 cert_forced_command != NULL &&
578 *cert_forced_command != NULL) { 580 *cert_forced_command != NULL) {
579 xfree(*cert_forced_command); 581 free(*cert_forced_command);
580 *cert_forced_command = NULL; 582 *cert_forced_command = NULL;
581 } 583 }
582 if (name != NULL) 584 if (name != NULL)
583 xfree(name); 585 free(name);
584 if (data_blob != NULL) 586 if (data_blob != NULL)
585 xfree(data_blob); 587 free(data_blob);
586 buffer_free(&data); 588 buffer_free(&data);
587 buffer_free(&c); 589 buffer_free(&c);
588 return ret; 590 return ret;
@@ -644,7 +646,7 @@ auth_cert_options(Key *k, struct passwd *pw)
644 /* CA-specified forced command supersedes key option */ 646 /* CA-specified forced command supersedes key option */
645 if (cert_forced_command != NULL) { 647 if (cert_forced_command != NULL) {
646 if (forced_command != NULL) 648 if (forced_command != NULL)
647 xfree(forced_command); 649 free(forced_command);
648 forced_command = cert_forced_command; 650 forced_command = cert_forced_command;
649 } 651 }
650 return 0; 652 return 0;
diff --git a/auth-pam.c b/auth-pam.c
index 675006e6f..d51318b3a 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
412 412
413 fail: 413 fail:
414 for(i = 0; i < n; i++) { 414 for(i = 0; i < n; i++) {
415 if (reply[i].resp != NULL) 415 free(reply[i].resp);
416 xfree(reply[i].resp);
417 } 416 }
418 xfree(reply); 417 free(reply);
419 buffer_free(&buffer); 418 buffer_free(&buffer);
420 return (PAM_CONV_ERR); 419 return (PAM_CONV_ERR);
421} 420}
@@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
586 585
587 fail: 586 fail:
588 for(i = 0; i < n; i++) { 587 for(i = 0; i < n; i++) {
589 if (reply[i].resp != NULL) 588 free(reply[i].resp);
590 xfree(reply[i].resp);
591 } 589 }
592 xfree(reply); 590 free(reply);
593 return (PAM_CONV_ERR); 591 return (PAM_CONV_ERR);
594} 592}
595 593
@@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt)
693 /* Start the authentication thread */ 691 /* Start the authentication thread */
694 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { 692 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
695 error("PAM: failed create sockets: %s", strerror(errno)); 693 error("PAM: failed create sockets: %s", strerror(errno));
696 xfree(ctxt); 694 free(ctxt);
697 return (NULL); 695 return (NULL);
698 } 696 }
699 ctxt->pam_psock = socks[0]; 697 ctxt->pam_psock = socks[0];
@@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt)
703 strerror(errno)); 701 strerror(errno));
704 close(socks[0]); 702 close(socks[0]);
705 close(socks[1]); 703 close(socks[1]);
706 xfree(ctxt); 704 free(ctxt);
707 return (NULL); 705 return (NULL);
708 } 706 }
709 cleanup_ctxt = ctxt; 707 cleanup_ctxt = ctxt;
@@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info,
742 strlcpy(**prompts + plen, msg, len - plen); 740 strlcpy(**prompts + plen, msg, len - plen);
743 plen += mlen; 741 plen += mlen;
744 **echo_on = (type == PAM_PROMPT_ECHO_ON); 742 **echo_on = (type == PAM_PROMPT_ECHO_ON);
745 xfree(msg); 743 free(msg);
746 return (0); 744 return (0);
747 case PAM_ERROR_MSG: 745 case PAM_ERROR_MSG:
748 case PAM_TEXT_INFO: 746 case PAM_TEXT_INFO:
@@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info,
753 plen += mlen; 751 plen += mlen;
754 strlcat(**prompts + plen, "\n", len - plen); 752 strlcat(**prompts + plen, "\n", len - plen);
755 plen++; 753 plen++;
756 xfree(msg); 754 free(msg);
757 break; 755 break;
758 case PAM_ACCT_EXPIRED: 756 case PAM_ACCT_EXPIRED:
759 sshpam_account_status = 0; 757 sshpam_account_status = 0;
@@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info,
766 *num = 0; 764 *num = 0;
767 **echo_on = 0; 765 **echo_on = 0;
768 ctxt->pam_done = -1; 766 ctxt->pam_done = -1;
769 xfree(msg); 767 free(msg);
770 return 0; 768 return 0;
771 } 769 }
772 /* FALLTHROUGH */ 770 /* FALLTHROUGH */
@@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info,
776 debug("PAM: %s", **prompts); 774 debug("PAM: %s", **prompts);
777 buffer_append(&loginmsg, **prompts, 775 buffer_append(&loginmsg, **prompts,
778 strlen(**prompts)); 776 strlen(**prompts));
779 xfree(**prompts); 777 free(**prompts);
780 **prompts = NULL; 778 **prompts = NULL;
781 } 779 }
782 if (type == PAM_SUCCESS) { 780 if (type == PAM_SUCCESS) {
@@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info,
790 *num = 0; 788 *num = 0;
791 **echo_on = 0; 789 **echo_on = 0;
792 ctxt->pam_done = 1; 790 ctxt->pam_done = 1;
793 xfree(msg); 791 free(msg);
794 return (0); 792 return (0);
795 } 793 }
796 error("PAM: %s for %s%.100s from %.100s", msg, 794 error("PAM: %s for %s%.100s from %.100s", msg,
@@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info,
801 default: 799 default:
802 *num = 0; 800 *num = 0;
803 **echo_on = 0; 801 **echo_on = 0;
804 xfree(msg); 802 free(msg);
805 ctxt->pam_done = -1; 803 ctxt->pam_done = -1;
806 return (-1); 804 return (-1);
807 } 805 }
@@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp)
852 850
853 debug3("PAM: %s entering", __func__); 851 debug3("PAM: %s entering", __func__);
854 sshpam_thread_cleanup(); 852 sshpam_thread_cleanup();
855 xfree(ctxt); 853 free(ctxt);
856 /* 854 /*
857 * We don't call sshpam_cleanup() here because we may need the PAM 855 * We don't call sshpam_cleanup() here because we may need the PAM
858 * handle at a later stage, e.g. when setting up a session. It's 856 * handle at a later stage, e.g. when setting up a session. It's
@@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
1006 1004
1007 fail: 1005 fail:
1008 for(i = 0; i < n; i++) { 1006 for(i = 0; i < n; i++) {
1009 if (reply[i].resp != NULL) 1007 free(reply[i].resp);
1010 xfree(reply[i].resp);
1011 } 1008 }
1012 xfree(reply); 1009 free(reply);
1013 return (PAM_CONV_ERR); 1010 return (PAM_CONV_ERR);
1014} 1011}
1015 1012
@@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value)
1081 1078
1082 snprintf(compound, len, "%s=%s", name, value); 1079 snprintf(compound, len, "%s=%s", name, value);
1083 ret = pam_putenv(sshpam_handle, compound); 1080 ret = pam_putenv(sshpam_handle, compound);
1084 xfree(compound); 1081 free(compound);
1085#endif 1082#endif
1086 1083
1087 return (ret); 1084 return (ret);
@@ -1108,8 +1105,8 @@ free_pam_environment(char **env)
1108 return; 1105 return;
1109 1106
1110 for (envp = env; *envp; envp++) 1107 for (envp = env; *envp; envp++)
1111 xfree(*envp); 1108 free(*envp);
1112 xfree(env); 1109 free(env);
1113} 1110}
1114 1111
1115/* 1112/*
@@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
1165 1162
1166 fail: 1163 fail:
1167 for(i = 0; i < n; i++) { 1164 for(i = 0; i < n; i++) {
1168 if (reply[i].resp != NULL) 1165 free(reply[i].resp);
1169 xfree(reply[i].resp);
1170 } 1166 }
1171 xfree(reply); 1167 free(reply);
1172 return (PAM_CONV_ERR); 1168 return (PAM_CONV_ERR);
1173} 1169}
1174 1170
diff --git a/auth-rsa.c b/auth-rsa.c
index 33cdb5dae..9b139c928 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ 1/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -164,9 +164,8 @@ static int
164rsa_key_allowed_in_file(struct passwd *pw, char *file, 164rsa_key_allowed_in_file(struct passwd *pw, char *file,
165 const BIGNUM *client_n, Key **rkey) 165 const BIGNUM *client_n, Key **rkey)
166{ 166{
167 char line[SSH_MAX_PUBKEY_BYTES]; 167 char *fp, line[SSH_MAX_PUBKEY_BYTES];
168 int allowed = 0; 168 int allowed = 0, bits;
169 u_int bits;
170 FILE *f; 169 FILE *f;
171 u_long linenum = 0; 170 u_long linenum = 0;
172 Key *key; 171 Key *key;
@@ -229,11 +228,16 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
229 228
230 /* check the real bits */ 229 /* check the real bits */
231 keybits = BN_num_bits(key->rsa->n); 230 keybits = BN_num_bits(key->rsa->n);
232 if (keybits < 0 || bits != (u_int)keybits) 231 if (keybits < 0 || bits != keybits)
233 logit("Warning: %s, line %lu: keysize mismatch: " 232 logit("Warning: %s, line %lu: keysize mismatch: "
234 "actual %d vs. announced %d.", 233 "actual %d vs. announced %d.",
235 file, linenum, BN_num_bits(key->rsa->n), bits); 234 file, linenum, BN_num_bits(key->rsa->n), bits);
236 235
236 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
237 debug("matching key found: file %s, line %lu %s %s",
238 file, linenum, key_type(key), fp);
239 free(fp);
240
237 /* Never accept a revoked key */ 241 /* Never accept a revoked key */
238 if (auth_key_is_revoked(key, 0)) 242 if (auth_key_is_revoked(key, 0))
239 break; 243 break;
@@ -283,7 +287,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
283 file = expand_authorized_keys( 287 file = expand_authorized_keys(
284 options.authorized_keys_files[i], pw); 288 options.authorized_keys_files[i], pw);
285 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); 289 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
286 xfree(file); 290 free(file);
287 } 291 }
288 292
289 restore_uid(); 293 restore_uid();
@@ -300,7 +304,6 @@ int
300auth_rsa(Authctxt *authctxt, BIGNUM *client_n) 304auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
301{ 305{
302 Key *key; 306 Key *key;
303 char *fp;
304 struct passwd *pw = authctxt->pw; 307 struct passwd *pw = authctxt->pw;
305 308
306 /* no user given */ 309 /* no user given */
@@ -330,11 +333,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
330 * options; this will be reset if the options cause the 333 * options; this will be reset if the options cause the
331 * authentication to be rejected. 334 * authentication to be rejected.
332 */ 335 */
333 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 336 pubkey_auth_info(authctxt, key, NULL);
334 verbose("Found matching %s key: %s",
335 key_type(key), fp);
336 xfree(fp);
337 key_free(key);
338 337
339 packet_send_debug("RSA authentication accepted."); 338 packet_send_debug("RSA authentication accepted.");
340 return (1); 339 return (1);
diff --git a/auth.c b/auth.c
index 514602a0c..7f6c6c8ad 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ 1/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -73,6 +73,7 @@
73#include "authfile.h" 73#include "authfile.h"
74#include "monitor_wrap.h" 74#include "monitor_wrap.h"
75#include "krl.h" 75#include "krl.h"
76#include "compat.h"
76 77
77/* import */ 78/* import */
78extern ServerOptions options; 79extern ServerOptions options;
@@ -166,17 +167,17 @@ allowed_user(struct passwd * pw)
166 if (stat(shell, &st) != 0) { 167 if (stat(shell, &st) != 0) {
167 logit("User %.100s not allowed because shell %.100s " 168 logit("User %.100s not allowed because shell %.100s "
168 "does not exist", pw->pw_name, shell); 169 "does not exist", pw->pw_name, shell);
169 xfree(shell); 170 free(shell);
170 return 0; 171 return 0;
171 } 172 }
172 if (S_ISREG(st.st_mode) == 0 || 173 if (S_ISREG(st.st_mode) == 0 ||
173 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { 174 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
174 logit("User %.100s not allowed because shell %.100s " 175 logit("User %.100s not allowed because shell %.100s "
175 "is not executable", pw->pw_name, shell); 176 "is not executable", pw->pw_name, shell);
176 xfree(shell); 177 free(shell);
177 return 0; 178 return 0;
178 } 179 }
179 xfree(shell); 180 free(shell);
180 } 181 }
181 182
182 if (options.num_deny_users > 0 || options.num_allow_users > 0 || 183 if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
@@ -253,8 +254,25 @@ allowed_user(struct passwd * pw)
253} 254}
254 255
255void 256void
257auth_info(Authctxt *authctxt, const char *fmt, ...)
258{
259 va_list ap;
260 int i;
261
262 free(authctxt->info);
263 authctxt->info = NULL;
264
265 va_start(ap, fmt);
266 i = vasprintf(&authctxt->info, fmt, ap);
267 va_end(ap);
268
269 if (i < 0 || authctxt->info == NULL)
270 fatal("vasprintf failed");
271}
272
273void
256auth_log(Authctxt *authctxt, int authenticated, int partial, 274auth_log(Authctxt *authctxt, int authenticated, int partial,
257 const char *method, const char *submethod, const char *info) 275 const char *method, const char *submethod)
258{ 276{
259 void (*authlog) (const char *fmt,...) = verbose; 277 void (*authlog) (const char *fmt,...) = verbose;
260 char *authmsg; 278 char *authmsg;
@@ -276,7 +294,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
276 else 294 else
277 authmsg = authenticated ? "Accepted" : "Failed"; 295 authmsg = authenticated ? "Accepted" : "Failed";
278 296
279 authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", 297 authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
280 authmsg, 298 authmsg,
281 method, 299 method,
282 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, 300 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
@@ -284,7 +302,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
284 authctxt->user, 302 authctxt->user,
285 get_remote_ipaddr(), 303 get_remote_ipaddr(),
286 get_remote_port(), 304 get_remote_port(),
287 info); 305 compat20 ? "ssh2" : "ssh1",
306 authctxt->info != NULL ? ": " : "",
307 authctxt->info != NULL ? authctxt->info : "");
308 free(authctxt->info);
309 authctxt->info = NULL;
288 310
289#ifdef CUSTOM_FAILED_LOGIN 311#ifdef CUSTOM_FAILED_LOGIN
290 if (authenticated == 0 && !authctxt->postponed && 312 if (authenticated == 0 && !authctxt->postponed &&
@@ -356,7 +378,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
356 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); 378 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
357 if (i < 0 || (size_t)i >= sizeof(ret)) 379 if (i < 0 || (size_t)i >= sizeof(ret))
358 fatal("expand_authorized_keys: path too long"); 380 fatal("expand_authorized_keys: path too long");
359 xfree(file); 381 free(file);
360 return (xstrdup(ret)); 382 return (xstrdup(ret));
361} 383}
362 384
@@ -397,7 +419,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
397 load_hostkeys(hostkeys, host, user_hostfile); 419 load_hostkeys(hostkeys, host, user_hostfile);
398 restore_uid(); 420 restore_uid();
399 } 421 }
400 xfree(user_hostfile); 422 free(user_hostfile);
401 } 423 }
402 host_status = check_key_in_hostkeys(hostkeys, key, &found); 424 host_status = check_key_in_hostkeys(hostkeys, key, &found);
403 if (host_status == HOST_REVOKED) 425 if (host_status == HOST_REVOKED)
@@ -647,7 +669,7 @@ auth_key_is_revoked(Key *key, int hostkey)
647 logit("Public key %s from %s blacklisted (see " 669 logit("Public key %s from %s blacklisted (see "
648 "ssh-vulnkey(1)); continuing anyway", 670 "ssh-vulnkey(1)); continuing anyway",
649 key_fp, get_remote_ipaddr()); 671 key_fp, get_remote_ipaddr());
650 xfree(key_fp); 672 free(key_fp);
651 } else { 673 } else {
652 if (hostkey) 674 if (hostkey)
653 error("Host key %s blacklisted (see " 675 error("Host key %s blacklisted (see "
@@ -656,7 +678,7 @@ auth_key_is_revoked(Key *key, int hostkey)
656 logit("Public key %s from %s blacklisted (see " 678 logit("Public key %s from %s blacklisted (see "
657 "ssh-vulnkey(1))", 679 "ssh-vulnkey(1))",
658 key_fp, get_remote_ipaddr()); 680 key_fp, get_remote_ipaddr());
659 xfree(key_fp); 681 free(key_fp);
660 return 1; 682 return 1;
661 } 683 }
662 } 684 }
@@ -688,7 +710,7 @@ auth_key_is_revoked(Key *key, int hostkey)
688 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 710 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
689 error("WARNING: authentication attempt with a revoked " 711 error("WARNING: authentication attempt with a revoked "
690 "%s key %s ", key_type(key), key_fp); 712 "%s key %s ", key_type(key), key_fp);
691 xfree(key_fp); 713 free(key_fp);
692 return 1; 714 return 1;
693 } 715 }
694 fatal("key_in_file returned junk"); 716 fatal("key_in_file returned junk");
@@ -719,7 +741,7 @@ auth_debug_send(void)
719 while (buffer_len(&auth_debug)) { 741 while (buffer_len(&auth_debug)) {
720 msg = buffer_get_string(&auth_debug, NULL); 742 msg = buffer_get_string(&auth_debug, NULL);
721 packet_send_debug("%s", msg); 743 packet_send_debug("%s", msg);
722 xfree(msg); 744 free(msg);
723 } 745 }
724} 746}
725 747
@@ -743,10 +765,12 @@ fakepw(void)
743 fake.pw_name = "NOUSER"; 765 fake.pw_name = "NOUSER";
744 fake.pw_passwd = 766 fake.pw_passwd =
745 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; 767 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
768#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
746 fake.pw_gecos = "NOUSER"; 769 fake.pw_gecos = "NOUSER";
770#endif
747 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; 771 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
748 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; 772 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
749#ifdef HAVE_PW_CLASS_IN_PASSWD 773#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
750 fake.pw_class = ""; 774 fake.pw_class = "";
751#endif 775#endif
752 fake.pw_dir = "/nonexist"; 776 fake.pw_dir = "/nonexist";
diff --git a/auth.h b/auth.h
index c2328f05b..ec95460cf 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -61,6 +61,7 @@ struct Authctxt {
61 char *style; 61 char *style;
62 char *role; 62 char *role;
63 void *kbdintctxt; 63 void *kbdintctxt;
64 char *info; /* Extra info for next auth_log */
64 void *jpake_ctx; 65 void *jpake_ctx;
65#ifdef BSD_AUTH 66#ifdef BSD_AUTH
66 auth_session_t *as; 67 auth_session_t *as;
@@ -122,6 +123,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
122int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); 123int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
123int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 124int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
124int user_key_allowed(struct passwd *, Key *); 125int user_key_allowed(struct passwd *, Key *);
126void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
127 __attribute__((__format__ (printf, 3, 4)));
125 128
126struct stat; 129struct stat;
127int auth_secure_path(const char *, struct stat *, const char *, uid_t, 130int auth_secure_path(const char *, struct stat *, const char *, uid_t,
@@ -149,8 +152,10 @@ void disable_forwarding(void);
149void do_authentication(Authctxt *); 152void do_authentication(Authctxt *);
150void do_authentication2(Authctxt *); 153void do_authentication2(Authctxt *);
151 154
152void auth_log(Authctxt *, int, int, const char *, const char *, 155void auth_info(Authctxt *authctxt, const char *, ...)
153 const char *); 156 __attribute__((__format__ (printf, 2, 3)))
157 __attribute__((__nonnull__ (2)));
158void auth_log(Authctxt *, int, int, const char *, const char *);
154void userauth_finish(Authctxt *, int, const char *, const char *); 159void userauth_finish(Authctxt *, int, const char *, const char *);
155int auth_root_allowed(const char *); 160int auth_root_allowed(const char *);
156 161
@@ -158,8 +163,9 @@ void userauth_send_banner(const char *);
158 163
159char *auth2_read_banner(void); 164char *auth2_read_banner(void);
160int auth2_methods_valid(const char *, int); 165int auth2_methods_valid(const char *, int);
161int auth2_update_methods_lists(Authctxt *, const char *); 166int auth2_update_methods_lists(Authctxt *, const char *, const char *);
162int auth2_setup_methods_lists(Authctxt *); 167int auth2_setup_methods_lists(Authctxt *);
168int auth2_method_allowed(Authctxt *, const char *, const char *);
163 169
164void privsep_challenge_enable(void); 170void privsep_challenge_enable(void);
165 171
@@ -193,10 +199,12 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *,
193 199
194/* hostkey handling */ 200/* hostkey handling */
195Key *get_hostkey_by_index(int); 201Key *get_hostkey_by_index(int);
202Key *get_hostkey_public_by_index(int);
196Key *get_hostkey_public_by_type(int); 203Key *get_hostkey_public_by_type(int);
197Key *get_hostkey_private_by_type(int); 204Key *get_hostkey_private_by_type(int);
198int get_hostkey_index(Key *); 205int get_hostkey_index(Key *);
199int ssh1_session_key(BIGNUM *); 206int ssh1_session_key(BIGNUM *);
207void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
200 208
201/* debug messages during authentication */ 209/* debug messages during authentication */
202void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); 210void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff --git a/auth1.c b/auth1.c
index de49b172d..2803a3c97 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -45,11 +45,11 @@
45extern ServerOptions options; 45extern ServerOptions options;
46extern Buffer loginmsg; 46extern Buffer loginmsg;
47 47
48static int auth1_process_password(Authctxt *, char *, size_t); 48static int auth1_process_password(Authctxt *);
49static int auth1_process_rsa(Authctxt *, char *, size_t); 49static int auth1_process_rsa(Authctxt *);
50static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t); 50static int auth1_process_rhosts_rsa(Authctxt *);
51static int auth1_process_tis_challenge(Authctxt *, char *, size_t); 51static int auth1_process_tis_challenge(Authctxt *);
52static int auth1_process_tis_response(Authctxt *, char *, size_t); 52static int auth1_process_tis_response(Authctxt *);
53 53
54static char *client_user = NULL; /* Used to fill in remote user for PAM */ 54static char *client_user = NULL; /* Used to fill in remote user for PAM */
55 55
@@ -57,7 +57,7 @@ struct AuthMethod1 {
57 int type; 57 int type;
58 char *name; 58 char *name;
59 int *enabled; 59 int *enabled;
60 int (*method)(Authctxt *, char *, size_t); 60 int (*method)(Authctxt *);
61}; 61};
62 62
63const struct AuthMethod1 auth1_methods[] = { 63const struct AuthMethod1 auth1_methods[] = {
@@ -112,7 +112,7 @@ get_authname(int type)
112 112
113/*ARGSUSED*/ 113/*ARGSUSED*/
114static int 114static int
115auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) 115auth1_process_password(Authctxt *authctxt)
116{ 116{
117 int authenticated = 0; 117 int authenticated = 0;
118 char *password; 118 char *password;
@@ -130,14 +130,14 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
130 authenticated = PRIVSEP(auth_password(authctxt, password)); 130 authenticated = PRIVSEP(auth_password(authctxt, password));
131 131
132 memset(password, 0, dlen); 132 memset(password, 0, dlen);
133 xfree(password); 133 free(password);
134 134
135 return (authenticated); 135 return (authenticated);
136} 136}
137 137
138/*ARGSUSED*/ 138/*ARGSUSED*/
139static int 139static int
140auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) 140auth1_process_rsa(Authctxt *authctxt)
141{ 141{
142 int authenticated = 0; 142 int authenticated = 0;
143 BIGNUM *n; 143 BIGNUM *n;
@@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
155 155
156/*ARGSUSED*/ 156/*ARGSUSED*/
157static int 157static int
158auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) 158auth1_process_rhosts_rsa(Authctxt *authctxt)
159{ 159{
160 int keybits, authenticated = 0; 160 int keybits, authenticated = 0;
161 u_int bits; 161 u_int bits;
@@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
187 client_host_key); 187 client_host_key);
188 key_free(client_host_key); 188 key_free(client_host_key);
189 189
190 snprintf(info, infolen, " ruser %.100s", client_user); 190 auth_info(authctxt, "ruser %.100s", client_user);
191 191
192 return (authenticated); 192 return (authenticated);
193} 193}
194 194
195/*ARGSUSED*/ 195/*ARGSUSED*/
196static int 196static int
197auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) 197auth1_process_tis_challenge(Authctxt *authctxt)
198{ 198{
199 char *challenge; 199 char *challenge;
200 200
@@ -204,7 +204,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
204 debug("sending challenge '%s'", challenge); 204 debug("sending challenge '%s'", challenge);
205 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); 205 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
206 packet_put_cstring(challenge); 206 packet_put_cstring(challenge);
207 xfree(challenge); 207 free(challenge);
208 packet_send(); 208 packet_send();
209 packet_write_wait(); 209 packet_write_wait();
210 210
@@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
213 213
214/*ARGSUSED*/ 214/*ARGSUSED*/
215static int 215static int
216auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) 216auth1_process_tis_response(Authctxt *authctxt)
217{ 217{
218 int authenticated = 0; 218 int authenticated = 0;
219 char *response; 219 char *response;
@@ -223,7 +223,7 @@ auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
223 packet_check_eom(); 223 packet_check_eom();
224 authenticated = verify_response(authctxt, response); 224 authenticated = verify_response(authctxt, response);
225 memset(response, 'r', dlen); 225 memset(response, 'r', dlen);
226 xfree(response); 226 free(response);
227 227
228 return (authenticated); 228 return (authenticated);
229} 229}
@@ -236,7 +236,6 @@ static void
236do_authloop(Authctxt *authctxt) 236do_authloop(Authctxt *authctxt)
237{ 237{
238 int authenticated = 0; 238 int authenticated = 0;
239 char info[1024];
240 int prev = 0, type = 0; 239 int prev = 0, type = 0;
241 const struct AuthMethod1 *meth; 240 const struct AuthMethod1 *meth;
242 241
@@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt)
254#endif 253#endif
255 { 254 {
256 auth_log(authctxt, 1, 0, "without authentication", 255 auth_log(authctxt, 1, 0, "without authentication",
257 NULL, ""); 256 NULL);
258 return; 257 return;
259 } 258 }
260 } 259 }
@@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt)
268 /* default to fail */ 267 /* default to fail */
269 authenticated = 0; 268 authenticated = 0;
270 269
271 info[0] = '\0';
272 270
273 /* Get a packet from the client. */ 271 /* Get a packet from the client. */
274 prev = type; 272 prev = type;
@@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt)
298 goto skip; 296 goto skip;
299 } 297 }
300 298
301 authenticated = meth->method(authctxt, info, sizeof(info)); 299 authenticated = meth->method(authctxt);
302 if (authenticated == -1) 300 if (authenticated == -1)
303 continue; /* "postponed" */ 301 continue; /* "postponed" */
304 302
@@ -353,13 +351,10 @@ do_authloop(Authctxt *authctxt)
353 351
354 skip: 352 skip:
355 /* Log before sending the reply */ 353 /* Log before sending the reply */
356 auth_log(authctxt, authenticated, 0, get_authname(type), 354 auth_log(authctxt, authenticated, 0, get_authname(type), NULL);
357 NULL, info);
358 355
359 if (client_user != NULL) { 356 free(client_user);
360 xfree(client_user); 357 client_user = NULL;
361 client_user = NULL;
362 }
363 358
364 if (authenticated) 359 if (authenticated)
365 return; 360 return;
diff --git a/auth2-chall.c b/auth2-chall.c
index 6505d4009..98f3093ce 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ 1/* $OpenBSD: auth2-chall.c,v 1.38 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved. 4 * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -147,15 +147,13 @@ kbdint_free(KbdintAuthctxt *kbdintctxt)
147{ 147{
148 if (kbdintctxt->device) 148 if (kbdintctxt->device)
149 kbdint_reset_device(kbdintctxt); 149 kbdint_reset_device(kbdintctxt);
150 if (kbdintctxt->devices) { 150 free(kbdintctxt->devices);
151 xfree(kbdintctxt->devices); 151 bzero(kbdintctxt, sizeof(*kbdintctxt));
152 kbdintctxt->devices = NULL; 152 free(kbdintctxt);
153 }
154 xfree(kbdintctxt);
155} 153}
156/* get next device */ 154/* get next device */
157static int 155static int
158kbdint_next_device(KbdintAuthctxt *kbdintctxt) 156kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
159{ 157{
160 size_t len; 158 size_t len;
161 char *t; 159 char *t;
@@ -169,12 +167,16 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
169 167
170 if (len == 0) 168 if (len == 0)
171 break; 169 break;
172 for (i = 0; devices[i]; i++) 170 for (i = 0; devices[i]; i++) {
171 if (!auth2_method_allowed(authctxt,
172 "keyboard-interactive", devices[i]->name))
173 continue;
173 if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) 174 if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
174 kbdintctxt->device = devices[i]; 175 kbdintctxt->device = devices[i];
176 }
175 t = kbdintctxt->devices; 177 t = kbdintctxt->devices;
176 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; 178 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
177 xfree(t); 179 free(t);
178 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? 180 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
179 kbdintctxt->devices : "<empty>"); 181 kbdintctxt->devices : "<empty>");
180 } while (kbdintctxt->devices && !kbdintctxt->device); 182 } while (kbdintctxt->devices && !kbdintctxt->device);
@@ -221,7 +223,7 @@ auth2_challenge_start(Authctxt *authctxt)
221 debug2("auth2_challenge_start: devices %s", 223 debug2("auth2_challenge_start: devices %s",
222 kbdintctxt->devices ? kbdintctxt->devices : "<empty>"); 224 kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
223 225
224 if (kbdint_next_device(kbdintctxt) == 0) { 226 if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
225 auth2_challenge_stop(authctxt); 227 auth2_challenge_stop(authctxt);
226 return 0; 228 return 0;
227 } 229 }
@@ -268,11 +270,11 @@ send_userauth_info_request(Authctxt *authctxt)
268 packet_write_wait(); 270 packet_write_wait();
269 271
270 for (i = 0; i < kbdintctxt->nreq; i++) 272 for (i = 0; i < kbdintctxt->nreq; i++)
271 xfree(prompts[i]); 273 free(prompts[i]);
272 xfree(prompts); 274 free(prompts);
273 xfree(echo_on); 275 free(echo_on);
274 xfree(name); 276 free(name);
275 xfree(instr); 277 free(instr);
276 return 1; 278 return 1;
277} 279}
278 280
@@ -311,10 +313,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
311 313
312 for (i = 0; i < nresp; i++) { 314 for (i = 0; i < nresp; i++) {
313 memset(response[i], 'r', strlen(response[i])); 315 memset(response[i], 'r', strlen(response[i]));
314 xfree(response[i]); 316 free(response[i]);
315 } 317 }
316 if (response) 318 free(response);
317 xfree(response);
318 319
319 switch (res) { 320 switch (res) {
320 case 0: 321 case 0:
diff --git a/auth2-gss.c b/auth2-gss.c
index 17d4a3a84..b8db8204f 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -81,7 +81,7 @@ userauth_gsskeyex(Authctxt *authctxt)
81 authctxt->pw)); 81 authctxt->pw));
82 82
83 buffer_free(&b); 83 buffer_free(&b);
84 xfree(mic.value); 84 free(mic.value);
85 85
86 return (authenticated); 86 return (authenticated);
87} 87}
@@ -115,8 +115,7 @@ userauth_gssapi(Authctxt *authctxt)
115 do { 115 do {
116 mechs--; 116 mechs--;
117 117
118 if (doid) 118 free(doid);
119 xfree(doid);
120 119
121 present = 0; 120 present = 0;
122 doid = packet_get_string(&len); 121 doid = packet_get_string(&len);
@@ -135,7 +134,7 @@ userauth_gssapi(Authctxt *authctxt)
135 gss_release_oid_set(&ms, &supported); 134 gss_release_oid_set(&ms, &supported);
136 135
137 if (!present) { 136 if (!present) {
138 xfree(doid); 137 free(doid);
139 authctxt->server_caused_failure = 1; 138 authctxt->server_caused_failure = 1;
140 return (0); 139 return (0);
141 } 140 }
@@ -143,7 +142,7 @@ userauth_gssapi(Authctxt *authctxt)
143 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { 142 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
144 if (ctxt != NULL) 143 if (ctxt != NULL)
145 ssh_gssapi_delete_ctx(&ctxt); 144 ssh_gssapi_delete_ctx(&ctxt);
146 xfree(doid); 145 free(doid);
147 authctxt->server_caused_failure = 1; 146 authctxt->server_caused_failure = 1;
148 return (0); 147 return (0);
149 } 148 }
@@ -156,7 +155,7 @@ userauth_gssapi(Authctxt *authctxt)
156 packet_put_string(doid, len); 155 packet_put_string(doid, len);
157 156
158 packet_send(); 157 packet_send();
159 xfree(doid); 158 free(doid);
160 159
161 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 160 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
162 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 161 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
@@ -187,7 +186,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
187 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 186 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
188 &send_tok, &flags)); 187 &send_tok, &flags));
189 188
190 xfree(recv_tok.value); 189 free(recv_tok.value);
191 190
192 if (GSS_ERROR(maj_status)) { 191 if (GSS_ERROR(maj_status)) {
193 if (send_tok.length != 0) { 192 if (send_tok.length != 0) {
@@ -242,7 +241,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
242 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 241 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
243 &send_tok, NULL)); 242 &send_tok, NULL));
244 243
245 xfree(recv_tok.value); 244 free(recv_tok.value);
246 245
247 /* We can't return anything to the client, even if we wanted to */ 246 /* We can't return anything to the client, even if we wanted to */
248 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 247 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -263,14 +262,11 @@ static void
263input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 262input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
264{ 263{
265 Authctxt *authctxt = ctxt; 264 Authctxt *authctxt = ctxt;
266 Gssctxt *gssctxt;
267 int authenticated; 265 int authenticated;
268 266
269 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 267 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
270 fatal("No authentication or GSSAPI context"); 268 fatal("No authentication or GSSAPI context");
271 269
272 gssctxt = authctxt->methoddata;
273
274 /* 270 /*
275 * We don't need to check the status, because we're only enabled in 271 * We don't need to check the status, because we're only enabled in
276 * the dispatcher once the exchange is complete 272 * the dispatcher once the exchange is complete
@@ -320,7 +316,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
320 logit("GSSAPI MIC check failed"); 316 logit("GSSAPI MIC check failed");
321 317
322 buffer_free(&b); 318 buffer_free(&b);
323 xfree(mic.value); 319 free(mic.value);
324 320
325 authctxt->postponed = 0; 321 authctxt->postponed = 0;
326 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 322 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 700631558..3a17f1bf2 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */ 1/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt)
116#ifdef DEBUG_PK 116#ifdef DEBUG_PK
117 buffer_dump(&b); 117 buffer_dump(&b);
118#endif 118#endif
119
120 pubkey_auth_info(authctxt, key,
121 "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
122
119 /* test for allowed key and correct signature */ 123 /* test for allowed key and correct signature */
120 authenticated = 0; 124 authenticated = 0;
121 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && 125 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@@ -128,11 +132,11 @@ done:
128 debug2("userauth_hostbased: authenticated %d", authenticated); 132 debug2("userauth_hostbased: authenticated %d", authenticated);
129 if (key != NULL) 133 if (key != NULL)
130 key_free(key); 134 key_free(key);
131 xfree(pkalg); 135 free(pkalg);
132 xfree(pkblob); 136 free(pkblob);
133 xfree(cuser); 137 free(cuser);
134 xfree(chost); 138 free(chost);
135 xfree(sig); 139 free(sig);
136 return authenticated; 140 return authenticated;
137} 141}
138 142
@@ -207,7 +211,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
207 verbose("Accepted %s public key %s from %s@%s", 211 verbose("Accepted %s public key %s from %s@%s",
208 key_type(key), fp, cuser, lookup); 212 key_type(key), fp, cuser, lookup);
209 } 213 }
210 xfree(fp); 214 free(fp);
211 } 215 }
212 216
213 return (host_status == HOST_OK); 217 return (host_status == HOST_OK);
diff --git a/auth2-jpake.c b/auth2-jpake.c
index ed0eba47b..78a6b8817 100644
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2008 Damien Miller. All rights reserved. 3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 * 4 *
@@ -179,7 +179,7 @@ derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
179 __func__, len, digest_len); 179 __func__, len, digest_len);
180 memcpy(rawsalt, digest, len); 180 memcpy(rawsalt, digest, len);
181 bzero(digest, digest_len); 181 bzero(digest, digest_len);
182 xfree(digest); 182 free(digest);
183} 183}
184 184
185/* ASCII an integer [0, 64) for inclusion in a password/salt */ 185/* ASCII an integer [0, 64) for inclusion in a password/salt */
@@ -258,7 +258,7 @@ fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
258 makesalt(22, authctxt->user)); 258 makesalt(22, authctxt->user));
259 *scheme = xstrdup("bcrypt"); 259 *scheme = xstrdup("bcrypt");
260 } 260 }
261 xfree(style); 261 free(style);
262 debug3("%s: fake %s salt for user %s: %s", 262 debug3("%s: fake %s salt for user %s: %s",
263 __func__, *scheme, authctxt->user, *salt); 263 __func__, *scheme, authctxt->user, *salt);
264} 264}
@@ -361,7 +361,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
361 JPAKE_DEBUG_BN((*s, "%s: s = ", __func__)); 361 JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
362#endif 362#endif
363 bzero(secret, secret_len); 363 bzero(secret, secret_len);
364 xfree(secret); 364 free(secret);
365} 365}
366 366
367/* 367/*
@@ -403,12 +403,12 @@ auth2_jpake_start(Authctxt *authctxt)
403 403
404 bzero(hash_scheme, strlen(hash_scheme)); 404 bzero(hash_scheme, strlen(hash_scheme));
405 bzero(salt, strlen(salt)); 405 bzero(salt, strlen(salt));
406 xfree(hash_scheme); 406 free(hash_scheme);
407 xfree(salt); 407 free(salt);
408 bzero(x3_proof, x3_proof_len); 408 bzero(x3_proof, x3_proof_len);
409 bzero(x4_proof, x4_proof_len); 409 bzero(x4_proof, x4_proof_len);
410 xfree(x3_proof); 410 free(x3_proof);
411 xfree(x4_proof); 411 free(x4_proof);
412 412
413 /* Expect step 1 packet from peer */ 413 /* Expect step 1 packet from peer */
414 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, 414 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
@@ -455,8 +455,8 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
455 455
456 bzero(x1_proof, x1_proof_len); 456 bzero(x1_proof, x1_proof_len);
457 bzero(x2_proof, x2_proof_len); 457 bzero(x2_proof, x2_proof_len);
458 xfree(x1_proof); 458 free(x1_proof);
459 xfree(x2_proof); 459 free(x2_proof);
460 460
461 if (!use_privsep) 461 if (!use_privsep)
462 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); 462 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
@@ -469,7 +469,7 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
469 packet_write_wait(); 469 packet_write_wait();
470 470
471 bzero(x4_s_proof, x4_s_proof_len); 471 bzero(x4_s_proof, x4_s_proof_len);
472 xfree(x4_s_proof); 472 free(x4_s_proof);
473 473
474 /* Expect step 2 packet from peer */ 474 /* Expect step 2 packet from peer */
475 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, 475 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
@@ -510,7 +510,7 @@ input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
510 &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len)); 510 &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
511 511
512 bzero(x2_s_proof, x2_s_proof_len); 512 bzero(x2_s_proof, x2_s_proof_len);
513 xfree(x2_s_proof); 513 free(x2_s_proof);
514 514
515 if (!use_privsep) 515 if (!use_privsep)
516 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); 516 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index fae67da6e..c39bdc62d 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -56,8 +56,8 @@ userauth_kbdint(Authctxt *authctxt)
56 if (options.challenge_response_authentication) 56 if (options.challenge_response_authentication)
57 authenticated = auth2_challenge(authctxt, devs); 57 authenticated = auth2_challenge(authctxt, devs);
58 58
59 xfree(devs); 59 free(devs);
60 xfree(lang); 60 free(lang);
61 return authenticated; 61 return authenticated;
62} 62}
63 63
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 5f1f3635f..21bc5047d 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth2-passwd.c,v 1.10 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -60,7 +60,7 @@ userauth_passwd(Authctxt *authctxt)
60 /* discard new password from packet */ 60 /* discard new password from packet */
61 newpass = packet_get_string(&newlen); 61 newpass = packet_get_string(&newlen);
62 memset(newpass, 0, newlen); 62 memset(newpass, 0, newlen);
63 xfree(newpass); 63 free(newpass);
64 } 64 }
65 packet_check_eom(); 65 packet_check_eom();
66 66
@@ -69,7 +69,7 @@ userauth_passwd(Authctxt *authctxt)
69 else if (PRIVSEP(auth_password(authctxt, password)) == 1) 69 else if (PRIVSEP(auth_password(authctxt, password)) == 1)
70 authenticated = 1; 70 authenticated = 1;
71 memset(password, 0, len); 71 memset(password, 0, len);
72 xfree(password); 72 free(password);
73 return authenticated; 73 return authenticated;
74} 74}
75 75
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index f980b0dad..7c0ceee55 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt)
75{ 75{
76 Buffer b; 76 Buffer b;
77 Key *key = NULL; 77 Key *key = NULL;
78 char *pkalg; 78 char *pkalg, *userstyle;
79 u_char *pkblob, *sig; 79 u_char *pkblob, *sig;
80 u_int alen, blen, slen; 80 u_int alen, blen, slen;
81 int have_sig, pktype; 81 int have_sig, pktype;
@@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
127 } 127 }
128 /* reconstruct packet */ 128 /* reconstruct packet */
129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
130 buffer_put_cstring(&b, authctxt->user); 130 xasprintf(&userstyle, "%s%s%s", authctxt->user,
131 authctxt->style ? ":" : "",
132 authctxt->style ? authctxt->style : "");
133 buffer_put_cstring(&b, userstyle);
134 free(userstyle);
131 buffer_put_cstring(&b, 135 buffer_put_cstring(&b,
132 datafellows & SSH_BUG_PKSERVICE ? 136 datafellows & SSH_BUG_PKSERVICE ?
133 "ssh-userauth" : 137 "ssh-userauth" :
@@ -143,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
143#ifdef DEBUG_PK 147#ifdef DEBUG_PK
144 buffer_dump(&b); 148 buffer_dump(&b);
145#endif 149#endif
150 pubkey_auth_info(authctxt, key, NULL);
151
146 /* test for correct signature */ 152 /* test for correct signature */
147 authenticated = 0; 153 authenticated = 0;
148 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && 154 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -150,7 +156,7 @@ userauth_pubkey(Authctxt *authctxt)
150 buffer_len(&b))) == 1) 156 buffer_len(&b))) == 1)
151 authenticated = 1; 157 authenticated = 1;
152 buffer_free(&b); 158 buffer_free(&b);
153 xfree(sig); 159 free(sig);
154 } else { 160 } else {
155 debug("test whether pkalg/pkblob are acceptable"); 161 debug("test whether pkalg/pkblob are acceptable");
156 packet_check_eom(); 162 packet_check_eom();
@@ -178,11 +184,45 @@ done:
178 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); 184 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
179 if (key != NULL) 185 if (key != NULL)
180 key_free(key); 186 key_free(key);
181 xfree(pkalg); 187 free(pkalg);
182 xfree(pkblob); 188 free(pkblob);
183 return authenticated; 189 return authenticated;
184} 190}
185 191
192void
193pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
194{
195 char *fp, *extra;
196 va_list ap;
197 int i;
198
199 extra = NULL;
200 if (fmt != NULL) {
201 va_start(ap, fmt);
202 i = vasprintf(&extra, fmt, ap);
203 va_end(ap);
204 if (i < 0 || extra == NULL)
205 fatal("%s: vasprintf failed", __func__);
206 }
207
208 if (key_is_cert(key)) {
209 fp = key_fingerprint(key->cert->signature_key,
210 SSH_FP_MD5, SSH_FP_HEX);
211 auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
212 key_type(key), key->cert->key_id,
213 (unsigned long long)key->cert->serial,
214 key_type(key->cert->signature_key), fp,
215 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
216 free(fp);
217 } else {
218 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
219 auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
220 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
221 free(fp);
222 }
223 free(extra);
224}
225
186static int 226static int
187match_principals_option(const char *principal_list, struct KeyCert *cert) 227match_principals_option(const char *principal_list, struct KeyCert *cert)
188{ 228{
@@ -196,7 +236,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
196 principal_list, NULL)) != NULL) { 236 principal_list, NULL)) != NULL) {
197 debug3("matched principal from key options \"%.100s\"", 237 debug3("matched principal from key options \"%.100s\"",
198 result); 238 result);
199 xfree(result); 239 free(result);
200 return 1; 240 return 1;
201 } 241 }
202 } 242 }
@@ -277,13 +317,14 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
277 char *fp; 317 char *fp;
278 318
279 found_key = 0; 319 found_key = 0;
280 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
281 320
321 found = NULL;
282 auth_start_parse_options(); 322 auth_start_parse_options();
283
284 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 323 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
285 char *cp, *key_options = NULL; 324 char *cp, *key_options = NULL;
286 325 if (found != NULL)
326 key_free(found);
327 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
287 auth_clear_options(); 328 auth_clear_options();
288 329
289 /* Skip leading whitespace, empty and comment lines. */ 330 /* Skip leading whitespace, empty and comment lines. */
@@ -335,7 +376,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
335 reason = "Certificate does not contain an " 376 reason = "Certificate does not contain an "
336 "authorized principal"; 377 "authorized principal";
337 fail_reason: 378 fail_reason:
338 xfree(fp); 379 free(fp);
339 error("%s", reason); 380 error("%s", reason);
340 auth_debug_add("%s", reason); 381 auth_debug_add("%s", reason);
341 continue; 382 continue;
@@ -345,13 +386,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
345 &reason) != 0) 386 &reason) != 0)
346 goto fail_reason; 387 goto fail_reason;
347 if (auth_cert_options(key, pw) != 0) { 388 if (auth_cert_options(key, pw) != 0) {
348 xfree(fp); 389 free(fp);
349 continue; 390 continue;
350 } 391 }
351 verbose("Accepted certificate ID \"%s\" " 392 verbose("Accepted certificate ID \"%s\" "
352 "signed by %s CA %s via %s", key->cert->key_id, 393 "signed by %s CA %s via %s", key->cert->key_id,
353 key_type(found), fp, file); 394 key_type(found), fp, file);
354 xfree(fp); 395 free(fp);
355 found_key = 1; 396 found_key = 1;
356 break; 397 break;
357 } else if (key_equal(found, key)) { 398 } else if (key_equal(found, key)) {
@@ -361,16 +402,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
361 if (key_is_cert_authority) 402 if (key_is_cert_authority)
362 continue; 403 continue;
363 found_key = 1; 404 found_key = 1;
364 debug("matching key found: file %s, line %lu",
365 file, linenum);
366 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); 405 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
367 verbose("Found matching %s key: %s", 406 debug("matching key found: file %s, line %lu %s %s",
368 key_type(found), fp); 407 file, linenum, key_type(found), fp);
369 xfree(fp); 408 free(fp);
370 break; 409 break;
371 } 410 }
372 } 411 }
373 key_free(found); 412 if (found != NULL)
413 key_free(found);
374 if (!found_key) 414 if (!found_key)
375 debug2("key not found"); 415 debug2("key not found");
376 return found_key; 416 return found_key;
@@ -425,10 +465,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
425 ret = 1; 465 ret = 1;
426 466
427 out: 467 out:
428 if (principals_file != NULL) 468 free(principals_file);
429 xfree(principals_file); 469 free(ca_fp);
430 if (ca_fp != NULL)
431 xfree(ca_fp);
432 return ret; 470 return ret;
433} 471}
434 472
@@ -634,7 +672,7 @@ user_key_allowed(struct passwd *pw, Key *key)
634 options.authorized_keys_files[i], pw); 672 options.authorized_keys_files[i], pw);
635 673
636 success = user_key_allowed2(pw, key, file); 674 success = user_key_allowed2(pw, key, file);
637 xfree(file); 675 free(file);
638 } 676 }
639 677
640 return success; 678 return success;
diff --git a/auth2.c b/auth2.c
index f00f14764..b55bbcd95 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -100,8 +100,12 @@ static void input_userauth_request(int, u_int32_t, void *);
100/* helper */ 100/* helper */
101static Authmethod *authmethod_lookup(Authctxt *, const char *); 101static Authmethod *authmethod_lookup(Authctxt *, const char *);
102static char *authmethods_get(Authctxt *authctxt); 102static char *authmethods_get(Authctxt *authctxt);
103static int method_allowed(Authctxt *, const char *); 103
104static int list_starts_with(const char *, const char *); 104#define MATCH_NONE 0 /* method or submethod mismatch */
105#define MATCH_METHOD 1 /* method matches (no submethod specified) */
106#define MATCH_BOTH 2 /* method and submethod match */
107#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */
108static int list_starts_with(const char *, const char *, const char *);
105 109
106char * 110char *
107auth2_read_banner(void) 111auth2_read_banner(void)
@@ -128,7 +132,7 @@ auth2_read_banner(void)
128 close(fd); 132 close(fd);
129 133
130 if (n != len) { 134 if (n != len) {
131 xfree(banner); 135 free(banner);
132 return (NULL); 136 return (NULL);
133 } 137 }
134 banner[n] = '\0'; 138 banner[n] = '\0';
@@ -164,8 +168,7 @@ userauth_banner(void)
164 userauth_send_banner(banner); 168 userauth_send_banner(banner);
165 169
166done: 170done:
167 if (banner) 171 free(banner);
168 xfree(banner);
169} 172}
170 173
171/* 174/*
@@ -210,7 +213,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
210 debug("bad service request %s", service); 213 debug("bad service request %s", service);
211 packet_disconnect("bad service request %s", service); 214 packet_disconnect("bad service request %s", service);
212 } 215 }
213 xfree(service); 216 free(service);
214} 217}
215 218
216/*ARGSUSED*/ 219/*ARGSUSED*/
@@ -296,9 +299,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
296 } 299 }
297 userauth_finish(authctxt, authenticated, method, NULL); 300 userauth_finish(authctxt, authenticated, method, NULL);
298 301
299 xfree(service); 302 free(service);
300 xfree(user); 303 free(user);
301 xfree(method); 304 free(method);
302} 305}
303 306
304void 307void
@@ -324,14 +327,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
324 } 327 }
325 328
326 if (authenticated && options.num_auth_methods != 0) { 329 if (authenticated && options.num_auth_methods != 0) {
327 if (!auth2_update_methods_lists(authctxt, method)) { 330 if (!auth2_update_methods_lists(authctxt, method, submethod)) {
328 authenticated = 0; 331 authenticated = 0;
329 partial = 1; 332 partial = 1;
330 } 333 }
331 } 334 }
332 335
333 /* Log before sending the reply */ 336 /* Log before sending the reply */
334 auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); 337 auth_log(authctxt, authenticated, partial, method, submethod);
335 338
336 if (authctxt->postponed) 339 if (authctxt->postponed)
337 return; 340 return;
@@ -386,7 +389,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
386 packet_put_char(partial); 389 packet_put_char(partial);
387 packet_send(); 390 packet_send();
388 packet_write_wait(); 391 packet_write_wait();
389 xfree(methods); 392 free(methods);
390 } 393 }
391} 394}
392 395
@@ -395,8 +398,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
395 * methods list. Returns 1 if allowed, or no methods lists configured. 398 * methods list. Returns 1 if allowed, or no methods lists configured.
396 * 0 otherwise. 399 * 0 otherwise.
397 */ 400 */
398static int 401int
399method_allowed(Authctxt *authctxt, const char *method) 402auth2_method_allowed(Authctxt *authctxt, const char *method,
403 const char *submethod)
400{ 404{
401 u_int i; 405 u_int i;
402 406
@@ -407,7 +411,8 @@ method_allowed(Authctxt *authctxt, const char *method)
407 if (options.num_auth_methods == 0) 411 if (options.num_auth_methods == 0)
408 return 1; 412 return 1;
409 for (i = 0; i < authctxt->num_auth_methods; i++) { 413 for (i = 0; i < authctxt->num_auth_methods; i++) {
410 if (list_starts_with(authctxt->auth_methods[i], method)) 414 if (list_starts_with(authctxt->auth_methods[i], method,
415 submethod) != MATCH_NONE)
411 return 1; 416 return 1;
412 } 417 }
413 return 0; 418 return 0;
@@ -427,7 +432,8 @@ authmethods_get(Authctxt *authctxt)
427 if (authmethods[i]->enabled == NULL || 432 if (authmethods[i]->enabled == NULL ||
428 *(authmethods[i]->enabled) == 0) 433 *(authmethods[i]->enabled) == 0)
429 continue; 434 continue;
430 if (!method_allowed(authctxt, authmethods[i]->name)) 435 if (!auth2_method_allowed(authctxt, authmethods[i]->name,
436 NULL))
431 continue; 437 continue;
432 if (buffer_len(&b) > 0) 438 if (buffer_len(&b) > 0)
433 buffer_append(&b, ",", 1); 439 buffer_append(&b, ",", 1);
@@ -450,7 +456,8 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
450 if (authmethods[i]->enabled != NULL && 456 if (authmethods[i]->enabled != NULL &&
451 *(authmethods[i]->enabled) != 0 && 457 *(authmethods[i]->enabled) != 0 &&
452 strcmp(name, authmethods[i]->name) == 0 && 458 strcmp(name, authmethods[i]->name) == 0 &&
453 method_allowed(authctxt, authmethods[i]->name)) 459 auth2_method_allowed(authctxt,
460 authmethods[i]->name, NULL))
454 return authmethods[i]; 461 return authmethods[i];
455 debug2("Unrecognized authentication method name: %s", 462 debug2("Unrecognized authentication method name: %s",
456 name ? name : "NULL"); 463 name ? name : "NULL");
@@ -465,7 +472,7 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
465int 472int
466auth2_methods_valid(const char *_methods, int need_enable) 473auth2_methods_valid(const char *_methods, int need_enable)
467{ 474{
468 char *methods, *omethods, *method; 475 char *methods, *omethods, *method, *p;
469 u_int i, found; 476 u_int i, found;
470 int ret = -1; 477 int ret = -1;
471 478
@@ -476,6 +483,8 @@ auth2_methods_valid(const char *_methods, int need_enable)
476 omethods = methods = xstrdup(_methods); 483 omethods = methods = xstrdup(_methods);
477 while ((method = strsep(&methods, ",")) != NULL) { 484 while ((method = strsep(&methods, ",")) != NULL) {
478 for (found = i = 0; !found && authmethods[i] != NULL; i++) { 485 for (found = i = 0; !found && authmethods[i] != NULL; i++) {
486 if ((p = strchr(method, ':')) != NULL)
487 *p = '\0';
479 if (strcmp(method, authmethods[i]->name) != 0) 488 if (strcmp(method, authmethods[i]->name) != 0)
480 continue; 489 continue;
481 if (need_enable) { 490 if (need_enable) {
@@ -541,15 +550,30 @@ auth2_setup_methods_lists(Authctxt *authctxt)
541} 550}
542 551
543static int 552static int
544list_starts_with(const char *methods, const char *method) 553list_starts_with(const char *methods, const char *method,
554 const char *submethod)
545{ 555{
546 size_t l = strlen(method); 556 size_t l = strlen(method);
557 int match;
558 const char *p;
547 559
548 if (strncmp(methods, method, l) != 0) 560 if (strncmp(methods, method, l) != 0)
549 return 0; 561 return MATCH_NONE;
550 if (methods[l] != ',' && methods[l] != '\0') 562 p = methods + l;
551 return 0; 563 match = MATCH_METHOD;
552 return 1; 564 if (*p == ':') {
565 if (!submethod)
566 return MATCH_PARTIAL;
567 l = strlen(submethod);
568 p += 1;
569 if (strncmp(submethod, p, l))
570 return MATCH_NONE;
571 p += l;
572 match = MATCH_BOTH;
573 }
574 if (*p != ',' && *p != '\0')
575 return MATCH_NONE;
576 return match;
553} 577}
554 578
555/* 579/*
@@ -558,14 +582,21 @@ list_starts_with(const char *methods, const char *method)
558 * if it did. 582 * if it did.
559 */ 583 */
560static int 584static int
561remove_method(char **methods, const char *method) 585remove_method(char **methods, const char *method, const char *submethod)
562{ 586{
563 char *omethods = *methods; 587 char *omethods = *methods, *p;
564 size_t l = strlen(method); 588 size_t l = strlen(method);
589 int match;
565 590
566 if (!list_starts_with(omethods, method)) 591 match = list_starts_with(omethods, method, submethod);
592 if (match != MATCH_METHOD && match != MATCH_BOTH)
567 return 0; 593 return 0;
568 *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); 594 p = omethods + l;
595 if (submethod && match == MATCH_BOTH)
596 p += 1 + strlen(submethod); /* include colon */
597 if (*p == ',')
598 p++;
599 *methods = xstrdup(p);
569 free(omethods); 600 free(omethods);
570 return 1; 601 return 1;
571} 602}
@@ -577,13 +608,15 @@ remove_method(char **methods, const char *method)
577 * Returns 1 if the method completed any authentication list or 0 otherwise. 608 * Returns 1 if the method completed any authentication list or 0 otherwise.
578 */ 609 */
579int 610int
580auth2_update_methods_lists(Authctxt *authctxt, const char *method) 611auth2_update_methods_lists(Authctxt *authctxt, const char *method,
612 const char *submethod)
581{ 613{
582 u_int i, found = 0; 614 u_int i, found = 0;
583 615
584 debug3("%s: updating methods list after \"%s\"", __func__, method); 616 debug3("%s: updating methods list after \"%s\"", __func__, method);
585 for (i = 0; i < authctxt->num_auth_methods; i++) { 617 for (i = 0; i < authctxt->num_auth_methods; i++) {
586 if (!remove_method(&(authctxt->auth_methods[i]), method)) 618 if (!remove_method(&(authctxt->auth_methods[i]), method,
619 submethod))
587 continue; 620 continue;
588 found = 1; 621 found = 1;
589 if (*authctxt->auth_methods[i] == '\0') { 622 if (*authctxt->auth_methods[i] == '\0') {
diff --git a/authfd.c b/authfd.c
index f037e838b..775786bee 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */ 1/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -224,7 +224,7 @@ ssh_close_authentication_connection(AuthenticationConnection *auth)
224{ 224{
225 buffer_free(&auth->identities); 225 buffer_free(&auth->identities);
226 close(auth->fd); 226 close(auth->fd);
227 xfree(auth); 227 free(auth);
228} 228}
229 229
230/* Lock/unlock agent */ 230/* Lock/unlock agent */
@@ -343,7 +343,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
343 blob = buffer_get_string(&auth->identities, &blen); 343 blob = buffer_get_string(&auth->identities, &blen);
344 *comment = buffer_get_string(&auth->identities, NULL); 344 *comment = buffer_get_string(&auth->identities, NULL);
345 key = key_from_blob(blob, blen); 345 key = key_from_blob(blob, blen);
346 xfree(blob); 346 free(blob);
347 break; 347 break;
348 default: 348 default:
349 return NULL; 349 return NULL;
@@ -436,7 +436,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
436 buffer_put_string(&msg, blob, blen); 436 buffer_put_string(&msg, blob, blen);
437 buffer_put_string(&msg, data, datalen); 437 buffer_put_string(&msg, data, datalen);
438 buffer_put_int(&msg, flags); 438 buffer_put_int(&msg, flags);
439 xfree(blob); 439 free(blob);
440 440
441 if (ssh_request_reply(auth, &msg, &msg) == 0) { 441 if (ssh_request_reply(auth, &msg, &msg) == 0) {
442 buffer_free(&msg); 442 buffer_free(&msg);
@@ -612,7 +612,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
612 key_to_blob(key, &blob, &blen); 612 key_to_blob(key, &blob, &blen);
613 buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); 613 buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
614 buffer_put_string(&msg, blob, blen); 614 buffer_put_string(&msg, blob, blen);
615 xfree(blob); 615 free(blob);
616 } else { 616 } else {
617 buffer_free(&msg); 617 buffer_free(&msg);
618 return 0; 618 return 0;
diff --git a/authfile.c b/authfile.c
index 1ecbda8b1..cb95cfcb8 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: authfile.c,v 1.97 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -90,7 +90,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
90 u_char buf[100], *cp; 90 u_char buf[100], *cp;
91 int i, cipher_num; 91 int i, cipher_num;
92 CipherContext ciphercontext; 92 CipherContext ciphercontext;
93 Cipher *cipher; 93 const Cipher *cipher;
94 u_int32_t rnd; 94 u_int32_t rnd;
95 95
96 /* 96 /*
@@ -422,7 +422,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
422 Buffer decrypted; 422 Buffer decrypted;
423 u_char *cp; 423 u_char *cp;
424 CipherContext ciphercontext; 424 CipherContext ciphercontext;
425 Cipher *cipher; 425 const Cipher *cipher;
426 Key *prv = NULL; 426 Key *prv = NULL;
427 Buffer copy; 427 Buffer copy;
428 428
@@ -510,8 +510,8 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
510 return prv; 510 return prv;
511 511
512fail: 512fail:
513 if (commentp) 513 if (commentp != NULL)
514 xfree(*commentp); 514 free(*commentp);
515 key_free(prv); 515 key_free(prv);
516 return NULL; 516 return NULL;
517} 517}
@@ -833,10 +833,10 @@ key_load_cert(const char *filename)
833 pub = key_new(KEY_UNSPEC); 833 pub = key_new(KEY_UNSPEC);
834 xasprintf(&file, "%s-cert.pub", filename); 834 xasprintf(&file, "%s-cert.pub", filename);
835 if (key_try_load_public(pub, file, NULL) == 1) { 835 if (key_try_load_public(pub, file, NULL) == 1) {
836 xfree(file); 836 free(file);
837 return pub; 837 return pub;
838 } 838 }
839 xfree(file); 839 free(file);
840 key_free(pub); 840 key_free(pub);
841 return NULL; 841 return NULL;
842} 842}
@@ -1034,10 +1034,9 @@ blacklisted_key_in_file(Key *key, const char *blacklist_file, char **fp)
1034 } 1034 }
1035 1035
1036out: 1036out:
1037 if (dgst_packed) 1037 free(dgst_packed);
1038 xfree(dgst_packed);
1039 if (ret != 1 && dgst_hex) { 1038 if (ret != 1 && dgst_hex) {
1040 xfree(dgst_hex); 1039 free(dgst_hex);
1041 dgst_hex = NULL; 1040 dgst_hex = NULL;
1042 } 1041 }
1043 if (fp) 1042 if (fp)
@@ -1065,7 +1064,7 @@ blacklisted_key(Key *key, char **fp)
1065 xasprintf(&blacklist_file, "%s.%s-%u", 1064 xasprintf(&blacklist_file, "%s.%s-%u",
1066 _PATH_BLACKLIST, key_type(public), key_size(public)); 1065 _PATH_BLACKLIST, key_type(public), key_size(public));
1067 ret = blacklisted_key_in_file(public, blacklist_file, fp); 1066 ret = blacklisted_key_in_file(public, blacklist_file, fp);
1068 xfree(blacklist_file); 1067 free(blacklist_file);
1069 if (ret > 0) { 1068 if (ret > 0) {
1070 key_free(public); 1069 key_free(public);
1071 return ret; 1070 return ret;
@@ -1074,7 +1073,7 @@ blacklisted_key(Key *key, char **fp)
1074 xasprintf(&blacklist_file, "%s.%s-%u", 1073 xasprintf(&blacklist_file, "%s.%s-%u",
1075 _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); 1074 _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
1076 ret2 = blacklisted_key_in_file(public, blacklist_file, fp); 1075 ret2 = blacklisted_key_in_file(public, blacklist_file, fp);
1077 xfree(blacklist_file); 1076 free(blacklist_file);
1078 if (ret2 > ret) 1077 if (ret2 > ret)
1079 ret = ret2; 1078 ret = ret2;
1080 1079
diff --git a/bufaux.c b/bufaux.c
index 00208ca27..de5b3ca1a 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufaux.c,v 1.50 2010/08/31 09:58:37 djm Exp $ */ 1/* $OpenBSD: bufaux.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -181,7 +181,7 @@ buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
181 /* Get the string. */ 181 /* Get the string. */
182 if (buffer_get_ret(buffer, value, len) == -1) { 182 if (buffer_get_ret(buffer, value, len) == -1) {
183 error("buffer_get_string_ret: buffer_get failed"); 183 error("buffer_get_string_ret: buffer_get failed");
184 xfree(value); 184 free(value);
185 return (NULL); 185 return (NULL);
186 } 186 }
187 /* Append a null character to make processing easier. */ 187 /* Append a null character to make processing easier. */
@@ -216,7 +216,7 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
216 error("buffer_get_cstring_ret: string contains \\0"); 216 error("buffer_get_cstring_ret: string contains \\0");
217 else { 217 else {
218 bzero(ret, length); 218 bzero(ret, length);
219 xfree(ret); 219 free(ret);
220 return NULL; 220 return NULL;
221 } 221 }
222 } 222 }
@@ -285,7 +285,7 @@ buffer_put_cstring(Buffer *buffer, const char *s)
285 * Returns a character from the buffer (0 - 255). 285 * Returns a character from the buffer (0 - 255).
286 */ 286 */
287int 287int
288buffer_get_char_ret(char *ret, Buffer *buffer) 288buffer_get_char_ret(u_char *ret, Buffer *buffer)
289{ 289{
290 if (buffer_get_ret(buffer, ret, 1) == -1) { 290 if (buffer_get_ret(buffer, ret, 1) == -1) {
291 error("buffer_get_char_ret: buffer_get_ret failed"); 291 error("buffer_get_char_ret: buffer_get_ret failed");
@@ -297,11 +297,11 @@ buffer_get_char_ret(char *ret, Buffer *buffer)
297int 297int
298buffer_get_char(Buffer *buffer) 298buffer_get_char(Buffer *buffer)
299{ 299{
300 char ch; 300 u_char ch;
301 301
302 if (buffer_get_char_ret(&ch, buffer) == -1) 302 if (buffer_get_char_ret(&ch, buffer) == -1)
303 fatal("buffer_get_char: buffer error"); 303 fatal("buffer_get_char: buffer error");
304 return (u_char) ch; 304 return ch;
305} 305}
306 306
307/* 307/*
diff --git a/bufbn.c b/bufbn.c
index 251cd0951..1fbfbbcc9 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/ 1/* $OpenBSD: bufbn.c,v 1.7 2013/05/17 00:13:13 djm Exp $*/
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -69,7 +69,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
69 if (oi != bin_size) { 69 if (oi != bin_size) {
70 error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d", 70 error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
71 oi, bin_size); 71 oi, bin_size);
72 xfree(buf); 72 free(buf);
73 return (-1); 73 return (-1);
74 } 74 }
75 75
@@ -80,7 +80,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
80 buffer_append(buffer, buf, oi); 80 buffer_append(buffer, buf, oi);
81 81
82 memset(buf, 0, bin_size); 82 memset(buf, 0, bin_size);
83 xfree(buf); 83 free(buf);
84 84
85 return (0); 85 return (0);
86} 86}
@@ -167,13 +167,13 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
167 if (oi < 0 || (u_int)oi != bytes - 1) { 167 if (oi < 0 || (u_int)oi != bytes - 1) {
168 error("buffer_put_bignum2_ret: BN_bn2bin() failed: " 168 error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
169 "oi %d != bin_size %d", oi, bytes); 169 "oi %d != bin_size %d", oi, bytes);
170 xfree(buf); 170 free(buf);
171 return (-1); 171 return (-1);
172 } 172 }
173 hasnohigh = (buf[1] & 0x80) ? 0 : 1; 173 hasnohigh = (buf[1] & 0x80) ? 0 : 1;
174 buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); 174 buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
175 memset(buf, 0, bytes); 175 memset(buf, 0, bytes);
176 xfree(buf); 176 free(buf);
177 return (0); 177 return (0);
178} 178}
179 179
@@ -197,21 +197,21 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
197 197
198 if (len > 0 && (bin[0] & 0x80)) { 198 if (len > 0 && (bin[0] & 0x80)) {
199 error("buffer_get_bignum2_ret: negative numbers not supported"); 199 error("buffer_get_bignum2_ret: negative numbers not supported");
200 xfree(bin); 200 free(bin);
201 return (-1); 201 return (-1);
202 } 202 }
203 if (len > 8 * 1024) { 203 if (len > 8 * 1024) {
204 error("buffer_get_bignum2_ret: cannot handle BN of size %d", 204 error("buffer_get_bignum2_ret: cannot handle BN of size %d",
205 len); 205 len);
206 xfree(bin); 206 free(bin);
207 return (-1); 207 return (-1);
208 } 208 }
209 if (BN_bin2bn(bin, len, value) == NULL) { 209 if (BN_bin2bn(bin, len, value) == NULL) {
210 error("buffer_get_bignum2_ret: BN_bin2bn failed"); 210 error("buffer_get_bignum2_ret: BN_bin2bn failed");
211 xfree(bin); 211 free(bin);
212 return (-1); 212 return (-1);
213 } 213 }
214 xfree(bin); 214 free(bin);
215 return (0); 215 return (0);
216} 216}
217 217
diff --git a/bufec.c b/bufec.c
index 3dcb49477..6c0048978 100644
--- a/bufec.c
+++ b/bufec.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufec.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: bufec.c,v 1.2 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Damien Miller <djm@mindrot.org> 3 * Copyright (c) 2010 Damien Miller <djm@mindrot.org>
4 * 4 *
@@ -78,7 +78,7 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
78 out: 78 out:
79 if (buf != NULL) { 79 if (buf != NULL) {
80 bzero(buf, len); 80 bzero(buf, len);
81 xfree(buf); 81 free(buf);
82 } 82 }
83 BN_CTX_free(bnctx); 83 BN_CTX_free(bnctx);
84 return ret; 84 return ret;
@@ -131,7 +131,7 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
131 out: 131 out:
132 BN_CTX_free(bnctx); 132 BN_CTX_free(bnctx);
133 bzero(buf, len); 133 bzero(buf, len);
134 xfree(buf); 134 free(buf);
135 return ret; 135 return ret;
136} 136}
137 137
diff --git a/buffer.c b/buffer.c
index ae9700344..007e7f94e 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: buffer.c,v 1.32 2010/02/09 03:56:28 djm Exp $ */ 1/* $OpenBSD: buffer.c,v 1.33 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -50,7 +50,7 @@ buffer_free(Buffer *buffer)
50 if (buffer->alloc > 0) { 50 if (buffer->alloc > 0) {
51 memset(buffer->buf, 0, buffer->alloc); 51 memset(buffer->buf, 0, buffer->alloc);
52 buffer->alloc = 0; 52 buffer->alloc = 0;
53 xfree(buffer->buf); 53 free(buffer->buf);
54 } 54 }
55} 55}
56 56
diff --git a/buffer.h b/buffer.h
index e2a9dd100..4fa2ca112 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: buffer.h,v 1.21 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: buffer.h,v 1.22 2013/07/12 00:19:58 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -84,7 +84,7 @@ int buffer_get_int64_ret(u_int64_t *, Buffer *);
84void *buffer_get_string_ret(Buffer *, u_int *); 84void *buffer_get_string_ret(Buffer *, u_int *);
85char *buffer_get_cstring_ret(Buffer *, u_int *); 85char *buffer_get_cstring_ret(Buffer *, u_int *);
86void *buffer_get_string_ptr_ret(Buffer *, u_int *); 86void *buffer_get_string_ptr_ret(Buffer *, u_int *);
87int buffer_get_char_ret(char *, Buffer *); 87int buffer_get_char_ret(u_char *, Buffer *);
88 88
89#ifdef OPENSSL_HAS_ECC 89#ifdef OPENSSL_HAS_ECC
90#include <openssl/ec.h> 90#include <openssl/ec.h>
diff --git a/canohost.c b/canohost.c
index dabd8a31a..69e8e6f6d 100644
--- a/canohost.c
+++ b/canohost.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */ 1/* $OpenBSD: canohost.c,v 1.67 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -41,7 +41,7 @@ static int cached_port = -1;
41 41
42/* 42/*
43 * Return the canonical name of the host at the other end of the socket. The 43 * Return the canonical name of the host at the other end of the socket. The
44 * caller should free the returned string with xfree. 44 * caller should free the returned string.
45 */ 45 */
46 46
47static char * 47static char *
@@ -323,10 +323,8 @@ get_local_name(int fd)
323void 323void
324clear_cached_addr(void) 324clear_cached_addr(void)
325{ 325{
326 if (canonical_host_ip != NULL) { 326 free(canonical_host_ip);
327 xfree(canonical_host_ip); 327 canonical_host_ip = NULL;
328 canonical_host_ip = NULL;
329 }
330 cached_port = -1; 328 cached_port = -1;
331} 329}
332 330
diff --git a/channels.c b/channels.c
index 9cf85a38d..ac675c742 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ 1/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -213,6 +213,7 @@ channel_lookup(int id)
213 case SSH_CHANNEL_OPEN: 213 case SSH_CHANNEL_OPEN:
214 case SSH_CHANNEL_INPUT_DRAINING: 214 case SSH_CHANNEL_INPUT_DRAINING:
215 case SSH_CHANNEL_OUTPUT_DRAINING: 215 case SSH_CHANNEL_OUTPUT_DRAINING:
216 case SSH_CHANNEL_ABANDONED:
216 return (c); 217 return (c);
217 } 218 }
218 logit("Non-public channel %d, type %d.", id, c->type); 219 logit("Non-public channel %d, type %d.", id, c->type);
@@ -247,7 +248,10 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
247 248
248 if ((c->isatty = is_tty) != 0) 249 if ((c->isatty = is_tty) != 0)
249 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 250 debug2("channel %d: rfd %d isatty", c->self, c->rfd);
251#ifdef _AIX
252 /* XXX: Later AIX versions can't push as much data to tty */
250 c->wfd_isatty = is_tty || isatty(c->wfd); 253 c->wfd_isatty = is_tty || isatty(c->wfd);
254#endif
251 255
252 /* enable nonblocking mode */ 256 /* enable nonblocking mode */
253 if (nonblock) { 257 if (nonblock) {
@@ -401,7 +405,7 @@ channel_free(Channel *c)
401 405
402 s = channel_open_message(); 406 s = channel_open_message();
403 debug3("channel %d: status: %s", c->self, s); 407 debug3("channel %d: status: %s", c->self, s);
404 xfree(s); 408 free(s);
405 409
406 if (c->sock != -1) 410 if (c->sock != -1)
407 shutdown(c->sock, SHUT_RDWR); 411 shutdown(c->sock, SHUT_RDWR);
@@ -409,29 +413,23 @@ channel_free(Channel *c)
409 buffer_free(&c->input); 413 buffer_free(&c->input);
410 buffer_free(&c->output); 414 buffer_free(&c->output);
411 buffer_free(&c->extended); 415 buffer_free(&c->extended);
412 if (c->remote_name) { 416 free(c->remote_name);
413 xfree(c->remote_name); 417 c->remote_name = NULL;
414 c->remote_name = NULL; 418 free(c->path);
415 } 419 c->path = NULL;
416 if (c->path) { 420 free(c->listening_addr);
417 xfree(c->path); 421 c->listening_addr = NULL;
418 c->path = NULL;
419 }
420 if (c->listening_addr) {
421 xfree(c->listening_addr);
422 c->listening_addr = NULL;
423 }
424 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 422 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
425 if (cc->abandon_cb != NULL) 423 if (cc->abandon_cb != NULL)
426 cc->abandon_cb(c, cc->ctx); 424 cc->abandon_cb(c, cc->ctx);
427 TAILQ_REMOVE(&c->status_confirms, cc, entry); 425 TAILQ_REMOVE(&c->status_confirms, cc, entry);
428 bzero(cc, sizeof(*cc)); 426 bzero(cc, sizeof(*cc));
429 xfree(cc); 427 free(cc);
430 } 428 }
431 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 429 if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
432 c->filter_cleanup(c->self, c->filter_ctx); 430 c->filter_cleanup(c->self, c->filter_ctx);
433 channels[c->self] = NULL; 431 channels[c->self] = NULL;
434 xfree(c); 432 free(c);
435} 433}
436 434
437void 435void
@@ -536,6 +534,7 @@ channel_still_open(void)
536 case SSH_CHANNEL_DYNAMIC: 534 case SSH_CHANNEL_DYNAMIC:
537 case SSH_CHANNEL_CONNECTING: 535 case SSH_CHANNEL_CONNECTING:
538 case SSH_CHANNEL_ZOMBIE: 536 case SSH_CHANNEL_ZOMBIE:
537 case SSH_CHANNEL_ABANDONED:
539 continue; 538 continue;
540 case SSH_CHANNEL_LARVAL: 539 case SSH_CHANNEL_LARVAL:
541 if (!compat20) 540 if (!compat20)
@@ -581,6 +580,7 @@ channel_find_open(void)
581 case SSH_CHANNEL_OPENING: 580 case SSH_CHANNEL_OPENING:
582 case SSH_CHANNEL_CONNECTING: 581 case SSH_CHANNEL_CONNECTING:
583 case SSH_CHANNEL_ZOMBIE: 582 case SSH_CHANNEL_ZOMBIE:
583 case SSH_CHANNEL_ABANDONED:
584 continue; 584 continue;
585 case SSH_CHANNEL_LARVAL: 585 case SSH_CHANNEL_LARVAL:
586 case SSH_CHANNEL_AUTH_SOCKET: 586 case SSH_CHANNEL_AUTH_SOCKET:
@@ -628,6 +628,7 @@ channel_open_message(void)
628 case SSH_CHANNEL_CLOSED: 628 case SSH_CHANNEL_CLOSED:
629 case SSH_CHANNEL_AUTH_SOCKET: 629 case SSH_CHANNEL_AUTH_SOCKET:
630 case SSH_CHANNEL_ZOMBIE: 630 case SSH_CHANNEL_ZOMBIE:
631 case SSH_CHANNEL_ABANDONED:
631 case SSH_CHANNEL_MUX_CLIENT: 632 case SSH_CHANNEL_MUX_CLIENT:
632 case SSH_CHANNEL_MUX_LISTENER: 633 case SSH_CHANNEL_MUX_LISTENER:
633 continue; 634 continue;
@@ -1080,10 +1081,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
1080 strlcpy(username, p, sizeof(username)); 1081 strlcpy(username, p, sizeof(username));
1081 buffer_consume(&c->input, len); 1082 buffer_consume(&c->input, len);
1082 1083
1083 if (c->path != NULL) { 1084 free(c->path);
1084 xfree(c->path); 1085 c->path = NULL;
1085 c->path = NULL;
1086 }
1087 if (need == 1) { /* SOCKS4: one string */ 1086 if (need == 1) { /* SOCKS4: one string */
1088 host = inet_ntoa(s4_req.dest_addr); 1087 host = inet_ntoa(s4_req.dest_addr);
1089 c->path = xstrdup(host); 1088 c->path = xstrdup(host);
@@ -1143,7 +1142,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1143 u_int8_t atyp; 1142 u_int8_t atyp;
1144 } s5_req, s5_rsp; 1143 } s5_req, s5_rsp;
1145 u_int16_t dest_port; 1144 u_int16_t dest_port;
1146 u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1145 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1146 u_char *p;
1147 u_int have, need, i, found, nmethods, addrlen, af; 1147 u_int have, need, i, found, nmethods, addrlen, af;
1148 1148
1149 debug2("channel %d: decode socks5", c->self); 1149 debug2("channel %d: decode socks5", c->self);
@@ -1213,13 +1213,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1213 buffer_consume(&c->input, sizeof(s5_req)); 1213 buffer_consume(&c->input, sizeof(s5_req));
1214 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1214 if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1215 buffer_consume(&c->input, 1); /* host string length */ 1215 buffer_consume(&c->input, 1); /* host string length */
1216 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1216 buffer_get(&c->input, &dest_addr, addrlen);
1217 buffer_get(&c->input, (char *)&dest_port, 2); 1217 buffer_get(&c->input, (char *)&dest_port, 2);
1218 dest_addr[addrlen] = '\0'; 1218 dest_addr[addrlen] = '\0';
1219 if (c->path != NULL) { 1219 free(c->path);
1220 xfree(c->path); 1220 c->path = NULL;
1221 c->path = NULL;
1222 }
1223 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1221 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1224 if (addrlen >= NI_MAXHOST) { 1222 if (addrlen >= NI_MAXHOST) {
1225 error("channel %d: dynamic request: socks5 hostname " 1223 error("channel %d: dynamic request: socks5 hostname "
@@ -1241,11 +1239,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1241 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1239 s5_rsp.command = SSH_SOCKS5_SUCCESS;
1242 s5_rsp.reserved = 0; /* ignored */ 1240 s5_rsp.reserved = 0; /* ignored */
1243 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1241 s5_rsp.atyp = SSH_SOCKS5_IPV4;
1244 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
1245 dest_port = 0; /* ignored */ 1242 dest_port = 0; /* ignored */
1246 1243
1247 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1244 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
1248 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1245 buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */
1249 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1246 buffer_append(&c->output, &dest_port, sizeof(dest_port));
1250 return 1; 1247 return 1;
1251} 1248}
@@ -1324,7 +1321,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1324{ 1321{
1325 Channel *nc; 1322 Channel *nc;
1326 struct sockaddr_storage addr; 1323 struct sockaddr_storage addr;
1327 int newsock; 1324 int newsock, oerrno;
1328 socklen_t addrlen; 1325 socklen_t addrlen;
1329 char buf[16384], *remote_ipaddr; 1326 char buf[16384], *remote_ipaddr;
1330 int remote_port; 1327 int remote_port;
@@ -1334,14 +1331,18 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1334 addrlen = sizeof(addr); 1331 addrlen = sizeof(addr);
1335 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1332 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1336 if (c->single_connection) { 1333 if (c->single_connection) {
1334 oerrno = errno;
1337 debug2("single_connection: closing X11 listener."); 1335 debug2("single_connection: closing X11 listener.");
1338 channel_close_fd(&c->sock); 1336 channel_close_fd(&c->sock);
1339 chan_mark_dead(c); 1337 chan_mark_dead(c);
1338 errno = oerrno;
1340 } 1339 }
1341 if (newsock < 0) { 1340 if (newsock < 0) {
1342 error("accept: %.100s", strerror(errno)); 1341 if (errno != EINTR && errno != EWOULDBLOCK &&
1342 errno != ECONNABORTED)
1343 error("accept: %.100s", strerror(errno));
1343 if (errno == EMFILE || errno == ENFILE) 1344 if (errno == EMFILE || errno == ENFILE)
1344 c->notbefore = time(NULL) + 1; 1345 c->notbefore = monotime() + 1;
1345 return; 1346 return;
1346 } 1347 }
1347 set_nodelay(newsock); 1348 set_nodelay(newsock);
@@ -1375,7 +1376,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1375 packet_put_cstring(buf); 1376 packet_put_cstring(buf);
1376 packet_send(); 1377 packet_send();
1377 } 1378 }
1378 xfree(remote_ipaddr); 1379 free(remote_ipaddr);
1379 } 1380 }
1380} 1381}
1381 1382
@@ -1389,7 +1390,7 @@ port_open_helper(Channel *c, char *rtype)
1389 1390
1390 if (remote_port == -1) { 1391 if (remote_port == -1) {
1391 /* Fake addr/port to appease peers that validate it (Tectia) */ 1392 /* Fake addr/port to appease peers that validate it (Tectia) */
1392 xfree(remote_ipaddr); 1393 free(remote_ipaddr);
1393 remote_ipaddr = xstrdup("127.0.0.1"); 1394 remote_ipaddr = xstrdup("127.0.0.1");
1394 remote_port = 65535; 1395 remote_port = 65535;
1395 } 1396 }
@@ -1402,7 +1403,7 @@ port_open_helper(Channel *c, char *rtype)
1402 rtype, c->listening_port, c->path, c->host_port, 1403 rtype, c->listening_port, c->path, c->host_port,
1403 remote_ipaddr, remote_port); 1404 remote_ipaddr, remote_port);
1404 1405
1405 xfree(c->remote_name); 1406 free(c->remote_name);
1406 c->remote_name = xstrdup(buf); 1407 c->remote_name = xstrdup(buf);
1407 1408
1408 if (compat20) { 1409 if (compat20) {
@@ -1434,7 +1435,7 @@ port_open_helper(Channel *c, char *rtype)
1434 packet_put_cstring(c->remote_name); 1435 packet_put_cstring(c->remote_name);
1435 packet_send(); 1436 packet_send();
1436 } 1437 }
1437 xfree(remote_ipaddr); 1438 free(remote_ipaddr);
1438} 1439}
1439 1440
1440static void 1441static void
@@ -1484,9 +1485,11 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
1484 addrlen = sizeof(addr); 1485 addrlen = sizeof(addr);
1485 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1486 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1486 if (newsock < 0) { 1487 if (newsock < 0) {
1487 error("accept: %.100s", strerror(errno)); 1488 if (errno != EINTR && errno != EWOULDBLOCK &&
1489 errno != ECONNABORTED)
1490 error("accept: %.100s", strerror(errno));
1488 if (errno == EMFILE || errno == ENFILE) 1491 if (errno == EMFILE || errno == ENFILE)
1489 c->notbefore = time(NULL) + 1; 1492 c->notbefore = monotime() + 1;
1490 return; 1493 return;
1491 } 1494 }
1492 set_nodelay(newsock); 1495 set_nodelay(newsock);
@@ -1522,7 +1525,7 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
1522 error("accept from auth socket: %.100s", 1525 error("accept from auth socket: %.100s",
1523 strerror(errno)); 1526 strerror(errno));
1524 if (errno == EMFILE || errno == ENFILE) 1527 if (errno == EMFILE || errno == ENFILE)
1525 c->notbefore = time(NULL) + 1; 1528 c->notbefore = monotime() + 1;
1526 return; 1529 return;
1527 } 1530 }
1528 nc = channel_new("accepted auth socket", 1531 nc = channel_new("accepted auth socket",
@@ -1685,7 +1688,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
1685 if (c->datagram) { 1688 if (c->datagram) {
1686 /* ignore truncated writes, datagrams might get lost */ 1689 /* ignore truncated writes, datagrams might get lost */
1687 len = write(c->wfd, buf, dlen); 1690 len = write(c->wfd, buf, dlen);
1688 xfree(data); 1691 free(data);
1689 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1692 if (len < 0 && (errno == EINTR || errno == EAGAIN ||
1690 errno == EWOULDBLOCK)) 1693 errno == EWOULDBLOCK))
1691 return 1; 1694 return 1;
@@ -1926,7 +1929,7 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset)
1926 &addrlen)) == -1) { 1929 &addrlen)) == -1) {
1927 error("%s accept: %s", __func__, strerror(errno)); 1930 error("%s accept: %s", __func__, strerror(errno));
1928 if (errno == EMFILE || errno == ENFILE) 1931 if (errno == EMFILE || errno == ENFILE)
1929 c->notbefore = time(NULL) + 1; 1932 c->notbefore = monotime() + 1;
1930 return; 1933 return;
1931 } 1934 }
1932 1935
@@ -2089,7 +2092,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset,
2089 channel_handler_init(); 2092 channel_handler_init();
2090 did_init = 1; 2093 did_init = 1;
2091 } 2094 }
2092 now = time(NULL); 2095 now = monotime();
2093 if (unpause_secs != NULL) 2096 if (unpause_secs != NULL)
2094 *unpause_secs = 0; 2097 *unpause_secs = 0;
2095 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2098 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) {
@@ -2219,7 +2222,7 @@ channel_output_poll(void)
2219 debug("channel %d: datagram " 2222 debug("channel %d: datagram "
2220 "too big for channel", 2223 "too big for channel",
2221 c->self); 2224 c->self);
2222 xfree(data); 2225 free(data);
2223 continue; 2226 continue;
2224 } 2227 }
2225 packet_start(SSH2_MSG_CHANNEL_DATA); 2228 packet_start(SSH2_MSG_CHANNEL_DATA);
@@ -2227,7 +2230,7 @@ channel_output_poll(void)
2227 packet_put_string(data, dlen); 2230 packet_put_string(data, dlen);
2228 packet_send(); 2231 packet_send();
2229 c->remote_window -= dlen + 4; 2232 c->remote_window -= dlen + 4;
2230 xfree(data); 2233 free(data);
2231 } 2234 }
2232 continue; 2235 continue;
2233 } 2236 }
@@ -2399,13 +2402,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
2399 if (data_len > c->local_window) { 2402 if (data_len > c->local_window) {
2400 logit("channel %d: rcvd too much extended_data %d, win %d", 2403 logit("channel %d: rcvd too much extended_data %d, win %d",
2401 c->self, data_len, c->local_window); 2404 c->self, data_len, c->local_window);
2402 xfree(data); 2405 free(data);
2403 return; 2406 return;
2404 } 2407 }
2405 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2408 debug2("channel %d: rcvd ext data %d", c->self, data_len);
2406 c->local_window -= data_len; 2409 c->local_window -= data_len;
2407 buffer_append(&c->extended, data, data_len); 2410 buffer_append(&c->extended, data, data_len);
2408 xfree(data); 2411 free(data);
2409} 2412}
2410 2413
2411/* ARGSUSED */ 2414/* ARGSUSED */
@@ -2495,7 +2498,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
2495 if (c == NULL) 2498 if (c == NULL)
2496 packet_disconnect("Received close confirmation for " 2499 packet_disconnect("Received close confirmation for "
2497 "out-of-range channel %d.", id); 2500 "out-of-range channel %d.", id);
2498 if (c->type != SSH_CHANNEL_CLOSED) 2501 if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED)
2499 packet_disconnect("Received close confirmation for " 2502 packet_disconnect("Received close confirmation for "
2500 "non-closed channel %d (type %d).", id, c->type); 2503 "non-closed channel %d (type %d).", id, c->type);
2501 channel_free(c); 2504 channel_free(c);
@@ -2571,10 +2574,8 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
2571 } 2574 }
2572 logit("channel %d: open failed: %s%s%s", id, 2575 logit("channel %d: open failed: %s%s%s", id,
2573 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2576 reason2txt(reason), msg ? ": ": "", msg ? msg : "");
2574 if (msg != NULL) 2577 free(msg);
2575 xfree(msg); 2578 free(lang);
2576 if (lang != NULL)
2577 xfree(lang);
2578 if (c->open_confirm) { 2579 if (c->open_confirm) {
2579 debug2("callback start"); 2580 debug2("callback start");
2580 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2581 c->open_confirm(c->self, 0, c->open_confirm_ctx);
@@ -2632,8 +2633,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
2632 packet_check_eom(); 2633 packet_check_eom();
2633 c = channel_connect_to(host, host_port, 2634 c = channel_connect_to(host, host_port,
2634 "connected socket", originator_string); 2635 "connected socket", originator_string);
2635 xfree(originator_string); 2636 free(originator_string);
2636 xfree(host); 2637 free(host);
2637 if (c == NULL) { 2638 if (c == NULL) {
2638 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2639 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2639 packet_put_int(remote_id); 2640 packet_put_int(remote_id);
@@ -2668,7 +2669,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
2668 cc->cb(type, c, cc->ctx); 2669 cc->cb(type, c, cc->ctx);
2669 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2670 TAILQ_REMOVE(&c->status_confirms, cc, entry);
2670 bzero(cc, sizeof(*cc)); 2671 bzero(cc, sizeof(*cc));
2671 xfree(cc); 2672 free(cc);
2672} 2673}
2673 2674
2674/* -- tcp forwarding */ 2675/* -- tcp forwarding */
@@ -3048,7 +3049,7 @@ channel_request_rforward_cancel(const char *host, u_short port)
3048 3049
3049 permitted_opens[i].listen_port = 0; 3050 permitted_opens[i].listen_port = 0;
3050 permitted_opens[i].port_to_connect = 0; 3051 permitted_opens[i].port_to_connect = 0;
3051 xfree(permitted_opens[i].host_to_connect); 3052 free(permitted_opens[i].host_to_connect);
3052 permitted_opens[i].host_to_connect = NULL; 3053 permitted_opens[i].host_to_connect = NULL;
3053 3054
3054 return 0; 3055 return 0;
@@ -3089,7 +3090,7 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
3089 host_port, gateway_ports); 3090 host_port, gateway_ports);
3090 3091
3091 /* Free the argument string. */ 3092 /* Free the argument string. */
3092 xfree(hostname); 3093 free(hostname);
3093 3094
3094 return (success ? 0 : -1); 3095 return (success ? 0 : -1);
3095} 3096}
@@ -3144,7 +3145,7 @@ channel_update_permitted_opens(int idx, int newport)
3144 } else { 3145 } else {
3145 permitted_opens[idx].listen_port = 0; 3146 permitted_opens[idx].listen_port = 0;
3146 permitted_opens[idx].port_to_connect = 0; 3147 permitted_opens[idx].port_to_connect = 0;
3147 xfree(permitted_opens[idx].host_to_connect); 3148 free(permitted_opens[idx].host_to_connect);
3148 permitted_opens[idx].host_to_connect = NULL; 3149 permitted_opens[idx].host_to_connect = NULL;
3149 } 3150 }
3150} 3151}
@@ -3177,12 +3178,9 @@ channel_clear_permitted_opens(void)
3177 int i; 3178 int i;
3178 3179
3179 for (i = 0; i < num_permitted_opens; i++) 3180 for (i = 0; i < num_permitted_opens; i++)
3180 if (permitted_opens[i].host_to_connect != NULL) 3181 free(permitted_opens[i].host_to_connect);
3181 xfree(permitted_opens[i].host_to_connect); 3182 free(permitted_opens);
3182 if (num_permitted_opens > 0) { 3183 permitted_opens = NULL;
3183 xfree(permitted_opens);
3184 permitted_opens = NULL;
3185 }
3186 num_permitted_opens = 0; 3184 num_permitted_opens = 0;
3187} 3185}
3188 3186
@@ -3192,12 +3190,9 @@ channel_clear_adm_permitted_opens(void)
3192 int i; 3190 int i;
3193 3191
3194 for (i = 0; i < num_adm_permitted_opens; i++) 3192 for (i = 0; i < num_adm_permitted_opens; i++)
3195 if (permitted_adm_opens[i].host_to_connect != NULL) 3193 free(permitted_adm_opens[i].host_to_connect);
3196 xfree(permitted_adm_opens[i].host_to_connect); 3194 free(permitted_adm_opens);
3197 if (num_adm_permitted_opens > 0) { 3195 permitted_adm_opens = NULL;
3198 xfree(permitted_adm_opens);
3199 permitted_adm_opens = NULL;
3200 }
3201 num_adm_permitted_opens = 0; 3196 num_adm_permitted_opens = 0;
3202} 3197}
3203 3198
@@ -3291,7 +3286,7 @@ connect_next(struct channel_connect *cctx)
3291static void 3286static void
3292channel_connect_ctx_free(struct channel_connect *cctx) 3287channel_connect_ctx_free(struct channel_connect *cctx)
3293{ 3288{
3294 xfree(cctx->host); 3289 free(cctx->host);
3295 if (cctx->aitop) 3290 if (cctx->aitop)
3296 freeaddrinfo(cctx->aitop); 3291 freeaddrinfo(cctx->aitop);
3297 bzero(cctx, sizeof(*cctx)); 3292 bzero(cctx, sizeof(*cctx));
@@ -3686,7 +3681,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
3686 c->remote_id = remote_id; 3681 c->remote_id = remote_id;
3687 c->force_drain = 1; 3682 c->force_drain = 1;
3688 } 3683 }
3689 xfree(remote_host); 3684 free(remote_host);
3690 if (c == NULL) { 3685 if (c == NULL) {
3691 /* Send refusal to the remote host. */ 3686 /* Send refusal to the remote host. */
3692 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3687 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
@@ -3794,7 +3789,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
3794 packet_put_int(screen_number); 3789 packet_put_int(screen_number);
3795 packet_send(); 3790 packet_send();
3796 packet_write_wait(); 3791 packet_write_wait();
3797 xfree(new_data); 3792 free(new_data);
3798} 3793}
3799 3794
3800 3795
diff --git a/channels.h b/channels.h
index d75b800f7..4fab9d7c4 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */ 1/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -55,7 +55,8 @@
55#define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */ 55#define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */
56#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */ 56#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */
57#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */ 57#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
58#define SSH_CHANNEL_MAX_TYPE 17 58#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
59#define SSH_CHANNEL_MAX_TYPE 18
59 60
60#define CHANNEL_CANCEL_PORT_STATIC -1 61#define CHANNEL_CANCEL_PORT_STATIC -1
61 62
@@ -102,7 +103,9 @@ struct Channel {
102 int sock; /* sock fd */ 103 int sock; /* sock fd */
103 int ctl_chan; /* control channel (multiplexed connections) */ 104 int ctl_chan; /* control channel (multiplexed connections) */
104 int isatty; /* rfd is a tty */ 105 int isatty; /* rfd is a tty */
106#ifdef _AIX
105 int wfd_isatty; /* wfd is a tty */ 107 int wfd_isatty; /* wfd is a tty */
108#endif
106 int client_tty; /* (client) TTY has been requested */ 109 int client_tty; /* (client) TTY has been requested */
107 int force_drain; /* force close on iEOF */ 110 int force_drain; /* force close on iEOF */
108 time_t notbefore; /* Pause IO until deadline (time_t) */ 111 time_t notbefore; /* Pause IO until deadline (time_t) */
@@ -110,7 +113,7 @@ struct Channel {
110 * channels are delayed until the first call 113 * channels are delayed until the first call
111 * to a matching pre-select handler. 114 * to a matching pre-select handler.
112 * this way post-select handlers are not 115 * this way post-select handlers are not
113 * accidenly called if a FD gets reused */ 116 * accidentally called if a FD gets reused */
114 Buffer input; /* data read from socket, to be sent over 117 Buffer input; /* data read from socket, to be sent over
115 * encrypted connection */ 118 * encrypted connection */
116 Buffer output; /* data received over encrypted connection for 119 Buffer output; /* data received over encrypted connection for
diff --git a/cipher-3des1.c b/cipher-3des1.c
index b7aa588cd..c8a70244b 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher-3des1.c,v 1.7 2010/10/01 23:05:32 djm Exp $ */ 1/* $OpenBSD: cipher-3des1.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2003 Markus Friedl. All rights reserved. 3 * Copyright (c) 2003 Markus Friedl. All rights reserved.
4 * 4 *
@@ -94,7 +94,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
94 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || 94 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
95 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { 95 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
96 memset(c, 0, sizeof(*c)); 96 memset(c, 0, sizeof(*c));
97 xfree(c); 97 free(c);
98 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 98 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
99 return (0); 99 return (0);
100 } 100 }
@@ -135,7 +135,7 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
135 EVP_CIPHER_CTX_cleanup(&c->k2); 135 EVP_CIPHER_CTX_cleanup(&c->k2);
136 EVP_CIPHER_CTX_cleanup(&c->k3); 136 EVP_CIPHER_CTX_cleanup(&c->k3);
137 memset(c, 0, sizeof(*c)); 137 memset(c, 0, sizeof(*c));
138 xfree(c); 138 free(c);
139 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 139 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
140 } 140 }
141 return (1); 141 return (1);
diff --git a/cipher-aes.c b/cipher-aes.c
index 07ec7aa5d..8b1017272 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -120,7 +120,7 @@ ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
120 120
121 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 121 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
122 memset(c, 0, sizeof(*c)); 122 memset(c, 0, sizeof(*c));
123 xfree(c); 123 free(c);
124 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 124 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
125 } 125 }
126 return (1); 126 return (1);
diff --git a/cipher-ctr.c b/cipher-ctr.c
index d1fe69f57..ea0f9b3b7 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -104,7 +104,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
104 104
105 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 105 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
106 memset(c, 0, sizeof(*c)); 106 memset(c, 0, sizeof(*c));
107 xfree(c); 107 free(c);
108 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 108 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
109 } 109 }
110 return (1); 110 return (1);
diff --git a/cipher.c b/cipher.c
index 9ca1d0065..a2cbe2bea 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ 1/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -65,7 +65,9 @@ struct Cipher {
65 u_int discard_len; 65 u_int discard_len;
66 u_int cbc_mode; 66 u_int cbc_mode;
67 const EVP_CIPHER *(*evptype)(void); 67 const EVP_CIPHER *(*evptype)(void);
68} ciphers[] = { 68};
69
70static const struct Cipher ciphers[] = {
69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, 71 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
70 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, 72 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, 73 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
@@ -98,6 +100,27 @@ struct Cipher {
98 100
99/*--*/ 101/*--*/
100 102
103/* Returns a comma-separated list of supported ciphers. */
104char *
105cipher_alg_list(void)
106{
107 char *ret = NULL;
108 size_t nlen, rlen = 0;
109 const Cipher *c;
110
111 for (c = ciphers; c->name != NULL; c++) {
112 if (c->number != SSH_CIPHER_SSH2)
113 continue;
114 if (ret != NULL)
115 ret[rlen++] = '\n';
116 nlen = strlen(c->name);
117 ret = xrealloc(ret, 1, rlen + nlen + 2);
118 memcpy(ret + rlen, c->name, nlen + 1);
119 rlen += nlen;
120 }
121 return ret;
122}
123
101u_int 124u_int
102cipher_blocksize(const Cipher *c) 125cipher_blocksize(const Cipher *c)
103{ 126{
@@ -146,20 +169,20 @@ cipher_mask_ssh1(int client)
146 return mask; 169 return mask;
147} 170}
148 171
149Cipher * 172const Cipher *
150cipher_by_name(const char *name) 173cipher_by_name(const char *name)
151{ 174{
152 Cipher *c; 175 const Cipher *c;
153 for (c = ciphers; c->name != NULL; c++) 176 for (c = ciphers; c->name != NULL; c++)
154 if (strcmp(c->name, name) == 0) 177 if (strcmp(c->name, name) == 0)
155 return c; 178 return c;
156 return NULL; 179 return NULL;
157} 180}
158 181
159Cipher * 182const Cipher *
160cipher_by_number(int id) 183cipher_by_number(int id)
161{ 184{
162 Cipher *c; 185 const Cipher *c;
163 for (c = ciphers; c->name != NULL; c++) 186 for (c = ciphers; c->name != NULL; c++)
164 if (c->number == id) 187 if (c->number == id)
165 return c; 188 return c;
@@ -170,7 +193,7 @@ cipher_by_number(int id)
170int 193int
171ciphers_valid(const char *names) 194ciphers_valid(const char *names)
172{ 195{
173 Cipher *c; 196 const Cipher *c;
174 char *cipher_list, *cp; 197 char *cipher_list, *cp;
175 char *p; 198 char *p;
176 199
@@ -182,14 +205,14 @@ ciphers_valid(const char *names)
182 c = cipher_by_name(p); 205 c = cipher_by_name(p);
183 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 206 if (c == NULL || c->number != SSH_CIPHER_SSH2) {
184 debug("bad cipher %s [%s]", p, names); 207 debug("bad cipher %s [%s]", p, names);
185 xfree(cipher_list); 208 free(cipher_list);
186 return 0; 209 return 0;
187 } else { 210 } else {
188 debug3("cipher ok: %s [%s]", p, names); 211 debug3("cipher ok: %s [%s]", p, names);
189 } 212 }
190 } 213 }
191 debug3("ciphers ok: [%s]", names); 214 debug3("ciphers ok: [%s]", names);
192 xfree(cipher_list); 215 free(cipher_list);
193 return 1; 216 return 1;
194} 217}
195 218
@@ -201,7 +224,7 @@ ciphers_valid(const char *names)
201int 224int
202cipher_number(const char *name) 225cipher_number(const char *name)
203{ 226{
204 Cipher *c; 227 const Cipher *c;
205 if (name == NULL) 228 if (name == NULL)
206 return -1; 229 return -1;
207 for (c = ciphers; c->name != NULL; c++) 230 for (c = ciphers; c->name != NULL; c++)
@@ -213,12 +236,12 @@ cipher_number(const char *name)
213char * 236char *
214cipher_name(int id) 237cipher_name(int id)
215{ 238{
216 Cipher *c = cipher_by_number(id); 239 const Cipher *c = cipher_by_number(id);
217 return (c==NULL) ? "<unknown>" : c->name; 240 return (c==NULL) ? "<unknown>" : c->name;
218} 241}
219 242
220void 243void
221cipher_init(CipherContext *cc, Cipher *cipher, 244cipher_init(CipherContext *cc, const Cipher *cipher,
222 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 245 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
223 int do_encrypt) 246 int do_encrypt)
224{ 247{
@@ -291,8 +314,8 @@ cipher_init(CipherContext *cc, Cipher *cipher,
291 cipher->discard_len) == 0) 314 cipher->discard_len) == 0)
292 fatal("evp_crypt: EVP_Cipher failed during discard"); 315 fatal("evp_crypt: EVP_Cipher failed during discard");
293 memset(discard, 0, cipher->discard_len); 316 memset(discard, 0, cipher->discard_len);
294 xfree(junk); 317 free(junk);
295 xfree(discard); 318 free(discard);
296 } 319 }
297} 320}
298 321
@@ -364,7 +387,7 @@ cipher_cleanup(CipherContext *cc)
364 */ 387 */
365 388
366void 389void
367cipher_set_key_string(CipherContext *cc, Cipher *cipher, 390cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
368 const char *passphrase, int do_encrypt) 391 const char *passphrase, int do_encrypt)
369{ 392{
370 MD5_CTX md; 393 MD5_CTX md;
@@ -389,7 +412,7 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher,
389int 412int
390cipher_get_keyiv_len(const CipherContext *cc) 413cipher_get_keyiv_len(const CipherContext *cc)
391{ 414{
392 Cipher *c = cc->cipher; 415 const Cipher *c = cc->cipher;
393 int ivlen; 416 int ivlen;
394 417
395 if (c->number == SSH_CIPHER_3DES) 418 if (c->number == SSH_CIPHER_3DES)
@@ -402,7 +425,7 @@ cipher_get_keyiv_len(const CipherContext *cc)
402void 425void
403cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 426cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
404{ 427{
405 Cipher *c = cc->cipher; 428 const Cipher *c = cc->cipher;
406 int evplen; 429 int evplen;
407 430
408 switch (c->number) { 431 switch (c->number) {
@@ -438,7 +461,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
438void 461void
439cipher_set_keyiv(CipherContext *cc, u_char *iv) 462cipher_set_keyiv(CipherContext *cc, u_char *iv)
440{ 463{
441 Cipher *c = cc->cipher; 464 const Cipher *c = cc->cipher;
442 int evplen = 0; 465 int evplen = 0;
443 466
444 switch (c->number) { 467 switch (c->number) {
@@ -471,7 +494,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
471int 494int
472cipher_get_keycontext(const CipherContext *cc, u_char *dat) 495cipher_get_keycontext(const CipherContext *cc, u_char *dat)
473{ 496{
474 Cipher *c = cc->cipher; 497 const Cipher *c = cc->cipher;
475 int plen = 0; 498 int plen = 0;
476 499
477 if (c->evptype == EVP_rc4) { 500 if (c->evptype == EVP_rc4) {
@@ -486,7 +509,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat)
486void 509void
487cipher_set_keycontext(CipherContext *cc, u_char *dat) 510cipher_set_keycontext(CipherContext *cc, u_char *dat)
488{ 511{
489 Cipher *c = cc->cipher; 512 const Cipher *c = cc->cipher;
490 int plen; 513 int plen;
491 514
492 if (c->evptype == EVP_rc4) { 515 if (c->evptype == EVP_rc4) {
diff --git a/cipher.h b/cipher.h
index 8cb57c3e5..b878d50f4 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -66,21 +66,22 @@ struct CipherContext {
66 int plaintext; 66 int plaintext;
67 int encrypt; 67 int encrypt;
68 EVP_CIPHER_CTX evp; 68 EVP_CIPHER_CTX evp;
69 Cipher *cipher; 69 const Cipher *cipher;
70}; 70};
71 71
72u_int cipher_mask_ssh1(int); 72u_int cipher_mask_ssh1(int);
73Cipher *cipher_by_name(const char *); 73const Cipher *cipher_by_name(const char *);
74Cipher *cipher_by_number(int); 74const Cipher *cipher_by_number(int);
75int cipher_number(const char *); 75int cipher_number(const char *);
76char *cipher_name(int); 76char *cipher_name(int);
77int ciphers_valid(const char *); 77int ciphers_valid(const char *);
78void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, 78char *cipher_alg_list(void);
79void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
79 const u_char *, u_int, int); 80 const u_char *, u_int, int);
80void cipher_crypt(CipherContext *, u_char *, const u_char *, 81void cipher_crypt(CipherContext *, u_char *, const u_char *,
81 u_int, u_int, u_int); 82 u_int, u_int, u_int);
82void cipher_cleanup(CipherContext *); 83void cipher_cleanup(CipherContext *);
83void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); 84void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
84u_int cipher_blocksize(const Cipher *); 85u_int cipher_blocksize(const Cipher *);
85u_int cipher_keylen(const Cipher *); 86u_int cipher_keylen(const Cipher *);
86u_int cipher_authlen(const Cipher *); 87u_int cipher_authlen(const Cipher *);
diff --git a/clientloop.c b/clientloop.c
index 1a16b2525..35550eb4d 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -277,7 +277,7 @@ set_control_persist_exit_time(void)
277 control_persist_exit_time = 0; 277 control_persist_exit_time = 0;
278 } else if (control_persist_exit_time <= 0) { 278 } else if (control_persist_exit_time <= 0) {
279 /* a client connection has recently closed */ 279 /* a client connection has recently closed */
280 control_persist_exit_time = time(NULL) + 280 control_persist_exit_time = monotime() +
281 (time_t)options.control_persist_timeout; 281 (time_t)options.control_persist_timeout;
282 debug2("%s: schedule exit in %d seconds", __func__, 282 debug2("%s: schedule exit in %d seconds", __func__,
283 options.control_persist_timeout); 283 options.control_persist_timeout);
@@ -360,7 +360,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
360 if (system(cmd) == 0) 360 if (system(cmd) == 0)
361 generated = 1; 361 generated = 1;
362 if (x11_refuse_time == 0) { 362 if (x11_refuse_time == 0) {
363 now = time(NULL) + 1; 363 now = monotime() + 1;
364 if (UINT_MAX - timeout < now) 364 if (UINT_MAX - timeout < now)
365 x11_refuse_time = UINT_MAX; 365 x11_refuse_time = UINT_MAX;
366 else 366 else
@@ -397,10 +397,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
397 unlink(xauthfile); 397 unlink(xauthfile);
398 rmdir(xauthdir); 398 rmdir(xauthdir);
399 } 399 }
400 if (xauthdir) 400 free(xauthdir);
401 xfree(xauthdir); 401 free(xauthfile);
402 if (xauthfile)
403 xfree(xauthfile);
404 402
405 /* 403 /*
406 * If we didn't get authentication data, just make up some 404 * If we didn't get authentication data, just make up some
@@ -556,7 +554,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
556 if (--gc->ref_count <= 0) { 554 if (--gc->ref_count <= 0) {
557 TAILQ_REMOVE(&global_confirms, gc, entry); 555 TAILQ_REMOVE(&global_confirms, gc, entry);
558 bzero(gc, sizeof(*gc)); 556 bzero(gc, sizeof(*gc));
559 xfree(gc); 557 free(gc);
560 } 558 }
561 559
562 packet_set_alive_timeouts(0); 560 packet_set_alive_timeouts(0);
@@ -592,7 +590,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
592{ 590{
593 struct timeval tv, *tvp; 591 struct timeval tv, *tvp;
594 int timeout_secs; 592 int timeout_secs;
595 time_t minwait_secs = 0; 593 time_t minwait_secs = 0, server_alive_time = 0, now = monotime();
596 int ret; 594 int ret;
597 595
598 /* Add any selections by the channel mechanism. */ 596 /* Add any selections by the channel mechanism. */
@@ -641,12 +639,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
641 */ 639 */
642 640
643 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 641 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
644 if (options.server_alive_interval > 0) 642 if (options.server_alive_interval > 0) {
645 timeout_secs = options.server_alive_interval; 643 timeout_secs = options.server_alive_interval;
644 server_alive_time = now + options.server_alive_interval;
645 }
646 if (options.rekey_interval > 0 && compat20 && !rekeying)
647 timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout());
646 set_control_persist_exit_time(); 648 set_control_persist_exit_time();
647 if (control_persist_exit_time > 0) { 649 if (control_persist_exit_time > 0) {
648 timeout_secs = MIN(timeout_secs, 650 timeout_secs = MIN(timeout_secs,
649 control_persist_exit_time - time(NULL)); 651 control_persist_exit_time - now);
650 if (timeout_secs < 0) 652 if (timeout_secs < 0)
651 timeout_secs = 0; 653 timeout_secs = 0;
652 } 654 }
@@ -678,8 +680,15 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
678 snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); 680 snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
679 buffer_append(&stderr_buffer, buf, strlen(buf)); 681 buffer_append(&stderr_buffer, buf, strlen(buf));
680 quit_pending = 1; 682 quit_pending = 1;
681 } else if (ret == 0) 683 } else if (ret == 0) {
682 server_alive_check(); 684 /*
685 * Timeout. Could have been either keepalive or rekeying.
686 * Keepalive we check here, rekeying is checked in clientloop.
687 */
688 if (server_alive_time != 0 && server_alive_time <= monotime())
689 server_alive_check();
690 }
691
683} 692}
684 693
685static void 694static void
@@ -824,13 +833,13 @@ client_status_confirm(int type, Channel *c, void *ctx)
824 chan_write_failed(c); 833 chan_write_failed(c);
825 } 834 }
826 } 835 }
827 xfree(cr); 836 free(cr);
828} 837}
829 838
830static void 839static void
831client_abandon_status_confirm(Channel *c, void *ctx) 840client_abandon_status_confirm(Channel *c, void *ctx)
832{ 841{
833 xfree(ctx); 842 free(ctx);
834} 843}
835 844
836void 845void
@@ -997,12 +1006,9 @@ process_cmdline(void)
997out: 1006out:
998 signal(SIGINT, handler); 1007 signal(SIGINT, handler);
999 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1008 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
1000 if (cmd) 1009 free(cmd);
1001 xfree(cmd); 1010 free(fwd.listen_host);
1002 if (fwd.listen_host != NULL) 1011 free(fwd.connect_host);
1003 xfree(fwd.listen_host);
1004 if (fwd.connect_host != NULL)
1005 xfree(fwd.connect_host);
1006} 1012}
1007 1013
1008/* reasons to suppress output of an escape command in help output */ 1014/* reasons to suppress output of an escape command in help output */
@@ -1112,8 +1118,11 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1112 if (c && c->ctl_chan != -1) { 1118 if (c && c->ctl_chan != -1) {
1113 chan_read_failed(c); 1119 chan_read_failed(c);
1114 chan_write_failed(c); 1120 chan_write_failed(c);
1115 mux_master_session_cleanup_cb(c->self, 1121 if (c->detach_user)
1116 NULL); 1122 c->detach_user(c->self, NULL);
1123 c->type = SSH_CHANNEL_ABANDONED;
1124 buffer_clear(&c->input);
1125 chan_ibuf_empty(c);
1117 return 0; 1126 return 0;
1118 } else 1127 } else
1119 quit_pending = 1; 1128 quit_pending = 1;
@@ -1259,7 +1268,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1259 buffer_append(berr, string, strlen(string)); 1268 buffer_append(berr, string, strlen(string));
1260 s = channel_open_message(); 1269 s = channel_open_message();
1261 buffer_append(berr, s, strlen(s)); 1270 buffer_append(berr, s, strlen(s));
1262 xfree(s); 1271 free(s);
1263 continue; 1272 continue;
1264 1273
1265 case 'C': 1274 case 'C':
@@ -1448,7 +1457,7 @@ client_new_escape_filter_ctx(int escape_char)
1448void 1457void
1449client_filter_cleanup(int cid, void *ctx) 1458client_filter_cleanup(int cid, void *ctx)
1450{ 1459{
1451 xfree(ctx); 1460 free(ctx);
1452} 1461}
1453 1462
1454int 1463int
@@ -1662,16 +1671,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
1662 * connections, then quit. 1671 * connections, then quit.
1663 */ 1672 */
1664 if (control_persist_exit_time > 0) { 1673 if (control_persist_exit_time > 0) {
1665 if (time(NULL) >= control_persist_exit_time) { 1674 if (monotime() >= control_persist_exit_time) {
1666 debug("ControlPersist timeout expired"); 1675 debug("ControlPersist timeout expired");
1667 break; 1676 break;
1668 } 1677 }
1669 } 1678 }
1670 } 1679 }
1671 if (readset) 1680 free(readset);
1672 xfree(readset); 1681 free(writeset);
1673 if (writeset)
1674 xfree(writeset);
1675 1682
1676 /* Terminate the session. */ 1683 /* Terminate the session. */
1677 1684
@@ -1775,7 +1782,7 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt)
1775 packet_check_eom(); 1782 packet_check_eom();
1776 buffer_append(&stdout_buffer, data, data_len); 1783 buffer_append(&stdout_buffer, data, data_len);
1777 memset(data, 0, data_len); 1784 memset(data, 0, data_len);
1778 xfree(data); 1785 free(data);
1779} 1786}
1780static void 1787static void
1781client_input_stderr_data(int type, u_int32_t seq, void *ctxt) 1788client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
@@ -1785,7 +1792,7 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
1785 packet_check_eom(); 1792 packet_check_eom();
1786 buffer_append(&stderr_buffer, data, data_len); 1793 buffer_append(&stderr_buffer, data, data_len);
1787 memset(data, 0, data_len); 1794 memset(data, 0, data_len);
1788 xfree(data); 1795 free(data);
1789} 1796}
1790static void 1797static void
1791client_input_exit_status(int type, u_int32_t seq, void *ctxt) 1798client_input_exit_status(int type, u_int32_t seq, void *ctxt)
@@ -1865,8 +1872,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
1865 c = channel_connect_by_listen_address(listen_port, 1872 c = channel_connect_by_listen_address(listen_port,
1866 "forwarded-tcpip", originator_address); 1873 "forwarded-tcpip", originator_address);
1867 1874
1868 xfree(originator_address); 1875 free(originator_address);
1869 xfree(listen_address); 1876 free(listen_address);
1870 return c; 1877 return c;
1871} 1878}
1872 1879
@@ -1884,7 +1891,7 @@ client_request_x11(const char *request_type, int rchan)
1884 "malicious server."); 1891 "malicious server.");
1885 return NULL; 1892 return NULL;
1886 } 1893 }
1887 if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) { 1894 if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
1888 verbose("Rejected X11 connection after ForwardX11Timeout " 1895 verbose("Rejected X11 connection after ForwardX11Timeout "
1889 "expired"); 1896 "expired");
1890 return NULL; 1897 return NULL;
@@ -1900,7 +1907,7 @@ client_request_x11(const char *request_type, int rchan)
1900 /* XXX check permission */ 1907 /* XXX check permission */
1901 debug("client_request_x11: request from %s %d", originator, 1908 debug("client_request_x11: request from %s %d", originator,
1902 originator_port); 1909 originator_port);
1903 xfree(originator); 1910 free(originator);
1904 sock = x11_connect_display(); 1911 sock = x11_connect_display();
1905 if (sock < 0) 1912 if (sock < 0)
1906 return NULL; 1913 return NULL;
@@ -2027,7 +2034,7 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
2027 } 2034 }
2028 packet_send(); 2035 packet_send();
2029 } 2036 }
2030 xfree(ctype); 2037 free(ctype);
2031} 2038}
2032static void 2039static void
2033client_input_channel_req(int type, u_int32_t seq, void *ctxt) 2040client_input_channel_req(int type, u_int32_t seq, void *ctxt)
@@ -2073,7 +2080,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
2073 packet_put_int(c->remote_id); 2080 packet_put_int(c->remote_id);
2074 packet_send(); 2081 packet_send();
2075 } 2082 }
2076 xfree(rtype); 2083 free(rtype);
2077} 2084}
2078static void 2085static void
2079client_input_global_request(int type, u_int32_t seq, void *ctxt) 2086client_input_global_request(int type, u_int32_t seq, void *ctxt)
@@ -2092,7 +2099,7 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
2092 packet_send(); 2099 packet_send();
2093 packet_write_wait(); 2100 packet_write_wait();
2094 } 2101 }
2095 xfree(rtype); 2102 free(rtype);
2096} 2103}
2097 2104
2098void 2105void
@@ -2142,7 +2149,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
2142 /* Split */ 2149 /* Split */
2143 name = xstrdup(env[i]); 2150 name = xstrdup(env[i]);
2144 if ((val = strchr(name, '=')) == NULL) { 2151 if ((val = strchr(name, '=')) == NULL) {
2145 xfree(name); 2152 free(name);
2146 continue; 2153 continue;
2147 } 2154 }
2148 *val++ = '\0'; 2155 *val++ = '\0';
@@ -2156,7 +2163,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
2156 } 2163 }
2157 if (!matched) { 2164 if (!matched) {
2158 debug3("Ignored env %s", name); 2165 debug3("Ignored env %s", name);
2159 xfree(name); 2166 free(name);
2160 continue; 2167 continue;
2161 } 2168 }
2162 2169
@@ -2165,7 +2172,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
2165 packet_put_cstring(name); 2172 packet_put_cstring(name);
2166 packet_put_cstring(val); 2173 packet_put_cstring(val);
2167 packet_send(); 2174 packet_send();
2168 xfree(name); 2175 free(name);
2169 } 2176 }
2170 } 2177 }
2171 2178
diff --git a/clientloop.h b/clientloop.h
index d2baa0324..338d45186 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ 1/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -76,5 +76,4 @@ void muxserver_listen(void);
76void muxclient(const char *); 76void muxclient(const char *);
77void mux_exit_message(Channel *, int); 77void mux_exit_message(Channel *, int);
78void mux_tty_alloc_failed(Channel *); 78void mux_tty_alloc_failed(Channel *);
79void mux_master_session_cleanup_cb(int, void *);
80 79
diff --git a/compat.c b/compat.c
index f680f4fe3..ac353a706 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ 1/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
4 * 4 *
@@ -204,7 +204,7 @@ proto_spec(const char *spec)
204 break; 204 break;
205 } 205 }
206 } 206 }
207 xfree(s); 207 free(s);
208 return ret; 208 return ret;
209} 209}
210 210
@@ -230,7 +230,7 @@ compat_cipher_proposal(char *cipher_prop)
230 buffer_append(&b, "\0", 1); 230 buffer_append(&b, "\0", 1);
231 fix_ciphers = xstrdup(buffer_ptr(&b)); 231 fix_ciphers = xstrdup(buffer_ptr(&b));
232 buffer_free(&b); 232 buffer_free(&b);
233 xfree(orig_prop); 233 free(orig_prop);
234 debug2("Original cipher proposal: %s", cipher_prop); 234 debug2("Original cipher proposal: %s", cipher_prop);
235 debug2("Compat cipher proposal: %s", fix_ciphers); 235 debug2("Compat cipher proposal: %s", fix_ciphers);
236 if (!*fix_ciphers) 236 if (!*fix_ciphers)
diff --git a/config.guess b/config.guess
index 78553c4ea..b94cde8ef 100755
--- a/config.guess
+++ b/config.guess
@@ -2,9 +2,9 @@
2# Attempt to guess a canonical system name. 2# Attempt to guess a canonical system name.
3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
5# 2011 Free Software Foundation, Inc. 5# 2011, 2012, 2013 Free Software Foundation, Inc.
6 6
7timestamp='2011-01-23' 7timestamp='2012-12-23'
8 8
9# This file is free software; you can redistribute it and/or modify it 9# This file is free software; you can redistribute it and/or modify it
10# under the terms of the GNU General Public License as published by 10# under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ timestamp='2011-01-23'
17# General Public License for more details. 17# General Public License for more details.
18# 18#
19# You should have received a copy of the GNU General Public License 19# You should have received a copy of the GNU General Public License
20# along with this program; if not, write to the Free Software 20# along with this program; if not, see <http://www.gnu.org/licenses/>.
21# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
22# 02110-1301, USA.
23# 21#
24# As a special exception to the GNU General Public License, if you 22# As a special exception to the GNU General Public License, if you
25# distribute this file as part of a program that contains a 23# distribute this file as part of a program that contains a
@@ -57,8 +55,8 @@ GNU config.guess ($timestamp)
57 55
58Originally written by Per Bothner. 56Originally written by Per Bothner.
59Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 57Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
602001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free 582001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
61Software Foundation, Inc. 592012, 2013 Free Software Foundation, Inc.
62 60
63This is free software; see the source for copying conditions. There is NO 61This is free software; see the source for copying conditions. There is NO
64warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 62warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
145case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in 143case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
146 *:NetBSD:*:*) 144 *:NetBSD:*:*)
147 # NetBSD (nbsd) targets should (where applicable) match one or 145 # NetBSD (nbsd) targets should (where applicable) match one or
148 # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, 146 # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
149 # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently 147 # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
150 # switched to ELF, *-*-netbsd* would select the old 148 # switched to ELF, *-*-netbsd* would select the old
151 # object file format. This provides both forward 149 # object file format. This provides both forward
@@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
181 fi 179 fi
182 ;; 180 ;;
183 *) 181 *)
184 os=netbsd 182 os=netbsd
185 ;; 183 ;;
186 esac 184 esac
187 # The OS release 185 # The OS release
@@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
202 # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 200 # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
203 echo "${machine}-${os}${release}" 201 echo "${machine}-${os}${release}"
204 exit ;; 202 exit ;;
203 *:Bitrig:*:*)
204 UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
205 echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
206 exit ;;
205 *:OpenBSD:*:*) 207 *:OpenBSD:*:*)
206 UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` 208 UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
207 echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} 209 echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
@@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
224 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` 226 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
225 ;; 227 ;;
226 *5.*) 228 *5.*)
227 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` 229 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
228 ;; 230 ;;
229 esac 231 esac
230 # According to Compaq, /usr/sbin/psrinfo has been available on 232 # According to Compaq, /usr/sbin/psrinfo has been available on
@@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
299 echo s390-ibm-zvmoe 301 echo s390-ibm-zvmoe
300 exit ;; 302 exit ;;
301 *:OS400:*:*) 303 *:OS400:*:*)
302 echo powerpc-ibm-os400 304 echo powerpc-ibm-os400
303 exit ;; 305 exit ;;
304 arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) 306 arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
305 echo arm-acorn-riscix${UNAME_RELEASE} 307 echo arm-acorn-riscix${UNAME_RELEASE}
306 exit ;; 308 exit ;;
307 arm:riscos:*:*|arm:RISCOS:*:*) 309 arm*:riscos:*:*|arm*:RISCOS:*:*)
308 echo arm-unknown-riscos 310 echo arm-unknown-riscos
309 exit ;; 311 exit ;;
310 SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) 312 SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@@ -398,23 +400,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
398 # MiNT. But MiNT is downward compatible to TOS, so this should 400 # MiNT. But MiNT is downward compatible to TOS, so this should
399 # be no problem. 401 # be no problem.
400 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) 402 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
401 echo m68k-atari-mint${UNAME_RELEASE} 403 echo m68k-atari-mint${UNAME_RELEASE}
402 exit ;; 404 exit ;;
403 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) 405 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
404 echo m68k-atari-mint${UNAME_RELEASE} 406 echo m68k-atari-mint${UNAME_RELEASE}
405 exit ;; 407 exit ;;
406 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) 408 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
407 echo m68k-atari-mint${UNAME_RELEASE} 409 echo m68k-atari-mint${UNAME_RELEASE}
408 exit ;; 410 exit ;;
409 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) 411 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
410 echo m68k-milan-mint${UNAME_RELEASE} 412 echo m68k-milan-mint${UNAME_RELEASE}
411 exit ;; 413 exit ;;
412 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) 414 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
413 echo m68k-hades-mint${UNAME_RELEASE} 415 echo m68k-hades-mint${UNAME_RELEASE}
414 exit ;; 416 exit ;;
415 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) 417 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
416 echo m68k-unknown-mint${UNAME_RELEASE} 418 echo m68k-unknown-mint${UNAME_RELEASE}
417 exit ;; 419 exit ;;
418 m68k:machten:*:*) 420 m68k:machten:*:*)
419 echo m68k-apple-machten${UNAME_RELEASE} 421 echo m68k-apple-machten${UNAME_RELEASE}
420 exit ;; 422 exit ;;
@@ -484,8 +486,8 @@ EOF
484 echo m88k-motorola-sysv3 486 echo m88k-motorola-sysv3
485 exit ;; 487 exit ;;
486 AViiON:dgux:*:*) 488 AViiON:dgux:*:*)
487 # DG/UX returns AViiON for all architectures 489 # DG/UX returns AViiON for all architectures
488 UNAME_PROCESSOR=`/usr/bin/uname -p` 490 UNAME_PROCESSOR=`/usr/bin/uname -p`
489 if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] 491 if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
490 then 492 then
491 if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ 493 if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@@ -498,7 +500,7 @@ EOF
498 else 500 else
499 echo i586-dg-dgux${UNAME_RELEASE} 501 echo i586-dg-dgux${UNAME_RELEASE}
500 fi 502 fi
501 exit ;; 503 exit ;;
502 M88*:DolphinOS:*:*) # DolphinOS (SVR3) 504 M88*:DolphinOS:*:*) # DolphinOS (SVR3)
503 echo m88k-dolphin-sysv3 505 echo m88k-dolphin-sysv3
504 exit ;; 506 exit ;;
@@ -598,52 +600,52 @@ EOF
598 9000/[678][0-9][0-9]) 600 9000/[678][0-9][0-9])
599 if [ -x /usr/bin/getconf ]; then 601 if [ -x /usr/bin/getconf ]; then
600 sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` 602 sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
601 sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` 603 sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
602 case "${sc_cpu_version}" in 604 case "${sc_cpu_version}" in
603 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 605 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
604 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 606 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
605 532) # CPU_PA_RISC2_0 607 532) # CPU_PA_RISC2_0
606 case "${sc_kernel_bits}" in 608 case "${sc_kernel_bits}" in
607 32) HP_ARCH="hppa2.0n" ;; 609 32) HP_ARCH="hppa2.0n" ;;
608 64) HP_ARCH="hppa2.0w" ;; 610 64) HP_ARCH="hppa2.0w" ;;
609 '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 611 '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
610 esac ;; 612 esac ;;
611 esac 613 esac
612 fi 614 fi
613 if [ "${HP_ARCH}" = "" ]; then 615 if [ "${HP_ARCH}" = "" ]; then
614 eval $set_cc_for_build 616 eval $set_cc_for_build
615 sed 's/^ //' << EOF >$dummy.c 617 sed 's/^ //' << EOF >$dummy.c
616 618
617 #define _HPUX_SOURCE 619 #define _HPUX_SOURCE
618 #include <stdlib.h> 620 #include <stdlib.h>
619 #include <unistd.h> 621 #include <unistd.h>
620 622
621 int main () 623 int main ()
622 { 624 {
623 #if defined(_SC_KERNEL_BITS) 625 #if defined(_SC_KERNEL_BITS)
624 long bits = sysconf(_SC_KERNEL_BITS); 626 long bits = sysconf(_SC_KERNEL_BITS);
625 #endif 627 #endif
626 long cpu = sysconf (_SC_CPU_VERSION); 628 long cpu = sysconf (_SC_CPU_VERSION);
627 629
628 switch (cpu) 630 switch (cpu)
629 { 631 {
630 case CPU_PA_RISC1_0: puts ("hppa1.0"); break; 632 case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
631 case CPU_PA_RISC1_1: puts ("hppa1.1"); break; 633 case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
632 case CPU_PA_RISC2_0: 634 case CPU_PA_RISC2_0:
633 #if defined(_SC_KERNEL_BITS) 635 #if defined(_SC_KERNEL_BITS)
634 switch (bits) 636 switch (bits)
635 { 637 {
636 case 64: puts ("hppa2.0w"); break; 638 case 64: puts ("hppa2.0w"); break;
637 case 32: puts ("hppa2.0n"); break; 639 case 32: puts ("hppa2.0n"); break;
638 default: puts ("hppa2.0"); break; 640 default: puts ("hppa2.0"); break;
639 } break; 641 } break;
640 #else /* !defined(_SC_KERNEL_BITS) */ 642 #else /* !defined(_SC_KERNEL_BITS) */
641 puts ("hppa2.0"); break; 643 puts ("hppa2.0"); break;
642 #endif 644 #endif
643 default: puts ("hppa1.0"); break; 645 default: puts ("hppa1.0"); break;
644 } 646 }
645 exit (0); 647 exit (0);
646 } 648 }
647EOF 649EOF
648 (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` 650 (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
649 test -z "$HP_ARCH" && HP_ARCH=hppa 651 test -z "$HP_ARCH" && HP_ARCH=hppa
@@ -734,22 +736,22 @@ EOF
734 exit ;; 736 exit ;;
735 C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) 737 C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
736 echo c1-convex-bsd 738 echo c1-convex-bsd
737 exit ;; 739 exit ;;
738 C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) 740 C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
739 if getsysinfo -f scalar_acc 741 if getsysinfo -f scalar_acc
740 then echo c32-convex-bsd 742 then echo c32-convex-bsd
741 else echo c2-convex-bsd 743 else echo c2-convex-bsd
742 fi 744 fi
743 exit ;; 745 exit ;;
744 C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) 746 C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
745 echo c34-convex-bsd 747 echo c34-convex-bsd
746 exit ;; 748 exit ;;
747 C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) 749 C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
748 echo c38-convex-bsd 750 echo c38-convex-bsd
749 exit ;; 751 exit ;;
750 C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) 752 C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
751 echo c4-convex-bsd 753 echo c4-convex-bsd
752 exit ;; 754 exit ;;
753 CRAY*Y-MP:*:*:*) 755 CRAY*Y-MP:*:*:*)
754 echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 756 echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
755 exit ;; 757 exit ;;
@@ -773,14 +775,14 @@ EOF
773 exit ;; 775 exit ;;
774 F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) 776 F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
775 FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` 777 FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
776 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` 778 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
777 FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` 779 FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
778 echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" 780 echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
779 exit ;; 781 exit ;;
780 5000:UNIX_System_V:4.*:*) 782 5000:UNIX_System_V:4.*:*)
781 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` 783 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
782 FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` 784 FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
783 echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" 785 echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
784 exit ;; 786 exit ;;
785 i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 787 i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
786 echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} 788 echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@@ -792,30 +794,35 @@ EOF
792 echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} 794 echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
793 exit ;; 795 exit ;;
794 *:FreeBSD:*:*) 796 *:FreeBSD:*:*)
795 case ${UNAME_MACHINE} in 797 UNAME_PROCESSOR=`/usr/bin/uname -p`
796 pc98) 798 case ${UNAME_PROCESSOR} in
797 echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
798 amd64) 799 amd64)
799 echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; 800 echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
800 *) 801 *)
801 echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; 802 echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
802 esac 803 esac
803 exit ;; 804 exit ;;
804 i*:CYGWIN*:*) 805 i*:CYGWIN*:*)
805 echo ${UNAME_MACHINE}-pc-cygwin 806 echo ${UNAME_MACHINE}-pc-cygwin
806 exit ;; 807 exit ;;
808 *:MINGW64*:*)
809 echo ${UNAME_MACHINE}-pc-mingw64
810 exit ;;
807 *:MINGW*:*) 811 *:MINGW*:*)
808 echo ${UNAME_MACHINE}-pc-mingw32 812 echo ${UNAME_MACHINE}-pc-mingw32
809 exit ;; 813 exit ;;
814 i*:MSYS*:*)
815 echo ${UNAME_MACHINE}-pc-msys
816 exit ;;
810 i*:windows32*:*) 817 i*:windows32*:*)
811 # uname -m includes "-pc" on this system. 818 # uname -m includes "-pc" on this system.
812 echo ${UNAME_MACHINE}-mingw32 819 echo ${UNAME_MACHINE}-mingw32
813 exit ;; 820 exit ;;
814 i*:PW*:*) 821 i*:PW*:*)
815 echo ${UNAME_MACHINE}-pc-pw32 822 echo ${UNAME_MACHINE}-pc-pw32
816 exit ;; 823 exit ;;
817 *:Interix*:*) 824 *:Interix*:*)
818 case ${UNAME_MACHINE} in 825 case ${UNAME_MACHINE} in
819 x86) 826 x86)
820 echo i586-pc-interix${UNAME_RELEASE} 827 echo i586-pc-interix${UNAME_RELEASE}
821 exit ;; 828 exit ;;
@@ -861,6 +868,13 @@ EOF
861 i*86:Minix:*:*) 868 i*86:Minix:*:*)
862 echo ${UNAME_MACHINE}-pc-minix 869 echo ${UNAME_MACHINE}-pc-minix
863 exit ;; 870 exit ;;
871 aarch64:Linux:*:*)
872 echo ${UNAME_MACHINE}-unknown-linux-gnu
873 exit ;;
874 aarch64_be:Linux:*:*)
875 UNAME_MACHINE=aarch64_be
876 echo ${UNAME_MACHINE}-unknown-linux-gnu
877 exit ;;
864 alpha:Linux:*:*) 878 alpha:Linux:*:*)
865 case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in 879 case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
866 EV5) UNAME_MACHINE=alphaev5 ;; 880 EV5) UNAME_MACHINE=alphaev5 ;;
@@ -870,7 +884,7 @@ EOF
870 EV6) UNAME_MACHINE=alphaev6 ;; 884 EV6) UNAME_MACHINE=alphaev6 ;;
871 EV67) UNAME_MACHINE=alphaev67 ;; 885 EV67) UNAME_MACHINE=alphaev67 ;;
872 EV68*) UNAME_MACHINE=alphaev68 ;; 886 EV68*) UNAME_MACHINE=alphaev68 ;;
873 esac 887 esac
874 objdump --private-headers /bin/sh | grep -q ld.so.1 888 objdump --private-headers /bin/sh | grep -q ld.so.1
875 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi 889 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
876 echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} 890 echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@@ -882,20 +896,29 @@ EOF
882 then 896 then
883 echo ${UNAME_MACHINE}-unknown-linux-gnu 897 echo ${UNAME_MACHINE}-unknown-linux-gnu
884 else 898 else
885 echo ${UNAME_MACHINE}-unknown-linux-gnueabi 899 if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
900 | grep -q __ARM_PCS_VFP
901 then
902 echo ${UNAME_MACHINE}-unknown-linux-gnueabi
903 else
904 echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
905 fi
886 fi 906 fi
887 exit ;; 907 exit ;;
888 avr32*:Linux:*:*) 908 avr32*:Linux:*:*)
889 echo ${UNAME_MACHINE}-unknown-linux-gnu 909 echo ${UNAME_MACHINE}-unknown-linux-gnu
890 exit ;; 910 exit ;;
891 cris:Linux:*:*) 911 cris:Linux:*:*)
892 echo cris-axis-linux-gnu 912 echo ${UNAME_MACHINE}-axis-linux-gnu
893 exit ;; 913 exit ;;
894 crisv32:Linux:*:*) 914 crisv32:Linux:*:*)
895 echo crisv32-axis-linux-gnu 915 echo ${UNAME_MACHINE}-axis-linux-gnu
896 exit ;; 916 exit ;;
897 frv:Linux:*:*) 917 frv:Linux:*:*)
898 echo frv-unknown-linux-gnu 918 echo ${UNAME_MACHINE}-unknown-linux-gnu
919 exit ;;
920 hexagon:Linux:*:*)
921 echo ${UNAME_MACHINE}-unknown-linux-gnu
899 exit ;; 922 exit ;;
900 i*86:Linux:*:*) 923 i*86:Linux:*:*)
901 LIBC=gnu 924 LIBC=gnu
@@ -937,7 +960,7 @@ EOF
937 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } 960 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
938 ;; 961 ;;
939 or32:Linux:*:*) 962 or32:Linux:*:*)
940 echo or32-unknown-linux-gnu 963 echo ${UNAME_MACHINE}-unknown-linux-gnu
941 exit ;; 964 exit ;;
942 padre:Linux:*:*) 965 padre:Linux:*:*)
943 echo sparc-unknown-linux-gnu 966 echo sparc-unknown-linux-gnu
@@ -963,7 +986,7 @@ EOF
963 echo ${UNAME_MACHINE}-ibm-linux 986 echo ${UNAME_MACHINE}-ibm-linux
964 exit ;; 987 exit ;;
965 sh64*:Linux:*:*) 988 sh64*:Linux:*:*)
966 echo ${UNAME_MACHINE}-unknown-linux-gnu 989 echo ${UNAME_MACHINE}-unknown-linux-gnu
967 exit ;; 990 exit ;;
968 sh*:Linux:*:*) 991 sh*:Linux:*:*)
969 echo ${UNAME_MACHINE}-unknown-linux-gnu 992 echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -972,16 +995,16 @@ EOF
972 echo ${UNAME_MACHINE}-unknown-linux-gnu 995 echo ${UNAME_MACHINE}-unknown-linux-gnu
973 exit ;; 996 exit ;;
974 tile*:Linux:*:*) 997 tile*:Linux:*:*)
975 echo ${UNAME_MACHINE}-tilera-linux-gnu 998 echo ${UNAME_MACHINE}-unknown-linux-gnu
976 exit ;; 999 exit ;;
977 vax:Linux:*:*) 1000 vax:Linux:*:*)
978 echo ${UNAME_MACHINE}-dec-linux-gnu 1001 echo ${UNAME_MACHINE}-dec-linux-gnu
979 exit ;; 1002 exit ;;
980 x86_64:Linux:*:*) 1003 x86_64:Linux:*:*)
981 echo x86_64-unknown-linux-gnu 1004 echo ${UNAME_MACHINE}-unknown-linux-gnu
982 exit ;; 1005 exit ;;
983 xtensa*:Linux:*:*) 1006 xtensa*:Linux:*:*)
984 echo ${UNAME_MACHINE}-unknown-linux-gnu 1007 echo ${UNAME_MACHINE}-unknown-linux-gnu
985 exit ;; 1008 exit ;;
986 i*86:DYNIX/ptx:4*:*) 1009 i*86:DYNIX/ptx:4*:*)
987 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. 1010 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -990,11 +1013,11 @@ EOF
990 echo i386-sequent-sysv4 1013 echo i386-sequent-sysv4
991 exit ;; 1014 exit ;;
992 i*86:UNIX_SV:4.2MP:2.*) 1015 i*86:UNIX_SV:4.2MP:2.*)
993 # Unixware is an offshoot of SVR4, but it has its own version 1016 # Unixware is an offshoot of SVR4, but it has its own version
994 # number series starting with 2... 1017 # number series starting with 2...
995 # I am not positive that other SVR4 systems won't match this, 1018 # I am not positive that other SVR4 systems won't match this,
996 # I just have to hope. -- rms. 1019 # I just have to hope. -- rms.
997 # Use sysv4.2uw... so that sysv4* matches it. 1020 # Use sysv4.2uw... so that sysv4* matches it.
998 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} 1021 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
999 exit ;; 1022 exit ;;
1000 i*86:OS/2:*:*) 1023 i*86:OS/2:*:*)
@@ -1026,7 +1049,7 @@ EOF
1026 fi 1049 fi
1027 exit ;; 1050 exit ;;
1028 i*86:*:5:[678]*) 1051 i*86:*:5:[678]*)
1029 # UnixWare 7.x, OpenUNIX and OpenServer 6. 1052 # UnixWare 7.x, OpenUNIX and OpenServer 6.
1030 case `/bin/uname -X | grep "^Machine"` in 1053 case `/bin/uname -X | grep "^Machine"` in
1031 *486*) UNAME_MACHINE=i486 ;; 1054 *486*) UNAME_MACHINE=i486 ;;
1032 *Pentium) UNAME_MACHINE=i586 ;; 1055 *Pentium) UNAME_MACHINE=i586 ;;
@@ -1054,13 +1077,13 @@ EOF
1054 exit ;; 1077 exit ;;
1055 pc:*:*:*) 1078 pc:*:*:*)
1056 # Left here for compatibility: 1079 # Left here for compatibility:
1057 # uname -m prints for DJGPP always 'pc', but it prints nothing about 1080 # uname -m prints for DJGPP always 'pc', but it prints nothing about
1058 # the processor, so we play safe by assuming i586. 1081 # the processor, so we play safe by assuming i586.
1059 # Note: whatever this is, it MUST be the same as what config.sub 1082 # Note: whatever this is, it MUST be the same as what config.sub
1060 # prints for the "djgpp" host, or else GDB configury will decide that 1083 # prints for the "djgpp" host, or else GDB configury will decide that
1061 # this is a cross-build. 1084 # this is a cross-build.
1062 echo i586-pc-msdosdjgpp 1085 echo i586-pc-msdosdjgpp
1063 exit ;; 1086 exit ;;
1064 Intel:Mach:3*:*) 1087 Intel:Mach:3*:*)
1065 echo i386-pc-mach3 1088 echo i386-pc-mach3
1066 exit ;; 1089 exit ;;
@@ -1095,8 +1118,8 @@ EOF
1095 /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ 1118 /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
1096 && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 1119 && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
1097 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) 1120 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
1098 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ 1121 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
1099 && { echo i486-ncr-sysv4; exit; } ;; 1122 && { echo i486-ncr-sysv4; exit; } ;;
1100 NCR*:*:4.2:* | MPRAS*:*:4.2:*) 1123 NCR*:*:4.2:* | MPRAS*:*:4.2:*)
1101 OS_REL='.3' 1124 OS_REL='.3'
1102 test -r /etc/.relid \ 1125 test -r /etc/.relid \
@@ -1139,10 +1162,10 @@ EOF
1139 echo ns32k-sni-sysv 1162 echo ns32k-sni-sysv
1140 fi 1163 fi
1141 exit ;; 1164 exit ;;
1142 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort 1165 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
1143 # says <Richard.M.Bartel@ccMail.Census.GOV> 1166 # says <Richard.M.Bartel@ccMail.Census.GOV>
1144 echo i586-unisys-sysv4 1167 echo i586-unisys-sysv4
1145 exit ;; 1168 exit ;;
1146 *:UNIX_System_V:4*:FTX*) 1169 *:UNIX_System_V:4*:FTX*)
1147 # From Gerald Hewes <hewes@openmarket.com>. 1170 # From Gerald Hewes <hewes@openmarket.com>.
1148 # How about differentiating between stratus architectures? -djm 1171 # How about differentiating between stratus architectures? -djm
@@ -1168,11 +1191,11 @@ EOF
1168 exit ;; 1191 exit ;;
1169 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) 1192 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
1170 if [ -d /usr/nec ]; then 1193 if [ -d /usr/nec ]; then
1171 echo mips-nec-sysv${UNAME_RELEASE} 1194 echo mips-nec-sysv${UNAME_RELEASE}
1172 else 1195 else
1173 echo mips-unknown-sysv${UNAME_RELEASE} 1196 echo mips-unknown-sysv${UNAME_RELEASE}
1174 fi 1197 fi
1175 exit ;; 1198 exit ;;
1176 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. 1199 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
1177 echo powerpc-be-beos 1200 echo powerpc-be-beos
1178 exit ;; 1201 exit ;;
@@ -1185,6 +1208,9 @@ EOF
1185 BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 1208 BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
1186 echo i586-pc-haiku 1209 echo i586-pc-haiku
1187 exit ;; 1210 exit ;;
1211 x86_64:Haiku:*:*)
1212 echo x86_64-unknown-haiku
1213 exit ;;
1188 SX-4:SUPER-UX:*:*) 1214 SX-4:SUPER-UX:*:*)
1189 echo sx4-nec-superux${UNAME_RELEASE} 1215 echo sx4-nec-superux${UNAME_RELEASE}
1190 exit ;; 1216 exit ;;
@@ -1240,7 +1266,7 @@ EOF
1240 NEO-?:NONSTOP_KERNEL:*:*) 1266 NEO-?:NONSTOP_KERNEL:*:*)
1241 echo neo-tandem-nsk${UNAME_RELEASE} 1267 echo neo-tandem-nsk${UNAME_RELEASE}
1242 exit ;; 1268 exit ;;
1243 NSE-?:NONSTOP_KERNEL:*:*) 1269 NSE-*:NONSTOP_KERNEL:*:*)
1244 echo nse-tandem-nsk${UNAME_RELEASE} 1270 echo nse-tandem-nsk${UNAME_RELEASE}
1245 exit ;; 1271 exit ;;
1246 NSR-?:NONSTOP_KERNEL:*:*) 1272 NSR-?:NONSTOP_KERNEL:*:*)
@@ -1285,13 +1311,13 @@ EOF
1285 echo pdp10-unknown-its 1311 echo pdp10-unknown-its
1286 exit ;; 1312 exit ;;
1287 SEI:*:*:SEIUX) 1313 SEI:*:*:SEIUX)
1288 echo mips-sei-seiux${UNAME_RELEASE} 1314 echo mips-sei-seiux${UNAME_RELEASE}
1289 exit ;; 1315 exit ;;
1290 *:DragonFly:*:*) 1316 *:DragonFly:*:*)
1291 echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` 1317 echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
1292 exit ;; 1318 exit ;;
1293 *:*VMS:*:*) 1319 *:*VMS:*:*)
1294 UNAME_MACHINE=`(uname -p) 2>/dev/null` 1320 UNAME_MACHINE=`(uname -p) 2>/dev/null`
1295 case "${UNAME_MACHINE}" in 1321 case "${UNAME_MACHINE}" in
1296 A*) echo alpha-dec-vms ; exit ;; 1322 A*) echo alpha-dec-vms ; exit ;;
1297 I*) echo ia64-dec-vms ; exit ;; 1323 I*) echo ia64-dec-vms ; exit ;;
@@ -1309,11 +1335,11 @@ EOF
1309 i*86:AROS:*:*) 1335 i*86:AROS:*:*)
1310 echo ${UNAME_MACHINE}-pc-aros 1336 echo ${UNAME_MACHINE}-pc-aros
1311 exit ;; 1337 exit ;;
1338 x86_64:VMkernel:*:*)
1339 echo ${UNAME_MACHINE}-unknown-esx
1340 exit ;;
1312esac 1341esac
1313 1342
1314#echo '(No uname command or uname output not recognized.)' 1>&2
1315#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
1316
1317eval $set_cc_for_build 1343eval $set_cc_for_build
1318cat >$dummy.c <<EOF 1344cat >$dummy.c <<EOF
1319#ifdef _SEQUENT_ 1345#ifdef _SEQUENT_
@@ -1331,11 +1357,11 @@ main ()
1331#include <sys/param.h> 1357#include <sys/param.h>
1332 printf ("m68k-sony-newsos%s\n", 1358 printf ("m68k-sony-newsos%s\n",
1333#ifdef NEWSOS4 1359#ifdef NEWSOS4
1334 "4" 1360 "4"
1335#else 1361#else
1336 "" 1362 ""
1337#endif 1363#endif
1338 ); exit (0); 1364 ); exit (0);
1339#endif 1365#endif
1340#endif 1366#endif
1341 1367
diff --git a/config.h.in b/config.h.in
index 67858ef6d..34f1c9c53 100644
--- a/config.h.in
+++ b/config.h.in
@@ -230,6 +230,9 @@
230/* Define to 1 if you have the `clock' function. */ 230/* Define to 1 if you have the `clock' function. */
231#undef HAVE_CLOCK 231#undef HAVE_CLOCK
232 232
233/* Have clock_gettime */
234#undef HAVE_CLOCK_GETTIME
235
233/* define if you have clock_t data type */ 236/* define if you have clock_t data type */
234#undef HAVE_CLOCK_T 237#undef HAVE_CLOCK_T
235 238
@@ -242,6 +245,9 @@
242/* Define if your system uses ancillary data style file descriptor passing */ 245/* Define if your system uses ancillary data style file descriptor passing */
243#undef HAVE_CONTROL_IN_MSGHDR 246#undef HAVE_CONTROL_IN_MSGHDR
244 247
248/* Define to 1 if you have the `crypt' function. */
249#undef HAVE_CRYPT
250
245/* Define to 1 if you have the <crypto/sha2.h> header file. */ 251/* Define to 1 if you have the <crypto/sha2.h> header file. */
246#undef HAVE_CRYPTO_SHA2_H 252#undef HAVE_CRYPTO_SHA2_H
247 253
@@ -266,6 +272,10 @@
266 and to 0 if you don't. */ 272 and to 0 if you don't. */
267#undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE 273#undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
268 274
275/* Define to 1 if you have the declaration of `howmany', and to 0 if you
276 don't. */
277#undef HAVE_DECL_HOWMANY
278
269/* Define to 1 if you have the declaration of `h_errno', and to 0 if you 279/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
270 don't. */ 280 don't. */
271#undef HAVE_DECL_H_ERRNO 281#undef HAVE_DECL_H_ERRNO
@@ -286,6 +296,10 @@
286 don't. */ 296 don't. */
287#undef HAVE_DECL_MAXSYMLINKS 297#undef HAVE_DECL_MAXSYMLINKS
288 298
299/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
300 don't. */
301#undef HAVE_DECL_NFDBITS
302
289/* Define to 1 if you have the declaration of `offsetof', and to 0 if you 303/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
290 don't. */ 304 don't. */
291#undef HAVE_DECL_OFFSETOF 305#undef HAVE_DECL_OFFSETOF
@@ -318,6 +332,9 @@
318 don't. */ 332 don't. */
319#undef HAVE_DECL__GETSHORT 333#undef HAVE_DECL__GETSHORT
320 334
335/* Define to 1 if you have the `DES_crypt' function. */
336#undef HAVE_DES_CRYPT
337
321/* Define if you have /dev/ptmx */ 338/* Define if you have /dev/ptmx */
322#undef HAVE_DEV_PTMX 339#undef HAVE_DEV_PTMX
323 340
@@ -339,6 +356,9 @@
339/* Define to 1 if you have the <elf.h> header file. */ 356/* Define to 1 if you have the <elf.h> header file. */
340#undef HAVE_ELF_H 357#undef HAVE_ELF_H
341 358
359/* Define to 1 if you have the `endgrent' function. */
360#undef HAVE_ENDGRENT
361
342/* Define to 1 if you have the <endian.h> header file. */ 362/* Define to 1 if you have the <endian.h> header file. */
343#undef HAVE_ENDIAN_H 363#undef HAVE_ENDIAN_H
344 364
@@ -372,6 +392,9 @@
372/* Define to 1 if you have the <fcntl.h> header file. */ 392/* Define to 1 if you have the <fcntl.h> header file. */
373#undef HAVE_FCNTL_H 393#undef HAVE_FCNTL_H
374 394
395/* Define to 1 if the system has the type `fd_mask'. */
396#undef HAVE_FD_MASK
397
375/* Define to 1 if you have the <features.h> header file. */ 398/* Define to 1 if you have the <features.h> header file. */
376#undef HAVE_FEATURES_H 399#undef HAVE_FEATURES_H
377 400
@@ -576,6 +599,15 @@
576/* Define if you have isblank(3C). */ 599/* Define if you have isblank(3C). */
577#undef HAVE_ISBLANK 600#undef HAVE_ISBLANK
578 601
602/* Define to 1 if you have the `krb5_cc_new_unique' function. */
603#undef HAVE_KRB5_CC_NEW_UNIQUE
604
605/* Define to 1 if you have the `krb5_free_error_message' function. */
606#undef HAVE_KRB5_FREE_ERROR_MESSAGE
607
608/* Define to 1 if you have the `krb5_get_error_message' function. */
609#undef HAVE_KRB5_GET_ERROR_MESSAGE
610
579/* Define to 1 if you have the <lastlog.h> header file. */ 611/* Define to 1 if you have the <lastlog.h> header file. */
580#undef HAVE_LASTLOG_H 612#undef HAVE_LASTLOG_H
581 613
@@ -636,6 +668,9 @@
636/* Define to 1 if you have the <linux/seccomp.h> header file. */ 668/* Define to 1 if you have the <linux/seccomp.h> header file. */
637#undef HAVE_LINUX_SECCOMP_H 669#undef HAVE_LINUX_SECCOMP_H
638 670
671/* Define to 1 if you have the <locale.h> header file. */
672#undef HAVE_LOCALE_H
673
639/* Define to 1 if you have the `login' function. */ 674/* Define to 1 if you have the `login' function. */
640#undef HAVE_LOGIN 675#undef HAVE_LOGIN
641 676
@@ -663,6 +698,9 @@
663/* Define to 1 if you have the <maillock.h> header file. */ 698/* Define to 1 if you have the <maillock.h> header file. */
664#undef HAVE_MAILLOCK_H 699#undef HAVE_MAILLOCK_H
665 700
701/* Define to 1 if you have the `mblen' function. */
702#undef HAVE_MBLEN
703
666/* Define to 1 if you have the `md5_crypt' function. */ 704/* Define to 1 if you have the `md5_crypt' function. */
667#undef HAVE_MD5_CRYPT 705#undef HAVE_MD5_CRYPT
668 706
@@ -769,15 +807,6 @@
769/* Define to 1 if you have the `pututxline' function. */ 807/* Define to 1 if you have the `pututxline' function. */
770#undef HAVE_PUTUTXLINE 808#undef HAVE_PUTUTXLINE
771 809
772/* Define if your password has a pw_change field */
773#undef HAVE_PW_CHANGE_IN_PASSWD
774
775/* Define if your password has a pw_class field */
776#undef HAVE_PW_CLASS_IN_PASSWD
777
778/* Define if your password has a pw_expire field */
779#undef HAVE_PW_EXPIRE_IN_PASSWD
780
781/* Define to 1 if you have the `readpassphrase' function. */ 810/* Define to 1 if you have the `readpassphrase' function. */
782#undef HAVE_READPASSPHRASE 811#undef HAVE_READPASSPHRASE
783 812
@@ -814,6 +843,9 @@
814/* define if you have sa_family_t data type */ 843/* define if you have sa_family_t data type */
815#undef HAVE_SA_FAMILY_T 844#undef HAVE_SA_FAMILY_T
816 845
846/* Define to 1 if you have the `scan_scaled' function. */
847#undef HAVE_SCAN_SCALED
848
817/* Define if you have SecureWare-based protected password database */ 849/* Define if you have SecureWare-based protected password database */
818#undef HAVE_SECUREWARE 850#undef HAVE_SECUREWARE
819 851
@@ -1003,6 +1035,18 @@
1003/* define if you have struct in6_addr data type */ 1035/* define if you have struct in6_addr data type */
1004#undef HAVE_STRUCT_IN6_ADDR 1036#undef HAVE_STRUCT_IN6_ADDR
1005 1037
1038/* Define to 1 if `pw_change' is a member of `struct passwd'. */
1039#undef HAVE_STRUCT_PASSWD_PW_CHANGE
1040
1041/* Define to 1 if `pw_class' is a member of `struct passwd'. */
1042#undef HAVE_STRUCT_PASSWD_PW_CLASS
1043
1044/* Define to 1 if `pw_expire' is a member of `struct passwd'. */
1045#undef HAVE_STRUCT_PASSWD_PW_EXPIRE
1046
1047/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */
1048#undef HAVE_STRUCT_PASSWD_PW_GECOS
1049
1006/* define if you have struct sockaddr_in6 data type */ 1050/* define if you have struct sockaddr_in6 data type */
1007#undef HAVE_STRUCT_SOCKADDR_IN6 1051#undef HAVE_STRUCT_SOCKADDR_IN6
1008 1052
@@ -1323,15 +1367,6 @@
1323/* Set this to your mail directory if you do not have _PATH_MAILDIR */ 1367/* Set this to your mail directory if you do not have _PATH_MAILDIR */
1324#undef MAIL_DIRECTORY 1368#undef MAIL_DIRECTORY
1325 1369
1326/* Define on *nto-qnx systems */
1327#undef MISSING_FD_MASK
1328
1329/* Define on *nto-qnx systems */
1330#undef MISSING_HOWMANY
1331
1332/* Define on *nto-qnx systems */
1333#undef MISSING_NFDBITS
1334
1335/* Need setpgrp to acquire controlling tty */ 1370/* Need setpgrp to acquire controlling tty */
1336#undef NEED_SETPGRP 1371#undef NEED_SETPGRP
1337 1372
diff --git a/config.sub b/config.sub
index 2d8169626..eee8dccb0 100755
--- a/config.sub
+++ b/config.sub
@@ -2,9 +2,9 @@
2# Configuration validation subroutine script. 2# Configuration validation subroutine script.
3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
5# 2011 Free Software Foundation, Inc. 5# 2011, 2012, 2013 Free Software Foundation, Inc.
6 6
7timestamp='2011-01-01' 7timestamp='2012-12-23'
8 8
9# This file is (in principle) common to ALL GNU software. 9# This file is (in principle) common to ALL GNU software.
10# The presence of a machine in this file suggests that SOME GNU software 10# The presence of a machine in this file suggests that SOME GNU software
@@ -21,9 +21,7 @@ timestamp='2011-01-01'
21# GNU General Public License for more details. 21# GNU General Public License for more details.
22# 22#
23# You should have received a copy of the GNU General Public License 23# You should have received a copy of the GNU General Public License
24# along with this program; if not, write to the Free Software 24# along with this program; if not, see <http://www.gnu.org/licenses/>.
25# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
26# 02110-1301, USA.
27# 25#
28# As a special exception to the GNU General Public License, if you 26# As a special exception to the GNU General Public License, if you
29# distribute this file as part of a program that contains a 27# distribute this file as part of a program that contains a
@@ -76,8 +74,8 @@ version="\
76GNU config.sub ($timestamp) 74GNU config.sub ($timestamp)
77 75
78Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 76Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
792001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free 772001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
80Software Foundation, Inc. 782012, 2013 Free Software Foundation, Inc.
81 79
82This is free software; see the source for copying conditions. There is NO 80This is free software; see the source for copying conditions. There is NO
83warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 81warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -125,13 +123,17 @@ esac
125maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` 123maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
126case $maybe_os in 124case $maybe_os in
127 nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ 125 nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
128 linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ 126 linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
129 knetbsd*-gnu* | netbsd*-gnu* | \ 127 knetbsd*-gnu* | netbsd*-gnu* | \
130 kopensolaris*-gnu* | \ 128 kopensolaris*-gnu* | \
131 storm-chaos* | os2-emx* | rtmk-nova*) 129 storm-chaos* | os2-emx* | rtmk-nova*)
132 os=-$maybe_os 130 os=-$maybe_os
133 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` 131 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
134 ;; 132 ;;
133 android-linux)
134 os=-linux-android
135 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
136 ;;
135 *) 137 *)
136 basic_machine=`echo $1 | sed 's/-[^-]*$//'` 138 basic_machine=`echo $1 | sed 's/-[^-]*$//'`
137 if [ $basic_machine != $1 ] 139 if [ $basic_machine != $1 ]
@@ -154,12 +156,12 @@ case $os in
154 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ 156 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
155 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ 157 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
156 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ 158 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
157 -apple | -axis | -knuth | -cray | -microblaze) 159 -apple | -axis | -knuth | -cray | -microblaze*)
158 os= 160 os=
159 basic_machine=$1 161 basic_machine=$1
160 ;; 162 ;;
161 -bluegene*) 163 -bluegene*)
162 os=-cnk 164 os=-cnk
163 ;; 165 ;;
164 -sim | -cisco | -oki | -wec | -winbond) 166 -sim | -cisco | -oki | -wec | -winbond)
165 os= 167 os=
@@ -175,10 +177,10 @@ case $os in
175 os=-chorusos 177 os=-chorusos
176 basic_machine=$1 178 basic_machine=$1
177 ;; 179 ;;
178 -chorusrdb) 180 -chorusrdb)
179 os=-chorusrdb 181 os=-chorusrdb
180 basic_machine=$1 182 basic_machine=$1
181 ;; 183 ;;
182 -hiux*) 184 -hiux*)
183 os=-hiuxwe2 185 os=-hiuxwe2
184 ;; 186 ;;
@@ -223,6 +225,12 @@ case $os in
223 -isc*) 225 -isc*)
224 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` 226 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
225 ;; 227 ;;
228 -lynx*178)
229 os=-lynxos178
230 ;;
231 -lynx*5)
232 os=-lynxos5
233 ;;
226 -lynx*) 234 -lynx*)
227 os=-lynxos 235 os=-lynxos
228 ;; 236 ;;
@@ -247,20 +255,27 @@ case $basic_machine in
247 # Some are omitted here because they have special meanings below. 255 # Some are omitted here because they have special meanings below.
248 1750a | 580 \ 256 1750a | 580 \
249 | a29k \ 257 | a29k \
258 | aarch64 | aarch64_be \
250 | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ 259 | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
251 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ 260 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
252 | am33_2.0 \ 261 | am33_2.0 \
253 | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ 262 | arc \
263 | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
264 | avr | avr32 \
265 | be32 | be64 \
254 | bfin \ 266 | bfin \
255 | c4x | clipper \ 267 | c4x | clipper \
256 | d10v | d30v | dlx | dsp16xx \ 268 | d10v | d30v | dlx | dsp16xx \
269 | epiphany \
257 | fido | fr30 | frv \ 270 | fido | fr30 | frv \
258 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ 271 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
272 | hexagon \
259 | i370 | i860 | i960 | ia64 \ 273 | i370 | i860 | i960 | ia64 \
260 | ip2k | iq2000 \ 274 | ip2k | iq2000 \
275 | le32 | le64 \
261 | lm32 \ 276 | lm32 \
262 | m32c | m32r | m32rle | m68000 | m68k | m88k \ 277 | m32c | m32r | m32rle | m68000 | m68k | m88k \
263 | maxq | mb | microblaze | mcore | mep | metag \ 278 | maxq | mb | microblaze | microblazeel | mcore | mep | metag \
264 | mips | mipsbe | mipseb | mipsel | mipsle \ 279 | mips | mipsbe | mipseb | mipsel | mipsle \
265 | mips16 \ 280 | mips16 \
266 | mips64 | mips64el \ 281 | mips64 | mips64el \
@@ -286,22 +301,23 @@ case $basic_machine in
286 | nds32 | nds32le | nds32be \ 301 | nds32 | nds32le | nds32be \
287 | nios | nios2 \ 302 | nios | nios2 \
288 | ns16k | ns32k \ 303 | ns16k | ns32k \
304 | open8 \
289 | or32 \ 305 | or32 \
290 | pdp10 | pdp11 | pj | pjl \ 306 | pdp10 | pdp11 | pj | pjl \
291 | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ 307 | powerpc | powerpc64 | powerpc64le | powerpcle \
292 | pyramid \ 308 | pyramid \
293 | rx \ 309 | rl78 | rx \
294 | score \ 310 | score \
295 | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ 311 | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
296 | sh64 | sh64le \ 312 | sh64 | sh64le \
297 | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ 313 | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
298 | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ 314 | sparcv8 | sparcv9 | sparcv9b | sparcv9v \
299 | spu | strongarm \ 315 | spu \
300 | tahoe | thumb | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ 316 | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
301 | ubicom32 \ 317 | ubicom32 \
302 | v850 | v850e \ 318 | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
303 | we32k \ 319 | we32k \
304 | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ 320 | x86 | xc16x | xstormy16 | xtensa \
305 | z8k | z80) 321 | z8k | z80)
306 basic_machine=$basic_machine-unknown 322 basic_machine=$basic_machine-unknown
307 ;; 323 ;;
@@ -314,8 +330,7 @@ case $basic_machine in
314 c6x) 330 c6x)
315 basic_machine=tic6x-unknown 331 basic_machine=tic6x-unknown
316 ;; 332 ;;
317 m6811 | m68hc11 | m6812 | m68hc12 | picochip) 333 m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
318 # Motorola 68HC11/12.
319 basic_machine=$basic_machine-unknown 334 basic_machine=$basic_machine-unknown
320 os=-none 335 os=-none
321 ;; 336 ;;
@@ -325,6 +340,21 @@ case $basic_machine in
325 basic_machine=mt-unknown 340 basic_machine=mt-unknown
326 ;; 341 ;;
327 342
343 strongarm | thumb | xscale)
344 basic_machine=arm-unknown
345 ;;
346 xgate)
347 basic_machine=$basic_machine-unknown
348 os=-none
349 ;;
350 xscaleeb)
351 basic_machine=armeb-unknown
352 ;;
353
354 xscaleel)
355 basic_machine=armel-unknown
356 ;;
357
328 # We use `pc' rather than `unknown' 358 # We use `pc' rather than `unknown'
329 # because (1) that's what they normally are, and 359 # because (1) that's what they normally are, and
330 # (2) the word "unknown" tends to confuse beginning users. 360 # (2) the word "unknown" tends to confuse beginning users.
@@ -339,11 +369,13 @@ case $basic_machine in
339 # Recognize the basic CPU types with company name. 369 # Recognize the basic CPU types with company name.
340 580-* \ 370 580-* \
341 | a29k-* \ 371 | a29k-* \
372 | aarch64-* | aarch64_be-* \
342 | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ 373 | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
343 | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ 374 | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
344 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ 375 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
345 | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ 376 | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
346 | avr-* | avr32-* \ 377 | avr-* | avr32-* \
378 | be32-* | be64-* \
347 | bfin-* | bs2000-* \ 379 | bfin-* | bs2000-* \
348 | c[123]* | c30-* | [cjt]90-* | c4x-* \ 380 | c[123]* | c30-* | [cjt]90-* | c4x-* \
349 | clipper-* | craynv-* | cydra-* \ 381 | clipper-* | craynv-* | cydra-* \
@@ -352,12 +384,15 @@ case $basic_machine in
352 | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ 384 | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
353 | h8300-* | h8500-* \ 385 | h8300-* | h8500-* \
354 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ 386 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
387 | hexagon-* \
355 | i*86-* | i860-* | i960-* | ia64-* \ 388 | i*86-* | i860-* | i960-* | ia64-* \
356 | ip2k-* | iq2000-* \ 389 | ip2k-* | iq2000-* \
390 | le32-* | le64-* \
357 | lm32-* \ 391 | lm32-* \
358 | m32c-* | m32r-* | m32rle-* \ 392 | m32c-* | m32r-* | m32rle-* \
359 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ 393 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
360 | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ 394 | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
395 | microblaze-* | microblazeel-* \
361 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ 396 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
362 | mips16-* \ 397 | mips16-* \
363 | mips64-* | mips64el-* \ 398 | mips64-* | mips64el-* \
@@ -382,24 +417,26 @@ case $basic_machine in
382 | nds32-* | nds32le-* | nds32be-* \ 417 | nds32-* | nds32le-* | nds32be-* \
383 | nios-* | nios2-* \ 418 | nios-* | nios2-* \
384 | none-* | np1-* | ns16k-* | ns32k-* \ 419 | none-* | np1-* | ns16k-* | ns32k-* \
420 | open8-* \
385 | orion-* \ 421 | orion-* \
386 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ 422 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
387 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ 423 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
388 | pyramid-* \ 424 | pyramid-* \
389 | romp-* | rs6000-* | rx-* \ 425 | rl78-* | romp-* | rs6000-* | rx-* \
390 | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ 426 | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
391 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ 427 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
392 | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ 428 | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
393 | sparclite-* \ 429 | sparclite-* \
394 | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ 430 | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
395 | tahoe-* | thumb-* \ 431 | tahoe-* \
396 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ 432 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
397 | tile-* | tilegx-* \ 433 | tile*-* \
398 | tron-* \ 434 | tron-* \
399 | ubicom32-* \ 435 | ubicom32-* \
400 | v850-* | v850e-* | vax-* \ 436 | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
437 | vax-* \
401 | we32k-* \ 438 | we32k-* \
402 | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ 439 | x86-* | x86_64-* | xc16x-* | xps100-* \
403 | xstormy16-* | xtensa*-* \ 440 | xstormy16-* | xtensa*-* \
404 | ymp-* \ 441 | ymp-* \
405 | z8k-* | z80-*) 442 | z8k-* | z80-*)
@@ -424,7 +461,7 @@ case $basic_machine in
424 basic_machine=a29k-amd 461 basic_machine=a29k-amd
425 os=-udi 462 os=-udi
426 ;; 463 ;;
427 abacus) 464 abacus)
428 basic_machine=abacus-unknown 465 basic_machine=abacus-unknown
429 ;; 466 ;;
430 adobe68k) 467 adobe68k)
@@ -507,7 +544,7 @@ case $basic_machine in
507 basic_machine=c90-cray 544 basic_machine=c90-cray
508 os=-unicos 545 os=-unicos
509 ;; 546 ;;
510 cegcc) 547 cegcc)
511 basic_machine=arm-unknown 548 basic_machine=arm-unknown
512 os=-cegcc 549 os=-cegcc
513 ;; 550 ;;
@@ -697,7 +734,6 @@ case $basic_machine in
697 i370-ibm* | ibm*) 734 i370-ibm* | ibm*)
698 basic_machine=i370-ibm 735 basic_machine=i370-ibm
699 ;; 736 ;;
700# I'm not sure what "Sysv32" means. Should this be sysv3.2?
701 i*86v32) 737 i*86v32)
702 basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` 738 basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
703 os=-sysv32 739 os=-sysv32
@@ -755,9 +791,13 @@ case $basic_machine in
755 basic_machine=ns32k-utek 791 basic_machine=ns32k-utek
756 os=-sysv 792 os=-sysv
757 ;; 793 ;;
758 microblaze) 794 microblaze*)
759 basic_machine=microblaze-xilinx 795 basic_machine=microblaze-xilinx
760 ;; 796 ;;
797 mingw64)
798 basic_machine=x86_64-pc
799 os=-mingw64
800 ;;
761 mingw32) 801 mingw32)
762 basic_machine=i386-pc 802 basic_machine=i386-pc
763 os=-mingw32 803 os=-mingw32
@@ -794,10 +834,18 @@ case $basic_machine in
794 ms1-*) 834 ms1-*)
795 basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` 835 basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
796 ;; 836 ;;
837 msys)
838 basic_machine=i386-pc
839 os=-msys
840 ;;
797 mvs) 841 mvs)
798 basic_machine=i370-ibm 842 basic_machine=i370-ibm
799 os=-mvs 843 os=-mvs
800 ;; 844 ;;
845 nacl)
846 basic_machine=le32-unknown
847 os=-nacl
848 ;;
801 ncr3000) 849 ncr3000)
802 basic_machine=i486-ncr 850 basic_machine=i486-ncr
803 os=-sysv4 851 os=-sysv4
@@ -862,10 +910,10 @@ case $basic_machine in
862 np1) 910 np1)
863 basic_machine=np1-gould 911 basic_machine=np1-gould
864 ;; 912 ;;
865 neo-tandem) 913 neo-tandem)
866 basic_machine=neo-tandem 914 basic_machine=neo-tandem
867 ;; 915 ;;
868 nse-tandem) 916 nse-tandem)
869 basic_machine=nse-tandem 917 basic_machine=nse-tandem
870 ;; 918 ;;
871 nsr-tandem) 919 nsr-tandem)
@@ -950,9 +998,10 @@ case $basic_machine in
950 ;; 998 ;;
951 power) basic_machine=power-ibm 999 power) basic_machine=power-ibm
952 ;; 1000 ;;
953 ppc) basic_machine=powerpc-unknown 1001 ppc | ppcbe) basic_machine=powerpc-unknown
954 ;; 1002 ;;
955 ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` 1003 ppc-* | ppcbe-*)
1004 basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
956 ;; 1005 ;;
957 ppcle | powerpclittle | ppc-le | powerpc-little) 1006 ppcle | powerpclittle | ppc-le | powerpc-little)
958 basic_machine=powerpcle-unknown 1007 basic_machine=powerpcle-unknown
@@ -977,7 +1026,11 @@ case $basic_machine in
977 basic_machine=i586-unknown 1026 basic_machine=i586-unknown
978 os=-pw32 1027 os=-pw32
979 ;; 1028 ;;
980 rdos) 1029 rdos | rdos64)
1030 basic_machine=x86_64-pc
1031 os=-rdos
1032 ;;
1033 rdos32)
981 basic_machine=i386-pc 1034 basic_machine=i386-pc
982 os=-rdos 1035 os=-rdos
983 ;; 1036 ;;
@@ -1046,6 +1099,9 @@ case $basic_machine in
1046 basic_machine=i860-stratus 1099 basic_machine=i860-stratus
1047 os=-sysv4 1100 os=-sysv4
1048 ;; 1101 ;;
1102 strongarm-* | thumb-*)
1103 basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
1104 ;;
1049 sun2) 1105 sun2)
1050 basic_machine=m68000-sun 1106 basic_machine=m68000-sun
1051 ;; 1107 ;;
@@ -1102,13 +1158,8 @@ case $basic_machine in
1102 basic_machine=t90-cray 1158 basic_machine=t90-cray
1103 os=-unicos 1159 os=-unicos
1104 ;; 1160 ;;
1105 # This must be matched before tile*.
1106 tilegx*)
1107 basic_machine=tilegx-unknown
1108 os=-linux-gnu
1109 ;;
1110 tile*) 1161 tile*)
1111 basic_machine=tile-unknown 1162 basic_machine=$basic_machine-unknown
1112 os=-linux-gnu 1163 os=-linux-gnu
1113 ;; 1164 ;;
1114 tx39) 1165 tx39)
@@ -1178,6 +1229,9 @@ case $basic_machine in
1178 xps | xps100) 1229 xps | xps100)
1179 basic_machine=xps100-honeywell 1230 basic_machine=xps100-honeywell
1180 ;; 1231 ;;
1232 xscale-* | xscalee[bl]-*)
1233 basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
1234 ;;
1181 ymp) 1235 ymp)
1182 basic_machine=ymp-cray 1236 basic_machine=ymp-cray
1183 os=-unicos 1237 os=-unicos
@@ -1275,11 +1329,11 @@ esac
1275if [ x"$os" != x"" ] 1329if [ x"$os" != x"" ]
1276then 1330then
1277case $os in 1331case $os in
1278 # First match some system type aliases 1332 # First match some system type aliases
1279 # that might get confused with valid system types. 1333 # that might get confused with valid system types.
1280 # -solaris* is a basic system type, with this one exception. 1334 # -solaris* is a basic system type, with this one exception.
1281 -auroraux) 1335 -auroraux)
1282 os=-auroraux 1336 os=-auroraux
1283 ;; 1337 ;;
1284 -solaris1 | -solaris1.*) 1338 -solaris1 | -solaris1.*)
1285 os=`echo $os | sed -e 's|solaris1|sunos4|'` 1339 os=`echo $os | sed -e 's|solaris1|sunos4|'`
@@ -1309,15 +1363,15 @@ case $os in
1309 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ 1363 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
1310 | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ 1364 | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
1311 | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ 1365 | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
1312 | -openbsd* | -solidbsd* \ 1366 | -bitrig* | -openbsd* | -solidbsd* \
1313 | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ 1367 | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
1314 | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ 1368 | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
1315 | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ 1369 | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
1316 | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ 1370 | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
1317 | -chorusos* | -chorusrdb* | -cegcc* \ 1371 | -chorusos* | -chorusrdb* | -cegcc* \
1318 | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ 1372 | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
1319 | -mingw32* | -linux-gnu* | -linux-android* \ 1373 | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
1320 | -linux-newlib* | -linux-uclibc* \ 1374 | -linux-newlib* | -linux-musl* | -linux-uclibc* \
1321 | -uxpv* | -beos* | -mpeix* | -udk* \ 1375 | -uxpv* | -beos* | -mpeix* | -udk* \
1322 | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ 1376 | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
1323 | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ 1377 | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
@@ -1364,7 +1418,7 @@ case $os in
1364 -opened*) 1418 -opened*)
1365 os=-openedition 1419 os=-openedition
1366 ;; 1420 ;;
1367 -os400*) 1421 -os400*)
1368 os=-os400 1422 os=-os400
1369 ;; 1423 ;;
1370 -wince*) 1424 -wince*)
@@ -1413,7 +1467,7 @@ case $os in
1413 -sinix*) 1467 -sinix*)
1414 os=-sysv4 1468 os=-sysv4
1415 ;; 1469 ;;
1416 -tpf*) 1470 -tpf*)
1417 os=-tpf 1471 os=-tpf
1418 ;; 1472 ;;
1419 -triton*) 1473 -triton*)
@@ -1458,8 +1512,8 @@ case $os in
1458 -dicos*) 1512 -dicos*)
1459 os=-dicos 1513 os=-dicos
1460 ;; 1514 ;;
1461 -nacl*) 1515 -nacl*)
1462 ;; 1516 ;;
1463 -none) 1517 -none)
1464 ;; 1518 ;;
1465 *) 1519 *)
@@ -1482,10 +1536,10 @@ else
1482# system, and we'll never get to this point. 1536# system, and we'll never get to this point.
1483 1537
1484case $basic_machine in 1538case $basic_machine in
1485 score-*) 1539 score-*)
1486 os=-elf 1540 os=-elf
1487 ;; 1541 ;;
1488 spu-*) 1542 spu-*)
1489 os=-elf 1543 os=-elf
1490 ;; 1544 ;;
1491 *-acorn) 1545 *-acorn)
@@ -1497,8 +1551,11 @@ case $basic_machine in
1497 arm*-semi) 1551 arm*-semi)
1498 os=-aout 1552 os=-aout
1499 ;; 1553 ;;
1500 c4x-* | tic4x-*) 1554 c4x-* | tic4x-*)
1501 os=-coff 1555 os=-coff
1556 ;;
1557 hexagon-*)
1558 os=-elf
1502 ;; 1559 ;;
1503 tic54x-*) 1560 tic54x-*)
1504 os=-coff 1561 os=-coff
@@ -1527,14 +1584,11 @@ case $basic_machine in
1527 ;; 1584 ;;
1528 m68000-sun) 1585 m68000-sun)
1529 os=-sunos3 1586 os=-sunos3
1530 # This also exists in the configure program, but was not the
1531 # default.
1532 # os=-sunos4
1533 ;; 1587 ;;
1534 m68*-cisco) 1588 m68*-cisco)
1535 os=-aout 1589 os=-aout
1536 ;; 1590 ;;
1537 mep-*) 1591 mep-*)
1538 os=-elf 1592 os=-elf
1539 ;; 1593 ;;
1540 mips*-cisco) 1594 mips*-cisco)
@@ -1561,7 +1615,7 @@ case $basic_machine in
1561 *-ibm) 1615 *-ibm)
1562 os=-aix 1616 os=-aix
1563 ;; 1617 ;;
1564 *-knuth) 1618 *-knuth)
1565 os=-mmixware 1619 os=-mmixware
1566 ;; 1620 ;;
1567 *-wec) 1621 *-wec)
diff --git a/configure b/configure
index 4eeed9d09..78bbcd008 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
1#! /bin/sh 1#! /bin/sh
2# From configure.ac Revision: 1.518 . 2# From configure.ac Revision: 1.536 .
3# Guess values for system-dependent variables and create Makefiles. 3# Guess values for system-dependent variables and create Makefiles.
4# Generated by GNU Autoconf 2.68 for OpenSSH Portable. 4# Generated by GNU Autoconf 2.68 for OpenSSH Portable.
5# 5#
@@ -605,6 +605,7 @@ ac_includes_default="\
605 605
606ac_subst_vars='LTLIBOBJS 606ac_subst_vars='LTLIBOBJS
607LIBOBJS 607LIBOBJS
608UNSUPPORTED_ALGORITHMS
608TEST_SSH_IPV6 609TEST_SSH_IPV6
609piddir 610piddir
610user_path 611user_path
@@ -5605,6 +5606,68 @@ fi
5605 5606
5606if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 5607if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
5607 { 5608 {
5609 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Qunused-arguments -Werror" >&5
5610$as_echo_n "checking if $CC supports -Qunused-arguments -Werror... " >&6; }
5611 saved_CFLAGS="$CFLAGS"
5612 CFLAGS="$CFLAGS -Qunused-arguments -Werror"
5613 _define_flag="-Qunused-arguments"
5614 test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments -Werror"
5615 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5616/* end confdefs.h. */
5617int main(void) { return 0; }
5618_ACEOF
5619if ac_fn_c_try_compile "$LINENO"; then :
5620
5621if `grep -i "unrecognized option" conftest.err >/dev/null`
5622then
5623 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5624$as_echo "no" >&6; }
5625 CFLAGS="$saved_CFLAGS"
5626else
5627 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5628$as_echo "yes" >&6; }
5629 CFLAGS="$saved_CFLAGS $_define_flag"
5630fi
5631else
5632 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5633$as_echo "no" >&6; }
5634 CFLAGS="$saved_CFLAGS"
5635
5636fi
5637rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5638}
5639 {
5640 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wunknown-warning-option -Werror" >&5
5641$as_echo_n "checking if $CC supports -Wunknown-warning-option -Werror... " >&6; }
5642 saved_CFLAGS="$CFLAGS"
5643 CFLAGS="$CFLAGS -Wunknown-warning-option -Werror"
5644 _define_flag="-Wno-unknown-warning-option"
5645 test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option -Werror"
5646 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5647/* end confdefs.h. */
5648int main(void) { return 0; }
5649_ACEOF
5650if ac_fn_c_try_compile "$LINENO"; then :
5651
5652if `grep -i "unrecognized option" conftest.err >/dev/null`
5653then
5654 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5655$as_echo "no" >&6; }
5656 CFLAGS="$saved_CFLAGS"
5657else
5658 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5659$as_echo "yes" >&6; }
5660 CFLAGS="$saved_CFLAGS $_define_flag"
5661fi
5662else
5663 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5664$as_echo "no" >&6; }
5665 CFLAGS="$saved_CFLAGS"
5666
5667fi
5668rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5669}
5670 {
5608 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wall" >&5 5671 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wall" >&5
5609$as_echo_n "checking if $CC supports -Wall... " >&6; } 5672$as_echo_n "checking if $CC supports -Wall... " >&6; }
5610 saved_CFLAGS="$CFLAGS" 5673 saved_CFLAGS="$CFLAGS"
@@ -5616,9 +5679,17 @@ $as_echo_n "checking if $CC supports -Wall... " >&6; }
5616int main(void) { return 0; } 5679int main(void) { return 0; }
5617_ACEOF 5680_ACEOF
5618if ac_fn_c_try_compile "$LINENO"; then : 5681if ac_fn_c_try_compile "$LINENO"; then :
5619 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5682
5683if `grep -i "unrecognized option" conftest.err >/dev/null`
5684then
5685 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5686$as_echo "no" >&6; }
5687 CFLAGS="$saved_CFLAGS"
5688else
5689 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5620$as_echo "yes" >&6; } 5690$as_echo "yes" >&6; }
5621 CFLAGS="$saved_CFLAGS $_define_flag" 5691 CFLAGS="$saved_CFLAGS $_define_flag"
5692fi
5622else 5693else
5623 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5694 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5624$as_echo "no" >&6; } 5695$as_echo "no" >&6; }
@@ -5639,9 +5710,17 @@ $as_echo_n "checking if $CC supports -Wpointer-arith... " >&6; }
5639int main(void) { return 0; } 5710int main(void) { return 0; }
5640_ACEOF 5711_ACEOF
5641if ac_fn_c_try_compile "$LINENO"; then : 5712if ac_fn_c_try_compile "$LINENO"; then :
5642 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5713
5714if `grep -i "unrecognized option" conftest.err >/dev/null`
5715then
5716 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5717$as_echo "no" >&6; }
5718 CFLAGS="$saved_CFLAGS"
5719else
5720 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5643$as_echo "yes" >&6; } 5721$as_echo "yes" >&6; }
5644 CFLAGS="$saved_CFLAGS $_define_flag" 5722 CFLAGS="$saved_CFLAGS $_define_flag"
5723fi
5645else 5724else
5646 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5725 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5647$as_echo "no" >&6; } 5726$as_echo "no" >&6; }
@@ -5662,9 +5741,17 @@ $as_echo_n "checking if $CC supports -Wuninitialized... " >&6; }
5662int main(void) { return 0; } 5741int main(void) { return 0; }
5663_ACEOF 5742_ACEOF
5664if ac_fn_c_try_compile "$LINENO"; then : 5743if ac_fn_c_try_compile "$LINENO"; then :
5665 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5744
5745if `grep -i "unrecognized option" conftest.err >/dev/null`
5746then
5747 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5748$as_echo "no" >&6; }
5749 CFLAGS="$saved_CFLAGS"
5750else
5751 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5666$as_echo "yes" >&6; } 5752$as_echo "yes" >&6; }
5667 CFLAGS="$saved_CFLAGS $_define_flag" 5753 CFLAGS="$saved_CFLAGS $_define_flag"
5754fi
5668else 5755else
5669 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5756 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5670$as_echo "no" >&6; } 5757$as_echo "no" >&6; }
@@ -5685,9 +5772,17 @@ $as_echo_n "checking if $CC supports -Wsign-compare... " >&6; }
5685int main(void) { return 0; } 5772int main(void) { return 0; }
5686_ACEOF 5773_ACEOF
5687if ac_fn_c_try_compile "$LINENO"; then : 5774if ac_fn_c_try_compile "$LINENO"; then :
5688 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5775
5776if `grep -i "unrecognized option" conftest.err >/dev/null`
5777then
5778 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5779$as_echo "no" >&6; }
5780 CFLAGS="$saved_CFLAGS"
5781else
5782 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5689$as_echo "yes" >&6; } 5783$as_echo "yes" >&6; }
5690 CFLAGS="$saved_CFLAGS $_define_flag" 5784 CFLAGS="$saved_CFLAGS $_define_flag"
5785fi
5691else 5786else
5692 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5787 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5693$as_echo "no" >&6; } 5788$as_echo "no" >&6; }
@@ -5708,9 +5803,48 @@ $as_echo_n "checking if $CC supports -Wformat-security... " >&6; }
5708int main(void) { return 0; } 5803int main(void) { return 0; }
5709_ACEOF 5804_ACEOF
5710if ac_fn_c_try_compile "$LINENO"; then : 5805if ac_fn_c_try_compile "$LINENO"; then :
5711 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5806
5807if `grep -i "unrecognized option" conftest.err >/dev/null`
5808then
5809 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5810$as_echo "no" >&6; }
5811 CFLAGS="$saved_CFLAGS"
5812else
5813 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5814$as_echo "yes" >&6; }
5815 CFLAGS="$saved_CFLAGS $_define_flag"
5816fi
5817else
5818 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5819$as_echo "no" >&6; }
5820 CFLAGS="$saved_CFLAGS"
5821
5822fi
5823rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5824}
5825 {
5826 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wsizeof-pointer-memaccess" >&5
5827$as_echo_n "checking if $CC supports -Wsizeof-pointer-memaccess... " >&6; }
5828 saved_CFLAGS="$CFLAGS"
5829 CFLAGS="$CFLAGS -Wsizeof-pointer-memaccess"
5830 _define_flag=""
5831 test "x$_define_flag" = "x" && _define_flag="-Wsizeof-pointer-memaccess"
5832 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5833/* end confdefs.h. */
5834int main(void) { return 0; }
5835_ACEOF
5836if ac_fn_c_try_compile "$LINENO"; then :
5837
5838if `grep -i "unrecognized option" conftest.err >/dev/null`
5839then
5840 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5841$as_echo "no" >&6; }
5842 CFLAGS="$saved_CFLAGS"
5843else
5844 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5712$as_echo "yes" >&6; } 5845$as_echo "yes" >&6; }
5713 CFLAGS="$saved_CFLAGS $_define_flag" 5846 CFLAGS="$saved_CFLAGS $_define_flag"
5847fi
5714else 5848else
5715 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5849 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5716$as_echo "no" >&6; } 5850$as_echo "no" >&6; }
@@ -5731,9 +5865,17 @@ $as_echo_n "checking if $CC supports -Wpointer-sign... " >&6; }
5731int main(void) { return 0; } 5865int main(void) { return 0; }
5732_ACEOF 5866_ACEOF
5733if ac_fn_c_try_compile "$LINENO"; then : 5867if ac_fn_c_try_compile "$LINENO"; then :
5734 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5868
5869if `grep -i "unrecognized option" conftest.err >/dev/null`
5870then
5871 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5872$as_echo "no" >&6; }
5873 CFLAGS="$saved_CFLAGS"
5874else
5875 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5735$as_echo "yes" >&6; } 5876$as_echo "yes" >&6; }
5736 CFLAGS="$saved_CFLAGS $_define_flag" 5877 CFLAGS="$saved_CFLAGS $_define_flag"
5878fi
5737else 5879else
5738 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5880 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5739$as_echo "no" >&6; } 5881$as_echo "no" >&6; }
@@ -5754,9 +5896,17 @@ $as_echo_n "checking if $CC supports -Wunused-result... " >&6; }
5754int main(void) { return 0; } 5896int main(void) { return 0; }
5755_ACEOF 5897_ACEOF
5756if ac_fn_c_try_compile "$LINENO"; then : 5898if ac_fn_c_try_compile "$LINENO"; then :
5757 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5899
5900if `grep -i "unrecognized option" conftest.err >/dev/null`
5901then
5902 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5903$as_echo "no" >&6; }
5904 CFLAGS="$saved_CFLAGS"
5905else
5906 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5758$as_echo "yes" >&6; } 5907$as_echo "yes" >&6; }
5759 CFLAGS="$saved_CFLAGS $_define_flag" 5908 CFLAGS="$saved_CFLAGS $_define_flag"
5909fi
5760else 5910else
5761 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5911 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5762$as_echo "no" >&6; } 5912$as_echo "no" >&6; }
@@ -5777,9 +5927,17 @@ $as_echo_n "checking if $CC supports -fno-strict-aliasing... " >&6; }
5777int main(void) { return 0; } 5927int main(void) { return 0; }
5778_ACEOF 5928_ACEOF
5779if ac_fn_c_try_compile "$LINENO"; then : 5929if ac_fn_c_try_compile "$LINENO"; then :
5780 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5930
5931if `grep -i "unrecognized option" conftest.err >/dev/null`
5932then
5933 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5934$as_echo "no" >&6; }
5935 CFLAGS="$saved_CFLAGS"
5936else
5937 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5781$as_echo "yes" >&6; } 5938$as_echo "yes" >&6; }
5782 CFLAGS="$saved_CFLAGS $_define_flag" 5939 CFLAGS="$saved_CFLAGS $_define_flag"
5940fi
5783else 5941else
5784 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5942 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5785$as_echo "no" >&6; } 5943$as_echo "no" >&6; }
@@ -5800,9 +5958,17 @@ $as_echo_n "checking if $CC supports -D_FORTIFY_SOURCE=2... " >&6; }
5800int main(void) { return 0; } 5958int main(void) { return 0; }
5801_ACEOF 5959_ACEOF
5802if ac_fn_c_try_compile "$LINENO"; then : 5960if ac_fn_c_try_compile "$LINENO"; then :
5803 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5961
5962if `grep -i "unrecognized option" conftest.err >/dev/null`
5963then
5964 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5965$as_echo "no" >&6; }
5966 CFLAGS="$saved_CFLAGS"
5967else
5968 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5804$as_echo "yes" >&6; } 5969$as_echo "yes" >&6; }
5805 CFLAGS="$saved_CFLAGS $_define_flag" 5970 CFLAGS="$saved_CFLAGS $_define_flag"
5971fi
5806else 5972else
5807 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5973 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5808$as_echo "no" >&6; } 5974$as_echo "no" >&6; }
@@ -6074,6 +6240,7 @@ for ac_header in \
6074 ia.h \ 6240 ia.h \
6075 iaf.h \ 6241 iaf.h \
6076 limits.h \ 6242 limits.h \
6243 locale.h \
6077 login.h \ 6244 login.h \
6078 maillock.h \ 6245 maillock.h \
6079 ndir.h \ 6246 ndir.h \
@@ -6112,7 +6279,6 @@ for ac_header in \
6112 sys/sysmacros.h \ 6279 sys/sysmacros.h \
6113 sys/time.h \ 6280 sys/time.h \
6114 sys/timers.h \ 6281 sys/timers.h \
6115 sys/un.h \
6116 time.h \ 6282 time.h \
6117 tmpdir.h \ 6283 tmpdir.h \
6118 ttyent.h \ 6284 ttyent.h \
@@ -6210,6 +6376,24 @@ fi
6210done 6376done
6211 6377
6212 6378
6379# Android requires sys/socket.h to be included before sys/un.h
6380for ac_header in sys/un.h
6381do :
6382 ac_fn_c_check_header_compile "$LINENO" "sys/un.h" "ac_cv_header_sys_un_h" "
6383#include <sys/types.h>
6384#include <sys/socket.h>
6385
6386"
6387if test "x$ac_cv_header_sys_un_h" = xyes; then :
6388 cat >>confdefs.h <<_ACEOF
6389#define HAVE_SYS_UN_H 1
6390_ACEOF
6391
6392fi
6393
6394done
6395
6396
6213# Messages for features tested for in target-specific section 6397# Messages for features tested for in target-specific section
6214SIA_MSG="no" 6398SIA_MSG="no"
6215SPC_MSG="no" 6399SPC_MSG="no"
@@ -6496,6 +6680,14 @@ $as_echo "#define PTY_ZEROREAD 1" >>confdefs.h
6496$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h 6680$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
6497 6681
6498 ;; 6682 ;;
6683*-*-android*)
6684
6685$as_echo "#define DISABLE_UTMP 1" >>confdefs.h
6686
6687
6688$as_echo "#define DISABLE_WTMP 1" >>confdefs.h
6689
6690 ;;
6499*-*-cygwin*) 6691*-*-cygwin*)
6500 check_for_libcrypt_later=1 6692 check_for_libcrypt_later=1
6501 LIBS="$LIBS /usr/lib/textreadmode.o" 6693 LIBS="$LIBS /usr/lib/textreadmode.o"
@@ -7257,6 +7449,7 @@ fi
7257 7449
7258fi 7450fi
7259 7451
7452 TEST_SHELL=$SHELL # let configure find us a capable shell
7260 ;; 7453 ;;
7261*-*-sunos4*) 7454*-*-sunos4*)
7262 CPPFLAGS="$CPPFLAGS -DSUNOS4" 7455 CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -7413,6 +7606,7 @@ $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h
7413 7606
7414 $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h 7607 $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h
7415 7608
7609 TEST_SHELL=$SHELL # let configure find us a capable shell
7416 ;; 7610 ;;
7417# UnixWare 7.x, OpenUNIX 8 7611# UnixWare 7.x, OpenUNIX 8
7418*-*-sysv5*) 7612*-*-sysv5*)
@@ -7432,10 +7626,10 @@ $as_echo "#define UNIXWARE_LONG_PASSWORDS 1" >>confdefs.h
7432 7626
7433 $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h 7627 $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h
7434 7628
7629 TEST_SHELL=$SHELL # let configure find us a capable shell
7435 case "$host" in 7630 case "$host" in
7436 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x 7631 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
7437 maildir=/var/spool/mail 7632 maildir=/var/spool/mail
7438 TEST_SHELL=/u95/bin/sh
7439 7633
7440$as_echo "#define BROKEN_LIBIAF 1" >>confdefs.h 7634$as_echo "#define BROKEN_LIBIAF 1" >>confdefs.h
7441 7635
@@ -7553,7 +7747,7 @@ fi
7553done 7747done
7554 7748
7555 MANTYPE=man 7749 MANTYPE=man
7556 TEST_SHELL=ksh 7750 TEST_SHELL=$SHELL # let configure find us a capable shell
7557 SKIP_DISABLE_LASTLOG_DEFINE=yes 7751 SKIP_DISABLE_LASTLOG_DEFINE=yes
7558 ;; 7752 ;;
7559*-*-unicosmk*) 7753*-*-unicosmk*)
@@ -7664,15 +7858,6 @@ $as_echo "#define BROKEN_READV_COMPARISON 1" >>confdefs.h
7664 7858
7665 $as_echo "#define NO_X11_UNIX_SOCKETS 1" >>confdefs.h 7859 $as_echo "#define NO_X11_UNIX_SOCKETS 1" >>confdefs.h
7666 7860
7667
7668$as_echo "#define MISSING_NFDBITS 1" >>confdefs.h
7669
7670
7671$as_echo "#define MISSING_HOWMANY 1" >>confdefs.h
7672
7673
7674$as_echo "#define MISSING_FD_MASK 1" >>confdefs.h
7675
7676 $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h 7861 $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h
7677 7862
7678 $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h 7863 $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h
@@ -7705,8 +7890,6 @@ $as_echo "#define HAVE_SYS_SYSLOG_H 1" >>confdefs.h
7705 7890
7706*-*-lynxos) 7891*-*-lynxos)
7707 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 7892 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
7708 $as_echo "#define MISSING_HOWMANY 1" >>confdefs.h
7709
7710 7893
7711$as_echo "#define BROKEN_SETVBUF 1" >>confdefs.h 7894$as_echo "#define BROKEN_SETVBUF 1" >>confdefs.h
7712 7895
@@ -8231,6 +8414,7 @@ else
8231/* end confdefs.h. */ 8414/* end confdefs.h. */
8232 8415
8233#include <stdio.h> 8416#include <stdio.h>
8417#include <stdlib.h>
8234#include <zlib.h> 8418#include <zlib.h>
8235 8419
8236int 8420int
@@ -8455,6 +8639,62 @@ if test "$ac_res" != no; then :
8455 8639
8456fi 8640fi
8457 8641
8642{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing scan_scaled" >&5
8643$as_echo_n "checking for library containing scan_scaled... " >&6; }
8644if ${ac_cv_search_scan_scaled+:} false; then :
8645 $as_echo_n "(cached) " >&6
8646else
8647 ac_func_search_save_LIBS=$LIBS
8648cat confdefs.h - <<_ACEOF >conftest.$ac_ext
8649/* end confdefs.h. */
8650
8651/* Override any GCC internal prototype to avoid an error.
8652 Use char because int might match the return type of a GCC
8653 builtin and then its argument prototype would still apply. */
8654#ifdef __cplusplus
8655extern "C"
8656#endif
8657char scan_scaled ();
8658int
8659main ()
8660{
8661return scan_scaled ();
8662 ;
8663 return 0;
8664}
8665_ACEOF
8666for ac_lib in '' util bsd; do
8667 if test -z "$ac_lib"; then
8668 ac_res="none required"
8669 else
8670 ac_res=-l$ac_lib
8671 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
8672 fi
8673 if ac_fn_c_try_link "$LINENO"; then :
8674 ac_cv_search_scan_scaled=$ac_res
8675fi
8676rm -f core conftest.err conftest.$ac_objext \
8677 conftest$ac_exeext
8678 if ${ac_cv_search_scan_scaled+:} false; then :
8679 break
8680fi
8681done
8682if ${ac_cv_search_scan_scaled+:} false; then :
8683
8684else
8685 ac_cv_search_scan_scaled=no
8686fi
8687rm conftest.$ac_ext
8688LIBS=$ac_func_search_save_LIBS
8689fi
8690{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_scan_scaled" >&5
8691$as_echo "$ac_cv_search_scan_scaled" >&6; }
8692ac_res=$ac_cv_search_scan_scaled
8693if test "$ac_res" != no; then :
8694 test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
8695
8696fi
8697
8458{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing login" >&5 8698{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing login" >&5
8459$as_echo_n "checking for library containing login... " >&6; } 8699$as_echo_n "checking for library containing login... " >&6; }
8460if ${ac_cv_search_login+:} false; then : 8700if ${ac_cv_search_login+:} false; then :
@@ -8735,7 +8975,7 @@ if test "$ac_res" != no; then :
8735 8975
8736fi 8976fi
8737 8977
8738for ac_func in fmt_scaled login logout openpty updwtmp logwtmp 8978for ac_func in fmt_scaled scan_scaled login logout openpty updwtmp logwtmp
8739do : 8979do :
8740 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` 8980 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
8741ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 8981ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -9570,6 +9810,7 @@ for ac_func in \
9570 clock \ 9810 clock \
9571 closefrom \ 9811 closefrom \
9572 dirfd \ 9812 dirfd \
9813 endgrent \
9573 fchmod \ 9814 fchmod \
9574 fchown \ 9815 fchown \
9575 freeaddrinfo \ 9816 freeaddrinfo \
@@ -9594,6 +9835,7 @@ for ac_func in \
9594 inet_ntop \ 9835 inet_ntop \
9595 innetgr \ 9836 innetgr \
9596 login_getcapbool \ 9837 login_getcapbool \
9838 mblen \
9597 md5_crypt \ 9839 md5_crypt \
9598 memmove \ 9840 memmove \
9599 mkdtemp \ 9841 mkdtemp \
@@ -9852,6 +10094,65 @@ $as_echo "#define HAVE_NANOSLEEP 1" >>confdefs.h
9852fi 10094fi
9853 10095
9854 10096
10097{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
10098$as_echo_n "checking for library containing clock_gettime... " >&6; }
10099if ${ac_cv_search_clock_gettime+:} false; then :
10100 $as_echo_n "(cached) " >&6
10101else
10102 ac_func_search_save_LIBS=$LIBS
10103cat confdefs.h - <<_ACEOF >conftest.$ac_ext
10104/* end confdefs.h. */
10105
10106/* Override any GCC internal prototype to avoid an error.
10107 Use char because int might match the return type of a GCC
10108 builtin and then its argument prototype would still apply. */
10109#ifdef __cplusplus
10110extern "C"
10111#endif
10112char clock_gettime ();
10113int
10114main ()
10115{
10116return clock_gettime ();
10117 ;
10118 return 0;
10119}
10120_ACEOF
10121for ac_lib in '' rt; do
10122 if test -z "$ac_lib"; then
10123 ac_res="none required"
10124 else
10125 ac_res=-l$ac_lib
10126 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
10127 fi
10128 if ac_fn_c_try_link "$LINENO"; then :
10129 ac_cv_search_clock_gettime=$ac_res
10130fi
10131rm -f core conftest.err conftest.$ac_objext \
10132 conftest$ac_exeext
10133 if ${ac_cv_search_clock_gettime+:} false; then :
10134 break
10135fi
10136done
10137if ${ac_cv_search_clock_gettime+:} false; then :
10138
10139else
10140 ac_cv_search_clock_gettime=no
10141fi
10142rm conftest.$ac_ext
10143LIBS=$ac_func_search_save_LIBS
10144fi
10145{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5
10146$as_echo "$ac_cv_search_clock_gettime" >&6; }
10147ac_res=$ac_cv_search_clock_gettime
10148if test "$ac_res" != no; then :
10149 test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
10150
10151$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
10152
10153fi
10154
10155
9855ac_fn_c_check_decl "$LINENO" "getrusage" "ac_cv_have_decl_getrusage" "$ac_includes_default" 10156ac_fn_c_check_decl "$LINENO" "getrusage" "ac_cv_have_decl_getrusage" "$ac_includes_default"
9856if test "x$ac_cv_have_decl_getrusage" = xyes; then : 10157if test "x$ac_cv_have_decl_getrusage" = xyes; then :
9857 for ac_func in getrusage 10158 for ac_func in getrusage
@@ -10006,6 +10307,84 @@ cat >>confdefs.h <<_ACEOF
10006_ACEOF 10307_ACEOF
10007 10308
10008 10309
10310# extra bits for select(2)
10311ac_fn_c_check_decl "$LINENO" "howmany" "ac_cv_have_decl_howmany" "
10312#include <sys/param.h>
10313#include <sys/types.h>
10314#ifdef HAVE_SYS_SYSMACROS_H
10315#include <sys/sysmacros.h>
10316#endif
10317#ifdef HAVE_SYS_SELECT_H
10318#include <sys/select.h>
10319#endif
10320#ifdef HAVE_SYS_TIME_H
10321#include <sys/time.h>
10322#endif
10323#ifdef HAVE_UNISTD_H
10324#include <unistd.h>
10325#endif
10326
10327"
10328if test "x$ac_cv_have_decl_howmany" = xyes; then :
10329 ac_have_decl=1
10330else
10331 ac_have_decl=0
10332fi
10333
10334cat >>confdefs.h <<_ACEOF
10335#define HAVE_DECL_HOWMANY $ac_have_decl
10336_ACEOF
10337ac_fn_c_check_decl "$LINENO" "NFDBITS" "ac_cv_have_decl_NFDBITS" "
10338#include <sys/param.h>
10339#include <sys/types.h>
10340#ifdef HAVE_SYS_SYSMACROS_H
10341#include <sys/sysmacros.h>
10342#endif
10343#ifdef HAVE_SYS_SELECT_H
10344#include <sys/select.h>
10345#endif
10346#ifdef HAVE_SYS_TIME_H
10347#include <sys/time.h>
10348#endif
10349#ifdef HAVE_UNISTD_H
10350#include <unistd.h>
10351#endif
10352
10353"
10354if test "x$ac_cv_have_decl_NFDBITS" = xyes; then :
10355 ac_have_decl=1
10356else
10357 ac_have_decl=0
10358fi
10359
10360cat >>confdefs.h <<_ACEOF
10361#define HAVE_DECL_NFDBITS $ac_have_decl
10362_ACEOF
10363
10364ac_fn_c_check_type "$LINENO" "fd_mask" "ac_cv_type_fd_mask" "
10365#include <sys/param.h>
10366#include <sys/types.h>
10367#ifdef HAVE_SYS_SELECT_H
10368#include <sys/select.h>
10369#endif
10370#ifdef HAVE_SYS_TIME_H
10371#include <sys/time.h>
10372#endif
10373#ifdef HAVE_UNISTD_H
10374#include <unistd.h>
10375#endif
10376
10377"
10378if test "x$ac_cv_type_fd_mask" = xyes; then :
10379
10380cat >>confdefs.h <<_ACEOF
10381#define HAVE_FD_MASK 1
10382_ACEOF
10383
10384
10385fi
10386
10387
10009for ac_func in setresuid 10388for ac_func in setresuid
10010do : 10389do :
10011 ac_fn_c_check_func "$LINENO" "setresuid" "ac_cv_func_setresuid" 10390 ac_fn_c_check_func "$LINENO" "setresuid" "ac_cv_func_setresuid"
@@ -11336,6 +11715,8 @@ else
11336 11715
11337 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 11716 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
11338$as_echo "no" >&6; } 11717$as_echo "no" >&6; }
11718 unsupported_algorithms="$unsupported_cipers \
11719 aes128-gcm@openssh.com aes256-gcm@openssh.com"
11339 11720
11340 11721
11341fi 11722fi
@@ -11532,6 +11913,18 @@ if test "x$ac_cv_lib_crypt_crypt" = xyes; then :
11532fi 11913fi
11533 11914
11534fi 11915fi
11916for ac_func in crypt DES_crypt
11917do :
11918 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
11919ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
11920if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
11921 cat >>confdefs.h <<_ACEOF
11922#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
11923_ACEOF
11924
11925fi
11926done
11927
11535 11928
11536# Search for SHA256 support in libc and/or OpenSSL 11929# Search for SHA256 support in libc and/or OpenSSL
11537for ac_func in SHA256_Update EVP_sha256 11930for ac_func in SHA256_Update EVP_sha256
@@ -11545,6 +11938,12 @@ _ACEOF
11545 TEST_SSH_SHA256=yes 11938 TEST_SSH_SHA256=yes
11546else 11939else
11547 TEST_SSH_SHA256=no 11940 TEST_SSH_SHA256=no
11941 unsupported_algorithms="$unsupported_algorithms \
11942 hmac-sha2-256 hmac-sha2-512 \
11943 diffie-hellman-group-exchange-sha256 \
11944 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
11945
11946
11548fi 11947fi
11549done 11948done
11550 11949
@@ -11593,6 +11992,12 @@ else
11593$as_echo "no" >&6; } 11992$as_echo "no" >&6; }
11594 TEST_SSH_ECC=no 11993 TEST_SSH_ECC=no
11595 COMMENT_OUT_ECC="#no ecc#" 11994 COMMENT_OUT_ECC="#no ecc#"
11995 unsupported_algorithms="$unsupported_algorithms \
11996 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
11997 ecdsa-sha2-nistp256-cert-v01@openssh.com \
11998 ecdsa-sha2-nistp384-cert-v01@openssh.com \
11999 ecdsa-sha2-nistp521-cert-v01@openssh.com \
12000 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
11596 12001
11597 12002
11598fi 12003fi
@@ -14345,6 +14750,60 @@ _ACEOF
14345 14750
14346fi 14751fi
14347 14752
14753ac_fn_c_check_member "$LINENO" "struct passwd" "pw_gecos" "ac_cv_member_struct_passwd_pw_gecos" "
14754#include <sys/types.h>
14755#include <pwd.h>
14756
14757"
14758if test "x$ac_cv_member_struct_passwd_pw_gecos" = xyes; then :
14759
14760cat >>confdefs.h <<_ACEOF
14761#define HAVE_STRUCT_PASSWD_PW_GECOS 1
14762_ACEOF
14763
14764
14765fi
14766ac_fn_c_check_member "$LINENO" "struct passwd" "pw_class" "ac_cv_member_struct_passwd_pw_class" "
14767#include <sys/types.h>
14768#include <pwd.h>
14769
14770"
14771if test "x$ac_cv_member_struct_passwd_pw_class" = xyes; then :
14772
14773cat >>confdefs.h <<_ACEOF
14774#define HAVE_STRUCT_PASSWD_PW_CLASS 1
14775_ACEOF
14776
14777
14778fi
14779ac_fn_c_check_member "$LINENO" "struct passwd" "pw_change" "ac_cv_member_struct_passwd_pw_change" "
14780#include <sys/types.h>
14781#include <pwd.h>
14782
14783"
14784if test "x$ac_cv_member_struct_passwd_pw_change" = xyes; then :
14785
14786cat >>confdefs.h <<_ACEOF
14787#define HAVE_STRUCT_PASSWD_PW_CHANGE 1
14788_ACEOF
14789
14790
14791fi
14792ac_fn_c_check_member "$LINENO" "struct passwd" "pw_expire" "ac_cv_member_struct_passwd_pw_expire" "
14793#include <sys/types.h>
14794#include <pwd.h>
14795
14796"
14797if test "x$ac_cv_member_struct_passwd_pw_expire" = xyes; then :
14798
14799cat >>confdefs.h <<_ACEOF
14800#define HAVE_STRUCT_PASSWD_PW_EXPIRE 1
14801_ACEOF
14802
14803
14804fi
14805
14806
14348ac_fn_c_check_member "$LINENO" "struct __res_state" "retrans" "ac_cv_member_struct___res_state_retrans" " 14807ac_fn_c_check_member "$LINENO" "struct __res_state" "retrans" "ac_cv_member_struct___res_state_retrans" "
14349#include <stdio.h> 14808#include <stdio.h>
14350#if HAVE_SYS_TYPES_H 14809#if HAVE_SYS_TYPES_H
@@ -14437,108 +14896,6 @@ $as_echo "#define HAVE___SS_FAMILY_IN_SS 1" >>confdefs.h
14437 14896
14438fi 14897fi
14439 14898
14440{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pw_class field in struct passwd" >&5
14441$as_echo_n "checking for pw_class field in struct passwd... " >&6; }
14442if ${ac_cv_have_pw_class_in_struct_passwd+:} false; then :
14443 $as_echo_n "(cached) " >&6
14444else
14445
14446 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
14447/* end confdefs.h. */
14448 #include <pwd.h>
14449int
14450main ()
14451{
14452 struct passwd p; p.pw_class = 0;
14453 ;
14454 return 0;
14455}
14456_ACEOF
14457if ac_fn_c_try_compile "$LINENO"; then :
14458 ac_cv_have_pw_class_in_struct_passwd="yes"
14459else
14460 ac_cv_have_pw_class_in_struct_passwd="no"
14461
14462fi
14463rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
14464
14465fi
14466{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pw_class_in_struct_passwd" >&5
14467$as_echo "$ac_cv_have_pw_class_in_struct_passwd" >&6; }
14468if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
14469
14470$as_echo "#define HAVE_PW_CLASS_IN_PASSWD 1" >>confdefs.h
14471
14472fi
14473
14474{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pw_expire field in struct passwd" >&5
14475$as_echo_n "checking for pw_expire field in struct passwd... " >&6; }
14476if ${ac_cv_have_pw_expire_in_struct_passwd+:} false; then :
14477 $as_echo_n "(cached) " >&6
14478else
14479
14480 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
14481/* end confdefs.h. */
14482 #include <pwd.h>
14483int
14484main ()
14485{
14486 struct passwd p; p.pw_expire = 0;
14487 ;
14488 return 0;
14489}
14490_ACEOF
14491if ac_fn_c_try_compile "$LINENO"; then :
14492 ac_cv_have_pw_expire_in_struct_passwd="yes"
14493else
14494 ac_cv_have_pw_expire_in_struct_passwd="no"
14495
14496fi
14497rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
14498
14499fi
14500{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5
14501$as_echo "$ac_cv_have_pw_expire_in_struct_passwd" >&6; }
14502if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
14503
14504$as_echo "#define HAVE_PW_EXPIRE_IN_PASSWD 1" >>confdefs.h
14505
14506fi
14507
14508{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pw_change field in struct passwd" >&5
14509$as_echo_n "checking for pw_change field in struct passwd... " >&6; }
14510if ${ac_cv_have_pw_change_in_struct_passwd+:} false; then :
14511 $as_echo_n "(cached) " >&6
14512else
14513
14514 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
14515/* end confdefs.h. */
14516 #include <pwd.h>
14517int
14518main ()
14519{
14520 struct passwd p; p.pw_change = 0;
14521 ;
14522 return 0;
14523}
14524_ACEOF
14525if ac_fn_c_try_compile "$LINENO"; then :
14526 ac_cv_have_pw_change_in_struct_passwd="yes"
14527else
14528 ac_cv_have_pw_change_in_struct_passwd="no"
14529
14530fi
14531rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
14532
14533fi
14534{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pw_change_in_struct_passwd" >&5
14535$as_echo "$ac_cv_have_pw_change_in_struct_passwd" >&6; }
14536if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
14537
14538$as_echo "#define HAVE_PW_CHANGE_IN_PASSWD 1" >>confdefs.h
14539
14540fi
14541
14542{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for msg_accrights field in struct msghdr" >&5 14899{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for msg_accrights field in struct msghdr" >&5
14543$as_echo_n "checking for msg_accrights field in struct msghdr... " >&6; } 14900$as_echo_n "checking for msg_accrights field in struct msghdr... " >&6; }
14544if ${ac_cv_have_accrights_in_msghdr+:} false; then : 14901if ${ac_cv_have_accrights_in_msghdr+:} false; then :
@@ -15996,6 +16353,22 @@ cat >>confdefs.h <<_ACEOF
15996#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl 16353#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl
15997_ACEOF 16354_ACEOF
15998 16355
16356 saved_LIBS="$LIBS"
16357 LIBS="$LIBS $K5LIBS"
16358 for ac_func in krb5_cc_new_unique krb5_get_error_message krb5_free_error_message
16359do :
16360 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
16361ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
16362if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
16363 cat >>confdefs.h <<_ACEOF
16364#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
16365_ACEOF
16366
16367fi
16368done
16369
16370 LIBS="$saved_LIBS"
16371
15999 fi 16372 fi
16000 16373
16001 16374
@@ -17307,6 +17680,8 @@ fi
17307 17680
17308TEST_SSH_IPV6=$TEST_SSH_IPV6 17681TEST_SSH_IPV6=$TEST_SSH_IPV6
17309 17682
17683UNSUPPORTED_ALGORITHMS=$unsupported_algorithms
17684
17310 17685
17311 17686
17312ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh" 17687ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh"
diff --git a/configure.ac b/configure.ac
index 198a2056e..d7d500a33 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $ 1# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.518 $) 18AC_REVISION($Revision: 1.536 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -129,11 +129,16 @@ AC_ARG_WITH([stackprotect],
129 129
130 130
131if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 131if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
132 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror],
133 [-Qunused-arguments])
134 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror],
135 [-Wno-unknown-warning-option])
132 OSSH_CHECK_CFLAG_COMPILE([-Wall]) 136 OSSH_CHECK_CFLAG_COMPILE([-Wall])
133 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) 137 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
134 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) 138 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
135 OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) 139 OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
136 OSSH_CHECK_CFLAG_COMPILE([-Wformat-security]) 140 OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
141 OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
137 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) 142 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
138 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) 143 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
139 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) 144 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
@@ -305,6 +310,7 @@ AC_CHECK_HEADERS([ \
305 ia.h \ 310 ia.h \
306 iaf.h \ 311 iaf.h \
307 limits.h \ 312 limits.h \
313 locale.h \
308 login.h \ 314 login.h \
309 maillock.h \ 315 maillock.h \
310 ndir.h \ 316 ndir.h \
@@ -343,7 +349,6 @@ AC_CHECK_HEADERS([ \
343 sys/sysmacros.h \ 349 sys/sysmacros.h \
344 sys/time.h \ 350 sys/time.h \
345 sys/timers.h \ 351 sys/timers.h \
346 sys/un.h \
347 time.h \ 352 time.h \
348 tmpdir.h \ 353 tmpdir.h \
349 ttyent.h \ 354 ttyent.h \
@@ -381,6 +386,12 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [
381#include <sys/param.h> 386#include <sys/param.h>
382]) 387])
383 388
389# Android requires sys/socket.h to be included before sys/un.h
390AC_CHECK_HEADERS([sys/un.h], [], [], [
391#include <sys/types.h>
392#include <sys/socket.h>
393])
394
384# Messages for features tested for in target-specific section 395# Messages for features tested for in target-specific section
385SIA_MSG="no" 396SIA_MSG="no"
386SPC_MSG="no" 397SPC_MSG="no"
@@ -482,6 +493,10 @@ case "$host" in
482 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) 493 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
483 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) 494 AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
484 ;; 495 ;;
496*-*-android*)
497 AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
498 AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
499 ;;
485*-*-cygwin*) 500*-*-cygwin*)
486 check_for_libcrypt_later=1 501 check_for_libcrypt_later=1
487 LIBS="$LIBS /usr/lib/textreadmode.o" 502 LIBS="$LIBS /usr/lib/textreadmode.o"
@@ -823,6 +838,7 @@ mips-sony-bsd|mips-sony-newsos4)
823 SP_MSG="yes" ], ) 838 SP_MSG="yes" ], )
824 ], 839 ],
825 ) 840 )
841 TEST_SHELL=$SHELL # let configure find us a capable shell
826 ;; 842 ;;
827*-*-sunos4*) 843*-*-sunos4*)
828 CPPFLAGS="$CPPFLAGS -DSUNOS4" 844 CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -866,6 +882,7 @@ mips-sony-bsd|mips-sony-newsos4)
866 AC_DEFINE([BROKEN_SETREGID]) 882 AC_DEFINE([BROKEN_SETREGID])
867 AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd]) 883 AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
868 AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) 884 AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
885 TEST_SHELL=$SHELL # let configure find us a capable shell
869 ;; 886 ;;
870# UnixWare 7.x, OpenUNIX 8 887# UnixWare 7.x, OpenUNIX 8
871*-*-sysv5*) 888*-*-sysv5*)
@@ -877,10 +894,10 @@ mips-sony-bsd|mips-sony-newsos4)
877 AC_DEFINE([BROKEN_SETREUID]) 894 AC_DEFINE([BROKEN_SETREUID])
878 AC_DEFINE([BROKEN_SETREGID]) 895 AC_DEFINE([BROKEN_SETREGID])
879 AC_DEFINE([PASSWD_NEEDS_USERNAME]) 896 AC_DEFINE([PASSWD_NEEDS_USERNAME])
897 TEST_SHELL=$SHELL # let configure find us a capable shell
880 case "$host" in 898 case "$host" in
881 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x 899 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
882 maildir=/var/spool/mail 900 maildir=/var/spool/mail
883 TEST_SHELL=/u95/bin/sh
884 AC_DEFINE([BROKEN_LIBIAF], [1], 901 AC_DEFINE([BROKEN_LIBIAF], [1],
885 [ia_uinfo routines not supported by OS yet]) 902 [ia_uinfo routines not supported by OS yet])
886 AC_DEFINE([BROKEN_UPDWTMPX]) 903 AC_DEFINE([BROKEN_UPDWTMPX])
@@ -921,7 +938,7 @@ mips-sony-bsd|mips-sony-newsos4)
921 AC_DEFINE([PASSWD_NEEDS_USERNAME]) 938 AC_DEFINE([PASSWD_NEEDS_USERNAME])
922 AC_CHECK_FUNCS([getluid setluid]) 939 AC_CHECK_FUNCS([getluid setluid])
923 MANTYPE=man 940 MANTYPE=man
924 TEST_SHELL=ksh 941 TEST_SHELL=$SHELL # let configure find us a capable shell
925 SKIP_DISABLE_LASTLOG_DEFINE=yes 942 SKIP_DISABLE_LASTLOG_DEFINE=yes
926 ;; 943 ;;
927*-*-unicosmk*) 944*-*-unicosmk*)
@@ -998,9 +1015,6 @@ mips-sony-bsd|mips-sony-newsos4)
998*-*-nto-qnx*) 1015*-*-nto-qnx*)
999 AC_DEFINE([USE_PIPES]) 1016 AC_DEFINE([USE_PIPES])
1000 AC_DEFINE([NO_X11_UNIX_SOCKETS]) 1017 AC_DEFINE([NO_X11_UNIX_SOCKETS])
1001 AC_DEFINE([MISSING_NFDBITS], [1], [Define on *nto-qnx systems])
1002 AC_DEFINE([MISSING_HOWMANY], [1], [Define on *nto-qnx systems])
1003 AC_DEFINE([MISSING_FD_MASK], [1], [Define on *nto-qnx systems])
1004 AC_DEFINE([DISABLE_LASTLOG]) 1018 AC_DEFINE([DISABLE_LASTLOG])
1005 AC_DEFINE([SSHD_ACQUIRES_CTTY]) 1019 AC_DEFINE([SSHD_ACQUIRES_CTTY])
1006 AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken]) 1020 AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
@@ -1021,7 +1035,6 @@ mips-sony-bsd|mips-sony-newsos4)
1021 1035
1022*-*-lynxos) 1036*-*-lynxos)
1023 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 1037 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1024 AC_DEFINE([MISSING_HOWMANY])
1025 AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation]) 1038 AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation])
1026 ;; 1039 ;;
1027esac 1040esac
@@ -1144,6 +1157,7 @@ AC_ARG_WITH([zlib-version-check],
1144AC_MSG_CHECKING([for possibly buggy zlib]) 1157AC_MSG_CHECKING([for possibly buggy zlib])
1145AC_RUN_IFELSE([AC_LANG_PROGRAM([[ 1158AC_RUN_IFELSE([AC_LANG_PROGRAM([[
1146#include <stdio.h> 1159#include <stdio.h>
1160#include <stdlib.h>
1147#include <zlib.h> 1161#include <zlib.h>
1148 ]], 1162 ]],
1149 [[ 1163 [[
@@ -1193,12 +1207,13 @@ AC_CHECK_FUNCS([utimes],
1193dnl Checks for libutil functions 1207dnl Checks for libutil functions
1194AC_CHECK_HEADERS([bsd/libutil.h libutil.h]) 1208AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
1195AC_SEARCH_LIBS([fmt_scaled], [util bsd]) 1209AC_SEARCH_LIBS([fmt_scaled], [util bsd])
1210AC_SEARCH_LIBS([scan_scaled], [util bsd])
1196AC_SEARCH_LIBS([login], [util bsd]) 1211AC_SEARCH_LIBS([login], [util bsd])
1197AC_SEARCH_LIBS([logout], [util bsd]) 1212AC_SEARCH_LIBS([logout], [util bsd])
1198AC_SEARCH_LIBS([logwtmp], [util bsd]) 1213AC_SEARCH_LIBS([logwtmp], [util bsd])
1199AC_SEARCH_LIBS([openpty], [util bsd]) 1214AC_SEARCH_LIBS([openpty], [util bsd])
1200AC_SEARCH_LIBS([updwtmp], [util bsd]) 1215AC_SEARCH_LIBS([updwtmp], [util bsd])
1201AC_CHECK_FUNCS([fmt_scaled login logout openpty updwtmp logwtmp]) 1216AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
1202 1217
1203AC_FUNC_STRFTIME 1218AC_FUNC_STRFTIME
1204 1219
@@ -1548,6 +1563,7 @@ AC_CHECK_FUNCS([ \
1548 clock \ 1563 clock \
1549 closefrom \ 1564 closefrom \
1550 dirfd \ 1565 dirfd \
1566 endgrent \
1551 fchmod \ 1567 fchmod \
1552 fchown \ 1568 fchown \
1553 freeaddrinfo \ 1569 freeaddrinfo \
@@ -1572,6 +1588,7 @@ AC_CHECK_FUNCS([ \
1572 inet_ntop \ 1588 inet_ntop \
1573 innetgr \ 1589 innetgr \
1574 login_getcapbool \ 1590 login_getcapbool \
1591 mblen \
1575 md5_crypt \ 1592 md5_crypt \
1576 memmove \ 1593 memmove \
1577 mkdtemp \ 1594 mkdtemp \
@@ -1668,6 +1685,9 @@ const char *gai_strerror(int);
1668AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1], 1685AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
1669 [Some systems put nanosleep outside of libc])]) 1686 [Some systems put nanosleep outside of libc])])
1670 1687
1688AC_SEARCH_LIBS([clock_gettime], [rt],
1689 [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
1690
1671dnl Make sure prototypes are defined for these before using them. 1691dnl Make sure prototypes are defined for these before using them.
1672AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])]) 1692AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])])
1673AC_CHECK_DECL([strsep], 1693AC_CHECK_DECL([strsep],
@@ -1719,6 +1739,37 @@ AC_CHECK_DECLS([offsetof], , , [
1719#include <stddef.h> 1739#include <stddef.h>
1720 ]) 1740 ])
1721 1741
1742# extra bits for select(2)
1743AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
1744#include <sys/param.h>
1745#include <sys/types.h>
1746#ifdef HAVE_SYS_SYSMACROS_H
1747#include <sys/sysmacros.h>
1748#endif
1749#ifdef HAVE_SYS_SELECT_H
1750#include <sys/select.h>
1751#endif
1752#ifdef HAVE_SYS_TIME_H
1753#include <sys/time.h>
1754#endif
1755#ifdef HAVE_UNISTD_H
1756#include <unistd.h>
1757#endif
1758 ]])
1759AC_CHECK_TYPES([fd_mask], [], [], [[
1760#include <sys/param.h>
1761#include <sys/types.h>
1762#ifdef HAVE_SYS_SELECT_H
1763#include <sys/select.h>
1764#endif
1765#ifdef HAVE_SYS_TIME_H
1766#include <sys/time.h>
1767#endif
1768#ifdef HAVE_UNISTD_H
1769#include <unistd.h>
1770#endif
1771 ]])
1772
1722AC_CHECK_FUNCS([setresuid], [ 1773AC_CHECK_FUNCS([setresuid], [
1723 dnl Some platorms have setresuid that isn't implemented, test for this 1774 dnl Some platorms have setresuid that isn't implemented, test for this
1724 AC_MSG_CHECKING([if setresuid seems to work]) 1775 AC_MSG_CHECKING([if setresuid seems to work])
@@ -2367,6 +2418,8 @@ AC_LINK_IFELSE(
2367 ], 2418 ],
2368 [ 2419 [
2369 AC_MSG_RESULT([no]) 2420 AC_MSG_RESULT([no])
2421 unsupported_algorithms="$unsupported_cipers \
2422 aes128-gcm@openssh.com aes256-gcm@openssh.com"
2370 ] 2423 ]
2371) 2424)
2372 2425
@@ -2404,10 +2457,18 @@ fi
2404if test "x$check_for_libcrypt_later" = "x1"; then 2457if test "x$check_for_libcrypt_later" = "x1"; then
2405 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) 2458 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2406fi 2459fi
2460AC_CHECK_FUNCS([crypt DES_crypt])
2407 2461
2408# Search for SHA256 support in libc and/or OpenSSL 2462# Search for SHA256 support in libc and/or OpenSSL
2409AC_CHECK_FUNCS([SHA256_Update EVP_sha256], [TEST_SSH_SHA256=yes], 2463AC_CHECK_FUNCS([SHA256_Update EVP_sha256],
2410 [TEST_SSH_SHA256=no]) 2464 [TEST_SSH_SHA256=yes],
2465 [TEST_SSH_SHA256=no
2466 unsupported_algorithms="$unsupported_algorithms \
2467 hmac-sha2-256 hmac-sha2-512 \
2468 diffie-hellman-group-exchange-sha256 \
2469 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2470 ]
2471)
2411AC_SUBST([TEST_SSH_SHA256]) 2472AC_SUBST([TEST_SSH_SHA256])
2412 2473
2413# Check complete ECC support in OpenSSL 2474# Check complete ECC support in OpenSSL
@@ -2438,6 +2499,12 @@ AC_LINK_IFELSE(
2438 AC_MSG_RESULT([no]) 2499 AC_MSG_RESULT([no])
2439 TEST_SSH_ECC=no 2500 TEST_SSH_ECC=no
2440 COMMENT_OUT_ECC="#no ecc#" 2501 COMMENT_OUT_ECC="#no ecc#"
2502 unsupported_algorithms="$unsupported_algorithms \
2503 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
2504 ecdsa-sha2-nistp256-cert-v01@openssh.com \
2505 ecdsa-sha2-nistp384-cert-v01@openssh.com \
2506 ecdsa-sha2-nistp521-cert-v01@openssh.com \
2507 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
2441 ] 2508 ]
2442) 2509)
2443AC_SUBST([TEST_SSH_ECC]) 2510AC_SUBST([TEST_SSH_ECC])
@@ -3325,9 +3392,16 @@ OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
3325OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX]) 3392OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
3326 3393
3327AC_CHECK_MEMBERS([struct stat.st_blksize]) 3394AC_CHECK_MEMBERS([struct stat.st_blksize])
3395AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
3396struct passwd.pw_change, struct passwd.pw_expire],
3397[], [], [[
3398#include <sys/types.h>
3399#include <pwd.h>
3400]])
3401
3328AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state], 3402AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
3329 [Define if we don't have struct __res_state in resolv.h])], 3403 [Define if we don't have struct __res_state in resolv.h])],
3330[ 3404[[
3331#include <stdio.h> 3405#include <stdio.h>
3332#if HAVE_SYS_TYPES_H 3406#if HAVE_SYS_TYPES_H
3333# include <sys/types.h> 3407# include <sys/types.h>
@@ -3335,7 +3409,7 @@ AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [sta
3335#include <netinet/in.h> 3409#include <netinet/in.h>
3336#include <arpa/nameser.h> 3410#include <arpa/nameser.h>
3337#include <resolv.h> 3411#include <resolv.h>
3338]) 3412]])
3339 3413
3340AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], 3414AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
3341 ac_cv_have_ss_family_in_struct_ss, [ 3415 ac_cv_have_ss_family_in_struct_ss, [
@@ -3365,45 +3439,6 @@ if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
3365 [Fields in struct sockaddr_storage]) 3439 [Fields in struct sockaddr_storage])
3366fi 3440fi
3367 3441
3368AC_CACHE_CHECK([for pw_class field in struct passwd],
3369 ac_cv_have_pw_class_in_struct_passwd, [
3370 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <pwd.h> ]],
3371 [[ struct passwd p; p.pw_class = 0; ]])],
3372 [ ac_cv_have_pw_class_in_struct_passwd="yes" ],
3373 [ ac_cv_have_pw_class_in_struct_passwd="no"
3374 ])
3375])
3376if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
3377 AC_DEFINE([HAVE_PW_CLASS_IN_PASSWD], [1],
3378 [Define if your password has a pw_class field])
3379fi
3380
3381AC_CACHE_CHECK([for pw_expire field in struct passwd],
3382 ac_cv_have_pw_expire_in_struct_passwd, [
3383 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <pwd.h> ]],
3384 [[ struct passwd p; p.pw_expire = 0; ]])],
3385 [ ac_cv_have_pw_expire_in_struct_passwd="yes" ],
3386 [ ac_cv_have_pw_expire_in_struct_passwd="no"
3387 ])
3388])
3389if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
3390 AC_DEFINE([HAVE_PW_EXPIRE_IN_PASSWD], [1],
3391 [Define if your password has a pw_expire field])
3392fi
3393
3394AC_CACHE_CHECK([for pw_change field in struct passwd],
3395 ac_cv_have_pw_change_in_struct_passwd, [
3396 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <pwd.h> ]],
3397 [[ struct passwd p; p.pw_change = 0; ]])],
3398 [ ac_cv_have_pw_change_in_struct_passwd="yes" ],
3399 [ ac_cv_have_pw_change_in_struct_passwd="no"
3400 ])
3401])
3402if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
3403 AC_DEFINE([HAVE_PW_CHANGE_IN_PASSWD], [1],
3404 [Define if your password has a pw_change field])
3405fi
3406
3407dnl make sure we're using the real structure members and not defines 3442dnl make sure we're using the real structure members and not defines
3408AC_CACHE_CHECK([for msg_accrights field in struct msghdr], 3443AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
3409 ac_cv_have_accrights_in_msghdr, [ 3444 ac_cv_have_accrights_in_msghdr, [
@@ -3795,6 +3830,11 @@ AC_ARG_WITH([kerberos5],
3795# include <gssapi/gssapi_generic.h> 3830# include <gssapi/gssapi_generic.h>
3796#endif 3831#endif
3797 ]]) 3832 ]])
3833 saved_LIBS="$LIBS"
3834 LIBS="$LIBS $K5LIBS"
3835 AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
3836 LIBS="$saved_LIBS"
3837
3798 fi 3838 fi
3799 ] 3839 ]
3800) 3840)
@@ -4569,6 +4609,7 @@ else
4569fi 4609fi
4570AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) 4610AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no])
4571AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) 4611AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
4612AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
4572 4613
4573AC_EXEEXT 4614AC_EXEEXT
4574AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ 4615AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index ca34bd23a..b460bfff0 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
16 16
17#old cvs stuff. please update before use. may be deprecated. 17#old cvs stuff. please update before use. may be deprecated.
18%define use_stable 1 18%define use_stable 1
19%define version 6.2p2 19%define version 6.3p1
20%if %{use_stable} 20%if %{use_stable}
21 %define cvs %{nil} 21 %define cvs %{nil}
22 %define release 1 22 %define release 1
@@ -363,4 +363,4 @@ fi
363* Mon Jan 01 1998 ... 363* Mon Jan 01 1998 ...
364Template Version: 1.31 364Template Version: 1.31
365 365
366$Id: openssh.spec,v 1.79.2.1 2013/05/10 06:02:21 djm Exp $ 366$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 5f911e924..2562b6186 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might
4not run on older versions. Please check http://cygwin.com/ for information 4not run on older versions. Please check http://cygwin.com/ for information
5about current Cygwin releases. 5about current Cygwin releases.
6 6
7Build instructions are at the end of the file. 7==================
8 8Host configuration
9=========================================================================== 9==================
10Important change since 3.7.1p2-2:
11
12The ssh-host-config file doesn't create the /etc/ssh_config and
13/etc/sshd_config files from builtin here-scripts anymore, but it uses
14skeleton files installed in /etc/defaults/etc.
15
16Also it now tries hard to create appropriate permissions on files.
17Same applies for ssh-user-config.
18
19After creating the sshd service with ssh-host-config, it's advisable to
20call ssh-user-config for all affected users, also already exising user
21configurations. In the latter case, file and directory permissions are
22checked and changed, if requireed to match the host configuration.
23
24Important note for Windows 2003 Server users:
25---------------------------------------------
26
272003 Server has a funny new feature. When starting services under SYSTEM
28account, these services have nearly all user rights which SYSTEM holds...
29except for the "Create a token object" right, which is needed to allow
30public key authentication :-(
31
32There's no way around this, except for creating a substitute account which
33has the appropriate privileges. Basically, this account should be member
34of the administrators group, plus it should have the following user rights:
35
36 Create a token object
37 Logon as a service
38 Replace a process level token
39 Increase Quota
40
41The ssh-host-config script asks you, if it should create such an account,
42called "sshd_server". If you say "no" here, you're on your own. Please
43follow the instruction in ssh-host-config exactly if possible. Note that
44ssh-user-config sets the permissions on 2003 Server machines dependent of
45whether a sshd_server account exists or not.
46===========================================================================
47
48===========================================================================
49Important change since 3.4p1-2:
50
51This version adds privilege separation as default setting, see
52/usr/doc/openssh/README.privsep. According to that document the
53privsep feature requires a non-privileged account called 'sshd'.
54
55The new ssh-host-config file which is part of this version asks
56to create 'sshd' as local user if you want to use privilege
57separation. If you confirm, it creates that NT user and adds
58the necessary entry to /etc/passwd.
59
60On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
61since that feature doesn't make any sense on a system which doesn't
62differ between privileged and unprivileged users.
63
64The new ssh-host-config script also adds the /var/empty directory
65needed by privilege separation. When creating the /var/empty directory
66by yourself, please note that in contrast to the README.privsep document
67the owner sshould not be "root" but the user which is running sshd. So,
68in the standard configuration this is SYSTEM. The ssh-host-config script
69chowns /var/empty accordingly.
70===========================================================================
71
72===========================================================================
73Important change since 3.0.1p1-2:
74
75This version introduces the ability to register sshd as service on
76Windows 9x/Me systems. This is done only when the options -D and/or
77-d are not given.
78===========================================================================
79
80===========================================================================
81Important change since 2.9p2:
82
83Since Cygwin is able to switch user context without password beginning
84with version 1.3.2, OpenSSH now allows to do so when it's running under
85a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
86allow that feature.
87===========================================================================
88
89===========================================================================
90Important change since 2.3.0p1:
91
92When using `ntea' or `ntsec' you now have to care for the ownership
93and permission bits of your host key files and your private key files.
94The host key files have to be owned by the NT account which starts
95sshd. The user key files have to be owned by the user. The permission
96bits of the private key files (host and user) have to be at least
97rw------- (0600)!
98
99Note that this is forced under `ntsec' only if the files are on a NTFS
100filesystem (which is recommended) due to the lack of any basic security
101features of the FAT/FAT32 filesystems.
102===========================================================================
103 10
104If you are installing OpenSSH the first time, you can generate global config 11If you are installing OpenSSH the first time, you can generate global config
105files and server keys by running 12files and server keys, as well as installing sshd as a service, by running
106 13
107 /usr/bin/ssh-host-config 14 /usr/bin/ssh-host-config
108 15
109Note that this binary archive doesn't contain default config files in /etc. 16Note that this binary archive doesn't contain default config files in /etc.
110That files are only created if ssh-host-config is started. 17That files are only created if ssh-host-config is started.
111 18
112If you are updating your installation you may run the above ssh-host-config
113as well to move your configuration files to the new location and to
114erase the files at the old location.
115
116To support testing and unattended installation ssh-host-config got 19To support testing and unattended installation ssh-host-config got
117some options: 20some options:
118 21
@@ -123,16 +26,25 @@ Options:
123 --no -n Answer all questions with "no" automatically. 26 --no -n Answer all questions with "no" automatically.
124 --cygwin -c <options> Use "options" as value for CYGWIN environment var. 27 --cygwin -c <options> Use "options" as value for CYGWIN environment var.
125 --port -p <n> sshd listens on port n. 28 --port -p <n> sshd listens on port n.
126 --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'. 29 --user -u <account> privileged user for service, default 'cyg_server'.
30 --pwd -w <passwd> Use "pwd" as password for privileged user.
31 --privileged On Windows XP, require privileged user
32 instead of LocalSystem for sshd service.
127 33
128Additionally ssh-host-config now asks if it should install sshd as a 34Installing sshd as daemon via ssh-host-config is recommended.
129service when running under NT/W2K. This requires cygrunsrv installed.
130 35
131You can create the private and public keys for a user now by running 36Alternatively you can start sshd via inetd, if you have the inetutils
37package installed. Just run ssh-host-config, but answer "no" when asked
38to install sshd as service. The ssh-host-config script also adds the
39required lines to /etc/inetd.conf and /etc/services.
132 40
133 /usr/bin/ssh-user-config 41==================
42User configuration
43==================
44
45Any user can simplify creating the own private and public keys by running
134 46
135under the users account. 47 /usr/bin/ssh-user-config
136 48
137To support testing and unattended installation ssh-user-config got 49To support testing and unattended installation ssh-user-config got
138some options as well: 50some options as well:
@@ -144,88 +56,30 @@ Options:
144 --no -n Answer all questions with "no" automatically. 56 --no -n Answer all questions with "no" automatically.
145 --passphrase -p word Use "word" as passphrase automatically. 57 --passphrase -p word Use "word" as passphrase automatically.
146 58
147Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
148(results in very slow deamon startup!) or from the command line (recommended
149on 9X/ME).
150
151If you start sshd as deamon via cygrunsrv.exe you MUST give the
152"-D" option to sshd. Otherwise the service can't get started at all.
153
154If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
155following line to your inetd.conf file:
156
157ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
158
159Moreover you'll have to add the following line to your
160${SYSTEMROOT}/system32/drivers/etc/services file:
161
162 ssh 22/tcp #SSH daemon
163
164Please note that OpenSSH does never use the value of $HOME to 59Please note that OpenSSH does never use the value of $HOME to
165search for the users configuration files! It always uses the 60search for the users configuration files! It always uses the
166value of the pw_dir field in /etc/passwd as the home directory. 61value of the pw_dir field in /etc/passwd as the home directory.
167If no home diretory is set in /etc/passwd, the root directory 62If no home diretory is set in /etc/passwd, the root directory
168is used instead! 63is used instead!
169 64
170You may use all features of the CYGWIN=ntsec setting the same 65================
171way as they are used by Cygwin's login(1) port: 66Building OpenSSH
172 67================
173 The pw_gecos field may contain an additional field, that begins
174 with (upper case!) "U-", followed by the domain and the username
175 separated by a backslash.
176 CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
177 BTW: The field separator in pw_gecos is the comma.
178 The username in pw_name itself may be any nice name:
179
180 domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
181
182 Now you may use `domuser' as your login name with telnet!
183 This is possible additionally for local users, if you don't like
184 your NT login name ;-) You only have to leave out the domain:
185
186 locuser::1104:513:John Doe,U-user,S-1-5-21-...
187
188Note that the CYGWIN=ntsec setting is required for public key authentication.
189
190SSH2 server and user keys are generated by the `ssh-*-config' scripts
191as well.
192
193If you want to build from source, the following options to
194configure are used for the Cygwin binary distribution:
195
196 --prefix=/usr \
197 --sysconfdir=/etc \
198 --libexecdir='${sbindir}' \
199 --localstatedir=/var \
200 --datadir='${prefix}/share' \
201 --mandir='${datadir}/man' \
202 --infodir='${datadir}/info'
203 --with-tcp-wrappers
204 --with-libedit
205
206If you want to create a Cygwin package, equivalent to the one
207in the Cygwin binary distribution, install like this:
208
209 mkdir /tmp/cygwin-ssh
210 cd ${builddir}
211 make install DESTDIR=/tmp/cygwin-ssh
212 cd ${srcdir}/contrib/cygwin
213 make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
214 cd /tmp/cygwin-ssh
215 find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
216
217You must have installed the following packages to be able to build OpenSSH:
218
219- zlib
220- openssl-devel
221 68
222If you want to build with --with-tcp-wrappers, you also need the package 69Building from source is easy. Just unpack the source archive, cd to that
70directory, and call cygport:
223 71
224- tcp_wrappers 72 cygport openssh.cygport almostall
225 73
226If you want to build with --with-libedit, you also need the package 74You must have installed the following packages to be able to build OpenSSH
75with the aforementioned cygport script:
227 76
228- libedit-devel 77 zlib
78 crypt
79 openssl-devel
80 libwrap-devel
81 libedit-devel
82 libkrb5-devel
229 83
230Please send requests, error reports etc. to cygwin@cygwin.com. 84Please send requests, error reports etc. to cygwin@cygwin.com.
231 85
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 3c9046f5f..c542d5cb6 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -606,9 +606,9 @@ do
606 echo " --no -n Answer all questions with \"no\" automatically." 606 echo " --no -n Answer all questions with \"no\" automatically."
607 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." 607 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
608 echo " --port -p <n> sshd listens on port n." 608 echo " --port -p <n> sshd listens on port n."
609 echo " --user -u <account> privileged user for service." 609 echo " --user -u <account> privileged user for service, default 'cyg_server'."
610 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user." 610 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
611 echo " --privileged On Windows NT/2k/XP, require privileged user" 611 echo " --privileged On Windows XP, require privileged user"
612 echo " instead of LocalSystem for sshd service." 612 echo " instead of LocalSystem for sshd service."
613 echo 613 echo
614 exit 1 614 exit 1
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 027ae6032..8708b7a58 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -222,10 +222,6 @@ do
222 shift 222 shift
223 ;; 223 ;;
224 224
225 --privileged )
226 csih_FORCE_PRIVILEGED_USER=yes
227 ;;
228
229 *) 225 *)
230 echo "usage: ${PROGNAME} [OPTION]..." 226 echo "usage: ${PROGNAME} [OPTION]..."
231 echo 227 echo
@@ -236,8 +232,6 @@ do
236 echo " --yes -y Answer all questions with \"yes\" automatically." 232 echo " --yes -y Answer all questions with \"yes\" automatically."
237 echo " --no -n Answer all questions with \"no\" automatically." 233 echo " --no -n Answer all questions with \"no\" automatically."
238 echo " --passphrase -p word Use \"word\" as passphrase automatically." 234 echo " --passphrase -p word Use \"word\" as passphrase automatically."
239 echo " --privileged On Windows NT/2k/XP, assume privileged user"
240 echo " instead of LocalSystem for sshd service."
241 echo 235 echo
242 exit 1 236 exit 1
243 ;; 237 ;;
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index cd5378ed2..d1191f4e1 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
1%define ver 6.2p2 1%define ver 6.3p1
2%define rel 1 2%define rel 1
3 3
4# OpenSSH privilege separation requires a user & group ID 4# OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index bb9e50bd9..2866039d1 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
13 13
14Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation 14Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
15Name: openssh 15Name: openssh
16Version: 6.2p2 16Version: 6.3p1
17URL: http://www.openssh.com/ 17URL: http://www.openssh.com/
18Release: 1 18Release: 1
19Source0: openssh-%{version}.tar.gz 19Source0: openssh-%{version}.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 9ed26d33d..a7359c9c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,16 @@
1openssh (1:6.2p2-7) UNRELEASED; urgency=low 1openssh (1:6.3p1-1) UNRELEASED; urgency=low
2 2
3 * New upstream release (http://www.openssh.com/txt/release-6.3).
4 - sftp(1): add support for resuming partial downloads using the "reget"
5 command and on the sftp commandline or on the "get" commandline using
6 the "-a" (append) option (closes: #158590).
7 - ssh(1): add an "IgnoreUnknown" configuration option to selectively
8 suppress errors arising from unknown configuration directives (closes:
9 #436052).
10 - sftp(1): update progressmeter when data is acknowledged, not when it's
11 sent (partially addresses #708372).
12 - ssh(1): do not fatally exit when attempting to cleanup multiplexing-
13 created channels that are incompletely opened (closes: #651357).
3 * When running under Upstart, only consider the daemon started once it is 14 * When running under Upstart, only consider the daemon started once it is
4 ready to accept connections (by raising SIGSTOP at that point and using 15 ready to accept connections (by raising SIGSTOP at that point and using
5 "expect stop"). 16 "expect stop").
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 206967bc9..a6a842ecd 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -2,7 +2,7 @@ Description: Quieten logs when multiple from= restrictions are used
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug-Debian: http://bugs.debian.org/630606 3Bug-Debian: http://bugs.debian.org/630606
4Forwarded: no 4Forwarded: no
5Last-Update: 2013-05-07 5Last-Update: 2013-09-14
6 6
7Index: b/auth-options.c 7Index: b/auth-options.c
8=================================================================== 8===================================================================
@@ -32,7 +32,7 @@ Index: b/auth-options.c
32@@ -288,10 +299,13 @@ 32@@ -288,10 +299,13 @@
33 /* FALLTHROUGH */ 33 /* FALLTHROUGH */
34 case 0: 34 case 0:
35 xfree(patterns); 35 free(patterns);
36- logit("Authentication tried for %.100s with " 36- logit("Authentication tried for %.100s with "
37- "correct key but not from a permitted " 37- "correct key but not from a permitted "
38- "host (host=%.200s, ip=%.200s).", 38- "host (host=%.200s, ip=%.200s).",
@@ -47,7 +47,7 @@ Index: b/auth-options.c
47 auth_debug_add("Your host '%.200s' is not " 47 auth_debug_add("Your host '%.200s' is not "
48 "permitted to use this key for login.", 48 "permitted to use this key for login.",
49 remote_host); 49 remote_host);
50@@ -512,11 +526,14 @@ 50@@ -513,11 +527,14 @@
51 break; 51 break;
52 case 0: 52 case 0:
53 /* no match */ 53 /* no match */
@@ -83,7 +83,7 @@ Index: b/auth-rsa.c
83=================================================================== 83===================================================================
84--- a/auth-rsa.c 84--- a/auth-rsa.c
85+++ b/auth-rsa.c 85+++ b/auth-rsa.c
86@@ -175,6 +175,8 @@ 86@@ -174,6 +174,8 @@
87 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 87 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
88 return 0; 88 return 0;
89 89
@@ -96,7 +96,7 @@ Index: b/auth2-pubkey.c
96=================================================================== 96===================================================================
97--- a/auth2-pubkey.c 97--- a/auth2-pubkey.c
98+++ b/auth2-pubkey.c 98+++ b/auth2-pubkey.c
99@@ -217,6 +217,7 @@ 99@@ -257,6 +257,7 @@
100 restore_uid(); 100 restore_uid();
101 return 0; 101 return 0;
102 } 102 }
@@ -104,16 +104,15 @@ Index: b/auth2-pubkey.c
104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
105 /* Skip leading whitespace. */ 105 /* Skip leading whitespace. */
106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
107@@ -278,6 +279,8 @@ 107@@ -318,6 +319,7 @@
108 found_key = 0; 108 found_key = 0;
109 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
110 109
110 found = NULL;
111+ auth_start_parse_options(); 111+ auth_start_parse_options();
112+
113 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 112 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
114 char *cp, *key_options = NULL; 113 char *cp, *key_options = NULL;
115 114 if (found != NULL)
116@@ -412,6 +415,7 @@ 115@@ -453,6 +455,7 @@
117 if (key_cert_check_authority(key, 0, 1, 116 if (key_cert_check_authority(key, 0, 1,
118 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 117 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
119 goto fail_reason; 118 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index c6a4b64c6..e48a3cb3e 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -2,13 +2,13 @@ Description: Install authorized_keys(5) as a symlink to sshd(8)
2Author: Tomas Pospisek <tpo_deb@sourcepole.ch> 2Author: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
4Bug-Debian: http://bugs.debian.org/441817 4Bug-Debian: http://bugs.debian.org/441817
5Last-Update: 2013-05-07 5Last-Update: 2013-09-14
6 6
7Index: b/Makefile.in 7Index: b/Makefile.in
8=================================================================== 8===================================================================
9--- a/Makefile.in 9--- a/Makefile.in
10+++ b/Makefile.in 10+++ b/Makefile.in
11@@ -286,6 +286,7 @@ 11@@ -289,6 +289,7 @@
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index 36b3805b9..fd064a848 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,7 +1,7 @@
1Description: Add support for registering ConsoleKit sessions on login 1Description: Add support for registering ConsoleKit sessions on login
2Author: Colin Watson <cjwatson@ubuntu.com> 2Author: Colin Watson <cjwatson@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
4Last-Updated: 2013-05-13 4Last-Updated: 2013-09-14
5 5
6Index: b/Makefile.in 6Index: b/Makefile.in
7=================================================================== 7===================================================================
@@ -21,7 +21,7 @@ Index: b/configure.ac
21=================================================================== 21===================================================================
22--- a/configure.ac 22--- a/configure.ac
23+++ b/configure.ac 23+++ b/configure.ac
24@@ -3801,6 +3801,30 @@ 24@@ -3841,6 +3841,30 @@
25 AC_SUBST([GSSLIBS]) 25 AC_SUBST([GSSLIBS])
26 AC_SUBST([K5LIBS]) 26 AC_SUBST([K5LIBS])
27 27
@@ -52,7 +52,7 @@ Index: b/configure.ac
52 # Looking for programs, paths and files 52 # Looking for programs, paths and files
53 53
54 PRIVSEP_PATH=/var/empty 54 PRIVSEP_PATH=/var/empty
55@@ -4600,6 +4624,7 @@ 55@@ -4641,6 +4665,7 @@
56 echo " libedit support: $LIBEDIT_MSG" 56 echo " libedit support: $LIBEDIT_MSG"
57 echo " Solaris process contract support: $SPC_MSG" 57 echo " Solaris process contract support: $SPC_MSG"
58 echo " Solaris project support: $SP_MSG" 58 echo " Solaris project support: $SP_MSG"
@@ -64,7 +64,7 @@ Index: b/configure
64=================================================================== 64===================================================================
65--- a/configure 65--- a/configure
66+++ b/configure 66+++ b/configure
67@@ -737,6 +737,7 @@ 67@@ -738,6 +738,7 @@
68 with_sandbox 68 with_sandbox
69 with_selinux 69 with_selinux
70 with_kerberos5 70 with_kerberos5
@@ -72,7 +72,7 @@ Index: b/configure
72 with_privsep_path 72 with_privsep_path
73 with_xauth 73 with_xauth
74 enable_strip 74 enable_strip
75@@ -1427,6 +1428,7 @@ 75@@ -1428,6 +1429,7 @@
76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) 76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
77 --with-selinux Enable SELinux support 77 --with-selinux Enable SELinux support
78 --with-kerberos5=PATH Enable Kerberos 5 support 78 --with-kerberos5=PATH Enable Kerberos 5 support
@@ -80,7 +80,7 @@ Index: b/configure
80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
81 --with-xauth=PATH Specify path to xauth program 81 --with-xauth=PATH Specify path to xauth program
82 --with-maildir=/path/to/mail Specify your system mail directory 82 --with-maildir=/path/to/mail Specify your system mail directory
83@@ -16002,6 +16004,135 @@ 83@@ -16375,6 +16377,135 @@
84 84
85 85
86 86
@@ -216,7 +216,7 @@ Index: b/configure
216 # Looking for programs, paths and files 216 # Looking for programs, paths and files
217 217
218 PRIVSEP_PATH=/var/empty 218 PRIVSEP_PATH=/var/empty
219@@ -18527,6 +18658,7 @@ 219@@ -18902,6 +19033,7 @@
220 echo " libedit support: $LIBEDIT_MSG" 220 echo " libedit support: $LIBEDIT_MSG"
221 echo " Solaris process contract support: $SPC_MSG" 221 echo " Solaris process contract support: $SPC_MSG"
222 echo " Solaris project support: $SP_MSG" 222 echo " Solaris project support: $SP_MSG"
@@ -502,17 +502,17 @@ Index: b/monitor.c
502=================================================================== 502===================================================================
503--- a/monitor.c 503--- a/monitor.c
504+++ b/monitor.c 504+++ b/monitor.c
505@@ -97,6 +97,9 @@ 505@@ -98,6 +98,9 @@
506 #include "ssh2.h"
507 #include "jpake.h" 506 #include "jpake.h"
508 #include "roaming.h" 507 #include "roaming.h"
508 #include "authfd.h"
509+#ifdef USE_CONSOLEKIT 509+#ifdef USE_CONSOLEKIT
510+#include "consolekit.h" 510+#include "consolekit.h"
511+#endif 511+#endif
512 512
513 #ifdef GSSAPI 513 #ifdef GSSAPI
514 static Gssctxt *gsscontext = NULL; 514 static Gssctxt *gsscontext = NULL;
515@@ -192,6 +195,10 @@ 515@@ -193,6 +196,10 @@
516 516
517 static int monitor_read_log(struct monitor *); 517 static int monitor_read_log(struct monitor *);
518 518
@@ -523,7 +523,7 @@ Index: b/monitor.c
523 static Authctxt *authctxt; 523 static Authctxt *authctxt;
524 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 524 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
525 525
526@@ -284,6 +291,9 @@ 526@@ -285,6 +292,9 @@
527 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 527 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
528 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 528 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
529 #endif 529 #endif
@@ -533,7 +533,7 @@ Index: b/monitor.c
533 {0, 0, NULL} 533 {0, 0, NULL}
534 }; 534 };
535 535
536@@ -326,6 +336,9 @@ 536@@ -327,6 +337,9 @@
537 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 537 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
538 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 538 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
539 #endif 539 #endif
@@ -553,7 +553,7 @@ Index: b/monitor.c
553 553
554 for (;;) 554 for (;;)
555 monitor_read(pmonitor, mon_dispatch, NULL); 555 monitor_read(pmonitor, mon_dispatch, NULL);
556@@ -2472,3 +2488,31 @@ 556@@ -2492,3 +2508,30 @@
557 } 557 }
558 558
559 #endif /* JPAKE */ 559 #endif /* JPAKE */
@@ -577,10 +577,9 @@ Index: b/monitor.c
577+ buffer_put_cstring(m, cookie != NULL ? cookie : ""); 577+ buffer_put_cstring(m, cookie != NULL ? cookie : "");
578+ mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m); 578+ mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
579+ 579+
580+ if (cookie != NULL) 580+ free(cookie);
581+ xfree(cookie); 581+ free(display);
582+ xfree(display); 582+ free(tty);
583+ xfree(tty);
584+ 583+
585+ return (0); 584+ return (0);
586+} 585+}
@@ -602,7 +601,7 @@ Index: b/monitor_wrap.c
602=================================================================== 601===================================================================
603--- a/monitor_wrap.c 602--- a/monitor_wrap.c
604+++ b/monitor_wrap.c 603+++ b/monitor_wrap.c
605@@ -1514,3 +1514,34 @@ 604@@ -1516,3 +1516,34 @@
606 return success; 605 return success;
607 } 606 }
608 #endif /* JPAKE */ 607 #endif /* JPAKE */
@@ -631,7 +630,7 @@ Index: b/monitor_wrap.c
631+ 630+
632+ /* treat empty cookie as missing cookie */ 631+ /* treat empty cookie as missing cookie */
633+ if (strlen(cookie) == 0) { 632+ if (strlen(cookie) == 0) {
634+ xfree(cookie); 633+ free(cookie);
635+ cookie = NULL; 634+ cookie = NULL;
636+ } 635+ }
637+ return (cookie); 636+ return (cookie);
@@ -654,7 +653,7 @@ Index: b/session.c
654=================================================================== 653===================================================================
655--- a/session.c 654--- a/session.c
656+++ b/session.c 655+++ b/session.c
657@@ -91,6 +91,7 @@ 656@@ -92,6 +92,7 @@
658 #include "kex.h" 657 #include "kex.h"
659 #include "monitor_wrap.h" 658 #include "monitor_wrap.h"
660 #include "sftp.h" 659 #include "sftp.h"
@@ -684,7 +683,7 @@ Index: b/session.c
684 #ifdef USE_PAM 683 #ifdef USE_PAM
685 /* 684 /*
686 * Pull in any environment variables that may have 685 * Pull in any environment variables that may have
687@@ -2308,6 +2317,10 @@ 686@@ -2320,6 +2329,10 @@
688 687
689 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 688 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
690 689
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index d96f2cc59..981cdd697 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -4,13 +4,13 @@ Description: Add DebianBanner server configuration option
4Author: Kees Cook <kees@debian.org> 4Author: Kees Cook <kees@debian.org>
5Bug-Debian: http://bugs.debian.org/562048 5Bug-Debian: http://bugs.debian.org/562048
6Forwarded: not-needed 6Forwarded: not-needed
7Last-Update: 2013-05-07 7Last-Update: 2013-09-14
8 8
9Index: b/servconf.c 9Index: b/servconf.c
10=================================================================== 10===================================================================
11--- a/servconf.c 11--- a/servconf.c
12+++ b/servconf.c 12+++ b/servconf.c
13@@ -150,6 +150,7 @@ 13@@ -157,6 +157,7 @@
14 options->ip_qos_interactive = -1; 14 options->ip_qos_interactive = -1;
15 options->ip_qos_bulk = -1; 15 options->ip_qos_bulk = -1;
16 options->version_addendum = NULL; 16 options->version_addendum = NULL;
@@ -18,7 +18,7 @@ Index: b/servconf.c
18 } 18 }
19 19
20 void 20 void
21@@ -299,6 +300,8 @@ 21@@ -310,6 +311,8 @@
22 options->ip_qos_bulk = IPTOS_THROUGHPUT; 22 options->ip_qos_bulk = IPTOS_THROUGHPUT;
23 if (options->version_addendum == NULL) 23 if (options->version_addendum == NULL)
24 options->version_addendum = xstrdup(""); 24 options->version_addendum = xstrdup("");
@@ -27,15 +27,15 @@ Index: b/servconf.c
27 /* Turn privilege separation on by default */ 27 /* Turn privilege separation on by default */
28 if (use_privsep == -1) 28 if (use_privsep == -1)
29 use_privsep = PRIVSEP_NOSANDBOX; 29 use_privsep = PRIVSEP_NOSANDBOX;
30@@ -349,6 +352,7 @@ 30@@ -360,6 +363,7 @@
31 sKexAlgorithms, sIPQoS, sVersionAddendum, 31 sKexAlgorithms, sIPQoS, sVersionAddendum,
32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
33 sAuthenticationMethods, 33 sAuthenticationMethods, sHostKeyAgent,
34+ sDebianBanner, 34+ sDebianBanner,
35 sDeprecated, sUnsupported 35 sDeprecated, sUnsupported
36 } ServerOpCodes; 36 } ServerOpCodes;
37 37
38@@ -488,6 +492,7 @@ 38@@ -501,6 +505,7 @@
39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -43,7 +43,7 @@ Index: b/servconf.c
43 { NULL, sBadOption, 0 } 43 { NULL, sBadOption, 0 }
44 }; 44 };
45 45
46@@ -1593,6 +1598,10 @@ 46@@ -1648,6 +1653,10 @@
47 } 47 }
48 return 0; 48 return 0;
49 49
@@ -58,7 +58,7 @@ Index: b/servconf.h
58=================================================================== 58===================================================================
59--- a/servconf.h 59--- a/servconf.h
60+++ b/servconf.h 60+++ b/servconf.h
61@@ -184,6 +184,8 @@ 61@@ -188,6 +188,8 @@
62 62
63 u_int num_auth_methods; 63 u_int num_auth_methods;
64 char *auth_methods[MAX_AUTH_METHODS]; 64 char *auth_methods[MAX_AUTH_METHODS];
@@ -71,7 +71,7 @@ Index: b/sshd.c
71=================================================================== 71===================================================================
72--- a/sshd.c 72--- a/sshd.c
73+++ b/sshd.c 73+++ b/sshd.c
74@@ -434,7 +434,8 @@ 74@@ -440,7 +440,8 @@
75 } 75 }
76 76
77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
85=================================================================== 85===================================================================
86--- a/sshd_config.5 86--- a/sshd_config.5
87+++ b/sshd_config.5 87+++ b/sshd_config.5
88@@ -397,6 +397,11 @@ 88@@ -404,6 +404,11 @@
89 .Dq no . 89 .Dq no .
90 The default is 90 The default is
91 .Dq delayed . 91 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 45a8364ca..d005bdc2e 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -18,13 +18,13 @@ Description: Various Debian-specific configuration changes
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Author: Russ Allbery <rra@debian.org> 19Author: Russ Allbery <rra@debian.org>
20Forwarded: not-needed 20Forwarded: not-needed
21Last-Update: 2013-05-16 21Last-Update: 2013-09-14
22 22
23Index: b/readconf.c 23Index: b/readconf.c
24=================================================================== 24===================================================================
25--- a/readconf.c 25--- a/readconf.c
26+++ b/readconf.c 26+++ b/readconf.c
27@@ -1288,7 +1288,7 @@ 27@@ -1298,7 +1298,7 @@
28 if (options->forward_x11 == -1) 28 if (options->forward_x11 == -1)
29 options->forward_x11 = 0; 29 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1) 30 if (options->forward_x11_trusted == -1)
@@ -49,10 +49,10 @@ Index: b/ssh_config
49 # RhostsRSAAuthentication no 49 # RhostsRSAAuthentication no
50 # RSAAuthentication yes 50 # RSAAuthentication yes
51 # PasswordAuthentication yes 51 # PasswordAuthentication yes
52@@ -47,3 +48,7 @@ 52@@ -48,3 +49,7 @@
53 # PermitLocalCommand no
54 # VisualHostKey no 53 # VisualHostKey no
55 # ProxyCommand ssh -q -W %h:%p gateway.example.com 54 # ProxyCommand ssh -q -W %h:%p gateway.example.com
55 # RekeyLimit 1G 1h
56+ SendEnv LANG LC_* 56+ SendEnv LANG LC_*
57+ HashKnownHosts yes 57+ HashKnownHosts yes
58+ GSSAPIAuthentication yes 58+ GSSAPIAuthentication yes
@@ -84,7 +84,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 84 The configuration file has the following format:
85 .Pp 85 .Pp
86 Empty lines and lines starting with 86 Empty lines and lines starting with
87@@ -502,7 +518,8 @@ 87@@ -501,7 +517,8 @@
88 Remote clients will be refused access after this time. 88 Remote clients will be refused access after this time.
89 .Pp 89 .Pp
90 The default is 90 The default is
@@ -98,7 +98,7 @@ Index: b/sshd_config
98=================================================================== 98===================================================================
99--- a/sshd_config 99--- a/sshd_config
100+++ b/sshd_config 100+++ b/sshd_config
101@@ -37,6 +37,7 @@ 101@@ -40,6 +40,7 @@
102 # Authentication: 102 # Authentication:
103 103
104 #LoginGraceTime 2m 104 #LoginGraceTime 2m
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 25201a7d4..4c197323c 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -2,13 +2,13 @@ Description: Document that HashKnownHosts may break tab-completion
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
4Bug-Debian: http://bugs.debian.org/430154 4Bug-Debian: http://bugs.debian.org/430154
5Last-Update: 2013-05-07 5Last-Update: 2013-09-14
6 6
7Index: b/ssh_config.5 7Index: b/ssh_config.5
8=================================================================== 8===================================================================
9--- a/ssh_config.5 9--- a/ssh_config.5
10+++ b/ssh_config.5 10+++ b/ssh_config.5
11@@ -588,6 +588,9 @@ 11@@ -587,6 +587,9 @@
12 will not be converted automatically, 12 will not be converted automatically,
13 but may be manually hashed using 13 but may be manually hashed using
14 .Xr ssh-keygen 1 . 14 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 5f35ac0c8..a471f9c4c 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,13 +1,13 @@
1Description: Refer to ssh's Upstart job as well as its init script 1Description: Refer to ssh's Upstart job as well as its init script
2Author: Colin Watson <cjwatson@ubuntu.com> 2Author: Colin Watson <cjwatson@ubuntu.com>
3Forwarded: not-needed 3Forwarded: not-needed
4Last-Update: 2012-11-26 4Last-Update: 2013-09-14
5 5
6Index: b/sshd.8 6Index: b/sshd.8
7=================================================================== 7===================================================================
8--- a/sshd.8 8--- a/sshd.8
9+++ b/sshd.8 9+++ b/sshd.8
10@@ -69,7 +69,10 @@ 10@@ -70,7 +70,10 @@
11 .Nm 11 .Nm
12 listens for connections from clients. 12 listens for connections from clients.
13 It is normally started at boot from 13 It is normally started at boot from
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 416e2f16c..85c6722f0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13 security history. 13 security history.
14Author: Simon Wilkinson <simon@sxw.org.uk> 14Author: Simon Wilkinson <simon@sxw.org.uk>
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2013-05-16 16Last-Updated: 2013-09-14
17 17
18Index: b/ChangeLog.gssapi 18Index: b/ChangeLog.gssapi
19=================================================================== 19===================================================================
@@ -158,7 +158,7 @@ Index: b/auth-krb5.c
158=================================================================== 158===================================================================
159--- a/auth-krb5.c 159--- a/auth-krb5.c
160+++ b/auth-krb5.c 160+++ b/auth-krb5.c
161@@ -170,8 +170,13 @@ 161@@ -181,8 +181,13 @@
162 162
163 len = strlen(authctxt->krb5_ticket_file) + 6; 163 len = strlen(authctxt->krb5_ticket_file) + 6;
164 authctxt->krb5_ccname = xmalloc(len); 164 authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +172,7 @@ Index: b/auth-krb5.c
172 172
173 #ifdef USE_PAM 173 #ifdef USE_PAM
174 if (options.use_pam) 174 if (options.use_pam)
175@@ -226,15 +231,22 @@ 175@@ -239,15 +244,22 @@
176 #ifndef HEIMDAL 176 #ifndef HEIMDAL
177 krb5_error_code 177 krb5_error_code
178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +197,7 @@ Index: b/auth-krb5.c
197 old_umask = umask(0177); 197 old_umask = umask(0177);
198 tmpfd = mkstemp(ccname + strlen("FILE:")); 198 tmpfd = mkstemp(ccname + strlen("FILE:"));
199 oerrno = errno; 199 oerrno = errno;
200@@ -251,6 +263,7 @@ 200@@ -264,6 +276,7 @@
201 return oerrno; 201 return oerrno;
202 } 202 }
203 close(tmpfd); 203 close(tmpfd);
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c
210--- a/auth2-gss.c 210--- a/auth2-gss.c
211+++ b/auth2-gss.c 211+++ b/auth2-gss.c
212@@ -1,7 +1,7 @@ 212@@ -1,7 +1,7 @@
213 /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ 213 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
214 214
215 /* 215 /*
216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 216- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -251,7 +251,7 @@ Index: b/auth2-gss.c
251+ authctxt->pw)); 251+ authctxt->pw));
252+ 252+
253+ buffer_free(&b); 253+ buffer_free(&b);
254+ xfree(mic.value); 254+ free(mic.value);
255+ 255+
256+ return (authenticated); 256+ return (authenticated);
257+} 257+}
@@ -259,7 +259,7 @@ Index: b/auth2-gss.c
259 /* 259 /*
260 * We only support those mechanisms that we know about (ie ones that we know 260 * We only support those mechanisms that we know about (ie ones that we know
261 * how to check local user kuserok and the like) 261 * how to check local user kuserok and the like)
262@@ -244,7 +278,8 @@ 262@@ -240,7 +274,8 @@
263 263
264 packet_check_eom(); 264 packet_check_eom();
265 265
@@ -269,7 +269,7 @@ Index: b/auth2-gss.c
269 269
270 authctxt->postponed = 0; 270 authctxt->postponed = 0;
271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
272@@ -279,7 +314,8 @@ 272@@ -275,7 +310,8 @@
273 gssbuf.length = buffer_len(&b); 273 gssbuf.length = buffer_len(&b);
274 274
275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +279,7 @@ Index: b/auth2-gss.c
279 else 279 else
280 logit("GSSAPI MIC check failed"); 280 logit("GSSAPI MIC check failed");
281 281
282@@ -294,6 +330,12 @@ 282@@ -290,6 +326,12 @@
283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
284 } 284 }
285 285
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327 /* import options */ 327 /* import options */
328 extern Options options; 328 extern Options options;
329 329
330@@ -1599,6 +1603,15 @@ 330@@ -1608,6 +1612,15 @@
331 /* Do channel operations unless rekeying in progress. */ 331 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 332 if (!rekeying) {
333 channel_after_select(readset, writeset); 333 channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347=================================================================== 347===================================================================
348--- a/config.h.in 348--- a/config.h.in
349+++ b/config.h.in 349+++ b/config.h.in
350@@ -1511,6 +1511,9 @@ 350@@ -1546,6 +1546,9 @@
351 /* Use btmp to log bad logins */ 351 /* Use btmp to log bad logins */
352 #undef USE_BTMP 352 #undef USE_BTMP
353 353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357 /* Use libedit for sftp */ 357 /* Use libedit for sftp */
358 #undef USE_LIBEDIT 358 #undef USE_LIBEDIT
359 359
360@@ -1526,6 +1529,9 @@ 360@@ -1561,6 +1564,9 @@
361 /* Use PIPES instead of a socketpair() */ 361 /* Use PIPES instead of a socketpair() */
362 #undef USE_PIPES 362 #undef USE_PIPES
363 363
@@ -371,7 +371,7 @@ Index: b/configure
371=================================================================== 371===================================================================
372--- a/configure 372--- a/configure
373+++ b/configure 373+++ b/configure
374@@ -6588,6 +6588,63 @@ 374@@ -6780,6 +6780,63 @@
375 375
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377 377
@@ -439,7 +439,7 @@ Index: b/configure.ac
439=================================================================== 439===================================================================
440--- a/configure.ac 440--- a/configure.ac
441+++ b/configure.ac 441+++ b/configure.ac
442@@ -533,6 +533,30 @@ 442@@ -548,6 +548,30 @@
443 [Use tunnel device compatibility to OpenBSD]) 443 [Use tunnel device compatibility to OpenBSD])
444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445 [Prepend the address family to IP tunnel traffic]) 445 [Prepend the address family to IP tunnel traffic])
@@ -475,7 +475,7 @@ Index: b/gss-genr.c
475--- a/gss-genr.c 475--- a/gss-genr.c
476+++ b/gss-genr.c 476+++ b/gss-genr.c
477@@ -1,7 +1,7 @@ 477@@ -1,7 +1,7 @@
478 /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ 478 /* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
479 479
480 /* 480 /*
481- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 481- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -549,8 +549,8 @@ Index: b/gss-genr.c
549+ 549+
550+ if (gss_enc2oid != NULL) { 550+ if (gss_enc2oid != NULL) {
551+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) 551+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
552+ xfree(gss_enc2oid[i].encoded); 552+ free(gss_enc2oid[i].encoded);
553+ xfree(gss_enc2oid); 553+ free(gss_enc2oid);
554+ } 554+ }
555+ 555+
556+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * 556+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@@ -607,7 +607,7 @@ Index: b/gss-genr.c
607+ buffer_free(&buf); 607+ buffer_free(&buf);
608+ 608+
609+ if (strlen(mechs) == 0) { 609+ if (strlen(mechs) == 0) {
610+ xfree(mechs); 610+ free(mechs);
611+ mechs = NULL; 611+ mechs = NULL;
612+ } 612+ }
613+ 613+
@@ -826,7 +826,7 @@ Index: b/gss-serv-krb5.c
826--- a/gss-serv-krb5.c 826--- a/gss-serv-krb5.c
827+++ b/gss-serv-krb5.c 827+++ b/gss-serv-krb5.c
828@@ -1,7 +1,7 @@ 828@@ -1,7 +1,7 @@
829 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 829 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
830 830
831 /* 831 /*
832- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 832- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -834,15 +834,15 @@ Index: b/gss-serv-krb5.c
834 * 834 *
835 * Redistribution and use in source and binary forms, with or without 835 * Redistribution and use in source and binary forms, with or without
836 * modification, are permitted provided that the following conditions 836 * modification, are permitted provided that the following conditions
837@@ -120,6 +120,7 @@ 837@@ -122,6 +122,7 @@
838 krb5_principal princ;
839 OM_uint32 maj_status, min_status; 838 OM_uint32 maj_status, min_status;
840 int len; 839 int len;
840 const char *errmsg;
841+ const char *new_ccname; 841+ const char *new_ccname;
842 842
843 if (client->creds == NULL) { 843 if (client->creds == NULL) {
844 debug("No credentials stored"); 844 debug("No credentials stored");
845@@ -168,11 +169,16 @@ 845@@ -174,11 +175,16 @@
846 return; 846 return;
847 } 847 }
848 848
@@ -863,7 +863,7 @@ Index: b/gss-serv-krb5.c
863 863
864 #ifdef USE_PAM 864 #ifdef USE_PAM
865 if (options.use_pam) 865 if (options.use_pam)
866@@ -184,6 +190,71 @@ 866@@ -190,6 +196,71 @@
867 return; 867 return;
868 } 868 }
869 869
@@ -935,7 +935,7 @@ Index: b/gss-serv-krb5.c
935 ssh_gssapi_mech gssapi_kerberos_mech = { 935 ssh_gssapi_mech gssapi_kerberos_mech = {
936 "toWM5Slw5Ew8Mqkay+al2g==", 936 "toWM5Slw5Ew8Mqkay+al2g==",
937 "Kerberos", 937 "Kerberos",
938@@ -191,7 +262,8 @@ 938@@ -197,7 +268,8 @@
939 NULL, 939 NULL,
940 &ssh_gssapi_krb5_userok, 940 &ssh_gssapi_krb5_userok,
941 NULL, 941 NULL,
@@ -950,7 +950,7 @@ Index: b/gss-serv.c
950--- a/gss-serv.c 950--- a/gss-serv.c
951+++ b/gss-serv.c 951+++ b/gss-serv.c
952@@ -1,7 +1,7 @@ 952@@ -1,7 +1,7 @@
953 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ 953 /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
954 954
955 /* 955 /*
956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 956- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -958,7 +958,7 @@ Index: b/gss-serv.c
958 * 958 *
959 * Redistribution and use in source and binary forms, with or without 959 * Redistribution and use in source and binary forms, with or without
960 * modification, are permitted provided that the following conditions 960 * modification, are permitted provided that the following conditions
961@@ -45,15 +45,20 @@ 961@@ -45,15 +45,21 @@
962 #include "channels.h" 962 #include "channels.h"
963 #include "session.h" 963 #include "session.h"
964 #include "misc.h" 964 #include "misc.h"
@@ -972,8 +972,9 @@ Index: b/gss-serv.c
972 972
973 static ssh_gssapi_client gssapi_client = 973 static ssh_gssapi_client gssapi_client =
974 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 974 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
975- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; 975- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
976+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; 976+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
977+ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
977 978
978 ssh_gssapi_mech gssapi_null_mech = 979 ssh_gssapi_mech gssapi_null_mech =
979- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; 980- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@@ -981,7 +982,7 @@ Index: b/gss-serv.c
981 982
982 #ifdef KRB5 983 #ifdef KRB5
983 extern ssh_gssapi_mech gssapi_kerberos_mech; 984 extern ssh_gssapi_mech gssapi_kerberos_mech;
984@@ -81,25 +86,32 @@ 985@@ -81,25 +87,32 @@
985 char lname[MAXHOSTNAMELEN]; 986 char lname[MAXHOSTNAMELEN];
986 gss_OID_set oidset; 987 gss_OID_set oidset;
987 988
@@ -1028,7 +1029,7 @@ Index: b/gss-serv.c
1028 } 1029 }
1029 1030
1030 /* Privileged */ 1031 /* Privileged */
1031@@ -114,6 +126,29 @@ 1032@@ -114,6 +127,29 @@
1032 } 1033 }
1033 1034
1034 /* Unprivileged */ 1035 /* Unprivileged */
@@ -1058,7 +1059,7 @@ Index: b/gss-serv.c
1058 void 1059 void
1059 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1060 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1060 { 1061 {
1061@@ -123,7 +158,9 @@ 1062@@ -123,7 +159,9 @@
1062 gss_OID_set supported; 1063 gss_OID_set supported;
1063 1064
1064 gss_create_empty_oid_set(&min_status, oidset); 1065 gss_create_empty_oid_set(&min_status, oidset);
@@ -1069,7 +1070,7 @@ Index: b/gss-serv.c
1069 1070
1070 while (supported_mechs[i]->name != NULL) { 1071 while (supported_mechs[i]->name != NULL) {
1071 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1072 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1072@@ -249,8 +286,48 @@ 1073@@ -249,8 +287,48 @@
1073 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1074 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1074 { 1075 {
1075 int i = 0; 1076 int i = 0;
@@ -1119,7 +1120,7 @@ Index: b/gss-serv.c
1119 1120
1120 client->mech = NULL; 1121 client->mech = NULL;
1121 1122
1122@@ -265,6 +342,13 @@ 1123@@ -265,6 +343,13 @@
1123 if (client->mech == NULL) 1124 if (client->mech == NULL)
1124 return GSS_S_FAILURE; 1125 return GSS_S_FAILURE;
1125 1126
@@ -1133,7 +1134,7 @@ Index: b/gss-serv.c
1133 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1134 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1134 &client->displayname, NULL))) { 1135 &client->displayname, NULL))) {
1135 ssh_gssapi_error(ctx); 1136 ssh_gssapi_error(ctx);
1136@@ -282,6 +366,8 @@ 1137@@ -282,6 +367,8 @@
1137 return (ctx->major); 1138 return (ctx->major);
1138 } 1139 }
1139 1140
@@ -1142,7 +1143,7 @@ Index: b/gss-serv.c
1142 /* We can't copy this structure, so we just move the pointer to it */ 1143 /* We can't copy this structure, so we just move the pointer to it */
1143 client->creds = ctx->client_creds; 1144 client->creds = ctx->client_creds;
1144 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1145 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1145@@ -329,7 +415,7 @@ 1146@@ -329,7 +416,7 @@
1146 1147
1147 /* Privileged */ 1148 /* Privileged */
1148 int 1149 int
@@ -1151,7 +1152,7 @@ Index: b/gss-serv.c
1151 { 1152 {
1152 OM_uint32 lmin; 1153 OM_uint32 lmin;
1153 1154
1154@@ -339,9 +425,11 @@ 1155@@ -339,9 +426,11 @@
1155 return 0; 1156 return 0;
1156 } 1157 }
1157 if (gssapi_client.mech && gssapi_client.mech->userok) 1158 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1165,7 +1166,7 @@ Index: b/gss-serv.c
1165 /* Destroy delegated credentials if userok fails */ 1166 /* Destroy delegated credentials if userok fails */
1166 gss_release_buffer(&lmin, &gssapi_client.displayname); 1167 gss_release_buffer(&lmin, &gssapi_client.displayname);
1167 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1168 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1168@@ -354,14 +442,90 @@ 1169@@ -354,14 +443,90 @@
1169 return (0); 1170 return (0);
1170 } 1171 }
1171 1172
@@ -1277,32 +1278,37 @@ Index: b/kex.c
1277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1278 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1278 # if defined(HAVE_EVP_SHA256) 1279 # if defined(HAVE_EVP_SHA256)
1279 # define evp_ssh_sha256 EVP_sha256 1280 # define evp_ssh_sha256 EVP_sha256
1280@@ -369,6 +373,20 @@ 1281@@ -82,6 +86,14 @@
1281 k->kex_type = KEX_ECDH_SHA2;
1282 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
1283 #endif 1282 #endif
1283 { NULL, -1, -1, NULL},
1284 };
1285+static const struct kexalg kexalg_prefixes[] = {
1284+#ifdef GSSAPI 1286+#ifdef GSSAPI
1285+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, 1287+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
1286+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { 1288+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
1287+ k->kex_type = KEX_GSS_GEX_SHA1; 1289+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
1288+ k->evp_md = EVP_sha1();
1289+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
1290+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
1291+ k->kex_type = KEX_GSS_GRP1_SHA1;
1292+ k->evp_md = EVP_sha1();
1293+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
1294+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
1295+ k->kex_type = KEX_GSS_GRP14_SHA1;
1296+ k->evp_md = EVP_sha1();
1297+#endif 1290+#endif
1298 } else 1291+ { NULL, -1, -1, NULL },
1299 fatal("bad kex alg %s", k->name); 1292+};
1293
1294 char *
1295 kex_alg_list(void)
1296@@ -110,6 +122,10 @@
1297 if (strcmp(k->name, name) == 0)
1298 return k;
1299 }
1300+ for (k = kexalg_prefixes; k->name != NULL; k++) {
1301+ if (strncmp(k->name, name, strlen(k->name)) == 0)
1302+ return k;
1303+ }
1304 return NULL;
1300 } 1305 }
1306
1301Index: b/kex.h 1307Index: b/kex.h
1302=================================================================== 1308===================================================================
1303--- a/kex.h 1309--- a/kex.h
1304+++ b/kex.h 1310+++ b/kex.h
1305@@ -73,6 +73,9 @@ 1311@@ -74,6 +74,9 @@
1306 KEX_DH_GEX_SHA1, 1312 KEX_DH_GEX_SHA1,
1307 KEX_DH_GEX_SHA256, 1313 KEX_DH_GEX_SHA256,
1308 KEX_ECDH_SHA2, 1314 KEX_ECDH_SHA2,
@@ -1312,10 +1318,10 @@ Index: b/kex.h
1312 KEX_MAX 1318 KEX_MAX
1313 }; 1319 };
1314 1320
1315@@ -131,6 +134,12 @@ 1321@@ -133,6 +136,12 @@
1316 sig_atomic_t done;
1317 int flags; 1322 int flags;
1318 const EVP_MD *evp_md; 1323 const EVP_MD *evp_md;
1324 int ec_nid;
1319+#ifdef GSSAPI 1325+#ifdef GSSAPI
1320+ int gss_deleg_creds; 1326+ int gss_deleg_creds;
1321+ int gss_trust_dns; 1327+ int gss_trust_dns;
@@ -1325,7 +1331,7 @@ Index: b/kex.h
1325 char *client_version_string; 1331 char *client_version_string;
1326 char *server_version_string; 1332 char *server_version_string;
1327 int (*verify_host_key)(Key *); 1333 int (*verify_host_key)(Key *);
1328@@ -158,6 +167,11 @@ 1334@@ -162,6 +171,11 @@
1329 void kexecdh_client(Kex *); 1335 void kexecdh_client(Kex *);
1330 void kexecdh_server(Kex *); 1336 void kexecdh_server(Kex *);
1331 1337
@@ -1341,7 +1347,7 @@ Index: b/kexgssc.c
1341=================================================================== 1347===================================================================
1342--- /dev/null 1348--- /dev/null
1343+++ b/kexgssc.c 1349+++ b/kexgssc.c
1344@@ -0,0 +1,334 @@ 1350@@ -0,0 +1,333 @@
1345+/* 1351+/*
1346+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1352+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1347+ * 1353+ *
@@ -1488,7 +1494,7 @@ Index: b/kexgssc.c
1488+ 1494+
1489+ /* If we've got an old receive buffer get rid of it */ 1495+ /* If we've got an old receive buffer get rid of it */
1490+ if (token_ptr != GSS_C_NO_BUFFER) 1496+ if (token_ptr != GSS_C_NO_BUFFER)
1491+ xfree(recv_tok.value); 1497+ free(recv_tok.value);
1492+ 1498+
1493+ if (maj_status == GSS_S_COMPLETE) { 1499+ if (maj_status == GSS_S_COMPLETE) {
1494+ /* If mutual state flag is not true, kex fails */ 1500+ /* If mutual state flag is not true, kex fails */
@@ -1605,7 +1611,7 @@ Index: b/kexgssc.c
1605+ fatal("kexdh_client: BN_bin2bn failed"); 1611+ fatal("kexdh_client: BN_bin2bn failed");
1606+ 1612+
1607+ memset(kbuf, 0, klen); 1613+ memset(kbuf, 0, klen);
1608+ xfree(kbuf); 1614+ free(kbuf);
1609+ 1615+
1610+ switch (kex->kex_type) { 1616+ switch (kex->kex_type) {
1611+ case KEX_GSS_GRP1_SHA1: 1617+ case KEX_GSS_GRP1_SHA1:
@@ -1648,11 +1654,10 @@ Index: b/kexgssc.c
1648+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) 1654+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
1649+ packet_disconnect("Hash's MIC didn't verify"); 1655+ packet_disconnect("Hash's MIC didn't verify");
1650+ 1656+
1651+ xfree(msg_tok.value); 1657+ free(msg_tok.value);
1652+ 1658+
1653+ DH_free(dh); 1659+ DH_free(dh);
1654+ if (serverhostkey) 1660+ free(serverhostkey);
1655+ xfree(serverhostkey);
1656+ BN_clear_free(dh_server_pub); 1661+ BN_clear_free(dh_server_pub);
1657+ 1662+
1658+ /* save session id */ 1663+ /* save session id */
@@ -1680,7 +1685,7 @@ Index: b/kexgsss.c
1680=================================================================== 1685===================================================================
1681--- /dev/null 1686--- /dev/null
1682+++ b/kexgsss.c 1687+++ b/kexgsss.c
1683@@ -0,0 +1,288 @@ 1688@@ -0,0 +1,289 @@
1684+/* 1689+/*
1685+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1690+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1686+ * 1691+ *
@@ -1761,9 +1766,10 @@ Index: b/kexgsss.c
1761+ * in the GSSAPI code are no longer available. This kludges them back 1766+ * in the GSSAPI code are no longer available. This kludges them back
1762+ * into life 1767+ * into life
1763+ */ 1768+ */
1764+ if (!ssh_gssapi_oid_table_ok()) 1769+ if (!ssh_gssapi_oid_table_ok()) {
1765+ if ((mechs = ssh_gssapi_server_mechanisms())) 1770+ mechs = ssh_gssapi_server_mechanisms();
1766+ xfree(mechs); 1771+ free(mechs);
1772+ }
1767+ 1773+
1768+ debug2("%s: Identifying %s", __func__, kex->name); 1774+ debug2("%s: Identifying %s", __func__, kex->name);
1769+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); 1775+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@@ -1841,7 +1847,7 @@ Index: b/kexgsss.c
1841+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 1847+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
1842+ &send_tok, &ret_flags)); 1848+ &send_tok, &ret_flags));
1843+ 1849+
1844+ xfree(recv_tok.value); 1850+ free(recv_tok.value);
1845+ 1851+
1846+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) 1852+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
1847+ fatal("Zero length token output when incomplete"); 1853+ fatal("Zero length token output when incomplete");
@@ -1890,7 +1896,7 @@ Index: b/kexgsss.c
1890+ fatal("kexgss_server: BN_bin2bn failed"); 1896+ fatal("kexgss_server: BN_bin2bn failed");
1891+ 1897+
1892+ memset(kbuf, 0, klen); 1898+ memset(kbuf, 0, klen);
1893+ xfree(kbuf); 1899+ free(kbuf);
1894+ 1900+
1895+ switch (kex->kex_type) { 1901+ switch (kex->kex_type) {
1896+ case KEX_GSS_GRP1_SHA1: 1902+ case KEX_GSS_GRP1_SHA1:
@@ -1973,24 +1979,14 @@ Index: b/key.c
1973=================================================================== 1979===================================================================
1974--- a/key.c 1980--- a/key.c
1975+++ b/key.c 1981+++ b/key.c
1976@@ -976,6 +976,8 @@ 1982@@ -933,6 +933,7 @@
1977 } 1983 KEY_RSA_CERT_V00, 0, 1 },
1978 break; 1984 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
1979 #endif /* OPENSSL_HAS_ECC */ 1985 KEY_DSA_CERT_V00, 0, 1 },
1980+ case KEY_NULL: 1986+ { "null", "null", KEY_NULL, 0, 0 },
1981+ return "null"; 1987 { NULL, NULL, -1, -1, 0 }
1982 } 1988 };
1983 return "ssh-unknown";
1984 }
1985@@ -1281,6 +1283,8 @@
1986 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1987 return KEY_ECDSA_CERT;
1988 #endif
1989+ } else if (strcmp(name, "null") == 0) {
1990+ return KEY_NULL;
1991 }
1992 1989
1993 debug2("key_type_from_name: unknown key type '%s'", name);
1994Index: b/key.h 1990Index: b/key.h
1995=================================================================== 1991===================================================================
1996--- a/key.h 1992--- a/key.h
@@ -2007,7 +2003,7 @@ Index: b/monitor.c
2007=================================================================== 2003===================================================================
2008--- a/monitor.c 2004--- a/monitor.c
2009+++ b/monitor.c 2005+++ b/monitor.c
2010@@ -180,6 +180,8 @@ 2006@@ -181,6 +181,8 @@
2011 int mm_answer_gss_accept_ctx(int, Buffer *); 2007 int mm_answer_gss_accept_ctx(int, Buffer *);
2012 int mm_answer_gss_userok(int, Buffer *); 2008 int mm_answer_gss_userok(int, Buffer *);
2013 int mm_answer_gss_checkmic(int, Buffer *); 2009 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2016,7 +2012,7 @@ Index: b/monitor.c
2016 #endif 2012 #endif
2017 2013
2018 #ifdef SSH_AUDIT_EVENTS 2014 #ifdef SSH_AUDIT_EVENTS
2019@@ -252,6 +254,7 @@ 2015@@ -253,6 +255,7 @@
2020 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2016 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2021 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2017 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2022 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2018 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2024,7 +2020,7 @@ Index: b/monitor.c
2024 #endif 2020 #endif
2025 #ifdef JPAKE 2021 #ifdef JPAKE
2026 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2022 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2027@@ -264,6 +267,12 @@ 2023@@ -265,6 +268,12 @@
2028 }; 2024 };
2029 2025
2030 struct mon_table mon_dispatch_postauth20[] = { 2026 struct mon_table mon_dispatch_postauth20[] = {
@@ -2037,7 +2033,7 @@ Index: b/monitor.c
2037 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2033 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2038 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2034 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2039 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2035 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2040@@ -372,6 +381,10 @@ 2036@@ -373,6 +382,10 @@
2041 /* Permit requests for moduli and signatures */ 2037 /* Permit requests for moduli and signatures */
2042 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2038 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2043 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2039 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2059,7 +2055,7 @@ Index: b/monitor.c
2059 } else { 2055 } else {
2060 mon_dispatch = mon_dispatch_postauth15; 2056 mon_dispatch = mon_dispatch_postauth15;
2061 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2057 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062@@ -1836,6 +1853,13 @@ 2058@@ -1855,6 +1872,13 @@
2063 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2059 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2060 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2061 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2069,7 @@ Index: b/monitor.c
2073 kex->server = 1; 2069 kex->server = 1;
2074 kex->hostkey_type = buffer_get_int(m); 2070 kex->hostkey_type = buffer_get_int(m);
2075 kex->kex_type = buffer_get_int(m); 2071 kex->kex_type = buffer_get_int(m);
2076@@ -2042,6 +2066,9 @@ 2072@@ -2062,6 +2086,9 @@
2077 OM_uint32 major; 2073 OM_uint32 major;
2078 u_int len; 2074 u_int len;
2079 2075
@@ -2083,7 +2079,7 @@ Index: b/monitor.c
2083 goid.elements = buffer_get_string(m, &len); 2079 goid.elements = buffer_get_string(m, &len);
2084 goid.length = len; 2080 goid.length = len;
2085 2081
2086@@ -2069,6 +2096,9 @@ 2082@@ -2089,6 +2116,9 @@
2087 OM_uint32 flags = 0; /* GSI needs this */ 2083 OM_uint32 flags = 0; /* GSI needs this */
2088 u_int len; 2084 u_int len;
2089 2085
@@ -2093,7 +2089,7 @@ Index: b/monitor.c
2093 in.value = buffer_get_string(m, &len); 2089 in.value = buffer_get_string(m, &len);
2094 in.length = len; 2090 in.length = len;
2095 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2091 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096@@ -2086,6 +2116,7 @@ 2092@@ -2106,6 +2136,7 @@
2097 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2093 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2094 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2095 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2097,7 @@ Index: b/monitor.c
2101 } 2097 }
2102 return (0); 2098 return (0);
2103 } 2099 }
2104@@ -2097,6 +2128,9 @@ 2100@@ -2117,6 +2148,9 @@
2105 OM_uint32 ret; 2101 OM_uint32 ret;
2106 u_int len; 2102 u_int len;
2107 2103
@@ -2111,7 +2107,7 @@ Index: b/monitor.c
2111 gssbuf.value = buffer_get_string(m, &len); 2107 gssbuf.value = buffer_get_string(m, &len);
2112 gssbuf.length = len; 2108 gssbuf.length = len;
2113 mic.value = buffer_get_string(m, &len); 2109 mic.value = buffer_get_string(m, &len);
2114@@ -2123,7 +2157,11 @@ 2110@@ -2143,7 +2177,11 @@
2115 { 2111 {
2116 int authenticated; 2112 int authenticated;
2117 2113
@@ -2124,7 +2120,7 @@ Index: b/monitor.c
2124 2120
2125 buffer_clear(m); 2121 buffer_clear(m);
2126 buffer_put_int(m, authenticated); 2122 buffer_put_int(m, authenticated);
2127@@ -2136,6 +2174,74 @@ 2123@@ -2156,6 +2194,74 @@
2128 /* Monitor loop will terminate if authenticated */ 2124 /* Monitor loop will terminate if authenticated */
2129 return (authenticated); 2125 return (authenticated);
2130 } 2126 }
@@ -2154,7 +2150,7 @@ Index: b/monitor.c
2154+ } 2150+ }
2155+ major = ssh_gssapi_sign(gsscontext, &data, &hash); 2151+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
2156+ 2152+
2157+ xfree(data.value); 2153+ free(data.value);
2158+ 2154+
2159+ buffer_clear(m); 2155+ buffer_clear(m);
2160+ buffer_put_int(m, major); 2156+ buffer_put_int(m, major);
@@ -2184,9 +2180,9 @@ Index: b/monitor.c
2184+ 2180+
2185+ ok = ssh_gssapi_update_creds(&store); 2181+ ok = ssh_gssapi_update_creds(&store);
2186+ 2182+
2187+ xfree(store.filename); 2183+ free(store.filename);
2188+ xfree(store.envvar); 2184+ free(store.envvar);
2189+ xfree(store.envval); 2185+ free(store.envval);
2190+ 2186+
2191+ buffer_clear(m); 2187+ buffer_clear(m);
2192+ buffer_put_int(m, ok); 2188+ buffer_put_int(m, ok);
@@ -2217,7 +2213,7 @@ Index: b/monitor_wrap.c
2217=================================================================== 2213===================================================================
2218--- a/monitor_wrap.c 2214--- a/monitor_wrap.c
2219+++ b/monitor_wrap.c 2215+++ b/monitor_wrap.c
2220@@ -1271,7 +1271,7 @@ 2216@@ -1273,7 +1273,7 @@
2221 } 2217 }
2222 2218
2223 int 2219 int
@@ -2226,7 +2222,7 @@ Index: b/monitor_wrap.c
2226 { 2222 {
2227 Buffer m; 2223 Buffer m;
2228 int authenticated = 0; 2224 int authenticated = 0;
2229@@ -1288,6 +1288,51 @@ 2225@@ -1290,6 +1290,51 @@
2230 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2226 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2231 return (authenticated); 2227 return (authenticated);
2232 } 2228 }
@@ -2298,7 +2294,7 @@ Index: b/readconf.c
2298=================================================================== 2294===================================================================
2299--- a/readconf.c 2295--- a/readconf.c
2300+++ b/readconf.c 2296+++ b/readconf.c
2301@@ -129,6 +129,8 @@ 2297@@ -132,6 +132,8 @@
2302 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2298 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2303 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2299 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2304 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2300 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2307,7 +2303,7 @@ Index: b/readconf.c
2307 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2303 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2308 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2304 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2309 oHashKnownHosts, 2305 oHashKnownHosts,
2310@@ -169,10 +171,19 @@ 2306@@ -172,10 +174,19 @@
2311 { "afstokenpassing", oUnsupported }, 2307 { "afstokenpassing", oUnsupported },
2312 #if defined(GSSAPI) 2308 #if defined(GSSAPI)
2313 { "gssapiauthentication", oGssAuthentication }, 2309 { "gssapiauthentication", oGssAuthentication },
@@ -2327,7 +2323,7 @@ Index: b/readconf.c
2327 #endif 2323 #endif
2328 { "fallbacktorsh", oDeprecated }, 2324 { "fallbacktorsh", oDeprecated },
2329 { "usersh", oDeprecated }, 2325 { "usersh", oDeprecated },
2330@@ -503,10 +514,30 @@ 2326@@ -516,10 +527,30 @@
2331 intptr = &options->gss_authentication; 2327 intptr = &options->gss_authentication;
2332 goto parse_flag; 2328 goto parse_flag;
2333 2329
@@ -2358,7 +2354,7 @@ Index: b/readconf.c
2358 case oBatchMode: 2354 case oBatchMode:
2359 intptr = &options->batch_mode; 2355 intptr = &options->batch_mode;
2360 goto parse_flag; 2356 goto parse_flag;
2361@@ -1158,7 +1189,12 @@ 2357@@ -1168,7 +1199,12 @@
2362 options->pubkey_authentication = -1; 2358 options->pubkey_authentication = -1;
2363 options->challenge_response_authentication = -1; 2359 options->challenge_response_authentication = -1;
2364 options->gss_authentication = -1; 2360 options->gss_authentication = -1;
@@ -2371,7 +2367,7 @@ Index: b/readconf.c
2371 options->password_authentication = -1; 2367 options->password_authentication = -1;
2372 options->kbd_interactive_authentication = -1; 2368 options->kbd_interactive_authentication = -1;
2373 options->kbd_interactive_devices = NULL; 2369 options->kbd_interactive_devices = NULL;
2374@@ -1258,8 +1294,14 @@ 2370@@ -1268,8 +1304,14 @@
2375 options->challenge_response_authentication = 1; 2371 options->challenge_response_authentication = 1;
2376 if (options->gss_authentication == -1) 2372 if (options->gss_authentication == -1)
2377 options->gss_authentication = 0; 2373 options->gss_authentication = 0;
@@ -2407,7 +2403,7 @@ Index: b/servconf.c
2407=================================================================== 2403===================================================================
2408--- a/servconf.c 2404--- a/servconf.c
2409+++ b/servconf.c 2405+++ b/servconf.c
2410@@ -102,7 +102,10 @@ 2406@@ -107,7 +107,10 @@
2411 options->kerberos_ticket_cleanup = -1; 2407 options->kerberos_ticket_cleanup = -1;
2412 options->kerberos_get_afs_token = -1; 2408 options->kerberos_get_afs_token = -1;
2413 options->gss_authentication=-1; 2409 options->gss_authentication=-1;
@@ -2418,7 +2414,7 @@ Index: b/servconf.c
2418 options->password_authentication = -1; 2414 options->password_authentication = -1;
2419 options->kbd_interactive_authentication = -1; 2415 options->kbd_interactive_authentication = -1;
2420 options->challenge_response_authentication = -1; 2416 options->challenge_response_authentication = -1;
2421@@ -233,8 +236,14 @@ 2417@@ -240,8 +243,14 @@
2422 options->kerberos_get_afs_token = 0; 2418 options->kerberos_get_afs_token = 0;
2423 if (options->gss_authentication == -1) 2419 if (options->gss_authentication == -1)
2424 options->gss_authentication = 0; 2420 options->gss_authentication = 0;
@@ -2433,7 +2429,7 @@ Index: b/servconf.c
2433 if (options->password_authentication == -1) 2429 if (options->password_authentication == -1)
2434 options->password_authentication = 1; 2430 options->password_authentication = 1;
2435 if (options->kbd_interactive_authentication == -1) 2431 if (options->kbd_interactive_authentication == -1)
2436@@ -327,7 +336,9 @@ 2432@@ -338,7 +347,9 @@
2437 sBanner, sUseDNS, sHostbasedAuthentication, 2433 sBanner, sUseDNS, sHostbasedAuthentication,
2438 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2434 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2439 sClientAliveCountMax, sAuthorizedKeysFile, 2435 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2444,7 +2440,7 @@ Index: b/servconf.c
2444 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2440 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2445 sUsePrivilegeSeparation, sAllowAgentForwarding, 2441 sUsePrivilegeSeparation, sAllowAgentForwarding,
2446 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2442 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2447@@ -393,10 +404,20 @@ 2443@@ -405,10 +416,20 @@
2448 #ifdef GSSAPI 2444 #ifdef GSSAPI
2449 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2445 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2450 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2446 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2465,7 +2461,7 @@ Index: b/servconf.c
2465 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2461 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2466 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2462 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2467 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2463 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2468@@ -1049,10 +1070,22 @@ 2464@@ -1073,10 +1094,22 @@
2469 intptr = &options->gss_authentication; 2465 intptr = &options->gss_authentication;
2470 goto parse_flag; 2466 goto parse_flag;
2471 2467
@@ -2488,7 +2484,7 @@ Index: b/servconf.c
2488 case sPasswordAuthentication: 2484 case sPasswordAuthentication:
2489 intptr = &options->password_authentication; 2485 intptr = &options->password_authentication;
2490 goto parse_flag; 2486 goto parse_flag;
2491@@ -1927,7 +1960,10 @@ 2487@@ -1983,7 +2016,10 @@
2492 #endif 2488 #endif
2493 #ifdef GSSAPI 2489 #ifdef GSSAPI
2494 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2490 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2503,7 +2499,7 @@ Index: b/servconf.h
2503=================================================================== 2499===================================================================
2504--- a/servconf.h 2500--- a/servconf.h
2505+++ b/servconf.h 2501+++ b/servconf.h
2506@@ -110,7 +110,10 @@ 2502@@ -111,7 +111,10 @@
2507 int kerberos_get_afs_token; /* If true, try to get AFS token if 2503 int kerberos_get_afs_token; /* If true, try to get AFS token if
2508 * authenticated with Kerberos. */ 2504 * authenticated with Kerberos. */
2509 int gss_authentication; /* If true, permit GSSAPI authentication */ 2505 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2632,7 +2628,7 @@ Index: b/ssh_config.5
2632=================================================================== 2628===================================================================
2633--- a/ssh_config.5 2629--- a/ssh_config.5
2634+++ b/ssh_config.5 2630+++ b/ssh_config.5
2635@@ -530,11 +530,43 @@ 2631@@ -529,11 +529,43 @@
2636 The default is 2632 The default is
2637 .Dq no . 2633 .Dq no .
2638 Note that this option applies to protocol version 2 only. 2634 Note that this option applies to protocol version 2 only.
@@ -2727,14 +2723,14 @@ Index: b/sshconnect2.c
2727+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; 2723+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
2728+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 2724+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
2729+ "%s,null", orig); 2725+ "%s,null", orig);
2730+ xfree(gss); 2726+ free(gss);
2731+ } 2727+ }
2732+#endif 2728+#endif
2733+ 2729+
2734 if (options.rekey_limit) 2730 if (options.rekey_limit || options.rekey_interval)
2735 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 2731 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2736 2732 (time_t)options.rekey_interval);
2737@@ -207,10 +243,30 @@ 2733@@ -208,10 +244,30 @@
2738 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2734 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2739 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2735 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2740 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2736 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2765,7 +2761,7 @@ Index: b/sshconnect2.c
2765 xxx_kex = kex; 2761 xxx_kex = kex;
2766 2762
2767 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2763 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2768@@ -306,6 +362,7 @@ 2764@@ -307,6 +363,7 @@
2769 void input_gssapi_hash(int type, u_int32_t, void *); 2765 void input_gssapi_hash(int type, u_int32_t, void *);
2770 void input_gssapi_error(int, u_int32_t, void *); 2766 void input_gssapi_error(int, u_int32_t, void *);
2771 void input_gssapi_errtok(int, u_int32_t, void *); 2767 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2773,7 +2769,7 @@ Index: b/sshconnect2.c
2773 #endif 2769 #endif
2774 2770
2775 void userauth(Authctxt *, char *); 2771 void userauth(Authctxt *, char *);
2776@@ -321,6 +378,11 @@ 2772@@ -322,6 +379,11 @@
2777 2773
2778 Authmethod authmethods[] = { 2774 Authmethod authmethods[] = {
2779 #ifdef GSSAPI 2775 #ifdef GSSAPI
@@ -2785,7 +2781,7 @@ Index: b/sshconnect2.c
2785 {"gssapi-with-mic", 2781 {"gssapi-with-mic",
2786 userauth_gssapi, 2782 userauth_gssapi,
2787 NULL, 2783 NULL,
2788@@ -627,19 +689,31 @@ 2784@@ -625,19 +687,31 @@
2789 static u_int mech = 0; 2785 static u_int mech = 0;
2790 OM_uint32 min; 2786 OM_uint32 min;
2791 int ok = 0; 2787 int ok = 0;
@@ -2819,7 +2815,7 @@ Index: b/sshconnect2.c
2819 ok = 1; /* Mechanism works */ 2815 ok = 1; /* Mechanism works */
2820 } else { 2816 } else {
2821 mech++; 2817 mech++;
2822@@ -736,8 +810,8 @@ 2818@@ -734,8 +808,8 @@
2823 { 2819 {
2824 Authctxt *authctxt = ctxt; 2820 Authctxt *authctxt = ctxt;
2825 Gssctxt *gssctxt; 2821 Gssctxt *gssctxt;
@@ -2830,9 +2826,9 @@ Index: b/sshconnect2.c
2830 2826
2831 if (authctxt == NULL) 2827 if (authctxt == NULL)
2832 fatal("input_gssapi_response: no authentication context"); 2828 fatal("input_gssapi_response: no authentication context");
2833@@ -847,6 +921,48 @@ 2829@@ -844,6 +918,48 @@
2834 xfree(msg); 2830 free(msg);
2835 xfree(lang); 2831 free(lang);
2836 } 2832 }
2837+ 2833+
2838+int 2834+int
@@ -2883,7 +2879,7 @@ Index: b/sshd.c
2883=================================================================== 2879===================================================================
2884--- a/sshd.c 2880--- a/sshd.c
2885+++ b/sshd.c 2881+++ b/sshd.c
2886@@ -121,6 +121,10 @@ 2882@@ -122,6 +122,10 @@
2887 #include "ssh-sandbox.h" 2883 #include "ssh-sandbox.h"
2888 #include "version.h" 2884 #include "version.h"
2889 2885
@@ -2894,7 +2890,7 @@ Index: b/sshd.c
2894 #ifdef LIBWRAP 2890 #ifdef LIBWRAP
2895 #include <tcpd.h> 2891 #include <tcpd.h>
2896 #include <syslog.h> 2892 #include <syslog.h>
2897@@ -1645,10 +1649,13 @@ 2893@@ -1703,10 +1707,13 @@
2898 logit("Disabling protocol version 1. Could not load host key"); 2894 logit("Disabling protocol version 1. Could not load host key");
2899 options.protocol &= ~SSH_PROTO_1; 2895 options.protocol &= ~SSH_PROTO_1;
2900 } 2896 }
@@ -2908,7 +2904,7 @@ Index: b/sshd.c
2908 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2904 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2909 logit("sshd: no hostkeys available -- exiting."); 2905 logit("sshd: no hostkeys available -- exiting.");
2910 exit(1); 2906 exit(1);
2911@@ -1976,6 +1983,60 @@ 2907@@ -2035,6 +2042,60 @@
2912 /* Log the connection. */ 2908 /* Log the connection. */
2913 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2909 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2914 2910
@@ -2969,7 +2965,7 @@ Index: b/sshd.c
2969 /* 2965 /*
2970 * We don't want to listen forever unless the other side 2966 * We don't want to listen forever unless the other side
2971 * successfully authenticates itself. So we set up an alarm which is 2967 * successfully authenticates itself. So we set up an alarm which is
2972@@ -2357,6 +2418,48 @@ 2968@@ -2439,6 +2500,48 @@
2973 2969
2974 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2970 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2975 2971
@@ -3018,7 +3014,7 @@ Index: b/sshd.c
3018 /* start key exchange */ 3014 /* start key exchange */
3019 kex = kex_setup(myproposal); 3015 kex = kex_setup(myproposal);
3020 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3016 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3021@@ -2364,6 +2467,13 @@ 3017@@ -2446,6 +2549,13 @@
3022 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3018 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3023 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3019 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3024 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3020 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3036,7 +3032,7 @@ Index: b/sshd_config
3036=================================================================== 3032===================================================================
3037--- a/sshd_config 3033--- a/sshd_config
3038+++ b/sshd_config 3034+++ b/sshd_config
3039@@ -80,6 +80,8 @@ 3035@@ -83,6 +83,8 @@
3040 # GSSAPI options 3036 # GSSAPI options
3041 #GSSAPIAuthentication no 3037 #GSSAPIAuthentication no
3042 #GSSAPICleanupCredentials yes 3038 #GSSAPICleanupCredentials yes
@@ -3049,7 +3045,7 @@ Index: b/sshd_config.5
3049=================================================================== 3045===================================================================
3050--- a/sshd_config.5 3046--- a/sshd_config.5
3051+++ b/sshd_config.5 3047+++ b/sshd_config.5
3052@@ -481,12 +481,40 @@ 3048@@ -484,12 +484,40 @@
3053 The default is 3049 The default is
3054 .Dq no . 3050 .Dq no .
3055 Note that this option applies to protocol version 2 only. 3051 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 98e9f8bdd..a851a91bf 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -12,30 +12,30 @@ Author: Richard Kettlewell <rjk@greenend.org.uk>
12Author: Ian Jackson <ian@chiark.greenend.org.uk> 12Author: Ian Jackson <ian@chiark.greenend.org.uk>
13Author: Matthew Vernon <matthew@debian.org> 13Author: Matthew Vernon <matthew@debian.org>
14Author: Colin Watson <cjwatson@debian.org> 14Author: Colin Watson <cjwatson@debian.org>
15Last-Update: 2013-05-16 15Last-Update: 2013-09-14
16 16
17Index: b/readconf.c 17Index: b/readconf.c
18=================================================================== 18===================================================================
19--- a/readconf.c 19--- a/readconf.c
20+++ b/readconf.c 20+++ b/readconf.c
21@@ -138,6 +138,7 @@ 21@@ -141,6 +141,7 @@
22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
24 oKexAlgorithms, oIPQoS, oRequestTTY, 24 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
25+ oProtocolKeepAlives, oSetupTimeOut, 25+ oProtocolKeepAlives, oSetupTimeOut,
26 oDeprecated, oUnsupported 26 oIgnoredUnknownOption, oDeprecated, oUnsupported
27 } OpCodes; 27 } OpCodes;
28 28
29@@ -259,6 +260,8 @@ 29@@ -263,6 +264,8 @@
30 { "kexalgorithms", oKexAlgorithms },
31 { "ipqos", oIPQoS }, 30 { "ipqos", oIPQoS },
32 { "requesttty", oRequestTTY }, 31 { "requesttty", oRequestTTY },
32 { "ignoreunknown", oIgnoreUnknown },
33+ { "protocolkeepalives", oProtocolKeepAlives }, 33+ { "protocolkeepalives", oProtocolKeepAlives },
34+ { "setuptimeout", oSetupTimeOut }, 34+ { "setuptimeout", oSetupTimeOut },
35 35
36 { NULL, oBadOption } 36 { NULL, oBadOption }
37 }; 37 };
38@@ -933,6 +936,8 @@ 38@@ -939,6 +942,8 @@
39 goto parse_flag; 39 goto parse_flag;
40 40
41 case oServerAliveInterval: 41 case oServerAliveInterval:
@@ -44,8 +44,8 @@ Index: b/readconf.c
44 intptr = &options->server_alive_interval; 44 intptr = &options->server_alive_interval;
45 goto parse_time; 45 goto parse_time;
46 46
47@@ -1392,8 +1397,13 @@ 47@@ -1404,8 +1409,13 @@
48 options->rekey_limit = 0; 48 options->rekey_interval = 0;
49 if (options->verify_host_key_dns == -1) 49 if (options->verify_host_key_dns == -1)
50 options->verify_host_key_dns = 0; 50 options->verify_host_key_dns = 0;
51- if (options->server_alive_interval == -1) 51- if (options->server_alive_interval == -1)
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
78 The argument must be 78 The argument must be
79 .Dq yes 79 .Dq yes
80 or 80 or
81@@ -1113,8 +1117,15 @@ 81@@ -1141,8 +1145,15 @@
82 will send a message through the encrypted 82 will send a message through the encrypted
83 channel to request a response from the server. 83 channel to request a response from the server.
84 The default 84 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 95 .It Cm StrictHostKeyChecking
96 If this flag is set to 96 If this flag is set to
97 .Dq yes , 97 .Dq yes ,
98@@ -1153,6 +1164,12 @@ 98@@ -1181,6 +1192,12 @@
99 other side. 99 other side.
100 If they are sent, death of the connection or crash of one 100 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 101 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
112=================================================================== 112===================================================================
113--- a/sshd_config.5 113--- a/sshd_config.5
114+++ b/sshd_config.5 114+++ b/sshd_config.5
115@@ -1122,6 +1122,9 @@ 115@@ -1161,6 +1161,9 @@
116 .Pp 116 .Pp
117 To disable TCP keepalive messages, the value should be set to 117 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 118 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 8afabfaba..19ae33b22 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -3,13 +3,13 @@ Description: Fix picky lintian errors about slogin symlinks
3 either way and opted to keep the status quo. We need this patch anyway. 3 either way and opted to keep the status quo. We need this patch anyway.
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
6Last-Update: 2013-05-07 6Last-Update: 2013-09-14
7 7
8Index: b/Makefile.in 8Index: b/Makefile.in
9=================================================================== 9===================================================================
10--- a/Makefile.in 10--- a/Makefile.in
11+++ b/Makefile.in 11+++ b/Makefile.in
12@@ -293,9 +293,9 @@ 12@@ -296,9 +296,9 @@
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 15 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index fd1b6f9f5..55c277031 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -2,13 +2,13 @@ Description: Mention ssh-keygen in ssh fingerprint changed warning
2Author: Scott Moser <smoser@ubuntu.com> 2Author: Scott Moser <smoser@ubuntu.com>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
5Last-Update: 2013-05-16 5Last-Update: 2013-09-14
6 6
7Index: b/sshconnect.c 7Index: b/sshconnect.c
8=================================================================== 8===================================================================
9--- a/sshconnect.c 9--- a/sshconnect.c
10+++ b/sshconnect.c 10+++ b/sshconnect.c
11@@ -982,9 +982,12 @@ 11@@ -981,9 +981,12 @@
12 error("%s. This could either mean that", key_msg); 12 error("%s. This could either mean that", key_msg);
13 error("DNS SPOOFING is happening or the IP address for the host"); 13 error("DNS SPOOFING is happening or the IP address for the host");
14 error("and its host key have changed at the same time."); 14 error("and its host key have changed at the same time.");
@@ -22,7 +22,7 @@ Index: b/sshconnect.c
22 } 22 }
23 /* The host key has changed. */ 23 /* The host key has changed. */
24 warn_changed_key(host_key); 24 warn_changed_key(host_key);
25@@ -992,6 +995,8 @@ 25@@ -991,6 +994,8 @@
26 user_hostfiles[0]); 26 user_hostfiles[0]);
27 error("Offending %s key in %s:%lu", key_type(host_found->key), 27 error("Offending %s key in %s:%lu", key_type(host_found->key),
28 host_found->file, host_found->line); 28 host_found->file, host_found->line);
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 48c3ff598..d4eeee6e8 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -6,7 +6,7 @@ Description: Adjust various OpenBSD-specific references in manual pages
6 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 6 https://bugs.launchpad.net/bugs/456660 (ssl(8))
7Author: Colin Watson <cjwatson@debian.org> 7Author: Colin Watson <cjwatson@debian.org>
8Forwarded: not-needed 8Forwarded: not-needed
9Last-Update: 2013-05-07 9Last-Update: 2013-09-14
10 10
11Index: b/moduli.5 11Index: b/moduli.5
12=================================================================== 12===================================================================
@@ -56,7 +56,7 @@ Index: b/ssh-keygen.1
56 .It Fl a Ar trials 56 .It Fl a Ar trials
57 Specifies the number of primality tests to perform when screening DH-GEX 57 Specifies the number of primality tests to perform when screening DH-GEX
58 candidates using the 58 candidates using the
59@@ -606,7 +602,7 @@ 59@@ -605,7 +601,7 @@
60 Valid generator values are 2, 3, and 5. 60 Valid generator values are 2, 3, and 5.
61 .Pp 61 .Pp
62 Screened DH groups may be installed in 62 Screened DH groups may be installed in
@@ -65,7 +65,7 @@ Index: b/ssh-keygen.1
65 It is important that this file contains moduli of a range of bit lengths and 65 It is important that this file contains moduli of a range of bit lengths and
66 that both ends of a connection share common moduli. 66 that both ends of a connection share common moduli.
67 .Sh CERTIFICATES 67 .Sh CERTIFICATES
68@@ -801,7 +797,7 @@ 68@@ -800,7 +796,7 @@
69 where the user wishes to log in using public key authentication. 69 where the user wishes to log in using public key authentication.
70 There is no need to keep the contents of this file secret. 70 There is no need to keep the contents of this file secret.
71 .Pp 71 .Pp
@@ -78,9 +78,9 @@ Index: b/ssh.1
78=================================================================== 78===================================================================
79--- a/ssh.1 79--- a/ssh.1
80+++ b/ssh.1 80+++ b/ssh.1
81@@ -736,6 +736,10 @@ 81@@ -756,6 +756,10 @@
82 .Sx HISTORY 82 but protocol 2 may use any.
83 section of 83 The HISTORY section of
84 .Xr ssl 8 84 .Xr ssl 8
85+(on non-OpenBSD systems, see 85+(on non-OpenBSD systems, see
86+.nh 86+.nh
@@ -93,7 +93,7 @@ Index: b/sshd.8
93=================================================================== 93===================================================================
94--- a/sshd.8 94--- a/sshd.8
95+++ b/sshd.8 95+++ b/sshd.8
96@@ -69,7 +69,7 @@ 96@@ -70,7 +70,7 @@
97 .Nm 97 .Nm
98 listens for connections from clients. 98 listens for connections from clients.
99 It is normally started at boot from 99 It is normally started at boot from
@@ -102,7 +102,7 @@ Index: b/sshd.8
102 It forks a new 102 It forks a new
103 daemon for each incoming connection. 103 daemon for each incoming connection.
104 The forked daemons handle 104 The forked daemons handle
105@@ -858,7 +858,7 @@ 105@@ -859,7 +859,7 @@
106 .Xr ssh 1 ) . 106 .Xr ssh 1 ) .
107 It should only be writable by root. 107 It should only be writable by root.
108 .Pp 108 .Pp
@@ -111,7 +111,7 @@ Index: b/sshd.8
111 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 111 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
112 The file format is described in 112 The file format is described in
113 .Xr moduli 5 . 113 .Xr moduli 5 .
114@@ -956,7 +956,6 @@ 114@@ -957,7 +957,6 @@
115 .Xr ssh-vulnkey 1 , 115 .Xr ssh-vulnkey 1 ,
116 .Xr chroot 2 , 116 .Xr chroot 2 ,
117 .Xr hosts_access 5 , 117 .Xr hosts_access 5 ,
@@ -123,7 +123,7 @@ Index: b/sshd_config.5
123=================================================================== 123===================================================================
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -276,8 +276,7 @@ 126@@ -283,8 +283,7 @@
127 By default, no banner is displayed. 127 By default, no banner is displayed.
128 .It Cm ChallengeResponseAuthentication 128 .It Cm ChallengeResponseAuthentication
129 Specifies whether challenge-response authentication is allowed (e.g. via 129 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b922a185b..2be45ebf8 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -5,7 +5,7 @@ Description: Include the Debian version in our identification
5 vulnerable-looking version strings. (However, see debian-banner.patch.) 5 vulnerable-looking version strings. (However, see debian-banner.patch.)
6Author: Matthew Vernon <matthew@debian.org> 6Author: Matthew Vernon <matthew@debian.org>
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2013-05-16 8Last-Update: 2013-09-14
9 9
10Index: b/sshconnect.c 10Index: b/sshconnect.c
11=================================================================== 11===================================================================
@@ -28,7 +28,7 @@ Index: b/sshd.c
28=================================================================== 28===================================================================
29--- a/sshd.c 29--- a/sshd.c
30+++ b/sshd.c 30+++ b/sshd.c
31@@ -434,7 +434,7 @@ 31@@ -440,7 +440,7 @@
32 } 32 }
33 33
34 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 34 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -42,9 +42,9 @@ Index: b/version.h
42--- a/version.h 42--- a/version.h
43+++ b/version.h 43+++ b/version.h
44@@ -3,4 +3,9 @@ 44@@ -3,4 +3,9 @@
45 #define SSH_VERSION "OpenSSH_6.2" 45 #define SSH_VERSION "OpenSSH_6.3"
46 46
47 #define SSH_PORTABLE "p2" 47 #define SSH_PORTABLE "p1"
48-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 48-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
49+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 49+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
50+#ifdef SSH_EXTRAVERSION 50+#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index f25ff89d0..32f4cfc67 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -10,13 +10,13 @@ Author: Peter Samuelson <peter@p12n.org>
10Author: Colin Watson <cjwatson@debian.org> 10Author: Colin Watson <cjwatson@debian.org>
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
12Bug-Debian: http://bugs.debian.org/313371 12Bug-Debian: http://bugs.debian.org/313371
13Last-Update: 2013-05-07 13Last-Update: 2013-09-14
14 14
15Index: b/clientloop.c 15Index: b/clientloop.c
16=================================================================== 16===================================================================
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -1710,8 +1710,10 @@ 19@@ -1717,8 +1717,10 @@
20 exit_status = 0; 20 exit_status = 0;
21 } 21 }
22 22
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index c41c78b3b..f3376c20a 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -5,7 +5,7 @@ Description: Handle SELinux authorisation roles
5Author: Manoj Srivastava <srivasta@debian.org> 5Author: Manoj Srivastava <srivasta@debian.org>
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
7Bug-Debian: http://bugs.debian.org/394795 7Bug-Debian: http://bugs.debian.org/394795
8Last-Update: 2013-05-13 8Last-Update: 2013-09-14
9 9
10Index: b/auth.h 10Index: b/auth.h
11=================================================================== 11===================================================================
@@ -17,13 +17,13 @@ Index: b/auth.h
17 char *style; 17 char *style;
18+ char *role; 18+ char *role;
19 void *kbdintctxt; 19 void *kbdintctxt;
20 char *info; /* Extra info for next auth_log */
20 void *jpake_ctx; 21 void *jpake_ctx;
21 #ifdef BSD_AUTH
22Index: b/auth1.c 22Index: b/auth1.c
23=================================================================== 23===================================================================
24--- a/auth1.c 24--- a/auth1.c
25+++ b/auth1.c 25+++ b/auth1.c
26@@ -385,7 +385,7 @@ 26@@ -380,7 +380,7 @@
27 do_authentication(Authctxt *authctxt) 27 do_authentication(Authctxt *authctxt)
28 { 28 {
29 u_int ulen; 29 u_int ulen;
@@ -32,7 +32,7 @@ Index: b/auth1.c
32 32
33 /* Get the name of the user that we wish to log in as. */ 33 /* Get the name of the user that we wish to log in as. */
34 packet_read_expect(SSH_CMSG_USER); 34 packet_read_expect(SSH_CMSG_USER);
35@@ -394,11 +394,17 @@ 35@@ -389,11 +389,17 @@
36 user = packet_get_cstring(&ulen); 36 user = packet_get_cstring(&ulen);
37 packet_check_eom(); 37 packet_check_eom();
38 38
@@ -54,7 +54,7 @@ Index: b/auth2.c
54=================================================================== 54===================================================================
55--- a/auth2.c 55--- a/auth2.c
56+++ b/auth2.c 56+++ b/auth2.c
57@@ -219,7 +219,7 @@ 57@@ -222,7 +222,7 @@
58 { 58 {
59 Authctxt *authctxt = ctxt; 59 Authctxt *authctxt = ctxt;
60 Authmethod *m = NULL; 60 Authmethod *m = NULL;
@@ -63,7 +63,7 @@ Index: b/auth2.c
63 int authenticated = 0; 63 int authenticated = 0;
64 64
65 if (authctxt == NULL) 65 if (authctxt == NULL)
66@@ -231,8 +231,13 @@ 66@@ -234,8 +234,13 @@
67 debug("userauth-request for user %s service %s method %s", user, service, method); 67 debug("userauth-request for user %s service %s method %s", user, service, method);
68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
69 69
@@ -77,7 +77,7 @@ Index: b/auth2.c
77 77
78 if (authctxt->attempt++ == 0) { 78 if (authctxt->attempt++ == 0) {
79 /* setup auth context */ 79 /* setup auth context */
80@@ -256,8 +261,9 @@ 80@@ -259,8 +264,9 @@
81 use_privsep ? " [net]" : ""); 81 use_privsep ? " [net]" : "");
82 authctxt->service = xstrdup(service); 82 authctxt->service = xstrdup(service);
83 authctxt->style = style ? xstrdup(style) : NULL; 83 authctxt->style = style ? xstrdup(style) : NULL;
@@ -92,7 +92,7 @@ Index: b/monitor.c
92=================================================================== 92===================================================================
93--- a/monitor.c 93--- a/monitor.c
94+++ b/monitor.c 94+++ b/monitor.c
95@@ -145,6 +145,7 @@ 95@@ -146,6 +146,7 @@
96 int mm_answer_pwnamallow(int, Buffer *); 96 int mm_answer_pwnamallow(int, Buffer *);
97 int mm_answer_auth2_read_banner(int, Buffer *); 97 int mm_answer_auth2_read_banner(int, Buffer *);
98 int mm_answer_authserv(int, Buffer *); 98 int mm_answer_authserv(int, Buffer *);
@@ -100,7 +100,7 @@ Index: b/monitor.c
100 int mm_answer_authpassword(int, Buffer *); 100 int mm_answer_authpassword(int, Buffer *);
101 int mm_answer_bsdauthquery(int, Buffer *); 101 int mm_answer_bsdauthquery(int, Buffer *);
102 int mm_answer_bsdauthrespond(int, Buffer *); 102 int mm_answer_bsdauthrespond(int, Buffer *);
103@@ -226,6 +227,7 @@ 103@@ -227,6 +228,7 @@
104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +108,7 @@ Index: b/monitor.c
108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -837,6 +839,7 @@ 111@@ -844,6 +846,7 @@
112 else { 112 else {
113 /* Allow service/style information on the auth context */ 113 /* Allow service/style information on the auth context */
114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +116,7 @@ Index: b/monitor.c
116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117 } 117 }
118 #ifdef USE_PAM 118 #ifdef USE_PAM
119@@ -869,14 +872,37 @@ 119@@ -874,14 +877,37 @@
120 120
121 authctxt->service = buffer_get_string(m, NULL); 121 authctxt->service = buffer_get_string(m, NULL);
122 authctxt->style = buffer_get_string(m, NULL); 122 authctxt->style = buffer_get_string(m, NULL);
@@ -127,12 +127,12 @@ Index: b/monitor.c
127+ __func__, authctxt->service, authctxt->style, authctxt->role); 127+ __func__, authctxt->service, authctxt->style, authctxt->role);
128 128
129 if (strlen(authctxt->style) == 0) { 129 if (strlen(authctxt->style) == 0) {
130 xfree(authctxt->style); 130 free(authctxt->style);
131 authctxt->style = NULL; 131 authctxt->style = NULL;
132 } 132 }
133 133
134+ if (strlen(authctxt->role) == 0) { 134+ if (strlen(authctxt->role) == 0) {
135+ xfree(authctxt->role); 135+ free(authctxt->role);
136+ authctxt->role = NULL; 136+ authctxt->role = NULL;
137+ } 137+ }
138+ 138+
@@ -149,14 +149,14 @@ Index: b/monitor.c
149+ __func__, authctxt->role); 149+ __func__, authctxt->role);
150+ 150+
151+ if (strlen(authctxt->role) == 0) { 151+ if (strlen(authctxt->role) == 0) {
152+ xfree(authctxt->role); 152+ free(authctxt->role);
153+ authctxt->role = NULL; 153+ authctxt->role = NULL;
154+ } 154+ }
155+ 155+
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1471,7 +1497,7 @@ 159@@ -1486,7 +1512,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0) 161 if (res == 0)
162 goto error; 162 goto error;
@@ -182,7 +182,7 @@ Index: b/monitor_wrap.c
182=================================================================== 182===================================================================
183--- a/monitor_wrap.c 183--- a/monitor_wrap.c
184+++ b/monitor_wrap.c 184+++ b/monitor_wrap.c
185@@ -318,10 +318,10 @@ 185@@ -320,10 +320,10 @@
186 return (banner); 186 return (banner);
187 } 187 }
188 188
@@ -195,7 +195,7 @@ Index: b/monitor_wrap.c
195 { 195 {
196 Buffer m; 196 Buffer m;
197 197
198@@ -330,11 +330,29 @@ 198@@ -332,11 +332,29 @@
199 buffer_init(&m); 199 buffer_init(&m);
200 buffer_put_cstring(&m, service); 200 buffer_put_cstring(&m, service);
201 buffer_put_cstring(&m, style ? style : ""); 201 buffer_put_cstring(&m, style ? style : "");
@@ -284,7 +284,7 @@ Index: b/openbsd-compat/port-linux.c
284 #endif 284 #endif
285 285
286 if (r != 0) { 286 if (r != 0) {
287@@ -107,7 +120,7 @@ 287@@ -105,7 +118,7 @@
288 288
289 /* Set the execution context to the default for the specified user */ 289 /* Set the execution context to the default for the specified user */
290 void 290 void
@@ -293,7 +293,7 @@ Index: b/openbsd-compat/port-linux.c
293 { 293 {
294 security_context_t user_ctx = NULL; 294 security_context_t user_ctx = NULL;
295 295
296@@ -116,7 +129,7 @@ 296@@ -114,7 +127,7 @@
297 297
298 debug3("%s: setting execution context", __func__); 298 debug3("%s: setting execution context", __func__);
299 299
@@ -302,7 +302,7 @@ Index: b/openbsd-compat/port-linux.c
302 if (setexeccon(user_ctx) != 0) { 302 if (setexeccon(user_ctx) != 0) {
303 switch (security_getenforce()) { 303 switch (security_getenforce()) {
304 case -1: 304 case -1:
305@@ -138,7 +151,7 @@ 305@@ -136,7 +149,7 @@
306 306
307 /* Set the TTY context for the specified user */ 307 /* Set the TTY context for the specified user */
308 void 308 void
@@ -311,7 +311,7 @@ Index: b/openbsd-compat/port-linux.c
311 { 311 {
312 security_context_t new_tty_ctx = NULL; 312 security_context_t new_tty_ctx = NULL;
313 security_context_t user_ctx = NULL; 313 security_context_t user_ctx = NULL;
314@@ -149,7 +162,7 @@ 314@@ -147,7 +160,7 @@
315 315
316 debug3("%s: setting TTY context on %s", __func__, tty); 316 debug3("%s: setting TTY context on %s", __func__, tty);
317 317
@@ -392,7 +392,7 @@ Index: b/session.c
392 392
393 if (options.chroot_directory != NULL && 393 if (options.chroot_directory != NULL &&
394 strcasecmp(options.chroot_directory, "none") != 0) { 394 strcasecmp(options.chroot_directory, "none") != 0) {
395@@ -1633,7 +1633,7 @@ 395@@ -1646,7 +1646,7 @@
396 396
397 /* Force a password change */ 397 /* Force a password change */
398 if (s->authctxt->force_pwchange) { 398 if (s->authctxt->force_pwchange) {
@@ -401,7 +401,7 @@ Index: b/session.c
401 child_close_fds(); 401 child_close_fds();
402 do_pwchange(s); 402 do_pwchange(s);
403 exit(1); 403 exit(1);
404@@ -1660,7 +1660,7 @@ 404@@ -1673,7 +1673,7 @@
405 /* When PAM is enabled we rely on it to do the nologin check */ 405 /* When PAM is enabled we rely on it to do the nologin check */
406 if (!options.use_pam) 406 if (!options.use_pam)
407 do_nologin(pw); 407 do_nologin(pw);
@@ -410,7 +410,7 @@ Index: b/session.c
410 /* 410 /*
411 * PAM session modules in do_setusercontext may have 411 * PAM session modules in do_setusercontext may have
412 * generated messages, so if this in an interactive 412 * generated messages, so if this in an interactive
413@@ -2072,7 +2072,7 @@ 413@@ -2084,7 +2084,7 @@
414 tty_parse_modes(s->ttyfd, &n_bytes); 414 tty_parse_modes(s->ttyfd, &n_bytes);
415 415
416 if (!use_privsep) 416 if (!use_privsep)
@@ -436,7 +436,7 @@ Index: b/sshd.c
436=================================================================== 436===================================================================
437--- a/sshd.c 437--- a/sshd.c
438+++ b/sshd.c 438+++ b/sshd.c
439@@ -745,7 +745,7 @@ 439@@ -753,7 +753,7 @@
440 RAND_seed(rnd, sizeof(rnd)); 440 RAND_seed(rnd, sizeof(rnd));
441 441
442 /* Drop privileges */ 442 /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index 0e43d9fe9..f5c2ebb52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,7 +26,6 @@ shell-path.patch
26dnssec-sshfp.patch 26dnssec-sshfp.patch
27auth-log-verbosity.patch 27auth-log-verbosity.patch
28mention-ssh-keygen-on-keychange.patch 28mention-ssh-keygen-on-keychange.patch
29ssh-copy-id-portable.patch
30 29
31# Versioning 30# Versioning
32package-versioning.patch 31package-versioning.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index d4cbc3e5f..a1c6efc8d 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -4,7 +4,7 @@ Description: Look for $SHELL on the path for ProxyCommand/LocalCommand
4Author: Colin Watson <cjwatson@debian.org> 4Author: Colin Watson <cjwatson@debian.org>
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
6Bug-Debian: http://bugs.debian.org/492728 6Bug-Debian: http://bugs.debian.org/492728
7Last-Update: 2013-05-16 7Last-Update: 2013-09-14
8 8
9Index: b/sshconnect.c 9Index: b/sshconnect.c
10=================================================================== 10===================================================================
@@ -19,7 +19,7 @@ Index: b/sshconnect.c
19 perror(argv[0]); 19 perror(argv[0]);
20 exit(1); 20 exit(1);
21 } 21 }
22@@ -1299,7 +1299,7 @@ 22@@ -1298,7 +1298,7 @@
23 if (pid == 0) { 23 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL); 24 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 25 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 42bee0739..3311a797c 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,13 +1,13 @@
1Description: Support synchronisation with service supervisor using SIGSTOP 1Description: Support synchronisation with service supervisor using SIGSTOP
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Forwarded: no 3Forwarded: no
4Last-Update: 2013-08-12 4Last-Update: 2013-09-14
5 5
6Index: b/sshd.c 6Index: b/sshd.c
7=================================================================== 7===================================================================
8--- a/sshd.c 8--- a/sshd.c
9+++ b/sshd.c 9+++ b/sshd.c
10@@ -1855,6 +1855,10 @@ 10@@ -1914,6 +1914,10 @@
11 } 11 }
12 } 12 }
13 13
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 6f4a3cd9a..28d144221 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -5,13 +5,13 @@ Description: ssh(1): Refer to ssh-argv0(1)
5 manual page from ssh(1). 5 manual page from ssh(1).
6Bug-Debian: http://bugs.debian.org/111341 6Bug-Debian: http://bugs.debian.org/111341
7Forwarded: not-needed 7Forwarded: not-needed
8Last-Update: 2013-05-07 8Last-Update: 2013-09-14
9 9
10Index: b/ssh.1 10Index: b/ssh.1
11=================================================================== 11===================================================================
12--- a/ssh.1 12--- a/ssh.1
13+++ b/ssh.1 13+++ b/ssh.1
14@@ -1433,6 +1433,7 @@ 14@@ -1451,6 +1451,7 @@
15 .Xr sftp 1 , 15 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 16 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 17 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-copy-id-portable.patch b/debian/patches/ssh-copy-id-portable.patch
deleted file mode 100644
index 9583eab4b..000000000
--- a/debian/patches/ssh-copy-id-portable.patch
+++ /dev/null
@@ -1,20 +0,0 @@
1Description: Fix non-portable shell in ssh-copy-id
2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2117
4Bug-Debian: http://bugs.debian.org/711162
5Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2117
6Last-Update: 2013-06-05
7
8Index: b/contrib/ssh-copy-id
9===================================================================
10--- a/contrib/ssh-copy-id
11+++ b/contrib/ssh-copy-id
12@@ -165,7 +165,7 @@
13
14 eval set -- "$SAVEARGS"
15
16-if [ $# == 0 ] ; then
17+if [ $# = 0 ] ; then
18 usage
19 fi
20 if [ $# != 1 ] ; then
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 03d6f15d9..a56911290 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -8,7 +8,7 @@ Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw
8 See CVE-2008-0166. 8 See CVE-2008-0166.
9Author: Colin Watson <cjwatson@ubuntu.com> 9Author: Colin Watson <cjwatson@ubuntu.com>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2013-05-16 11Last-Update: 2013-09-14
12 12
13Index: b/Makefile.in 13Index: b/Makefile.in
14=================================================================== 14===================================================================
@@ -52,7 +52,7 @@ Index: b/Makefile.in
52 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
53 53
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -174,6 +176,9 @@ 55@@ -176,6 +178,9 @@
56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
58 58
@@ -62,7 +62,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -269,6 +274,7 @@ 65@@ -272,6 +277,7 @@
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +70,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -283,6 +289,7 @@ 73@@ -286,6 +292,7 @@
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -364,6 +371,7 @@ 81@@ -367,6 +374,7 @@
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -376,6 +384,7 @@ 89@@ -379,6 +387,7 @@
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -111,8 +111,8 @@ Index: b/auth-rsa.c
111=================================================================== 111===================================================================
112--- a/auth-rsa.c 112--- a/auth-rsa.c
113+++ b/auth-rsa.c 113+++ b/auth-rsa.c
114@@ -233,7 +233,7 @@ 114@@ -237,7 +237,7 @@
115 file, linenum, BN_num_bits(key->rsa->n), bits); 115 free(fp);
116 116
117 /* Never accept a revoked key */ 117 /* Never accept a revoked key */
118- if (auth_key_is_revoked(key)) 118- if (auth_key_is_revoked(key))
@@ -132,7 +132,7 @@ Index: b/auth.c
132 #include "auth.h" 132 #include "auth.h"
133 #include "auth-options.h" 133 #include "auth-options.h"
134 #include "canohost.h" 134 #include "canohost.h"
135@@ -635,10 +636,34 @@ 135@@ -657,10 +658,34 @@
136 136
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 138 int
@@ -151,7 +151,7 @@ Index: b/auth.c
151+ logit("Public key %s from %s blacklisted (see " 151+ logit("Public key %s from %s blacklisted (see "
152+ "ssh-vulnkey(1)); continuing anyway", 152+ "ssh-vulnkey(1)); continuing anyway",
153+ key_fp, get_remote_ipaddr()); 153+ key_fp, get_remote_ipaddr());
154+ xfree(key_fp); 154+ free(key_fp);
155+ } else { 155+ } else {
156+ if (hostkey) 156+ if (hostkey)
157+ error("Host key %s blacklisted (see " 157+ error("Host key %s blacklisted (see "
@@ -160,7 +160,7 @@ Index: b/auth.c
160+ logit("Public key %s from %s blacklisted (see " 160+ logit("Public key %s from %s blacklisted (see "
161+ "ssh-vulnkey(1))", 161+ "ssh-vulnkey(1))",
162+ key_fp, get_remote_ipaddr()); 162+ key_fp, get_remote_ipaddr());
163+ xfree(key_fp); 163+ free(key_fp);
164+ return 1; 164+ return 1;
165+ } 165+ }
166+ } 166+ }
@@ -172,7 +172,7 @@ Index: b/auth.h
172=================================================================== 172===================================================================
173--- a/auth.h 173--- a/auth.h
174+++ b/auth.h 174+++ b/auth.h
175@@ -185,7 +185,7 @@ 175@@ -191,7 +191,7 @@
176 176
177 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int); 178 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -185,7 +185,7 @@ Index: b/auth2-hostbased.c
185=================================================================== 185===================================================================
186--- a/auth2-hostbased.c 186--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 187+++ b/auth2-hostbased.c
188@@ -146,7 +146,7 @@ 188@@ -150,7 +150,7 @@
189 int len; 189 int len;
190 char *fp; 190 char *fp;
191 191
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
198=================================================================== 198===================================================================
199--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
201@@ -608,9 +608,10 @@ 201@@ -647,9 +647,10 @@
202 u_int success, i; 202 u_int success, i;
203 char *file; 203 char *file;
204 204
@@ -223,7 +223,7 @@ Index: b/authfile.c
223 223
224 #define MAX_KEY_FILE_SIZE (1024 * 1024) 224 #define MAX_KEY_FILE_SIZE (1024 * 1024)
225 225
226@@ -944,3 +945,140 @@ 226@@ -944,3 +945,139 @@
227 return ret; 227 return ret;
228 } 228 }
229 229
@@ -316,10 +316,9 @@ Index: b/authfile.c
316+ } 316+ }
317+ 317+
318+out: 318+out:
319+ if (dgst_packed) 319+ free(dgst_packed);
320+ xfree(dgst_packed);
321+ if (ret != 1 && dgst_hex) { 320+ if (ret != 1 && dgst_hex) {
322+ xfree(dgst_hex); 321+ free(dgst_hex);
323+ dgst_hex = NULL; 322+ dgst_hex = NULL;
324+ } 323+ }
325+ if (fp) 324+ if (fp)
@@ -347,7 +346,7 @@ Index: b/authfile.c
347+ xasprintf(&blacklist_file, "%s.%s-%u", 346+ xasprintf(&blacklist_file, "%s.%s-%u",
348+ _PATH_BLACKLIST, key_type(public), key_size(public)); 347+ _PATH_BLACKLIST, key_type(public), key_size(public));
349+ ret = blacklisted_key_in_file(public, blacklist_file, fp); 348+ ret = blacklisted_key_in_file(public, blacklist_file, fp);
350+ xfree(blacklist_file); 349+ free(blacklist_file);
351+ if (ret > 0) { 350+ if (ret > 0) {
352+ key_free(public); 351+ key_free(public);
353+ return ret; 352+ return ret;
@@ -356,7 +355,7 @@ Index: b/authfile.c
356+ xasprintf(&blacklist_file, "%s.%s-%u", 355+ xasprintf(&blacklist_file, "%s.%s-%u",
357+ _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); 356+ _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
358+ ret2 = blacklisted_key_in_file(public, blacklist_file, fp); 357+ ret2 = blacklisted_key_in_file(public, blacklist_file, fp);
359+ xfree(blacklist_file); 358+ free(blacklist_file);
360+ if (ret2 > ret) 359+ if (ret2 > ret)
361+ ret = ret2; 360+ ret = ret2;
362+ 361+
@@ -404,7 +403,7 @@ Index: b/readconf.c
404=================================================================== 403===================================================================
405--- a/readconf.c 404--- a/readconf.c
406+++ b/readconf.c 405+++ b/readconf.c
407@@ -125,6 +125,7 @@ 406@@ -128,6 +128,7 @@
408 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 407 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
409 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 408 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
410 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 409 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -412,7 +411,7 @@ Index: b/readconf.c
412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 411 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
413 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 412 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 413 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
415@@ -158,6 +159,7 @@ 414@@ -161,6 +162,7 @@
416 { "passwordauthentication", oPasswordAuthentication }, 415 { "passwordauthentication", oPasswordAuthentication },
417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 416 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
418 { "kbdinteractivedevices", oKbdInteractiveDevices }, 417 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +419,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 419 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 420 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 421 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -510,6 +512,10 @@ 422@@ -523,6 +525,10 @@
424 intptr = &options->challenge_response_authentication; 423 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 424 goto parse_flag;
426 425
@@ -431,7 +430,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 430 case oGssAuthentication:
432 intptr = &options->gss_authentication; 431 intptr = &options->gss_authentication;
433 goto parse_flag; 432 goto parse_flag;
434@@ -1200,6 +1206,7 @@ 433@@ -1210,6 +1216,7 @@
435 options->kbd_interactive_devices = NULL; 434 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 435 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 436 options->hostbased_authentication = -1;
@@ -439,7 +438,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 438 options->batch_mode = -1;
440 options->check_host_ip = -1; 439 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 440 options->strict_host_key_checking = -1;
442@@ -1310,6 +1317,8 @@ 441@@ -1320,6 +1327,8 @@
443 options->rhosts_rsa_authentication = 0; 442 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 443 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 444 options->hostbased_authentication = 0;
@@ -464,7 +463,7 @@ Index: b/servconf.c
464=================================================================== 463===================================================================
465--- a/servconf.c 464--- a/servconf.c
466+++ b/servconf.c 465+++ b/servconf.c
467@@ -109,6 +109,7 @@ 466@@ -114,6 +114,7 @@
468 options->password_authentication = -1; 467 options->password_authentication = -1;
469 options->kbd_interactive_authentication = -1; 468 options->kbd_interactive_authentication = -1;
470 options->challenge_response_authentication = -1; 469 options->challenge_response_authentication = -1;
@@ -472,7 +471,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 471 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 472 options->permit_user_env = -1;
474 options->use_login = -1; 473 options->use_login = -1;
475@@ -250,6 +251,8 @@ 474@@ -257,6 +258,8 @@
476 options->kbd_interactive_authentication = 0; 475 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 476 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 477 options->challenge_response_authentication = 1;
@@ -481,16 +480,16 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 480 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 481 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 482 if (options->permit_user_env == -1)
484@@ -327,7 +330,7 @@ 483@@ -338,7 +341,7 @@
485 sListenAddress, sAddressFamily, 484 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 485 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 486 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
488- sStrictModes, sEmptyPasswd, sTCPKeepAlive, 487- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
489+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 488+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 489 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 490 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 491 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -439,6 +442,7 @@ 492@@ -451,6 +454,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 493 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 494 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 495 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +497,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 497 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 498 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 499 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1134,6 +1138,10 @@ 500@@ -1158,6 +1162,10 @@
502 intptr = &options->tcp_keep_alive; 501 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 502 goto parse_flag;
504 503
@@ -509,7 +508,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 508 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 509 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 510 goto parse_flag;
512@@ -1980,6 +1988,7 @@ 511@@ -2036,6 +2044,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 512 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 513 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 514 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -521,7 +520,7 @@ Index: b/servconf.h
521=================================================================== 520===================================================================
522--- a/servconf.h 521--- a/servconf.h
523+++ b/servconf.h 522+++ b/servconf.h
524@@ -120,6 +120,7 @@ 523@@ -121,6 +121,7 @@
525 int challenge_response_authentication; 524 int challenge_response_authentication;
526 int zero_knowledge_password_authentication; 525 int zero_knowledge_password_authentication;
527 /* If true, permit jpake auth */ 526 /* If true, permit jpake auth */
@@ -572,9 +571,9 @@ Index: b/ssh-add.c
572+ if (blacklisted_key(private, &fp) == 1) { 571+ if (blacklisted_key(private, &fp) == 1) {
573+ fprintf(stderr, "Public key %s blacklisted (see " 572+ fprintf(stderr, "Public key %s blacklisted (see "
574+ "ssh-vulnkey(1)); refusing to add it\n", fp); 573+ "ssh-vulnkey(1)); refusing to add it\n", fp);
575+ xfree(fp); 574+ free(fp);
576+ key_free(private); 575+ key_free(private);
577+ xfree(comment); 576+ free(comment);
578+ return -1; 577+ return -1;
579+ } 578+ }
580 579
@@ -584,7 +583,7 @@ Index: b/ssh-keygen.1
584=================================================================== 583===================================================================
585--- a/ssh-keygen.1 584--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 585+++ b/ssh-keygen.1
587@@ -810,6 +810,7 @@ 586@@ -809,6 +809,7 @@
588 .Xr ssh 1 , 587 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 588 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 589 .Xr ssh-agent 1 ,
@@ -843,7 +842,7 @@ Index: b/ssh-vulnkey.c
843=================================================================== 842===================================================================
844--- /dev/null 843--- /dev/null
845+++ b/ssh-vulnkey.c 844+++ b/ssh-vulnkey.c
846@@ -0,0 +1,387 @@ 845@@ -0,0 +1,386 @@
847+/* 846+/*
848+ * Copyright (c) 2008 Canonical Ltd. All rights reserved. 847+ * Copyright (c) 2008 Canonical Ltd. All rights reserved.
849+ * 848+ *
@@ -940,7 +939,7 @@ Index: b/ssh-vulnkey.c
940+ printf(":%lu: %s: %s %u %s %s\n", linenum, msg, 939+ printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
941+ key_type(key), key_size(key), fp, comment); 940+ key_type(key), key_size(key), fp, comment);
942+ } 941+ }
943+ xfree(fp); 942+ free(fp);
944+} 943+}
945+ 944+
946+static int 945+static int
@@ -1093,8 +1092,7 @@ Index: b/ssh-vulnkey.c
1093+ ret = 0; 1092+ ret = 0;
1094+ found = 1; 1093+ found = 1;
1095+ } 1094+ }
1096+ if (comment) 1095+ free(comment);
1097+ xfree(comment);
1098+ } 1096+ }
1099+ 1097+
1100+ return ret; 1098+ return ret;
@@ -1128,12 +1126,12 @@ Index: b/ssh-vulnkey.c
1128+ for (i = 0; default_files[i]; i++) { 1126+ for (i = 0; default_files[i]; i++) {
1129+ xasprintf(&file, "%s/%s", dir, default_files[i]); 1127+ xasprintf(&file, "%s/%s", dir, default_files[i]);
1130+ if (stat(file, &st) < 0 && errno == ENOENT) { 1128+ if (stat(file, &st) < 0 && errno == ENOENT) {
1131+ xfree(file); 1129+ free(file);
1132+ continue; 1130+ continue;
1133+ } 1131+ }
1134+ if (!do_filename(file, 0)) 1132+ if (!do_filename(file, 0))
1135+ ret = 0; 1133+ ret = 0;
1136+ xfree(file); 1134+ free(file);
1137+ } 1135+ }
1138+ 1136+
1139+ return ret; 1137+ return ret;
@@ -1235,7 +1233,7 @@ Index: b/ssh.1
1235=================================================================== 1233===================================================================
1236--- a/ssh.1 1234--- a/ssh.1
1237+++ b/ssh.1 1235+++ b/ssh.1
1238@@ -1429,6 +1429,7 @@ 1236@@ -1447,6 +1447,7 @@
1239 .Xr ssh-agent 1 , 1237 .Xr ssh-agent 1 ,
1240 .Xr ssh-keygen 1 , 1238 .Xr ssh-keygen 1 ,
1241 .Xr ssh-keyscan 1 , 1239 .Xr ssh-keyscan 1 ,
@@ -1247,7 +1245,7 @@ Index: b/ssh.c
1247=================================================================== 1245===================================================================
1248--- a/ssh.c 1246--- a/ssh.c
1249+++ b/ssh.c 1247+++ b/ssh.c
1250@@ -1492,7 +1492,7 @@ 1248@@ -1525,7 +1525,7 @@
1251 static void 1249 static void
1252 load_public_identity_files(void) 1250 load_public_identity_files(void)
1253 { 1251 {
@@ -1256,7 +1254,7 @@ Index: b/ssh.c
1256 char *pwdir = NULL, *pwname = NULL; 1254 char *pwdir = NULL, *pwname = NULL;
1257 int i = 0; 1255 int i = 0;
1258 Key *public; 1256 Key *public;
1259@@ -1550,6 +1550,22 @@ 1257@@ -1583,6 +1583,22 @@
1260 public = key_load_public(filename, NULL); 1258 public = key_load_public(filename, NULL);
1261 debug("identity file %s type %d", filename, 1259 debug("identity file %s type %d", filename,
1262 public ? public->type : -1); 1260 public ? public->type : -1);
@@ -1268,22 +1266,22 @@ Index: b/ssh.c
1268+ logit("Public key %s blacklisted (see " 1266+ logit("Public key %s blacklisted (see "
1269+ "ssh-vulnkey(1)); refusing to send it", 1267+ "ssh-vulnkey(1)); refusing to send it",
1270+ fp); 1268+ fp);
1271+ xfree(fp); 1269+ free(fp);
1272+ if (!options.use_blacklisted_keys) { 1270+ if (!options.use_blacklisted_keys) {
1273+ key_free(public); 1271+ key_free(public);
1274+ xfree(filename); 1272+ free(filename);
1275+ filename = NULL; 1273+ filename = NULL;
1276+ public = NULL; 1274+ public = NULL;
1277+ } 1275+ }
1278+ } 1276+ }
1279 xfree(options.identity_files[i]); 1277 free(options.identity_files[i]);
1280 identity_files[n_ids] = filename; 1278 identity_files[n_ids] = filename;
1281 identity_keys[n_ids] = public; 1279 identity_keys[n_ids] = public;
1282Index: b/ssh_config.5 1280Index: b/ssh_config.5
1283=================================================================== 1281===================================================================
1284--- a/ssh_config.5 1282--- a/ssh_config.5
1285+++ b/ssh_config.5 1283+++ b/ssh_config.5
1286@@ -1201,6 +1201,23 @@ 1284@@ -1229,6 +1229,23 @@
1287 .Dq any . 1285 .Dq any .
1288 The default is 1286 The default is
1289 .Dq any:any . 1287 .Dq any:any .
@@ -1320,7 +1318,7 @@ Index: b/sshconnect2.c
1320 key = options.identity_keys[i]; 1318 key = options.identity_keys[i];
1321 if (key && key->type == KEY_RSA1) 1319 if (key && key->type == KEY_RSA1)
1322 continue; 1320 continue;
1323@@ -1609,7 +1611,7 @@ 1321@@ -1608,7 +1610,7 @@
1324 debug("Offering %s public key: %s", key_type(id->key), 1322 debug("Offering %s public key: %s", key_type(id->key),
1325 id->filename); 1323 id->filename);
1326 sent = send_pubkey_test(authctxt, id); 1324 sent = send_pubkey_test(authctxt, id);
@@ -1333,7 +1331,7 @@ Index: b/sshd.8
1333=================================================================== 1331===================================================================
1334--- a/sshd.8 1332--- a/sshd.8
1335+++ b/sshd.8 1333+++ b/sshd.8
1336@@ -953,6 +953,7 @@ 1334@@ -954,6 +954,7 @@
1337 .Xr ssh-agent 1 , 1335 .Xr ssh-agent 1 ,
1338 .Xr ssh-keygen 1 , 1336 .Xr ssh-keygen 1 ,
1339 .Xr ssh-keyscan 1 , 1337 .Xr ssh-keyscan 1 ,
@@ -1345,23 +1343,23 @@ Index: b/sshd.c
1345=================================================================== 1343===================================================================
1346--- a/sshd.c 1344--- a/sshd.c
1347+++ b/sshd.c 1345+++ b/sshd.c
1348@@ -1631,6 +1631,11 @@ 1346@@ -1688,6 +1688,11 @@
1349 sensitive_data.host_keys[i] = NULL; 1347 sensitive_data.host_pubkeys[i] = NULL;
1350 continue; 1348 continue;
1351 } 1349 }
1352+ if (auth_key_is_revoked(key, 1)) { 1350+ if (auth_key_is_revoked(key != NULL ? key : pubkey, 1)) {
1353+ key_free(key);
1354+ sensitive_data.host_keys[i] = NULL; 1351+ sensitive_data.host_keys[i] = NULL;
1352+ sensitive_data.host_pubkeys[i] = NULL;
1355+ continue; 1353+ continue;
1356+ } 1354+ }
1357 switch (key->type) { 1355
1356 switch (keytype) {
1358 case KEY_RSA1: 1357 case KEY_RSA1:
1359 sensitive_data.ssh1_host_key = key;
1360Index: b/sshd_config.5 1358Index: b/sshd_config.5
1361=================================================================== 1359===================================================================
1362--- a/sshd_config.5 1360--- a/sshd_config.5
1363+++ b/sshd_config.5 1361+++ b/sshd_config.5
1364@@ -870,6 +870,20 @@ 1362@@ -885,6 +885,20 @@
1365 Specifies whether password authentication is allowed. 1363 Specifies whether password authentication is allowed.
1366 The default is 1364 The default is
1367 .Dq yes . 1365 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 87211e8a3..de61e1dd9 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,13 +1,13 @@
1Description: Partial server keep-alive implementation for SSH1 1Description: Partial server keep-alive implementation for SSH1
2Author: Colin Watson <cjwatson@debian.org> 2Author: Colin Watson <cjwatson@debian.org>
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
4Last-Update: 2013-05-07 4Last-Update: 2013-09-14
5 5
6Index: b/clientloop.c 6Index: b/clientloop.c
7=================================================================== 7===================================================================
8--- a/clientloop.c 8--- a/clientloop.c
9+++ b/clientloop.c 9+++ b/clientloop.c
10@@ -565,16 +565,21 @@ 10@@ -563,16 +563,21 @@
11 static void 11 static void
12 server_alive_check(void) 12 server_alive_check(void)
13 { 13 {
@@ -38,20 +38,20 @@ Index: b/clientloop.c
38 } 38 }
39 39
40 /* 40 /*
41@@ -636,7 +641,7 @@ 41@@ -634,7 +639,7 @@
42 */ 42 */
43 43
44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
45- if (options.server_alive_interval > 0 && compat20) 45- if (options.server_alive_interval > 0 && compat20) {
46+ if (options.server_alive_interval > 0) 46+ if (options.server_alive_interval > 0) {
47 timeout_secs = options.server_alive_interval; 47 timeout_secs = options.server_alive_interval;
48 set_control_persist_exit_time(); 48 server_alive_time = now + options.server_alive_interval;
49 if (control_persist_exit_time > 0) { 49 }
50Index: b/ssh_config.5 50Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1102,7 +1102,10 @@ 54@@ -1130,7 +1130,10 @@
55 .Cm ServerAliveCountMax 55 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 56 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 57 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 2bac7c8cb..f8be76c89 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -8,13 +8,13 @@ Description: "LogLevel SILENT" compatibility
8Author: Jonathan David Amery <jdamery@ysolde.ucam.org> 8Author: Jonathan David Amery <jdamery@ysolde.ucam.org>
9Author: Matthew Vernon <matthew@debian.org> 9Author: Matthew Vernon <matthew@debian.org>
10Author: Colin Watson <cjwatson@debian.org> 10Author: Colin Watson <cjwatson@debian.org>
11Last-Update: 2013-05-16 11Last-Update: 2013-09-14
12 12
13Index: b/log.c 13Index: b/log.c
14=================================================================== 14===================================================================
15--- a/log.c 15--- a/log.c
16+++ b/log.c 16+++ b/log.c
17@@ -92,6 +92,7 @@ 17@@ -94,6 +94,7 @@
18 LogLevel val; 18 LogLevel val;
19 } log_levels[] = 19 } log_levels[] =
20 { 20 {
@@ -26,7 +26,7 @@ Index: b/ssh.c
26=================================================================== 26===================================================================
27--- a/ssh.c 27--- a/ssh.c
28+++ b/ssh.c 28+++ b/ssh.c
29@@ -711,7 +711,7 @@ 29@@ -740,7 +740,7 @@
30 /* Do not allocate a tty if stdin is not a tty. */ 30 /* Do not allocate a tty if stdin is not a tty. */
31 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 31 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
32 options.request_tty != REQUEST_TTY_FORCE) { 32 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index d0de9c006..ac00edac6 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -9,7 +9,7 @@ Description: Allow harmless group-writability
9Author: Colin Watson <cjwatson@debian.org> 9Author: Colin Watson <cjwatson@debian.org>
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
11Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 11Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
12Last-Update: 2013-05-16 12Last-Update: 2013-09-14
13 13
14Index: b/readconf.c 14Index: b/readconf.c
15=================================================================== 15===================================================================
@@ -21,10 +21,10 @@ Index: b/readconf.c
21 #include <unistd.h> 21 #include <unistd.h>
22+#include <pwd.h> 22+#include <pwd.h>
23+#include <grp.h> 23+#include <grp.h>
24 24 #ifdef HAVE_UTIL_H
25 #include "xmalloc.h" 25 #include <util.h>
26 #include "ssh.h" 26 #endif
27@@ -1150,8 +1152,7 @@ 27@@ -1160,8 +1162,7 @@
28 28
29 if (fstat(fileno(f), &sb) == -1) 29 if (fstat(fileno(f), &sb) == -1)
30 fatal("fstat %s: %s", filename, strerror(errno)); 30 fatal("fstat %s: %s", filename, strerror(errno));
@@ -38,10 +38,10 @@ Index: b/ssh.1
38=================================================================== 38===================================================================
39--- a/ssh.1 39--- a/ssh.1
40+++ b/ssh.1 40+++ b/ssh.1
41@@ -1320,6 +1320,8 @@ 41@@ -1338,6 +1338,8 @@
42 .Xr ssh_config 5 . 42 .Xr ssh_config 5 .
43 Because of the potential for abuse, this file must have strict permissions: 43 Because of the potential for abuse, this file must have strict permissions:
44 read/write for the user, and not accessible by others. 44 read/write for the user, and not writable by others.
45+It may be group-writable provided that the group in question contains only 45+It may be group-writable provided that the group in question contains only
46+the user. 46+the user.
47 .Pp 47 .Pp
@@ -51,7 +51,7 @@ Index: b/ssh_config.5
51=================================================================== 51===================================================================
52--- a/ssh_config.5 52--- a/ssh_config.5
53+++ b/ssh_config.5 53+++ b/ssh_config.5
54@@ -1356,6 +1356,8 @@ 54@@ -1382,6 +1382,8 @@
55 This file is used by the SSH client. 55 This file is used by the SSH client.
56 Because of the potential for abuse, this file must have strict permissions: 56 Because of the potential for abuse, this file must have strict permissions:
57 read/write for the user, and not accessible by others. 57 read/write for the user, and not accessible by others.
@@ -64,7 +64,7 @@ Index: b/auth.c
64=================================================================== 64===================================================================
65--- a/auth.c 65--- a/auth.c
66+++ b/auth.c 66+++ b/auth.c
67@@ -386,8 +386,7 @@ 67@@ -408,8 +408,7 @@
68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69 if (options.strict_modes && 69 if (options.strict_modes &&
70 (stat(user_hostfile, &st) == 0) && 70 (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +74,7 @@ Index: b/auth.c
74 logit("Authentication refused for %.100s: " 74 logit("Authentication refused for %.100s: "
75 "bad owner or modes for %.200s", 75 "bad owner or modes for %.200s",
76 pw->pw_name, user_hostfile); 76 pw->pw_name, user_hostfile);
77@@ -449,8 +448,7 @@ 77@@ -471,8 +470,7 @@
78 snprintf(err, errlen, "%s is not a regular file", buf); 78 snprintf(err, errlen, "%s is not a regular file", buf);
79 return -1; 79 return -1;
80 } 80 }
@@ -84,7 +84,7 @@ Index: b/auth.c
84 snprintf(err, errlen, "bad ownership or modes for file %s", 84 snprintf(err, errlen, "bad ownership or modes for file %s",
85 buf); 85 buf);
86 return -1; 86 return -1;
87@@ -465,8 +463,7 @@ 87@@ -487,8 +485,7 @@
88 strlcpy(buf, cp, sizeof(buf)); 88 strlcpy(buf, cp, sizeof(buf));
89 89
90 if (stat(buf, &st) < 0 || 90 if (stat(buf, &st) < 0 ||
@@ -117,7 +117,7 @@ Index: b/misc.c
117 117
118 /* remove newline at end of string */ 118 /* remove newline at end of string */
119 char * 119 char *
120@@ -641,6 +643,71 @@ 120@@ -642,6 +644,71 @@
121 return -1; 121 return -1;
122 } 122 }
123 123
@@ -193,7 +193,7 @@ Index: b/misc.h
193=================================================================== 193===================================================================
194--- a/misc.h 194--- a/misc.h
195+++ b/misc.h 195+++ b/misc.h
196@@ -103,4 +103,6 @@ 196@@ -104,4 +104,6 @@
197 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 197 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
198 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 198 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
199 199
diff --git a/defines.h b/defines.h
index 64515c2ff..d5ce52f32 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
25#ifndef _DEFINES_H 25#ifndef _DEFINES_H
26#define _DEFINES_H 26#define _DEFINES_H
27 27
28/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */ 28/* $Id: defines.h,v 1.172 2013/06/01 21:18:48 dtucker Exp $ */
29 29
30 30
31/* Constants */ 31/* Constants */
@@ -171,11 +171,6 @@ enum
171# define MAP_FAILED ((void *)-1) 171# define MAP_FAILED ((void *)-1)
172#endif 172#endif
173 173
174/* *-*-nto-qnx doesn't define this constant in the system headers */
175#ifdef MISSING_NFDBITS
176# define NFDBITS (8 * sizeof(unsigned long))
177#endif
178
179/* 174/*
180SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but 175SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but
181including rpc/rpc.h breaks Solaris 6 176including rpc/rpc.h breaks Solaris 6
@@ -355,11 +350,19 @@ struct winsize {
355}; 350};
356#endif 351#endif
357 352
358/* *-*-nto-qnx does not define this type in the system headers */ 353/* bits needed for select that may not be in the system headers */
359#ifdef MISSING_FD_MASK 354#ifndef HAVE_FD_MASK
360 typedef unsigned long int fd_mask; 355 typedef unsigned long int fd_mask;
361#endif 356#endif
362 357
358#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0
359# define NFDBITS (8 * sizeof(unsigned long))
360#endif
361
362#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0
363# define howmany(x,y) (((x)+((y)-1))/(y))
364#endif
365
363/* Paths */ 366/* Paths */
364 367
365#ifndef _PATH_BSHELL 368#ifndef _PATH_BSHELL
@@ -484,11 +487,6 @@ struct winsize {
484# define __nonnull__(x) 487# define __nonnull__(x)
485#endif 488#endif
486 489
487/* *-*-nto-qnx doesn't define this macro in the system headers */
488#ifdef MISSING_HOWMANY
489# define howmany(x,y) (((x)+((y)-1))/(y))
490#endif
491
492#ifndef OSSH_ALIGNBYTES 490#ifndef OSSH_ALIGNBYTES
493#define OSSH_ALIGNBYTES (sizeof(int) - 1) 491#define OSSH_ALIGNBYTES (sizeof(int) - 1)
494#endif 492#endif
diff --git a/dh.c b/dh.c
index d943ca1e1..449dd3858 100644
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */ 1/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Niels Provos. All rights reserved. 3 * Copyright (c) 2000 Niels Provos. All rights reserved.
4 * 4 *
@@ -48,6 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
48 const char *errstr = NULL; 48 const char *errstr = NULL;
49 long long n; 49 long long n;
50 50
51 dhg->p = dhg->g = NULL;
51 cp = line; 52 cp = line;
52 if ((arg = strdelim(&cp)) == NULL) 53 if ((arg = strdelim(&cp)) == NULL)
53 return 0; 54 return 0;
@@ -59,66 +60,85 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
59 60
60 /* time */ 61 /* time */
61 if (cp == NULL || *arg == '\0') 62 if (cp == NULL || *arg == '\0')
62 goto fail; 63 goto truncated;
63 arg = strsep(&cp, " "); /* type */ 64 arg = strsep(&cp, " "); /* type */
64 if (cp == NULL || *arg == '\0') 65 if (cp == NULL || *arg == '\0')
65 goto fail; 66 goto truncated;
66 /* Ensure this is a safe prime */ 67 /* Ensure this is a safe prime */
67 n = strtonum(arg, 0, 5, &errstr); 68 n = strtonum(arg, 0, 5, &errstr);
68 if (errstr != NULL || n != MODULI_TYPE_SAFE) 69 if (errstr != NULL || n != MODULI_TYPE_SAFE) {
70 error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
69 goto fail; 71 goto fail;
72 }
70 arg = strsep(&cp, " "); /* tests */ 73 arg = strsep(&cp, " "); /* tests */
71 if (cp == NULL || *arg == '\0') 74 if (cp == NULL || *arg == '\0')
72 goto fail; 75 goto truncated;
73 /* Ensure prime has been tested and is not composite */ 76 /* Ensure prime has been tested and is not composite */
74 n = strtonum(arg, 0, 0x1f, &errstr); 77 n = strtonum(arg, 0, 0x1f, &errstr);
75 if (errstr != NULL || 78 if (errstr != NULL ||
76 (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) 79 (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
80 error("moduli:%d: invalid moduli tests flag", linenum);
77 goto fail; 81 goto fail;
82 }
78 arg = strsep(&cp, " "); /* tries */ 83 arg = strsep(&cp, " "); /* tries */
79 if (cp == NULL || *arg == '\0') 84 if (cp == NULL || *arg == '\0')
80 goto fail; 85 goto truncated;
81 n = strtonum(arg, 0, 1<<30, &errstr); 86 n = strtonum(arg, 0, 1<<30, &errstr);
82 if (errstr != NULL || n == 0) 87 if (errstr != NULL || n == 0) {
88 error("moduli:%d: invalid primality trial count", linenum);
83 goto fail; 89 goto fail;
90 }
84 strsize = strsep(&cp, " "); /* size */ 91 strsize = strsep(&cp, " "); /* size */
85 if (cp == NULL || *strsize == '\0' || 92 if (cp == NULL || *strsize == '\0' ||
86 (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 || 93 (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
87 errstr) 94 errstr) {
95 error("moduli:%d: invalid prime length", linenum);
88 goto fail; 96 goto fail;
97 }
89 /* The whole group is one bit larger */ 98 /* The whole group is one bit larger */
90 dhg->size++; 99 dhg->size++;
91 gen = strsep(&cp, " "); /* gen */ 100 gen = strsep(&cp, " "); /* gen */
92 if (cp == NULL || *gen == '\0') 101 if (cp == NULL || *gen == '\0')
93 goto fail; 102 goto truncated;
94 prime = strsep(&cp, " "); /* prime */ 103 prime = strsep(&cp, " "); /* prime */
95 if (cp != NULL || *prime == '\0') 104 if (cp != NULL || *prime == '\0') {
105 truncated:
106 error("moduli:%d: truncated", linenum);
96 goto fail; 107 goto fail;
108 }
97 109
98 if ((dhg->g = BN_new()) == NULL) 110 if ((dhg->g = BN_new()) == NULL)
99 fatal("parse_prime: BN_new failed"); 111 fatal("parse_prime: BN_new failed");
100 if ((dhg->p = BN_new()) == NULL) 112 if ((dhg->p = BN_new()) == NULL)
101 fatal("parse_prime: BN_new failed"); 113 fatal("parse_prime: BN_new failed");
102 if (BN_hex2bn(&dhg->g, gen) == 0) 114 if (BN_hex2bn(&dhg->g, gen) == 0) {
103 goto failclean; 115 error("moduli:%d: could not parse generator value", linenum);
104 116 goto fail;
105 if (BN_hex2bn(&dhg->p, prime) == 0) 117 }
106 goto failclean; 118 if (BN_hex2bn(&dhg->p, prime) == 0) {
107 119 error("moduli:%d: could not parse prime value", linenum);
108 if (BN_num_bits(dhg->p) != dhg->size) 120 goto fail;
109 goto failclean; 121 }
110 122 if (BN_num_bits(dhg->p) != dhg->size) {
111 if (BN_is_zero(dhg->g) || BN_is_one(dhg->g)) 123 error("moduli:%d: prime has wrong size: actual %d listed %d",
112 goto failclean; 124 linenum, BN_num_bits(dhg->p), dhg->size - 1);
125 goto fail;
126 }
127 if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
128 error("moduli:%d: generator is invalid", linenum);
129 goto fail;
130 }
113 131
114 return (1); 132 return 1;
115 133
116 failclean:
117 BN_clear_free(dhg->g);
118 BN_clear_free(dhg->p);
119 fail: 134 fail:
135 if (dhg->g != NULL)
136 BN_clear_free(dhg->g);
137 if (dhg->p != NULL)
138 BN_clear_free(dhg->p);
139 dhg->g = dhg->p = NULL;
120 error("Bad prime description in line %d", linenum); 140 error("Bad prime description in line %d", linenum);
121 return (0); 141 return 0;
122} 142}
123 143
124DH * 144DH *
diff --git a/dns.c b/dns.c
index bbe7f5023..478c3d9c5 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */ 1/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2003 Wesley Griffin. All rights reserved. 4 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -273,7 +273,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
273 273
274 if (hostkey_digest_type != dnskey_digest_type) { 274 if (hostkey_digest_type != dnskey_digest_type) {
275 hostkey_digest_type = dnskey_digest_type; 275 hostkey_digest_type = dnskey_digest_type;
276 xfree(hostkey_digest); 276 free(hostkey_digest);
277 277
278 /* Initialize host key parameters */ 278 /* Initialize host key parameters */
279 if (!dns_read_key(&hostkey_algorithm, 279 if (!dns_read_key(&hostkey_algorithm,
@@ -293,10 +293,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
293 hostkey_digest_len) == 0) 293 hostkey_digest_len) == 0)
294 *flags |= DNS_VERIFY_MATCH; 294 *flags |= DNS_VERIFY_MATCH;
295 } 295 }
296 xfree(dnskey_digest); 296 free(dnskey_digest);
297 } 297 }
298 298
299 xfree(hostkey_digest); /* from key_fingerprint_raw() */ 299 free(hostkey_digest); /* from key_fingerprint_raw() */
300 freerrset(fingerprints); 300 freerrset(fingerprints);
301 301
302 if (*flags & DNS_VERIFY_FOUND) 302 if (*flags & DNS_VERIFY_FOUND)
@@ -339,7 +339,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
339 for (i = 0; i < rdata_digest_len; i++) 339 for (i = 0; i < rdata_digest_len; i++)
340 fprintf(f, "%02x", rdata_digest[i]); 340 fprintf(f, "%02x", rdata_digest[i]);
341 fprintf(f, "\n"); 341 fprintf(f, "\n");
342 xfree(rdata_digest); /* from key_fingerprint_raw() */ 342 free(rdata_digest); /* from key_fingerprint_raw() */
343 success = 1; 343 success = 1;
344 } 344 }
345 } 345 }
diff --git a/fixalgorithms b/fixalgorithms
new file mode 100755
index 000000000..115dce81c
--- /dev/null
+++ b/fixalgorithms
@@ -0,0 +1,26 @@
1#!/bin/sh
2#
3# fixciphers - remove unsupported ciphers from man pages.
4# Usage: fixpaths /path/to/sed cipher1 [cipher2] <infile >outfile
5#
6# Author: Darren Tucker (dtucker at zip com.au). Placed in the public domain.
7
8die() {
9 echo $*
10 exit -1
11}
12
13SED=$1
14shift
15
16for c in $*; do
17 subs="$subs -e /.Dq.$c.*$/d"
18 subs="$subs -e s/$c,//g"
19done
20
21# now remove any entirely empty lines
22subs="$subs -e /^$/d"
23
24${SED} $subs
25
26exit 0
diff --git a/groupaccess.c b/groupaccess.c
index 2381aeb15..1eab10b19 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */ 1/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Kevin Steves. All rights reserved. 3 * Copyright (c) 2001 Kevin Steves. All rights reserved.
4 * 4 *
@@ -31,6 +31,7 @@
31#include <grp.h> 31#include <grp.h>
32#include <unistd.h> 32#include <unistd.h>
33#include <stdarg.h> 33#include <stdarg.h>
34#include <stdlib.h>
34#include <string.h> 35#include <string.h>
35 36
36#include "xmalloc.h" 37#include "xmalloc.h"
@@ -68,7 +69,7 @@ ga_init(const char *user, gid_t base)
68 for (i = 0, j = 0; i < ngroups; i++) 69 for (i = 0, j = 0; i < ngroups; i++)
69 if ((gr = getgrgid(groups_bygid[i])) != NULL) 70 if ((gr = getgrgid(groups_bygid[i])) != NULL)
70 groups_byname[j++] = xstrdup(gr->gr_name); 71 groups_byname[j++] = xstrdup(gr->gr_name);
71 xfree(groups_bygid); 72 free(groups_bygid);
72 return (ngroups = j); 73 return (ngroups = j);
73} 74}
74 75
@@ -122,8 +123,8 @@ ga_free(void)
122 123
123 if (ngroups > 0) { 124 if (ngroups > 0) {
124 for (i = 0; i < ngroups; i++) 125 for (i = 0; i < ngroups; i++)
125 xfree(groups_byname[i]); 126 free(groups_byname[i]);
126 ngroups = 0; 127 ngroups = 0;
127 xfree(groups_byname); 128 free(groups_byname);
128 } 129 }
129} 130}
diff --git a/gss-genr.c b/gss-genr.c
index f9b39cfd5..3069347c2 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ 1/* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -101,8 +101,8 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
101 101
102 if (gss_enc2oid != NULL) { 102 if (gss_enc2oid != NULL) {
103 for (i = 0; gss_enc2oid[i].encoded != NULL; i++) 103 for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
104 xfree(gss_enc2oid[i].encoded); 104 free(gss_enc2oid[i].encoded);
105 xfree(gss_enc2oid); 105 free(gss_enc2oid);
106 } 106 }
107 107
108 gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * 108 gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@@ -159,7 +159,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
159 buffer_free(&buf); 159 buffer_free(&buf);
160 160
161 if (strlen(mechs) == 0) { 161 if (strlen(mechs) == 0) {
162 xfree(mechs); 162 free(mechs);
163 mechs = NULL; 163 mechs = NULL;
164 } 164 }
165 165
@@ -214,8 +214,8 @@ void
214ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) 214ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
215{ 215{
216 if (ctx->oid != GSS_C_NO_OID) { 216 if (ctx->oid != GSS_C_NO_OID) {
217 xfree(ctx->oid->elements); 217 free(ctx->oid->elements);
218 xfree(ctx->oid); 218 free(ctx->oid);
219 } 219 }
220 ctx->oid = xmalloc(sizeof(gss_OID_desc)); 220 ctx->oid = xmalloc(sizeof(gss_OID_desc));
221 ctx->oid->length = len; 221 ctx->oid->length = len;
@@ -238,7 +238,7 @@ ssh_gssapi_error(Gssctxt *ctxt)
238 238
239 s = ssh_gssapi_last_error(ctxt, NULL, NULL); 239 s = ssh_gssapi_last_error(ctxt, NULL, NULL);
240 debug("%s", s); 240 debug("%s", s);
241 xfree(s); 241 free(s);
242} 242}
243 243
244char * 244char *
@@ -319,8 +319,8 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx)
319 if ((*ctx)->name != GSS_C_NO_NAME) 319 if ((*ctx)->name != GSS_C_NO_NAME)
320 gss_release_name(&ms, &(*ctx)->name); 320 gss_release_name(&ms, &(*ctx)->name);
321 if ((*ctx)->oid != GSS_C_NO_OID) { 321 if ((*ctx)->oid != GSS_C_NO_OID) {
322 xfree((*ctx)->oid->elements); 322 free((*ctx)->oid->elements);
323 xfree((*ctx)->oid); 323 free((*ctx)->oid);
324 (*ctx)->oid = GSS_C_NO_OID; 324 (*ctx)->oid = GSS_C_NO_OID;
325 } 325 }
326 if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) 326 if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
@@ -330,7 +330,7 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx)
330 if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL) 330 if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
331 gss_release_cred(&ms, &(*ctx)->client_creds); 331 gss_release_cred(&ms, &(*ctx)->client_creds);
332 332
333 xfree(*ctx); 333 free(*ctx);
334 *ctx = NULL; 334 *ctx = NULL;
335} 335}
336 336
@@ -377,7 +377,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
377 &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) 377 &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
378 ssh_gssapi_error(ctx); 378 ssh_gssapi_error(ctx);
379 379
380 xfree(gssbuf.value); 380 free(gssbuf.value);
381 return (ctx->major); 381 return (ctx->major);
382} 382}
383 383
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index e7170ee41..c55446a0b 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -48,12 +48,11 @@ extern ServerOptions options;
48 48
49#ifdef HEIMDAL 49#ifdef HEIMDAL
50# include <krb5.h> 50# include <krb5.h>
51#else 51#endif
52# ifdef HAVE_GSSAPI_KRB5_H 52#ifdef HAVE_GSSAPI_KRB5_H
53# include <gssapi_krb5.h> 53# include <gssapi_krb5.h>
54# elif HAVE_GSSAPI_GSSAPI_KRB5_H 54#elif HAVE_GSSAPI_GSSAPI_KRB5_H
55# include <gssapi/gssapi_krb5.h> 55# include <gssapi/gssapi_krb5.h>
56# endif
57#endif 56#endif
58 57
59static krb5_context krb_context = NULL; 58static krb5_context krb_context = NULL;
@@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
87{ 86{
88 krb5_principal princ; 87 krb5_principal princ;
89 int retval; 88 int retval;
89 const char *errmsg;
90 90
91 if (ssh_gssapi_krb5_init() == 0) 91 if (ssh_gssapi_krb5_init() == 0)
92 return 0; 92 return 0;
93 93
94 if ((retval = krb5_parse_name(krb_context, client->exportedname.value, 94 if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
95 &princ))) { 95 &princ))) {
96 logit("krb5_parse_name(): %.100s", 96 errmsg = krb5_get_error_message(krb_context, retval);
97 krb5_get_err_text(krb_context, retval)); 97 logit("krb5_parse_name(): %.100s", errmsg);
98 krb5_free_error_message(krb_context, errmsg);
98 return 0; 99 return 0;
99 } 100 }
100 if (krb5_kuserok(krb_context, princ, name)) { 101 if (krb5_kuserok(krb_context, princ, name)) {
@@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
120 krb5_principal princ; 121 krb5_principal princ;
121 OM_uint32 maj_status, min_status; 122 OM_uint32 maj_status, min_status;
122 int len; 123 int len;
124 const char *errmsg;
123 const char *new_ccname; 125 const char *new_ccname;
124 126
125 if (client->creds == NULL) { 127 if (client->creds == NULL) {
@@ -131,30 +133,34 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
131 return; 133 return;
132 134
133#ifdef HEIMDAL 135#ifdef HEIMDAL
134 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { 136 if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
135 logit("krb5_cc_gen_new(): %.100s", 137 NULL, &ccache)) != 0) {
136 krb5_get_err_text(krb_context, problem)); 138 errmsg = krb5_get_error_message(krb_context, problem);
139 logit("krb5_cc_new_unique(): %.100s", errmsg);
140 krb5_free_error_message(krb_context, errmsg);
137 return; 141 return;
138 } 142 }
139#else 143#else
140 if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { 144 if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
141 logit("ssh_krb5_cc_gen(): %.100s", 145 errmsg = krb5_get_error_message(krb_context, problem);
142 krb5_get_err_text(krb_context, problem)); 146 logit("ssh_krb5_cc_gen(): %.100s", errmsg);
147 krb5_free_error_message(krb_context, errmsg);
143 return; 148 return;
144 } 149 }
145#endif /* #ifdef HEIMDAL */ 150#endif /* #ifdef HEIMDAL */
146 151
147 if ((problem = krb5_parse_name(krb_context, 152 if ((problem = krb5_parse_name(krb_context,
148 client->exportedname.value, &princ))) { 153 client->exportedname.value, &princ))) {
149 logit("krb5_parse_name(): %.100s", 154 errmsg = krb5_get_error_message(krb_context, problem);
150 krb5_get_err_text(krb_context, problem)); 155 logit("krb5_parse_name(): %.100s", errmsg);
151 krb5_cc_destroy(krb_context, ccache); 156 krb5_free_error_message(krb_context, errmsg);
152 return; 157 return;
153 } 158 }
154 159
155 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { 160 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
156 logit("krb5_cc_initialize(): %.100s", 161 errmsg = krb5_get_error_message(krb_context, problem);
157 krb5_get_err_text(krb_context, problem)); 162 logit("krb5_cc_initialize(): %.100s", errmsg);
163 krb5_free_error_message(krb_context, errmsg);
158 krb5_free_principal(krb_context, princ); 164 krb5_free_principal(krb_context, princ);
159 krb5_cc_destroy(krb_context, ccache); 165 krb5_cc_destroy(krb_context, ccache);
160 return; 166 return;
diff --git a/gss-serv.c b/gss-serv.c
index 380895ea5..97f366fdf 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ 1/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -55,7 +55,8 @@ extern ServerOptions options;
55 55
56static ssh_gssapi_client gssapi_client = 56static ssh_gssapi_client gssapi_client =
57 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 57 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
58 GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; 58 GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
59 {NULL, NULL, NULL, NULL, NULL}, 0, 0};
59 60
60ssh_gssapi_mech gssapi_null_mech = 61ssh_gssapi_mech gssapi_null_mech =
61 { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL}; 62 { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
diff --git a/hostfile.c b/hostfile.c
index b6f924b23..2ff4c48b4 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: hostfile.c,v 1.50 2010/12/04 13:31:37 djm Exp $ */ 1/* $OpenBSD: hostfile.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -64,7 +64,7 @@ struct hostkeys {
64}; 64};
65 65
66static int 66static int
67extract_salt(const char *s, u_int l, char *salt, size_t salt_len) 67extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len)
68{ 68{
69 char *p, *b64salt; 69 char *p, *b64salt;
70 u_int b64len; 70 u_int b64len;
@@ -96,7 +96,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
96 b64salt[b64len] = '\0'; 96 b64salt[b64len] = '\0';
97 97
98 ret = __b64_pton(b64salt, salt, salt_len); 98 ret = __b64_pton(b64salt, salt, salt_len);
99 xfree(b64salt); 99 free(b64salt);
100 if (ret == -1) { 100 if (ret == -1) {
101 debug2("extract_salt: salt decode error"); 101 debug2("extract_salt: salt decode error");
102 return (-1); 102 return (-1);
@@ -115,7 +115,8 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
115{ 115{
116 const EVP_MD *md = EVP_sha1(); 116 const EVP_MD *md = EVP_sha1();
117 HMAC_CTX mac_ctx; 117 HMAC_CTX mac_ctx;
118 char salt[256], result[256], uu_salt[512], uu_result[512]; 118 u_char salt[256], result[256];
119 char uu_salt[512], uu_result[512];
119 static char encoded[1024]; 120 static char encoded[1024];
120 u_int i, len; 121 u_int i, len;
121 122
@@ -133,7 +134,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
133 } 134 }
134 135
135 HMAC_Init(&mac_ctx, salt, len, md); 136 HMAC_Init(&mac_ctx, salt, len, md);
136 HMAC_Update(&mac_ctx, host, strlen(host)); 137 HMAC_Update(&mac_ctx, (u_char *)host, strlen(host));
137 HMAC_Final(&mac_ctx, result, NULL); 138 HMAC_Final(&mac_ctx, result, NULL);
138 HMAC_cleanup(&mac_ctx); 139 HMAC_cleanup(&mac_ctx);
139 140
@@ -153,7 +154,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
153 */ 154 */
154 155
155int 156int
156hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) 157hostfile_read_key(char **cpp, int *bitsp, Key *ret)
157{ 158{
158 char *cp; 159 char *cp;
159 160
@@ -170,8 +171,10 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
170 171
171 /* Return results. */ 172 /* Return results. */
172 *cpp = cp; 173 *cpp = cp;
173 if (bitsp != NULL) 174 if (bitsp != NULL) {
174 *bitsp = key_size(ret); 175 if ((*bitsp = key_size(ret)) <= 0)
176 return 0;
177 }
175 return 1; 178 return 1;
176} 179}
177 180
@@ -327,16 +330,14 @@ free_hostkeys(struct hostkeys *hostkeys)
327 u_int i; 330 u_int i;
328 331
329 for (i = 0; i < hostkeys->num_entries; i++) { 332 for (i = 0; i < hostkeys->num_entries; i++) {
330 xfree(hostkeys->entries[i].host); 333 free(hostkeys->entries[i].host);
331 xfree(hostkeys->entries[i].file); 334 free(hostkeys->entries[i].file);
332 key_free(hostkeys->entries[i].key); 335 key_free(hostkeys->entries[i].key);
333 bzero(hostkeys->entries + i, sizeof(*hostkeys->entries)); 336 bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
334 } 337 }
335 if (hostkeys->entries != NULL) 338 free(hostkeys->entries);
336 xfree(hostkeys->entries); 339 bzero(hostkeys, sizeof(*hostkeys));
337 hostkeys->entries = NULL; 340 free(hostkeys);
338 hostkeys->num_entries = 0;
339 xfree(hostkeys);
340} 341}
341 342
342static int 343static int
diff --git a/hostfile.h b/hostfile.h
index d84d422ff..679c034f3 100644
--- a/hostfile.h
+++ b/hostfile.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: hostfile.h,v 1.19 2010/11/29 23:45:51 djm Exp $ */ 1/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -40,7 +40,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, Key *,
40int lookup_key_in_hostkeys_by_type(struct hostkeys *, int, 40int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
41 const struct hostkey_entry **); 41 const struct hostkey_entry **);
42 42
43int hostfile_read_key(char **, u_int *, Key *); 43int hostfile_read_key(char **, int *, Key *);
44int add_host_to_hostfile(const char *, const char *, const Key *, int); 44int add_host_to_hostfile(const char *, const char *, const Key *, int);
45 45
46#define HASH_MAGIC "|1|" 46#define HASH_MAGIC "|1|"
diff --git a/includes.h b/includes.h
index 3e206c899..07bcd89f2 100644
--- a/includes.h
+++ b/includes.h
@@ -18,7 +18,9 @@
18 18
19#include "config.h" 19#include "config.h"
20 20
21#ifndef _GNU_SOURCE
21#define _GNU_SOURCE /* activate extra prototypes for glibc */ 22#define _GNU_SOURCE /* activate extra prototypes for glibc */
23#endif
22 24
23#include <sys/types.h> 25#include <sys/types.h>
24#include <sys/socket.h> /* For CMSG_* */ 26#include <sys/socket.h> /* For CMSG_* */
diff --git a/jpake.c b/jpake.c
index b010dafaa..3dd87916a 100644
--- a/jpake.c
+++ b/jpake.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */ 1/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2008 Damien Miller. All rights reserved. 3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 * 4 *
@@ -106,7 +106,7 @@ jpake_free(struct jpake_ctx *pctx)
106 do { \ 106 do { \
107 if ((v) != NULL) { \ 107 if ((v) != NULL) { \
108 bzero((v), (l)); \ 108 bzero((v), (l)); \
109 xfree(v); \ 109 free(v); \
110 (v) = NULL; \ 110 (v) = NULL; \
111 (l) = 0; \ 111 (l) = 0; \
112 } \ 112 } \
@@ -134,7 +134,7 @@ jpake_free(struct jpake_ctx *pctx)
134#undef JPAKE_BUF_CLEAR_FREE 134#undef JPAKE_BUF_CLEAR_FREE
135 135
136 bzero(pctx, sizeof(*pctx)); 136 bzero(pctx, sizeof(*pctx));
137 xfree(pctx); 137 free(pctx);
138} 138}
139 139
140/* dump entire jpake_ctx. NB. includes private values! */ 140/* dump entire jpake_ctx. NB. includes private values! */
@@ -445,7 +445,7 @@ jpake_check_confirm(const BIGNUM *k,
445 expected_confirm_hash_len) == 0) 445 expected_confirm_hash_len) == 0)
446 success = 1; 446 success = 1;
447 bzero(expected_confirm_hash, expected_confirm_hash_len); 447 bzero(expected_confirm_hash, expected_confirm_hash_len);
448 xfree(expected_confirm_hash); 448 free(expected_confirm_hash);
449 debug3("%s: success = %d", __func__, success); 449 debug3("%s: success = %d", __func__, success);
450 return success; 450 return success;
451} 451}
diff --git a/kex.c b/kex.c
index f9e7a9c09..1ec278245 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -66,6 +66,69 @@ extern const EVP_MD *evp_ssh_sha256(void);
66static void kex_kexinit_finish(Kex *); 66static void kex_kexinit_finish(Kex *);
67static void kex_choose_conf(Kex *); 67static void kex_choose_conf(Kex *);
68 68
69struct kexalg {
70 char *name;
71 int type;
72 int ec_nid;
73 const EVP_MD *(*mdfunc)(void);
74};
75static const struct kexalg kexalgs[] = {
76 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 },
77 { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 },
78 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 },
79#ifdef HAVE_EVP_SHA256
80 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 },
81#endif
82#ifdef OPENSSL_HAS_ECC
83 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 },
84 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
85 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
86#endif
87 { NULL, -1, -1, NULL},
88};
89static const struct kexalg kexalg_prefixes[] = {
90#ifdef GSSAPI
91 { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
92 { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
93 { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
94#endif
95 { NULL, -1, -1, NULL },
96};
97
98char *
99kex_alg_list(void)
100{
101 char *ret = NULL;
102 size_t nlen, rlen = 0;
103 const struct kexalg *k;
104
105 for (k = kexalgs; k->name != NULL; k++) {
106 if (ret != NULL)
107 ret[rlen++] = '\n';
108 nlen = strlen(k->name);
109 ret = xrealloc(ret, 1, rlen + nlen + 2);
110 memcpy(ret + rlen, k->name, nlen + 1);
111 rlen += nlen;
112 }
113 return ret;
114}
115
116static const struct kexalg *
117kex_alg_by_name(const char *name)
118{
119 const struct kexalg *k;
120
121 for (k = kexalgs; k->name != NULL; k++) {
122 if (strcmp(k->name, name) == 0)
123 return k;
124 }
125 for (k = kexalg_prefixes; k->name != NULL; k++) {
126 if (strncmp(k->name, name, strlen(k->name)) == 0)
127 return k;
128 }
129 return NULL;
130}
131
69/* Validate KEX method name list */ 132/* Validate KEX method name list */
70int 133int
71kex_names_valid(const char *names) 134kex_names_valid(const char *names)
@@ -77,20 +140,14 @@ kex_names_valid(const char *names)
77 s = cp = xstrdup(names); 140 s = cp = xstrdup(names);
78 for ((p = strsep(&cp, ",")); p && *p != '\0'; 141 for ((p = strsep(&cp, ",")); p && *p != '\0';
79 (p = strsep(&cp, ","))) { 142 (p = strsep(&cp, ","))) {
80 if (strcmp(p, KEX_DHGEX_SHA256) != 0 && 143 if (kex_alg_by_name(p) == NULL) {
81 strcmp(p, KEX_DHGEX_SHA1) != 0 &&
82 strcmp(p, KEX_DH14) != 0 &&
83 strcmp(p, KEX_DH1) != 0 &&
84 (strncmp(p, KEX_ECDH_SHA2_STEM,
85 sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 ||
86 kex_ecdh_name_to_nid(p) == -1)) {
87 error("Unsupported KEX algorithm \"%.100s\"", p); 144 error("Unsupported KEX algorithm \"%.100s\"", p);
88 xfree(s); 145 free(s);
89 return 0; 146 return 0;
90 } 147 }
91 } 148 }
92 debug3("kex names ok: [%s]", names); 149 debug3("kex names ok: [%s]", names);
93 xfree(s); 150 free(s);
94 return 1; 151 return 1;
95} 152}
96 153
@@ -150,8 +207,8 @@ kex_prop_free(char **proposal)
150 u_int i; 207 u_int i;
151 208
152 for (i = 0; i < PROPOSAL_MAX; i++) 209 for (i = 0; i < PROPOSAL_MAX; i++)
153 xfree(proposal[i]); 210 free(proposal[i]);
154 xfree(proposal); 211 free(proposal);
155} 212}
156 213
157/* ARGSUSED */ 214/* ARGSUSED */
@@ -188,7 +245,7 @@ kex_finish(Kex *kex)
188 buffer_clear(&kex->peer); 245 buffer_clear(&kex->peer);
189 /* buffer_clear(&kex->my); */ 246 /* buffer_clear(&kex->my); */
190 kex->flags &= ~KEX_INIT_SENT; 247 kex->flags &= ~KEX_INIT_SENT;
191 xfree(kex->name); 248 free(kex->name);
192 kex->name = NULL; 249 kex->name = NULL;
193} 250}
194 251
@@ -245,7 +302,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
245 for (i = 0; i < KEX_COOKIE_LEN; i++) 302 for (i = 0; i < KEX_COOKIE_LEN; i++)
246 packet_get_char(); 303 packet_get_char();
247 for (i = 0; i < PROPOSAL_MAX; i++) 304 for (i = 0; i < PROPOSAL_MAX; i++)
248 xfree(packet_get_string(NULL)); 305 free(packet_get_string(NULL));
249 /* 306 /*
250 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 307 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
251 * KEX method has the server move first, but a server might be using 308 * KEX method has the server move first, but a server might be using
@@ -352,43 +409,16 @@ choose_comp(Comp *comp, char *client, char *server)
352static void 409static void
353choose_kex(Kex *k, char *client, char *server) 410choose_kex(Kex *k, char *client, char *server)
354{ 411{
412 const struct kexalg *kexalg;
413
355 k->name = match_list(client, server, NULL); 414 k->name = match_list(client, server, NULL);
356 if (k->name == NULL) 415 if (k->name == NULL)
357 fatal("Unable to negotiate a key exchange method"); 416 fatal("Unable to negotiate a key exchange method");
358 if (strcmp(k->name, KEX_DH1) == 0) { 417 if ((kexalg = kex_alg_by_name(k->name)) == NULL)
359 k->kex_type = KEX_DH_GRP1_SHA1; 418 fatal("unsupported kex alg %s", k->name);
360 k->evp_md = EVP_sha1(); 419 k->kex_type = kexalg->type;
361 } else if (strcmp(k->name, KEX_DH14) == 0) { 420 k->evp_md = kexalg->mdfunc();
362 k->kex_type = KEX_DH_GRP14_SHA1; 421 k->ec_nid = kexalg->ec_nid;
363 k->evp_md = EVP_sha1();
364 } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
365 k->kex_type = KEX_DH_GEX_SHA1;
366 k->evp_md = EVP_sha1();
367#if OPENSSL_VERSION_NUMBER >= 0x00907000L
368 } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
369 k->kex_type = KEX_DH_GEX_SHA256;
370 k->evp_md = evp_ssh_sha256();
371 } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
372 sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
373 k->kex_type = KEX_ECDH_SHA2;
374 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
375#endif
376#ifdef GSSAPI
377 } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
378 sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
379 k->kex_type = KEX_GSS_GEX_SHA1;
380 k->evp_md = EVP_sha1();
381 } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
382 sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
383 k->kex_type = KEX_GSS_GRP1_SHA1;
384 k->evp_md = EVP_sha1();
385 } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
386 sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
387 k->kex_type = KEX_GSS_GRP14_SHA1;
388 k->evp_md = EVP_sha1();
389#endif
390 } else
391 fatal("bad kex alg %s", k->name);
392} 422}
393 423
394static void 424static void
@@ -400,7 +430,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server)
400 k->hostkey_type = key_type_from_name(hostkeyalg); 430 k->hostkey_type = key_type_from_name(hostkeyalg);
401 if (k->hostkey_type == KEY_UNSPEC) 431 if (k->hostkey_type == KEY_UNSPEC)
402 fatal("bad hostkey alg '%s'", hostkeyalg); 432 fatal("bad hostkey alg '%s'", hostkeyalg);
403 xfree(hostkeyalg); 433 free(hostkeyalg);
404} 434}
405 435
406static int 436static int
@@ -454,7 +484,7 @@ kex_choose_conf(Kex *kex)
454 roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL); 484 roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL);
455 if (roaming) { 485 if (roaming) {
456 kex->roaming = 1; 486 kex->roaming = 1;
457 xfree(roaming); 487 free(roaming);
458 } 488 }
459 } 489 }
460 490
diff --git a/kex.h b/kex.h
index 8013ab8a4..d5046c627 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -40,8 +40,9 @@
40#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" 40#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
41#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256" 41#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
42#define KEX_RESUME "resume@appgate.com" 42#define KEX_RESUME "resume@appgate.com"
43/* The following represents the family of ECDH methods */ 43#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
44#define KEX_ECDH_SHA2_STEM "ecdh-sha2-" 44#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
45#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
45 46
46#define COMP_NONE 0 47#define COMP_NONE 0
47#define COMP_ZLIB 1 48#define COMP_ZLIB 1
@@ -89,7 +90,7 @@ typedef struct Newkeys Newkeys;
89 90
90struct Enc { 91struct Enc {
91 char *name; 92 char *name;
92 Cipher *cipher; 93 const Cipher *cipher;
93 int enabled; 94 int enabled;
94 u_int key_len; 95 u_int key_len;
95 u_int iv_len; 96 u_int iv_len;
@@ -134,6 +135,7 @@ struct Kex {
134 sig_atomic_t done; 135 sig_atomic_t done;
135 int flags; 136 int flags;
136 const EVP_MD *evp_md; 137 const EVP_MD *evp_md;
138 int ec_nid;
137#ifdef GSSAPI 139#ifdef GSSAPI
138 int gss_deleg_creds; 140 int gss_deleg_creds;
139 int gss_trust_dns; 141 int gss_trust_dns;
@@ -146,10 +148,12 @@ struct Kex {
146 Key *(*load_host_public_key)(int); 148 Key *(*load_host_public_key)(int);
147 Key *(*load_host_private_key)(int); 149 Key *(*load_host_private_key)(int);
148 int (*host_key_index)(Key *); 150 int (*host_key_index)(Key *);
151 void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
149 void (*kex[KEX_MAX])(Kex *); 152 void (*kex[KEX_MAX])(Kex *);
150}; 153};
151 154
152int kex_names_valid(const char *); 155int kex_names_valid(const char *);
156char *kex_alg_list(void);
153 157
154Kex *kex_setup(char *[PROPOSAL_MAX]); 158Kex *kex_setup(char *[PROPOSAL_MAX]);
155void kex_finish(Kex *); 159void kex_finish(Kex *);
@@ -184,11 +188,6 @@ void
184kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, 188kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int,
185 char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, 189 char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
186 const BIGNUM *, u_char **, u_int *); 190 const BIGNUM *, u_char **, u_int *);
187int kex_ecdh_name_to_nid(const char *);
188const EVP_MD *kex_ecdh_name_to_evpmd(const char *);
189#else
190# define kex_ecdh_name_to_nid(x) (-1)
191# define kex_ecdh_name_to_evpmd(x) (NULL)
192#endif 191#endif
193 192
194void 193void
diff --git a/kexdhc.c b/kexdhc.c
index 76ceb5dd8..ccd137cac 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexdhc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ 1/* $OpenBSD: kexdhc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -125,7 +125,7 @@ kexdh_client(Kex *kex)
125 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) 125 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
126 fatal("kexdh_client: BN_bin2bn failed"); 126 fatal("kexdh_client: BN_bin2bn failed");
127 memset(kbuf, 0, klen); 127 memset(kbuf, 0, klen);
128 xfree(kbuf); 128 free(kbuf);
129 129
130 /* calc and verify H */ 130 /* calc and verify H */
131 kex_dh_hash( 131 kex_dh_hash(
@@ -139,14 +139,14 @@ kexdh_client(Kex *kex)
139 shared_secret, 139 shared_secret,
140 &hash, &hashlen 140 &hash, &hashlen
141 ); 141 );
142 xfree(server_host_key_blob); 142 free(server_host_key_blob);
143 BN_clear_free(dh_server_pub); 143 BN_clear_free(dh_server_pub);
144 DH_free(dh); 144 DH_free(dh);
145 145
146 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) 146 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
147 fatal("key_verify failed for server_host_key"); 147 fatal("key_verify failed for server_host_key");
148 key_free(server_host_key); 148 key_free(server_host_key);
149 xfree(signature); 149 free(signature);
150 150
151 /* save session id */ 151 /* save session id */
152 if (kex->session_id == NULL) { 152 if (kex->session_id == NULL) {
diff --git a/kexdhs.c b/kexdhs.c
index f56e88764..269d80900 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexdhs.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ 1/* $OpenBSD: kexdhs.c,v 1.14 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -80,9 +80,6 @@ kexdh_server(Kex *kex)
80 if (server_host_public == NULL) 80 if (server_host_public == NULL)
81 fatal("Unsupported hostkey type %d", kex->hostkey_type); 81 fatal("Unsupported hostkey type %d", kex->hostkey_type);
82 server_host_private = kex->load_host_private_key(kex->hostkey_type); 82 server_host_private = kex->load_host_private_key(kex->hostkey_type);
83 if (server_host_private == NULL)
84 fatal("Missing private key for hostkey type %d",
85 kex->hostkey_type);
86 83
87 /* key, cert */ 84 /* key, cert */
88 if ((dh_client_pub = BN_new()) == NULL) 85 if ((dh_client_pub = BN_new()) == NULL)
@@ -118,7 +115,7 @@ kexdh_server(Kex *kex)
118 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) 115 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
119 fatal("kexdh_server: BN_bin2bn failed"); 116 fatal("kexdh_server: BN_bin2bn failed");
120 memset(kbuf, 0, klen); 117 memset(kbuf, 0, klen);
121 xfree(kbuf); 118 free(kbuf);
122 119
123 key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); 120 key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
124 121
@@ -144,9 +141,8 @@ kexdh_server(Kex *kex)
144 } 141 }
145 142
146 /* sign H */ 143 /* sign H */
147 if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, 144 kex->sign(server_host_private, server_host_public, &signature, &slen,
148 hashlen)) < 0) 145 hash, hashlen);
149 fatal("kexdh_server: key_sign failed");
150 146
151 /* destroy_sensitive_data(); */ 147 /* destroy_sensitive_data(); */
152 148
@@ -157,8 +153,8 @@ kexdh_server(Kex *kex)
157 packet_put_string(signature, slen); 153 packet_put_string(signature, slen);
158 packet_send(); 154 packet_send();
159 155
160 xfree(signature); 156 free(signature);
161 xfree(server_host_key_blob); 157 free(server_host_key_blob);
162 /* have keys, free DH */ 158 /* have keys, free DH */
163 DH_free(dh); 159 DH_free(dh);
164 160
diff --git a/kexecdh.c b/kexecdh.c
index f13f69d3b..c948fe20a 100644
--- a/kexecdh.c
+++ b/kexecdh.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */ 1/* $OpenBSD: kexecdh.c,v 1.4 2013/04/19 01:06:50 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -45,24 +45,6 @@
45#include "kex.h" 45#include "kex.h"
46#include "log.h" 46#include "log.h"
47 47
48int
49kex_ecdh_name_to_nid(const char *kexname)
50{
51 if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1)
52 fatal("%s: kexname too short \"%s\"", __func__, kexname);
53 return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1);
54}
55
56const EVP_MD *
57kex_ecdh_name_to_evpmd(const char *kexname)
58{
59 int nid = kex_ecdh_name_to_nid(kexname);
60
61 if (nid == -1)
62 fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname);
63 return key_ec_nid_to_evpmd(nid);
64}
65
66void 48void
67kex_ecdh_hash( 49kex_ecdh_hash(
68 const EVP_MD *evp_md, 50 const EVP_MD *evp_md,
diff --git a/kexecdhc.c b/kexecdhc.c
index 115d4bf83..6193836c7 100644
--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ 1/* $OpenBSD: kexecdhc.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -57,11 +57,8 @@ kexecdh_client(Kex *kex)
57 u_char *server_host_key_blob = NULL, *signature = NULL; 57 u_char *server_host_key_blob = NULL, *signature = NULL;
58 u_char *kbuf, *hash; 58 u_char *kbuf, *hash;
59 u_int klen, slen, sbloblen, hashlen; 59 u_int klen, slen, sbloblen, hashlen;
60 int curve_nid;
61 60
62 if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) 61 if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
63 fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
64 if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
65 fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 62 fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
66 if (EC_KEY_generate_key(client_key) != 1) 63 if (EC_KEY_generate_key(client_key) != 1)
67 fatal("%s: EC_KEY_generate_key failed", __func__); 64 fatal("%s: EC_KEY_generate_key failed", __func__);
@@ -123,7 +120,7 @@ kexecdh_client(Kex *kex)
123 if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) 120 if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
124 fatal("%s: BN_bin2bn failed", __func__); 121 fatal("%s: BN_bin2bn failed", __func__);
125 memset(kbuf, 0, klen); 122 memset(kbuf, 0, klen);
126 xfree(kbuf); 123 free(kbuf);
127 124
128 /* calc and verify H */ 125 /* calc and verify H */
129 kex_ecdh_hash( 126 kex_ecdh_hash(
@@ -139,14 +136,14 @@ kexecdh_client(Kex *kex)
139 shared_secret, 136 shared_secret,
140 &hash, &hashlen 137 &hash, &hashlen
141 ); 138 );
142 xfree(server_host_key_blob); 139 free(server_host_key_blob);
143 EC_POINT_clear_free(server_public); 140 EC_POINT_clear_free(server_public);
144 EC_KEY_free(client_key); 141 EC_KEY_free(client_key);
145 142
146 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) 143 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
147 fatal("key_verify failed for server_host_key"); 144 fatal("key_verify failed for server_host_key");
148 key_free(server_host_key); 145 key_free(server_host_key);
149 xfree(signature); 146 free(signature);
150 147
151 /* save session id */ 148 /* save session id */
152 if (kex->session_id == NULL) { 149 if (kex->session_id == NULL) {
diff --git a/kexecdhs.c b/kexecdhs.c
index 8c515dfa6..3a580aacf 100644
--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ 1/* $OpenBSD: kexecdhs.c,v 1.5 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -59,11 +59,8 @@ kexecdh_server(Kex *kex)
59 u_char *server_host_key_blob = NULL, *signature = NULL; 59 u_char *server_host_key_blob = NULL, *signature = NULL;
60 u_char *kbuf, *hash; 60 u_char *kbuf, *hash;
61 u_int klen, slen, sbloblen, hashlen; 61 u_int klen, slen, sbloblen, hashlen;
62 int curve_nid;
63 62
64 if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) 63 if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
65 fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
66 if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
67 fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 64 fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
68 if (EC_KEY_generate_key(server_key) != 1) 65 if (EC_KEY_generate_key(server_key) != 1)
69 fatal("%s: EC_KEY_generate_key failed", __func__); 66 fatal("%s: EC_KEY_generate_key failed", __func__);
@@ -81,9 +78,6 @@ kexecdh_server(Kex *kex)
81 if (server_host_public == NULL) 78 if (server_host_public == NULL)
82 fatal("Unsupported hostkey type %d", kex->hostkey_type); 79 fatal("Unsupported hostkey type %d", kex->hostkey_type);
83 server_host_private = kex->load_host_private_key(kex->hostkey_type); 80 server_host_private = kex->load_host_private_key(kex->hostkey_type);
84 if (server_host_private == NULL)
85 fatal("Missing private key for hostkey type %d",
86 kex->hostkey_type);
87 81
88 debug("expecting SSH2_MSG_KEX_ECDH_INIT"); 82 debug("expecting SSH2_MSG_KEX_ECDH_INIT");
89 packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); 83 packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
@@ -115,7 +109,7 @@ kexecdh_server(Kex *kex)
115 if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) 109 if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
116 fatal("%s: BN_bin2bn failed", __func__); 110 fatal("%s: BN_bin2bn failed", __func__);
117 memset(kbuf, 0, klen); 111 memset(kbuf, 0, klen);
118 xfree(kbuf); 112 free(kbuf);
119 113
120 /* calc H */ 114 /* calc H */
121 key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); 115 key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
@@ -142,9 +136,8 @@ kexecdh_server(Kex *kex)
142 } 136 }
143 137
144 /* sign H */ 138 /* sign H */
145 if (PRIVSEP(key_sign(server_host_private, &signature, &slen, 139 kex->sign(server_host_private, server_host_public, &signature, &slen,
146 hash, hashlen)) < 0) 140 hash, hashlen);
147 fatal("kexdh_server: key_sign failed");
148 141
149 /* destroy_sensitive_data(); */ 142 /* destroy_sensitive_data(); */
150 143
@@ -155,8 +148,8 @@ kexecdh_server(Kex *kex)
155 packet_put_string(signature, slen); 148 packet_put_string(signature, slen);
156 packet_send(); 149 packet_send();
157 150
158 xfree(signature); 151 free(signature);
159 xfree(server_host_key_blob); 152 free(server_host_key_blob);
160 /* have keys, free server key */ 153 /* have keys, free server key */
161 EC_KEY_free(server_key); 154 EC_KEY_free(server_key);
162 155
diff --git a/kexgexc.c b/kexgexc.c
index 79552d709..5a3be2005 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ 1/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Niels Provos. All rights reserved. 3 * Copyright (c) 2000 Niels Provos. All rights reserved.
4 * Copyright (c) 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -163,7 +163,7 @@ kexgex_client(Kex *kex)
163 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) 163 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
164 fatal("kexgex_client: BN_bin2bn failed"); 164 fatal("kexgex_client: BN_bin2bn failed");
165 memset(kbuf, 0, klen); 165 memset(kbuf, 0, klen);
166 xfree(kbuf); 166 free(kbuf);
167 167
168 if (datafellows & SSH_OLD_DHGEX) 168 if (datafellows & SSH_OLD_DHGEX)
169 min = max = -1; 169 min = max = -1;
@@ -186,13 +186,13 @@ kexgex_client(Kex *kex)
186 186
187 /* have keys, free DH */ 187 /* have keys, free DH */
188 DH_free(dh); 188 DH_free(dh);
189 xfree(server_host_key_blob); 189 free(server_host_key_blob);
190 BN_clear_free(dh_server_pub); 190 BN_clear_free(dh_server_pub);
191 191
192 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) 192 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
193 fatal("key_verify failed for server_host_key"); 193 fatal("key_verify failed for server_host_key");
194 key_free(server_host_key); 194 key_free(server_host_key);
195 xfree(signature); 195 free(signature);
196 196
197 /* save session id */ 197 /* save session id */
198 if (kex->session_id == NULL) { 198 if (kex->session_id == NULL) {
diff --git a/kexgexs.c b/kexgexs.c
index a5e3df7bc..4e473fc73 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexgexs.c,v 1.14 2010/11/10 01:33:07 djm Exp $ */ 1/* $OpenBSD: kexgexs.c,v 1.16 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Niels Provos. All rights reserved. 3 * Copyright (c) 2000 Niels Provos. All rights reserved.
4 * Copyright (c) 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -68,10 +68,6 @@ kexgex_server(Kex *kex)
68 if (server_host_public == NULL) 68 if (server_host_public == NULL)
69 fatal("Unsupported hostkey type %d", kex->hostkey_type); 69 fatal("Unsupported hostkey type %d", kex->hostkey_type);
70 server_host_private = kex->load_host_private_key(kex->hostkey_type); 70 server_host_private = kex->load_host_private_key(kex->hostkey_type);
71 if (server_host_private == NULL)
72 fatal("Missing private key for hostkey type %d",
73 kex->hostkey_type);
74
75 71
76 type = packet_read(); 72 type = packet_read();
77 switch (type) { 73 switch (type) {
@@ -155,7 +151,7 @@ kexgex_server(Kex *kex)
155 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) 151 if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
156 fatal("kexgex_server: BN_bin2bn failed"); 152 fatal("kexgex_server: BN_bin2bn failed");
157 memset(kbuf, 0, klen); 153 memset(kbuf, 0, klen);
158 xfree(kbuf); 154 free(kbuf);
159 155
160 key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); 156 key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
161 157
@@ -187,9 +183,8 @@ kexgex_server(Kex *kex)
187 } 183 }
188 184
189 /* sign H */ 185 /* sign H */
190 if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, 186 kex->sign(server_host_private, server_host_public, &signature, &slen,
191 hashlen)) < 0) 187 hash, hashlen);
192 fatal("kexgex_server: key_sign failed");
193 188
194 /* destroy_sensitive_data(); */ 189 /* destroy_sensitive_data(); */
195 190
@@ -201,8 +196,8 @@ kexgex_server(Kex *kex)
201 packet_put_string(signature, slen); 196 packet_put_string(signature, slen);
202 packet_send(); 197 packet_send();
203 198
204 xfree(signature); 199 free(signature);
205 xfree(server_host_key_blob); 200 free(server_host_key_blob);
206 /* have keys, free DH */ 201 /* have keys, free DH */
207 DH_free(dh); 202 DH_free(dh);
208 203
diff --git a/kexgssc.c b/kexgssc.c
index 39be40531..616893c7e 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -144,7 +144,7 @@ kexgss_client(Kex *kex) {
144 144
145 /* If we've got an old receive buffer get rid of it */ 145 /* If we've got an old receive buffer get rid of it */
146 if (token_ptr != GSS_C_NO_BUFFER) 146 if (token_ptr != GSS_C_NO_BUFFER)
147 xfree(recv_tok.value); 147 free(recv_tok.value);
148 148
149 if (maj_status == GSS_S_COMPLETE) { 149 if (maj_status == GSS_S_COMPLETE) {
150 /* If mutual state flag is not true, kex fails */ 150 /* If mutual state flag is not true, kex fails */
@@ -261,7 +261,7 @@ kexgss_client(Kex *kex) {
261 fatal("kexdh_client: BN_bin2bn failed"); 261 fatal("kexdh_client: BN_bin2bn failed");
262 262
263 memset(kbuf, 0, klen); 263 memset(kbuf, 0, klen);
264 xfree(kbuf); 264 free(kbuf);
265 265
266 switch (kex->kex_type) { 266 switch (kex->kex_type) {
267 case KEX_GSS_GRP1_SHA1: 267 case KEX_GSS_GRP1_SHA1:
@@ -304,11 +304,10 @@ kexgss_client(Kex *kex) {
304 if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) 304 if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
305 packet_disconnect("Hash's MIC didn't verify"); 305 packet_disconnect("Hash's MIC didn't verify");
306 306
307 xfree(msg_tok.value); 307 free(msg_tok.value);
308 308
309 DH_free(dh); 309 DH_free(dh);
310 if (serverhostkey) 310 free(serverhostkey);
311 xfree(serverhostkey);
312 BN_clear_free(dh_server_pub); 311 BN_clear_free(dh_server_pub);
313 312
314 /* save session id */ 313 /* save session id */
diff --git a/kexgsss.c b/kexgsss.c
index 0c3eeaa63..18b065b10 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -78,9 +78,10 @@ kexgss_server(Kex *kex)
78 * in the GSSAPI code are no longer available. This kludges them back 78 * in the GSSAPI code are no longer available. This kludges them back
79 * into life 79 * into life
80 */ 80 */
81 if (!ssh_gssapi_oid_table_ok()) 81 if (!ssh_gssapi_oid_table_ok()) {
82 if ((mechs = ssh_gssapi_server_mechanisms())) 82 mechs = ssh_gssapi_server_mechanisms();
83 xfree(mechs); 83 free(mechs);
84 }
84 85
85 debug2("%s: Identifying %s", __func__, kex->name); 86 debug2("%s: Identifying %s", __func__, kex->name);
86 oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); 87 oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@@ -158,7 +159,7 @@ kexgss_server(Kex *kex)
158 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 159 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
159 &send_tok, &ret_flags)); 160 &send_tok, &ret_flags));
160 161
161 xfree(recv_tok.value); 162 free(recv_tok.value);
162 163
163 if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) 164 if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
164 fatal("Zero length token output when incomplete"); 165 fatal("Zero length token output when incomplete");
@@ -207,7 +208,7 @@ kexgss_server(Kex *kex)
207 fatal("kexgss_server: BN_bin2bn failed"); 208 fatal("kexgss_server: BN_bin2bn failed");
208 209
209 memset(kbuf, 0, klen); 210 memset(kbuf, 0, klen);
210 xfree(kbuf); 211 free(kbuf);
211 212
212 switch (kex->kex_type) { 213 switch (kex->kex_type) {
213 case KEX_GSS_GRP1_SHA1: 214 case KEX_GSS_GRP1_SHA1:
diff --git a/key.c b/key.c
index fdfed5c56..2591635bc 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ 1/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * read_bignum(): 3 * read_bignum():
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -187,14 +187,13 @@ cert_free(struct KeyCert *cert)
187 buffer_free(&cert->certblob); 187 buffer_free(&cert->certblob);
188 buffer_free(&cert->critical); 188 buffer_free(&cert->critical);
189 buffer_free(&cert->extensions); 189 buffer_free(&cert->extensions);
190 if (cert->key_id != NULL) 190 free(cert->key_id);
191 xfree(cert->key_id);
192 for (i = 0; i < cert->nprincipals; i++) 191 for (i = 0; i < cert->nprincipals; i++)
193 xfree(cert->principals[i]); 192 free(cert->principals[i]);
194 if (cert->principals != NULL) 193 free(cert->principals);
195 xfree(cert->principals);
196 if (cert->signature_key != NULL) 194 if (cert->signature_key != NULL)
197 key_free(cert->signature_key); 195 key_free(cert->signature_key);
196 free(cert);
198} 197}
199 198
200void 199void
@@ -238,7 +237,7 @@ key_free(Key *k)
238 k->cert = NULL; 237 k->cert = NULL;
239 } 238 }
240 239
241 xfree(k); 240 free(k);
242} 241}
243 242
244static int 243static int
@@ -388,7 +387,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
388 EVP_DigestUpdate(&ctx, blob, len); 387 EVP_DigestUpdate(&ctx, blob, len);
389 EVP_DigestFinal(&ctx, retval, dgst_raw_length); 388 EVP_DigestFinal(&ctx, retval, dgst_raw_length);
390 memset(blob, 0, len); 389 memset(blob, 0, len);
391 xfree(blob); 390 free(blob);
392 } else { 391 } else {
393 fatal("key_fingerprint_raw: blob is null"); 392 fatal("key_fingerprint_raw: blob is null");
394 } 393 }
@@ -570,7 +569,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
570} 569}
571 570
572char * 571char *
573key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) 572key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
574{ 573{
575 char *retval = NULL; 574 char *retval = NULL;
576 u_char *dgst_raw; 575 u_char *dgst_raw;
@@ -595,7 +594,7 @@ key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
595 break; 594 break;
596 } 595 }
597 memset(dgst_raw, 0, dgst_raw_len); 596 memset(dgst_raw, 0, dgst_raw_len);
598 xfree(dgst_raw); 597 free(dgst_raw);
599 return retval; 598 return retval;
600} 599}
601 600
@@ -740,11 +739,11 @@ key_read(Key *ret, char **cpp)
740 n = uudecode(cp, blob, len); 739 n = uudecode(cp, blob, len);
741 if (n < 0) { 740 if (n < 0) {
742 error("key_read: uudecode %s failed", cp); 741 error("key_read: uudecode %s failed", cp);
743 xfree(blob); 742 free(blob);
744 return -1; 743 return -1;
745 } 744 }
746 k = key_from_blob(blob, (u_int)n); 745 k = key_from_blob(blob, (u_int)n);
747 xfree(blob); 746 free(blob);
748 if (k == NULL) { 747 if (k == NULL) {
749 error("key_read: key_from_blob %s failed", cp); 748 error("key_read: key_from_blob %s failed", cp);
750 return -1; 749 return -1;
@@ -885,43 +884,13 @@ key_write(const Key *key, FILE *f)
885 fprintf(f, "%s %s", key_ssh_name(key), uu); 884 fprintf(f, "%s %s", key_ssh_name(key), uu);
886 success = 1; 885 success = 1;
887 } 886 }
888 xfree(blob); 887 free(blob);
889 xfree(uu); 888 free(uu);
890 889
891 return success; 890 return success;
892} 891}
893 892
894const char * 893const char *
895key_type(const Key *k)
896{
897 switch (k->type) {
898 case KEY_RSA1:
899 return "RSA1";
900 case KEY_RSA:
901 return "RSA";
902 case KEY_DSA:
903 return "DSA";
904#ifdef OPENSSL_HAS_ECC
905 case KEY_ECDSA:
906 return "ECDSA";
907#endif
908 case KEY_RSA_CERT_V00:
909 return "RSA-CERT-V00";
910 case KEY_DSA_CERT_V00:
911 return "DSA-CERT-V00";
912 case KEY_RSA_CERT:
913 return "RSA-CERT";
914 case KEY_DSA_CERT:
915 return "DSA-CERT";
916#ifdef OPENSSL_HAS_ECC
917 case KEY_ECDSA_CERT:
918 return "ECDSA-CERT";
919#endif
920 }
921 return "unknown";
922}
923
924const char *
925key_cert_type(const Key *k) 894key_cert_type(const Key *k)
926{ 895{
927 switch (k->cert->type) { 896 switch (k->cert->type) {
@@ -934,50 +903,60 @@ key_cert_type(const Key *k)
934 } 903 }
935} 904}
936 905
906struct keytype {
907 char *name;
908 char *shortname;
909 int type;
910 int nid;
911 int cert;
912};
913static const struct keytype keytypes[] = {
914 { NULL, "RSA1", KEY_RSA1, 0, 0 },
915 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
916 { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
917#ifdef OPENSSL_HAS_ECC
918 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
919 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
920 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
921#endif /* OPENSSL_HAS_ECC */
922 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
923 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
924#ifdef OPENSSL_HAS_ECC
925 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
926 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
927 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
928 KEY_ECDSA_CERT, NID_secp384r1, 1 },
929 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
930 KEY_ECDSA_CERT, NID_secp521r1, 1 },
931#endif /* OPENSSL_HAS_ECC */
932 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
933 KEY_RSA_CERT_V00, 0, 1 },
934 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
935 KEY_DSA_CERT_V00, 0, 1 },
936 { "null", "null", KEY_NULL, 0, 0 },
937 { NULL, NULL, -1, -1, 0 }
938};
939
940const char *
941key_type(const Key *k)
942{
943 const struct keytype *kt;
944
945 for (kt = keytypes; kt->type != -1; kt++) {
946 if (kt->type == k->type)
947 return kt->shortname;
948 }
949 return "unknown";
950}
951
937static const char * 952static const char *
938key_ssh_name_from_type_nid(int type, int nid) 953key_ssh_name_from_type_nid(int type, int nid)
939{ 954{
940 switch (type) { 955 const struct keytype *kt;
941 case KEY_RSA: 956
942 return "ssh-rsa"; 957 for (kt = keytypes; kt->type != -1; kt++) {
943 case KEY_DSA: 958 if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
944 return "ssh-dss"; 959 return kt->name;
945 case KEY_RSA_CERT_V00:
946 return "ssh-rsa-cert-v00@openssh.com";
947 case KEY_DSA_CERT_V00:
948 return "ssh-dss-cert-v00@openssh.com";
949 case KEY_RSA_CERT:
950 return "ssh-rsa-cert-v01@openssh.com";
951 case KEY_DSA_CERT:
952 return "ssh-dss-cert-v01@openssh.com";
953#ifdef OPENSSL_HAS_ECC
954 case KEY_ECDSA:
955 switch (nid) {
956 case NID_X9_62_prime256v1:
957 return "ecdsa-sha2-nistp256";
958 case NID_secp384r1:
959 return "ecdsa-sha2-nistp384";
960 case NID_secp521r1:
961 return "ecdsa-sha2-nistp521";
962 default:
963 break;
964 }
965 break;
966 case KEY_ECDSA_CERT:
967 switch (nid) {
968 case NID_X9_62_prime256v1:
969 return "ecdsa-sha2-nistp256-cert-v01@openssh.com";
970 case NID_secp384r1:
971 return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
972 case NID_secp521r1:
973 return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
974 default:
975 break;
976 }
977 break;
978#endif /* OPENSSL_HAS_ECC */
979 case KEY_NULL:
980 return "null";
981 } 960 }
982 return "ssh-unknown"; 961 return "ssh-unknown";
983} 962}
@@ -995,6 +974,56 @@ key_ssh_name_plain(const Key *k)
995 k->ecdsa_nid); 974 k->ecdsa_nid);
996} 975}
997 976
977int
978key_type_from_name(char *name)
979{
980 const struct keytype *kt;
981
982 for (kt = keytypes; kt->type != -1; kt++) {
983 /* Only allow shortname matches for plain key types */
984 if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
985 (!kt->cert && strcasecmp(kt->shortname, name) == 0))
986 return kt->type;
987 }
988 debug2("key_type_from_name: unknown key type '%s'", name);
989 return KEY_UNSPEC;
990}
991
992int
993key_ecdsa_nid_from_name(const char *name)
994{
995 const struct keytype *kt;
996
997 for (kt = keytypes; kt->type != -1; kt++) {
998 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
999 continue;
1000 if (kt->name != NULL && strcmp(name, kt->name) == 0)
1001 return kt->nid;
1002 }
1003 debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1004 return -1;
1005}
1006
1007char *
1008key_alg_list(void)
1009{
1010 char *ret = NULL;
1011 size_t nlen, rlen = 0;
1012 const struct keytype *kt;
1013
1014 for (kt = keytypes; kt->type != -1; kt++) {
1015 if (kt->name == NULL)
1016 continue;
1017 if (ret != NULL)
1018 ret[rlen++] = '\n';
1019 nlen = strlen(kt->name);
1020 ret = xrealloc(ret, 1, rlen + nlen + 2);
1021 memcpy(ret + rlen, kt->name, nlen + 1);
1022 rlen += nlen;
1023 }
1024 return ret;
1025}
1026
998u_int 1027u_int
999key_size(const Key *k) 1028key_size(const Key *k)
1000{ 1029{
@@ -1250,67 +1279,6 @@ key_from_private(const Key *k)
1250} 1279}
1251 1280
1252int 1281int
1253key_type_from_name(char *name)
1254{
1255 if (strcmp(name, "rsa1") == 0) {
1256 return KEY_RSA1;
1257 } else if (strcmp(name, "rsa") == 0) {
1258 return KEY_RSA;
1259 } else if (strcmp(name, "dsa") == 0) {
1260 return KEY_DSA;
1261 } else if (strcmp(name, "ssh-rsa") == 0) {
1262 return KEY_RSA;
1263 } else if (strcmp(name, "ssh-dss") == 0) {
1264 return KEY_DSA;
1265#ifdef OPENSSL_HAS_ECC
1266 } else if (strcmp(name, "ecdsa") == 0 ||
1267 strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
1268 strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
1269 strcmp(name, "ecdsa-sha2-nistp521") == 0) {
1270 return KEY_ECDSA;
1271#endif
1272 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
1273 return KEY_RSA_CERT_V00;
1274 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
1275 return KEY_DSA_CERT_V00;
1276 } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
1277 return KEY_RSA_CERT;
1278 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
1279 return KEY_DSA_CERT;
1280#ifdef OPENSSL_HAS_ECC
1281 } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
1282 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
1283 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1284 return KEY_ECDSA_CERT;
1285#endif
1286 } else if (strcmp(name, "null") == 0) {
1287 return KEY_NULL;
1288 }
1289
1290 debug2("key_type_from_name: unknown key type '%s'", name);
1291 return KEY_UNSPEC;
1292}
1293
1294int
1295key_ecdsa_nid_from_name(const char *name)
1296{
1297#ifdef OPENSSL_HAS_ECC
1298 if (strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
1299 strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0)
1300 return NID_X9_62_prime256v1;
1301 if (strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
1302 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0)
1303 return NID_secp384r1;
1304 if (strcmp(name, "ecdsa-sha2-nistp521") == 0 ||
1305 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
1306 return NID_secp521r1;
1307#endif /* OPENSSL_HAS_ECC */
1308
1309 debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1310 return -1;
1311}
1312
1313int
1314key_names_valid2(const char *names) 1282key_names_valid2(const char *names)
1315{ 1283{
1316 char *s, *cp, *p; 1284 char *s, *cp, *p;
@@ -1323,12 +1291,12 @@ key_names_valid2(const char *names)
1323 switch (key_type_from_name(p)) { 1291 switch (key_type_from_name(p)) {
1324 case KEY_RSA1: 1292 case KEY_RSA1:
1325 case KEY_UNSPEC: 1293 case KEY_UNSPEC:
1326 xfree(s); 1294 free(s);
1327 return 0; 1295 return 0;
1328 } 1296 }
1329 } 1297 }
1330 debug3("key names ok: [%s]", names); 1298 debug3("key names ok: [%s]", names);
1331 xfree(s); 1299 free(s);
1332 return 1; 1300 return 1;
1333} 1301}
1334 1302
@@ -1450,16 +1418,11 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1450 1418
1451 out: 1419 out:
1452 buffer_free(&tmp); 1420 buffer_free(&tmp);
1453 if (principals != NULL) 1421 free(principals);
1454 xfree(principals); 1422 free(critical);
1455 if (critical != NULL) 1423 free(exts);
1456 xfree(critical); 1424 free(sig_key);
1457 if (exts != NULL) 1425 free(sig);
1458 xfree(exts);
1459 if (sig_key != NULL)
1460 xfree(sig_key);
1461 if (sig != NULL)
1462 xfree(sig);
1463 return ret; 1426 return ret;
1464} 1427}
1465 1428
@@ -1579,10 +1542,8 @@ key_from_blob(const u_char *blob, u_int blen)
1579 if (key != NULL && rlen != 0) 1542 if (key != NULL && rlen != 0)
1580 error("key_from_blob: remaining bytes in key blob %d", rlen); 1543 error("key_from_blob: remaining bytes in key blob %d", rlen);
1581 out: 1544 out:
1582 if (ktype != NULL) 1545 free(ktype);
1583 xfree(ktype); 1546 free(curve);
1584 if (curve != NULL)
1585 xfree(curve);
1586#ifdef OPENSSL_HAS_ECC 1547#ifdef OPENSSL_HAS_ECC
1587 if (q != NULL) 1548 if (q != NULL)
1588 EC_POINT_free(q); 1549 EC_POINT_free(q);
@@ -1932,7 +1893,7 @@ key_certify(Key *k, Key *ca)
1932 default: 1893 default:
1933 error("%s: key has incorrect type %s", __func__, key_type(k)); 1894 error("%s: key has incorrect type %s", __func__, key_type(k));
1934 buffer_clear(&k->cert->certblob); 1895 buffer_clear(&k->cert->certblob);
1935 xfree(ca_blob); 1896 free(ca_blob);
1936 return -1; 1897 return -1;
1937 } 1898 }
1938 1899
@@ -1968,7 +1929,7 @@ key_certify(Key *k, Key *ca)
1968 1929
1969 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 1930 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1970 buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 1931 buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1971 xfree(ca_blob); 1932 free(ca_blob);
1972 1933
1973 /* Sign the whole mess */ 1934 /* Sign the whole mess */
1974 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 1935 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
@@ -1979,7 +1940,7 @@ key_certify(Key *k, Key *ca)
1979 } 1940 }
1980 /* Append signature and we are done */ 1941 /* Append signature and we are done */
1981 buffer_put_string(&k->cert->certblob, sig_blob, sig_len); 1942 buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
1982 xfree(sig_blob); 1943 free(sig_blob);
1983 1944
1984 return 0; 1945 return 0;
1985} 1946}
diff --git a/key.h b/key.h
index 4beaf202e..b57d6a4c4 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */ 1/* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -96,7 +96,7 @@ void key_free(Key *);
96Key *key_demote(const Key *); 96Key *key_demote(const Key *);
97int key_equal_public(const Key *, const Key *); 97int key_equal_public(const Key *, const Key *);
98int key_equal(const Key *, const Key *); 98int key_equal(const Key *, const Key *);
99char *key_fingerprint(Key *, enum fp_type, enum fp_rep); 99char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
100u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); 100u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
101const char *key_type(const Key *); 101const char *key_type(const Key *);
102const char *key_cert_type(const Key *); 102const char *key_cert_type(const Key *);
@@ -119,15 +119,16 @@ int key_cert_is_legacy(const Key *);
119 119
120int key_ecdsa_nid_from_name(const char *); 120int key_ecdsa_nid_from_name(const char *);
121int key_curve_name_to_nid(const char *); 121int key_curve_name_to_nid(const char *);
122const char * key_curve_nid_to_name(int); 122const char *key_curve_nid_to_name(int);
123u_int key_curve_nid_to_bits(int); 123u_int key_curve_nid_to_bits(int);
124int key_ecdsa_bits_to_nid(int); 124int key_ecdsa_bits_to_nid(int);
125#ifdef OPENSSL_HAS_ECC 125#ifdef OPENSSL_HAS_ECC
126int key_ecdsa_key_to_nid(EC_KEY *); 126int key_ecdsa_key_to_nid(EC_KEY *);
127const EVP_MD * key_ec_nid_to_evpmd(int nid); 127const EVP_MD *key_ec_nid_to_evpmd(int nid);
128int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); 128int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
129int key_ec_validate_private(const EC_KEY *); 129int key_ec_validate_private(const EC_KEY *);
130#endif 130#endif
131char *key_alg_list(void);
131 132
132Key *key_from_blob(const u_char *, u_int); 133Key *key_from_blob(const u_char *, u_int);
133int key_to_blob(const Key *, u_char **, u_int *); 134int key_to_blob(const Key *, u_char **, u_int *);
diff --git a/krl.c b/krl.c
index 0d9bb5411..b2d0354f2 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16 16
17/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */ 17/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */
18 18
19#include "includes.h" 19#include "includes.h"
20 20
@@ -502,8 +502,11 @@ choose_next_state(int current_state, u_int64_t contig, int final,
502 } 502 }
503 debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" 503 debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
504 "list %llu range %llu bitmap %llu new bitmap %llu, " 504 "list %llu range %llu bitmap %llu new bitmap %llu, "
505 "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final, 505 "selected 0x%02x%s", __func__, (long long unsigned)contig,
506 cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state, 506 (long long unsigned)last_gap, (long long unsigned)next_gap, final,
507 (long long unsigned)cost_list, (long long unsigned)cost_range,
508 (long long unsigned)cost_bitmap,
509 (long long unsigned)cost_bitmap_restart, new_state,
507 *force_new_section ? " restart" : ""); 510 *force_new_section ? " restart" : "");
508 return new_state; 511 return new_state;
509} 512}
@@ -539,7 +542,8 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
539 rs != NULL; 542 rs != NULL;
540 rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { 543 rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
541 debug3("%s: serial %llu:%llu state 0x%02x", __func__, 544 debug3("%s: serial %llu:%llu state 0x%02x", __func__,
542 rs->lo, rs->hi, state); 545 (long long unsigned)rs->lo, (long long unsigned)rs->hi,
546 state);
543 547
544 /* Check contiguous length and gap to next section (if any) */ 548 /* Check contiguous length and gap to next section (if any) */
545 nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); 549 nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
@@ -883,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
883 char timestamp[64]; 887 char timestamp[64];
884 int ret = -1, r, sig_seen; 888 int ret = -1, r, sig_seen;
885 Key *key = NULL, **ca_used = NULL; 889 Key *key = NULL, **ca_used = NULL;
886 u_char type, *blob; 890 u_char type, *blob, *rdata = NULL;
887 u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; 891 u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used;
888 892
893 nca_used = 0;
889 *krlp = NULL; 894 *krlp = NULL;
890 if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || 895 if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 ||
891 memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { 896 memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) {
@@ -928,8 +933,9 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
928 } 933 }
929 934
930 format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); 935 format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
931 debug("KRL version %llu generated at %s%s%s", krl->krl_version, 936 debug("KRL version %llu generated at %s%s%s",
932 timestamp, *krl->comment ? ": " : "", krl->comment); 937 (long long unsigned)krl->krl_version, timestamp,
938 *krl->comment ? ": " : "", krl->comment);
933 939
934 /* 940 /*
935 * 1st pass: verify signatures, if any. This is done to avoid 941 * 1st pass: verify signatures, if any. This is done to avoid
@@ -967,7 +973,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
967 } 973 }
968 /* Check signature over entire KRL up to this point */ 974 /* Check signature over entire KRL up to this point */
969 if (key_verify(key, blob, blen, 975 if (key_verify(key, blob, blen,
970 buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { 976 buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) {
971 error("bad signaure on KRL"); 977 error("bad signaure on KRL");
972 goto out; 978 goto out;
973 } 979 }
@@ -1010,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
1010 case KRL_SECTION_EXPLICIT_KEY: 1016 case KRL_SECTION_EXPLICIT_KEY:
1011 case KRL_SECTION_FINGERPRINT_SHA1: 1017 case KRL_SECTION_FINGERPRINT_SHA1:
1012 while (buffer_len(&sect) > 0) { 1018 while (buffer_len(&sect) > 0) {
1013 if ((blob = buffer_get_string_ret(&sect, 1019 if ((rdata = buffer_get_string_ret(&sect,
1014 &blen)) == NULL) { 1020 &rlen)) == NULL) {
1015 error("%s: buffer error", __func__); 1021 error("%s: buffer error", __func__);
1016 goto out; 1022 goto out;
1017 } 1023 }
1018 if (type == KRL_SECTION_FINGERPRINT_SHA1 && 1024 if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
1019 blen != 20) { 1025 rlen != 20) {
1020 error("%s: bad SHA1 length", __func__); 1026 error("%s: bad SHA1 length", __func__);
1021 goto out; 1027 goto out;
1022 } 1028 }
1023 if (revoke_blob( 1029 if (revoke_blob(
1024 type == KRL_SECTION_EXPLICIT_KEY ? 1030 type == KRL_SECTION_EXPLICIT_KEY ?
1025 &krl->revoked_keys : &krl->revoked_sha1s, 1031 &krl->revoked_keys : &krl->revoked_sha1s,
1026 blob, blen) != 0) 1032 rdata, rlen) != 0)
1027 goto out; /* revoke_blob frees blob */ 1033 goto out;
1034 rdata = NULL; /* revoke_blob frees blob */
1028 } 1035 }
1029 break; 1036 break;
1030 case KRL_SECTION_SIGNATURE: 1037 case KRL_SECTION_SIGNATURE:
@@ -1090,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
1090 key_free(ca_used[i]); 1097 key_free(ca_used[i]);
1091 } 1098 }
1092 free(ca_used); 1099 free(ca_used);
1100 free(rdata);
1093 if (key != NULL) 1101 if (key != NULL)
1094 key_free(key); 1102 key_free(key);
1095 buffer_free(&copy); 1103 buffer_free(&copy);
diff --git a/log.c b/log.c
index dabee1407..53e7b6561 100644
--- a/log.c
+++ b/log.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */ 1/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -38,6 +38,7 @@
38 38
39#include <sys/types.h> 39#include <sys/types.h>
40 40
41#include <fcntl.h>
41#include <stdarg.h> 42#include <stdarg.h>
42#include <stdio.h> 43#include <stdio.h>
43#include <stdlib.h> 44#include <stdlib.h>
@@ -54,6 +55,7 @@
54 55
55static LogLevel log_level = SYSLOG_LEVEL_INFO; 56static LogLevel log_level = SYSLOG_LEVEL_INFO;
56static int log_on_stderr = 1; 57static int log_on_stderr = 1;
58static int log_stderr_fd = STDERR_FILENO;
57static int log_facility = LOG_AUTH; 59static int log_facility = LOG_AUTH;
58static char *argv0; 60static char *argv0;
59static log_handler_fn *log_handler; 61static log_handler_fn *log_handler;
@@ -345,6 +347,20 @@ log_is_on_stderr(void)
345 return log_on_stderr; 347 return log_on_stderr;
346} 348}
347 349
350/* redirect what would usually get written to stderr to specified file */
351void
352log_redirect_stderr_to(const char *logfile)
353{
354 int fd;
355
356 if ((fd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0600)) == -1) {
357 fprintf(stderr, "Couldn't open logfile %s: %s\n", logfile,
358 strerror(errno));
359 exit(1);
360 }
361 log_stderr_fd = fd;
362}
363
348#define MSGBUFSIZ 1024 364#define MSGBUFSIZ 1024
349 365
350void 366void
@@ -430,7 +446,7 @@ do_log(LogLevel level, const char *fmt, va_list args)
430 log_handler = tmp_handler; 446 log_handler = tmp_handler;
431 } else if (log_on_stderr) { 447 } else if (log_on_stderr) {
432 snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); 448 snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
433 write(STDERR_FILENO, msgbuf, strlen(msgbuf)); 449 (void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
434 } else { 450 } else {
435#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) 451#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
436 openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); 452 openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
diff --git a/log.h b/log.h
index e3e328b06..ae7df25d3 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */ 1/* $OpenBSD: log.h,v 1.20 2013/04/07 02:10:33 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -51,6 +51,7 @@ typedef void (log_handler_fn)(LogLevel, const char *, void *);
51void log_init(char *, LogLevel, SyslogFacility, int); 51void log_init(char *, LogLevel, SyslogFacility, int);
52void log_change_level(LogLevel); 52void log_change_level(LogLevel);
53int log_is_on_stderr(void); 53int log_is_on_stderr(void);
54void log_redirect_stderr_to(const char *);
54 55
55SyslogFacility log_facility_number(char *); 56SyslogFacility log_facility_number(char *);
56const char * log_facility_name(SyslogFacility); 57const char * log_facility_name(SyslogFacility);
diff --git a/loginrec.c b/loginrec.c
index f9662fa5c..59e8a44ee 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -347,7 +347,7 @@ logininfo *login_alloc_entry(pid_t pid, const char *username,
347void 347void
348login_free_entry(struct logininfo *li) 348login_free_entry(struct logininfo *li)
349{ 349{
350 xfree(li); 350 free(li);
351} 351}
352 352
353 353
diff --git a/mac.c b/mac.c
index 3f2dc6f2a..c4dfb501d 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ 1/* $OpenBSD: mac.c,v 1.24 2013/06/03 00:03:18 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -50,7 +50,7 @@
50#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ 50#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
51#define SSH_UMAC128 3 51#define SSH_UMAC128 3
52 52
53struct { 53struct macalg {
54 char *name; 54 char *name;
55 int type; 55 int type;
56 const EVP_MD * (*mdfunc)(void); 56 const EVP_MD * (*mdfunc)(void);
@@ -58,7 +58,9 @@ struct {
58 int key_len; /* just for UMAC */ 58 int key_len; /* just for UMAC */
59 int len; /* just for UMAC */ 59 int len; /* just for UMAC */
60 int etm; /* Encrypt-then-MAC */ 60 int etm; /* Encrypt-then-MAC */
61} macs[] = { 61};
62
63static const struct macalg macs[] = {
62 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ 64 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
63 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, 65 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
64 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, 66 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@@ -89,38 +91,58 @@ struct {
89 { NULL, 0, NULL, 0, 0, 0, 0 } 91 { NULL, 0, NULL, 0, 0, 0, 0 }
90}; 92};
91 93
94/* Returns a comma-separated list of supported MACs. */
95char *
96mac_alg_list(void)
97{
98 char *ret = NULL;
99 size_t nlen, rlen = 0;
100 const struct macalg *m;
101
102 for (m = macs; m->name != NULL; m++) {
103 if (ret != NULL)
104 ret[rlen++] = '\n';
105 nlen = strlen(m->name);
106 ret = xrealloc(ret, 1, rlen + nlen + 2);
107 memcpy(ret + rlen, m->name, nlen + 1);
108 rlen += nlen;
109 }
110 return ret;
111}
112
92static void 113static void
93mac_setup_by_id(Mac *mac, int which) 114mac_setup_by_alg(Mac *mac, const struct macalg *macalg)
94{ 115{
95 int evp_len; 116 int evp_len;
96 mac->type = macs[which].type; 117
118 mac->type = macalg->type;
97 if (mac->type == SSH_EVP) { 119 if (mac->type == SSH_EVP) {
98 mac->evp_md = (*macs[which].mdfunc)(); 120 mac->evp_md = macalg->mdfunc();
99 if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0) 121 if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
100 fatal("mac %s len %d", mac->name, evp_len); 122 fatal("mac %s len %d", mac->name, evp_len);
101 mac->key_len = mac->mac_len = (u_int)evp_len; 123 mac->key_len = mac->mac_len = (u_int)evp_len;
102 } else { 124 } else {
103 mac->mac_len = macs[which].len / 8; 125 mac->mac_len = macalg->len / 8;
104 mac->key_len = macs[which].key_len / 8; 126 mac->key_len = macalg->key_len / 8;
105 mac->umac_ctx = NULL; 127 mac->umac_ctx = NULL;
106 } 128 }
107 if (macs[which].truncatebits != 0) 129 if (macalg->truncatebits != 0)
108 mac->mac_len = macs[which].truncatebits / 8; 130 mac->mac_len = macalg->truncatebits / 8;
109 mac->etm = macs[which].etm; 131 mac->etm = macalg->etm;
110} 132}
111 133
112int 134int
113mac_setup(Mac *mac, char *name) 135mac_setup(Mac *mac, char *name)
114{ 136{
115 int i; 137 const struct macalg *m;
116 138
117 for (i = 0; macs[i].name; i++) { 139 for (m = macs; m->name != NULL; m++) {
118 if (strcmp(name, macs[i].name) == 0) { 140 if (strcmp(name, m->name) != 0)
119 if (mac != NULL) 141 continue;
120 mac_setup_by_id(mac, i); 142 if (mac != NULL)
121 debug2("mac_setup: found %s", name); 143 mac_setup_by_alg(mac, m);
122 return (0); 144 debug2("mac_setup: found %s", name);
123 } 145 return (0);
124 } 146 }
125 debug2("mac_setup: unknown %s", name); 147 debug2("mac_setup: unknown %s", name);
126 return (-1); 148 return (-1);
@@ -152,12 +174,15 @@ mac_init(Mac *mac)
152u_char * 174u_char *
153mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) 175mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
154{ 176{
155 static u_char m[EVP_MAX_MD_SIZE]; 177 static union {
178 u_char m[EVP_MAX_MD_SIZE];
179 u_int64_t for_align;
180 } u;
156 u_char b[4], nonce[8]; 181 u_char b[4], nonce[8];
157 182
158 if (mac->mac_len > sizeof(m)) 183 if (mac->mac_len > sizeof(u))
159 fatal("mac_compute: mac too long %u %lu", 184 fatal("mac_compute: mac too long %u %lu",
160 mac->mac_len, (u_long)sizeof(m)); 185 mac->mac_len, (u_long)sizeof(u));
161 186
162 switch (mac->type) { 187 switch (mac->type) {
163 case SSH_EVP: 188 case SSH_EVP:
@@ -166,22 +191,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
166 HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); 191 HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
167 HMAC_Update(&mac->evp_ctx, b, sizeof(b)); 192 HMAC_Update(&mac->evp_ctx, b, sizeof(b));
168 HMAC_Update(&mac->evp_ctx, data, datalen); 193 HMAC_Update(&mac->evp_ctx, data, datalen);
169 HMAC_Final(&mac->evp_ctx, m, NULL); 194 HMAC_Final(&mac->evp_ctx, u.m, NULL);
170 break; 195 break;
171 case SSH_UMAC: 196 case SSH_UMAC:
172 put_u64(nonce, seqno); 197 put_u64(nonce, seqno);
173 umac_update(mac->umac_ctx, data, datalen); 198 umac_update(mac->umac_ctx, data, datalen);
174 umac_final(mac->umac_ctx, m, nonce); 199 umac_final(mac->umac_ctx, u.m, nonce);
175 break; 200 break;
176 case SSH_UMAC128: 201 case SSH_UMAC128:
177 put_u64(nonce, seqno); 202 put_u64(nonce, seqno);
178 umac128_update(mac->umac_ctx, data, datalen); 203 umac128_update(mac->umac_ctx, data, datalen);
179 umac128_final(mac->umac_ctx, m, nonce); 204 umac128_final(mac->umac_ctx, u.m, nonce);
180 break; 205 break;
181 default: 206 default:
182 fatal("mac_compute: unknown MAC type"); 207 fatal("mac_compute: unknown MAC type");
183 } 208 }
184 return (m); 209 return (u.m);
185} 210}
186 211
187void 212void
@@ -213,13 +238,13 @@ mac_valid(const char *names)
213 (p = strsep(&cp, MAC_SEP))) { 238 (p = strsep(&cp, MAC_SEP))) {
214 if (mac_setup(NULL, p) < 0) { 239 if (mac_setup(NULL, p) < 0) {
215 debug("bad mac %s [%s]", p, names); 240 debug("bad mac %s [%s]", p, names);
216 xfree(maclist); 241 free(maclist);
217 return (0); 242 return (0);
218 } else { 243 } else {
219 debug3("mac ok: %s [%s]", p, names); 244 debug3("mac ok: %s [%s]", p, names);
220 } 245 }
221 } 246 }
222 debug3("macs ok: [%s]", names); 247 debug3("macs ok: [%s]", names);
223 xfree(maclist); 248 free(maclist);
224 return (1); 249 return (1);
225} 250}
diff --git a/mac.h b/mac.h
index 39f564dd3..260798ab3 100644
--- a/mac.h
+++ b/mac.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */ 1/* $OpenBSD: mac.h,v 1.7 2013/04/19 01:06:50 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -24,6 +24,7 @@
24 */ 24 */
25 25
26int mac_valid(const char *); 26int mac_valid(const char *);
27char *mac_alg_list(void);
27int mac_setup(Mac *, char *); 28int mac_setup(Mac *, char *);
28int mac_init(Mac *); 29int mac_init(Mac *);
29u_char *mac_compute(Mac *, u_int32_t, u_char *, int); 30u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
diff --git a/match.c b/match.c
index 238947778..7be7d2c5c 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ 1/* $OpenBSD: match.c,v 1.28 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -40,6 +40,7 @@
40#include <sys/types.h> 40#include <sys/types.h>
41 41
42#include <ctype.h> 42#include <ctype.h>
43#include <stdlib.h>
43#include <string.h> 44#include <string.h>
44 45
45#include "xmalloc.h" 46#include "xmalloc.h"
@@ -226,14 +227,14 @@ match_user(const char *user, const char *host, const char *ipaddr,
226 227
227 if ((ret = match_pattern(user, pat)) == 1) 228 if ((ret = match_pattern(user, pat)) == 1)
228 ret = match_host_and_ip(host, ipaddr, p); 229 ret = match_host_and_ip(host, ipaddr, p);
229 xfree(pat); 230 free(pat);
230 231
231 return ret; 232 return ret;
232} 233}
233 234
234/* 235/*
235 * Returns first item from client-list that is also supported by server-list, 236 * Returns first item from client-list that is also supported by server-list,
236 * caller must xfree() returned string. 237 * caller must free the returned string.
237 */ 238 */
238#define MAX_PROP 40 239#define MAX_PROP 40
239#define SEP "," 240#define SEP ","
@@ -264,15 +265,15 @@ match_list(const char *client, const char *server, u_int *next)
264 if (next != NULL) 265 if (next != NULL)
265 *next = (cp == NULL) ? 266 *next = (cp == NULL) ?
266 strlen(c) : (u_int)(cp - c); 267 strlen(c) : (u_int)(cp - c);
267 xfree(c); 268 free(c);
268 xfree(s); 269 free(s);
269 return ret; 270 return ret;
270 } 271 }
271 } 272 }
272 } 273 }
273 if (next != NULL) 274 if (next != NULL)
274 *next = strlen(c); 275 *next = strlen(c);
275 xfree(c); 276 free(c);
276 xfree(s); 277 free(s);
277 return NULL; 278 return NULL;
278} 279}
diff --git a/misc.c b/misc.c
index 2adb8c6a8..eb57bfc1b 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */ 1/* $OpenBSD: misc.c,v 1.91 2013/07/12 00:43:50 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 4 * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -129,7 +129,7 @@ unset_nonblock(int fd)
129const char * 129const char *
130ssh_gai_strerror(int gaierr) 130ssh_gai_strerror(int gaierr)
131{ 131{
132 if (gaierr == EAI_SYSTEM) 132 if (gaierr == EAI_SYSTEM && errno != 0)
133 return strerror(errno); 133 return strerror(errno);
134 return gai_strerror(gaierr); 134 return gai_strerror(gaierr);
135} 135}
@@ -208,16 +208,18 @@ pwcopy(struct passwd *pw)
208 208
209 copy->pw_name = xstrdup(pw->pw_name); 209 copy->pw_name = xstrdup(pw->pw_name);
210 copy->pw_passwd = xstrdup(pw->pw_passwd); 210 copy->pw_passwd = xstrdup(pw->pw_passwd);
211#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
211 copy->pw_gecos = xstrdup(pw->pw_gecos); 212 copy->pw_gecos = xstrdup(pw->pw_gecos);
213#endif
212 copy->pw_uid = pw->pw_uid; 214 copy->pw_uid = pw->pw_uid;
213 copy->pw_gid = pw->pw_gid; 215 copy->pw_gid = pw->pw_gid;
214#ifdef HAVE_PW_EXPIRE_IN_PASSWD 216#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
215 copy->pw_expire = pw->pw_expire; 217 copy->pw_expire = pw->pw_expire;
216#endif 218#endif
217#ifdef HAVE_PW_CHANGE_IN_PASSWD 219#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE
218 copy->pw_change = pw->pw_change; 220 copy->pw_change = pw->pw_change;
219#endif 221#endif
220#ifdef HAVE_PW_CLASS_IN_PASSWD 222#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
221 copy->pw_class = xstrdup(pw->pw_class); 223 copy->pw_class = xstrdup(pw->pw_class);
222#endif 224#endif
223 copy->pw_dir = xstrdup(pw->pw_dir); 225 copy->pw_dir = xstrdup(pw->pw_dir);
@@ -253,13 +255,13 @@ a2tun(const char *s, int *remote)
253 *remote = SSH_TUNID_ANY; 255 *remote = SSH_TUNID_ANY;
254 sp = xstrdup(s); 256 sp = xstrdup(s);
255 if ((ep = strchr(sp, ':')) == NULL) { 257 if ((ep = strchr(sp, ':')) == NULL) {
256 xfree(sp); 258 free(sp);
257 return (a2tun(s, NULL)); 259 return (a2tun(s, NULL));
258 } 260 }
259 ep[0] = '\0'; ep++; 261 ep[0] = '\0'; ep++;
260 *remote = a2tun(ep, NULL); 262 *remote = a2tun(ep, NULL);
261 tun = a2tun(sp, NULL); 263 tun = a2tun(sp, NULL);
262 xfree(sp); 264 free(sp);
263 return (*remote == SSH_TUNID_ERR ? *remote : tun); 265 return (*remote == SSH_TUNID_ERR ? *remote : tun);
264 } 266 }
265 267
@@ -492,7 +494,7 @@ replacearg(arglist *args, u_int which, char *fmt, ...)
492 if (which >= args->num) 494 if (which >= args->num)
493 fatal("replacearg: tried to replace invalid arg %d >= %d", 495 fatal("replacearg: tried to replace invalid arg %d >= %d",
494 which, args->num); 496 which, args->num);
495 xfree(args->list[which]); 497 free(args->list[which]);
496 args->list[which] = cp; 498 args->list[which] = cp;
497} 499}
498 500
@@ -503,8 +505,8 @@ freeargs(arglist *args)
503 505
504 if (args->list != NULL) { 506 if (args->list != NULL) {
505 for (i = 0; i < args->num; i++) 507 for (i = 0; i < args->num; i++)
506 xfree(args->list[i]); 508 free(args->list[i]);
507 xfree(args->list); 509 free(args->list);
508 args->nalloc = args->num = 0; 510 args->nalloc = args->num = 0;
509 args->list = NULL; 511 args->list = NULL;
510 } 512 }
@@ -517,8 +519,8 @@ freeargs(arglist *args)
517char * 519char *
518tilde_expand_filename(const char *filename, uid_t uid) 520tilde_expand_filename(const char *filename, uid_t uid)
519{ 521{
520 const char *path; 522 const char *path, *sep;
521 char user[128], ret[MAXPATHLEN]; 523 char user[128], *ret;
522 struct passwd *pw; 524 struct passwd *pw;
523 u_int len, slash; 525 u_int len, slash;
524 526
@@ -538,22 +540,21 @@ tilde_expand_filename(const char *filename, uid_t uid)
538 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ 540 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
539 fatal("tilde_expand_filename: No such uid %ld", (long)uid); 541 fatal("tilde_expand_filename: No such uid %ld", (long)uid);
540 542
541 if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
542 fatal("tilde_expand_filename: Path too long");
543
544 /* Make sure directory has a trailing '/' */ 543 /* Make sure directory has a trailing '/' */
545 len = strlen(pw->pw_dir); 544 len = strlen(pw->pw_dir);
546 if ((len == 0 || pw->pw_dir[len - 1] != '/') && 545 if (len == 0 || pw->pw_dir[len - 1] != '/')
547 strlcat(ret, "/", sizeof(ret)) >= sizeof(ret)) 546 sep = "/";
548 fatal("tilde_expand_filename: Path too long"); 547 else
548 sep = "";
549 549
550 /* Skip leading '/' from specified path */ 550 /* Skip leading '/' from specified path */
551 if (path != NULL) 551 if (path != NULL)
552 filename = path + 1; 552 filename = path + 1;
553 if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret)) 553
554 if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= MAXPATHLEN)
554 fatal("tilde_expand_filename: Path too long"); 555 fatal("tilde_expand_filename: Path too long");
555 556
556 return (xstrdup(ret)); 557 return (ret);
557} 558}
558 559
559/* 560/*
@@ -920,6 +921,24 @@ ms_to_timeval(struct timeval *tv, int ms)
920 tv->tv_usec = (ms % 1000) * 1000; 921 tv->tv_usec = (ms % 1000) * 1000;
921} 922}
922 923
924time_t
925monotime(void)
926{
927#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
928 struct timespec ts;
929 static int gettime_failed = 0;
930
931 if (!gettime_failed) {
932 if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
933 return (ts.tv_sec);
934 debug3("clock_gettime: %s", strerror(errno));
935 gettime_failed = 1;
936 }
937#endif
938
939 return time(NULL);
940}
941
923void 942void
924bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) 943bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen)
925{ 944{
diff --git a/misc.h b/misc.h
index 904edc704..51ba182e1 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */ 1/* $OpenBSD: misc.h,v 1.49 2013/06/01 13:15:52 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,6 +35,7 @@ char *tohex(const void *, size_t);
35void sanitise_stdfd(void); 35void sanitise_stdfd(void);
36void ms_subtract_diff(struct timeval *, int *); 36void ms_subtract_diff(struct timeval *, int *);
37void ms_to_timeval(struct timeval *, int); 37void ms_to_timeval(struct timeval *, int);
38time_t monotime(void);
38void sock_set_v6only(int); 39void sock_set_v6only(int);
39 40
40struct passwd *pwcopy(struct passwd *); 41struct passwd *pwcopy(struct passwd *);
diff --git a/moduli.0 b/moduli.0
index 77dfa4295..7dc2cd540 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
71 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, 71 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
72 2006. 72 2006.
73 73
74OpenBSD 5.3 September 26, 2012 OpenBSD 5.3 74OpenBSD 5.4 September 26, 2012 OpenBSD 5.4
diff --git a/moduli.c b/moduli.c
index 5267bb9ab..294ff8fde 100644
--- a/moduli.c
+++ b/moduli.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */ 1/* $OpenBSD: moduli.c,v 1.27 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright 1994 Phil Karn <karn@qualcomm.com> 3 * Copyright 1994 Phil Karn <karn@qualcomm.com>
4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com> 4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@@ -433,9 +433,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
433 433
434 time(&time_stop); 434 time(&time_stop);
435 435
436 xfree(LargeSieve); 436 free(LargeSieve);
437 xfree(SmallSieve); 437 free(SmallSieve);
438 xfree(TinySieve); 438 free(TinySieve);
439 439
440 logit("%.24s Found %u candidates", ctime(&time_stop), r); 440 logit("%.24s Found %u candidates", ctime(&time_stop), r);
441 441
@@ -709,7 +709,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
709 } 709 }
710 710
711 time(&time_stop); 711 time(&time_stop);
712 xfree(lp); 712 free(lp);
713 BN_free(p); 713 BN_free(p);
714 BN_free(q); 714 BN_free(q);
715 BN_CTX_free(ctx); 715 BN_CTX_free(ctx);
diff --git a/monitor.c b/monitor.c
index a9021fc4d..9bc4f0b2e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ 1/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -97,6 +97,7 @@
97#include "ssh2.h" 97#include "ssh2.h"
98#include "jpake.h" 98#include "jpake.h"
99#include "roaming.h" 99#include "roaming.h"
100#include "authfd.h"
100#ifdef USE_CONSOLEKIT 101#ifdef USE_CONSOLEKIT
101#include "consolekit.h" 102#include "consolekit.h"
102#endif 103#endif
@@ -420,7 +421,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
420 "with SSH protocol 1"); 421 "with SSH protocol 1");
421 if (authenticated && 422 if (authenticated &&
422 !auth2_update_methods_lists(authctxt, 423 !auth2_update_methods_lists(authctxt,
423 auth_method)) { 424 auth_method, auth_submethod)) {
424 debug3("%s: method %s: partial", __func__, 425 debug3("%s: method %s: partial", __func__,
425 auth_method); 426 auth_method);
426 authenticated = 0; 427 authenticated = 0;
@@ -450,8 +451,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
450 } 451 }
451 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 452 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
452 auth_log(authctxt, authenticated, partial, 453 auth_log(authctxt, authenticated, partial,
453 auth_method, auth_submethod, 454 auth_method, auth_submethod);
454 compat20 ? " ssh2" : "");
455 if (!authenticated) 455 if (!authenticated)
456 authctxt->failures++; 456 authctxt->failures++;
457 } 457 }
@@ -586,7 +586,7 @@ monitor_read_log(struct monitor *pmonitor)
586 do_log2(level, "%s [preauth]", msg); 586 do_log2(level, "%s [preauth]", msg);
587 587
588 buffer_free(&logmsg); 588 buffer_free(&logmsg);
589 xfree(msg); 589 free(msg);
590 590
591 return 0; 591 return 0;
592} 592}
@@ -677,12 +677,9 @@ static void
677monitor_reset_key_state(void) 677monitor_reset_key_state(void)
678{ 678{
679 /* reset state */ 679 /* reset state */
680 if (key_blob != NULL) 680 free(key_blob);
681 xfree(key_blob); 681 free(hostbased_cuser);
682 if (hostbased_cuser != NULL) 682 free(hostbased_chost);
683 xfree(hostbased_cuser);
684 if (hostbased_chost != NULL)
685 xfree(hostbased_chost);
686 key_blob = NULL; 683 key_blob = NULL;
687 key_bloblen = 0; 684 key_bloblen = 0;
688 key_blobtype = MM_NOKEY; 685 key_blobtype = MM_NOKEY;
@@ -725,6 +722,8 @@ mm_answer_moduli(int sock, Buffer *m)
725 return (0); 722 return (0);
726} 723}
727 724
725extern AuthenticationConnection *auth_conn;
726
728int 727int
729mm_answer_sign(int sock, Buffer *m) 728mm_answer_sign(int sock, Buffer *m)
730{ 729{
@@ -753,18 +752,24 @@ mm_answer_sign(int sock, Buffer *m)
753 memcpy(session_id2, p, session_id2_len); 752 memcpy(session_id2, p, session_id2_len);
754 } 753 }
755 754
756 if ((key = get_hostkey_by_index(keyid)) == NULL) 755 if ((key = get_hostkey_by_index(keyid)) != NULL) {
756 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
757 fatal("%s: key_sign failed", __func__);
758 } else if ((key = get_hostkey_public_by_index(keyid)) != NULL &&
759 auth_conn != NULL) {
760 if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p,
761 datlen) < 0)
762 fatal("%s: ssh_agent_sign failed", __func__);
763 } else
757 fatal("%s: no hostkey from index %d", __func__, keyid); 764 fatal("%s: no hostkey from index %d", __func__, keyid);
758 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
759 fatal("%s: key_sign failed", __func__);
760 765
761 debug3("%s: signature %p(%u)", __func__, signature, siglen); 766 debug3("%s: signature %p(%u)", __func__, signature, siglen);
762 767
763 buffer_clear(m); 768 buffer_clear(m);
764 buffer_put_string(m, signature, siglen); 769 buffer_put_string(m, signature, siglen);
765 770
766 xfree(p); 771 free(p);
767 xfree(signature); 772 free(signature);
768 773
769 mm_request_send(sock, MONITOR_ANS_SIGN, m); 774 mm_request_send(sock, MONITOR_ANS_SIGN, m);
770 775
@@ -795,7 +800,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
795 800
796 authctxt->user = xstrdup(username); 801 authctxt->user = xstrdup(username);
797 setproctitle("%s [priv]", pwent ? username : "unknown"); 802 setproctitle("%s [priv]", pwent ? username : "unknown");
798 xfree(username); 803 free(username);
799 804
800 buffer_clear(m); 805 buffer_clear(m);
801 806
@@ -813,8 +818,10 @@ mm_answer_pwnamallow(int sock, Buffer *m)
813 buffer_put_string(m, pwent, sizeof(struct passwd)); 818 buffer_put_string(m, pwent, sizeof(struct passwd));
814 buffer_put_cstring(m, pwent->pw_name); 819 buffer_put_cstring(m, pwent->pw_name);
815 buffer_put_cstring(m, "*"); 820 buffer_put_cstring(m, "*");
821#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
816 buffer_put_cstring(m, pwent->pw_gecos); 822 buffer_put_cstring(m, pwent->pw_gecos);
817#ifdef HAVE_PW_CLASS_IN_PASSWD 823#endif
824#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
818 buffer_put_cstring(m, pwent->pw_class); 825 buffer_put_cstring(m, pwent->pw_class);
819#endif 826#endif
820 buffer_put_cstring(m, pwent->pw_dir); 827 buffer_put_cstring(m, pwent->pw_dir);
@@ -874,9 +881,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m)
874 banner = auth2_read_banner(); 881 banner = auth2_read_banner();
875 buffer_put_cstring(m, banner != NULL ? banner : ""); 882 buffer_put_cstring(m, banner != NULL ? banner : "");
876 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); 883 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
877 884 free(banner);
878 if (banner != NULL)
879 xfree(banner);
880 885
881 return (0); 886 return (0);
882} 887}
@@ -893,12 +898,12 @@ mm_answer_authserv(int sock, Buffer *m)
893 __func__, authctxt->service, authctxt->style, authctxt->role); 898 __func__, authctxt->service, authctxt->style, authctxt->role);
894 899
895 if (strlen(authctxt->style) == 0) { 900 if (strlen(authctxt->style) == 0) {
896 xfree(authctxt->style); 901 free(authctxt->style);
897 authctxt->style = NULL; 902 authctxt->style = NULL;
898 } 903 }
899 904
900 if (strlen(authctxt->role) == 0) { 905 if (strlen(authctxt->role) == 0) {
901 xfree(authctxt->role); 906 free(authctxt->role);
902 authctxt->role = NULL; 907 authctxt->role = NULL;
903 } 908 }
904 909
@@ -915,7 +920,7 @@ mm_answer_authrole(int sock, Buffer *m)
915 __func__, authctxt->role); 920 __func__, authctxt->role);
916 921
917 if (strlen(authctxt->role) == 0) { 922 if (strlen(authctxt->role) == 0) {
918 xfree(authctxt->role); 923 free(authctxt->role);
919 authctxt->role = NULL; 924 authctxt->role = NULL;
920 } 925 }
921 926
@@ -935,7 +940,7 @@ mm_answer_authpassword(int sock, Buffer *m)
935 authenticated = options.password_authentication && 940 authenticated = options.password_authentication &&
936 auth_password(authctxt, passwd); 941 auth_password(authctxt, passwd);
937 memset(passwd, 0, strlen(passwd)); 942 memset(passwd, 0, strlen(passwd));
938 xfree(passwd); 943 free(passwd);
939 944
940 buffer_clear(m); 945 buffer_clear(m);
941 buffer_put_int(m, authenticated); 946 buffer_put_int(m, authenticated);
@@ -975,10 +980,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
975 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); 980 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
976 981
977 if (success) { 982 if (success) {
978 xfree(name); 983 free(name);
979 xfree(infotxt); 984 free(infotxt);
980 xfree(prompts); 985 free(prompts);
981 xfree(echo_on); 986 free(echo_on);
982 } 987 }
983 988
984 return (0); 989 return (0);
@@ -998,7 +1003,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
998 auth_userresponse(authctxt->as, response, 0); 1003 auth_userresponse(authctxt->as, response, 0);
999 authctxt->as = NULL; 1004 authctxt->as = NULL;
1000 debug3("%s: <%s> = <%d>", __func__, response, authok); 1005 debug3("%s: <%s> = <%d>", __func__, response, authok);
1001 xfree(response); 1006 free(response);
1002 1007
1003 buffer_clear(m); 1008 buffer_clear(m);
1004 buffer_put_int(m, authok); 1009 buffer_put_int(m, authok);
@@ -1006,9 +1011,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
1006 debug3("%s: sending authenticated: %d", __func__, authok); 1011 debug3("%s: sending authenticated: %d", __func__, authok);
1007 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 1012 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
1008 1013
1009 if (compat20) 1014 if (compat20) {
1010 auth_method = "keyboard-interactive"; /* XXX auth_submethod */ 1015 auth_method = "keyboard-interactive";
1011 else 1016 auth_submethod = "bsdauth";
1017 } else
1012 auth_method = "bsdauth"; 1018 auth_method = "bsdauth";
1013 1019
1014 return (authok != 0); 1020 return (authok != 0);
@@ -1050,7 +1056,7 @@ mm_answer_skeyrespond(int sock, Buffer *m)
1050 skey_haskey(authctxt->pw->pw_name) == 0 && 1056 skey_haskey(authctxt->pw->pw_name) == 0 &&
1051 skey_passcheck(authctxt->pw->pw_name, response) != -1); 1057 skey_passcheck(authctxt->pw->pw_name, response) != -1);
1052 1058
1053 xfree(response); 1059 free(response);
1054 1060
1055 buffer_clear(m); 1061 buffer_clear(m);
1056 buffer_put_int(m, authok); 1062 buffer_put_int(m, authok);
@@ -1135,19 +1141,17 @@ mm_answer_pam_query(int sock, Buffer *m)
1135 buffer_clear(m); 1141 buffer_clear(m);
1136 buffer_put_int(m, ret); 1142 buffer_put_int(m, ret);
1137 buffer_put_cstring(m, name); 1143 buffer_put_cstring(m, name);
1138 xfree(name); 1144 free(name);
1139 buffer_put_cstring(m, info); 1145 buffer_put_cstring(m, info);
1140 xfree(info); 1146 free(info);
1141 buffer_put_int(m, num); 1147 buffer_put_int(m, num);
1142 for (i = 0; i < num; ++i) { 1148 for (i = 0; i < num; ++i) {
1143 buffer_put_cstring(m, prompts[i]); 1149 buffer_put_cstring(m, prompts[i]);
1144 xfree(prompts[i]); 1150 free(prompts[i]);
1145 buffer_put_int(m, echo_on[i]); 1151 buffer_put_int(m, echo_on[i]);
1146 } 1152 }
1147 if (prompts != NULL) 1153 free(prompts);
1148 xfree(prompts); 1154 free(echo_on);
1149 if (echo_on != NULL)
1150 xfree(echo_on);
1151 auth_method = "keyboard-interactive"; 1155 auth_method = "keyboard-interactive";
1152 auth_submethod = "pam"; 1156 auth_submethod = "pam";
1153 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 1157 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
@@ -1170,8 +1174,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
1170 resp[i] = buffer_get_string(m, NULL); 1174 resp[i] = buffer_get_string(m, NULL);
1171 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); 1175 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
1172 for (i = 0; i < num; ++i) 1176 for (i = 0; i < num; ++i)
1173 xfree(resp[i]); 1177 free(resp[i]);
1174 xfree(resp); 1178 free(resp);
1175 } else { 1179 } else {
1176 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); 1180 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
1177 } 1181 }
@@ -1229,6 +1233,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
1229 case MM_USERKEY: 1233 case MM_USERKEY:
1230 allowed = options.pubkey_authentication && 1234 allowed = options.pubkey_authentication &&
1231 user_key_allowed(authctxt->pw, key); 1235 user_key_allowed(authctxt->pw, key);
1236 pubkey_auth_info(authctxt, key, NULL);
1232 auth_method = "publickey"; 1237 auth_method = "publickey";
1233 if (options.pubkey_authentication && allowed != 1) 1238 if (options.pubkey_authentication && allowed != 1)
1234 auth_clear_options(); 1239 auth_clear_options();
@@ -1237,6 +1242,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
1237 allowed = options.hostbased_authentication && 1242 allowed = options.hostbased_authentication &&
1238 hostbased_key_allowed(authctxt->pw, 1243 hostbased_key_allowed(authctxt->pw,
1239 cuser, chost, key); 1244 cuser, chost, key);
1245 pubkey_auth_info(authctxt, key,
1246 "client user \"%.100s\", client host \"%.100s\"",
1247 cuser, chost);
1240 auth_method = "hostbased"; 1248 auth_method = "hostbased";
1241 break; 1249 break;
1242 case MM_RSAHOSTKEY: 1250 case MM_RSAHOSTKEY:
@@ -1268,11 +1276,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
1268 hostbased_chost = chost; 1276 hostbased_chost = chost;
1269 } else { 1277 } else {
1270 /* Log failed attempt */ 1278 /* Log failed attempt */
1271 auth_log(authctxt, 0, 0, auth_method, NULL, 1279 auth_log(authctxt, 0, 0, auth_method, NULL);
1272 compat20 ? " ssh2" : ""); 1280 free(blob);
1273 xfree(blob); 1281 free(cuser);
1274 xfree(cuser); 1282 free(chost);
1275 xfree(chost);
1276 } 1283 }
1277 1284
1278 debug3("%s: key %p is %s", 1285 debug3("%s: key %p is %s",
@@ -1294,7 +1301,7 @@ static int
1294monitor_valid_userblob(u_char *data, u_int datalen) 1301monitor_valid_userblob(u_char *data, u_int datalen)
1295{ 1302{
1296 Buffer b; 1303 Buffer b;
1297 char *p; 1304 char *p, *userstyle;
1298 u_int len; 1305 u_int len;
1299 int fail = 0; 1306 int fail = 0;
1300 1307
@@ -1315,26 +1322,30 @@ monitor_valid_userblob(u_char *data, u_int datalen)
1315 (len != session_id2_len) || 1322 (len != session_id2_len) ||
1316 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1323 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
1317 fail++; 1324 fail++;
1318 xfree(p); 1325 free(p);
1319 } 1326 }
1320 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1327 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1321 fail++; 1328 fail++;
1322 p = buffer_get_string(&b, NULL); 1329 p = buffer_get_cstring(&b, NULL);
1323 if (strcmp(authctxt->user, p) != 0) { 1330 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1331 authctxt->style ? ":" : "",
1332 authctxt->style ? authctxt->style : "");
1333 if (strcmp(userstyle, p) != 0) {
1324 logit("wrong user name passed to monitor: expected %s != %.100s", 1334 logit("wrong user name passed to monitor: expected %s != %.100s",
1325 authctxt->user, p); 1335 userstyle, p);
1326 fail++; 1336 fail++;
1327 } 1337 }
1328 xfree(p); 1338 free(userstyle);
1339 free(p);
1329 buffer_skip_string(&b); 1340 buffer_skip_string(&b);
1330 if (datafellows & SSH_BUG_PKAUTH) { 1341 if (datafellows & SSH_BUG_PKAUTH) {
1331 if (!buffer_get_char(&b)) 1342 if (!buffer_get_char(&b))
1332 fail++; 1343 fail++;
1333 } else { 1344 } else {
1334 p = buffer_get_string(&b, NULL); 1345 p = buffer_get_cstring(&b, NULL);
1335 if (strcmp("publickey", p) != 0) 1346 if (strcmp("publickey", p) != 0)
1336 fail++; 1347 fail++;
1337 xfree(p); 1348 free(p);
1338 if (!buffer_get_char(&b)) 1349 if (!buffer_get_char(&b))
1339 fail++; 1350 fail++;
1340 buffer_skip_string(&b); 1351 buffer_skip_string(&b);
@@ -1351,7 +1362,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1351 char *chost) 1362 char *chost)
1352{ 1363{
1353 Buffer b; 1364 Buffer b;
1354 char *p; 1365 char *p, *userstyle;
1355 u_int len; 1366 u_int len;
1356 int fail = 0; 1367 int fail = 0;
1357 1368
@@ -1363,22 +1374,26 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1363 (len != session_id2_len) || 1374 (len != session_id2_len) ||
1364 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1375 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
1365 fail++; 1376 fail++;
1366 xfree(p); 1377 free(p);
1367 1378
1368 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1379 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1369 fail++; 1380 fail++;
1370 p = buffer_get_string(&b, NULL); 1381 p = buffer_get_cstring(&b, NULL);
1371 if (strcmp(authctxt->user, p) != 0) { 1382 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1383 authctxt->style ? ":" : "",
1384 authctxt->style ? authctxt->style : "");
1385 if (strcmp(userstyle, p) != 0) {
1372 logit("wrong user name passed to monitor: expected %s != %.100s", 1386 logit("wrong user name passed to monitor: expected %s != %.100s",
1373 authctxt->user, p); 1387 userstyle, p);
1374 fail++; 1388 fail++;
1375 } 1389 }
1376 xfree(p); 1390 free(userstyle);
1391 free(p);
1377 buffer_skip_string(&b); /* service */ 1392 buffer_skip_string(&b); /* service */
1378 p = buffer_get_string(&b, NULL); 1393 p = buffer_get_cstring(&b, NULL);
1379 if (strcmp(p, "hostbased") != 0) 1394 if (strcmp(p, "hostbased") != 0)
1380 fail++; 1395 fail++;
1381 xfree(p); 1396 free(p);
1382 buffer_skip_string(&b); /* pkalg */ 1397 buffer_skip_string(&b); /* pkalg */
1383 buffer_skip_string(&b); /* pkblob */ 1398 buffer_skip_string(&b); /* pkblob */
1384 1399
@@ -1388,13 +1403,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1388 p[len - 1] = '\0'; 1403 p[len - 1] = '\0';
1389 if (strcmp(p, chost) != 0) 1404 if (strcmp(p, chost) != 0)
1390 fail++; 1405 fail++;
1391 xfree(p); 1406 free(p);
1392 1407
1393 /* verify client user */ 1408 /* verify client user */
1394 p = buffer_get_string(&b, NULL); 1409 p = buffer_get_string(&b, NULL);
1395 if (strcmp(p, cuser) != 0) 1410 if (strcmp(p, cuser) != 0)
1396 fail++; 1411 fail++;
1397 xfree(p); 1412 free(p);
1398 1413
1399 if (buffer_len(&b) != 0) 1414 if (buffer_len(&b) != 0)
1400 fail++; 1415 fail++;
@@ -1443,9 +1458,9 @@ mm_answer_keyverify(int sock, Buffer *m)
1443 __func__, key, (verified == 1) ? "verified" : "unverified"); 1458 __func__, key, (verified == 1) ? "verified" : "unverified");
1444 1459
1445 key_free(key); 1460 key_free(key);
1446 xfree(blob); 1461 free(blob);
1447 xfree(signature); 1462 free(signature);
1448 xfree(data); 1463 free(data);
1449 1464
1450 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; 1465 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1451 1466
@@ -1573,7 +1588,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
1573 if ((s = session_by_tty(tty)) != NULL) 1588 if ((s = session_by_tty(tty)) != NULL)
1574 mm_session_close(s); 1589 mm_session_close(s);
1575 buffer_clear(m); 1590 buffer_clear(m);
1576 xfree(tty); 1591 free(tty);
1577 return (0); 1592 return (0);
1578} 1593}
1579 1594
@@ -1705,7 +1720,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
1705 1720
1706 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); 1721 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
1707 1722
1708 xfree(blob); 1723 free(blob);
1709 key_free(key); 1724 key_free(key);
1710 return (0); 1725 return (0);
1711} 1726}
@@ -1737,9 +1752,9 @@ mm_answer_rsa_response(int sock, Buffer *m)
1737 fatal("%s: received bad response to challenge", __func__); 1752 fatal("%s: received bad response to challenge", __func__);
1738 success = auth_rsa_verify_response(key, ssh1_challenge, response); 1753 success = auth_rsa_verify_response(key, ssh1_challenge, response);
1739 1754
1740 xfree(blob); 1755 free(blob);
1741 key_free(key); 1756 key_free(key);
1742 xfree(response); 1757 free(response);
1743 1758
1744 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; 1759 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
1745 1760
@@ -1818,7 +1833,7 @@ mm_answer_audit_command(int socket, Buffer *m)
1818 cmd = buffer_get_string(m, &len); 1833 cmd = buffer_get_string(m, &len);
1819 /* sanity check command, if so how? */ 1834 /* sanity check command, if so how? */
1820 audit_run_command(cmd); 1835 audit_run_command(cmd);
1821 xfree(cmd); 1836 free(cmd);
1822 return (0); 1837 return (0);
1823} 1838}
1824#endif /* SSH_AUDIT_EVENTS */ 1839#endif /* SSH_AUDIT_EVENTS */
@@ -1833,20 +1848,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
1833 packet_set_protocol_flags(child_state.ssh1protoflags); 1848 packet_set_protocol_flags(child_state.ssh1protoflags);
1834 packet_set_encryption_key(child_state.ssh1key, 1849 packet_set_encryption_key(child_state.ssh1key,
1835 child_state.ssh1keylen, child_state.ssh1cipher); 1850 child_state.ssh1keylen, child_state.ssh1cipher);
1836 xfree(child_state.ssh1key); 1851 free(child_state.ssh1key);
1837 } 1852 }
1838 1853
1839 /* for rc4 and other stateful ciphers */ 1854 /* for rc4 and other stateful ciphers */
1840 packet_set_keycontext(MODE_OUT, child_state.keyout); 1855 packet_set_keycontext(MODE_OUT, child_state.keyout);
1841 xfree(child_state.keyout); 1856 free(child_state.keyout);
1842 packet_set_keycontext(MODE_IN, child_state.keyin); 1857 packet_set_keycontext(MODE_IN, child_state.keyin);
1843 xfree(child_state.keyin); 1858 free(child_state.keyin);
1844 1859
1845 if (!compat20) { 1860 if (!compat20) {
1846 packet_set_iv(MODE_OUT, child_state.ivout); 1861 packet_set_iv(MODE_OUT, child_state.ivout);
1847 xfree(child_state.ivout); 1862 free(child_state.ivout);
1848 packet_set_iv(MODE_IN, child_state.ivin); 1863 packet_set_iv(MODE_IN, child_state.ivin);
1849 xfree(child_state.ivin); 1864 free(child_state.ivin);
1850 } 1865 }
1851 1866
1852 memcpy(&incoming_stream, &child_state.incoming, 1867 memcpy(&incoming_stream, &child_state.incoming,
@@ -1858,18 +1873,22 @@ monitor_apply_keystate(struct monitor *pmonitor)
1858 if (options.compression) 1873 if (options.compression)
1859 mm_init_compression(pmonitor->m_zlib); 1874 mm_init_compression(pmonitor->m_zlib);
1860 1875
1876 if (options.rekey_limit || options.rekey_interval)
1877 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
1878 (time_t)options.rekey_interval);
1879
1861 /* Network I/O buffers */ 1880 /* Network I/O buffers */
1862 /* XXX inefficient for large buffers, need: buffer_init_from_string */ 1881 /* XXX inefficient for large buffers, need: buffer_init_from_string */
1863 buffer_clear(packet_get_input()); 1882 buffer_clear(packet_get_input());
1864 buffer_append(packet_get_input(), child_state.input, child_state.ilen); 1883 buffer_append(packet_get_input(), child_state.input, child_state.ilen);
1865 memset(child_state.input, 0, child_state.ilen); 1884 memset(child_state.input, 0, child_state.ilen);
1866 xfree(child_state.input); 1885 free(child_state.input);
1867 1886
1868 buffer_clear(packet_get_output()); 1887 buffer_clear(packet_get_output());
1869 buffer_append(packet_get_output(), child_state.output, 1888 buffer_append(packet_get_output(), child_state.output,
1870 child_state.olen); 1889 child_state.olen);
1871 memset(child_state.output, 0, child_state.olen); 1890 memset(child_state.output, 0, child_state.olen);
1872 xfree(child_state.output); 1891 free(child_state.output);
1873 1892
1874 /* Roaming */ 1893 /* Roaming */
1875 if (compat20) 1894 if (compat20)
@@ -1908,11 +1927,11 @@ mm_get_kex(Buffer *m)
1908 blob = buffer_get_string(m, &bloblen); 1927 blob = buffer_get_string(m, &bloblen);
1909 buffer_init(&kex->my); 1928 buffer_init(&kex->my);
1910 buffer_append(&kex->my, blob, bloblen); 1929 buffer_append(&kex->my, blob, bloblen);
1911 xfree(blob); 1930 free(blob);
1912 blob = buffer_get_string(m, &bloblen); 1931 blob = buffer_get_string(m, &bloblen);
1913 buffer_init(&kex->peer); 1932 buffer_init(&kex->peer);
1914 buffer_append(&kex->peer, blob, bloblen); 1933 buffer_append(&kex->peer, blob, bloblen);
1915 xfree(blob); 1934 free(blob);
1916 kex->done = 1; 1935 kex->done = 1;
1917 kex->flags = buffer_get_int(m); 1936 kex->flags = buffer_get_int(m);
1918 kex->client_version_string = buffer_get_string(m, NULL); 1937 kex->client_version_string = buffer_get_string(m, NULL);
@@ -1920,6 +1939,7 @@ mm_get_kex(Buffer *m)
1920 kex->load_host_public_key=&get_hostkey_public_by_type; 1939 kex->load_host_public_key=&get_hostkey_public_by_type;
1921 kex->load_host_private_key=&get_hostkey_private_by_type; 1940 kex->load_host_private_key=&get_hostkey_private_by_type;
1922 kex->host_key_index=&get_hostkey_index; 1941 kex->host_key_index=&get_hostkey_index;
1942 kex->sign = sshd_hostkey_sign;
1923 1943
1924 return (kex); 1944 return (kex);
1925} 1945}
@@ -1955,12 +1975,12 @@ mm_get_keystate(struct monitor *pmonitor)
1955 1975
1956 blob = buffer_get_string(&m, &bloblen); 1976 blob = buffer_get_string(&m, &bloblen);
1957 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); 1977 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
1958 xfree(blob); 1978 free(blob);
1959 1979
1960 debug3("%s: Waiting for second key", __func__); 1980 debug3("%s: Waiting for second key", __func__);
1961 blob = buffer_get_string(&m, &bloblen); 1981 blob = buffer_get_string(&m, &bloblen);
1962 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); 1982 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
1963 xfree(blob); 1983 free(blob);
1964 1984
1965 /* Now get sequence numbers for the packets */ 1985 /* Now get sequence numbers for the packets */
1966 seqnr = buffer_get_int(&m); 1986 seqnr = buffer_get_int(&m);
@@ -1985,13 +2005,13 @@ mm_get_keystate(struct monitor *pmonitor)
1985 if (plen != sizeof(child_state.outgoing)) 2005 if (plen != sizeof(child_state.outgoing))
1986 fatal("%s: bad request size", __func__); 2006 fatal("%s: bad request size", __func__);
1987 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); 2007 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
1988 xfree(p); 2008 free(p);
1989 2009
1990 p = buffer_get_string(&m, &plen); 2010 p = buffer_get_string(&m, &plen);
1991 if (plen != sizeof(child_state.incoming)) 2011 if (plen != sizeof(child_state.incoming))
1992 fatal("%s: bad request size", __func__); 2012 fatal("%s: bad request size", __func__);
1993 memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); 2013 memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
1994 xfree(p); 2014 free(p);
1995 2015
1996 /* Network I/O buffers */ 2016 /* Network I/O buffers */
1997 debug3("%s: Getting Network I/O buffers", __func__); 2017 debug3("%s: Getting Network I/O buffers", __func__);
@@ -2116,7 +2136,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2116 2136
2117 major = ssh_gssapi_server_ctx(&gsscontext, &goid); 2137 major = ssh_gssapi_server_ctx(&gsscontext, &goid);
2118 2138
2119 xfree(goid.elements); 2139 free(goid.elements);
2120 2140
2121 buffer_clear(m); 2141 buffer_clear(m);
2122 buffer_put_int(m, major); 2142 buffer_put_int(m, major);
@@ -2144,7 +2164,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2144 in.value = buffer_get_string(m, &len); 2164 in.value = buffer_get_string(m, &len);
2145 in.length = len; 2165 in.length = len;
2146 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2166 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2147 xfree(in.value); 2167 free(in.value);
2148 2168
2149 buffer_clear(m); 2169 buffer_clear(m);
2150 buffer_put_int(m, major); 2170 buffer_put_int(m, major);
@@ -2180,8 +2200,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2180 2200
2181 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); 2201 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
2182 2202
2183 xfree(gssbuf.value); 2203 free(gssbuf.value);
2184 xfree(mic.value); 2204 free(mic.value);
2185 2205
2186 buffer_clear(m); 2206 buffer_clear(m);
2187 buffer_put_int(m, ret); 2207 buffer_put_int(m, ret);
@@ -2242,7 +2262,7 @@ mm_answer_gss_sign(int socket, Buffer *m)
2242 } 2262 }
2243 major = ssh_gssapi_sign(gsscontext, &data, &hash); 2263 major = ssh_gssapi_sign(gsscontext, &data, &hash);
2244 2264
2245 xfree(data.value); 2265 free(data.value);
2246 2266
2247 buffer_clear(m); 2267 buffer_clear(m);
2248 buffer_put_int(m, major); 2268 buffer_put_int(m, major);
@@ -2272,9 +2292,9 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
2272 2292
2273 ok = ssh_gssapi_update_creds(&store); 2293 ok = ssh_gssapi_update_creds(&store);
2274 2294
2275 xfree(store.filename); 2295 free(store.filename);
2276 xfree(store.envvar); 2296 free(store.envvar);
2277 xfree(store.envval); 2297 free(store.envval);
2278 2298
2279 buffer_clear(m); 2299 buffer_clear(m);
2280 buffer_put_int(m, ok); 2300 buffer_put_int(m, ok);
@@ -2323,8 +2343,8 @@ mm_answer_jpake_step1(int sock, Buffer *m)
2323 2343
2324 bzero(x3_proof, x3_proof_len); 2344 bzero(x3_proof, x3_proof_len);
2325 bzero(x4_proof, x4_proof_len); 2345 bzero(x4_proof, x4_proof_len);
2326 xfree(x3_proof); 2346 free(x3_proof);
2327 xfree(x4_proof); 2347 free(x4_proof);
2328 2348
2329 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1); 2349 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
2330 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0); 2350 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
@@ -2353,8 +2373,8 @@ mm_answer_jpake_get_pwdata(int sock, Buffer *m)
2353 2373
2354 bzero(hash_scheme, strlen(hash_scheme)); 2374 bzero(hash_scheme, strlen(hash_scheme));
2355 bzero(salt, strlen(salt)); 2375 bzero(salt, strlen(salt));
2356 xfree(hash_scheme); 2376 free(hash_scheme);
2357 xfree(salt); 2377 free(salt);
2358 2378
2359 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1); 2379 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
2360 2380
@@ -2393,8 +2413,8 @@ mm_answer_jpake_step2(int sock, Buffer *m)
2393 2413
2394 bzero(x1_proof, x1_proof_len); 2414 bzero(x1_proof, x1_proof_len);
2395 bzero(x2_proof, x2_proof_len); 2415 bzero(x2_proof, x2_proof_len);
2396 xfree(x1_proof); 2416 free(x1_proof);
2397 xfree(x2_proof); 2417 free(x2_proof);
2398 2418
2399 buffer_clear(m); 2419 buffer_clear(m);
2400 2420
@@ -2405,7 +2425,7 @@ mm_answer_jpake_step2(int sock, Buffer *m)
2405 mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); 2425 mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
2406 2426
2407 bzero(x4_s_proof, x4_s_proof_len); 2427 bzero(x4_s_proof, x4_s_proof_len);
2408 xfree(x4_s_proof); 2428 free(x4_s_proof);
2409 2429
2410 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); 2430 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
2411 2431
@@ -2473,7 +2493,7 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
2473 JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); 2493 JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
2474 2494
2475 bzero(peer_confirm_hash, peer_confirm_hash_len); 2495 bzero(peer_confirm_hash, peer_confirm_hash_len);
2476 xfree(peer_confirm_hash); 2496 free(peer_confirm_hash);
2477 2497
2478 buffer_clear(m); 2498 buffer_clear(m);
2479 buffer_put_int(m, authenticated); 2499 buffer_put_int(m, authenticated);
@@ -2508,10 +2528,9 @@ mm_answer_consolekit_register(int sock, Buffer *m)
2508 buffer_put_cstring(m, cookie != NULL ? cookie : ""); 2528 buffer_put_cstring(m, cookie != NULL ? cookie : "");
2509 mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m); 2529 mm_request_send(sock, MONITOR_ANS_CONSOLEKIT_REGISTER, m);
2510 2530
2511 if (cookie != NULL) 2531 free(cookie);
2512 xfree(cookie); 2532 free(display);
2513 xfree(display); 2533 free(tty);
2514 xfree(tty);
2515 2534
2516 return (0); 2535 return (0);
2517} 2536}
diff --git a/monitor_mm.c b/monitor_mm.c
index faf9f3dcb..ee7bad4b4 100644
--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */ 1/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * All rights reserved. 4 * All rights reserved.
@@ -35,6 +35,7 @@
35 35
36#include <errno.h> 36#include <errno.h>
37#include <stdarg.h> 37#include <stdarg.h>
38#include <stdlib.h>
38#include <string.h> 39#include <string.h>
39 40
40#include "xmalloc.h" 41#include "xmalloc.h"
@@ -124,7 +125,7 @@ mm_freelist(struct mm_master *mmalloc, struct mmtree *head)
124 next = RB_NEXT(mmtree, head, mms); 125 next = RB_NEXT(mmtree, head, mms);
125 RB_REMOVE(mmtree, head, mms); 126 RB_REMOVE(mmtree, head, mms);
126 if (mmalloc == NULL) 127 if (mmalloc == NULL)
127 xfree(mms); 128 free(mms);
128 else 129 else
129 mm_free(mmalloc, mms); 130 mm_free(mmalloc, mms);
130 } 131 }
@@ -147,7 +148,7 @@ mm_destroy(struct mm_master *mm)
147 __func__); 148 __func__);
148#endif 149#endif
149 if (mm->mmalloc == NULL) 150 if (mm->mmalloc == NULL)
150 xfree(mm); 151 free(mm);
151 else 152 else
152 mm_free(mm->mmalloc, mm); 153 mm_free(mm->mmalloc, mm);
153} 154}
@@ -198,7 +199,7 @@ mm_malloc(struct mm_master *mm, size_t size)
198 if (mms->size == 0) { 199 if (mms->size == 0) {
199 RB_REMOVE(mmtree, &mm->rb_free, mms); 200 RB_REMOVE(mmtree, &mm->rb_free, mms);
200 if (mm->mmalloc == NULL) 201 if (mm->mmalloc == NULL)
201 xfree(mms); 202 free(mms);
202 else 203 else
203 mm_free(mm->mmalloc, mms); 204 mm_free(mm->mmalloc, mms);
204 } 205 }
@@ -254,7 +255,7 @@ mm_free(struct mm_master *mm, void *address)
254 prev->size += mms->size; 255 prev->size += mms->size;
255 RB_REMOVE(mmtree, &mm->rb_free, mms); 256 RB_REMOVE(mmtree, &mm->rb_free, mms);
256 if (mm->mmalloc == NULL) 257 if (mm->mmalloc == NULL)
257 xfree(mms); 258 free(mms);
258 else 259 else
259 mm_free(mm->mmalloc, mms); 260 mm_free(mm->mmalloc, mms);
260 } else 261 } else
@@ -278,7 +279,7 @@ mm_free(struct mm_master *mm, void *address)
278 RB_REMOVE(mmtree, &mm->rb_free, mms); 279 RB_REMOVE(mmtree, &mm->rb_free, mms);
279 280
280 if (mm->mmalloc == NULL) 281 if (mm->mmalloc == NULL)
281 xfree(mms); 282 free(mms);
282 else 283 else
283 mm_free(mm->mmalloc, mms); 284 mm_free(mm->mmalloc, mms);
284} 285}
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e62650342..9662a4c63 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: monitor_wrap.c,v 1.76 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -259,8 +259,10 @@ mm_getpwnamallow(const char *username)
259 fatal("%s: struct passwd size mismatch", __func__); 259 fatal("%s: struct passwd size mismatch", __func__);
260 pw->pw_name = buffer_get_string(&m, NULL); 260 pw->pw_name = buffer_get_string(&m, NULL);
261 pw->pw_passwd = buffer_get_string(&m, NULL); 261 pw->pw_passwd = buffer_get_string(&m, NULL);
262#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
262 pw->pw_gecos = buffer_get_string(&m, NULL); 263 pw->pw_gecos = buffer_get_string(&m, NULL);
263#ifdef HAVE_PW_CLASS_IN_PASSWD 264#endif
265#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
264 pw->pw_class = buffer_get_string(&m, NULL); 266 pw->pw_class = buffer_get_string(&m, NULL);
265#endif 267#endif
266 pw->pw_dir = buffer_get_string(&m, NULL); 268 pw->pw_dir = buffer_get_string(&m, NULL);
@@ -286,7 +288,7 @@ out:
286#undef M_CP_STRARRAYOPT 288#undef M_CP_STRARRAYOPT
287 289
288 copy_set_server_options(&options, newopts, 1); 290 copy_set_server_options(&options, newopts, 1);
289 xfree(newopts); 291 free(newopts);
290 292
291 buffer_free(&m); 293 buffer_free(&m);
292 294
@@ -312,7 +314,7 @@ mm_auth2_read_banner(void)
312 314
313 /* treat empty banner as missing banner */ 315 /* treat empty banner as missing banner */
314 if (strlen(banner) == 0) { 316 if (strlen(banner) == 0) {
315 xfree(banner); 317 free(banner);
316 banner = NULL; 318 banner = NULL;
317 } 319 }
318 return (banner); 320 return (banner);
@@ -423,7 +425,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
423 buffer_put_cstring(&m, user ? user : ""); 425 buffer_put_cstring(&m, user ? user : "");
424 buffer_put_cstring(&m, host ? host : ""); 426 buffer_put_cstring(&m, host ? host : "");
425 buffer_put_string(&m, blob, len); 427 buffer_put_string(&m, blob, len);
426 xfree(blob); 428 free(blob);
427 429
428 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 430 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
429 431
@@ -466,7 +468,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
466 buffer_put_string(&m, blob, len); 468 buffer_put_string(&m, blob, len);
467 buffer_put_string(&m, sig, siglen); 469 buffer_put_string(&m, sig, siglen);
468 buffer_put_string(&m, data, datalen); 470 buffer_put_string(&m, data, datalen);
469 xfree(blob); 471 free(blob);
470 472
471 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); 473 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
472 474
@@ -635,7 +637,7 @@ mm_send_keystate(struct monitor *monitor)
635 keylen = packet_get_encryption_key(key); 637 keylen = packet_get_encryption_key(key);
636 buffer_put_string(&m, key, keylen); 638 buffer_put_string(&m, key, keylen);
637 memset(key, 0, keylen); 639 memset(key, 0, keylen);
638 xfree(key); 640 free(key);
639 641
640 ivlen = packet_get_keyiv_len(MODE_OUT); 642 ivlen = packet_get_keyiv_len(MODE_OUT);
641 packet_get_keyiv(MODE_OUT, iv, ivlen); 643 packet_get_keyiv(MODE_OUT, iv, ivlen);
@@ -658,13 +660,13 @@ mm_send_keystate(struct monitor *monitor)
658 fatal("%s: conversion of newkeys failed", __func__); 660 fatal("%s: conversion of newkeys failed", __func__);
659 661
660 buffer_put_string(&m, blob, bloblen); 662 buffer_put_string(&m, blob, bloblen);
661 xfree(blob); 663 free(blob);
662 664
663 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) 665 if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
664 fatal("%s: conversion of newkeys failed", __func__); 666 fatal("%s: conversion of newkeys failed", __func__);
665 667
666 buffer_put_string(&m, blob, bloblen); 668 buffer_put_string(&m, blob, bloblen);
667 xfree(blob); 669 free(blob);
668 670
669 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); 671 packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
670 buffer_put_int(&m, seqnr); 672 buffer_put_int(&m, seqnr);
@@ -684,13 +686,13 @@ mm_send_keystate(struct monitor *monitor)
684 p = xmalloc(plen+1); 686 p = xmalloc(plen+1);
685 packet_get_keycontext(MODE_OUT, p); 687 packet_get_keycontext(MODE_OUT, p);
686 buffer_put_string(&m, p, plen); 688 buffer_put_string(&m, p, plen);
687 xfree(p); 689 free(p);
688 690
689 plen = packet_get_keycontext(MODE_IN, NULL); 691 plen = packet_get_keycontext(MODE_IN, NULL);
690 p = xmalloc(plen+1); 692 p = xmalloc(plen+1);
691 packet_get_keycontext(MODE_IN, p); 693 packet_get_keycontext(MODE_IN, p);
692 buffer_put_string(&m, p, plen); 694 buffer_put_string(&m, p, plen);
693 xfree(p); 695 free(p);
694 696
695 /* Compression state */ 697 /* Compression state */
696 debug3("%s: Sending compression state", __func__); 698 debug3("%s: Sending compression state", __func__);
@@ -752,10 +754,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
752 buffer_free(&m); 754 buffer_free(&m);
753 755
754 strlcpy(namebuf, p, namebuflen); /* Possible truncation */ 756 strlcpy(namebuf, p, namebuflen); /* Possible truncation */
755 xfree(p); 757 free(p);
756 758
757 buffer_append(&loginmsg, msg, strlen(msg)); 759 buffer_append(&loginmsg, msg, strlen(msg));
758 xfree(msg); 760 free(msg);
759 761
760 if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || 762 if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 ||
761 (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) 763 (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1)
@@ -821,7 +823,7 @@ mm_do_pam_account(void)
821 ret = buffer_get_int(&m); 823 ret = buffer_get_int(&m);
822 msg = buffer_get_string(&m, NULL); 824 msg = buffer_get_string(&m, NULL);
823 buffer_append(&loginmsg, msg, strlen(msg)); 825 buffer_append(&loginmsg, msg, strlen(msg));
824 xfree(msg); 826 free(msg);
825 827
826 buffer_free(&m); 828 buffer_free(&m);
827 829
@@ -1051,7 +1053,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
1051 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); 1053 mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
1052 1054
1053 xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); 1055 xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
1054 xfree(challenge); 1056 free(challenge);
1055 1057
1056 return (0); 1058 return (0);
1057} 1059}
@@ -1125,7 +1127,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
1125 if ((key = key_from_blob(blob, blen)) == NULL) 1127 if ((key = key_from_blob(blob, blen)) == NULL)
1126 fatal("%s: key_from_blob failed", __func__); 1128 fatal("%s: key_from_blob failed", __func__);
1127 *rkey = key; 1129 *rkey = key;
1128 xfree(blob); 1130 free(blob);
1129 } 1131 }
1130 buffer_free(&m); 1132 buffer_free(&m);
1131 1133
@@ -1152,7 +1154,7 @@ mm_auth_rsa_generate_challenge(Key *key)
1152 1154
1153 buffer_init(&m); 1155 buffer_init(&m);
1154 buffer_put_string(&m, blob, blen); 1156 buffer_put_string(&m, blob, blen);
1155 xfree(blob); 1157 free(blob);
1156 1158
1157 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 1159 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m);
1158 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); 1160 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m);
@@ -1181,7 +1183,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
1181 buffer_init(&m); 1183 buffer_init(&m);
1182 buffer_put_string(&m, blob, blen); 1184 buffer_put_string(&m, blob, blen);
1183 buffer_put_string(&m, response, 16); 1185 buffer_put_string(&m, response, 16);
1184 xfree(blob); 1186 free(blob);
1185 1187
1186 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); 1188 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m);
1187 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); 1189 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m);
@@ -1539,7 +1541,7 @@ mm_consolekit_register(Session *s, const char *display)
1539 1541
1540 /* treat empty cookie as missing cookie */ 1542 /* treat empty cookie as missing cookie */
1541 if (strlen(cookie) == 0) { 1543 if (strlen(cookie) == 0) {
1542 xfree(cookie); 1544 free(cookie);
1543 cookie = NULL; 1545 cookie = NULL;
1544 } 1546 }
1545 return (cookie); 1547 return (cookie);
diff --git a/mux.c b/mux.c
index 1ae0e0915..882fa61b5 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ 1/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -184,7 +184,7 @@ static const struct {
184 184
185/* Cleanup callback fired on closure of mux slave _session_ channel */ 185/* Cleanup callback fired on closure of mux slave _session_ channel */
186/* ARGSUSED */ 186/* ARGSUSED */
187void 187static void
188mux_master_session_cleanup_cb(int cid, void *unused) 188mux_master_session_cleanup_cb(int cid, void *unused)
189{ 189{
190 Channel *cc, *c = channel_by_id(cid); 190 Channel *cc, *c = channel_by_id(cid);
@@ -219,7 +219,8 @@ mux_master_control_cleanup_cb(int cid, void *unused)
219 __func__, c->self, c->remote_id); 219 __func__, c->self, c->remote_id);
220 c->remote_id = -1; 220 c->remote_id = -1;
221 sc->ctl_chan = -1; 221 sc->ctl_chan = -1;
222 if (sc->type != SSH_CHANNEL_OPEN) { 222 if (sc->type != SSH_CHANNEL_OPEN &&
223 sc->type != SSH_CHANNEL_OPENING) {
223 debug2("%s: channel %d: not open", __func__, sc->self); 224 debug2("%s: channel %d: not open", __func__, sc->self);
224 chan_mark_dead(sc); 225 chan_mark_dead(sc);
225 } else { 226 } else {
@@ -286,13 +287,13 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r)
286 char *value = buffer_get_string_ret(m, NULL); 287 char *value = buffer_get_string_ret(m, NULL);
287 288
288 if (name == NULL || value == NULL) { 289 if (name == NULL || value == NULL) {
289 if (name != NULL) 290 free(name);
290 xfree(name); 291 free(value);
291 goto malf; 292 goto malf;
292 } 293 }
293 debug2("Unrecognised slave extension \"%s\"", name); 294 debug2("Unrecognised slave extension \"%s\"", name);
294 xfree(name); 295 free(name);
295 xfree(value); 296 free(value);
296 } 297 }
297 state->hello_rcvd = 1; 298 state->hello_rcvd = 1;
298 return 0; 299 return 0;
@@ -323,21 +324,17 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
323 (cctx->term = buffer_get_string_ret(m, &len)) == NULL || 324 (cctx->term = buffer_get_string_ret(m, &len)) == NULL ||
324 (cmd = buffer_get_string_ret(m, &len)) == NULL) { 325 (cmd = buffer_get_string_ret(m, &len)) == NULL) {
325 malf: 326 malf:
326 if (cmd != NULL) 327 free(cmd);
327 xfree(cmd); 328 free(reserved);
328 if (reserved != NULL)
329 xfree(reserved);
330 for (j = 0; j < env_len; j++) 329 for (j = 0; j < env_len; j++)
331 xfree(cctx->env[j]); 330 free(cctx->env[j]);
332 if (env_len > 0) 331 free(cctx->env);
333 xfree(cctx->env); 332 free(cctx->term);
334 if (cctx->term != NULL) 333 free(cctx);
335 xfree(cctx->term);
336 xfree(cctx);
337 error("%s: malformed message", __func__); 334 error("%s: malformed message", __func__);
338 return -1; 335 return -1;
339 } 336 }
340 xfree(reserved); 337 free(reserved);
341 reserved = NULL; 338 reserved = NULL;
342 339
343 while (buffer_len(m) > 0) { 340 while (buffer_len(m) > 0) {
@@ -345,7 +342,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
345 if ((cp = buffer_get_string_ret(m, &len)) == NULL) 342 if ((cp = buffer_get_string_ret(m, &len)) == NULL)
346 goto malf; 343 goto malf;
347 if (!env_permitted(cp)) { 344 if (!env_permitted(cp)) {
348 xfree(cp); 345 free(cp);
349 continue; 346 continue;
350 } 347 }
351 cctx->env = xrealloc(cctx->env, env_len + 2, 348 cctx->env = xrealloc(cctx->env, env_len + 2,
@@ -366,7 +363,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
366 363
367 buffer_init(&cctx->cmd); 364 buffer_init(&cctx->cmd);
368 buffer_append(&cctx->cmd, cmd, strlen(cmd)); 365 buffer_append(&cctx->cmd, cmd, strlen(cmd));
369 xfree(cmd); 366 free(cmd);
370 cmd = NULL; 367 cmd = NULL;
371 368
372 /* Gather fds from client */ 369 /* Gather fds from client */
@@ -377,12 +374,11 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
377 for (j = 0; j < i; j++) 374 for (j = 0; j < i; j++)
378 close(new_fd[j]); 375 close(new_fd[j]);
379 for (j = 0; j < env_len; j++) 376 for (j = 0; j < env_len; j++)
380 xfree(cctx->env[j]); 377 free(cctx->env[j]);
381 if (env_len > 0) 378 free(cctx->env);
382 xfree(cctx->env); 379 free(cctx->term);
383 xfree(cctx->term);
384 buffer_free(&cctx->cmd); 380 buffer_free(&cctx->cmd);
385 xfree(cctx); 381 free(cctx);
386 382
387 /* prepare reply */ 383 /* prepare reply */
388 buffer_put_int(r, MUX_S_FAILURE); 384 buffer_put_int(r, MUX_S_FAILURE);
@@ -407,14 +403,14 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
407 close(new_fd[0]); 403 close(new_fd[0]);
408 close(new_fd[1]); 404 close(new_fd[1]);
409 close(new_fd[2]); 405 close(new_fd[2]);
410 xfree(cctx->term); 406 free(cctx->term);
411 if (env_len != 0) { 407 if (env_len != 0) {
412 for (i = 0; i < env_len; i++) 408 for (i = 0; i < env_len; i++)
413 xfree(cctx->env[i]); 409 free(cctx->env[i]);
414 xfree(cctx->env); 410 free(cctx->env);
415 } 411 }
416 buffer_free(&cctx->cmd); 412 buffer_free(&cctx->cmd);
417 xfree(cctx); 413 free(cctx);
418 return 0; 414 return 0;
419 } 415 }
420 416
@@ -619,7 +615,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
619 buffer_put_int(&out, MUX_S_FAILURE); 615 buffer_put_int(&out, MUX_S_FAILURE);
620 buffer_put_int(&out, fctx->rid); 616 buffer_put_int(&out, fctx->rid);
621 buffer_put_cstring(&out, failmsg); 617 buffer_put_cstring(&out, failmsg);
622 xfree(failmsg); 618 free(failmsg);
623 out: 619 out:
624 buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); 620 buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out));
625 buffer_free(&out); 621 buffer_free(&out);
@@ -634,25 +630,28 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
634 Forward fwd; 630 Forward fwd;
635 char *fwd_desc = NULL; 631 char *fwd_desc = NULL;
636 u_int ftype; 632 u_int ftype;
633 u_int lport, cport;
637 int i, ret = 0, freefwd = 1; 634 int i, ret = 0, freefwd = 1;
638 635
639 fwd.listen_host = fwd.connect_host = NULL; 636 fwd.listen_host = fwd.connect_host = NULL;
640 if (buffer_get_int_ret(&ftype, m) != 0 || 637 if (buffer_get_int_ret(&ftype, m) != 0 ||
641 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || 638 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
642 buffer_get_int_ret(&fwd.listen_port, m) != 0 || 639 buffer_get_int_ret(&lport, m) != 0 ||
643 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || 640 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
644 buffer_get_int_ret(&fwd.connect_port, m) != 0) { 641 buffer_get_int_ret(&cport, m) != 0 ||
642 lport > 65535 || cport > 65535) {
645 error("%s: malformed message", __func__); 643 error("%s: malformed message", __func__);
646 ret = -1; 644 ret = -1;
647 goto out; 645 goto out;
648 } 646 }
649 647 fwd.listen_port = lport;
648 fwd.connect_port = cport;
650 if (*fwd.listen_host == '\0') { 649 if (*fwd.listen_host == '\0') {
651 xfree(fwd.listen_host); 650 free(fwd.listen_host);
652 fwd.listen_host = NULL; 651 fwd.listen_host = NULL;
653 } 652 }
654 if (*fwd.connect_host == '\0') { 653 if (*fwd.connect_host == '\0') {
655 xfree(fwd.connect_host); 654 free(fwd.connect_host);
656 fwd.connect_host = NULL; 655 fwd.connect_host = NULL;
657 } 656 }
658 657
@@ -663,10 +662,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
663 ftype != MUX_FWD_DYNAMIC) { 662 ftype != MUX_FWD_DYNAMIC) {
664 logit("%s: invalid forwarding type %u", __func__, ftype); 663 logit("%s: invalid forwarding type %u", __func__, ftype);
665 invalid: 664 invalid:
666 if (fwd.listen_host) 665 free(fwd.listen_host);
667 xfree(fwd.listen_host); 666 free(fwd.connect_host);
668 if (fwd.connect_host)
669 xfree(fwd.connect_host);
670 buffer_put_int(r, MUX_S_FAILURE); 667 buffer_put_int(r, MUX_S_FAILURE);
671 buffer_put_int(r, rid); 668 buffer_put_int(r, rid);
672 buffer_put_cstring(r, "Invalid forwarding request"); 669 buffer_put_cstring(r, "Invalid forwarding request");
@@ -768,13 +765,10 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
768 buffer_put_int(r, MUX_S_OK); 765 buffer_put_int(r, MUX_S_OK);
769 buffer_put_int(r, rid); 766 buffer_put_int(r, rid);
770 out: 767 out:
771 if (fwd_desc != NULL) 768 free(fwd_desc);
772 xfree(fwd_desc);
773 if (freefwd) { 769 if (freefwd) {
774 if (fwd.listen_host != NULL) 770 free(fwd.listen_host);
775 xfree(fwd.listen_host); 771 free(fwd.connect_host);
776 if (fwd.connect_host != NULL)
777 xfree(fwd.connect_host);
778 } 772 }
779 return ret; 773 return ret;
780} 774}
@@ -787,24 +781,28 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
787 const char *error_reason = NULL; 781 const char *error_reason = NULL;
788 u_int ftype; 782 u_int ftype;
789 int i, listen_port, ret = 0; 783 int i, listen_port, ret = 0;
784 u_int lport, cport;
790 785
791 fwd.listen_host = fwd.connect_host = NULL; 786 fwd.listen_host = fwd.connect_host = NULL;
792 if (buffer_get_int_ret(&ftype, m) != 0 || 787 if (buffer_get_int_ret(&ftype, m) != 0 ||
793 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || 788 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
794 buffer_get_int_ret(&fwd.listen_port, m) != 0 || 789 buffer_get_int_ret(&lport, m) != 0 ||
795 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || 790 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
796 buffer_get_int_ret(&fwd.connect_port, m) != 0) { 791 buffer_get_int_ret(&cport, m) != 0 ||
792 lport > 65535 || cport > 65535) {
797 error("%s: malformed message", __func__); 793 error("%s: malformed message", __func__);
798 ret = -1; 794 ret = -1;
799 goto out; 795 goto out;
800 } 796 }
797 fwd.listen_port = lport;
798 fwd.connect_port = cport;
801 799
802 if (*fwd.listen_host == '\0') { 800 if (*fwd.listen_host == '\0') {
803 xfree(fwd.listen_host); 801 free(fwd.listen_host);
804 fwd.listen_host = NULL; 802 fwd.listen_host = NULL;
805 } 803 }
806 if (*fwd.connect_host == '\0') { 804 if (*fwd.connect_host == '\0') {
807 xfree(fwd.connect_host); 805 free(fwd.connect_host);
808 fwd.connect_host = NULL; 806 fwd.connect_host = NULL;
809 } 807 }
810 808
@@ -861,10 +859,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
861 buffer_put_int(r, MUX_S_OK); 859 buffer_put_int(r, MUX_S_OK);
862 buffer_put_int(r, rid); 860 buffer_put_int(r, rid);
863 861
864 if (found_fwd->listen_host != NULL) 862 free(found_fwd->listen_host);
865 xfree(found_fwd->listen_host); 863 free(found_fwd->connect_host);
866 if (found_fwd->connect_host != NULL)
867 xfree(found_fwd->connect_host);
868 found_fwd->listen_host = found_fwd->connect_host = NULL; 864 found_fwd->listen_host = found_fwd->connect_host = NULL;
869 found_fwd->listen_port = found_fwd->connect_port = 0; 865 found_fwd->listen_port = found_fwd->connect_port = 0;
870 } else { 866 } else {
@@ -873,12 +869,9 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
873 buffer_put_cstring(r, error_reason); 869 buffer_put_cstring(r, error_reason);
874 } 870 }
875 out: 871 out:
876 if (fwd_desc != NULL) 872 free(fwd_desc);
877 xfree(fwd_desc); 873 free(fwd.listen_host);
878 if (fwd.listen_host != NULL) 874 free(fwd.connect_host);
879 xfree(fwd.listen_host);
880 if (fwd.connect_host != NULL)
881 xfree(fwd.connect_host);
882 875
883 return ret; 876 return ret;
884} 877}
@@ -895,14 +888,12 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
895 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 888 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
896 (chost = buffer_get_string_ret(m, NULL)) == NULL || 889 (chost = buffer_get_string_ret(m, NULL)) == NULL ||
897 buffer_get_int_ret(&cport, m) != 0) { 890 buffer_get_int_ret(&cport, m) != 0) {
898 if (reserved != NULL) 891 free(reserved);
899 xfree(reserved); 892 free(chost);
900 if (chost != NULL)
901 xfree(chost);
902 error("%s: malformed message", __func__); 893 error("%s: malformed message", __func__);
903 return -1; 894 return -1;
904 } 895 }
905 xfree(reserved); 896 free(reserved);
906 897
907 debug2("%s: channel %d: request stdio fwd to %s:%u", 898 debug2("%s: channel %d: request stdio fwd to %s:%u",
908 __func__, c->self, chost, cport); 899 __func__, c->self, chost, cport);
@@ -914,7 +905,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
914 __func__, i); 905 __func__, i);
915 for (j = 0; j < i; j++) 906 for (j = 0; j < i; j++)
916 close(new_fd[j]); 907 close(new_fd[j]);
917 xfree(chost); 908 free(chost);
918 909
919 /* prepare reply */ 910 /* prepare reply */
920 buffer_put_int(r, MUX_S_FAILURE); 911 buffer_put_int(r, MUX_S_FAILURE);
@@ -938,7 +929,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
938 cleanup: 929 cleanup:
939 close(new_fd[0]); 930 close(new_fd[0]);
940 close(new_fd[1]); 931 close(new_fd[1]);
941 xfree(chost); 932 free(chost);
942 return 0; 933 return 0;
943 } 934 }
944 935
@@ -1000,7 +991,7 @@ process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r)
1000 if (mux_listener_channel != NULL) { 991 if (mux_listener_channel != NULL) {
1001 channel_free(mux_listener_channel); 992 channel_free(mux_listener_channel);
1002 client_stop_mux(); 993 client_stop_mux();
1003 xfree(options.control_path); 994 free(options.control_path);
1004 options.control_path = NULL; 995 options.control_path = NULL;
1005 mux_listener_channel = NULL; 996 mux_listener_channel = NULL;
1006 muxserver_sock = -1; 997 muxserver_sock = -1;
@@ -1100,7 +1091,7 @@ mux_exit_message(Channel *c, int exitval)
1100 Buffer m; 1091 Buffer m;
1101 Channel *mux_chan; 1092 Channel *mux_chan;
1102 1093
1103 debug3("%s: channel %d: exit message, evitval %d", __func__, c->self, 1094 debug3("%s: channel %d: exit message, exitval %d", __func__, c->self,
1104 exitval); 1095 exitval);
1105 1096
1106 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) 1097 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL)
@@ -1197,8 +1188,8 @@ muxserver_listen(void)
1197 close(muxserver_sock); 1188 close(muxserver_sock);
1198 muxserver_sock = -1; 1189 muxserver_sock = -1;
1199 } 1190 }
1200 xfree(orig_control_path); 1191 free(orig_control_path);
1201 xfree(options.control_path); 1192 free(options.control_path);
1202 options.control_path = NULL; 1193 options.control_path = NULL;
1203 options.control_master = SSHCTL_MASTER_NO; 1194 options.control_master = SSHCTL_MASTER_NO;
1204 return; 1195 return;
@@ -1223,7 +1214,7 @@ muxserver_listen(void)
1223 goto disable_mux_master; 1214 goto disable_mux_master;
1224 } 1215 }
1225 unlink(options.control_path); 1216 unlink(options.control_path);
1226 xfree(options.control_path); 1217 free(options.control_path);
1227 options.control_path = orig_control_path; 1218 options.control_path = orig_control_path;
1228 1219
1229 set_nonblock(muxserver_sock); 1220 set_nonblock(muxserver_sock);
@@ -1308,13 +1299,13 @@ mux_session_confirm(int id, int success, void *arg)
1308 cc->mux_pause = 0; /* start processing messages again */ 1299 cc->mux_pause = 0; /* start processing messages again */
1309 c->open_confirm_ctx = NULL; 1300 c->open_confirm_ctx = NULL;
1310 buffer_free(&cctx->cmd); 1301 buffer_free(&cctx->cmd);
1311 xfree(cctx->term); 1302 free(cctx->term);
1312 if (cctx->env != NULL) { 1303 if (cctx->env != NULL) {
1313 for (i = 0; cctx->env[i] != NULL; i++) 1304 for (i = 0; cctx->env[i] != NULL; i++)
1314 xfree(cctx->env[i]); 1305 free(cctx->env[i]);
1315 xfree(cctx->env); 1306 free(cctx->env);
1316 } 1307 }
1317 xfree(cctx); 1308 free(cctx);
1318} 1309}
1319 1310
1320/* ** Multiplexing client support */ 1311/* ** Multiplexing client support */
@@ -1444,7 +1435,9 @@ mux_client_read_packet(int fd, Buffer *m)
1444 buffer_init(&queue); 1435 buffer_init(&queue);
1445 if (mux_client_read(fd, &queue, 4) != 0) { 1436 if (mux_client_read(fd, &queue, 4) != 0) {
1446 if ((oerrno = errno) == EPIPE) 1437 if ((oerrno = errno) == EPIPE)
1447 debug3("%s: read header failed: %s", __func__, strerror(errno)); 1438 debug3("%s: read header failed: %s", __func__,
1439 strerror(errno));
1440 buffer_free(&queue);
1448 errno = oerrno; 1441 errno = oerrno;
1449 return -1; 1442 return -1;
1450 } 1443 }
@@ -1452,6 +1445,7 @@ mux_client_read_packet(int fd, Buffer *m)
1452 if (mux_client_read(fd, &queue, need) != 0) { 1445 if (mux_client_read(fd, &queue, need) != 0) {
1453 oerrno = errno; 1446 oerrno = errno;
1454 debug3("%s: read body failed: %s", __func__, strerror(errno)); 1447 debug3("%s: read body failed: %s", __func__, strerror(errno));
1448 buffer_free(&queue);
1455 errno = oerrno; 1449 errno = oerrno;
1456 return -1; 1450 return -1;
1457 } 1451 }
@@ -1498,8 +1492,8 @@ mux_client_hello_exchange(int fd)
1498 char *value = buffer_get_string(&m, NULL); 1492 char *value = buffer_get_string(&m, NULL);
1499 1493
1500 debug2("Unrecognised master extension \"%s\"", name); 1494 debug2("Unrecognised master extension \"%s\"", name);
1501 xfree(name); 1495 free(name);
1502 xfree(value); 1496 free(value);
1503 } 1497 }
1504 buffer_free(&m); 1498 buffer_free(&m);
1505 return 0; 1499 return 0;
@@ -1608,7 +1602,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
1608 fwd_desc = format_forward(ftype, fwd); 1602 fwd_desc = format_forward(ftype, fwd);
1609 debug("Requesting %s %s", 1603 debug("Requesting %s %s",
1610 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1604 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1611 xfree(fwd_desc); 1605 free(fwd_desc);
1612 1606
1613 buffer_init(&m); 1607 buffer_init(&m);
1614 buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD); 1608 buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
diff --git a/myproposal.h b/myproposal.h
index 99d093461..4e913e3ce 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -26,6 +26,8 @@
26 26
27#include <openssl/opensslv.h> 27#include <openssl/opensslv.h>
28 28
29/* conditional algorithm support */
30
29#ifdef OPENSSL_HAS_ECC 31#ifdef OPENSSL_HAS_ECC
30# define KEX_ECDH_METHODS \ 32# define KEX_ECDH_METHODS \
31 "ecdh-sha2-nistp256," \ 33 "ecdh-sha2-nistp256," \
@@ -45,12 +47,22 @@
45# define HOSTKEY_ECDSA_METHODS 47# define HOSTKEY_ECDSA_METHODS
46#endif 48#endif
47 49
48/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ 50#ifdef OPENSSL_HAVE_EVPGCM
49#if OPENSSL_VERSION_NUMBER >= 0x00907000L 51# define AESGCM_CIPHER_MODES \
52 "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
53#else
54# define AESGCM_CIPHER_MODES
55#endif
56
57#ifdef HAVE_EVP_SHA256
50# define KEX_SHA256_METHODS \ 58# define KEX_SHA256_METHODS \
51 "diffie-hellman-group-exchange-sha256," 59 "diffie-hellman-group-exchange-sha256,"
60#define SHA2_HMAC_MODES \
61 "hmac-sha2-256," \
62 "hmac-sha2-512,"
52#else 63#else
53# define KEX_SHA256_METHODS 64# define KEX_SHA256_METHODS
65# define SHA2_HMAC_MODES
54#endif 66#endif
55 67
56# define KEX_DEFAULT_KEX \ 68# define KEX_DEFAULT_KEX \
@@ -70,19 +82,15 @@
70 "ssh-rsa," \ 82 "ssh-rsa," \
71 "ssh-dss" 83 "ssh-dss"
72 84
85/* the actual algorithms */
86
73#define KEX_DEFAULT_ENCRYPT \ 87#define KEX_DEFAULT_ENCRYPT \
74 "aes128-ctr,aes192-ctr,aes256-ctr," \ 88 "aes128-ctr,aes192-ctr,aes256-ctr," \
75 "arcfour256,arcfour128," \ 89 "arcfour256,arcfour128," \
76 "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ 90 AESGCM_CIPHER_MODES \
77 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ 91 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
78 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" 92 "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
79#ifdef HAVE_EVP_SHA256 93
80#define SHA2_HMAC_MODES \
81 "hmac-sha2-256," \
82 "hmac-sha2-512,"
83#else
84# define SHA2_HMAC_MODES
85#endif
86#define KEX_DEFAULT_MAC \ 94#define KEX_DEFAULT_MAC \
87 "hmac-md5-etm@openssh.com," \ 95 "hmac-md5-etm@openssh.com," \
88 "hmac-sha1-etm@openssh.com," \ 96 "hmac-sha1-etm@openssh.com," \
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index e1c3651e8..365cf006d 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $ 1# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@
16INSTALL=@INSTALL@ 16INSTALL=@INSTALL@
17LDFLAGS=-L. @LDFLAGS@ 17LDFLAGS=-L. @LDFLAGS@
18 18
19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o 19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
20 20
21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 21COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22 22
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index d3d2d913a..267e77a11 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -97,7 +97,7 @@ fetch_windows_environment(void)
97void 97void
98free_windows_environment(char **p) 98free_windows_environment(char **p)
99{ 99{
100 xfree(p); 100 free(p);
101} 101}
102 102
103#endif /* HAVE_CYGWIN */ 103#endif /* HAVE_CYGWIN */
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 6061a6b01..372e41955 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
1/* $Id: bsd-cygwin_util.h,v 1.15.4.1 2013/04/04 23:53:31 dtucker Exp $ */ 1/* $Id: bsd-cygwin_util.h,v 1.16 2013/04/01 01:40:49 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com> 4 * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index 430066376..65c18ec2f 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
1/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */ 1/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org> 4 * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -110,4 +110,16 @@ int isblank(int);
110pid_t getpgid(pid_t); 110pid_t getpgid(pid_t);
111#endif 111#endif
112 112
113#ifndef HAVE_ENDGRENT
114# define endgrent() {}
115#endif
116
117#ifndef HAVE_KRB5_GET_ERROR_MESSAGE
118# define krb5_get_error_message krb5_get_err_text
119#endif
120
121#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE
122# define krb5_free_error_message(a,b) while(0)
123#endif
124
113#endif /* _BSD_MISC_H */ 125#endif /* _BSD_MISC_H */
diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c
deleted file mode 100644
index 5450e43d9..000000000
--- a/openbsd-compat/getopt.c
+++ /dev/null
@@ -1,123 +0,0 @@
1/*
2 * Copyright (c) 1987, 1993, 1994
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
31
32#include "includes.h"
33#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
34
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42
43int BSDopterr = 1, /* if error message should be printed */
44 BSDoptind = 1, /* index into parent argv vector */
45 BSDoptopt, /* character checked for validity */
46 BSDoptreset; /* reset getopt */
47char *BSDoptarg; /* argument associated with option */
48
49#define BADCH (int)'?'
50#define BADARG (int)':'
51#define EMSG ""
52
53/*
54 * getopt --
55 * Parse argc/argv argument vector.
56 */
57int
58BSDgetopt(nargc, nargv, ostr)
59 int nargc;
60 char * const *nargv;
61 const char *ostr;
62{
63 extern char *__progname;
64 static char *place = EMSG; /* option letter processing */
65 char *oli; /* option letter list index */
66
67 if (ostr == NULL)
68 return (-1);
69
70 if (BSDoptreset || !*place) { /* update scanning pointer */
71 BSDoptreset = 0;
72 if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') {
73 place = EMSG;
74 return (-1);
75 }
76 if (place[1] && *++place == '-') { /* found "--" */
77 ++BSDoptind;
78 place = EMSG;
79 return (-1);
80 }
81 } /* option letter okay? */
82 if ((BSDoptopt = (int)*place++) == (int)':' ||
83 !(oli = strchr(ostr, BSDoptopt))) {
84 /*
85 * if the user didn't specify '-' as an option,
86 * assume it means -1.
87 */
88 if (BSDoptopt == (int)'-')
89 return (-1);
90 if (!*place)
91 ++BSDoptind;
92 if (BSDopterr && *ostr != ':')
93 (void)fprintf(stderr,
94 "%s: illegal option -- %c\n", __progname, BSDoptopt);
95 return (BADCH);
96 }
97 if (*++oli != ':') { /* don't need argument */
98 BSDoptarg = NULL;
99 if (!*place)
100 ++BSDoptind;
101 }
102 else { /* need an argument */
103 if (*place) /* no white space */
104 BSDoptarg = place;
105 else if (nargc <= ++BSDoptind) { /* no arg */
106 place = EMSG;
107 if (*ostr == ':')
108 return (BADARG);
109 if (BSDopterr)
110 (void)fprintf(stderr,
111 "%s: option requires an argument -- %c\n",
112 __progname, BSDoptopt);
113 return (BADCH);
114 }
115 else /* white space */
116 BSDoptarg = nargv[BSDoptind];
117 place = EMSG;
118 ++BSDoptind;
119 }
120 return (BSDoptopt); /* dump back option letter */
121}
122
123#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */
diff --git a/openbsd-compat/getopt.h b/openbsd-compat/getopt.h
new file mode 100644
index 000000000..8eb12447e
--- /dev/null
+++ b/openbsd-compat/getopt.h
@@ -0,0 +1,74 @@
1/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */
2/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */
3
4/*-
5 * Copyright (c) 2000 The NetBSD Foundation, Inc.
6 * All rights reserved.
7 *
8 * This code is derived from software contributed to The NetBSD Foundation
9 * by Dieter Baron and Thomas Klausner.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
23 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
24 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#ifndef _GETOPT_H_
34#define _GETOPT_H_
35
36/*
37 * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
38 */
39#define no_argument 0
40#define required_argument 1
41#define optional_argument 2
42
43struct option {
44 /* name of long option */
45 const char *name;
46 /*
47 * one of no_argument, required_argument, and optional_argument:
48 * whether option takes an argument
49 */
50 int has_arg;
51 /* if not NULL, set *flag to val when option found */
52 int *flag;
53 /* if flag not NULL, value to set *flag to; else return value */
54 int val;
55};
56
57int getopt_long(int, char * const *, const char *,
58 const struct option *, int *);
59int getopt_long_only(int, char * const *, const char *,
60 const struct option *, int *);
61#ifndef _GETOPT_DEFINED_
62#define _GETOPT_DEFINED_
63int getopt(int, char * const *, const char *);
64int getsubopt(char **, char * const *, char **);
65
66extern char *optarg; /* getopt(3) external variables */
67extern int opterr;
68extern int optind;
69extern int optopt;
70extern int optreset;
71extern char *suboptarg; /* getsubopt(3) external variable */
72#endif
73
74#endif /* !_GETOPT_H_ */
diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c
new file mode 100644
index 000000000..e28947430
--- /dev/null
+++ b/openbsd-compat/getopt_long.c
@@ -0,0 +1,532 @@
1/* $OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $ */
2/* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */
3
4/*
5 * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 *
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
22 */
23/*-
24 * Copyright (c) 2000 The NetBSD Foundation, Inc.
25 * All rights reserved.
26 *
27 * This code is derived from software contributed to The NetBSD Foundation
28 * by Dieter Baron and Thomas Klausner.
29 *
30 * Redistribution and use in source and binary forms, with or without
31 * modification, are permitted provided that the following conditions
32 * are met:
33 * 1. Redistributions of source code must retain the above copyright
34 * notice, this list of conditions and the following disclaimer.
35 * 2. Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer in the
37 * documentation and/or other materials provided with the distribution.
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
40 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
41 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
43 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
44 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
45 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
46 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
47 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
49 * POSSIBILITY OF SUCH DAMAGE.
50 */
51
52/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt_long.c */
53#include "includes.h"
54
55#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
56
57/*
58 * Some defines to make it easier to keep the code in sync with upstream.
59 * getopt opterr optind optopt optreset optarg are all in defines.h which is
60 * pulled in by includes.h.
61 */
62#define warnx logit
63
64#if 0
65#include <err.h>
66#include <getopt.h>
67#endif
68#include <errno.h>
69#include <stdlib.h>
70#include <string.h>
71#include <stdarg.h>
72
73#include "log.h"
74
75int opterr = 1; /* if error message should be printed */
76int optind = 1; /* index into parent argv vector */
77int optopt = '?'; /* character checked for validity */
78int optreset; /* reset getopt */
79char *optarg; /* argument associated with option */
80
81#define PRINT_ERROR ((opterr) && (*options != ':'))
82
83#define FLAG_PERMUTE 0x01 /* permute non-options to the end of argv */
84#define FLAG_ALLARGS 0x02 /* treat non-options as args to option "-1" */
85#define FLAG_LONGONLY 0x04 /* operate as getopt_long_only */
86
87/* return values */
88#define BADCH (int)'?'
89#define BADARG ((*options == ':') ? (int)':' : (int)'?')
90#define INORDER (int)1
91
92#define EMSG ""
93
94static int getopt_internal(int, char * const *, const char *,
95 const struct option *, int *, int);
96static int parse_long_options(char * const *, const char *,
97 const struct option *, int *, int);
98static int gcd(int, int);
99static void permute_args(int, int, int, char * const *);
100
101static char *place = EMSG; /* option letter processing */
102
103/* XXX: set optreset to 1 rather than these two */
104static int nonopt_start = -1; /* first non option argument (for permute) */
105static int nonopt_end = -1; /* first option after non options (for permute) */
106
107/* Error messages */
108static const char recargchar[] = "option requires an argument -- %c";
109static const char recargstring[] = "option requires an argument -- %s";
110static const char ambig[] = "ambiguous option -- %.*s";
111static const char noarg[] = "option doesn't take an argument -- %.*s";
112static const char illoptchar[] = "unknown option -- %c";
113static const char illoptstring[] = "unknown option -- %s";
114
115/*
116 * Compute the greatest common divisor of a and b.
117 */
118static int
119gcd(int a, int b)
120{
121 int c;
122
123 c = a % b;
124 while (c != 0) {
125 a = b;
126 b = c;
127 c = a % b;
128 }
129
130 return (b);
131}
132
133/*
134 * Exchange the block from nonopt_start to nonopt_end with the block
135 * from nonopt_end to opt_end (keeping the same order of arguments
136 * in each block).
137 */
138static void
139permute_args(int panonopt_start, int panonopt_end, int opt_end,
140 char * const *nargv)
141{
142 int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos;
143 char *swap;
144
145 /*
146 * compute lengths of blocks and number and size of cycles
147 */
148 nnonopts = panonopt_end - panonopt_start;
149 nopts = opt_end - panonopt_end;
150 ncycle = gcd(nnonopts, nopts);
151 cyclelen = (opt_end - panonopt_start) / ncycle;
152
153 for (i = 0; i < ncycle; i++) {
154 cstart = panonopt_end+i;
155 pos = cstart;
156 for (j = 0; j < cyclelen; j++) {
157 if (pos >= panonopt_end)
158 pos -= nnonopts;
159 else
160 pos += nopts;
161 swap = nargv[pos];
162 /* LINTED const cast */
163 ((char **) nargv)[pos] = nargv[cstart];
164 /* LINTED const cast */
165 ((char **)nargv)[cstart] = swap;
166 }
167 }
168}
169
170/*
171 * parse_long_options --
172 * Parse long options in argc/argv argument vector.
173 * Returns -1 if short_too is set and the option does not match long_options.
174 */
175static int
176parse_long_options(char * const *nargv, const char *options,
177 const struct option *long_options, int *idx, int short_too)
178{
179 char *current_argv, *has_equal;
180 size_t current_argv_len;
181 int i, match;
182
183 current_argv = place;
184 match = -1;
185
186 optind++;
187
188 if ((has_equal = strchr(current_argv, '=')) != NULL) {
189 /* argument found (--option=arg) */
190 current_argv_len = has_equal - current_argv;
191 has_equal++;
192 } else
193 current_argv_len = strlen(current_argv);
194
195 for (i = 0; long_options[i].name; i++) {
196 /* find matching long option */
197 if (strncmp(current_argv, long_options[i].name,
198 current_argv_len))
199 continue;
200
201 if (strlen(long_options[i].name) == current_argv_len) {
202 /* exact match */
203 match = i;
204 break;
205 }
206 /*
207 * If this is a known short option, don't allow
208 * a partial match of a single character.
209 */
210 if (short_too && current_argv_len == 1)
211 continue;
212
213 if (match == -1) /* partial match */
214 match = i;
215 else {
216 /* ambiguous abbreviation */
217 if (PRINT_ERROR)
218 warnx(ambig, (int)current_argv_len,
219 current_argv);
220 optopt = 0;
221 return (BADCH);
222 }
223 }
224 if (match != -1) { /* option found */
225 if (long_options[match].has_arg == no_argument
226 && has_equal) {
227 if (PRINT_ERROR)
228 warnx(noarg, (int)current_argv_len,
229 current_argv);
230 /*
231 * XXX: GNU sets optopt to val regardless of flag
232 */
233 if (long_options[match].flag == NULL)
234 optopt = long_options[match].val;
235 else
236 optopt = 0;
237 return (BADARG);
238 }
239 if (long_options[match].has_arg == required_argument ||
240 long_options[match].has_arg == optional_argument) {
241 if (has_equal)
242 optarg = has_equal;
243 else if (long_options[match].has_arg ==
244 required_argument) {
245 /*
246 * optional argument doesn't use next nargv
247 */
248 optarg = nargv[optind++];
249 }
250 }
251 if ((long_options[match].has_arg == required_argument)
252 && (optarg == NULL)) {
253 /*
254 * Missing argument; leading ':' indicates no error
255 * should be generated.
256 */
257 if (PRINT_ERROR)
258 warnx(recargstring,
259 current_argv);
260 /*
261 * XXX: GNU sets optopt to val regardless of flag
262 */
263 if (long_options[match].flag == NULL)
264 optopt = long_options[match].val;
265 else
266 optopt = 0;
267 --optind;
268 return (BADARG);
269 }
270 } else { /* unknown option */
271 if (short_too) {
272 --optind;
273 return (-1);
274 }
275 if (PRINT_ERROR)
276 warnx(illoptstring, current_argv);
277 optopt = 0;
278 return (BADCH);
279 }
280 if (idx)
281 *idx = match;
282 if (long_options[match].flag) {
283 *long_options[match].flag = long_options[match].val;
284 return (0);
285 } else
286 return (long_options[match].val);
287}
288
289/*
290 * getopt_internal --
291 * Parse argc/argv argument vector. Called by user level routines.
292 */
293static int
294getopt_internal(int nargc, char * const *nargv, const char *options,
295 const struct option *long_options, int *idx, int flags)
296{
297 char *oli; /* option letter list index */
298 int optchar, short_too;
299 static int posixly_correct = -1;
300
301 if (options == NULL)
302 return (-1);
303
304 /*
305 * XXX Some GNU programs (like cvs) set optind to 0 instead of
306 * XXX using optreset. Work around this braindamage.
307 */
308 if (optind == 0)
309 optind = optreset = 1;
310
311 /*
312 * Disable GNU extensions if POSIXLY_CORRECT is set or options
313 * string begins with a '+'.
314 */
315 if (posixly_correct == -1 || optreset)
316 posixly_correct = (getenv("POSIXLY_CORRECT") != NULL);
317 if (*options == '-')
318 flags |= FLAG_ALLARGS;
319 else if (posixly_correct || *options == '+')
320 flags &= ~FLAG_PERMUTE;
321 if (*options == '+' || *options == '-')
322 options++;
323
324 optarg = NULL;
325 if (optreset)
326 nonopt_start = nonopt_end = -1;
327start:
328 if (optreset || !*place) { /* update scanning pointer */
329 optreset = 0;
330 if (optind >= nargc) { /* end of argument vector */
331 place = EMSG;
332 if (nonopt_end != -1) {
333 /* do permutation, if we have to */
334 permute_args(nonopt_start, nonopt_end,
335 optind, nargv);
336 optind -= nonopt_end - nonopt_start;
337 }
338 else if (nonopt_start != -1) {
339 /*
340 * If we skipped non-options, set optind
341 * to the first of them.
342 */
343 optind = nonopt_start;
344 }
345 nonopt_start = nonopt_end = -1;
346 return (-1);
347 }
348 if (*(place = nargv[optind]) != '-' ||
349 (place[1] == '\0' && strchr(options, '-') == NULL)) {
350 place = EMSG; /* found non-option */
351 if (flags & FLAG_ALLARGS) {
352 /*
353 * GNU extension:
354 * return non-option as argument to option 1
355 */
356 optarg = nargv[optind++];
357 return (INORDER);
358 }
359 if (!(flags & FLAG_PERMUTE)) {
360 /*
361 * If no permutation wanted, stop parsing
362 * at first non-option.
363 */
364 return (-1);
365 }
366 /* do permutation */
367 if (nonopt_start == -1)
368 nonopt_start = optind;
369 else if (nonopt_end != -1) {
370 permute_args(nonopt_start, nonopt_end,
371 optind, nargv);
372 nonopt_start = optind -
373 (nonopt_end - nonopt_start);
374 nonopt_end = -1;
375 }
376 optind++;
377 /* process next argument */
378 goto start;
379 }
380 if (nonopt_start != -1 && nonopt_end == -1)
381 nonopt_end = optind;
382
383 /*
384 * If we have "-" do nothing, if "--" we are done.
385 */
386 if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
387 optind++;
388 place = EMSG;
389 /*
390 * We found an option (--), so if we skipped
391 * non-options, we have to permute.
392 */
393 if (nonopt_end != -1) {
394 permute_args(nonopt_start, nonopt_end,
395 optind, nargv);
396 optind -= nonopt_end - nonopt_start;
397 }
398 nonopt_start = nonopt_end = -1;
399 return (-1);
400 }
401 }
402
403 /*
404 * Check long options if:
405 * 1) we were passed some
406 * 2) the arg is not just "-"
407 * 3) either the arg starts with -- we are getopt_long_only()
408 */
409 if (long_options != NULL && place != nargv[optind] &&
410 (*place == '-' || (flags & FLAG_LONGONLY))) {
411 short_too = 0;
412 if (*place == '-')
413 place++; /* --foo long option */
414 else if (*place != ':' && strchr(options, *place) != NULL)
415 short_too = 1; /* could be short option too */
416
417 optchar = parse_long_options(nargv, options, long_options,
418 idx, short_too);
419 if (optchar != -1) {
420 place = EMSG;
421 return (optchar);
422 }
423 }
424
425 if ((optchar = (int)*place++) == (int)':' ||
426 (optchar == (int)'-' && *place != '\0') ||
427 (oli = strchr(options, optchar)) == NULL) {
428 /*
429 * If the user specified "-" and '-' isn't listed in
430 * options, return -1 (non-option) as per POSIX.
431 * Otherwise, it is an unknown option character (or ':').
432 */
433 if (optchar == (int)'-' && *place == '\0')
434 return (-1);
435 if (!*place)
436 ++optind;
437 if (PRINT_ERROR)
438 warnx(illoptchar, optchar);
439 optopt = optchar;
440 return (BADCH);
441 }
442 if (long_options != NULL && optchar == 'W' && oli[1] == ';') {
443 /* -W long-option */
444 if (*place) /* no space */
445 /* NOTHING */;
446 else if (++optind >= nargc) { /* no arg */
447 place = EMSG;
448 if (PRINT_ERROR)
449 warnx(recargchar, optchar);
450 optopt = optchar;
451 return (BADARG);
452 } else /* white space */
453 place = nargv[optind];
454 optchar = parse_long_options(nargv, options, long_options,
455 idx, 0);
456 place = EMSG;
457 return (optchar);
458 }
459 if (*++oli != ':') { /* doesn't take argument */
460 if (!*place)
461 ++optind;
462 } else { /* takes (optional) argument */
463 optarg = NULL;
464 if (*place) /* no white space */
465 optarg = place;
466 else if (oli[1] != ':') { /* arg not optional */
467 if (++optind >= nargc) { /* no arg */
468 place = EMSG;
469 if (PRINT_ERROR)
470 warnx(recargchar, optchar);
471 optopt = optchar;
472 return (BADARG);
473 } else
474 optarg = nargv[optind];
475 }
476 place = EMSG;
477 ++optind;
478 }
479 /* dump back option letter */
480 return (optchar);
481}
482
483/*
484 * getopt --
485 * Parse argc/argv argument vector.
486 *
487 * [eventually this will replace the BSD getopt]
488 */
489int
490getopt(int nargc, char * const *nargv, const char *options)
491{
492
493 /*
494 * We don't pass FLAG_PERMUTE to getopt_internal() since
495 * the BSD getopt(3) (unlike GNU) has never done this.
496 *
497 * Furthermore, since many privileged programs call getopt()
498 * before dropping privileges it makes sense to keep things
499 * as simple (and bug-free) as possible.
500 */
501 return (getopt_internal(nargc, nargv, options, NULL, NULL, 0));
502}
503
504#if 0
505/*
506 * getopt_long --
507 * Parse argc/argv argument vector.
508 */
509int
510getopt_long(int nargc, char * const *nargv, const char *options,
511 const struct option *long_options, int *idx)
512{
513
514 return (getopt_internal(nargc, nargv, options, long_options, idx,
515 FLAG_PERMUTE));
516}
517
518/*
519 * getopt_long_only --
520 * Parse argc/argv argument vector.
521 */
522int
523getopt_long_only(int nargc, char * const *nargv, const char *options,
524 const struct option *long_options, int *idx)
525{
526
527 return (getopt_internal(nargc, nargv, options, long_options, idx,
528 FLAG_PERMUTE|FLAG_LONGONLY));
529}
530#endif
531
532#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */
diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
index 19666346b..343720f10 100644
--- a/openbsd-compat/getrrsetbyname-ldns.c
+++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -58,7 +58,6 @@
58 58
59#define malloc(x) (xmalloc(x)) 59#define malloc(x) (xmalloc(x))
60#define calloc(x, y) (xcalloc((x),(y))) 60#define calloc(x, y) (xcalloc((x),(y)))
61#define free(x) (xfree(x))
62 61
63int 62int
64getrrsetbyname(const char *hostname, unsigned int rdclass, 63getrrsetbyname(const char *hostname, unsigned int rdclass,
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index a8c579f49..392fa38dc 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ 1/* $Id: openbsd-compat.h,v 1.58 2013/06/05 22:30:21 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -111,6 +111,10 @@ char *dirname(const char *path);
111int fmt_scaled(long long number, char *result); 111int fmt_scaled(long long number, char *result);
112#endif 112#endif
113 113
114#ifndef HAVE_SCAN_SCALED
115int scan_scaled(char *, long long *);
116#endif
117
114#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) 118#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
115char *inet_ntoa(struct in_addr in); 119char *inet_ntoa(struct in_addr in);
116#endif 120#endif
@@ -139,6 +143,7 @@ int getgrouplist(const char *, gid_t, gid_t *, int *);
139 143
140#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) 144#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
141int BSDgetopt(int argc, char * const *argv, const char *opts); 145int BSDgetopt(int argc, char * const *argv, const char *opts);
146#include "openbsd-compat/getopt.h"
142#endif 147#endif
143 148
144#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0 149#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0
@@ -202,6 +207,11 @@ unsigned long long strtoull(const char *, char **, int);
202long long strtonum(const char *, long long, long long, const char **); 207long long strtonum(const char *, long long, long long, const char **);
203#endif 208#endif
204 209
210/* multibyte character support */
211#ifndef HAVE_MBLEN
212# define mblen(x, y) 1
213#endif
214
205#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF) 215#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF)
206# include <stdarg.h> 216# include <stdarg.h>
207#endif 217#endif
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 0bdefbf6d..8da367d48 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -86,7 +86,7 @@ aix_usrinfo(struct passwd *pw)
86 fatal("Couldn't set usrinfo: %s", strerror(errno)); 86 fatal("Couldn't set usrinfo: %s", strerror(errno));
87 debug3("AIX/UsrInfo: set len %d", i); 87 debug3("AIX/UsrInfo: set len %d", i);
88 88
89 xfree(cp); 89 free(cp);
90} 90}
91 91
92# ifdef WITH_AIXAUTHENTICATE 92# ifdef WITH_AIXAUTHENTICATE
@@ -215,16 +215,14 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
215 default: /* user can't change(2) or other error (-1) */ 215 default: /* user can't change(2) or other error (-1) */
216 logit("Password can't be changed for user %s: %.100s", 216 logit("Password can't be changed for user %s: %.100s",
217 name, msg); 217 name, msg);
218 if (msg) 218 free(msg);
219 xfree(msg);
220 authsuccess = 0; 219 authsuccess = 0;
221 } 220 }
222 221
223 aix_restoreauthdb(); 222 aix_restoreauthdb();
224 } 223 }
225 224
226 if (authmsg != NULL) 225 free(authmsg);
227 xfree(authmsg);
228 226
229 return authsuccess; 227 return authsuccess;
230} 228}
@@ -269,7 +267,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
269 267
270 if (!permitted) 268 if (!permitted)
271 logit("Login restricted for %s: %.100s", pw->pw_name, msg); 269 logit("Login restricted for %s: %.100s", pw->pw_name, msg);
272 xfree(msg); 270 free(msg);
273 return permitted; 271 return permitted;
274} 272}
275 273
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 2b8a14a59..de6ad3fd7 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
1/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */ 1/* $Id: port-linux.c,v 1.18 2013/06/01 22:07:32 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> 4 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -109,10 +109,8 @@ ssh_selinux_getctxbyname(char *pwname, const char *role)
109 } 109 }
110 110
111#ifdef HAVE_GETSEUSERBYNAME 111#ifdef HAVE_GETSEUSERBYNAME
112 if (sename != NULL) 112 free(sename);
113 xfree(sename); 113 free(lvl);
114 if (lvl != NULL)
115 xfree(lvl);
116#endif 114#endif
117 115
118 return sc; 116 return sc;
@@ -230,8 +228,8 @@ ssh_selinux_change_context(const char *newname)
230 if (setcon(newctx) < 0) 228 if (setcon(newctx) < 0)
231 switchlog("%s: setcon %s from %s failed with %s", __func__, 229 switchlog("%s: setcon %s from %s failed with %s", __func__,
232 newctx, oldctx, strerror(errno)); 230 newctx, oldctx, strerror(errno));
233 xfree(oldctx); 231 free(oldctx);
234 xfree(newctx); 232 free(newctx);
235} 233}
236 234
237void 235void
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 6291e2884..c8aea461d 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -55,7 +55,12 @@
55 55
56# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) 56# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
57# include "md5crypt.h" 57# include "md5crypt.h"
58# endif 58# endif
59
60# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
61# include <openssl/des.h>
62# define crypt DES_crypt
63# endif
59 64
60char * 65char *
61xcrypt(const char *password, const char *salt) 66xcrypt(const char *password, const char *salt)
diff --git a/packet.c b/packet.c
index 3e835d360..0d27e7592 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ 1/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -58,6 +58,7 @@
58#include <string.h> 58#include <string.h>
59#include <unistd.h> 59#include <unistd.h>
60#include <signal.h> 60#include <signal.h>
61#include <time.h>
61 62
62#include "xmalloc.h" 63#include "xmalloc.h"
63#include "buffer.h" 64#include "buffer.h"
@@ -165,9 +166,14 @@ struct session_state {
165 Newkeys *newkeys[MODE_MAX]; 166 Newkeys *newkeys[MODE_MAX];
166 struct packet_state p_read, p_send; 167 struct packet_state p_read, p_send;
167 168
169 /* Volume-based rekeying */
168 u_int64_t max_blocks_in, max_blocks_out; 170 u_int64_t max_blocks_in, max_blocks_out;
169 u_int32_t rekey_limit; 171 u_int32_t rekey_limit;
170 172
173 /* Time-based rekeying */
174 time_t rekey_interval; /* how often in seconds */
175 time_t rekey_time; /* time of last rekeying */
176
171 /* Session key for protocol v1 */ 177 /* Session key for protocol v1 */
172 u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; 178 u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
173 u_int ssh1_keylen; 179 u_int ssh1_keylen;
@@ -215,7 +221,7 @@ alloc_session_state(void)
215void 221void
216packet_set_connection(int fd_in, int fd_out) 222packet_set_connection(int fd_in, int fd_out)
217{ 223{
218 Cipher *none = cipher_by_name("none"); 224 const Cipher *none = cipher_by_name("none");
219 225
220 if (none == NULL) 226 if (none == NULL)
221 fatal("packet_set_connection: cannot load cipher 'none'"); 227 fatal("packet_set_connection: cannot load cipher 'none'");
@@ -545,7 +551,7 @@ packet_start_compression(int level)
545void 551void
546packet_set_encryption_key(const u_char *key, u_int keylen, int number) 552packet_set_encryption_key(const u_char *key, u_int keylen, int number)
547{ 553{
548 Cipher *cipher = cipher_by_number(number); 554 const Cipher *cipher = cipher_by_number(number);
549 555
550 if (cipher == NULL) 556 if (cipher == NULL)
551 fatal("packet_set_encryption_key: unknown cipher number %d", number); 557 fatal("packet_set_encryption_key: unknown cipher number %d", number);
@@ -760,13 +766,13 @@ set_newkeys(int mode)
760 memset(enc->iv, 0, enc->iv_len); 766 memset(enc->iv, 0, enc->iv_len);
761 memset(enc->key, 0, enc->key_len); 767 memset(enc->key, 0, enc->key_len);
762 memset(mac->key, 0, mac->key_len); 768 memset(mac->key, 0, mac->key_len);
763 xfree(enc->name); 769 free(enc->name);
764 xfree(enc->iv); 770 free(enc->iv);
765 xfree(enc->key); 771 free(enc->key);
766 xfree(mac->name); 772 free(mac->name);
767 xfree(mac->key); 773 free(mac->key);
768 xfree(comp->name); 774 free(comp->name);
769 xfree(active_state->newkeys[mode]); 775 free(active_state->newkeys[mode]);
770 } 776 }
771 active_state->newkeys[mode] = kex_get_newkeys(mode); 777 active_state->newkeys[mode] = kex_get_newkeys(mode);
772 if (active_state->newkeys[mode] == NULL) 778 if (active_state->newkeys[mode] == NULL)
@@ -1009,6 +1015,7 @@ packet_send2(void)
1009 /* after a NEWKEYS message we can send the complete queue */ 1015 /* after a NEWKEYS message we can send the complete queue */
1010 if (type == SSH2_MSG_NEWKEYS) { 1016 if (type == SSH2_MSG_NEWKEYS) {
1011 active_state->rekeying = 0; 1017 active_state->rekeying = 0;
1018 active_state->rekey_time = monotime();
1012 while ((p = TAILQ_FIRST(&active_state->outgoing))) { 1019 while ((p = TAILQ_FIRST(&active_state->outgoing))) {
1013 type = p->type; 1020 type = p->type;
1014 debug("dequeue packet: %u", type); 1021 debug("dequeue packet: %u", type);
@@ -1016,7 +1023,7 @@ packet_send2(void)
1016 memcpy(&active_state->outgoing_packet, &p->payload, 1023 memcpy(&active_state->outgoing_packet, &p->payload,
1017 sizeof(Buffer)); 1024 sizeof(Buffer));
1018 TAILQ_REMOVE(&active_state->outgoing, p, next); 1025 TAILQ_REMOVE(&active_state->outgoing, p, next);
1019 xfree(p); 1026 free(p);
1020 packet_send2_wrapped(); 1027 packet_send2_wrapped();
1021 } 1028 }
1022 } 1029 }
@@ -1041,7 +1048,7 @@ packet_send(void)
1041int 1048int
1042packet_read_seqnr(u_int32_t *seqnr_p) 1049packet_read_seqnr(u_int32_t *seqnr_p)
1043{ 1050{
1044 int type, len, ret, ms_remain, cont; 1051 int type, len, ret, cont, ms_remain = 0;
1045 fd_set *setp; 1052 fd_set *setp;
1046 char buf[8192]; 1053 char buf[8192];
1047 struct timeval timeout, start, *timeoutp = NULL; 1054 struct timeval timeout, start, *timeoutp = NULL;
@@ -1066,7 +1073,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
1066 packet_check_eom(); 1073 packet_check_eom();
1067 /* If we got a packet, return it. */ 1074 /* If we got a packet, return it. */
1068 if (type != SSH_MSG_NONE) { 1075 if (type != SSH_MSG_NONE) {
1069 xfree(setp); 1076 free(setp);
1070 return type; 1077 return type;
1071 } 1078 }
1072 /* 1079 /*
@@ -1453,9 +1460,9 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1453 packet_get_char(); 1460 packet_get_char();
1454 msg = packet_get_string(NULL); 1461 msg = packet_get_string(NULL);
1455 debug("Remote: %.900s", msg); 1462 debug("Remote: %.900s", msg);
1456 xfree(msg); 1463 free(msg);
1457 msg = packet_get_string(NULL); 1464 msg = packet_get_string(NULL);
1458 xfree(msg); 1465 free(msg);
1459 break; 1466 break;
1460 case SSH2_MSG_DISCONNECT: 1467 case SSH2_MSG_DISCONNECT:
1461 reason = packet_get_int(); 1468 reason = packet_get_int();
@@ -1466,7 +1473,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1466 SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, 1473 SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
1467 "Received disconnect from %s: %u: %.400s", 1474 "Received disconnect from %s: %u: %.400s",
1468 get_remote_ipaddr(), reason, msg); 1475 get_remote_ipaddr(), reason, msg);
1469 xfree(msg); 1476 free(msg);
1470 cleanup_exit(255); 1477 cleanup_exit(255);
1471 break; 1478 break;
1472 case SSH2_MSG_UNIMPLEMENTED: 1479 case SSH2_MSG_UNIMPLEMENTED:
@@ -1480,12 +1487,14 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1480 } else { 1487 } else {
1481 type = packet_read_poll1(); 1488 type = packet_read_poll1();
1482 switch (type) { 1489 switch (type) {
1490 case SSH_MSG_NONE:
1491 return SSH_MSG_NONE;
1483 case SSH_MSG_IGNORE: 1492 case SSH_MSG_IGNORE:
1484 break; 1493 break;
1485 case SSH_MSG_DEBUG: 1494 case SSH_MSG_DEBUG:
1486 msg = packet_get_string(NULL); 1495 msg = packet_get_string(NULL);
1487 debug("Remote: %.900s", msg); 1496 debug("Remote: %.900s", msg);
1488 xfree(msg); 1497 free(msg);
1489 break; 1498 break;
1490 case SSH_MSG_DISCONNECT: 1499 case SSH_MSG_DISCONNECT:
1491 msg = packet_get_string(NULL); 1500 msg = packet_get_string(NULL);
@@ -1494,8 +1503,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1494 cleanup_exit(255); 1503 cleanup_exit(255);
1495 break; 1504 break;
1496 default: 1505 default:
1497 if (type) 1506 DBG(debug("received packet type %d", type));
1498 DBG(debug("received packet type %d", type));
1499 return type; 1507 return type;
1500 } 1508 }
1501 } 1509 }
@@ -1732,7 +1740,7 @@ void
1732packet_write_wait(void) 1740packet_write_wait(void)
1733{ 1741{
1734 fd_set *setp; 1742 fd_set *setp;
1735 int ret, ms_remain; 1743 int ret, ms_remain = 0;
1736 struct timeval start, timeout, *timeoutp = NULL; 1744 struct timeval start, timeout, *timeoutp = NULL;
1737 1745
1738 setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, 1746 setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
@@ -1773,7 +1781,7 @@ packet_write_wait(void)
1773 } 1781 }
1774 packet_write_poll(); 1782 packet_write_poll();
1775 } 1783 }
1776 xfree(setp); 1784 free(setp);
1777} 1785}
1778 1786
1779/* Returns true if there is buffered data to write to the connection. */ 1787/* Returns true if there is buffered data to write to the connection. */
@@ -1933,13 +1941,33 @@ packet_need_rekeying(void)
1933 (active_state->max_blocks_out && 1941 (active_state->max_blocks_out &&
1934 (active_state->p_send.blocks > active_state->max_blocks_out)) || 1942 (active_state->p_send.blocks > active_state->max_blocks_out)) ||
1935 (active_state->max_blocks_in && 1943 (active_state->max_blocks_in &&
1936 (active_state->p_read.blocks > active_state->max_blocks_in)); 1944 (active_state->p_read.blocks > active_state->max_blocks_in)) ||
1945 (active_state->rekey_interval != 0 && active_state->rekey_time +
1946 active_state->rekey_interval <= monotime());
1937} 1947}
1938 1948
1939void 1949void
1940packet_set_rekey_limit(u_int32_t bytes) 1950packet_set_rekey_limits(u_int32_t bytes, time_t seconds)
1941{ 1951{
1952 debug3("rekey after %lld bytes, %d seconds", (long long)bytes,
1953 (int)seconds);
1942 active_state->rekey_limit = bytes; 1954 active_state->rekey_limit = bytes;
1955 active_state->rekey_interval = seconds;
1956 /*
1957 * We set the time here so that in post-auth privsep slave we count
1958 * from the completion of the authentication.
1959 */
1960 active_state->rekey_time = monotime();
1961}
1962
1963time_t
1964packet_get_rekey_timeout(void)
1965{
1966 time_t seconds;
1967
1968 seconds = active_state->rekey_time + active_state->rekey_interval -
1969 monotime();
1970 return (seconds <= 0 ? 1 : seconds);
1943} 1971}
1944 1972
1945void 1973void
diff --git a/packet.h b/packet.h
index 09ba07951..f8edf851c 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */ 1/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -71,7 +71,7 @@ void *packet_get_raw(u_int *length_ptr);
71void *packet_get_string(u_int *length_ptr); 71void *packet_get_string(u_int *length_ptr);
72char *packet_get_cstring(u_int *length_ptr); 72char *packet_get_cstring(u_int *length_ptr);
73void *packet_get_string_ptr(u_int *length_ptr); 73void *packet_get_string_ptr(u_int *length_ptr);
74void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); 74void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
75void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); 75void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
76 76
77void set_newkeys(int mode); 77void set_newkeys(int mode);
@@ -115,7 +115,8 @@ do { \
115} while (0) 115} while (0)
116 116
117int packet_need_rekeying(void); 117int packet_need_rekeying(void);
118void packet_set_rekey_limit(u_int32_t); 118void packet_set_rekey_limits(u_int32_t, time_t);
119time_t packet_get_rekey_timeout(void);
119 120
120void packet_backup_state(void); 121void packet_backup_state(void);
121void packet_restore_state(void); 122void packet_restore_state(void);
diff --git a/pathnames.h b/pathnames.h
index 0cdfcef7f..47f7867d5 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */ 1/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -72,18 +72,18 @@
72 * readable by anyone except the user him/herself, though this does not 72 * readable by anyone except the user him/herself, though this does not
73 * contain anything particularly secret. 73 * contain anything particularly secret.
74 */ 74 */
75#define _PATH_SSH_USER_HOSTFILE "~/.ssh/known_hosts" 75#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts"
76/* backward compat for protocol 2 */ 76/* backward compat for protocol 2 */
77#define _PATH_SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2" 77#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2"
78 78
79/* 79/*
80 * Name of the default file containing client-side authentication key. This 80 * Name of the default file containing client-side authentication key. This
81 * file should only be readable by the user him/herself. 81 * file should only be readable by the user him/herself.
82 */ 82 */
83#define _PATH_SSH_CLIENT_IDENTITY ".ssh/identity" 83#define _PATH_SSH_CLIENT_IDENTITY _PATH_SSH_USER_DIR "/identity"
84#define _PATH_SSH_CLIENT_ID_DSA ".ssh/id_dsa" 84#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
85#define _PATH_SSH_CLIENT_ID_ECDSA ".ssh/id_ecdsa" 85#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
86#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa" 86#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
87 87
88/* 88/*
89 * Configuration file in user's home directory. This file need not be 89 * Configuration file in user's home directory. This file need not be
@@ -91,7 +91,7 @@
91 * particularly secret. If the user's home directory resides on an NFS 91 * particularly secret. If the user's home directory resides on an NFS
92 * volume where root is mapped to nobody, this may need to be world-readable. 92 * volume where root is mapped to nobody, this may need to be world-readable.
93 */ 93 */
94#define _PATH_SSH_USER_CONFFILE ".ssh/config" 94#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config"
95 95
96/* 96/*
97 * File containing a list of those rsa keys that permit logging in as this 97 * File containing a list of those rsa keys that permit logging in as this
@@ -101,10 +101,10 @@
101 * may need to be world-readable. (This file is read by the daemon which is 101 * may need to be world-readable. (This file is read by the daemon which is
102 * running as root.) 102 * running as root.)
103 */ 103 */
104#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" 104#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys"
105 105
106/* backward compat for protocol v2 */ 106/* backward compat for protocol v2 */
107#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" 107#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2"
108 108
109/* 109/*
110 * Per-user and system-wide ssh "rc" files. These files are executed with 110 * Per-user and system-wide ssh "rc" files. These files are executed with
@@ -112,7 +112,7 @@
112 * passed "proto cookie" as arguments if X11 forwarding with spoofing is in 112 * passed "proto cookie" as arguments if X11 forwarding with spoofing is in
113 * use. xauth will be run if neither of these exists. 113 * use. xauth will be run if neither of these exists.
114 */ 114 */
115#define _PATH_SSH_USER_RC ".ssh/rc" 115#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc"
116#define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc" 116#define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc"
117 117
118/* 118/*
diff --git a/progressmeter.c b/progressmeter.c
index 0f95222d2..332bd3c99 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: progressmeter.c,v 1.39 2013/06/02 13:33:05 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2003 Nils Nordman. All rights reserved. 3 * Copyright (c) 2003 Nils Nordman. All rights reserved.
4 * 4 *
@@ -131,7 +131,7 @@ refresh_progress_meter(void)
131 131
132 transferred = *counter - cur_pos; 132 transferred = *counter - cur_pos;
133 cur_pos = *counter; 133 cur_pos = *counter;
134 now = time(NULL); 134 now = monotime();
135 bytes_left = end_pos - cur_pos; 135 bytes_left = end_pos - cur_pos;
136 136
137 if (bytes_left > 0) 137 if (bytes_left > 0)
@@ -249,7 +249,7 @@ update_progress_meter(int ignore)
249void 249void
250start_progress_meter(char *f, off_t filesize, off_t *ctr) 250start_progress_meter(char *f, off_t filesize, off_t *ctr)
251{ 251{
252 start = last_update = time(NULL); 252 start = last_update = monotime();
253 file = f; 253 file = f;
254 end_pos = filesize; 254 end_pos = filesize;
255 cur_pos = 0; 255 cur_pos = 0;
diff --git a/readconf.c b/readconf.c
index 0b26a6735..2778176c6 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ 1/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -32,6 +32,9 @@
32#include <unistd.h> 32#include <unistd.h>
33#include <pwd.h> 33#include <pwd.h>
34#include <grp.h> 34#include <grp.h>
35#ifdef HAVE_UTIL_H
36#include <util.h>
37#endif
35 38
36#include "xmalloc.h" 39#include "xmalloc.h"
37#include "ssh.h" 40#include "ssh.h"
@@ -139,9 +142,9 @@ typedef enum {
139 oHashKnownHosts, 142 oHashKnownHosts,
140 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 143 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
141 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 144 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
142 oKexAlgorithms, oIPQoS, oRequestTTY, 145 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
143 oProtocolKeepAlives, oSetupTimeOut, 146 oProtocolKeepAlives, oSetupTimeOut,
144 oDeprecated, oUnsupported 147 oIgnoredUnknownOption, oDeprecated, oUnsupported
145} OpCodes; 148} OpCodes;
146 149
147/* Textual representations of the tokens. */ 150/* Textual representations of the tokens. */
@@ -262,6 +265,7 @@ static struct {
262 { "kexalgorithms", oKexAlgorithms }, 265 { "kexalgorithms", oKexAlgorithms },
263 { "ipqos", oIPQoS }, 266 { "ipqos", oIPQoS },
264 { "requesttty", oRequestTTY }, 267 { "requesttty", oRequestTTY },
268 { "ignoreunknown", oIgnoreUnknown },
265 { "protocolkeepalives", oProtocolKeepAlives }, 269 { "protocolkeepalives", oProtocolKeepAlives },
266 { "setuptimeout", oSetupTimeOut }, 270 { "setuptimeout", oSetupTimeOut },
267 271
@@ -322,22 +326,20 @@ clear_forwardings(Options *options)
322 int i; 326 int i;
323 327
324 for (i = 0; i < options->num_local_forwards; i++) { 328 for (i = 0; i < options->num_local_forwards; i++) {
325 if (options->local_forwards[i].listen_host != NULL) 329 free(options->local_forwards[i].listen_host);
326 xfree(options->local_forwards[i].listen_host); 330 free(options->local_forwards[i].connect_host);
327 xfree(options->local_forwards[i].connect_host);
328 } 331 }
329 if (options->num_local_forwards > 0) { 332 if (options->num_local_forwards > 0) {
330 xfree(options->local_forwards); 333 free(options->local_forwards);
331 options->local_forwards = NULL; 334 options->local_forwards = NULL;
332 } 335 }
333 options->num_local_forwards = 0; 336 options->num_local_forwards = 0;
334 for (i = 0; i < options->num_remote_forwards; i++) { 337 for (i = 0; i < options->num_remote_forwards; i++) {
335 if (options->remote_forwards[i].listen_host != NULL) 338 free(options->remote_forwards[i].listen_host);
336 xfree(options->remote_forwards[i].listen_host); 339 free(options->remote_forwards[i].connect_host);
337 xfree(options->remote_forwards[i].connect_host);
338 } 340 }
339 if (options->num_remote_forwards > 0) { 341 if (options->num_remote_forwards > 0) {
340 xfree(options->remote_forwards); 342 free(options->remote_forwards);
341 options->remote_forwards = NULL; 343 options->remote_forwards = NULL;
342 } 344 }
343 options->num_remote_forwards = 0; 345 options->num_remote_forwards = 0;
@@ -369,14 +371,17 @@ add_identity_file(Options *options, const char *dir, const char *filename,
369 */ 371 */
370 372
371static OpCodes 373static OpCodes
372parse_token(const char *cp, const char *filename, int linenum) 374parse_token(const char *cp, const char *filename, int linenum,
375 const char *ignored_unknown)
373{ 376{
374 u_int i; 377 int i;
375 378
376 for (i = 0; keywords[i].name; i++) 379 for (i = 0; keywords[i].name; i++)
377 if (strcasecmp(cp, keywords[i].name) == 0) 380 if (strcmp(cp, keywords[i].name) == 0)
378 return keywords[i].opcode; 381 return keywords[i].opcode;
379 382 if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown,
383 strlen(ignored_unknown), 1) == 1)
384 return oIgnoredUnknownOption;
380 error("%s: line %d: Bad configuration option: %s", 385 error("%s: line %d: Bad configuration option: %s",
381 filename, linenum, cp); 386 filename, linenum, cp);
382 return oBadOption; 387 return oBadOption;
@@ -395,10 +400,10 @@ process_config_line(Options *options, const char *host,
395{ 400{
396 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; 401 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
397 char **cpptr, fwdarg[256]; 402 char **cpptr, fwdarg[256];
398 u_int *uintptr, max_entries = 0; 403 u_int i, *uintptr, max_entries = 0;
399 int negated, opcode, *intptr, value, value2, scale; 404 int negated, opcode, *intptr, value, value2;
400 LogLevel *log_level_ptr; 405 LogLevel *log_level_ptr;
401 long long orig, val64; 406 long long val64;
402 size_t len; 407 size_t len;
403 Forward fwd; 408 Forward fwd;
404 409
@@ -418,14 +423,22 @@ process_config_line(Options *options, const char *host,
418 keyword = strdelim(&s); 423 keyword = strdelim(&s);
419 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') 424 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
420 return 0; 425 return 0;
426 /* Match lowercase keyword */
427 for (i = 0; i < strlen(keyword); i++)
428 keyword[i] = tolower(keyword[i]);
421 429
422 opcode = parse_token(keyword, filename, linenum); 430 opcode = parse_token(keyword, filename, linenum,
431 options->ignored_unknown);
423 432
424 switch (opcode) { 433 switch (opcode) {
425 case oBadOption: 434 case oBadOption:
426 /* don't panic, but count bad options */ 435 /* don't panic, but count bad options */
427 return -1; 436 return -1;
428 /* NOTREACHED */ 437 /* NOTREACHED */
438 case oIgnoredUnknownOption:
439 debug("%s line %d: Ignored unknown option \"%s\"",
440 filename, linenum, keyword);
441 return 0;
429 case oConnectTimeout: 442 case oConnectTimeout:
430 intptr = &options->connection_timeout; 443 intptr = &options->connection_timeout;
431parse_time: 444parse_time:
@@ -604,39 +617,32 @@ parse_yesnoask:
604 case oRekeyLimit: 617 case oRekeyLimit:
605 arg = strdelim(&s); 618 arg = strdelim(&s);
606 if (!arg || *arg == '\0') 619 if (!arg || *arg == '\0')
607 fatal("%.200s line %d: Missing argument.", filename, linenum); 620 fatal("%.200s line %d: Missing argument.", filename,
608 if (arg[0] < '0' || arg[0] > '9') 621 linenum);
609 fatal("%.200s line %d: Bad number.", filename, linenum); 622 if (strcmp(arg, "default") == 0) {
610 orig = val64 = strtoll(arg, &endofnumber, 10); 623 val64 = 0;
611 if (arg == endofnumber) 624 } else {
612 fatal("%.200s line %d: Bad number.", filename, linenum); 625 if (scan_scaled(arg, &val64) == -1)
613 switch (toupper(*endofnumber)) { 626 fatal("%.200s line %d: Bad number '%s': %s",
614 case '\0': 627 filename, linenum, arg, strerror(errno));
615 scale = 1; 628 /* check for too-large or too-small limits */
616 break; 629 if (val64 > UINT_MAX)
617 case 'K': 630 fatal("%.200s line %d: RekeyLimit too large",
618 scale = 1<<10; 631 filename, linenum);
619 break; 632 if (val64 != 0 && val64 < 16)
620 case 'M': 633 fatal("%.200s line %d: RekeyLimit too small",
621 scale = 1<<20; 634 filename, linenum);
622 break;
623 case 'G':
624 scale = 1<<30;
625 break;
626 default:
627 fatal("%.200s line %d: Invalid RekeyLimit suffix",
628 filename, linenum);
629 } 635 }
630 val64 *= scale;
631 /* detect integer wrap and too-large limits */
632 if ((val64 / scale) != orig || val64 > UINT_MAX)
633 fatal("%.200s line %d: RekeyLimit too large",
634 filename, linenum);
635 if (val64 < 16)
636 fatal("%.200s line %d: RekeyLimit too small",
637 filename, linenum);
638 if (*activep && options->rekey_limit == -1) 636 if (*activep && options->rekey_limit == -1)
639 options->rekey_limit = (u_int32_t)val64; 637 options->rekey_limit = (u_int32_t)val64;
638 if (s != NULL) { /* optional rekey interval present */
639 if (strcmp(s, "none") == 0) {
640 (void)strdelim(&s); /* discard */
641 break;
642 }
643 intptr = &options->rekey_interval;
644 goto parse_time;
645 }
640 break; 646 break;
641 647
642 case oIdentityFile: 648 case oIdentityFile:
@@ -1106,6 +1112,10 @@ parse_int:
1106 *intptr = value; 1112 *intptr = value;
1107 break; 1113 break;
1108 1114
1115 case oIgnoreUnknown:
1116 charptr = &options->ignored_unknown;
1117 goto parse_string;
1118
1109 case oDeprecated: 1119 case oDeprecated:
1110 debug("%s line %d: Deprecated option \"%s\"", 1120 debug("%s line %d: Deprecated option \"%s\"",
1111 filename, linenum, keyword); 1121 filename, linenum, keyword);
@@ -1251,6 +1261,7 @@ initialize_options(Options * options)
1251 options->no_host_authentication_for_localhost = - 1; 1261 options->no_host_authentication_for_localhost = - 1;
1252 options->identities_only = - 1; 1262 options->identities_only = - 1;
1253 options->rekey_limit = - 1; 1263 options->rekey_limit = - 1;
1264 options->rekey_interval = -1;
1254 options->verify_host_key_dns = -1; 1265 options->verify_host_key_dns = -1;
1255 options->server_alive_interval = -1; 1266 options->server_alive_interval = -1;
1256 options->server_alive_count_max = -1; 1267 options->server_alive_count_max = -1;
@@ -1271,6 +1282,7 @@ initialize_options(Options * options)
1271 options->ip_qos_interactive = -1; 1282 options->ip_qos_interactive = -1;
1272 options->ip_qos_bulk = -1; 1283 options->ip_qos_bulk = -1;
1273 options->request_tty = -1; 1284 options->request_tty = -1;
1285 options->ignored_unknown = NULL;
1274} 1286}
1275 1287
1276/* 1288/*
@@ -1281,8 +1293,6 @@ initialize_options(Options * options)
1281void 1293void
1282fill_default_options(Options * options) 1294fill_default_options(Options * options)
1283{ 1295{
1284 int len;
1285
1286 if (options->forward_agent == -1) 1296 if (options->forward_agent == -1)
1287 options->forward_agent = 0; 1297 options->forward_agent = 0;
1288 if (options->forward_x11 == -1) 1298 if (options->forward_x11 == -1)
@@ -1396,6 +1406,8 @@ fill_default_options(Options * options)
1396 options->enable_ssh_keysign = 0; 1406 options->enable_ssh_keysign = 0;
1397 if (options->rekey_limit == -1) 1407 if (options->rekey_limit == -1)
1398 options->rekey_limit = 0; 1408 options->rekey_limit = 0;
1409 if (options->rekey_interval == -1)
1410 options->rekey_interval = 0;
1399 if (options->verify_host_key_dns == -1) 1411 if (options->verify_host_key_dns == -1)
1400 options->verify_host_key_dns = 0; 1412 options->verify_host_key_dns = 0;
1401 if (options->server_alive_interval == -1) { 1413 if (options->server_alive_interval == -1) {
@@ -1504,7 +1516,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1504 i = 0; /* failure */ 1516 i = 0; /* failure */
1505 } 1517 }
1506 1518
1507 xfree(p); 1519 free(p);
1508 1520
1509 if (dynamicfwd) { 1521 if (dynamicfwd) {
1510 if (!(i == 1 || i == 2)) 1522 if (!(i == 1 || i == 2))
@@ -1530,13 +1542,9 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1530 return (i); 1542 return (i);
1531 1543
1532 fail_free: 1544 fail_free:
1533 if (fwd->connect_host != NULL) { 1545 free(fwd->connect_host);
1534 xfree(fwd->connect_host); 1546 fwd->connect_host = NULL;
1535 fwd->connect_host = NULL; 1547 free(fwd->listen_host);
1536 } 1548 fwd->listen_host = NULL;
1537 if (fwd->listen_host != NULL) {
1538 xfree(fwd->listen_host);
1539 fwd->listen_host = NULL;
1540 }
1541 return (0); 1549 return (0);
1542} 1550}
diff --git a/readconf.h b/readconf.h
index 6ecbf281e..a508151f7 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ 1/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -116,6 +116,7 @@ typedef struct {
116 116
117 int enable_ssh_keysign; 117 int enable_ssh_keysign;
118 int64_t rekey_limit; 118 int64_t rekey_limit;
119 int rekey_interval;
119 int no_host_authentication_for_localhost; 120 int no_host_authentication_for_localhost;
120 int identities_only; 121 int identities_only;
121 int server_alive_interval; 122 int server_alive_interval;
@@ -142,6 +143,8 @@ typedef struct {
142 int use_roaming; 143 int use_roaming;
143 144
144 int request_tty; 145 int request_tty;
146
147 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
145} Options; 148} Options;
146 149
147#define SSHCTL_MASTER_NO 0 150#define SSHCTL_MASTER_NO 0
diff --git a/readpass.c b/readpass.c
index 599c8ef9a..e37d31158 100644
--- a/readpass.c
+++ b/readpass.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: readpass.c,v 1.48 2010/12/15 00:49:27 djm Exp $ */ 1/* $OpenBSD: readpass.c,v 1.49 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -186,7 +186,7 @@ ask_permission(const char *fmt, ...)
186 if (*p == '\0' || *p == '\n' || 186 if (*p == '\0' || *p == '\n' ||
187 strcasecmp(p, "yes") == 0) 187 strcasecmp(p, "yes") == 0)
188 allowed = 1; 188 allowed = 1;
189 xfree(p); 189 free(p);
190 } 190 }
191 191
192 return (allowed); 192 return (allowed);
diff --git a/regress/Makefile b/regress/Makefile
index 6ef5d9cce..ab2a6ae7b 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $ 1# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
4tests: $(REGRESS_TARGETS) 4tests: $(REGRESS_TARGETS)
@@ -8,6 +8,7 @@ interop interop-tests: t-exec-interop
8 8
9clean: 9clean:
10 for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done 10 for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
11 test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
11 rm -rf $(OBJ).putty 12 rm -rf $(OBJ).putty
12 13
13distclean: clean 14distclean: clean
@@ -38,6 +39,7 @@ LTESTS= connect \
38 key-options \ 39 key-options \
39 scp \ 40 scp \
40 sftp \ 41 sftp \
42 sftp-chroot \
41 sftp-cmds \ 43 sftp-cmds \
42 sftp-badcmds \ 44 sftp-badcmds \
43 sftp-batch \ 45 sftp-batch \
@@ -82,8 +84,11 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
82 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ 84 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
83 key.rsa-* key.dsa-* key.ecdsa-* \ 85 key.rsa-* key.dsa-* key.ecdsa-* \
84 authorized_principals_${USER} expect actual ready \ 86 authorized_principals_${USER} expect actual ready \
85 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* 87 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
88 ssh.log failed-ssh.log sshd.log failed-sshd.log \
89 regress.log failed-regress.log ssh-log-wrapper.sh
86 90
91SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
87 92
88# Enable all malloc(3) randomisations and checks 93# Enable all malloc(3) randomisations and checks
89TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" 94TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
@@ -150,14 +155,14 @@ t-exec: ${LTESTS:=.sh}
150 @if [ "x$?" = "x" ]; then exit 0; fi; \ 155 @if [ "x$?" = "x" ]; then exit 0; fi; \
151 for TEST in ""$?; do \ 156 for TEST in ""$?; do \
152 echo "run test $${TEST}" ... 1>&2; \ 157 echo "run test $${TEST}" ... 1>&2; \
153 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ 158 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
154 done 159 done
155 160
156t-exec-interop: ${INTEROP_TESTS:=.sh} 161t-exec-interop: ${INTEROP_TESTS:=.sh}
157 @if [ "x$?" = "x" ]; then exit 0; fi; \ 162 @if [ "x$?" = "x" ]; then exit 0; fi; \
158 for TEST in ""$?; do \ 163 for TEST in ""$?; do \
159 echo "run test $${TEST}" ... 1>&2; \ 164 echo "run test $${TEST}" ... 1>&2; \
160 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ 165 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
161 done 166 done
162 167
163# Not run by default 168# Not run by default
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index faf654c04..d5ae2d6e2 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.4 2007/11/25 15:35:09 jmc Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
@@ -18,7 +18,6 @@ if [ -z "$SUDO" ]; then
18 exit 0 18 exit 0
19fi 19fi
20 20
21
22trace "start agent" 21trace "start agent"
23eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null 22eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
24r=$? 23r=$?
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 3a40e7af8..68826594e 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $ 1# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="agent timeout test" 4tid="agent timeout test"
diff --git a/regress/agent.sh b/regress/agent.sh
index 094cf694b..be7d91334 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent.sh,v 1.7 2007/11/25 15:35:09 jmc Exp $ 1# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple agent test" 4tid="simple agent test"
@@ -19,7 +19,7 @@ else
19 fail "ssh-add -l did not fail with exit code 1" 19 fail "ssh-add -l did not fail with exit code 1"
20 fi 20 fi
21 trace "overwrite authorized keys" 21 trace "overwrite authorized keys"
22 echon > $OBJ/authorized_keys_$USER 22 printf '' > $OBJ/authorized_keys_$USER
23 for t in rsa rsa1; do 23 for t in rsa rsa1; do
24 # generate user key for agent 24 # generate user key for agent
25 rm -f $OBJ/$t-agent 25 rm -f $OBJ/$t-agent
diff --git a/regress/bsd.regress.mk b/regress/bsd.regress.mk
deleted file mode 100644
index 9b8011a01..000000000
--- a/regress/bsd.regress.mk
+++ /dev/null
@@ -1,79 +0,0 @@
1# $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $
2# No man pages for regression tests.
3NOMAN=
4
5# No installation.
6install:
7
8# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG
9.if defined(REGRESSTARGETS) && !defined(PROG)
10NOPROG=
11.endif
12
13.include <bsd.prog.mk>
14
15.MAIN: all
16all: regress
17
18# XXX - Need full path to REGRESSLOG, otherwise there will be much pain.
19
20REGRESSLOG?=/dev/null
21REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///}
22
23.if defined(PROG) && !empty(PROG)
24run-regress-${PROG}: ${PROG}
25 ./${PROG}
26.endif
27
28.if !defined(REGRESSTARGETS)
29REGRESSTARGETS=run-regress-${PROG}
30. if defined(REGRESSSKIP)
31REGRESSSKIPTARGETS=run-regress-${PROG}
32. endif
33.endif
34
35REGRESSSKIPSLOW?=no
36
37#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS)
38
39.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS)
40REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS}
41.endif
42
43.if defined(REGRESSROOTTARGETS)
44ROOTUSER!=id -g
45SUDO?=
46. if (${ROOTUSER} != 0) && empty(SUDO)
47REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS}
48. endif
49.endif
50
51REGRESSSKIPTARGETS?=
52
53regress:
54.for RT in ${REGRESSTARGETS}
55. if ${REGRESSSKIPTARGETS:M${RT}}
56 @echo -n "SKIP " >> ${REGRESSLOG}
57. else
58# XXX - we need a better method to see if a test fails due to timeout or just
59# normal failure.
60. if !defined(REGRESSMAXTIME)
61 @if cd ${.CURDIR} && ${MAKE} ${RT}; then \
62 echo -n "SUCCESS " >> ${REGRESSLOG} ; \
63 else \
64 echo -n "FAIL " >> ${REGRESSLOG} ; \
65 echo FAILED ; \
66 fi
67. else
68 @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \
69 echo -n "SUCCESS " >> ${REGRESSLOG} ; \
70 else \
71 echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \
72 echo FAILED ; \
73 fi
74. endif
75. endif
76 @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG}
77.endfor
78
79.PHONY: regress
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 6216abd87..35cd39293 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -18,8 +18,8 @@ HOSTS='localhost-with-alias,127.0.0.1,::1'
18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
19 fail "ssh-keygen of host_ca_key failed" 19 fail "ssh-keygen of host_ca_key failed"
20( 20(
21 echon '@cert-authority ' 21 printf '@cert-authority '
22 echon "$HOSTS " 22 printf "$HOSTS "
23 cat $OBJ/host_ca_key.pub 23 cat $OBJ/host_ca_key.pub
24) > $OBJ/known_hosts-cert 24) > $OBJ/known_hosts-cert
25 25
@@ -66,25 +66,25 @@ done
66 66
67# Revoked certificates with key present 67# Revoked certificates with key present
68( 68(
69 echon '@cert-authority ' 69 printf '@cert-authority '
70 echon "$HOSTS " 70 printf "$HOSTS "
71 cat $OBJ/host_ca_key.pub 71 cat $OBJ/host_ca_key.pub
72 echon '@revoked ' 72 printf '@revoked '
73 echon "* " 73 printf "* "
74 cat $OBJ/cert_host_key_rsa.pub 74 cat $OBJ/cert_host_key_rsa.pub
75 if test "x$TEST_SSH_ECC" = "xyes"; then 75 if test "x$TEST_SSH_ECC" = "xyes"; then
76 echon '@revoked ' 76 printf '@revoked '
77 echon "* " 77 printf "* "
78 cat $OBJ/cert_host_key_ecdsa.pub 78 cat $OBJ/cert_host_key_ecdsa.pub
79 fi 79 fi
80 echon '@revoked ' 80 printf '@revoked '
81 echon "* " 81 printf "* "
82 cat $OBJ/cert_host_key_dsa.pub 82 cat $OBJ/cert_host_key_dsa.pub
83 echon '@revoked ' 83 printf '@revoked '
84 echon "* " 84 printf "* "
85 cat $OBJ/cert_host_key_rsa_v00.pub 85 cat $OBJ/cert_host_key_rsa_v00.pub
86 echon '@revoked ' 86 printf '@revoked '
87 echon "* " 87 printf "* "
88 cat $OBJ/cert_host_key_dsa_v00.pub 88 cat $OBJ/cert_host_key_dsa_v00.pub
89) > $OBJ/known_hosts-cert 89) > $OBJ/known_hosts-cert
90for privsep in yes no ; do 90for privsep in yes no ; do
@@ -108,11 +108,11 @@ done
108 108
109# Revoked CA 109# Revoked CA
110( 110(
111 echon '@cert-authority ' 111 printf '@cert-authority '
112 echon "$HOSTS " 112 printf "$HOSTS "
113 cat $OBJ/host_ca_key.pub 113 cat $OBJ/host_ca_key.pub
114 echon '@revoked ' 114 printf '@revoked '
115 echon "* " 115 printf "* "
116 cat $OBJ/host_ca_key.pub 116 cat $OBJ/host_ca_key.pub
117) > $OBJ/known_hosts-cert 117) > $OBJ/known_hosts-cert
118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
@@ -132,8 +132,8 @@ done
132 132
133# Create a CA key and add it to known hosts 133# Create a CA key and add it to known hosts
134( 134(
135 echon '@cert-authority ' 135 printf '@cert-authority '
136 echon "$HOSTS " 136 printf "$HOSTS "
137 cat $OBJ/host_ca_key.pub 137 cat $OBJ/host_ca_key.pub
138) > $OBJ/known_hosts-cert 138) > $OBJ/known_hosts-cert
139 139
@@ -200,7 +200,7 @@ for v in v01 v00 ; do
200 -n $HOSTS $OBJ/cert_host_key_${ktype} || 200 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
201 fail "couldn't sign cert_host_key_${ktype}" 201 fail "couldn't sign cert_host_key_${ktype}"
202 ( 202 (
203 echon "$HOSTS " 203 printf "$HOSTS "
204 cat $OBJ/cert_host_key_${ktype}.pub 204 cat $OBJ/cert_host_key_${ktype}.pub
205 ) > $OBJ/known_hosts-cert 205 ) > $OBJ/known_hosts-cert
206 ( 206 (
@@ -220,8 +220,8 @@ done
220 220
221# Wrong certificate 221# Wrong certificate
222( 222(
223 echon '@cert-authority ' 223 printf '@cert-authority '
224 echon "$HOSTS " 224 printf "$HOSTS "
225 cat $OBJ/host_ca_key.pub 225 cat $OBJ/host_ca_key.pub
226) > $OBJ/known_hosts-cert 226) > $OBJ/known_hosts-cert
227for v in v01 v00 ; do 227for v in v01 v00 ; do
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 3bba9f8f2..6018b38f4 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -126,7 +126,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
126 # Wrong principals list 126 # Wrong principals list
127 verbose "$tid: ${_prefix} wrong principals key option" 127 verbose "$tid: ${_prefix} wrong principals key option"
128 ( 128 (
129 echon 'cert-authority,principals="gregorsamsa" ' 129 printf 'cert-authority,principals="gregorsamsa" '
130 cat $OBJ/user_ca_key.pub 130 cat $OBJ/user_ca_key.pub
131 ) > $OBJ/authorized_keys_$USER 131 ) > $OBJ/authorized_keys_$USER
132 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 132 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -138,7 +138,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
138 # Correct principals list 138 # Correct principals list
139 verbose "$tid: ${_prefix} correct principals key option" 139 verbose "$tid: ${_prefix} correct principals key option"
140 ( 140 (
141 echon 'cert-authority,principals="mekmitasdigoat" ' 141 printf 'cert-authority,principals="mekmitasdigoat" '
142 cat $OBJ/user_ca_key.pub 142 cat $OBJ/user_ca_key.pub
143 ) > $OBJ/authorized_keys_$USER 143 ) > $OBJ/authorized_keys_$USER
144 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 144 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -154,7 +154,7 @@ basic_tests() {
154 if test "x$auth" = "xauthorized_keys" ; then 154 if test "x$auth" = "xauthorized_keys" ; then
155 # Add CA to authorized_keys 155 # Add CA to authorized_keys
156 ( 156 (
157 echon 'cert-authority ' 157 printf 'cert-authority '
158 cat $OBJ/user_ca_key.pub 158 cat $OBJ/user_ca_key.pub
159 ) > $OBJ/authorized_keys_$USER 159 ) > $OBJ/authorized_keys_$USER
160 else 160 else
@@ -264,7 +264,7 @@ test_one() {
264 if test "x$auth" = "xauthorized_keys" ; then 264 if test "x$auth" = "xauthorized_keys" ; then
265 # Add CA to authorized_keys 265 # Add CA to authorized_keys
266 ( 266 (
267 echon "cert-authority${auth_opt} " 267 printf "cert-authority${auth_opt} "
268 cat $OBJ/user_ca_key.pub 268 cat $OBJ/user_ca_key.pub
269 ) > $OBJ/authorized_keys_$USER 269 ) > $OBJ/authorized_keys_$USER
270 else 270 else
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 0603fab64..80cf22930 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $ 1# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd_config match" 4tid="sshd_config match"
@@ -15,7 +15,7 @@ start_client()
15 rm -f $pidfile 15 rm -f $pidfile
16 ${SSH} -q -$p $fwd "$@" somehost \ 16 ${SSH} -q -$p $fwd "$@" somehost \
17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ 17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18 >>$TEST_SSH_LOGFILE 2>&1 & 18 >>$TEST_REGRESS_LOGFILE 2>&1 &
19 client_pid=$! 19 client_pid=$!
20 # Wait for remote end 20 # Wait for remote end
21 n=0 21 n=0
@@ -34,21 +34,20 @@ stop_client()
34 pid=`cat $pidfile` 34 pid=`cat $pidfile`
35 if [ ! -z "$pid" ]; then 35 if [ ! -z "$pid" ]; then
36 kill $pid 36 kill $pid
37 sleep 1
38 fi 37 fi
39 wait 38 wait
40} 39}
41 40
42cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 41cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
43grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
44echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
45echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config 42echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
46echo "Match user $USER" >>$OBJ/sshd_proxy
47echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
48echo "Match Address 127.0.0.1" >>$OBJ/sshd_config 43echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
49echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config 44echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
50 45
46grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
51echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy 48echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49echo "Match user $USER" >>$OBJ/sshd_proxy
50echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
52echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy 51echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
53echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy 52echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
54 53
@@ -75,9 +74,9 @@ for p in 1 2; do
75done 74done
76 75
77# Retry previous with key option, should also be denied. 76# Retry previous with key option, should also be denied.
78echon 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER 77printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
79cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER 78cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
80echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER 79printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
81cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER 80cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
82for p in 1 2; do 81for p in 1 2; do
83 trace "match permitopen proxy w/key opts proto $p" 82 trace "match permitopen proxy w/key opts proto $p"
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 65e5f35ec..489d9f5fa 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $ 1# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="cipher speed" 4tid="cipher speed"
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 5b65cd993..199d863a0 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: conch-ciphers.sh,v 1.2 2008/06/30 10:43:03 djm Exp $ 1# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="conch ciphers" 4tid="conch ciphers"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then 6if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
10 echo "conch interop tests not enabled" 7 echo "conch interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index d1ab8059b..42fa8acdc 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,12 +1,10 @@
1# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $ 1# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="dynamic forwarding" 4tid="dynamic forwarding"
5 5
6FWDPORT=`expr $PORT + 1` 6FWDPORT=`expr $PORT + 1`
7 7
8DATA=/bin/ls${EXEEXT}
9
10if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then 8if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
11 proxycmd="nc -x 127.0.0.1:$FWDPORT -X" 9 proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
12elif have_prog connect; then 10elif have_prog connect; then
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
index 99e51a60f..44d2b7ffd 100644
--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,13 +1,13 @@
1# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $ 1# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="forced command" 4tid="forced command"
5 5
6cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 6cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
7 7
8echon 'command="true" ' >$OBJ/authorized_keys_$USER 8printf 'command="true" ' >$OBJ/authorized_keys_$USER
9cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER 9cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
10echon 'command="true" ' >>$OBJ/authorized_keys_$USER 10printf 'command="true" ' >>$OBJ/authorized_keys_$USER
11cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER 11cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
12 12
13for p in 1 2; do 13for p in 1 2; do
@@ -16,9 +16,9 @@ for p in 1 2; do
16 fail "forced command in key proto $p" 16 fail "forced command in key proto $p"
17done 17done
18 18
19echon 'command="false" ' >$OBJ/authorized_keys_$USER 19printf 'command="false" ' >$OBJ/authorized_keys_$USER
20cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER 20cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
21echon 'command="false" ' >>$OBJ/authorized_keys_$USER 21printf 'command="false" ' >>$OBJ/authorized_keys_$USER
22cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER 22cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
23 23
24cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 24cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index f9c367beb..94873f22c 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,7 +1,8 @@
1# $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $ 1# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
5
5DATA=/bin/ls${EXEEXT} 6DATA=/bin/ls${EXEEXT}
6 7
7start_sshd 8start_sshd
@@ -26,9 +27,9 @@ for p in 1 2; do
26 27
27 trace "transfer over forwarded channels and check result" 28 trace "transfer over forwarded channels and check result"
28 ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ 29 ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
29 somehost cat $DATA > $OBJ/ls.copy 30 somehost cat ${DATA} > ${COPY}
30 test -f $OBJ/ls.copy || fail "failed copy $DATA" 31 test -f ${COPY} || fail "failed copy of ${DATA}"
31 cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" 32 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
32 33
33 sleep 10 34 sleep 10
34done 35done
@@ -75,7 +76,7 @@ for p in 1 2; do
75 else 76 else
76 # this one should fail 77 # this one should fail
77 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ 78 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
78 2>>$TEST_SSH_LOGFILE && \ 79 >>$TEST_REGRESS_LOGFILE 2>&1 && \
79 fail "local forwarding not cleared" 80 fail "local forwarding not cleared"
80 fi 81 fi
81 sleep 10 82 sleep 10
@@ -88,7 +89,7 @@ for p in 1 2; do
88 else 89 else
89 # this one should fail 90 # this one should fail
90 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ 91 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
91 2>>$TEST_SSH_LOGFILE && \ 92 >>$TEST_REGRESS_LOGFILE 2>&1 && \
92 fail "remote forwarding not cleared" 93 fail "remote forwarding not cleared"
93 fi 94 fi
94 sleep 10 95 sleep 10
@@ -103,3 +104,18 @@ for p in 2; do
103 fail "stdio forwarding proto $p" 104 fail "stdio forwarding proto $p"
104 fi 105 fi
105done 106done
107
108echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
109echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
110for p in 1 2; do
111 trace "config file: start forwarding, fork to background"
112 ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10
113
114 trace "config file: transfer over forwarded channels and check result"
115 ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
116 somehost cat ${DATA} > ${COPY}
117 test -f ${COPY} || fail "failed copy of ${DATA}"
118 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
119
120 wait
121done
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 4d46926d5..1d17fe10a 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $ 1# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -21,12 +21,13 @@ config_defined HAVE_EVP_SHA256 &&
21config_defined OPENSSL_HAVE_EVPGCM && \ 21config_defined OPENSSL_HAVE_EVPGCM && \
22 macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" 22 macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
23 23
24# sshd-command for proxy (see test-exec.sh) 24# avoid DH group exchange as the extra traffic makes it harder to get the
25cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" 25# offset into the stream right.
26echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
27 >> $OBJ/ssh_proxy
26 28
27jot() { 29# sshd-command for proxy (see test-exec.sh)
28 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" 30cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
29}
30 31
31for m in $macs; do 32for m in $macs; do
32 trace "test $tid: mac $m" 33 trace "test $tid: mac $m"
@@ -47,14 +48,15 @@ for m in $macs; do
47 aes*gcm*) macopt="-c $m";; 48 aes*gcm*) macopt="-c $m";;
48 *) macopt="-m $m";; 49 *) macopt="-m $m";;
49 esac 50 esac
50 output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 51 verbose "test $tid: $m @$off"
51 999.999.999.999 'printf "%4096s" " "' 2>&1` 52 ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
53 999.999.999.999 'printf "%4096s" " "' >/dev/null
52 if [ $? -eq 0 ]; then 54 if [ $? -eq 0 ]; then
53 fail "ssh -m $m succeeds with bit-flip at $off" 55 fail "ssh -m $m succeeds with bit-flip at $off"
54 fi 56 fi
55 ecnt=`expr $ecnt + 1` 57 ecnt=`expr $ecnt + 1`
56 output=`echo $output | tr -s '\r\n' '.'` 58 output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
57 verbose "test $tid: $m @$off $output" 59 tr -s '\r\n' '.')
58 case "$output" in 60 case "$output" in
59 Bad?packet*) elen=`expr $elen + 1`; skip=3;; 61 Bad?packet*) elen=`expr $elen + 1`; skip=3;;
60 Corrupted?MAC* | Decryption?integrity?check?failed*) 62 Corrupted?MAC* | Decryption?integrity?check?failed*)
diff --git a/regress/keytype.sh b/regress/keytype.sh
index cb40c6864..59586bf0d 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.1 2010/09/02 16:12:55 markus Exp $ 1# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -40,7 +40,7 @@ for ut in $ktypes; do
40 echo IdentityFile $OBJ/key.$ut 40 echo IdentityFile $OBJ/key.$ut
41 ) > $OBJ/ssh_proxy 41 ) > $OBJ/ssh_proxy
42 ( 42 (
43 echon 'localhost-with-alias,127.0.0.1,::1 ' 43 printf 'localhost-with-alias,127.0.0.1,::1 '
44 cat $OBJ/key.$ht.pub 44 cat $OBJ/key.$ht.pub
45 ) > $OBJ/known_hosts 45 ) > $OBJ/known_hosts
46 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER 46 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
diff --git a/regress/krl.sh b/regress/krl.sh
index 62a239c38..de9cc8764 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -39,10 +39,6 @@ serial: 799
39serial: 599-701 39serial: 599-701
40EOF 40EOF
41 41
42jot() {
43 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
44}
45
46# A specification that revokes some certificated by key ID. 42# A specification that revokes some certificated by key ID.
47touch $OBJ/revoked-keyid 43touch $OBJ/revoked-keyid
48for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do 44for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
diff --git a/regress/localcommand.sh b/regress/localcommand.sh
index feade7a9d..8a9b56971 100644
--- a/regress/localcommand.sh
+++ b/regress/localcommand.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: localcommand.sh,v 1.1 2007/10/29 06:57:13 dtucker Exp $ 1# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="localcommand" 4tid="localcommand"
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 55fbb324d..d73923b9c 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $ 1# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect after login grace timeout" 4tid="connect after login grace timeout"
diff --git a/regress/modpipe.c b/regress/modpipe.c
index 9629aa80b..85747cf7d 100755
--- a/regress/modpipe.c
+++ b/regress/modpipe.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16 16
17/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ 17/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
18 18
19#include "includes.h" 19#include "includes.h"
20 20
@@ -25,7 +25,7 @@
25#include <stdarg.h> 25#include <stdarg.h>
26#include <stdlib.h> 26#include <stdlib.h>
27#include <errno.h> 27#include <errno.h>
28#include "openbsd-compat/getopt.c" 28#include "openbsd-compat/getopt_long.c"
29 29
30static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); 30static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
31static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); 31static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 1e6cc7606..3e697e691 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $ 1# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -10,8 +10,7 @@ if config_defined DISABLE_FD_PASSING ; then
10 exit 0 10 exit 0
11fi 11fi
12 12
13DATA=/bin/ls${EXEEXT} 13P=3301 # test port
14COPY=$OBJ/ls.copy
15 14
16wait_for_mux_master_ready() 15wait_for_mux_master_ready()
17{ 16{
@@ -25,10 +24,16 @@ wait_for_mux_master_ready()
25 24
26start_sshd 25start_sshd
27 26
28trace "start master, fork to background" 27start_mux_master()
29${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & 28{
30MASTER_PID=$! 29 trace "start master, fork to background"
31wait_for_mux_master_ready 30 ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
31 -E $TEST_REGRESS_LOGFILE 2>&1 &
32 MASTER_PID=$!
33 wait_for_mux_master_ready
34}
35
36start_mux_master
32 37
33verbose "test $tid: envpass" 38verbose "test $tid: envpass"
34trace "env passing over multiplexed connection" 39trace "env passing over multiplexed connection"
@@ -55,13 +60,13 @@ cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
55rm -f ${COPY} 60rm -f ${COPY}
56trace "sftp transfer over multiplexed connection and check result" 61trace "sftp transfer over multiplexed connection and check result"
57echo "get ${DATA} ${COPY}" | \ 62echo "get ${DATA} ${COPY}" | \
58 ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_SSH_LOGFILE 2>&1 63 ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1
59test -f ${COPY} || fail "sftp: failed copy ${DATA}" 64test -f ${COPY} || fail "sftp: failed copy ${DATA}"
60cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" 65cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
61 66
62rm -f ${COPY} 67rm -f ${COPY}
63trace "scp transfer over multiplexed connection and check result" 68trace "scp transfer over multiplexed connection and check result"
64${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_SSH_LOGFILE 2>&1 69${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
65test -f ${COPY} || fail "scp: failed copy ${DATA}" 70test -f ${COPY} || fail "scp: failed copy ${DATA}"
66cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" 71cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
67 72
@@ -87,11 +92,31 @@ for s in 0 1 4 5 44; do
87done 92done
88 93
89verbose "test $tid: cmd check" 94verbose "test $tid: cmd check"
90${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \ 95${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
91 || fail "check command failed" 96 || fail "check command failed"
92 97
98verbose "test $tid: cmd forward local"
99${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
100 || fail "request local forward failed"
101${SSH} -F $OBJ/ssh_config -p$P otherhost true \
102 || fail "connect to local forward port failed"
103${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
104 || fail "cancel local forward failed"
105${SSH} -F $OBJ/ssh_config -p$P otherhost true \
106 && fail "local forward port still listening"
107
108verbose "test $tid: cmd forward remote"
109${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
110 || fail "request remote forward failed"
111${SSH} -F $OBJ/ssh_config -p$P otherhost true \
112 || fail "connect to remote forwarded port failed"
113${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
114 || fail "cancel remote forward failed"
115${SSH} -F $OBJ/ssh_config -p$P otherhost true \
116 && fail "remote forward port still listening"
117
93verbose "test $tid: cmd exit" 118verbose "test $tid: cmd exit"
94${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ 119${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
95 || fail "send exit command failed" 120 || fail "send exit command failed"
96 121
97# Wait for master to exit 122# Wait for master to exit
@@ -101,15 +126,13 @@ kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
101# Restart master and test -O stop command with master using -N 126# Restart master and test -O stop command with master using -N
102verbose "test $tid: cmd stop" 127verbose "test $tid: cmd stop"
103trace "restart master, fork to background" 128trace "restart master, fork to background"
104${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & 129start_mux_master
105MASTER_PID=$!
106wait_for_mux_master_ready
107 130
108# start a long-running command then immediately request a stop 131# start a long-running command then immediately request a stop
109${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ 132${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
110 >>$TEST_SSH_LOGFILE 2>&1 & 133 >>$TEST_REGRESS_LOGFILE 2>&1 &
111SLEEP_PID=$! 134SLEEP_PID=$!
112${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ 135${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
113 || fail "send stop command failed" 136 || fail "send stop command failed"
114 137
115# wait until both long-running command and master have exited. 138# wait until both long-running command and master have exited.
diff --git a/regress/portnum.sh b/regress/portnum.sh
index 1de0680fe..c56b869a3 100644
--- a/regress/portnum.sh
+++ b/regress/portnum.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: portnum.sh,v 1.1 2009/08/13 00:57:17 djm Exp $ 1# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="port number parsing" 4tid="port number parsing"
diff --git a/regress/proto-version.sh b/regress/proto-version.sh
index 1651a69e1..b876dd7ec 100644
--- a/regress/proto-version.sh
+++ b/regress/proto-version.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ 1# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd version with different protocol combinations" 4tid="sshd version with different protocol combinations"
@@ -8,7 +8,7 @@ check_version ()
8{ 8{
9 version=$1 9 version=$1
10 expect=$2 10 expect=$2
11 banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` 11 banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
12 case ${banner} in 12 case ${banner} in
13 SSH-1.99-*) 13 SSH-1.99-*)
14 proto=199 14 proto=199
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index 6a36b2513..76e602dd6 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,8 +1,9 @@
1# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $ 1# $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="proxy connect" 4tid="proxy connect"
5 5
6verbose "plain username"
6for p in 1 2; do 7for p in 1 2; do
7 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true 8 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
8 if [ $? -ne 0 ]; then 9 if [ $? -ne 0 ]; then
@@ -16,3 +17,10 @@ for p in 1 2; do
16 fail "bad SSH_CONNECTION" 17 fail "bad SSH_CONNECTION"
17 fi 18 fi
18done 19done
20
21verbose "username with style"
22for p in 1 2; do
23 ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
24 fail "ssh proxyconnect protocol $p failed"
25done
26
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 928ea60d2..724a98cc1 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: putty-ciphers.sh,v 1.3 2008/11/10 02:06:35 djm Exp $ 1# $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty ciphers" 4tid="putty ciphers"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then 6if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
10 echo "putty interop tests not enabled" 7 echo "putty interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 293885a8a..1844d6599 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: putty-kex.sh,v 1.2 2008/06/30 10:31:11 djm Exp $ 1# $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty KEX" 4tid="putty KEX"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then 6if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
10 echo "putty interop tests not enabled" 7 echo "putty interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 9e1e1550a..aec0e04ee 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: putty-transfer.sh,v 1.2 2008/06/30 10:31:11 djm Exp $ 1# $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty transfer data" 4tid="putty transfer data"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then 6if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
10 echo "putty interop tests not enabled" 7 echo "putty interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 9464eb699..433573f06 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,12 +1,10 @@
1# $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $ 1# $OpenBSD: reexec.sh,v 1.7 2013/05/17 10:23:52 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="reexec tests" 4tid="reexec tests"
5 5
6DATA=/bin/ls${EXEEXT} 6SSHD_ORIG=$SSHD
7COPY=${OBJ}/copy 7SSHD_COPY=$OBJ/sshd
8SSHD_ORIG=$SSHD${EXEEXT}
9SSHD_COPY=$OBJ/sshd${EXEEXT}
10 8
11# Start a sshd and then delete it 9# Start a sshd and then delete it
12start_sshd_copy () 10start_sshd_copy ()
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 3c5f266fc..8eb7efaf9 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,23 +1,18 @@
1# $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $ 1# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="rekey during transfer data" 4tid="rekey"
5 5
6DATA=${OBJ}/data 6LOG=${TEST_SSH_LOGFILE}
7COPY=${OBJ}/copy
8LOG=${OBJ}/log
9 7
10rm -f ${COPY} ${LOG} ${DATA} 8rm -f ${LOG}
11touch ${DATA}
12dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
13 9
14for s in 16 1k 128k 256k; do 10for s in 16 1k 128k 256k; do
15 trace "rekeylimit ${s}" 11 verbose "client rekeylimit ${s}"
16 rm -f ${COPY} 12 rm -f ${COPY} ${LOG}
17 cat $DATA | \ 13 cat $DATA | \
18 ${SSH} -oCompression=no -oRekeyLimit=$s \ 14 ${SSH} -oCompression=no -oRekeyLimit=$s \
19 -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \ 15 -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
20 2> ${LOG}
21 if [ $? -ne 0 ]; then 16 if [ $? -ne 0 ]; then
22 fail "ssh failed" 17 fail "ssh failed"
23 fi 18 fi
@@ -29,4 +24,86 @@ for s in 16 1k 128k 256k; do
29 fail "no rekeying occured" 24 fail "no rekeying occured"
30 fi 25 fi
31done 26done
32rm -f ${COPY} ${LOG} ${DATA} 27
28for s in 5 10; do
29 verbose "client rekeylimit default ${s}"
30 rm -f ${COPY} ${LOG}
31 cat $DATA | \
32 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
33 $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
34 if [ $? -ne 0 ]; then
35 fail "ssh failed"
36 fi
37 cmp $DATA ${COPY} || fail "corrupted copy"
38 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
39 n=`expr $n - 1`
40 trace "$n rekeying(s)"
41 if [ $n -lt 1 ]; then
42 fail "no rekeying occured"
43 fi
44done
45
46for s in 5 10; do
47 verbose "client rekeylimit default ${s} no data"
48 rm -f ${COPY} ${LOG}
49 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
50 $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
51 if [ $? -ne 0 ]; then
52 fail "ssh failed"
53 fi
54 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
55 n=`expr $n - 1`
56 trace "$n rekeying(s)"
57 if [ $n -lt 1 ]; then
58 fail "no rekeying occured"
59 fi
60done
61
62echo "rekeylimit default 5" >>$OBJ/sshd_proxy
63for s in 5 10; do
64 verbose "server rekeylimit default ${s} no data"
65 rm -f ${COPY} ${LOG}
66 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
67 if [ $? -ne 0 ]; then
68 fail "ssh failed"
69 fi
70 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
71 n=`expr $n - 1`
72 trace "$n rekeying(s)"
73 if [ $n -lt 1 ]; then
74 fail "no rekeying occured"
75 fi
76done
77
78verbose "rekeylimit parsing"
79for size in 16 1k 1K 1m 1M 1g 1G; do
80 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
81 case $size in
82 16) bytes=16 ;;
83 1k|1K) bytes=1024 ;;
84 1m|1M) bytes=1048576 ;;
85 1g|1G) bytes=1073741824 ;;
86 esac
87 case $time in
88 1) seconds=1 ;;
89 1m|1M) seconds=60 ;;
90 1h|1H) seconds=3600 ;;
91 1d|1D) seconds=86400 ;;
92 1w|1W) seconds=604800 ;;
93 esac
94
95 b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
96 awk '/rekeylimit/{print $2}'`
97 s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
98 awk '/rekeylimit/{print $3}'`
99
100 if [ "$bytes" != "$b" ]; then
101 fatal "rekeylimit size: expected $bytes got $b"
102 fi
103 if [ "$seconds" != "$s" ]; then
104 fatal "rekeylimit time: expected $time got $s"
105 fi
106 done
107done
108
109rm -f ${COPY} ${DATA}
diff --git a/regress/runtests.sh b/regress/runtests.sh
deleted file mode 100755
index 9808eb8a7..000000000
--- a/regress/runtests.sh
+++ /dev/null
@@ -1,13 +0,0 @@
1#!/bin/sh
2
3TEST_SSH_SSH=../ssh
4TEST_SSH_SSHD=../sshd
5TEST_SSH_SSHAGENT=../ssh-agent
6TEST_SSH_SSHADD=../ssh-add
7TEST_SSH_SSHKEYGEN=../ssh-keygen
8TEST_SSH_SSHKEYSCAN=../ssh-keyscan
9TEST_SSH_SFTP=../sftp
10TEST_SSH_SFTPSERVER=../sftp-server
11
12pmake
13
diff --git a/regress/scp.sh b/regress/scp.sh
index c5d412dd9..29c5b35d4 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $ 1# $OpenBSD: scp.sh,v 1.9 2013/05/17 10:35:43 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="scp" 4tid="scp"
@@ -12,8 +12,6 @@ else
12 DIFFOPT="-r" 12 DIFFOPT="-r"
13fi 13fi
14 14
15DATA=/bin/ls${EXEEXT}
16COPY=${OBJ}/copy
17COPY2=${OBJ}/copy2 15COPY2=${OBJ}/copy2
18DIR=${COPY}.dd 16DIR=${COPY}.dd
19DIR2=${COPY}.dd2 17DIR2=${COPY}.dd2
diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh
index 08009f26b..7f85c4f22 100644
--- a/regress/sftp-badcmds.sh
+++ b/regress/sftp-badcmds.sh
@@ -1,12 +1,10 @@
1# $OpenBSD: sftp-badcmds.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ 1# $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sftp invalid commands" 4tid="sftp invalid commands"
5 5
6DATA=/bin/ls${EXEEXT}
7DATA2=/bin/sh${EXEEXT} 6DATA2=/bin/sh${EXEEXT}
8NONEXIST=/NONEXIST.$$ 7NONEXIST=/NONEXIST.$$
9COPY=${OBJ}/copy
10GLOBFILES=`(cd /bin;echo l*)` 8GLOBFILES=`(cd /bin;echo l*)`
11 9
12rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd 10rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh
index a51ef0782..41011549b 100644
--- a/regress/sftp-batch.sh
+++ b/regress/sftp-batch.sh
@@ -1,10 +1,8 @@
1# $OpenBSD: sftp-batch.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ 1# $OpenBSD: sftp-batch.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sftp batchfile" 4tid="sftp batchfile"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8BATCH=${OBJ}/sftp.bb 6BATCH=${OBJ}/sftp.bb
9 7
10rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* 8rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
new file mode 100644
index 000000000..03b9bc6d7
--- /dev/null
+++ b/regress/sftp-chroot.sh
@@ -0,0 +1,25 @@
1# $OpenBSD: sftp-chroot.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain.
3
4tid="sftp in chroot"
5
6CHROOT=/var/run
7FILENAME=testdata_${USER}
8PRIVDATA=${CHROOT}/${FILENAME}
9
10if [ -z "$SUDO" ]; then
11 echo "skipped: need SUDO to create file in /var/run, test won't work without"
12 exit 0
13fi
14
15$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
16 fatal "create $PRIVDATA failed"
17
18start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /"
19
20verbose "test $tid: get"
21${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \
22 fatal "Fetch ${FILENAME} failed"
23cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ"
24
25$SUDO rm $PRIVDATA
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh
index 2e0300e16..aad7fcac2 100644
--- a/regress/sftp-cmds.sh
+++ b/regress/sftp-cmds.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: sftp-cmds.sh,v 1.12 2012/06/01 00:52:52 djm Exp $ 1# $OpenBSD: sftp-cmds.sh,v 1.14 2013/06/21 02:26:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4# XXX - TODO: 4# XXX - TODO:
@@ -7,8 +7,6 @@
7 7
8tid="sftp commands" 8tid="sftp commands"
9 9
10DATA=/bin/ls${EXEEXT}
11COPY=${OBJ}/copy
12# test that these files are readable! 10# test that these files are readable!
13for i in `(cd /bin;echo l*)` 11for i in `(cd /bin;echo l*)`
14do 12do
@@ -108,7 +106,7 @@ rm -f ${COPY}.dd/*
108verbose "$tid: get to directory" 106verbose "$tid: get to directory"
109echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 107echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
110 || fail "get failed" 108 || fail "get failed"
111cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" 109cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
112 110
113rm -f ${COPY}.dd/* 111rm -f ${COPY}.dd/*
114verbose "$tid: glob get to directory" 112verbose "$tid: glob get to directory"
@@ -122,7 +120,7 @@ rm -f ${COPY}.dd/*
122verbose "$tid: get to local dir" 120verbose "$tid: get to local dir"
123(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 121(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
124 || fail "get failed" 122 || fail "get failed"
125cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" 123cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
126 124
127rm -f ${COPY}.dd/* 125rm -f ${COPY}.dd/*
128verbose "$tid: glob get to local dir" 126verbose "$tid: glob get to local dir"
@@ -156,7 +154,7 @@ rm -f ${COPY}.dd/*
156verbose "$tid: put to directory" 154verbose "$tid: put to directory"
157echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 155echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
158 || fail "put failed" 156 || fail "put failed"
159cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" 157cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
160 158
161rm -f ${COPY}.dd/* 159rm -f ${COPY}.dd/*
162verbose "$tid: glob put to directory" 160verbose "$tid: glob put to directory"
@@ -170,7 +168,7 @@ rm -f ${COPY}.dd/*
170verbose "$tid: put to local dir" 168verbose "$tid: put to local dir"
171(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 169(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
172 || fail "put failed" 170 || fail "put failed"
173cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" 171cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
174 172
175rm -f ${COPY}.dd/* 173rm -f ${COPY}.dd/*
176verbose "$tid: glob put to local dir" 174verbose "$tid: glob put to local dir"
diff --git a/regress/sftp.sh b/regress/sftp.sh
index f84fa6f4e..b8e9f7527 100644
--- a/regress/sftp.sh
+++ b/regress/sftp.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: sftp.sh,v 1.3 2009/08/13 01:11:55 djm Exp $ 1# $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="basic sftp put/get" 4tid="basic sftp put/get"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8
9SFTPCMDFILE=${OBJ}/batch 6SFTPCMDFILE=${OBJ}/batch
10cat >$SFTPCMDFILE <<EOF 7cat >$SFTPCMDFILE <<EOF
11version 8version
diff --git a/regress/ssh-com-client.sh b/regress/ssh-com-client.sh
index 324a0a723..e4f80cf0a 100644
--- a/regress/ssh-com-client.sh
+++ b/regress/ssh-com-client.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $ 1# $OpenBSD: ssh-com-client.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect with ssh.com client" 4tid="connect with ssh.com client"
@@ -67,10 +67,6 @@ EOF
67# we need a real server (no ProxyConnect option) 67# we need a real server (no ProxyConnect option)
68start_sshd 68start_sshd
69 69
70DATA=/bin/ls${EXEEXT}
71COPY=${OBJ}/copy
72rm -f ${COPY}
73
74# go for it 70# go for it
75for v in ${VERSIONS}; do 71for v in ${VERSIONS}; do
76 ssh2=${TEST_COMBASE}/${v}/ssh2 72 ssh2=${TEST_COMBASE}/${v}/ssh2
diff --git a/regress/ssh-com-sftp.sh b/regress/ssh-com-sftp.sh
index be6f4e0dc..fabfa4983 100644
--- a/regress/ssh-com-sftp.sh
+++ b/regress/ssh-com-sftp.sh
@@ -1,10 +1,8 @@
1# $OpenBSD: ssh-com-sftp.sh,v 1.6 2009/08/20 18:43:07 djm Exp $ 1# $OpenBSD: ssh-com-sftp.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="basic sftp put/get with ssh.com server" 4tid="basic sftp put/get with ssh.com server"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8SFTPCMDFILE=${OBJ}/batch 6SFTPCMDFILE=${OBJ}/batch
9 7
10cat >$SFTPCMDFILE <<EOF 8cat >$SFTPCMDFILE <<EOF
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh
index 7bcd85b65..6c5cfe888 100644
--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $ 1# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect to ssh.com server" 4tid="connect to ssh.com server"
@@ -70,7 +70,7 @@ done
70 70
71# convert and append DSA hostkey 71# convert and append DSA hostkey
72( 72(
73 echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' 73 printf 'ssh2-localhost-with-alias,127.0.0.1,::1 '
74 ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub 74 ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
75) >> $OBJ/known_hosts 75) >> $OBJ/known_hosts
76 76
diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh
index c7a5ef3a6..a9386be4d 100644
--- a/regress/sshd-log-wrapper.sh
+++ b/regress/sshd-log-wrapper.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $ 2# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $
3# Placed in the Public Domain. 3# Placed in the Public Domain.
4# 4#
5# simple wrapper for sshd proxy mode to catch stderr output 5# simple wrapper for sshd proxy mode to catch stderr output
@@ -10,4 +10,4 @@ log=$2
10shift 10shift
11shift 11shift
12 12
13exec $sshd $@ -e 2>>$log 13exec $sshd -E$log $@
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh
index 05a5ea56d..218ac6b68 100644
--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -1,29 +1,13 @@
1# $OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $ 1# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="stderr data after eof" 4tid="stderr data after eof"
5 5
6DATA=/etc/motd
7DATA=${OBJ}/data
8COPY=${OBJ}/copy
9
10if have_prog md5sum; then
11 CHECKSUM=md5sum
12elif have_prog openssl; then
13 CHECKSUM="openssl md5"
14elif have_prog cksum; then
15 CHECKSUM=cksum
16elif have_prog sum; then
17 CHECKSUM=sum
18else
19 fatal "No checksum program available, aborting $tid test"
20fi
21
22# setup data 6# setup data
23rm -f ${DATA} ${COPY} 7rm -f ${DATA} ${COPY}
24cp /dev/null ${DATA} 8cp /dev/null ${DATA}
25for i in 1 2 3 4 5 6; do 9for i in 1 2 3 4 5 6; do
26 (date;echo $i) | $CHECKSUM >> ${DATA} 10 (date;echo $i) | md5 >> ${DATA}
27done 11done
28 12
29${SSH} -2 -F $OBJ/ssh_proxy otherhost \ 13${SSH} -2 -F $OBJ/ssh_proxy otherhost \
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh
index 1daf79bb5..b0bd2355c 100644
--- a/regress/stderr-data.sh
+++ b/regress/stderr-data.sh
@@ -1,12 +1,8 @@
1# $OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $ 1# $OpenBSD: stderr-data.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="stderr data transfer" 4tid="stderr data transfer"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8rm -f ${COPY}
9
10for n in '' -n; do 6for n in '' -n; do
11for p in 1 2; do 7for p in 1 2; do
12 verbose "test $tid: proto $p ($n)" 8 verbose "test $tid: proto $p ($n)"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index aa4e6e5c0..eee446264 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.37 2010/02/24 06:21:56 djm Exp $ 1# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -136,30 +136,49 @@ case "$SSHD" in
136*) SSHD=`which sshd` ;; 136*) SSHD=`which sshd` ;;
137esac 137esac
138 138
139# Logfiles.
140# SSH_LOGFILE should be the debug output of ssh(1) only
141# SSHD_LOGFILE should be the debug output of sshd(8) only
142# REGRESS_LOGFILE is the output of the test itself stdout and stderr
139if [ "x$TEST_SSH_LOGFILE" = "x" ]; then 143if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
140 TEST_SSH_LOGFILE=/dev/null 144 TEST_SSH_LOGFILE=$OBJ/ssh.log
145fi
146if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then
147 TEST_SSHD_LOGFILE=$OBJ/sshd.log
148fi
149if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then
150 TEST_REGRESS_LOGFILE=$OBJ/regress.log
141fi 151fi
142 152
143# Some data for test copies 153# truncate logfiles
144DATA=$OBJ/testdata 154>$TEST_SSH_LOGFILE
145cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA 155>$TEST_SSHD_LOGFILE
156>$TEST_REGRESS_LOGFILE
157
158# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..."
159# because sftp and scp don't handle spaces in arguments.
160SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh
161echo "#!/bin/sh" > $SSHLOGWRAP
162echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
163
164chmod a+rx $OBJ/ssh-log-wrapper.sh
165SSH="$SSHLOGWRAP"
166
167# Some test data. We make a copy because some tests will overwrite it.
168# The tests may assume that $DATA exists and is writable and $COPY does
169# not exist.
170DATANAME=data
171DATA=$OBJ/${DATANAME}
172cat $SSHD $SSHD $SSHD $SSHD >${DATA}
173chmod u+w ${DATA}
174COPY=$OBJ/copy
175rm -f ${COPY}
146 176
147# these should be used in tests 177# these should be used in tests
148export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 178export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
149#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 179#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
150 180
151# helper 181# Portable specific functions
152echon()
153{
154 if [ "x`echo -n`" = "x" ]; then
155 echo -n "$@"
156 elif [ "x`echo '\c'`" = "x" ]; then
157 echo "$@\c"
158 else
159 fatal "Don't know how to echo without newline."
160 fi
161}
162
163have_prog() 182have_prog()
164{ 183{
165 saved_IFS="$IFS" 184 saved_IFS="$IFS"
@@ -175,6 +194,37 @@ have_prog()
175 return 1 194 return 1
176} 195}
177 196
197jot() {
198 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
199}
200
201# Check whether preprocessor symbols are defined in config.h.
202config_defined ()
203{
204 str=$1
205 while test "x$2" != "x" ; do
206 str="$str|$2"
207 shift
208 done
209 egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
210}
211
212md5 () {
213 if have_prog md5sum; then
214 md5sum
215 elif have_prog openssl; then
216 openssl md5
217 elif have_prog cksum; then
218 cksum
219 elif have_prog sum; then
220 sum
221 else
222 wc -c
223 fi
224}
225# End of portable specific functions
226
227# helper
178cleanup () 228cleanup ()
179{ 229{
180 if [ -f $PIDFILE ]; then 230 if [ -f $PIDFILE ]; then
@@ -199,9 +249,26 @@ cleanup ()
199 fi 249 fi
200} 250}
201 251
252start_debug_log ()
253{
254 echo "trace: $@" >$TEST_REGRESS_LOGFILE
255 echo "trace: $@" >$TEST_SSH_LOGFILE
256 echo "trace: $@" >$TEST_SSHD_LOGFILE
257}
258
259save_debug_log ()
260{
261 echo $@ >>$TEST_REGRESS_LOGFILE
262 echo $@ >>$TEST_SSH_LOGFILE
263 echo $@ >>$TEST_SSHD_LOGFILE
264 (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log
265 (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log
266 (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log
267}
268
202trace () 269trace ()
203{ 270{
204 echo "trace: $@" >>$TEST_SSH_LOGFILE 271 start_debug_log $@
205 if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then 272 if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
206 echo "$@" 273 echo "$@"
207 fi 274 fi
@@ -209,7 +276,7 @@ trace ()
209 276
210verbose () 277verbose ()
211{ 278{
212 echo "verbose: $@" >>$TEST_SSH_LOGFILE 279 start_debug_log $@
213 if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then 280 if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
214 echo "$@" 281 echo "$@"
215 fi 282 fi
@@ -223,31 +290,21 @@ warn ()
223 290
224fail () 291fail ()
225{ 292{
226 echo "FAIL: $@" >>$TEST_SSH_LOGFILE 293 save_debug_log "FAIL: $@"
227 RESULT=1 294 RESULT=1
228 echo "$@" 295 echo "$@"
296
229} 297}
230 298
231fatal () 299fatal ()
232{ 300{
233 echo "FATAL: $@" >>$TEST_SSH_LOGFILE 301 save_debug_log "FATAL: $@"
234 echon "FATAL: " 302 printf "FATAL: "
235 fail "$@" 303 fail "$@"
236 cleanup 304 cleanup
237 exit $RESULT 305 exit $RESULT
238} 306}
239 307
240# Check whether preprocessor symbols are defined in config.h.
241config_defined ()
242{
243 str=$1
244 while test "x$2" != "x" ; do
245 str="$str|$2"
246 shift
247 done
248 egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
249}
250
251RESULT=0 308RESULT=0
252PIDFILE=$OBJ/pidfile 309PIDFILE=$OBJ/pidfile
253 310
@@ -263,7 +320,7 @@ cat << EOF > $OBJ/sshd_config
263 #ListenAddress ::1 320 #ListenAddress ::1
264 PidFile $PIDFILE 321 PidFile $PIDFILE
265 AuthorizedKeysFile $OBJ/authorized_keys_%u 322 AuthorizedKeysFile $OBJ/authorized_keys_%u
266 LogLevel VERBOSE 323 LogLevel DEBUG3
267 AcceptEnv _XXX_TEST_* 324 AcceptEnv _XXX_TEST_*
268 AcceptEnv _XXX_TEST 325 AcceptEnv _XXX_TEST
269 Subsystem sftp $SFTPSERVER 326 Subsystem sftp $SFTPSERVER
@@ -295,8 +352,10 @@ Host *
295 ChallengeResponseAuthentication no 352 ChallengeResponseAuthentication no
296 HostbasedAuthentication no 353 HostbasedAuthentication no
297 PasswordAuthentication no 354 PasswordAuthentication no
355 RhostsRSAAuthentication no
298 BatchMode yes 356 BatchMode yes
299 StrictHostKeyChecking yes 357 StrictHostKeyChecking yes
358 LogLevel DEBUG3
300EOF 359EOF
301 360
302if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then 361if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
@@ -309,13 +368,15 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
309trace "generate keys" 368trace "generate keys"
310for t in rsa rsa1; do 369for t in rsa rsa1; do
311 # generate user key 370 # generate user key
312 rm -f $OBJ/$t 371 if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then
313 ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\ 372 rm -f $OBJ/$t
314 fail "ssh-keygen for $t failed" 373 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\
374 fail "ssh-keygen for $t failed"
375 fi
315 376
316 # known hosts file for client 377 # known hosts file for client
317 ( 378 (
318 echon 'localhost-with-alias,127.0.0.1,::1 ' 379 printf 'localhost-with-alias,127.0.0.1,::1 '
319 cat $OBJ/$t.pub 380 cat $OBJ/$t.pub
320 ) >> $OBJ/known_hosts 381 ) >> $OBJ/known_hosts
321 382
@@ -370,7 +431,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
370 echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy 431 echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
371 echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy 432 echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
372 echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy 433 echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
373 echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy 434 echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
374 435
375 REGRESS_INTEROP_PUTTY=yes 436 REGRESS_INTEROP_PUTTY=yes
376fi 437fi
@@ -378,7 +439,7 @@ fi
378# create a proxy version of the client config 439# create a proxy version of the client config
379( 440(
380 cat $OBJ/ssh_config 441 cat $OBJ/ssh_config
381 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy 442 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy
382) > $OBJ/ssh_proxy 443) > $OBJ/ssh_proxy
383 444
384# check proxy config 445# check proxy config
@@ -388,7 +449,7 @@ start_sshd ()
388{ 449{
389 # start sshd 450 # start sshd
390 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" 451 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
391 $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSH_LOGFILE 2>&1 452 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE
392 453
393 trace "wait for sshd" 454 trace "wait for sshd"
394 i=0; 455 i=0;
diff --git a/regress/transfer.sh b/regress/transfer.sh
index 13ea367d5..1ae3ef5bf 100644
--- a/regress/transfer.sh
+++ b/regress/transfer.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $ 1# $OpenBSD: transfer.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="transfer data" 4tid="transfer data"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8
9for p in 1 2; do 6for p in 1 2; do
10 verbose "$tid: proto $p" 7 verbose "$tid: proto $p"
11 rm -f ${COPY} 8 rm -f ${COPY}
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 084a1457a..e17c9f5e9 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
diff --git a/roaming_client.c b/roaming_client.c
index 48009d781..81c496827 100644
--- a/roaming_client.c
+++ b/roaming_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */ 1/* $OpenBSD: roaming_client.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2004-2009 AppGate Network Security AB 3 * Copyright (c) 2004-2009 AppGate Network Security AB
4 * 4 *
@@ -187,10 +187,10 @@ roaming_resume(void)
187 debug("server doesn't allow resume"); 187 debug("server doesn't allow resume");
188 goto fail; 188 goto fail;
189 } 189 }
190 xfree(str); 190 free(str);
191 for (i = 1; i < PROPOSAL_MAX; i++) { 191 for (i = 1; i < PROPOSAL_MAX; i++) {
192 /* kex algorithm taken care of so start with i=1 and not 0 */ 192 /* kex algorithm taken care of so start with i=1 and not 0 */
193 xfree(packet_get_string(&len)); 193 free(packet_get_string(&len));
194 } 194 }
195 i = packet_get_char(); /* first_kex_packet_follows */ 195 i = packet_get_char(); /* first_kex_packet_follows */
196 if (i && (c = strchr(kexlist, ','))) 196 if (i && (c = strchr(kexlist, ',')))
@@ -226,8 +226,7 @@ roaming_resume(void)
226 return 0; 226 return 0;
227 227
228fail: 228fail:
229 if (kexlist) 229 free(kexlist);
230 xfree(kexlist);
231 if (packet_get_connection_in() == packet_get_connection_out()) 230 if (packet_get_connection_in() == packet_get_connection_out())
232 close(packet_get_connection_in()); 231 close(packet_get_connection_in());
233 else { 232 else {
diff --git a/roaming_common.c b/roaming_common.c
index 8d0b6054a..50d6177d0 100644
--- a/roaming_common.c
+++ b/roaming_common.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */ 1/* $OpenBSD: roaming_common.c,v 1.10 2013/07/12 00:19:59 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2004-2009 AppGate Network Security AB 3 * Copyright (c) 2004-2009 AppGate Network Security AB
4 * 4 *
@@ -227,7 +227,7 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge)
227{ 227{
228 const EVP_MD *md = EVP_sha1(); 228 const EVP_MD *md = EVP_sha1();
229 EVP_MD_CTX ctx; 229 EVP_MD_CTX ctx;
230 char hash[EVP_MAX_MD_SIZE]; 230 u_char hash[EVP_MAX_MD_SIZE];
231 Buffer b; 231 Buffer b;
232 232
233 buffer_init(&b); 233 buffer_init(&b);
diff --git a/rsa.c b/rsa.c
index bec1d190b..a9ee6b0ed 100644
--- a/rsa.c
+++ b/rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */ 1/* $OpenBSD: rsa.c,v 1.30 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -96,8 +96,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
96 96
97 memset(outbuf, 0, olen); 97 memset(outbuf, 0, olen);
98 memset(inbuf, 0, ilen); 98 memset(inbuf, 0, ilen);
99 xfree(outbuf); 99 free(outbuf);
100 xfree(inbuf); 100 free(inbuf);
101} 101}
102 102
103int 103int
@@ -122,8 +122,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
122 } 122 }
123 memset(outbuf, 0, olen); 123 memset(outbuf, 0, olen);
124 memset(inbuf, 0, ilen); 124 memset(inbuf, 0, ilen);
125 xfree(outbuf); 125 free(outbuf);
126 xfree(inbuf); 126 free(inbuf);
127 return len; 127 return len;
128} 128}
129 129
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e12418399..cc1465305 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -91,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
91 SC_DENY(open, EACCES), 91 SC_DENY(open, EACCES),
92 SC_ALLOW(getpid), 92 SC_ALLOW(getpid),
93 SC_ALLOW(gettimeofday), 93 SC_ALLOW(gettimeofday),
94 SC_ALLOW(clock_gettime),
94#ifdef __NR_time /* not defined on EABI ARM */ 95#ifdef __NR_time /* not defined on EABI ARM */
95 SC_ALLOW(time), 96 SC_ALLOW(time),
96#endif 97#endif
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 2d16a627f..cc0db46c4 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */ 1/* $OpenBSD: sandbox-systrace.c,v 1.7 2013/06/01 13:15:52 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org> 3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4 * 4 *
@@ -57,6 +57,7 @@ static const struct sandbox_policy preauth_policy[] = {
57 { SYS_exit, SYSTR_POLICY_PERMIT }, 57 { SYS_exit, SYSTR_POLICY_PERMIT },
58 { SYS_getpid, SYSTR_POLICY_PERMIT }, 58 { SYS_getpid, SYSTR_POLICY_PERMIT },
59 { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, 59 { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
60 { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
60 { SYS_madvise, SYSTR_POLICY_PERMIT }, 61 { SYS_madvise, SYSTR_POLICY_PERMIT },
61 { SYS_mmap, SYSTR_POLICY_PERMIT }, 62 { SYS_mmap, SYSTR_POLICY_PERMIT },
62 { SYS_mprotect, SYSTR_POLICY_PERMIT }, 63 { SYS_mprotect, SYSTR_POLICY_PERMIT },
diff --git a/schnorr.c b/schnorr.c
index 4d54d6881..9549dcf0e 100644
--- a/schnorr.c
+++ b/schnorr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: schnorr.c,v 1.5 2010/12/03 23:49:26 djm Exp $ */ 1/* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2008 Damien Miller. All rights reserved. 3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 * 4 *
@@ -102,7 +102,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
102 out: 102 out:
103 buffer_free(&b); 103 buffer_free(&b);
104 bzero(digest, digest_len); 104 bzero(digest, digest_len);
105 xfree(digest); 105 free(digest);
106 digest_len = 0; 106 digest_len = 0;
107 if (success == 0) 107 if (success == 0)
108 return h; 108 return h;
@@ -488,12 +488,13 @@ debug3_bn(const BIGNUM *n, const char *fmt, ...)
488{ 488{
489 char *out, *h; 489 char *out, *h;
490 va_list args; 490 va_list args;
491 int ret;
491 492
492 out = NULL; 493 out = NULL;
493 va_start(args, fmt); 494 va_start(args, fmt);
494 vasprintf(&out, fmt, args); 495 ret = vasprintf(&out, fmt, args);
495 va_end(args); 496 va_end(args);
496 if (out == NULL) 497 if (ret == -1 || out == NULL)
497 fatal("%s: vasprintf failed", __func__); 498 fatal("%s: vasprintf failed", __func__);
498 499
499 if (n == NULL) 500 if (n == NULL)
@@ -513,12 +514,13 @@ debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
513 char *out, h[65]; 514 char *out, h[65];
514 u_int i, j; 515 u_int i, j;
515 va_list args; 516 va_list args;
517 int ret;
516 518
517 out = NULL; 519 out = NULL;
518 va_start(args, fmt); 520 va_start(args, fmt);
519 vasprintf(&out, fmt, args); 521 ret = vasprintf(&out, fmt, args);
520 va_end(args); 522 va_end(args);
521 if (out == NULL) 523 if (ret == -1 || out == NULL)
522 fatal("%s: vasprintf failed", __func__); 524 fatal("%s: vasprintf failed", __func__);
523 525
524 debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : ""); 526 debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
@@ -571,7 +573,7 @@ modp_group_free(struct modp_group *grp)
571 if (grp->q != NULL) 573 if (grp->q != NULL)
572 BN_clear_free(grp->q); 574 BN_clear_free(grp->q);
573 bzero(grp, sizeof(*grp)); 575 bzero(grp, sizeof(*grp));
574 xfree(grp); 576 free(grp);
575} 577}
576 578
577/* main() function for self-test */ 579/* main() function for self-test */
@@ -606,7 +608,7 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
606 if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4, 608 if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
607 sig, siglen) != 0) 609 sig, siglen) != 0)
608 fatal("%s: verify should have failed (bit error)", __func__); 610 fatal("%s: verify should have failed (bit error)", __func__);
609 xfree(sig); 611 free(sig);
610 BN_free(g_x); 612 BN_free(g_x);
611 BN_CTX_free(bn_ctx); 613 BN_CTX_free(bn_ctx);
612} 614}
diff --git a/scp.0 b/scp.0
index 119d9293b..fe7087bc4 100644
--- a/scp.0
+++ b/scp.0
@@ -155,4 +155,4 @@ AUTHORS
155 Timo Rinne <tri@iki.fi> 155 Timo Rinne <tri@iki.fi>
156 Tatu Ylonen <ylo@cs.hut.fi> 156 Tatu Ylonen <ylo@cs.hut.fi>
157 157
158OpenBSD 5.3 September 5, 2011 OpenBSD 5.3 158OpenBSD 5.4 July 16, 2013 OpenBSD 5.4
diff --git a/scp.1 b/scp.1
index 734b97bb1..c83012c92 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
8.\" 8.\"
9.\" Created: Sun May 7 00:14:37 1995 ylo 9.\" Created: Sun May 7 00:14:37 1995 ylo
10.\" 10.\"
11.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $ 11.\" $OpenBSD: scp.1,v 1.59 2013/07/16 00:07:52 schwarze Exp $
12.\" 12.\"
13.Dd $Mdocdate: September 5 2011 $ 13.Dd $Mdocdate: July 16 2013 $
14.Dt SCP 1 14.Dt SCP 1
15.Os 15.Os
16.Sh NAME 16.Sh NAME
@@ -235,5 +235,5 @@ is based on the
235program in BSD source code from the Regents of the University of 235program in BSD source code from the Regents of the University of
236California. 236California.
237.Sh AUTHORS 237.Sh AUTHORS
238.An Timo Rinne Aq tri@iki.fi 238.An Timo Rinne Aq Mt tri@iki.fi
239.An Tatu Ylonen Aq ylo@cs.hut.fi 239.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
diff --git a/scp.c b/scp.c
index e1fdd3985..b7a17abfe 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */ 1/* $OpenBSD: scp.c,v 1.178 2013/06/22 06:31:57 djm Exp $ */
2/* 2/*
3 * scp - secure remote copy. This is basically patched BSD rcp which 3 * scp - secure remote copy. This is basically patched BSD rcp which
4 * uses ssh to do the data transfer (instead of using rcmd). 4 * uses ssh to do the data transfer (instead of using rcmd).
@@ -558,6 +558,24 @@ scpio(void *_cnt, size_t s)
558 return 0; 558 return 0;
559} 559}
560 560
561static int
562do_times(int fd, int verb, const struct stat *sb)
563{
564 /* strlen(2^64) == 20; strlen(10^6) == 7 */
565 char buf[(20 + 7 + 2) * 2 + 2];
566
567 (void)snprintf(buf, sizeof(buf), "T%llu 0 %llu 0\n",
568 (unsigned long long) (sb->st_mtime < 0 ? 0 : sb->st_mtime),
569 (unsigned long long) (sb->st_atime < 0 ? 0 : sb->st_atime));
570 if (verb) {
571 fprintf(stderr, "File mtime %lld atime %lld\n",
572 (long long)sb->st_mtime, (long long)sb->st_atime);
573 fprintf(stderr, "Sending file timestamps: %s", buf);
574 }
575 (void) atomicio(vwrite, fd, buf, strlen(buf));
576 return (response());
577}
578
561void 579void
562toremote(char *targ, int argc, char **argv) 580toremote(char *targ, int argc, char **argv)
563{ 581{
@@ -586,7 +604,7 @@ toremote(char *targ, int argc, char **argv)
586 } 604 }
587 605
588 if (tuser != NULL && !okname(tuser)) { 606 if (tuser != NULL && !okname(tuser)) {
589 xfree(arg); 607 free(arg);
590 return; 608 return;
591 } 609 }
592 610
@@ -613,13 +631,13 @@ toremote(char *targ, int argc, char **argv)
613 *src == '-' ? "-- " : "", src); 631 *src == '-' ? "-- " : "", src);
614 if (do_cmd(host, suser, bp, &remin, &remout) < 0) 632 if (do_cmd(host, suser, bp, &remin, &remout) < 0)
615 exit(1); 633 exit(1);
616 (void) xfree(bp); 634 free(bp);
617 host = cleanhostname(thost); 635 host = cleanhostname(thost);
618 xasprintf(&bp, "%s -t %s%s", cmd, 636 xasprintf(&bp, "%s -t %s%s", cmd,
619 *targ == '-' ? "-- " : "", targ); 637 *targ == '-' ? "-- " : "", targ);
620 if (do_cmd2(host, tuser, bp, remin, remout) < 0) 638 if (do_cmd2(host, tuser, bp, remin, remout) < 0)
621 exit(1); 639 exit(1);
622 (void) xfree(bp); 640 free(bp);
623 (void) close(remin); 641 (void) close(remin);
624 (void) close(remout); 642 (void) close(remout);
625 remin = remout = -1; 643 remin = remout = -1;
@@ -670,12 +688,12 @@ toremote(char *targ, int argc, char **argv)
670 exit(1); 688 exit(1);
671 if (response() < 0) 689 if (response() < 0)
672 exit(1); 690 exit(1);
673 (void) xfree(bp); 691 free(bp);
674 } 692 }
675 source(1, argv + i); 693 source(1, argv + i);
676 } 694 }
677 } 695 }
678 xfree(arg); 696 free(arg);
679} 697}
680 698
681void 699void
@@ -719,11 +737,11 @@ tolocal(int argc, char **argv)
719 xasprintf(&bp, "%s -f %s%s", 737 xasprintf(&bp, "%s -f %s%s",
720 cmd, *src == '-' ? "-- " : "", src); 738 cmd, *src == '-' ? "-- " : "", src);
721 if (do_cmd(host, suser, bp, &remin, &remout) < 0) { 739 if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
722 (void) xfree(bp); 740 free(bp);
723 ++errs; 741 ++errs;
724 continue; 742 continue;
725 } 743 }
726 xfree(bp); 744 free(bp);
727 sink(1, argv + argc - 1); 745 sink(1, argv + argc - 1);
728 (void) close(remin); 746 (void) close(remin);
729 remin = remout = -1; 747 remin = remout = -1;
@@ -782,21 +800,7 @@ syserr: run_err("%s: %s", name, strerror(errno));
782 ++last; 800 ++last;
783 curfile = last; 801 curfile = last;
784 if (pflag) { 802 if (pflag) {
785 /* 803 if (do_times(remout, verbose_mode, &stb) < 0)
786 * Make it compatible with possible future
787 * versions expecting microseconds.
788 */
789 (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n",
790 (u_long) (stb.st_mtime < 0 ? 0 : stb.st_mtime),
791 (u_long) (stb.st_atime < 0 ? 0 : stb.st_atime));
792 if (verbose_mode) {
793 fprintf(stderr, "File mtime %ld atime %ld\n",
794 (long)stb.st_mtime, (long)stb.st_atime);
795 fprintf(stderr, "Sending file timestamps: %s",
796 buf);
797 }
798 (void) atomicio(vwrite, remout, buf, strlen(buf));
799 if (response() < 0)
800 goto next; 804 goto next;
801 } 805 }
802#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) 806#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
@@ -858,7 +862,7 @@ rsource(char *name, struct stat *statp)
858{ 862{
859 DIR *dirp; 863 DIR *dirp;
860 struct dirent *dp; 864 struct dirent *dp;
861 char *last, *vect[1], path[1100]; 865 char *last, *vect[1], path[MAXPATHLEN];
862 866
863 if (!(dirp = opendir(name))) { 867 if (!(dirp = opendir(name))) {
864 run_err("%s: %s", name, strerror(errno)); 868 run_err("%s: %s", name, strerror(errno));
@@ -870,11 +874,7 @@ rsource(char *name, struct stat *statp)
870 else 874 else
871 last++; 875 last++;
872 if (pflag) { 876 if (pflag) {
873 (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n", 877 if (do_times(remout, verbose_mode, statp) < 0) {
874 (u_long) statp->st_mtime,
875 (u_long) statp->st_atime);
876 (void) atomicio(vwrite, remout, path, strlen(path));
877 if (response() < 0) {
878 closedir(dirp); 878 closedir(dirp);
879 return; 879 return;
880 } 880 }
@@ -920,6 +920,7 @@ sink(int argc, char **argv)
920 int amt, exists, first, ofd; 920 int amt, exists, first, ofd;
921 mode_t mode, omode, mask; 921 mode_t mode, omode, mask;
922 off_t size, statbytes; 922 off_t size, statbytes;
923 unsigned long long ull;
923 int setimes, targisdir, wrerrno = 0; 924 int setimes, targisdir, wrerrno = 0;
924 char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; 925 char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
925 struct timeval tv[2]; 926 struct timeval tv[2];
@@ -978,17 +979,31 @@ sink(int argc, char **argv)
978 if (*cp == 'T') { 979 if (*cp == 'T') {
979 setimes++; 980 setimes++;
980 cp++; 981 cp++;
981 mtime.tv_sec = strtol(cp, &cp, 10); 982 if (!isdigit((unsigned char)*cp))
983 SCREWUP("mtime.sec not present");
984 ull = strtoull(cp, &cp, 10);
982 if (!cp || *cp++ != ' ') 985 if (!cp || *cp++ != ' ')
983 SCREWUP("mtime.sec not delimited"); 986 SCREWUP("mtime.sec not delimited");
987 if ((time_t)ull < 0 ||
988 (unsigned long long)(time_t)ull != ull)
989 setimes = 0; /* out of range */
990 mtime.tv_sec = ull;
984 mtime.tv_usec = strtol(cp, &cp, 10); 991 mtime.tv_usec = strtol(cp, &cp, 10);
985 if (!cp || *cp++ != ' ') 992 if (!cp || *cp++ != ' ' || mtime.tv_usec < 0 ||
993 mtime.tv_usec > 999999)
986 SCREWUP("mtime.usec not delimited"); 994 SCREWUP("mtime.usec not delimited");
987 atime.tv_sec = strtol(cp, &cp, 10); 995 if (!isdigit((unsigned char)*cp))
996 SCREWUP("atime.sec not present");
997 ull = strtoull(cp, &cp, 10);
988 if (!cp || *cp++ != ' ') 998 if (!cp || *cp++ != ' ')
989 SCREWUP("atime.sec not delimited"); 999 SCREWUP("atime.sec not delimited");
1000 if ((time_t)ull < 0 ||
1001 (unsigned long long)(time_t)ull != ull)
1002 setimes = 0; /* out of range */
1003 atime.tv_sec = ull;
990 atime.tv_usec = strtol(cp, &cp, 10); 1004 atime.tv_usec = strtol(cp, &cp, 10);
991 if (!cp || *cp++ != '\0') 1005 if (!cp || *cp++ != '\0' || atime.tv_usec < 0 ||
1006 atime.tv_usec > 999999)
992 SCREWUP("atime.usec not delimited"); 1007 SCREWUP("atime.usec not delimited");
993 (void) atomicio(vwrite, remout, "", 1); 1008 (void) atomicio(vwrite, remout, "", 1);
994 continue; 1009 continue;
@@ -1031,8 +1046,7 @@ sink(int argc, char **argv)
1031 1046
1032 need = strlen(targ) + strlen(cp) + 250; 1047 need = strlen(targ) + strlen(cp) + 250;
1033 if (need > cursize) { 1048 if (need > cursize) {
1034 if (namebuf) 1049 free(namebuf);
1035 xfree(namebuf);
1036 namebuf = xmalloc(need); 1050 namebuf = xmalloc(need);
1037 cursize = need; 1051 cursize = need;
1038 } 1052 }
@@ -1071,12 +1085,11 @@ sink(int argc, char **argv)
1071 } 1085 }
1072 if (mod_flag) 1086 if (mod_flag)
1073 (void) chmod(vect[0], mode); 1087 (void) chmod(vect[0], mode);
1074 if (vect[0]) 1088 free(vect[0]);
1075 xfree(vect[0]);
1076 continue; 1089 continue;
1077 } 1090 }
1078 omode = mode; 1091 omode = mode;
1079 mode |= S_IWRITE; 1092 mode |= S_IWUSR;
1080 if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { 1093 if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
1081bad: run_err("%s: %s", np, strerror(errno)); 1094bad: run_err("%s: %s", np, strerror(errno));
1082 continue; 1095 continue;
@@ -1333,7 +1346,7 @@ void
1333lostconn(int signo) 1346lostconn(int signo)
1334{ 1347{
1335 if (!iamremote) 1348 if (!iamremote)
1336 write(STDERR_FILENO, "lost connection\n", 16); 1349 (void)write(STDERR_FILENO, "lost connection\n", 16);
1337 if (signo) 1350 if (signo)
1338 _exit(1); 1351 _exit(1);
1339 else 1352 else
diff --git a/servconf.c b/servconf.c
index 1700d5aa6..a2928ff57 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -20,6 +20,7 @@
20#include <netinet/in_systm.h> 20#include <netinet/in_systm.h>
21#include <netinet/ip.h> 21#include <netinet/ip.h>
22 22
23#include <ctype.h>
23#include <netdb.h> 24#include <netdb.h>
24#include <pwd.h> 25#include <pwd.h>
25#include <stdio.h> 26#include <stdio.h>
@@ -29,6 +30,9 @@
29#include <unistd.h> 30#include <unistd.h>
30#include <stdarg.h> 31#include <stdarg.h>
31#include <errno.h> 32#include <errno.h>
33#ifdef HAVE_UTIL_H
34#include <util.h>
35#endif
32 36
33#include "openbsd-compat/sys-queue.h" 37#include "openbsd-compat/sys-queue.h"
34#include "xmalloc.h" 38#include "xmalloc.h"
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options)
75 options->address_family = -1; 79 options->address_family = -1;
76 options->num_host_key_files = 0; 80 options->num_host_key_files = 0;
77 options->num_host_cert_files = 0; 81 options->num_host_cert_files = 0;
82 options->host_key_agent = NULL;
78 options->pid_file = NULL; 83 options->pid_file = NULL;
79 options->server_key_bits = -1; 84 options->server_key_bits = -1;
80 options->login_grace_time = -1; 85 options->login_grace_time = -1;
@@ -114,6 +119,8 @@ initialize_server_options(ServerOptions *options)
114 options->permit_user_env = -1; 119 options->permit_user_env = -1;
115 options->use_login = -1; 120 options->use_login = -1;
116 options->compression = -1; 121 options->compression = -1;
122 options->rekey_limit = -1;
123 options->rekey_interval = -1;
117 options->allow_tcp_forwarding = -1; 124 options->allow_tcp_forwarding = -1;
118 options->allow_agent_forwarding = -1; 125 options->allow_agent_forwarding = -1;
119 options->num_allow_users = 0; 126 options->num_allow_users = 0;
@@ -262,6 +269,10 @@ fill_default_server_options(ServerOptions *options)
262 options->use_login = 0; 269 options->use_login = 0;
263 if (options->compression == -1) 270 if (options->compression == -1)
264 options->compression = COMP_DELAYED; 271 options->compression = COMP_DELAYED;
272 if (options->rekey_limit == -1)
273 options->rekey_limit = 0;
274 if (options->rekey_interval == -1)
275 options->rekey_interval = 0;
265 if (options->allow_tcp_forwarding == -1) 276 if (options->allow_tcp_forwarding == -1)
266 options->allow_tcp_forwarding = FORWARD_ALLOW; 277 options->allow_tcp_forwarding = FORWARD_ALLOW;
267 if (options->allow_agent_forwarding == -1) 278 if (options->allow_agent_forwarding == -1)
@@ -335,7 +346,7 @@ typedef enum {
335 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 346 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
336 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 347 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
337 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 348 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
338 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 349 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
339 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 350 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
340 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 351 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
341 sMaxStartups, sMaxAuthTries, sMaxSessions, 352 sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -351,7 +362,7 @@ typedef enum {
351 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 362 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
352 sKexAlgorithms, sIPQoS, sVersionAddendum, 363 sKexAlgorithms, sIPQoS, sVersionAddendum,
353 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 364 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
354 sAuthenticationMethods, 365 sAuthenticationMethods, sHostKeyAgent,
355 sDebianBanner, 366 sDebianBanner,
356 sDeprecated, sUnsupported 367 sDeprecated, sUnsupported
357} ServerOpCodes; 368} ServerOpCodes;
@@ -377,6 +388,7 @@ static struct {
377 { "port", sPort, SSHCFG_GLOBAL }, 388 { "port", sPort, SSHCFG_GLOBAL },
378 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 389 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
379 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 390 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
391 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
380 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 392 { "pidfile", sPidFile, SSHCFG_GLOBAL },
381 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 393 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
382 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 394 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
@@ -451,6 +463,7 @@ static struct {
451 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 463 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
452 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 464 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
453 { "compression", sCompression, SSHCFG_GLOBAL }, 465 { "compression", sCompression, SSHCFG_GLOBAL },
466 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
454 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 467 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
455 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 468 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
456 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 469 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
@@ -539,7 +552,7 @@ derelativise_path(const char *path)
539 if (getcwd(cwd, sizeof(cwd)) == NULL) 552 if (getcwd(cwd, sizeof(cwd)) == NULL)
540 fatal("%s: getcwd: %s", __func__, strerror(errno)); 553 fatal("%s: getcwd: %s", __func__, strerror(errno));
541 xasprintf(&ret, "%s/%s", cwd, expanded); 554 xasprintf(&ret, "%s/%s", cwd, expanded);
542 xfree(expanded); 555 free(expanded);
543 return ret; 556 return ret;
544} 557}
545 558
@@ -831,13 +844,13 @@ process_server_config_line(ServerOptions *options, char *line,
831 struct connection_info *connectinfo) 844 struct connection_info *connectinfo)
832{ 845{
833 char *cp, **charptr, *arg, *p; 846 char *cp, **charptr, *arg, *p;
834 int cmdline = 0, *intptr, value, value2, n; 847 int cmdline = 0, *intptr, value, value2, n, port;
835 SyslogFacility *log_facility_ptr; 848 SyslogFacility *log_facility_ptr;
836 LogLevel *log_level_ptr; 849 LogLevel *log_level_ptr;
837 ServerOpCodes opcode; 850 ServerOpCodes opcode;
838 int port;
839 u_int i, flags = 0; 851 u_int i, flags = 0;
840 size_t len; 852 size_t len;
853 long long val64;
841 const struct multistate *multistate_ptr; 854 const struct multistate *multistate_ptr;
842 855
843 cp = line; 856 cp = line;
@@ -997,6 +1010,17 @@ process_server_config_line(ServerOptions *options, char *line,
997 } 1010 }
998 break; 1011 break;
999 1012
1013 case sHostKeyAgent:
1014 charptr = &options->host_key_agent;
1015 arg = strdelim(&cp);
1016 if (!arg || *arg == '\0')
1017 fatal("%s line %d: missing socket name.",
1018 filename, linenum);
1019 if (*activep && *charptr == NULL)
1020 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1021 xstrdup(arg) : derelativise_path(arg);
1022 break;
1023
1000 case sHostCertificate: 1024 case sHostCertificate:
1001 intptr = &options->num_host_cert_files; 1025 intptr = &options->num_host_cert_files;
1002 if (*intptr >= MAX_HOSTKEYS) 1026 if (*intptr >= MAX_HOSTKEYS)
@@ -1164,6 +1188,37 @@ process_server_config_line(ServerOptions *options, char *line,
1164 multistate_ptr = multistate_compression; 1188 multistate_ptr = multistate_compression;
1165 goto parse_multistate; 1189 goto parse_multistate;
1166 1190
1191 case sRekeyLimit:
1192 arg = strdelim(&cp);
1193 if (!arg || *arg == '\0')
1194 fatal("%.200s line %d: Missing argument.", filename,
1195 linenum);
1196 if (strcmp(arg, "default") == 0) {
1197 val64 = 0;
1198 } else {
1199 if (scan_scaled(arg, &val64) == -1)
1200 fatal("%.200s line %d: Bad number '%s': %s",
1201 filename, linenum, arg, strerror(errno));
1202 /* check for too-large or too-small limits */
1203 if (val64 > UINT_MAX)
1204 fatal("%.200s line %d: RekeyLimit too large",
1205 filename, linenum);
1206 if (val64 != 0 && val64 < 16)
1207 fatal("%.200s line %d: RekeyLimit too small",
1208 filename, linenum);
1209 }
1210 if (*activep && options->rekey_limit == -1)
1211 options->rekey_limit = (u_int32_t)val64;
1212 if (cp != NULL) { /* optional rekey interval present */
1213 if (strcmp(cp, "none") == 0) {
1214 (void)strdelim(&cp); /* discard */
1215 break;
1216 }
1217 intptr = &options->rekey_interval;
1218 goto parse_time;
1219 }
1220 break;
1221
1167 case sGatewayPorts: 1222 case sGatewayPorts:
1168 intptr = &options->gateway_ports; 1223 intptr = &options->gateway_ports;
1169 multistate_ptr = multistate_gatewayports; 1224 multistate_ptr = multistate_gatewayports;
@@ -1721,8 +1776,7 @@ int server_match_spec_complete(struct connection_info *ci)
1721} while (0) 1776} while (0)
1722#define M_CP_STROPT(n) do {\ 1777#define M_CP_STROPT(n) do {\
1723 if (src->n != NULL) { \ 1778 if (src->n != NULL) { \
1724 if (dst->n != NULL) \ 1779 free(dst->n); \
1725 xfree(dst->n); \
1726 dst->n = src->n; \ 1780 dst->n = src->n; \
1727 } \ 1781 } \
1728} while(0) 1782} while(0)
@@ -1768,6 +1822,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1768 M_CP_INTOPT(max_authtries); 1822 M_CP_INTOPT(max_authtries);
1769 M_CP_INTOPT(ip_qos_interactive); 1823 M_CP_INTOPT(ip_qos_interactive);
1770 M_CP_INTOPT(ip_qos_bulk); 1824 M_CP_INTOPT(ip_qos_bulk);
1825 M_CP_INTOPT(rekey_limit);
1826 M_CP_INTOPT(rekey_interval);
1771 1827
1772 /* See comment in servconf.h */ 1828 /* See comment in servconf.h */
1773 COPY_MATCH_STRING_OPTS(); 1829 COPY_MATCH_STRING_OPTS();
@@ -1804,7 +1860,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1804 linenum++, &active, connectinfo) != 0) 1860 linenum++, &active, connectinfo) != 0)
1805 bad_options++; 1861 bad_options++;
1806 } 1862 }
1807 xfree(obuf); 1863 free(obuf);
1808 if (bad_options > 0) 1864 if (bad_options > 0)
1809 fatal("%s: terminating, %d bad configuration options", 1865 fatal("%s: terminating, %d bad configuration options",
1810 filename, bad_options); 1866 filename, bad_options);
@@ -2022,6 +2078,7 @@ dump_config(ServerOptions *o)
2022 dump_cfg_string(sVersionAddendum, o->version_addendum); 2078 dump_cfg_string(sVersionAddendum, o->version_addendum);
2023 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2079 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2024 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2080 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2081 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2025 2082
2026 /* string arguments requiring a lookup */ 2083 /* string arguments requiring a lookup */
2027 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2084 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2060,5 +2117,7 @@ dump_config(ServerOptions *o)
2060 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2117 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2061 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2118 printf("%s\n", iptos2str(o->ip_qos_bulk));
2062 2119
2120 printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
2121
2063 channel_print_adm_permitted_opens(); 2122 channel_print_adm_permitted_opens();
2064} 2123}
diff --git a/servconf.h b/servconf.h
index bc0536927..fd72ce2a3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ 1/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,6 +65,7 @@ typedef struct {
65 int num_host_key_files; /* Number of files for host keys. */ 65 int num_host_key_files; /* Number of files for host keys. */
66 char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */ 66 char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */
67 int num_host_cert_files; /* Number of files for host certs. */ 67 int num_host_cert_files; /* Number of files for host certs. */
68 char *host_key_agent; /* ssh-agent socket for host keys. */
68 char *pid_file; /* Where to put our pid */ 69 char *pid_file; /* Where to put our pid */
69 int server_key_bits;/* Size of the server key. */ 70 int server_key_bits;/* Size of the server key. */
70 int login_grace_time; /* Disconnect if no auth in this time 71 int login_grace_time; /* Disconnect if no auth in this time
@@ -180,6 +181,9 @@ typedef struct {
180 char *authorized_keys_command; 181 char *authorized_keys_command;
181 char *authorized_keys_command_user; 182 char *authorized_keys_command_user;
182 183
184 int64_t rekey_limit;
185 int rekey_interval;
186
183 char *version_addendum; /* Appended to SSH banner */ 187 char *version_addendum; /* Appended to SSH banner */
184 188
185 u_int num_auth_methods; 189 u_int num_auth_methods;
diff --git a/serverloop.c b/serverloop.c
index 9e5fa555e..5f22df3df 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ 1/* $OpenBSD: serverloop.c,v 1.168 2013/07/12 00:19:59 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -148,7 +148,7 @@ static void
148notify_parent(void) 148notify_parent(void)
149{ 149{
150 if (notify_pipe[1] != -1) 150 if (notify_pipe[1] != -1)
151 write(notify_pipe[1], "", 1); 151 (void)write(notify_pipe[1], "", 1);
152} 152}
153static void 153static void
154notify_prepare(fd_set *readset) 154notify_prepare(fd_set *readset)
@@ -277,7 +277,7 @@ client_alive_check(void)
277 */ 277 */
278static void 278static void
279wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 279wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
280 u_int *nallocp, u_int max_time_milliseconds) 280 u_int *nallocp, u_int64_t max_time_milliseconds)
281{ 281{
282 struct timeval tv, *tvp; 282 struct timeval tv, *tvp;
283 int ret; 283 int ret;
@@ -563,7 +563,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
563 int wait_status; /* Status returned by wait(). */ 563 int wait_status; /* Status returned by wait(). */
564 pid_t wait_pid; /* pid returned by wait(). */ 564 pid_t wait_pid; /* pid returned by wait(). */
565 int waiting_termination = 0; /* Have displayed waiting close message. */ 565 int waiting_termination = 0; /* Have displayed waiting close message. */
566 u_int max_time_milliseconds; 566 u_int64_t max_time_milliseconds;
567 u_int previous_stdout_buffer_bytes; 567 u_int previous_stdout_buffer_bytes;
568 u_int stdout_buffer_bytes; 568 u_int stdout_buffer_bytes;
569 int type; 569 int type;
@@ -694,7 +694,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
694 /* Display list of open channels. */ 694 /* Display list of open channels. */
695 cp = channel_open_message(); 695 cp = channel_open_message();
696 buffer_append(&stderr_buffer, cp, strlen(cp)); 696 buffer_append(&stderr_buffer, cp, strlen(cp));
697 xfree(cp); 697 free(cp);
698 } 698 }
699 } 699 }
700 max_fd = MAX(connection_in, connection_out); 700 max_fd = MAX(connection_in, connection_out);
@@ -722,10 +722,8 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
722 /* Process output to the client and to program stdin. */ 722 /* Process output to the client and to program stdin. */
723 process_output(writeset); 723 process_output(writeset);
724 } 724 }
725 if (readset) 725 free(readset);
726 xfree(readset); 726 free(writeset);
727 if (writeset)
728 xfree(writeset);
729 727
730 /* Cleanup and termination code. */ 728 /* Cleanup and termination code. */
731 729
@@ -825,7 +823,9 @@ void
825server_loop2(Authctxt *authctxt) 823server_loop2(Authctxt *authctxt)
826{ 824{
827 fd_set *readset = NULL, *writeset = NULL; 825 fd_set *readset = NULL, *writeset = NULL;
828 int rekeying = 0, max_fd, nalloc = 0; 826 int rekeying = 0, max_fd;
827 u_int nalloc = 0;
828 u_int64_t rekey_timeout_ms = 0;
829 829
830 debug("Entering interactive session for SSH2."); 830 debug("Entering interactive session for SSH2.");
831 831
@@ -854,8 +854,13 @@ server_loop2(Authctxt *authctxt)
854 854
855 if (!rekeying && packet_not_very_much_data_to_write()) 855 if (!rekeying && packet_not_very_much_data_to_write())
856 channel_output_poll(); 856 channel_output_poll();
857 if (options.rekey_interval > 0 && compat20 && !rekeying)
858 rekey_timeout_ms = packet_get_rekey_timeout() * 1000;
859 else
860 rekey_timeout_ms = 0;
861
857 wait_until_can_do_something(&readset, &writeset, &max_fd, 862 wait_until_can_do_something(&readset, &writeset, &max_fd,
858 &nalloc, 0); 863 &nalloc, rekey_timeout_ms);
859 864
860 if (received_sigterm) { 865 if (received_sigterm) {
861 logit("Exiting on signal %d", (int)received_sigterm); 866 logit("Exiting on signal %d", (int)received_sigterm);
@@ -879,10 +884,8 @@ server_loop2(Authctxt *authctxt)
879 } 884 }
880 collect_children(); 885 collect_children();
881 886
882 if (readset) 887 free(readset);
883 xfree(readset); 888 free(writeset);
884 if (writeset)
885 xfree(writeset);
886 889
887 /* free all channels, no more reads and writes */ 890 /* free all channels, no more reads and writes */
888 channel_free_all(); 891 channel_free_all();
@@ -917,7 +920,7 @@ server_input_stdin_data(int type, u_int32_t seq, void *ctxt)
917 packet_check_eom(); 920 packet_check_eom();
918 buffer_append(&stdin_buffer, data, data_len); 921 buffer_append(&stdin_buffer, data, data_len);
919 memset(data, 0, data_len); 922 memset(data, 0, data_len);
920 xfree(data); 923 free(data);
921} 924}
922 925
923static void 926static void
@@ -974,8 +977,8 @@ server_request_direct_tcpip(void)
974 originator, originator_port, target, target_port); 977 originator, originator_port, target, target_port);
975 } 978 }
976 979
977 xfree(originator); 980 free(originator);
978 xfree(target); 981 free(target);
979 982
980 return c; 983 return c;
981} 984}
@@ -1104,7 +1107,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
1104 } 1107 }
1105 packet_send(); 1108 packet_send();
1106 } 1109 }
1107 xfree(ctype); 1110 free(ctype);
1108} 1111}
1109 1112
1110static void 1113static void
@@ -1149,7 +1152,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
1149 listen_address, listen_port, 1152 listen_address, listen_port,
1150 &allocated_listen_port, options.gateway_ports); 1153 &allocated_listen_port, options.gateway_ports);
1151 } 1154 }
1152 xfree(listen_address); 1155 free(listen_address);
1153 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { 1156 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
1154 char *cancel_address; 1157 char *cancel_address;
1155 u_short cancel_port; 1158 u_short cancel_port;
@@ -1161,7 +1164,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
1161 1164
1162 success = channel_cancel_rport_listener(cancel_address, 1165 success = channel_cancel_rport_listener(cancel_address,
1163 cancel_port); 1166 cancel_port);
1164 xfree(cancel_address); 1167 free(cancel_address);
1165 } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { 1168 } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
1166 no_more_sessions = 1; 1169 no_more_sessions = 1;
1167 success = 1; 1170 success = 1;
@@ -1174,7 +1177,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
1174 packet_send(); 1177 packet_send();
1175 packet_write_wait(); 1178 packet_write_wait();
1176 } 1179 }
1177 xfree(rtype); 1180 free(rtype);
1178} 1181}
1179 1182
1180static void 1183static void
@@ -1206,7 +1209,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt)
1206 packet_put_int(c->remote_id); 1209 packet_put_int(c->remote_id);
1207 packet_send(); 1210 packet_send();
1208 } 1211 }
1209 xfree(rtype); 1212 free(rtype);
1210} 1213}
1211 1214
1212static void 1215static void
diff --git a/session.c b/session.c
index cff14cd5a..15bdb1bee 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ 1/* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -80,6 +80,7 @@
80#include "hostfile.h" 80#include "hostfile.h"
81#include "auth.h" 81#include "auth.h"
82#include "auth-options.h" 82#include "auth-options.h"
83#include "authfd.h"
83#include "pathnames.h" 84#include "pathnames.h"
84#include "log.h" 85#include "log.h"
85#include "servconf.h" 86#include "servconf.h"
@@ -200,7 +201,7 @@ auth_input_request_forwarding(struct passwd * pw)
200 packet_send_debug("Agent forwarding disabled: " 201 packet_send_debug("Agent forwarding disabled: "
201 "mkdtemp() failed: %.100s", strerror(errno)); 202 "mkdtemp() failed: %.100s", strerror(errno));
202 restore_uid(); 203 restore_uid();
203 xfree(auth_sock_dir); 204 free(auth_sock_dir);
204 auth_sock_dir = NULL; 205 auth_sock_dir = NULL;
205 goto authsock_err; 206 goto authsock_err;
206 } 207 }
@@ -245,11 +246,10 @@ auth_input_request_forwarding(struct passwd * pw)
245 return 1; 246 return 1;
246 247
247 authsock_err: 248 authsock_err:
248 if (auth_sock_name != NULL) 249 free(auth_sock_name);
249 xfree(auth_sock_name);
250 if (auth_sock_dir != NULL) { 250 if (auth_sock_dir != NULL) {
251 rmdir(auth_sock_dir); 251 rmdir(auth_sock_dir);
252 xfree(auth_sock_dir); 252 free(auth_sock_dir);
253 } 253 }
254 if (sock != -1) 254 if (sock != -1)
255 close(sock); 255 close(sock);
@@ -365,8 +365,8 @@ do_authenticated1(Authctxt *authctxt)
365 packet_check_eom(); 365 packet_check_eom();
366 success = session_setup_x11fwd(s); 366 success = session_setup_x11fwd(s);
367 if (!success) { 367 if (!success) {
368 xfree(s->auth_proto); 368 free(s->auth_proto);
369 xfree(s->auth_data); 369 free(s->auth_data);
370 s->auth_proto = NULL; 370 s->auth_proto = NULL;
371 s->auth_data = NULL; 371 s->auth_data = NULL;
372 } 372 }
@@ -413,7 +413,7 @@ do_authenticated1(Authctxt *authctxt)
413 if (do_exec(s, command) != 0) 413 if (do_exec(s, command) != 0)
414 packet_disconnect( 414 packet_disconnect(
415 "command execution failed"); 415 "command execution failed");
416 xfree(command); 416 free(command);
417 } else { 417 } else {
418 if (do_exec(s, NULL) != 0) 418 if (do_exec(s, NULL) != 0)
419 packet_disconnect( 419 packet_disconnect(
@@ -978,7 +978,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
978 break; 978 break;
979 if (env[i]) { 979 if (env[i]) {
980 /* Reuse the slot. */ 980 /* Reuse the slot. */
981 xfree(env[i]); 981 free(env[i]);
982 } else { 982 } else {
983 /* New variable. Expand if necessary. */ 983 /* New variable. Expand if necessary. */
984 envsize = *envsizep; 984 envsize = *envsizep;
@@ -1094,8 +1094,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
1094 umask((mode_t)mask); 1094 umask((mode_t)mask);
1095 1095
1096 for (i = 0; tmpenv[i] != NULL; i++) 1096 for (i = 0; tmpenv[i] != NULL; i++)
1097 xfree(tmpenv[i]); 1097 free(tmpenv[i]);
1098 xfree(tmpenv); 1098 free(tmpenv);
1099} 1099}
1100#endif /* HAVE_ETC_DEFAULT_LOGIN */ 1100#endif /* HAVE_ETC_DEFAULT_LOGIN */
1101 1101
@@ -1111,7 +1111,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
1111 for(i = 0; source[i] != NULL; i++) { 1111 for(i = 0; source[i] != NULL; i++) {
1112 var_name = xstrdup(source[i]); 1112 var_name = xstrdup(source[i]);
1113 if ((var_val = strstr(var_name, "=")) == NULL) { 1113 if ((var_val = strstr(var_name, "=")) == NULL) {
1114 xfree(var_name); 1114 free(var_name);
1115 continue; 1115 continue;
1116 } 1116 }
1117 *var_val++ = '\0'; 1117 *var_val++ = '\0';
@@ -1119,7 +1119,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
1119 debug3("Copy environment: %s=%s", var_name, var_val); 1119 debug3("Copy environment: %s=%s", var_name, var_val);
1120 child_set_env(env, envsize, var_name, var_val); 1120 child_set_env(env, envsize, var_name, var_val);
1121 1121
1122 xfree(var_name); 1122 free(var_name);
1123 } 1123 }
1124} 1124}
1125 1125
@@ -1223,8 +1223,8 @@ do_setup_env(Session *s, const char *shell)
1223 child_set_env(&env, &envsize, str, str + i + 1); 1223 child_set_env(&env, &envsize, str, str + i + 1);
1224 } 1224 }
1225 custom_environment = ce->next; 1225 custom_environment = ce->next;
1226 xfree(ce->s); 1226 free(ce->s);
1227 xfree(ce); 1227 free(ce);
1228 } 1228 }
1229 } 1229 }
1230 1230
@@ -1236,7 +1236,7 @@ do_setup_env(Session *s, const char *shell)
1236 laddr = get_local_ipaddr(packet_get_connection_in()); 1236 laddr = get_local_ipaddr(packet_get_connection_in());
1237 snprintf(buf, sizeof buf, "%.50s %d %.50s %d", 1237 snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
1238 get_remote_ipaddr(), get_remote_port(), laddr, get_local_port()); 1238 get_remote_ipaddr(), get_remote_port(), laddr, get_local_port());
1239 xfree(laddr); 1239 free(laddr);
1240 child_set_env(&env, &envsize, "SSH_CONNECTION", buf); 1240 child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
1241 1241
1242 if (s->ttyfd != -1) 1242 if (s->ttyfd != -1)
@@ -1412,7 +1412,7 @@ do_nologin(struct passwd *pw)
1412#endif 1412#endif
1413 if (stat(nl, &sb) == -1) { 1413 if (stat(nl, &sb) == -1) {
1414 if (nl != def_nl) 1414 if (nl != def_nl)
1415 xfree(nl); 1415 free(nl);
1416 return; 1416 return;
1417 } 1417 }
1418 1418
@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw, const char *role)
1522 safely_chroot(chroot_path, pw->pw_uid); 1522 safely_chroot(chroot_path, pw->pw_uid);
1523 free(tmp); 1523 free(tmp);
1524 free(chroot_path); 1524 free(chroot_path);
1525 /* Make sure we don't attempt to chroot again */
1526 free(options.chroot_directory);
1527 options.chroot_directory = NULL;
1525 } 1528 }
1526 1529
1527#ifdef HAVE_LOGIN_CAP 1530#ifdef HAVE_LOGIN_CAP
@@ -1538,6 +1541,9 @@ do_setusercontext(struct passwd *pw, const char *role)
1538 /* Permanently switch to the desired uid. */ 1541 /* Permanently switch to the desired uid. */
1539 permanently_set_uid(pw); 1542 permanently_set_uid(pw);
1540#endif 1543#endif
1544 } else if (options.chroot_directory != NULL &&
1545 strcasecmp(options.chroot_directory, "none") != 0) {
1546 fatal("server lacks privileges to chroot to ChrootDirectory");
1541 } 1547 }
1542 1548
1543 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) 1549 if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
@@ -1593,6 +1599,13 @@ launch_login(struct passwd *pw, const char *hostname)
1593static void 1599static void
1594child_close_fds(void) 1600child_close_fds(void)
1595{ 1601{
1602 extern AuthenticationConnection *auth_conn;
1603
1604 if (auth_conn) {
1605 ssh_close_authentication_connection(auth_conn);
1606 auth_conn = NULL;
1607 }
1608
1596 if (packet_get_connection_in() == packet_get_connection_out()) 1609 if (packet_get_connection_in() == packet_get_connection_out())
1597 close(packet_get_connection_in()); 1610 close(packet_get_connection_in());
1598 else { 1611 else {
@@ -2057,7 +2070,7 @@ session_pty_req(Session *s)
2057 s->ypixel = packet_get_int(); 2070 s->ypixel = packet_get_int();
2058 2071
2059 if (strcmp(s->term, "") == 0) { 2072 if (strcmp(s->term, "") == 0) {
2060 xfree(s->term); 2073 free(s->term);
2061 s->term = NULL; 2074 s->term = NULL;
2062 } 2075 }
2063 2076
@@ -2065,8 +2078,7 @@ session_pty_req(Session *s)
2065 debug("Allocating pty."); 2078 debug("Allocating pty.");
2066 if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, 2079 if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
2067 sizeof(s->tty)))) { 2080 sizeof(s->tty)))) {
2068 if (s->term) 2081 free(s->term);
2069 xfree(s->term);
2070 s->term = NULL; 2082 s->term = NULL;
2071 s->ptyfd = -1; 2083 s->ptyfd = -1;
2072 s->ttyfd = -1; 2084 s->ttyfd = -1;
@@ -2127,7 +2139,7 @@ session_subsystem_req(Session *s)
2127 logit("subsystem request for %.100s failed, subsystem not found", 2139 logit("subsystem request for %.100s failed, subsystem not found",
2128 subsys); 2140 subsys);
2129 2141
2130 xfree(subsys); 2142 free(subsys);
2131 return success; 2143 return success;
2132} 2144}
2133 2145
@@ -2149,8 +2161,8 @@ session_x11_req(Session *s)
2149 2161
2150 success = session_setup_x11fwd(s); 2162 success = session_setup_x11fwd(s);
2151 if (!success) { 2163 if (!success) {
2152 xfree(s->auth_proto); 2164 free(s->auth_proto);
2153 xfree(s->auth_data); 2165 free(s->auth_data);
2154 s->auth_proto = NULL; 2166 s->auth_proto = NULL;
2155 s->auth_data = NULL; 2167 s->auth_data = NULL;
2156 } 2168 }
@@ -2172,7 +2184,7 @@ session_exec_req(Session *s)
2172 char *command = packet_get_string(&len); 2184 char *command = packet_get_string(&len);
2173 packet_check_eom(); 2185 packet_check_eom();
2174 success = do_exec(s, command) == 0; 2186 success = do_exec(s, command) == 0;
2175 xfree(command); 2187 free(command);
2176 return success; 2188 return success;
2177} 2189}
2178 2190
@@ -2218,8 +2230,8 @@ session_env_req(Session *s)
2218 debug2("Ignoring env request %s: disallowed name", name); 2230 debug2("Ignoring env request %s: disallowed name", name);
2219 2231
2220 fail: 2232 fail:
2221 xfree(name); 2233 free(name);
2222 xfree(val); 2234 free(val);
2223 return (0); 2235 return (0);
2224} 2236}
2225 2237
@@ -2405,24 +2417,16 @@ session_close_single_x11(int id, void *arg)
2405 if (s->x11_chanids[i] != id) 2417 if (s->x11_chanids[i] != id)
2406 session_close_x11(s->x11_chanids[i]); 2418 session_close_x11(s->x11_chanids[i]);
2407 } 2419 }
2408 xfree(s->x11_chanids); 2420 free(s->x11_chanids);
2409 s->x11_chanids = NULL; 2421 s->x11_chanids = NULL;
2410 if (s->display) { 2422 free(s->display);
2411 xfree(s->display); 2423 s->display = NULL;
2412 s->display = NULL; 2424 free(s->auth_proto);
2413 } 2425 s->auth_proto = NULL;
2414 if (s->auth_proto) { 2426 free(s->auth_data);
2415 xfree(s->auth_proto); 2427 s->auth_data = NULL;
2416 s->auth_proto = NULL; 2428 free(s->auth_display);
2417 } 2429 s->auth_display = NULL;
2418 if (s->auth_data) {
2419 xfree(s->auth_data);
2420 s->auth_data = NULL;
2421 }
2422 if (s->auth_display) {
2423 xfree(s->auth_display);
2424 s->auth_display = NULL;
2425 }
2426} 2430}
2427 2431
2428static void 2432static void
@@ -2484,24 +2488,18 @@ session_close(Session *s)
2484 debug("session_close: session %d pid %ld", s->self, (long)s->pid); 2488 debug("session_close: session %d pid %ld", s->self, (long)s->pid);
2485 if (s->ttyfd != -1) 2489 if (s->ttyfd != -1)
2486 session_pty_cleanup(s); 2490 session_pty_cleanup(s);
2487 if (s->term) 2491 free(s->term);
2488 xfree(s->term); 2492 free(s->display);
2489 if (s->display) 2493 free(s->x11_chanids);
2490 xfree(s->display); 2494 free(s->auth_display);
2491 if (s->x11_chanids) 2495 free(s->auth_data);
2492 xfree(s->x11_chanids); 2496 free(s->auth_proto);
2493 if (s->auth_display)
2494 xfree(s->auth_display);
2495 if (s->auth_data)
2496 xfree(s->auth_data);
2497 if (s->auth_proto)
2498 xfree(s->auth_proto);
2499 if (s->env != NULL) { 2497 if (s->env != NULL) {
2500 for (i = 0; i < s->num_env; i++) { 2498 for (i = 0; i < s->num_env; i++) {
2501 xfree(s->env[i].name); 2499 free(s->env[i].name);
2502 xfree(s->env[i].val); 2500 free(s->env[i].val);
2503 } 2501 }
2504 xfree(s->env); 2502 free(s->env);
2505 } 2503 }
2506 session_proctitle(s); 2504 session_proctitle(s);
2507 session_unused(s->self); 2505 session_unused(s->self);
diff --git a/sftp-client.c b/sftp-client.c
index 85f2bd444..f4f1970b6 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-client.c,v 1.97 2012/07/02 12:13:26 dtucker Exp $ */ 1/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -112,7 +112,7 @@ send_msg(struct sftp_conn *conn, Buffer *m)
112 iov[1].iov_len = buffer_len(m); 112 iov[1].iov_len = buffer_len(m);
113 113
114 if (atomiciov6(writev, conn->fd_out, iov, 2, 114 if (atomiciov6(writev, conn->fd_out, iov, 2,
115 conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != 115 conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
116 buffer_len(m) + sizeof(mlen)) 116 buffer_len(m) + sizeof(mlen))
117 fatal("Couldn't send packet: %s", strerror(errno)); 117 fatal("Couldn't send packet: %s", strerror(errno));
118 118
@@ -394,8 +394,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests,
394 } else { 394 } else {
395 debug2("Unrecognised server extension \"%s\"", name); 395 debug2("Unrecognised server extension \"%s\"", name);
396 } 396 }
397 xfree(name); 397 free(name);
398 xfree(value); 398 free(value);
399 } 399 }
400 400
401 buffer_free(&msg); 401 buffer_free(&msg);
@@ -509,7 +509,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
509 error("Couldn't read directory: %s", 509 error("Couldn't read directory: %s",
510 fx2txt(status)); 510 fx2txt(status));
511 do_close(conn, handle, handle_len); 511 do_close(conn, handle, handle_len);
512 xfree(handle); 512 free(handle);
513 buffer_free(&msg); 513 buffer_free(&msg);
514 return(status); 514 return(status);
515 } 515 }
@@ -552,14 +552,14 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
552 (*dir)[++ents] = NULL; 552 (*dir)[++ents] = NULL;
553 } 553 }
554 next: 554 next:
555 xfree(filename); 555 free(filename);
556 xfree(longname); 556 free(longname);
557 } 557 }
558 } 558 }
559 559
560 buffer_free(&msg); 560 buffer_free(&msg);
561 do_close(conn, handle, handle_len); 561 do_close(conn, handle, handle_len);
562 xfree(handle); 562 free(handle);
563 563
564 /* Don't return partial matches on interrupt */ 564 /* Don't return partial matches on interrupt */
565 if (interrupted && dir != NULL && *dir != NULL) { 565 if (interrupted && dir != NULL && *dir != NULL) {
@@ -582,11 +582,11 @@ void free_sftp_dirents(SFTP_DIRENT **s)
582 int i; 582 int i;
583 583
584 for (i = 0; s[i]; i++) { 584 for (i = 0; s[i]; i++) {
585 xfree(s[i]->filename); 585 free(s[i]->filename);
586 xfree(s[i]->longname); 586 free(s[i]->longname);
587 xfree(s[i]); 587 free(s[i]);
588 } 588 }
589 xfree(s); 589 free(s);
590} 590}
591 591
592int 592int
@@ -760,7 +760,7 @@ do_realpath(struct sftp_conn *conn, char *path)
760 debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename, 760 debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename,
761 (unsigned long)a->size); 761 (unsigned long)a->size);
762 762
763 xfree(longname); 763 free(longname);
764 764
765 buffer_free(&msg); 765 buffer_free(&msg);
766 766
@@ -907,7 +907,7 @@ do_readlink(struct sftp_conn *conn, char *path)
907 907
908 debug3("SSH_FXP_READLINK %s -> %s", path, filename); 908 debug3("SSH_FXP_READLINK %s -> %s", path, filename);
909 909
910 xfree(longname); 910 free(longname);
911 911
912 buffer_free(&msg); 912 buffer_free(&msg);
913 913
@@ -988,16 +988,17 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
988 988
989int 989int
990do_download(struct sftp_conn *conn, char *remote_path, char *local_path, 990do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
991 Attrib *a, int pflag) 991 Attrib *a, int pflag, int resume)
992{ 992{
993 Attrib junk; 993 Attrib junk;
994 Buffer msg; 994 Buffer msg;
995 char *handle; 995 char *handle;
996 int local_fd, status = 0, write_error; 996 int local_fd = -1, status = 0, write_error;
997 int read_error, write_errno; 997 int read_error, write_errno, reordered = 0;
998 u_int64_t offset, size; 998 u_int64_t offset = 0, size, highwater;
999 u_int handle_len, mode, type, id, buflen, num_req, max_req; 999 u_int handle_len, mode, type, id, buflen, num_req, max_req;
1000 off_t progress_counter; 1000 off_t progress_counter;
1001 struct stat st;
1001 struct request { 1002 struct request {
1002 u_int id; 1003 u_int id;
1003 u_int len; 1004 u_int len;
@@ -1050,21 +1051,36 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1050 return(-1); 1051 return(-1);
1051 } 1052 }
1052 1053
1053 local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, 1054 local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? 0 : O_TRUNC),
1054 mode | S_IWRITE); 1055 mode | S_IWUSR);
1055 if (local_fd == -1) { 1056 if (local_fd == -1) {
1056 error("Couldn't open local file \"%s\" for writing: %s", 1057 error("Couldn't open local file \"%s\" for writing: %s",
1057 local_path, strerror(errno)); 1058 local_path, strerror(errno));
1058 do_close(conn, handle, handle_len); 1059 goto fail;
1059 buffer_free(&msg); 1060 }
1060 xfree(handle); 1061 offset = highwater = 0;
1061 return(-1); 1062 if (resume) {
1063 if (fstat(local_fd, &st) == -1) {
1064 error("Unable to stat local file \"%s\": %s",
1065 local_path, strerror(errno));
1066 goto fail;
1067 }
1068 if ((size_t)st.st_size > size) {
1069 error("Unable to resume download of \"%s\": "
1070 "local file is larger than remote", local_path);
1071 fail:
1072 do_close(conn, handle, handle_len);
1073 buffer_free(&msg);
1074 free(handle);
1075 return -1;
1076 }
1077 offset = highwater = st.st_size;
1062 } 1078 }
1063 1079
1064 /* Read from remote and write to local */ 1080 /* Read from remote and write to local */
1065 write_error = read_error = write_errno = num_req = offset = 0; 1081 write_error = read_error = write_errno = num_req = 0;
1066 max_req = 1; 1082 max_req = 1;
1067 progress_counter = 0; 1083 progress_counter = offset;
1068 1084
1069 if (showprogress && size != 0) 1085 if (showprogress && size != 0)
1070 start_progress_meter(remote_path, size, &progress_counter); 1086 start_progress_meter(remote_path, size, &progress_counter);
@@ -1121,7 +1137,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1121 read_error = 1; 1137 read_error = 1;
1122 max_req = 0; 1138 max_req = 0;
1123 TAILQ_REMOVE(&requests, req, tq); 1139 TAILQ_REMOVE(&requests, req, tq);
1124 xfree(req); 1140 free(req);
1125 num_req--; 1141 num_req--;
1126 break; 1142 break;
1127 case SSH2_FXP_DATA: 1143 case SSH2_FXP_DATA:
@@ -1139,12 +1155,16 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1139 write_error = 1; 1155 write_error = 1;
1140 max_req = 0; 1156 max_req = 0;
1141 } 1157 }
1158 else if (!reordered && req->offset <= highwater)
1159 highwater = req->offset + len;
1160 else if (!reordered && req->offset > highwater)
1161 reordered = 1;
1142 progress_counter += len; 1162 progress_counter += len;
1143 xfree(data); 1163 free(data);
1144 1164
1145 if (len == req->len) { 1165 if (len == req->len) {
1146 TAILQ_REMOVE(&requests, req, tq); 1166 TAILQ_REMOVE(&requests, req, tq);
1147 xfree(req); 1167 free(req);
1148 num_req--; 1168 num_req--;
1149 } else { 1169 } else {
1150 /* Resend the request for the missing data */ 1170 /* Resend the request for the missing data */
@@ -1187,7 +1207,15 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1187 /* Sanity check */ 1207 /* Sanity check */
1188 if (TAILQ_FIRST(&requests) != NULL) 1208 if (TAILQ_FIRST(&requests) != NULL)
1189 fatal("Transfer complete, but requests still in queue"); 1209 fatal("Transfer complete, but requests still in queue");
1190 1210 /* Truncate at highest contiguous point to avoid holes on interrupt */
1211 if (read_error || write_error || interrupted) {
1212 if (reordered && resume) {
1213 error("Unable to resume download of \"%s\": "
1214 "server reordered requests", local_path);
1215 }
1216 debug("truncating at %llu", (unsigned long long)highwater);
1217 ftruncate(local_fd, highwater);
1218 }
1191 if (read_error) { 1219 if (read_error) {
1192 error("Couldn't read from remote file \"%s\" : %s", 1220 error("Couldn't read from remote file \"%s\" : %s",
1193 remote_path, fx2txt(status)); 1221 remote_path, fx2txt(status));
@@ -1199,7 +1227,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1199 do_close(conn, handle, handle_len); 1227 do_close(conn, handle, handle_len);
1200 } else { 1228 } else {
1201 status = do_close(conn, handle, handle_len); 1229 status = do_close(conn, handle, handle_len);
1202 1230 if (interrupted)
1231 status = -1;
1203 /* Override umask and utimes if asked */ 1232 /* Override umask and utimes if asked */
1204#ifdef HAVE_FCHMOD 1233#ifdef HAVE_FCHMOD
1205 if (pflag && fchmod(local_fd, mode) == -1) 1234 if (pflag && fchmod(local_fd, mode) == -1)
@@ -1220,14 +1249,14 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1220 } 1249 }
1221 close(local_fd); 1250 close(local_fd);
1222 buffer_free(&msg); 1251 buffer_free(&msg);
1223 xfree(handle); 1252 free(handle);
1224 1253
1225 return(status); 1254 return(status);
1226} 1255}
1227 1256
1228static int 1257static int
1229download_dir_internal(struct sftp_conn *conn, char *src, char *dst, 1258download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1230 Attrib *dirattrib, int pflag, int printflag, int depth) 1259 Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
1231{ 1260{
1232 int i, ret = 0; 1261 int i, ret = 0;
1233 SFTP_DIRENT **dir_entries; 1262 SFTP_DIRENT **dir_entries;
@@ -1280,11 +1309,11 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1280 continue; 1309 continue;
1281 if (download_dir_internal(conn, new_src, new_dst, 1310 if (download_dir_internal(conn, new_src, new_dst,
1282 &(dir_entries[i]->a), pflag, printflag, 1311 &(dir_entries[i]->a), pflag, printflag,
1283 depth + 1) == -1) 1312 depth + 1, resume) == -1)
1284 ret = -1; 1313 ret = -1;
1285 } else if (S_ISREG(dir_entries[i]->a.perm) ) { 1314 } else if (S_ISREG(dir_entries[i]->a.perm) ) {
1286 if (do_download(conn, new_src, new_dst, 1315 if (do_download(conn, new_src, new_dst,
1287 &(dir_entries[i]->a), pflag) == -1) { 1316 &(dir_entries[i]->a), pflag, resume) == -1) {
1288 error("Download of file %s to %s failed", 1317 error("Download of file %s to %s failed",
1289 new_src, new_dst); 1318 new_src, new_dst);
1290 ret = -1; 1319 ret = -1;
@@ -1292,8 +1321,8 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1292 } else 1321 } else
1293 logit("%s: not a regular file\n", new_src); 1322 logit("%s: not a regular file\n", new_src);
1294 1323
1295 xfree(new_dst); 1324 free(new_dst);
1296 xfree(new_src); 1325 free(new_src);
1297 } 1326 }
1298 1327
1299 if (pflag) { 1328 if (pflag) {
@@ -1317,7 +1346,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1317 1346
1318int 1347int
1319download_dir(struct sftp_conn *conn, char *src, char *dst, 1348download_dir(struct sftp_conn *conn, char *src, char *dst,
1320 Attrib *dirattrib, int pflag, int printflag) 1349 Attrib *dirattrib, int pflag, int printflag, int resume)
1321{ 1350{
1322 char *src_canon; 1351 char *src_canon;
1323 int ret; 1352 int ret;
@@ -1328,8 +1357,8 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
1328 } 1357 }
1329 1358
1330 ret = download_dir_internal(conn, src_canon, dst, 1359 ret = download_dir_internal(conn, src_canon, dst,
1331 dirattrib, pflag, printflag, 0); 1360 dirattrib, pflag, printflag, 0, resume);
1332 xfree(src_canon); 1361 free(src_canon);
1333 return ret; 1362 return ret;
1334} 1363}
1335 1364
@@ -1340,7 +1369,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1340 int local_fd; 1369 int local_fd;
1341 int status = SSH2_FX_OK; 1370 int status = SSH2_FX_OK;
1342 u_int handle_len, id, type; 1371 u_int handle_len, id, type;
1343 off_t offset; 1372 off_t offset, progress_counter;
1344 char *handle, *data; 1373 char *handle, *data;
1345 Buffer msg; 1374 Buffer msg;
1346 struct stat sb; 1375 struct stat sb;
@@ -1408,9 +1437,10 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1408 data = xmalloc(conn->transfer_buflen); 1437 data = xmalloc(conn->transfer_buflen);
1409 1438
1410 /* Read from local and write to remote */ 1439 /* Read from local and write to remote */
1411 offset = 0; 1440 offset = progress_counter = 0;
1412 if (showprogress) 1441 if (showprogress)
1413 start_progress_meter(local_path, sb.st_size, &offset); 1442 start_progress_meter(local_path, sb.st_size,
1443 &progress_counter);
1414 1444
1415 for (;;) { 1445 for (;;) {
1416 int len; 1446 int len;
@@ -1481,7 +1511,8 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1481 debug3("In write loop, ack for %u %u bytes at %lld", 1511 debug3("In write loop, ack for %u %u bytes at %lld",
1482 ack->id, ack->len, (long long)ack->offset); 1512 ack->id, ack->len, (long long)ack->offset);
1483 ++ackid; 1513 ++ackid;
1484 xfree(ack); 1514 progress_counter += ack->len;
1515 free(ack);
1485 } 1516 }
1486 offset += len; 1517 offset += len;
1487 if (offset < 0) 1518 if (offset < 0)
@@ -1491,7 +1522,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1491 1522
1492 if (showprogress) 1523 if (showprogress)
1493 stop_progress_meter(); 1524 stop_progress_meter();
1494 xfree(data); 1525 free(data);
1495 1526
1496 if (status != SSH2_FX_OK) { 1527 if (status != SSH2_FX_OK) {
1497 error("Couldn't write to remote file \"%s\": %s", 1528 error("Couldn't write to remote file \"%s\": %s",
@@ -1511,7 +1542,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1511 1542
1512 if (do_close(conn, handle, handle_len) != SSH2_FX_OK) 1543 if (do_close(conn, handle, handle_len) != SSH2_FX_OK)
1513 status = -1; 1544 status = -1;
1514 xfree(handle); 1545 free(handle);
1515 1546
1516 return status; 1547 return status;
1517} 1548}
@@ -1551,7 +1582,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1551 a.perm &= 01777; 1582 a.perm &= 01777;
1552 if (!pflag) 1583 if (!pflag)
1553 a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; 1584 a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME;
1554 1585
1555 status = do_mkdir(conn, dst, &a, 0); 1586 status = do_mkdir(conn, dst, &a, 0);
1556 /* 1587 /*
1557 * we lack a portable status for errno EEXIST, 1588 * we lack a portable status for errno EEXIST,
@@ -1561,7 +1592,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1561 if (status != SSH2_FX_OK) { 1592 if (status != SSH2_FX_OK) {
1562 if (status != SSH2_FX_FAILURE) 1593 if (status != SSH2_FX_FAILURE)
1563 return -1; 1594 return -1;
1564 if (do_stat(conn, dst, 0) == NULL) 1595 if (do_stat(conn, dst, 0) == NULL)
1565 return -1; 1596 return -1;
1566 } 1597 }
1567 1598
@@ -1569,7 +1600,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1569 error("Failed to open dir \"%s\": %s", src, strerror(errno)); 1600 error("Failed to open dir \"%s\": %s", src, strerror(errno));
1570 return -1; 1601 return -1;
1571 } 1602 }
1572 1603
1573 while (((dp = readdir(dirp)) != NULL) && !interrupted) { 1604 while (((dp = readdir(dirp)) != NULL) && !interrupted) {
1574 if (dp->d_ino == 0) 1605 if (dp->d_ino == 0)
1575 continue; 1606 continue;
@@ -1597,8 +1628,8 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1597 } 1628 }
1598 } else 1629 } else
1599 logit("%s: not a regular file\n", filename); 1630 logit("%s: not a regular file\n", filename);
1600 xfree(new_dst); 1631 free(new_dst);
1601 xfree(new_src); 1632 free(new_src);
1602 } 1633 }
1603 1634
1604 do_setstat(conn, dst, &a); 1635 do_setstat(conn, dst, &a);
@@ -1620,7 +1651,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag,
1620 } 1651 }
1621 1652
1622 ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0); 1653 ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0);
1623 xfree(dst_canon); 1654 free(dst_canon);
1624 return ret; 1655 return ret;
1625} 1656}
1626 1657
diff --git a/sftp-client.h b/sftp-client.h
index aef54ef49..111a998c8 100644
--- a/sftp-client.h
+++ b/sftp-client.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-client.h,v 1.20 2010/12/04 00:18:01 djm Exp $ */ 1/* $OpenBSD: sftp-client.h,v 1.21 2013/07/25 00:56:51 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 4 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
@@ -106,13 +106,13 @@ int do_symlink(struct sftp_conn *, char *, char *);
106 * Download 'remote_path' to 'local_path'. Preserve permissions and times 106 * Download 'remote_path' to 'local_path'. Preserve permissions and times
107 * if 'pflag' is set 107 * if 'pflag' is set
108 */ 108 */
109int do_download(struct sftp_conn *, char *, char *, Attrib *, int); 109int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
110 110
111/* 111/*
112 * Recursively download 'remote_directory' to 'local_directory'. Preserve 112 * Recursively download 'remote_directory' to 'local_directory'. Preserve
113 * times if 'pflag' is set 113 * times if 'pflag' is set
114 */ 114 */
115int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int); 115int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
116 116
117/* 117/*
118 * Upload 'local_path' to 'remote_path'. Preserve permissions and times 118 * Upload 'local_path' to 'remote_path'. Preserve permissions and times
diff --git a/sftp-common.c b/sftp-common.c
index a042875c6..413efc209 100644
--- a/sftp-common.c
+++ b/sftp-common.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-common.c,v 1.23 2010/01/15 09:24:23 markus Exp $ */ 1/* $OpenBSD: sftp-common.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Damien Miller. All rights reserved. 4 * Copyright (c) 2001 Damien Miller. All rights reserved.
@@ -128,8 +128,8 @@ decode_attrib(Buffer *b)
128 type = buffer_get_string(b, NULL); 128 type = buffer_get_string(b, NULL);
129 data = buffer_get_string(b, NULL); 129 data = buffer_get_string(b, NULL);
130 debug3("Got file attribute \"%s\"", type); 130 debug3("Got file attribute \"%s\"", type);
131 xfree(type); 131 free(type);
132 xfree(data); 132 free(data);
133 } 133 }
134 } 134 }
135 return &a; 135 return &a;
diff --git a/sftp-glob.c b/sftp-glob.c
index 06bf157ca..79b7bdb2f 100644
--- a/sftp-glob.c
+++ b/sftp-glob.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */ 1/* $OpenBSD: sftp-glob.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -51,7 +51,7 @@ fudge_opendir(const char *path)
51 r = xmalloc(sizeof(*r)); 51 r = xmalloc(sizeof(*r));
52 52
53 if (do_readdir(cur.conn, (char *)path, &r->dir)) { 53 if (do_readdir(cur.conn, (char *)path, &r->dir)) {
54 xfree(r); 54 free(r);
55 return(NULL); 55 return(NULL);
56 } 56 }
57 57
@@ -103,7 +103,7 @@ static void
103fudge_closedir(struct SFTP_OPENDIR *od) 103fudge_closedir(struct SFTP_OPENDIR *od)
104{ 104{
105 free_sftp_dirents(od->dir); 105 free_sftp_dirents(od->dir);
106 xfree(od); 106 free(od);
107} 107}
108 108
109static int 109static int
diff --git a/sftp-server.0 b/sftp-server.0
index 6beddcc13..bca318b38 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -62,7 +62,7 @@ SEE ALSO
62 sftp(1), ssh(1), sshd_config(5), sshd(8) 62 sftp(1), ssh(1), sshd_config(5), sshd(8)
63 63
64 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, 64 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
65 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress 65 draft-ietf-secsh-filexfer-02.txt, October 2001, work in progress
66 material. 66 material.
67 67
68HISTORY 68HISTORY
@@ -71,4 +71,4 @@ HISTORY
71AUTHORS 71AUTHORS
72 Markus Friedl <markus@openbsd.org> 72 Markus Friedl <markus@openbsd.org>
73 73
74OpenBSD 5.3 January 4, 2013 OpenBSD 5.3 74OpenBSD 5.4 July 16, 2013 OpenBSD 5.4
diff --git a/sftp-server.8 b/sftp-server.8
index 2fd3df20c..cc925b96e 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ 1.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $
2.\" 2.\"
3.\" Copyright (c) 2000 Markus Friedl. All rights reserved. 3.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: January 4 2013 $ 25.Dd $Mdocdate: July 16 2013 $
26.Dt SFTP-SERVER 8 26.Dt SFTP-SERVER 8
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -124,8 +124,8 @@ establish a logging socket inside the chroot directory.
124.%A T. Ylonen 124.%A T. Ylonen
125.%A S. Lehtinen 125.%A S. Lehtinen
126.%T "SSH File Transfer Protocol" 126.%T "SSH File Transfer Protocol"
127.%N draft-ietf-secsh-filexfer-00.txt 127.%N draft-ietf-secsh-filexfer-02.txt
128.%D January 2001 128.%D October 2001
129.%O work in progress material 129.%O work in progress material
130.Re 130.Re
131.Sh HISTORY 131.Sh HISTORY
@@ -133,4 +133,4 @@ establish a logging socket inside the chroot directory.
133first appeared in 133first appeared in
134.Ox 2.8 . 134.Ox 2.8 .
135.Sh AUTHORS 135.Sh AUTHORS
136.An Markus Friedl Aq markus@openbsd.org 136.An Markus Friedl Aq Mt markus@openbsd.org
diff --git a/sftp-server.c b/sftp-server.c
index cce074a56..285f21aaf 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ 1/* $OpenBSD: sftp-server.c,v 1.97 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
4 * 4 *
@@ -319,11 +319,11 @@ handle_close(int handle)
319 319
320 if (handle_is_ok(handle, HANDLE_FILE)) { 320 if (handle_is_ok(handle, HANDLE_FILE)) {
321 ret = close(handles[handle].fd); 321 ret = close(handles[handle].fd);
322 xfree(handles[handle].name); 322 free(handles[handle].name);
323 handle_unused(handle); 323 handle_unused(handle);
324 } else if (handle_is_ok(handle, HANDLE_DIR)) { 324 } else if (handle_is_ok(handle, HANDLE_DIR)) {
325 ret = closedir(handles[handle].dirp); 325 ret = closedir(handles[handle].dirp);
326 xfree(handles[handle].name); 326 free(handles[handle].name);
327 handle_unused(handle); 327 handle_unused(handle);
328 } else { 328 } else {
329 errno = ENOENT; 329 errno = ENOENT;
@@ -367,7 +367,7 @@ get_handle(void)
367 handle = get_string(&hlen); 367 handle = get_string(&hlen);
368 if (hlen < 256) 368 if (hlen < 256)
369 val = handle_from_string(handle, hlen); 369 val = handle_from_string(handle, hlen);
370 xfree(handle); 370 free(handle);
371 return val; 371 return val;
372} 372}
373 373
@@ -450,7 +450,7 @@ send_handle(u_int32_t id, int handle)
450 handle_to_string(handle, &string, &hlen); 450 handle_to_string(handle, &string, &hlen);
451 debug("request %u: sent handle handle %d", id, handle); 451 debug("request %u: sent handle handle %d", id, handle);
452 send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); 452 send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen);
453 xfree(string); 453 free(string);
454} 454}
455 455
456static void 456static void
@@ -578,7 +578,7 @@ process_open(void)
578 } 578 }
579 if (status != SSH2_FX_OK) 579 if (status != SSH2_FX_OK)
580 send_status(id, status); 580 send_status(id, status);
581 xfree(name); 581 free(name);
582} 582}
583 583
584static void 584static void
@@ -679,7 +679,7 @@ process_write(void)
679 } 679 }
680 } 680 }
681 send_status(id, status); 681 send_status(id, status);
682 xfree(data); 682 free(data);
683} 683}
684 684
685static void 685static void
@@ -705,7 +705,7 @@ process_do_stat(int do_lstat)
705 } 705 }
706 if (status != SSH2_FX_OK) 706 if (status != SSH2_FX_OK)
707 send_status(id, status); 707 send_status(id, status);
708 xfree(name); 708 free(name);
709} 709}
710 710
711static void 711static void
@@ -807,7 +807,7 @@ process_setstat(void)
807 status = errno_to_portable(errno); 807 status = errno_to_portable(errno);
808 } 808 }
809 send_status(id, status); 809 send_status(id, status);
810 xfree(name); 810 free(name);
811} 811}
812 812
813static void 813static void
@@ -904,7 +904,7 @@ process_opendir(void)
904 } 904 }
905 if (status != SSH2_FX_OK) 905 if (status != SSH2_FX_OK)
906 send_status(id, status); 906 send_status(id, status);
907 xfree(path); 907 free(path);
908} 908}
909 909
910static void 910static void
@@ -953,13 +953,13 @@ process_readdir(void)
953 if (count > 0) { 953 if (count > 0) {
954 send_names(id, count, stats); 954 send_names(id, count, stats);
955 for (i = 0; i < count; i++) { 955 for (i = 0; i < count; i++) {
956 xfree(stats[i].name); 956 free(stats[i].name);
957 xfree(stats[i].long_name); 957 free(stats[i].long_name);
958 } 958 }
959 } else { 959 } else {
960 send_status(id, SSH2_FX_EOF); 960 send_status(id, SSH2_FX_EOF);
961 } 961 }
962 xfree(stats); 962 free(stats);
963 } 963 }
964} 964}
965 965
@@ -982,7 +982,7 @@ process_remove(void)
982 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 982 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
983 } 983 }
984 send_status(id, status); 984 send_status(id, status);
985 xfree(name); 985 free(name);
986} 986}
987 987
988static void 988static void
@@ -1007,7 +1007,7 @@ process_mkdir(void)
1007 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1007 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1008 } 1008 }
1009 send_status(id, status); 1009 send_status(id, status);
1010 xfree(name); 1010 free(name);
1011} 1011}
1012 1012
1013static void 1013static void
@@ -1028,7 +1028,7 @@ process_rmdir(void)
1028 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1028 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1029 } 1029 }
1030 send_status(id, status); 1030 send_status(id, status);
1031 xfree(name); 1031 free(name);
1032} 1032}
1033 1033
1034static void 1034static void
@@ -1041,7 +1041,7 @@ process_realpath(void)
1041 id = get_int(); 1041 id = get_int();
1042 path = get_string(NULL); 1042 path = get_string(NULL);
1043 if (path[0] == '\0') { 1043 if (path[0] == '\0') {
1044 xfree(path); 1044 free(path);
1045 path = xstrdup("."); 1045 path = xstrdup(".");
1046 } 1046 }
1047 debug3("request %u: realpath", id); 1047 debug3("request %u: realpath", id);
@@ -1054,7 +1054,7 @@ process_realpath(void)
1054 s.name = s.long_name = resolvedname; 1054 s.name = s.long_name = resolvedname;
1055 send_names(id, 1, &s); 1055 send_names(id, 1, &s);
1056 } 1056 }
1057 xfree(path); 1057 free(path);
1058} 1058}
1059 1059
1060static void 1060static void
@@ -1115,8 +1115,8 @@ process_rename(void)
1115 status = SSH2_FX_OK; 1115 status = SSH2_FX_OK;
1116 } 1116 }
1117 send_status(id, status); 1117 send_status(id, status);
1118 xfree(oldpath); 1118 free(oldpath);
1119 xfree(newpath); 1119 free(newpath);
1120} 1120}
1121 1121
1122static void 1122static void
@@ -1141,7 +1141,7 @@ process_readlink(void)
1141 s.name = s.long_name = buf; 1141 s.name = s.long_name = buf;
1142 send_names(id, 1, &s); 1142 send_names(id, 1, &s);
1143 } 1143 }
1144 xfree(path); 1144 free(path);
1145} 1145}
1146 1146
1147static void 1147static void
@@ -1164,8 +1164,8 @@ process_symlink(void)
1164 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1164 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1165 } 1165 }
1166 send_status(id, status); 1166 send_status(id, status);
1167 xfree(oldpath); 1167 free(oldpath);
1168 xfree(newpath); 1168 free(newpath);
1169} 1169}
1170 1170
1171static void 1171static void
@@ -1185,8 +1185,8 @@ process_extended_posix_rename(u_int32_t id)
1185 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1185 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1186 } 1186 }
1187 send_status(id, status); 1187 send_status(id, status);
1188 xfree(oldpath); 1188 free(oldpath);
1189 xfree(newpath); 1189 free(newpath);
1190} 1190}
1191 1191
1192static void 1192static void
@@ -1203,7 +1203,7 @@ process_extended_statvfs(u_int32_t id)
1203 send_status(id, errno_to_portable(errno)); 1203 send_status(id, errno_to_portable(errno));
1204 else 1204 else
1205 send_statvfs(id, &st); 1205 send_statvfs(id, &st);
1206 xfree(path); 1206 free(path);
1207} 1207}
1208 1208
1209static void 1209static void
@@ -1242,8 +1242,8 @@ process_extended_hardlink(u_int32_t id)
1242 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1242 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1243 } 1243 }
1244 send_status(id, status); 1244 send_status(id, status);
1245 xfree(oldpath); 1245 free(oldpath);
1246 xfree(newpath); 1246 free(newpath);
1247} 1247}
1248 1248
1249static void 1249static void
@@ -1264,7 +1264,7 @@ process_extended(void)
1264 process_extended_hardlink(id); 1264 process_extended_hardlink(id);
1265 else 1265 else
1266 send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ 1266 send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */
1267 xfree(request); 1267 free(request);
1268} 1268}
1269 1269
1270/* stolen from ssh-agent */ 1270/* stolen from ssh-agent */
diff --git a/sftp.0 b/sftp.0
index dd1da5241..c5fa17892 100644
--- a/sftp.0
+++ b/sftp.0
@@ -55,10 +55,10 @@ DESCRIPTION
55 used in conjunction with non-interactive authentication. A 55 used in conjunction with non-interactive authentication. A
56 batchfile of `-' may be used to indicate standard input. sftp 56 batchfile of `-' may be used to indicate standard input. sftp
57 will abort if any of the following commands fail: get, put, 57 will abort if any of the following commands fail: get, put,
58 rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp, 58 reget, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown,
59 lpwd, df, symlink, and lmkdir. Termination on error can be 59 chgrp, lpwd, df, symlink, and lmkdir. Termination on error can
60 suppressed on a command by command basis by prefixing the command 60 be suppressed on a command by command basis by prefixing the
61 with a `-' character (for example, -rm /tmp/blah*). 61 command with a `-' character (for example, -rm /tmp/blah*).
62 62
63 -C Enables compression (via ssh's -C flag). 63 -C Enables compression (via ssh's -C flag).
64 64
@@ -209,7 +209,7 @@ INTERACTIVE COMMANDS
209 209
210 exit Quit sftp. 210 exit Quit sftp.
211 211
212 get [-Ppr] remote-path [local-path] 212 get [-aPpr] remote-path [local-path]
213 Retrieve the remote-path and store it on the local machine. If 213 Retrieve the remote-path and store it on the local machine. If
214 the local path name is not specified, it is given the same name 214 the local path name is not specified, it is given the same name
215 it has on the remote machine. remote-path may contain glob(3) 215 it has on the remote machine. remote-path may contain glob(3)
@@ -217,6 +217,12 @@ INTERACTIVE COMMANDS
217 local-path is specified, then local-path must specify a 217 local-path is specified, then local-path must specify a
218 directory. 218 directory.
219 219
220 If the -a flag is specified, then attempt to resume partial
221 transfers of existing files. Note that resumption assumes that
222 any partial copy of the local file matches the remote copy. If
223 the remote file differs from the partial local copy then the
224 resultant file is likely to be corrupt.
225
220 If either the -P or -p flag is specified, then full file 226 If either the -P or -p flag is specified, then full file
221 permissions and access times are copied too. 227 permissions and access times are copied too.
222 228
@@ -306,6 +312,10 @@ INTERACTIVE COMMANDS
306 312
307 quit Quit sftp. 313 quit Quit sftp.
308 314
315 reget [-Ppr] remote-path [local-path]
316 Resume download of remote-path. Equivalent to get with the -a
317 flag set.
318
309 rename oldpath newpath 319 rename oldpath newpath
310 Rename remote file from oldpath to newpath. 320 Rename remote file from oldpath to newpath.
311 321
@@ -336,4 +346,4 @@ SEE ALSO
336 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress 346 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
337 material. 347 material.
338 348
339OpenBSD 5.3 September 5, 2011 OpenBSD 5.3 349OpenBSD 5.4 July 25, 2013 OpenBSD 5.4
diff --git a/sftp.1 b/sftp.1
index bcb472144..2577fe875 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $ 1.\" $OpenBSD: sftp.1,v 1.92 2013/07/25 00:56:51 djm Exp $
2.\" 2.\"
3.\" Copyright (c) 2001 Damien Miller. All rights reserved. 3.\" Copyright (c) 2001 Damien Miller. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: September 5 2011 $ 25.Dd $Mdocdate: July 25 2013 $
26.Dt SFTP 1 26.Dt SFTP 1
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -129,7 +129,7 @@ may be used to indicate standard input.
129.Nm 129.Nm
130will abort if any of the following 130will abort if any of the following
131commands fail: 131commands fail:
132.Ic get , put , rename , ln , 132.Ic get , put , reget , rename , ln ,
133.Ic rm , mkdir , chdir , ls , 133.Ic rm , mkdir , chdir , ls ,
134.Ic lchdir , chmod , chown , 134.Ic lchdir , chmod , chown ,
135.Ic chgrp , lpwd , df , symlink , 135.Ic chgrp , lpwd , df , symlink ,
@@ -343,7 +343,7 @@ extension.
343Quit 343Quit
344.Nm sftp . 344.Nm sftp .
345.It Xo Ic get 345.It Xo Ic get
346.Op Fl Ppr 346.Op Fl aPpr
347.Ar remote-path 347.Ar remote-path
348.Op Ar local-path 348.Op Ar local-path
349.Xc 349.Xc
@@ -363,6 +363,14 @@ is specified, then
363.Ar local-path 363.Ar local-path
364must specify a directory. 364must specify a directory.
365.Pp 365.Pp
366If the
367.Fl a
368flag is specified, then attempt to resume partial transfers of existing files.
369Note that resumption assumes that any partial copy of the local file matches
370the remote copy.
371If the remote file differs from the partial local copy then the resultant file
372is likely to be corrupt.
373.Pp
366If either the 374If either the
367.Fl P 375.Fl P
368or 376or
@@ -503,6 +511,18 @@ Display remote working directory.
503.It Ic quit 511.It Ic quit
504Quit 512Quit
505.Nm sftp . 513.Nm sftp .
514.It Xo Ic reget
515.Op Fl Ppr
516.Ar remote-path
517.Op Ar local-path
518.Xc
519Resume download of
520.Ar remote-path .
521Equivalent to
522.Ic get
523with the
524.Fl a
525flag set.
506.It Ic rename Ar oldpath Ar newpath 526.It Ic rename Ar oldpath Ar newpath
507Rename remote file from 527Rename remote file from
508.Ar oldpath 528.Ar oldpath
diff --git a/sftp.c b/sftp.c
index 342ae7efc..969328de4 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ 1/* $OpenBSD: sftp.c,v 1.148 2013/07/25 00:56:52 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -38,6 +38,9 @@
38#ifdef HAVE_LIBGEN_H 38#ifdef HAVE_LIBGEN_H
39#include <libgen.h> 39#include <libgen.h>
40#endif 40#endif
41#ifdef HAVE_LOCALE_H
42# include <locale.h>
43#endif
41#ifdef USE_LIBEDIT 44#ifdef USE_LIBEDIT
42#include <histedit.h> 45#include <histedit.h>
43#else 46#else
@@ -76,12 +79,18 @@ int batchmode = 0;
76/* PID of ssh transport process */ 79/* PID of ssh transport process */
77static pid_t sshpid = -1; 80static pid_t sshpid = -1;
78 81
82/* Suppress diagnositic messages */
83int quiet = 0;
84
79/* This is set to 0 if the progressmeter is not desired. */ 85/* This is set to 0 if the progressmeter is not desired. */
80int showprogress = 1; 86int showprogress = 1;
81 87
82/* When this option is set, we always recursively download/upload directories */ 88/* When this option is set, we always recursively download/upload directories */
83int global_rflag = 0; 89int global_rflag = 0;
84 90
91/* When this option is set, we resume download if possible */
92int global_aflag = 0;
93
85/* When this option is set, the file transfers will always preserve times */ 94/* When this option is set, the file transfers will always preserve times */
86int global_pflag = 0; 95int global_pflag = 0;
87 96
@@ -145,6 +154,7 @@ extern char *__progname;
145#define I_SYMLINK 21 154#define I_SYMLINK 21
146#define I_VERSION 22 155#define I_VERSION 22
147#define I_PROGRESS 23 156#define I_PROGRESS 23
157#define I_REGET 26
148 158
149struct CMD { 159struct CMD {
150 const char *c; 160 const char *c;
@@ -184,6 +194,7 @@ static const struct CMD cmds[] = {
184 { "put", I_PUT, LOCAL }, 194 { "put", I_PUT, LOCAL },
185 { "pwd", I_PWD, REMOTE }, 195 { "pwd", I_PWD, REMOTE },
186 { "quit", I_QUIT, NOARGS }, 196 { "quit", I_QUIT, NOARGS },
197 { "reget", I_REGET, REMOTE },
187 { "rename", I_RENAME, REMOTE }, 198 { "rename", I_RENAME, REMOTE },
188 { "rm", I_RM, REMOTE }, 199 { "rm", I_RM, REMOTE },
189 { "rmdir", I_RMDIR, REMOTE }, 200 { "rmdir", I_RMDIR, REMOTE },
@@ -215,7 +226,7 @@ cmd_interrupt(int signo)
215 const char msg[] = "\rInterrupt \n"; 226 const char msg[] = "\rInterrupt \n";
216 int olderrno = errno; 227 int olderrno = errno;
217 228
218 write(STDERR_FILENO, msg, sizeof(msg) - 1); 229 (void)write(STDERR_FILENO, msg, sizeof(msg) - 1);
219 interrupted = 1; 230 interrupted = 1;
220 errno = olderrno; 231 errno = olderrno;
221} 232}
@@ -233,6 +244,7 @@ help(void)
233 " filesystem containing 'path'\n" 244 " filesystem containing 'path'\n"
234 "exit Quit sftp\n" 245 "exit Quit sftp\n"
235 "get [-Ppr] remote [local] Download file\n" 246 "get [-Ppr] remote [local] Download file\n"
247 "reget remote [local] Resume download file\n"
236 "help Display this help text\n" 248 "help Display this help text\n"
237 "lcd path Change local directory to 'path'\n" 249 "lcd path Change local directory to 'path'\n"
238 "lls [ls-options [path]] Display local directory listing\n" 250 "lls [ls-options [path]] Display local directory listing\n"
@@ -306,7 +318,7 @@ local_do_ls(const char *args)
306 /* XXX: quoting - rip quoting code from ftp? */ 318 /* XXX: quoting - rip quoting code from ftp? */
307 snprintf(buf, len, _PATH_LS " %s", args); 319 snprintf(buf, len, _PATH_LS " %s", args);
308 local_do_shell(buf); 320 local_do_shell(buf);
309 xfree(buf); 321 free(buf);
310 } 322 }
311} 323}
312 324
@@ -337,15 +349,15 @@ make_absolute(char *p, char *pwd)
337 /* Derelativise */ 349 /* Derelativise */
338 if (p && p[0] != '/') { 350 if (p && p[0] != '/') {
339 abs_str = path_append(pwd, p); 351 abs_str = path_append(pwd, p);
340 xfree(p); 352 free(p);
341 return(abs_str); 353 return(abs_str);
342 } else 354 } else
343 return(p); 355 return(p);
344} 356}
345 357
346static int 358static int
347parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, 359parse_getput_flags(const char *cmd, char **argv, int argc,
348 int *rflag) 360 int *aflag, int *pflag, int *rflag)
349{ 361{
350 extern int opterr, optind, optopt, optreset; 362 extern int opterr, optind, optopt, optreset;
351 int ch; 363 int ch;
@@ -353,9 +365,12 @@ parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag,
353 optind = optreset = 1; 365 optind = optreset = 1;
354 opterr = 0; 366 opterr = 0;
355 367
356 *rflag = *pflag = 0; 368 *aflag = *rflag = *pflag = 0;
357 while ((ch = getopt(argc, argv, "PpRr")) != -1) { 369 while ((ch = getopt(argc, argv, "aPpRr")) != -1) {
358 switch (ch) { 370 switch (ch) {
371 case 'a':
372 *aflag = 1;
373 break;
359 case 'p': 374 case 'p':
360 case 'P': 375 case 'P':
361 *pflag = 1; 376 *pflag = 1;
@@ -513,7 +528,7 @@ pathname_is_dir(char *pathname)
513 528
514static int 529static int
515process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, 530process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
516 int pflag, int rflag) 531 int pflag, int rflag, int resume)
517{ 532{
518 char *abs_src = NULL; 533 char *abs_src = NULL;
519 char *abs_dst = NULL; 534 char *abs_dst = NULL;
@@ -547,7 +562,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
547 tmp = xstrdup(g.gl_pathv[i]); 562 tmp = xstrdup(g.gl_pathv[i]);
548 if ((filename = basename(tmp)) == NULL) { 563 if ((filename = basename(tmp)) == NULL) {
549 error("basename %s: %s", tmp, strerror(errno)); 564 error("basename %s: %s", tmp, strerror(errno));
550 xfree(tmp); 565 free(tmp);
551 err = -1; 566 err = -1;
552 goto out; 567 goto out;
553 } 568 }
@@ -563,24 +578,28 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
563 } else { 578 } else {
564 abs_dst = xstrdup(filename); 579 abs_dst = xstrdup(filename);
565 } 580 }
566 xfree(tmp); 581 free(tmp);
567 582
568 printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); 583 resume |= global_aflag;
584 if (!quiet && resume)
585 printf("Resuming %s to %s\n", g.gl_pathv[i], abs_dst);
586 else if (!quiet && !resume)
587 printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
569 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { 588 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
570 if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, 589 if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL,
571 pflag || global_pflag, 1) == -1) 590 pflag || global_pflag, 1, resume) == -1)
572 err = -1; 591 err = -1;
573 } else { 592 } else {
574 if (do_download(conn, g.gl_pathv[i], abs_dst, NULL, 593 if (do_download(conn, g.gl_pathv[i], abs_dst, NULL,
575 pflag || global_pflag) == -1) 594 pflag || global_pflag, resume) == -1)
576 err = -1; 595 err = -1;
577 } 596 }
578 xfree(abs_dst); 597 free(abs_dst);
579 abs_dst = NULL; 598 abs_dst = NULL;
580 } 599 }
581 600
582out: 601out:
583 xfree(abs_src); 602 free(abs_src);
584 globfree(&g); 603 globfree(&g);
585 return(err); 604 return(err);
586} 605}
@@ -632,7 +651,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
632 tmp = xstrdup(g.gl_pathv[i]); 651 tmp = xstrdup(g.gl_pathv[i]);
633 if ((filename = basename(tmp)) == NULL) { 652 if ((filename = basename(tmp)) == NULL) {
634 error("basename %s: %s", tmp, strerror(errno)); 653 error("basename %s: %s", tmp, strerror(errno));
635 xfree(tmp); 654 free(tmp);
636 err = -1; 655 err = -1;
637 goto out; 656 goto out;
638 } 657 }
@@ -648,9 +667,10 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
648 } else { 667 } else {
649 abs_dst = make_absolute(xstrdup(filename), pwd); 668 abs_dst = make_absolute(xstrdup(filename), pwd);
650 } 669 }
651 xfree(tmp); 670 free(tmp);
652 671
653 printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); 672 if (!quiet)
673 printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst);
654 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { 674 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
655 if (upload_dir(conn, g.gl_pathv[i], abs_dst, 675 if (upload_dir(conn, g.gl_pathv[i], abs_dst,
656 pflag || global_pflag, 1) == -1) 676 pflag || global_pflag, 1) == -1)
@@ -663,10 +683,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
663 } 683 }
664 684
665out: 685out:
666 if (abs_dst) 686 free(abs_dst);
667 xfree(abs_dst); 687 free(tmp_dst);
668 if (tmp_dst)
669 xfree(tmp_dst);
670 globfree(&g); 688 globfree(&g);
671 return(err); 689 return(err);
672} 690}
@@ -714,7 +732,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
714 /* Add any subpath that also needs to be counted */ 732 /* Add any subpath that also needs to be counted */
715 tmp = path_strip(path, strip_path); 733 tmp = path_strip(path, strip_path);
716 m += strlen(tmp); 734 m += strlen(tmp);
717 xfree(tmp); 735 free(tmp);
718 736
719 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) 737 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
720 width = ws.ws_col; 738 width = ws.ws_col;
@@ -740,7 +758,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
740 758
741 tmp = path_append(path, d[n]->filename); 759 tmp = path_append(path, d[n]->filename);
742 fname = path_strip(tmp, strip_path); 760 fname = path_strip(tmp, strip_path);
743 xfree(tmp); 761 free(tmp);
744 762
745 if (lflag & LS_LONG_VIEW) { 763 if (lflag & LS_LONG_VIEW) {
746 if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) { 764 if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) {
@@ -752,7 +770,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
752 lname = ls_file(fname, &sb, 1, 770 lname = ls_file(fname, &sb, 1,
753 (lflag & LS_SI_UNITS)); 771 (lflag & LS_SI_UNITS));
754 printf("%s\n", lname); 772 printf("%s\n", lname);
755 xfree(lname); 773 free(lname);
756 } else 774 } else
757 printf("%s\n", d[n]->longname); 775 printf("%s\n", d[n]->longname);
758 } else { 776 } else {
@@ -764,7 +782,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
764 c++; 782 c++;
765 } 783 }
766 784
767 xfree(fname); 785 free(fname);
768 } 786 }
769 787
770 if (!(lflag & LS_LONG_VIEW) && (c != 1)) 788 if (!(lflag & LS_LONG_VIEW) && (c != 1))
@@ -834,7 +852,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
834 lname = ls_file(fname, g.gl_statv[i], 1, 852 lname = ls_file(fname, g.gl_statv[i], 1,
835 (lflag & LS_SI_UNITS)); 853 (lflag & LS_SI_UNITS));
836 printf("%s\n", lname); 854 printf("%s\n", lname);
837 xfree(lname); 855 free(lname);
838 } else { 856 } else {
839 printf("%-*s", colspace, fname); 857 printf("%-*s", colspace, fname);
840 if (c >= columns) { 858 if (c >= columns) {
@@ -843,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
843 } else 861 } else
844 c++; 862 c++;
845 } 863 }
846 xfree(fname); 864 free(fname);
847 } 865 }
848 866
849 if (!(lflag & LS_LONG_VIEW) && (c != 1)) 867 if (!(lflag & LS_LONG_VIEW) && (c != 1))
@@ -1112,8 +1130,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
1112} 1130}
1113 1131
1114static int 1132static int
1115parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, 1133parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag,
1116 int *hflag, int *sflag, unsigned long *n_arg, char **path1, char **path2) 1134 int *pflag, int *rflag, int *sflag, unsigned long *n_arg,
1135 char **path1, char **path2)
1117{ 1136{
1118 const char *cmd, *cp = *cpp; 1137 const char *cmd, *cp = *cpp;
1119 char *cp2, **argv; 1138 char *cp2, **argv;
@@ -1157,14 +1176,15 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag,
1157 } 1176 }
1158 1177
1159 /* Get arguments and parse flags */ 1178 /* Get arguments and parse flags */
1160 *lflag = *pflag = *rflag = *hflag = *n_arg = 0; 1179 *aflag = *lflag = *pflag = *rflag = *hflag = *n_arg = 0;
1161 *path1 = *path2 = NULL; 1180 *path1 = *path2 = NULL;
1162 optidx = 1; 1181 optidx = 1;
1163 switch (cmdnum) { 1182 switch (cmdnum) {
1164 case I_GET: 1183 case I_GET:
1184 case I_REGET:
1165 case I_PUT: 1185 case I_PUT:
1166 if ((optidx = parse_getput_flags(cmd, argv, argc, 1186 if ((optidx = parse_getput_flags(cmd, argv, argc,
1167 pflag, rflag)) == -1) 1187 aflag, pflag, rflag)) == -1)
1168 return -1; 1188 return -1;
1169 /* Get first pathname (mandatory) */ 1189 /* Get first pathname (mandatory) */
1170 if (argc - optidx < 1) { 1190 if (argc - optidx < 1) {
@@ -1179,6 +1199,11 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag,
1179 /* Destination is not globbed */ 1199 /* Destination is not globbed */
1180 undo_glob_escape(*path2); 1200 undo_glob_escape(*path2);
1181 } 1201 }
1202 if (*aflag && cmdnum == I_PUT) {
1203 /* XXX implement resume for uploads */
1204 error("Resume is not supported for uploads");
1205 return -1;
1206 }
1182 break; 1207 break;
1183 case I_LINK: 1208 case I_LINK:
1184 if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) 1209 if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1)
@@ -1287,7 +1312,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1287 int err_abort) 1312 int err_abort)
1288{ 1313{
1289 char *path1, *path2, *tmp; 1314 char *path1, *path2, *tmp;
1290 int pflag = 0, rflag = 0, lflag = 0, iflag = 0, hflag = 0, sflag = 0; 1315 int aflag = 0, hflag = 0, iflag = 0, lflag = 0, pflag = 0;
1316 int rflag = 0, sflag = 0;
1291 int cmdnum, i; 1317 int cmdnum, i;
1292 unsigned long n_arg = 0; 1318 unsigned long n_arg = 0;
1293 Attrib a, *aa; 1319 Attrib a, *aa;
@@ -1296,9 +1322,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1296 glob_t g; 1322 glob_t g;
1297 1323
1298 path1 = path2 = NULL; 1324 path1 = path2 = NULL;
1299 cmdnum = parse_args(&cmd, &pflag, &rflag, &lflag, &iflag, &hflag, 1325 cmdnum = parse_args(&cmd, &aflag, &hflag, &iflag, &lflag, &pflag,
1300 &sflag, &n_arg, &path1, &path2); 1326 &rflag, &sflag, &n_arg, &path1, &path2);
1301
1302 if (iflag != 0) 1327 if (iflag != 0)
1303 err_abort = 0; 1328 err_abort = 0;
1304 1329
@@ -1313,8 +1338,12 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1313 /* Unrecognized command */ 1338 /* Unrecognized command */
1314 err = -1; 1339 err = -1;
1315 break; 1340 break;
1341 case I_REGET:
1342 aflag = 1;
1343 /* FALLTHROUGH */
1316 case I_GET: 1344 case I_GET:
1317 err = process_get(conn, path1, path2, *pwd, pflag, rflag); 1345 err = process_get(conn, path1, path2, *pwd, pflag,
1346 rflag, aflag);
1318 break; 1347 break;
1319 case I_PUT: 1348 case I_PUT:
1320 err = process_put(conn, path1, path2, *pwd, pflag, rflag); 1349 err = process_put(conn, path1, path2, *pwd, pflag, rflag);
@@ -1335,7 +1364,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1335 path1 = make_absolute(path1, *pwd); 1364 path1 = make_absolute(path1, *pwd);
1336 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); 1365 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
1337 for (i = 0; g.gl_pathv[i] && !interrupted; i++) { 1366 for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
1338 printf("Removing %s\n", g.gl_pathv[i]); 1367 if (!quiet)
1368 printf("Removing %s\n", g.gl_pathv[i]);
1339 err = do_rm(conn, g.gl_pathv[i]); 1369 err = do_rm(conn, g.gl_pathv[i]);
1340 if (err != 0 && err_abort) 1370 if (err != 0 && err_abort)
1341 break; 1371 break;
@@ -1359,24 +1389,24 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1359 break; 1389 break;
1360 } 1390 }
1361 if ((aa = do_stat(conn, tmp, 0)) == NULL) { 1391 if ((aa = do_stat(conn, tmp, 0)) == NULL) {
1362 xfree(tmp); 1392 free(tmp);
1363 err = 1; 1393 err = 1;
1364 break; 1394 break;
1365 } 1395 }
1366 if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { 1396 if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) {
1367 error("Can't change directory: Can't check target"); 1397 error("Can't change directory: Can't check target");
1368 xfree(tmp); 1398 free(tmp);
1369 err = 1; 1399 err = 1;
1370 break; 1400 break;
1371 } 1401 }
1372 if (!S_ISDIR(aa->perm)) { 1402 if (!S_ISDIR(aa->perm)) {
1373 error("Can't change directory: \"%s\" is not " 1403 error("Can't change directory: \"%s\" is not "
1374 "a directory", tmp); 1404 "a directory", tmp);
1375 xfree(tmp); 1405 free(tmp);
1376 err = 1; 1406 err = 1;
1377 break; 1407 break;
1378 } 1408 }
1379 xfree(*pwd); 1409 free(*pwd);
1380 *pwd = tmp; 1410 *pwd = tmp;
1381 break; 1411 break;
1382 case I_LS: 1412 case I_LS:
@@ -1431,7 +1461,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1431 a.perm = n_arg; 1461 a.perm = n_arg;
1432 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); 1462 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
1433 for (i = 0; g.gl_pathv[i] && !interrupted; i++) { 1463 for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
1434 printf("Changing mode on %s\n", g.gl_pathv[i]); 1464 if (!quiet)
1465 printf("Changing mode on %s\n", g.gl_pathv[i]);
1435 err = do_setstat(conn, g.gl_pathv[i], &a); 1466 err = do_setstat(conn, g.gl_pathv[i], &a);
1436 if (err != 0 && err_abort) 1467 if (err != 0 && err_abort)
1437 break; 1468 break;
@@ -1460,10 +1491,14 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1460 } 1491 }
1461 aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; 1492 aa->flags &= SSH2_FILEXFER_ATTR_UIDGID;
1462 if (cmdnum == I_CHOWN) { 1493 if (cmdnum == I_CHOWN) {
1463 printf("Changing owner on %s\n", g.gl_pathv[i]); 1494 if (!quiet)
1495 printf("Changing owner on %s\n",
1496 g.gl_pathv[i]);
1464 aa->uid = n_arg; 1497 aa->uid = n_arg;
1465 } else { 1498 } else {
1466 printf("Changing group on %s\n", g.gl_pathv[i]); 1499 if (!quiet)
1500 printf("Changing group on %s\n",
1501 g.gl_pathv[i]);
1467 aa->gid = n_arg; 1502 aa->gid = n_arg;
1468 } 1503 }
1469 err = do_setstat(conn, g.gl_pathv[i], aa); 1504 err = do_setstat(conn, g.gl_pathv[i], aa);
@@ -1504,10 +1539,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1504 1539
1505 if (g.gl_pathc) 1540 if (g.gl_pathc)
1506 globfree(&g); 1541 globfree(&g);
1507 if (path1) 1542 free(path1);
1508 xfree(path1); 1543 free(path2);
1509 if (path2)
1510 xfree(path2);
1511 1544
1512 /* If an unignored error occurs in batch mode we should abort. */ 1545 /* If an unignored error occurs in batch mode we should abort. */
1513 if (err_abort && err != 0) 1546 if (err_abort && err != 0)
@@ -1617,8 +1650,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1617 complete_display(list, 0); 1650 complete_display(list, 0);
1618 1651
1619 for (y = 0; list[y] != NULL; y++) 1652 for (y = 0; list[y] != NULL; y++)
1620 xfree(list[y]); 1653 free(list[y]);
1621 xfree(list); 1654 free(list);
1622 return count; 1655 return count;
1623 } 1656 }
1624 1657
@@ -1631,7 +1664,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1631 list[count] = NULL; 1664 list[count] = NULL;
1632 1665
1633 if (count == 0) { 1666 if (count == 0) {
1634 xfree(list); 1667 free(list);
1635 return 0; 1668 return 0;
1636 } 1669 }
1637 1670
@@ -1641,8 +1674,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1641 complete_display(list, 0); 1674 complete_display(list, 0);
1642 1675
1643 for (y = 0; list[y]; y++) 1676 for (y = 0; list[y]; y++)
1644 xfree(list[y]); 1677 free(list[y]);
1645 xfree(list); 1678 free(list);
1646 1679
1647 if (tmp != NULL) { 1680 if (tmp != NULL) {
1648 tmplen = strlen(tmp); 1681 tmplen = strlen(tmp);
@@ -1663,7 +1696,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1663 if (y > 0 && el_insertstr(el, argterm) == -1) 1696 if (y > 0 && el_insertstr(el, argterm) == -1)
1664 fatal("el_insertstr failed."); 1697 fatal("el_insertstr failed.");
1665 } 1698 }
1666 xfree(tmp); 1699 free(tmp);
1667 } 1700 }
1668 1701
1669 return count; 1702 return count;
@@ -1694,8 +1727,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1694 char *file, int remote, int lastarg, char quote, int terminated) 1727 char *file, int remote, int lastarg, char quote, int terminated)
1695{ 1728{
1696 glob_t g; 1729 glob_t g;
1697 char *tmp, *tmp2, ins[3]; 1730 char *tmp, *tmp2, ins[8];
1698 u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; 1731 u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
1732 int clen;
1699 const LineInfo *lf; 1733 const LineInfo *lf;
1700 1734
1701 /* Glob from "file" location */ 1735 /* Glob from "file" location */
@@ -1727,7 +1761,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1727 if (tmp[tmplen] == '/') 1761 if (tmp[tmplen] == '/')
1728 pwdlen = tmplen + 1; /* track last seen '/' */ 1762 pwdlen = tmplen + 1; /* track last seen '/' */
1729 } 1763 }
1730 xfree(tmp); 1764 free(tmp);
1731 1765
1732 if (g.gl_matchc == 0) 1766 if (g.gl_matchc == 0)
1733 goto out; 1767 goto out;
@@ -1742,7 +1776,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1742 1776
1743 tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); 1777 tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc);
1744 tmp = path_strip(tmp2, isabs ? NULL : remote_path); 1778 tmp = path_strip(tmp2, isabs ? NULL : remote_path);
1745 xfree(tmp2); 1779 free(tmp2);
1746 1780
1747 if (tmp == NULL) 1781 if (tmp == NULL)
1748 goto out; 1782 goto out;
@@ -1764,10 +1798,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1764 tmp2 = tmp + filelen - cesc; 1798 tmp2 = tmp + filelen - cesc;
1765 len = strlen(tmp2); 1799 len = strlen(tmp2);
1766 /* quote argument on way out */ 1800 /* quote argument on way out */
1767 for (i = 0; i < len; i++) { 1801 for (i = 0; i < len; i += clen) {
1802 if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
1803 (size_t)clen > sizeof(ins) - 2)
1804 fatal("invalid multibyte character");
1768 ins[0] = '\\'; 1805 ins[0] = '\\';
1769 ins[1] = tmp2[i]; 1806 memcpy(ins + 1, tmp2 + i, clen);
1770 ins[2] = '\0'; 1807 ins[clen + 1] = '\0';
1771 switch (tmp2[i]) { 1808 switch (tmp2[i]) {
1772 case '\'': 1809 case '\'':
1773 case '"': 1810 case '"':
@@ -1804,7 +1841,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1804 if (i > 0 && el_insertstr(el, ins) == -1) 1841 if (i > 0 && el_insertstr(el, ins) == -1)
1805 fatal("el_insertstr failed."); 1842 fatal("el_insertstr failed.");
1806 } 1843 }
1807 xfree(tmp); 1844 free(tmp);
1808 1845
1809 out: 1846 out:
1810 globfree(&g); 1847 globfree(&g);
@@ -1816,7 +1853,8 @@ static unsigned char
1816complete(EditLine *el, int ch) 1853complete(EditLine *el, int ch)
1817{ 1854{
1818 char **argv, *line, quote; 1855 char **argv, *line, quote;
1819 u_int argc, carg, cursor, len, terminated, ret = CC_ERROR; 1856 int argc, carg;
1857 u_int cursor, len, terminated, ret = CC_ERROR;
1820 const LineInfo *lf; 1858 const LineInfo *lf;
1821 struct complete_ctx *complete_ctx; 1859 struct complete_ctx *complete_ctx;
1822 1860
@@ -1830,7 +1868,7 @@ complete(EditLine *el, int ch)
1830 memcpy(line, lf->buffer, cursor); 1868 memcpy(line, lf->buffer, cursor);
1831 line[cursor] = '\0'; 1869 line[cursor] = '\0';
1832 argv = makeargv(line, &carg, 1, &quote, &terminated); 1870 argv = makeargv(line, &carg, 1, &quote, &terminated);
1833 xfree(line); 1871 free(line);
1834 1872
1835 /* Get all the arguments on the line */ 1873 /* Get all the arguments on the line */
1836 len = lf->lastchar - lf->buffer; 1874 len = lf->lastchar - lf->buffer;
@@ -1842,7 +1880,7 @@ complete(EditLine *el, int ch)
1842 /* Ensure cursor is at EOL or a argument boundary */ 1880 /* Ensure cursor is at EOL or a argument boundary */
1843 if (line[cursor] != ' ' && line[cursor] != '\0' && 1881 if (line[cursor] != ' ' && line[cursor] != '\0' &&
1844 line[cursor] != '\n') { 1882 line[cursor] != '\n') {
1845 xfree(line); 1883 free(line);
1846 return ret; 1884 return ret;
1847 } 1885 }
1848 1886
@@ -1870,7 +1908,7 @@ complete(EditLine *el, int ch)
1870 ret = CC_REDISPLAY; 1908 ret = CC_REDISPLAY;
1871 } 1909 }
1872 1910
1873 xfree(line); 1911 free(line);
1874 return ret; 1912 return ret;
1875} 1913}
1876#endif /* USE_LIBEDIT */ 1914#endif /* USE_LIBEDIT */
@@ -1922,31 +1960,30 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
1922 dir = make_absolute(dir, remote_path); 1960 dir = make_absolute(dir, remote_path);
1923 1961
1924 if (remote_is_dir(conn, dir) && file2 == NULL) { 1962 if (remote_is_dir(conn, dir) && file2 == NULL) {
1925 printf("Changing to: %s\n", dir); 1963 if (!quiet)
1964 printf("Changing to: %s\n", dir);
1926 snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); 1965 snprintf(cmd, sizeof cmd, "cd \"%s\"", dir);
1927 if (parse_dispatch_command(conn, cmd, 1966 if (parse_dispatch_command(conn, cmd,
1928 &remote_path, 1) != 0) { 1967 &remote_path, 1) != 0) {
1929 xfree(dir); 1968 free(dir);
1930 xfree(remote_path); 1969 free(remote_path);
1931 xfree(conn); 1970 free(conn);
1932 return (-1); 1971 return (-1);
1933 } 1972 }
1934 } else { 1973 } else {
1935 /* XXX this is wrong wrt quoting */ 1974 /* XXX this is wrong wrt quoting */
1936 if (file2 == NULL) 1975 snprintf(cmd, sizeof cmd, "get%s %s%s%s",
1937 snprintf(cmd, sizeof cmd, "get %s", dir); 1976 global_aflag ? " -a" : "", dir,
1938 else 1977 file2 == NULL ? "" : " ",
1939 snprintf(cmd, sizeof cmd, "get %s %s", dir, 1978 file2 == NULL ? "" : file2);
1940 file2);
1941
1942 err = parse_dispatch_command(conn, cmd, 1979 err = parse_dispatch_command(conn, cmd,
1943 &remote_path, 1); 1980 &remote_path, 1);
1944 xfree(dir); 1981 free(dir);
1945 xfree(remote_path); 1982 free(remote_path);
1946 xfree(conn); 1983 free(conn);
1947 return (err); 1984 return (err);
1948 } 1985 }
1949 xfree(dir); 1986 free(dir);
1950 } 1987 }
1951 1988
1952 setlinebuf(stdout); 1989 setlinebuf(stdout);
@@ -2004,8 +2041,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
2004 if (err != 0) 2041 if (err != 0)
2005 break; 2042 break;
2006 } 2043 }
2007 xfree(remote_path); 2044 free(remote_path);
2008 xfree(conn); 2045 free(conn);
2009 2046
2010#ifdef USE_LIBEDIT 2047#ifdef USE_LIBEDIT
2011 if (el != NULL) 2048 if (el != NULL)
@@ -2112,6 +2149,7 @@ main(int argc, char **argv)
2112 2149
2113 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ 2150 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
2114 sanitise_stdfd(); 2151 sanitise_stdfd();
2152 setlocale(LC_CTYPE, "");
2115 2153
2116 __progname = ssh_get_progname(argv[0]); 2154 __progname = ssh_get_progname(argv[0]);
2117 memset(&args, '\0', sizeof(args)); 2155 memset(&args, '\0', sizeof(args));
@@ -2126,7 +2164,7 @@ main(int argc, char **argv)
2126 infile = stdin; 2164 infile = stdin;
2127 2165
2128 while ((ch = getopt(argc, argv, 2166 while ((ch = getopt(argc, argv,
2129 "1246hpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { 2167 "1246ahpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
2130 switch (ch) { 2168 switch (ch) {
2131 /* Passed through to ssh(1) */ 2169 /* Passed through to ssh(1) */
2132 case '4': 2170 case '4':
@@ -2143,6 +2181,8 @@ main(int argc, char **argv)
2143 addargs(&args, "%s", optarg); 2181 addargs(&args, "%s", optarg);
2144 break; 2182 break;
2145 case 'q': 2183 case 'q':
2184 ll = SYSLOG_LEVEL_ERROR;
2185 quiet = 1;
2146 showprogress = 0; 2186 showprogress = 0;
2147 addargs(&args, "-%c", ch); 2187 addargs(&args, "-%c", ch);
2148 break; 2188 break;
@@ -2164,6 +2204,9 @@ main(int argc, char **argv)
2164 case '2': 2204 case '2':
2165 sshver = 2; 2205 sshver = 2;
2166 break; 2206 break;
2207 case 'a':
2208 global_aflag = 1;
2209 break;
2167 case 'B': 2210 case 'B':
2168 copy_buffer_len = strtol(optarg, &cp, 10); 2211 copy_buffer_len = strtol(optarg, &cp, 10);
2169 if (copy_buffer_len == 0 || *cp != '\0') 2212 if (copy_buffer_len == 0 || *cp != '\0')
@@ -2178,7 +2221,7 @@ main(int argc, char **argv)
2178 (infile = fopen(optarg, "r")) == NULL) 2221 (infile = fopen(optarg, "r")) == NULL)
2179 fatal("%s (%s).", strerror(errno), optarg); 2222 fatal("%s (%s).", strerror(errno), optarg);
2180 showprogress = 0; 2223 showprogress = 0;
2181 batchmode = 1; 2224 quiet = batchmode = 1;
2182 addargs(&args, "-obatchmode yes"); 2225 addargs(&args, "-obatchmode yes");
2183 break; 2226 break;
2184 case 'p': 2227 case 'p':
@@ -2275,7 +2318,7 @@ main(int argc, char **argv)
2275 if (conn == NULL) 2318 if (conn == NULL)
2276 fatal("Couldn't initialise connection to server"); 2319 fatal("Couldn't initialise connection to server");
2277 2320
2278 if (!batchmode) { 2321 if (!quiet) {
2279 if (sftp_direct == NULL) 2322 if (sftp_direct == NULL)
2280 fprintf(stderr, "Connected to %s.\n", host); 2323 fprintf(stderr, "Connected to %s.\n", host);
2281 else 2324 else
diff --git a/ssh-add.0 b/ssh-add.0
index ed43dc8cc..bcd1e7322 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -116,4 +116,4 @@ AUTHORS
116 created OpenSSH. Markus Friedl contributed the support for SSH protocol 116 created OpenSSH. Markus Friedl contributed the support for SSH protocol
117 versions 1.5 and 2.0. 117 versions 1.5 and 2.0.
118 118
119OpenBSD 5.3 December 3, 2012 OpenBSD 5.3 119OpenBSD 5.4 December 3, 2012 OpenBSD 5.4
diff --git a/ssh-add.c b/ssh-add.c
index b9c7a0211..b309582f5 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ 1/* $OpenBSD: ssh-add.c,v 1.106 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -90,7 +90,7 @@ clear_pass(void)
90{ 90{
91 if (pass) { 91 if (pass) {
92 memset(pass, 0, strlen(pass)); 92 memset(pass, 0, strlen(pass));
93 xfree(pass); 93 free(pass);
94 pass = NULL; 94 pass = NULL;
95 } 95 }
96} 96}
@@ -215,7 +215,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
215 pass = read_passphrase(msg, RP_ALLOW_STDIN); 215 pass = read_passphrase(msg, RP_ALLOW_STDIN);
216 if (strcmp(pass, "") == 0) { 216 if (strcmp(pass, "") == 0) {
217 clear_pass(); 217 clear_pass();
218 xfree(comment); 218 free(comment);
219 buffer_free(&keyblob); 219 buffer_free(&keyblob);
220 return -1; 220 return -1;
221 } 221 }
@@ -246,9 +246,9 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
246 if (blacklisted_key(private, &fp) == 1) { 246 if (blacklisted_key(private, &fp) == 1) {
247 fprintf(stderr, "Public key %s blacklisted (see " 247 fprintf(stderr, "Public key %s blacklisted (see "
248 "ssh-vulnkey(1)); refusing to add it\n", fp); 248 "ssh-vulnkey(1)); refusing to add it\n", fp);
249 xfree(fp); 249 free(fp);
250 key_free(private); 250 key_free(private);
251 xfree(comment); 251 free(comment);
252 return -1; 252 return -1;
253 } 253 }
254 254
@@ -290,8 +290,8 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
290 fprintf(stderr, "The user must confirm each use of the key\n"); 290 fprintf(stderr, "The user must confirm each use of the key\n");
291 out: 291 out:
292 if (certpath != NULL) 292 if (certpath != NULL)
293 xfree(certpath); 293 free(certpath);
294 xfree(comment); 294 free(comment);
295 key_free(private); 295 key_free(private);
296 296
297 return ret; 297 return ret;
@@ -316,7 +316,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id)
316 add ? "add" : "remove", id); 316 add ? "add" : "remove", id);
317 ret = -1; 317 ret = -1;
318 } 318 }
319 xfree(pin); 319 free(pin);
320 return ret; 320 return ret;
321} 321}
322 322
@@ -338,14 +338,14 @@ list_identities(AuthenticationConnection *ac, int do_fp)
338 SSH_FP_HEX); 338 SSH_FP_HEX);
339 printf("%d %s %s (%s)\n", 339 printf("%d %s %s (%s)\n",
340 key_size(key), fp, comment, key_type(key)); 340 key_size(key), fp, comment, key_type(key));
341 xfree(fp); 341 free(fp);
342 } else { 342 } else {
343 if (!key_write(key, stdout)) 343 if (!key_write(key, stdout))
344 fprintf(stderr, "key_write failed"); 344 fprintf(stderr, "key_write failed");
345 fprintf(stdout, " %s\n", comment); 345 fprintf(stdout, " %s\n", comment);
346 } 346 }
347 key_free(key); 347 key_free(key);
348 xfree(comment); 348 free(comment);
349 } 349 }
350 } 350 }
351 if (!had_identities) { 351 if (!had_identities) {
@@ -371,7 +371,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
371 passok = 0; 371 passok = 0;
372 } 372 }
373 memset(p2, 0, strlen(p2)); 373 memset(p2, 0, strlen(p2));
374 xfree(p2); 374 free(p2);
375 } 375 }
376 if (passok && ssh_lock_agent(ac, lock, p1)) { 376 if (passok && ssh_lock_agent(ac, lock, p1)) {
377 fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un"); 377 fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un");
@@ -379,7 +379,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
379 } else 379 } else
380 fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un"); 380 fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un");
381 memset(p1, 0, strlen(p1)); 381 memset(p1, 0, strlen(p1));
382 xfree(p1); 382 free(p1);
383 return (ret); 383 return (ret);
384} 384}
385 385
diff --git a/ssh-agent.0 b/ssh-agent.0
index 578984815..e5f0f7342 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -120,4 +120,4 @@ AUTHORS
120 created OpenSSH. Markus Friedl contributed the support for SSH protocol 120 created OpenSSH. Markus Friedl contributed the support for SSH protocol
121 versions 1.5 and 2.0. 121 versions 1.5 and 2.0.
122 122
123OpenBSD 5.3 November 21, 2010 OpenBSD 5.3 123OpenBSD 5.4 November 21, 2010 OpenBSD 5.4
diff --git a/ssh-agent.c b/ssh-agent.c
index b9498e6ef..c3b11729c 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-agent.c,v 1.172 2011/06/03 01:37:40 dtucker Exp $ */ 1/* $OpenBSD: ssh-agent.c,v 1.177 2013/07/20 01:50:20 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -106,7 +106,7 @@ typedef struct identity {
106 Key *key; 106 Key *key;
107 char *comment; 107 char *comment;
108 char *provider; 108 char *provider;
109 u_int death; 109 time_t death;
110 u_int confirm; 110 u_int confirm;
111} Identity; 111} Identity;
112 112
@@ -122,7 +122,7 @@ int max_fd = 0;
122 122
123/* pid of shell == parent of agent */ 123/* pid of shell == parent of agent */
124pid_t parent_pid = -1; 124pid_t parent_pid = -1;
125u_int parent_alive_interval = 0; 125time_t parent_alive_interval = 0;
126 126
127/* pathname and directory for AUTH_SOCKET */ 127/* pathname and directory for AUTH_SOCKET */
128char socket_name[MAXPATHLEN]; 128char socket_name[MAXPATHLEN];
@@ -134,8 +134,8 @@ char *lock_passwd = NULL;
134 134
135extern char *__progname; 135extern char *__progname;
136 136
137/* Default lifetime (0 == forever) */ 137/* Default lifetime in seconds (0 == forever) */
138static int lifetime = 0; 138static long lifetime = 0;
139 139
140static void 140static void
141close_socket(SocketEntry *e) 141close_socket(SocketEntry *e)
@@ -172,10 +172,9 @@ static void
172free_identity(Identity *id) 172free_identity(Identity *id)
173{ 173{
174 key_free(id->key); 174 key_free(id->key);
175 if (id->provider != NULL) 175 free(id->provider);
176 xfree(id->provider); 176 free(id->comment);
177 xfree(id->comment); 177 free(id);
178 xfree(id);
179} 178}
180 179
181/* return matching private key for given public key */ 180/* return matching private key for given public key */
@@ -203,7 +202,7 @@ confirm_key(Identity *id)
203 if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", 202 if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
204 id->comment, p)) 203 id->comment, p))
205 ret = 0; 204 ret = 0;
206 xfree(p); 205 free(p);
207 206
208 return (ret); 207 return (ret);
209} 208}
@@ -230,7 +229,7 @@ process_request_identities(SocketEntry *e, int version)
230 u_int blen; 229 u_int blen;
231 key_to_blob(id->key, &blob, &blen); 230 key_to_blob(id->key, &blob, &blen);
232 buffer_put_string(&msg, blob, blen); 231 buffer_put_string(&msg, blob, blen);
233 xfree(blob); 232 free(blob);
234 } 233 }
235 buffer_put_cstring(&msg, id->comment); 234 buffer_put_cstring(&msg, id->comment);
236 } 235 }
@@ -348,10 +347,9 @@ process_sign_request2(SocketEntry *e)
348 buffer_append(&e->output, buffer_ptr(&msg), 347 buffer_append(&e->output, buffer_ptr(&msg),
349 buffer_len(&msg)); 348 buffer_len(&msg));
350 buffer_free(&msg); 349 buffer_free(&msg);
351 xfree(data); 350 free(data);
352 xfree(blob); 351 free(blob);
353 if (signature != NULL) 352 free(signature);
354 xfree(signature);
355 datafellows = odatafellows; 353 datafellows = odatafellows;
356} 354}
357 355
@@ -378,7 +376,7 @@ process_remove_identity(SocketEntry *e, int version)
378 case 2: 376 case 2:
379 blob = buffer_get_string(&e->request, &blen); 377 blob = buffer_get_string(&e->request, &blen);
380 key = key_from_blob(blob, blen); 378 key = key_from_blob(blob, blen);
381 xfree(blob); 379 free(blob);
382 break; 380 break;
383 } 381 }
384 if (key != NULL) { 382 if (key != NULL) {
@@ -430,10 +428,10 @@ process_remove_all_identities(SocketEntry *e, int version)
430} 428}
431 429
432/* removes expired keys and returns number of seconds until the next expiry */ 430/* removes expired keys and returns number of seconds until the next expiry */
433static u_int 431static time_t
434reaper(void) 432reaper(void)
435{ 433{
436 u_int deadline = 0, now = time(NULL); 434 time_t deadline = 0, now = monotime();
437 Identity *id, *nxt; 435 Identity *id, *nxt;
438 int version; 436 int version;
439 Idtab *tab; 437 Idtab *tab;
@@ -465,8 +463,9 @@ process_add_identity(SocketEntry *e, int version)
465{ 463{
466 Idtab *tab = idtab_lookup(version); 464 Idtab *tab = idtab_lookup(version);
467 Identity *id; 465 Identity *id;
468 int type, success = 0, death = 0, confirm = 0; 466 int type, success = 0, confirm = 0;
469 char *type_name, *comment; 467 char *type_name, *comment;
468 time_t death = 0;
470 Key *k = NULL; 469 Key *k = NULL;
471#ifdef OPENSSL_HAS_ECC 470#ifdef OPENSSL_HAS_ECC
472 BIGNUM *exponent; 471 BIGNUM *exponent;
@@ -509,7 +508,7 @@ process_add_identity(SocketEntry *e, int version)
509 cert = buffer_get_string(&e->request, &len); 508 cert = buffer_get_string(&e->request, &len);
510 if ((k = key_from_blob(cert, len)) == NULL) 509 if ((k = key_from_blob(cert, len)) == NULL)
511 fatal("Certificate parse failed"); 510 fatal("Certificate parse failed");
512 xfree(cert); 511 free(cert);
513 key_add_private(k); 512 key_add_private(k);
514 buffer_get_bignum2(&e->request, k->dsa->priv_key); 513 buffer_get_bignum2(&e->request, k->dsa->priv_key);
515 break; 514 break;
@@ -520,7 +519,7 @@ process_add_identity(SocketEntry *e, int version)
520 curve = buffer_get_string(&e->request, NULL); 519 curve = buffer_get_string(&e->request, NULL);
521 if (k->ecdsa_nid != key_curve_name_to_nid(curve)) 520 if (k->ecdsa_nid != key_curve_name_to_nid(curve))
522 fatal("%s: curve names mismatch", __func__); 521 fatal("%s: curve names mismatch", __func__);
523 xfree(curve); 522 free(curve);
524 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 523 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
525 if (k->ecdsa == NULL) 524 if (k->ecdsa == NULL)
526 fatal("%s: EC_KEY_new_by_curve_name failed", 525 fatal("%s: EC_KEY_new_by_curve_name failed",
@@ -551,7 +550,7 @@ process_add_identity(SocketEntry *e, int version)
551 cert = buffer_get_string(&e->request, &len); 550 cert = buffer_get_string(&e->request, &len);
552 if ((k = key_from_blob(cert, len)) == NULL) 551 if ((k = key_from_blob(cert, len)) == NULL)
553 fatal("Certificate parse failed"); 552 fatal("Certificate parse failed");
554 xfree(cert); 553 free(cert);
555 key_add_private(k); 554 key_add_private(k);
556 if ((exponent = BN_new()) == NULL) 555 if ((exponent = BN_new()) == NULL)
557 fatal("%s: BN_new failed", __func__); 556 fatal("%s: BN_new failed", __func__);
@@ -583,7 +582,7 @@ process_add_identity(SocketEntry *e, int version)
583 cert = buffer_get_string(&e->request, &len); 582 cert = buffer_get_string(&e->request, &len);
584 if ((k = key_from_blob(cert, len)) == NULL) 583 if ((k = key_from_blob(cert, len)) == NULL)
585 fatal("Certificate parse failed"); 584 fatal("Certificate parse failed");
586 xfree(cert); 585 free(cert);
587 key_add_private(k); 586 key_add_private(k);
588 buffer_get_bignum2(&e->request, k->rsa->d); 587 buffer_get_bignum2(&e->request, k->rsa->d);
589 buffer_get_bignum2(&e->request, k->rsa->iqmp); 588 buffer_get_bignum2(&e->request, k->rsa->iqmp);
@@ -591,11 +590,11 @@ process_add_identity(SocketEntry *e, int version)
591 buffer_get_bignum2(&e->request, k->rsa->q); 590 buffer_get_bignum2(&e->request, k->rsa->q);
592 break; 591 break;
593 default: 592 default:
594 xfree(type_name); 593 free(type_name);
595 buffer_clear(&e->request); 594 buffer_clear(&e->request);
596 goto send; 595 goto send;
597 } 596 }
598 xfree(type_name); 597 free(type_name);
599 break; 598 break;
600 } 599 }
601 /* enable blinding */ 600 /* enable blinding */
@@ -613,13 +612,13 @@ process_add_identity(SocketEntry *e, int version)
613 } 612 }
614 comment = buffer_get_string(&e->request, NULL); 613 comment = buffer_get_string(&e->request, NULL);
615 if (k == NULL) { 614 if (k == NULL) {
616 xfree(comment); 615 free(comment);
617 goto send; 616 goto send;
618 } 617 }
619 while (buffer_len(&e->request)) { 618 while (buffer_len(&e->request)) {
620 switch ((type = buffer_get_char(&e->request))) { 619 switch ((type = buffer_get_char(&e->request))) {
621 case SSH_AGENT_CONSTRAIN_LIFETIME: 620 case SSH_AGENT_CONSTRAIN_LIFETIME:
622 death = time(NULL) + buffer_get_int(&e->request); 621 death = monotime() + buffer_get_int(&e->request);
623 break; 622 break;
624 case SSH_AGENT_CONSTRAIN_CONFIRM: 623 case SSH_AGENT_CONSTRAIN_CONFIRM:
625 confirm = 1; 624 confirm = 1;
@@ -627,14 +626,14 @@ process_add_identity(SocketEntry *e, int version)
627 default: 626 default:
628 error("process_add_identity: " 627 error("process_add_identity: "
629 "Unknown constraint type %d", type); 628 "Unknown constraint type %d", type);
630 xfree(comment); 629 free(comment);
631 key_free(k); 630 key_free(k);
632 goto send; 631 goto send;
633 } 632 }
634 } 633 }
635 success = 1; 634 success = 1;
636 if (lifetime && !death) 635 if (lifetime && !death)
637 death = time(NULL) + lifetime; 636 death = monotime() + lifetime;
638 if ((id = lookup_identity(k, version)) == NULL) { 637 if ((id = lookup_identity(k, version)) == NULL) {
639 id = xcalloc(1, sizeof(Identity)); 638 id = xcalloc(1, sizeof(Identity));
640 id->key = k; 639 id->key = k;
@@ -643,7 +642,7 @@ process_add_identity(SocketEntry *e, int version)
643 tab->nentries++; 642 tab->nentries++;
644 } else { 643 } else {
645 key_free(k); 644 key_free(k);
646 xfree(id->comment); 645 free(id->comment);
647 } 646 }
648 id->comment = comment; 647 id->comment = comment;
649 id->death = death; 648 id->death = death;
@@ -665,7 +664,7 @@ process_lock_agent(SocketEntry *e, int lock)
665 if (locked && !lock && strcmp(passwd, lock_passwd) == 0) { 664 if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
666 locked = 0; 665 locked = 0;
667 memset(lock_passwd, 0, strlen(lock_passwd)); 666 memset(lock_passwd, 0, strlen(lock_passwd));
668 xfree(lock_passwd); 667 free(lock_passwd);
669 lock_passwd = NULL; 668 lock_passwd = NULL;
670 success = 1; 669 success = 1;
671 } else if (!locked && lock) { 670 } else if (!locked && lock) {
@@ -674,7 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
674 success = 1; 673 success = 1;
675 } 674 }
676 memset(passwd, 0, strlen(passwd)); 675 memset(passwd, 0, strlen(passwd));
677 xfree(passwd); 676 free(passwd);
678 677
679 buffer_put_int(&e->output, 1); 678 buffer_put_int(&e->output, 1);
680 buffer_put_char(&e->output, 679 buffer_put_char(&e->output,
@@ -701,7 +700,8 @@ static void
701process_add_smartcard_key(SocketEntry *e) 700process_add_smartcard_key(SocketEntry *e)
702{ 701{
703 char *provider = NULL, *pin; 702 char *provider = NULL, *pin;
704 int i, type, version, count = 0, success = 0, death = 0, confirm = 0; 703 int i, type, version, count = 0, success = 0, confirm = 0;
704 time_t death = 0;
705 Key **keys = NULL, *k; 705 Key **keys = NULL, *k;
706 Identity *id; 706 Identity *id;
707 Idtab *tab; 707 Idtab *tab;
@@ -712,7 +712,7 @@ process_add_smartcard_key(SocketEntry *e)
712 while (buffer_len(&e->request)) { 712 while (buffer_len(&e->request)) {
713 switch ((type = buffer_get_char(&e->request))) { 713 switch ((type = buffer_get_char(&e->request))) {
714 case SSH_AGENT_CONSTRAIN_LIFETIME: 714 case SSH_AGENT_CONSTRAIN_LIFETIME:
715 death = time(NULL) + buffer_get_int(&e->request); 715 death = monotime() + buffer_get_int(&e->request);
716 break; 716 break;
717 case SSH_AGENT_CONSTRAIN_CONFIRM: 717 case SSH_AGENT_CONSTRAIN_CONFIRM:
718 confirm = 1; 718 confirm = 1;
@@ -724,7 +724,7 @@ process_add_smartcard_key(SocketEntry *e)
724 } 724 }
725 } 725 }
726 if (lifetime && !death) 726 if (lifetime && !death)
727 death = time(NULL) + lifetime; 727 death = monotime() + lifetime;
728 728
729 count = pkcs11_add_provider(provider, pin, &keys); 729 count = pkcs11_add_provider(provider, pin, &keys);
730 for (i = 0; i < count; i++) { 730 for (i = 0; i < count; i++) {
@@ -747,12 +747,9 @@ process_add_smartcard_key(SocketEntry *e)
747 keys[i] = NULL; 747 keys[i] = NULL;
748 } 748 }
749send: 749send:
750 if (pin) 750 free(pin);
751 xfree(pin); 751 free(provider);
752 if (provider) 752 free(keys);
753 xfree(provider);
754 if (keys)
755 xfree(keys);
756 buffer_put_int(&e->output, 1); 753 buffer_put_int(&e->output, 1);
757 buffer_put_char(&e->output, 754 buffer_put_char(&e->output,
758 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); 755 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
@@ -768,7 +765,7 @@ process_remove_smartcard_key(SocketEntry *e)
768 765
769 provider = buffer_get_string(&e->request, NULL); 766 provider = buffer_get_string(&e->request, NULL);
770 pin = buffer_get_string(&e->request, NULL); 767 pin = buffer_get_string(&e->request, NULL);
771 xfree(pin); 768 free(pin);
772 769
773 for (version = 1; version < 3; version++) { 770 for (version = 1; version < 3; version++) {
774 tab = idtab_lookup(version); 771 tab = idtab_lookup(version);
@@ -786,7 +783,7 @@ process_remove_smartcard_key(SocketEntry *e)
786 else 783 else
787 error("process_remove_smartcard_key:" 784 error("process_remove_smartcard_key:"
788 " pkcs11_del_provider failed"); 785 " pkcs11_del_provider failed");
789 xfree(provider); 786 free(provider);
790 buffer_put_int(&e->output, 1); 787 buffer_put_int(&e->output, 1);
791 buffer_put_char(&e->output, 788 buffer_put_char(&e->output,
792 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); 789 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
@@ -931,9 +928,10 @@ static int
931prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, 928prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
932 struct timeval **tvpp) 929 struct timeval **tvpp)
933{ 930{
934 u_int i, sz, deadline; 931 u_int i, sz;
935 int n = 0; 932 int n = 0;
936 static struct timeval tv; 933 static struct timeval tv;
934 time_t deadline;
937 935
938 for (i = 0; i < sockets_alloc; i++) { 936 for (i = 0; i < sockets_alloc; i++) {
939 switch (sockets[i].type) { 937 switch (sockets[i].type) {
@@ -951,10 +949,8 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
951 949
952 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); 950 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
953 if (*fdrp == NULL || sz > *nallocp) { 951 if (*fdrp == NULL || sz > *nallocp) {
954 if (*fdrp) 952 free(*fdrp);
955 xfree(*fdrp); 953 free(*fdwp);
956 if (*fdwp)
957 xfree(*fdwp);
958 *fdrp = xmalloc(sz); 954 *fdrp = xmalloc(sz);
959 *fdwp = xmalloc(sz); 955 *fdwp = xmalloc(sz);
960 *nallocp = sz; 956 *nallocp = sz;
@@ -1348,9 +1344,8 @@ skip:
1348 if (ac > 0) 1344 if (ac > 0)
1349 parent_alive_interval = 10; 1345 parent_alive_interval = 10;
1350 idtab_init(); 1346 idtab_init();
1351 if (!d_flag)
1352 signal(SIGINT, SIG_IGN);
1353 signal(SIGPIPE, SIG_IGN); 1347 signal(SIGPIPE, SIG_IGN);
1348 signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
1354 signal(SIGHUP, cleanup_handler); 1349 signal(SIGHUP, cleanup_handler);
1355 signal(SIGTERM, cleanup_handler); 1350 signal(SIGTERM, cleanup_handler);
1356 nalloc = 0; 1351 nalloc = 0;
diff --git a/ssh-dss.c b/ssh-dss.c
index ede5e21e5..322ec9fd8 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-dss.c,v 1.27 2010/08/31 09:58:37 djm Exp $ */ 1/* $OpenBSD: ssh-dss.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -137,17 +137,17 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
137 if (strcmp("ssh-dss", ktype) != 0) { 137 if (strcmp("ssh-dss", ktype) != 0) {
138 error("ssh_dss_verify: cannot handle type %s", ktype); 138 error("ssh_dss_verify: cannot handle type %s", ktype);
139 buffer_free(&b); 139 buffer_free(&b);
140 xfree(ktype); 140 free(ktype);
141 return -1; 141 return -1;
142 } 142 }
143 xfree(ktype); 143 free(ktype);
144 sigblob = buffer_get_string(&b, &len); 144 sigblob = buffer_get_string(&b, &len);
145 rlen = buffer_len(&b); 145 rlen = buffer_len(&b);
146 buffer_free(&b); 146 buffer_free(&b);
147 if (rlen != 0) { 147 if (rlen != 0) {
148 error("ssh_dss_verify: " 148 error("ssh_dss_verify: "
149 "remaining bytes in signature %d", rlen); 149 "remaining bytes in signature %d", rlen);
150 xfree(sigblob); 150 free(sigblob);
151 return -1; 151 return -1;
152 } 152 }
153 } 153 }
@@ -169,7 +169,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
169 169
170 /* clean up */ 170 /* clean up */
171 memset(sigblob, 0, len); 171 memset(sigblob, 0, len);
172 xfree(sigblob); 172 free(sigblob);
173 173
174 /* sha1 the data */ 174 /* sha1 the data */
175 EVP_DigestInit(&md, evp_md); 175 EVP_DigestInit(&md, evp_md);
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 085468ee7..766338941 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */ 1/* $OpenBSD: ssh-ecdsa.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2010 Damien Miller. All rights reserved. 4 * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -119,16 +119,16 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
119 if (strcmp(key_ssh_name_plain(key), ktype) != 0) { 119 if (strcmp(key_ssh_name_plain(key), ktype) != 0) {
120 error("%s: cannot handle type %s", __func__, ktype); 120 error("%s: cannot handle type %s", __func__, ktype);
121 buffer_free(&b); 121 buffer_free(&b);
122 xfree(ktype); 122 free(ktype);
123 return -1; 123 return -1;
124 } 124 }
125 xfree(ktype); 125 free(ktype);
126 sigblob = buffer_get_string(&b, &len); 126 sigblob = buffer_get_string(&b, &len);
127 rlen = buffer_len(&b); 127 rlen = buffer_len(&b);
128 buffer_free(&b); 128 buffer_free(&b);
129 if (rlen != 0) { 129 if (rlen != 0) {
130 error("%s: remaining bytes in signature %d", __func__, rlen); 130 error("%s: remaining bytes in signature %d", __func__, rlen);
131 xfree(sigblob); 131 free(sigblob);
132 return -1; 132 return -1;
133 } 133 }
134 134
@@ -149,7 +149,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
149 149
150 /* clean up */ 150 /* clean up */
151 memset(sigblob, 0, len); 151 memset(sigblob, 0, len);
152 xfree(sigblob); 152 free(sigblob);
153 153
154 /* hash the data */ 154 /* hash the data */
155 EVP_DigestInit(&md, evp_md); 155 EVP_DigestInit(&md, evp_md);
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 3c7a64753..2b0e9a692 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -543,4 +543,4 @@ AUTHORS
543 created OpenSSH. Markus Friedl contributed the support for SSH protocol 543 created OpenSSH. Markus Friedl contributed the support for SSH protocol
544 versions 1.5 and 2.0. 544 versions 1.5 and 2.0.
545 545
546OpenBSD 5.3 January 19, 2013 OpenBSD 5.3 546OpenBSD 5.4 June 27, 2013 OpenBSD 5.4
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 0d84ebd1e..753cc625b 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: January 19 2013 $ 38.Dd $Mdocdate: June 27 2013 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -512,8 +512,7 @@ of two times separated by a colon to indicate an explicit time interval.
512The start time may be specified as a date in YYYYMMDD format, a time 512The start time may be specified as a date in YYYYMMDD format, a time
513in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 513in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
514of a minus sign followed by a relative time in the format described in the 514of a minus sign followed by a relative time in the format described in the
515.Sx TIME FORMATS 515TIME FORMATS section of
516section of
517.Xr sshd_config 5 . 516.Xr sshd_config 5 .
518The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 517The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
519a relative time starting with a plus character. 518a relative time starting with a plus character.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index d1a205e18..03c444d42 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.230 2013/07/20 01:44:37 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -252,7 +252,7 @@ load_identity(char *filename)
252 RP_ALLOW_STDIN); 252 RP_ALLOW_STDIN);
253 prv = key_load_private(filename, pass, NULL); 253 prv = key_load_private(filename, pass, NULL);
254 memset(pass, 0, strlen(pass)); 254 memset(pass, 0, strlen(pass));
255 xfree(pass); 255 free(pass);
256 } 256 }
257 return prv; 257 return prv;
258} 258}
@@ -288,7 +288,7 @@ do_convert_to_ssh2(struct passwd *pw, Key *k)
288 dump_base64(stdout, blob, len); 288 dump_base64(stdout, blob, len);
289 fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); 289 fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
290 key_free(k); 290 key_free(k);
291 xfree(blob); 291 free(blob);
292 exit(0); 292 exit(0);
293} 293}
294 294
@@ -415,12 +415,12 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
415 debug("ignore (%d %d %d %d)", i1, i2, i3, i4); 415 debug("ignore (%d %d %d %d)", i1, i2, i3, i4);
416 if (strcmp(cipher, "none") != 0) { 416 if (strcmp(cipher, "none") != 0) {
417 error("unsupported cipher %s", cipher); 417 error("unsupported cipher %s", cipher);
418 xfree(cipher); 418 free(cipher);
419 buffer_free(&b); 419 buffer_free(&b);
420 xfree(type); 420 free(type);
421 return NULL; 421 return NULL;
422 } 422 }
423 xfree(cipher); 423 free(cipher);
424 424
425 if (strstr(type, "dsa")) { 425 if (strstr(type, "dsa")) {
426 ktype = KEY_DSA; 426 ktype = KEY_DSA;
@@ -428,11 +428,11 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
428 ktype = KEY_RSA; 428 ktype = KEY_RSA;
429 } else { 429 } else {
430 buffer_free(&b); 430 buffer_free(&b);
431 xfree(type); 431 free(type);
432 return NULL; 432 return NULL;
433 } 433 }
434 key = key_new_private(ktype); 434 key = key_new_private(ktype);
435 xfree(type); 435 free(type);
436 436
437 switch (key->type) { 437 switch (key->type) {
438 case KEY_DSA: 438 case KEY_DSA:
@@ -475,7 +475,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
475 /* try the key */ 475 /* try the key */
476 key_sign(key, &sig, &slen, data, sizeof(data)); 476 key_sign(key, &sig, &slen, data, sizeof(data));
477 key_verify(key, sig, slen, data, sizeof(data)); 477 key_verify(key, sig, slen, data, sizeof(data));
478 xfree(sig); 478 free(sig);
479 return key; 479 return key;
480} 480}
481 481
@@ -524,7 +524,7 @@ do_convert_from_ssh2(struct passwd *pw, Key **k, int *private)
524 fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); 524 fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
525 encoded[0] = '\0'; 525 encoded[0] = '\0';
526 while ((blen = get_line(fp, line, sizeof(line))) != -1) { 526 while ((blen = get_line(fp, line, sizeof(line))) != -1) {
527 if (line[blen - 1] == '\\') 527 if (blen > 0 && line[blen - 1] == '\\')
528 escaped++; 528 escaped++;
529 if (strncmp(line, "----", 4) == 0 || 529 if (strncmp(line, "----", 4) == 0 ||
530 strstr(line, ": ") != NULL) { 530 strstr(line, ": ") != NULL) {
@@ -746,15 +746,15 @@ do_download(struct passwd *pw)
746 fp, key_type(keys[i])); 746 fp, key_type(keys[i]));
747 if (log_level >= SYSLOG_LEVEL_VERBOSE) 747 if (log_level >= SYSLOG_LEVEL_VERBOSE)
748 printf("%s\n", ra); 748 printf("%s\n", ra);
749 xfree(ra); 749 free(ra);
750 xfree(fp); 750 free(fp);
751 } else { 751 } else {
752 key_write(keys[i], stdout); 752 key_write(keys[i], stdout);
753 fprintf(stdout, "\n"); 753 fprintf(stdout, "\n");
754 } 754 }
755 key_free(keys[i]); 755 key_free(keys[i]);
756 } 756 }
757 xfree(keys); 757 free(keys);
758 pkcs11_terminate(); 758 pkcs11_terminate();
759 exit(0); 759 exit(0);
760#else 760#else
@@ -791,13 +791,13 @@ do_fingerprint(struct passwd *pw)
791 if (log_level >= SYSLOG_LEVEL_VERBOSE) 791 if (log_level >= SYSLOG_LEVEL_VERBOSE)
792 printf("%s\n", ra); 792 printf("%s\n", ra);
793 key_free(public); 793 key_free(public);
794 xfree(comment); 794 free(comment);
795 xfree(ra); 795 free(ra);
796 xfree(fp); 796 free(fp);
797 exit(0); 797 exit(0);
798 } 798 }
799 if (comment) { 799 if (comment) {
800 xfree(comment); 800 free(comment);
801 comment = NULL; 801 comment = NULL;
802 } 802 }
803 803
@@ -856,8 +856,8 @@ do_fingerprint(struct passwd *pw)
856 comment ? comment : "no comment", key_type(public)); 856 comment ? comment : "no comment", key_type(public));
857 if (log_level >= SYSLOG_LEVEL_VERBOSE) 857 if (log_level >= SYSLOG_LEVEL_VERBOSE)
858 printf("%s\n", ra); 858 printf("%s\n", ra);
859 xfree(ra); 859 free(ra);
860 xfree(fp); 860 free(fp);
861 key_free(public); 861 key_free(public);
862 invalid = 0; 862 invalid = 0;
863 } 863 }
@@ -980,8 +980,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
980 key_type(public)); 980 key_type(public));
981 if (log_level >= SYSLOG_LEVEL_VERBOSE) 981 if (log_level >= SYSLOG_LEVEL_VERBOSE)
982 printf("%s\n", ra); 982 printf("%s\n", ra);
983 xfree(ra); 983 free(ra);
984 xfree(fp); 984 free(fp);
985 } else { 985 } else {
986 if (hash && (name = host_hash(name, NULL, 0)) == NULL) 986 if (hash && (name = host_hash(name, NULL, 0)) == NULL)
987 fatal("hash_host failed"); 987 fatal("hash_host failed");
@@ -1007,7 +1007,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1007 if (strlcpy(identity_file, cp, sizeof(identity_file)) >= 1007 if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
1008 sizeof(identity_file)) 1008 sizeof(identity_file))
1009 fatal("Specified known hosts path too long"); 1009 fatal("Specified known hosts path too long");
1010 xfree(cp); 1010 free(cp);
1011 have_identity = 1; 1011 have_identity = 1;
1012 } 1012 }
1013 if ((in = fopen(identity_file, "r")) == NULL) 1013 if ((in = fopen(identity_file, "r")) == NULL)
@@ -1238,7 +1238,7 @@ do_change_passphrase(struct passwd *pw)
1238 private = key_load_private(identity_file, old_passphrase, 1238 private = key_load_private(identity_file, old_passphrase,
1239 &comment); 1239 &comment);
1240 memset(old_passphrase, 0, strlen(old_passphrase)); 1240 memset(old_passphrase, 0, strlen(old_passphrase));
1241 xfree(old_passphrase); 1241 free(old_passphrase);
1242 if (private == NULL) { 1242 if (private == NULL) {
1243 printf("Bad passphrase.\n"); 1243 printf("Bad passphrase.\n");
1244 exit(1); 1244 exit(1);
@@ -1261,30 +1261,30 @@ do_change_passphrase(struct passwd *pw)
1261 if (strcmp(passphrase1, passphrase2) != 0) { 1261 if (strcmp(passphrase1, passphrase2) != 0) {
1262 memset(passphrase1, 0, strlen(passphrase1)); 1262 memset(passphrase1, 0, strlen(passphrase1));
1263 memset(passphrase2, 0, strlen(passphrase2)); 1263 memset(passphrase2, 0, strlen(passphrase2));
1264 xfree(passphrase1); 1264 free(passphrase1);
1265 xfree(passphrase2); 1265 free(passphrase2);
1266 printf("Pass phrases do not match. Try again.\n"); 1266 printf("Pass phrases do not match. Try again.\n");
1267 exit(1); 1267 exit(1);
1268 } 1268 }
1269 /* Destroy the other copy. */ 1269 /* Destroy the other copy. */
1270 memset(passphrase2, 0, strlen(passphrase2)); 1270 memset(passphrase2, 0, strlen(passphrase2));
1271 xfree(passphrase2); 1271 free(passphrase2);
1272 } 1272 }
1273 1273
1274 /* Save the file using the new passphrase. */ 1274 /* Save the file using the new passphrase. */
1275 if (!key_save_private(private, identity_file, passphrase1, comment)) { 1275 if (!key_save_private(private, identity_file, passphrase1, comment)) {
1276 printf("Saving the key failed: %s.\n", identity_file); 1276 printf("Saving the key failed: %s.\n", identity_file);
1277 memset(passphrase1, 0, strlen(passphrase1)); 1277 memset(passphrase1, 0, strlen(passphrase1));
1278 xfree(passphrase1); 1278 free(passphrase1);
1279 key_free(private); 1279 key_free(private);
1280 xfree(comment); 1280 free(comment);
1281 exit(1); 1281 exit(1);
1282 } 1282 }
1283 /* Destroy the passphrase and the copy of the key in memory. */ 1283 /* Destroy the passphrase and the copy of the key in memory. */
1284 memset(passphrase1, 0, strlen(passphrase1)); 1284 memset(passphrase1, 0, strlen(passphrase1));
1285 xfree(passphrase1); 1285 free(passphrase1);
1286 key_free(private); /* Destroys contents */ 1286 key_free(private); /* Destroys contents */
1287 xfree(comment); 1287 free(comment);
1288 1288
1289 printf("Your identification has been saved with the new passphrase.\n"); 1289 printf("Your identification has been saved with the new passphrase.\n");
1290 exit(0); 1290 exit(0);
@@ -1301,7 +1301,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname)
1301 struct stat st; 1301 struct stat st;
1302 1302
1303 if (fname == NULL) 1303 if (fname == NULL)
1304 ask_filename(pw, "Enter file in which the key is"); 1304 fatal("%s: no filename", __func__);
1305 if (stat(fname, &st) < 0) { 1305 if (stat(fname, &st) < 0) {
1306 if (errno == ENOENT) 1306 if (errno == ENOENT)
1307 return 0; 1307 return 0;
@@ -1312,11 +1312,11 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname)
1312 if (public != NULL) { 1312 if (public != NULL) {
1313 export_dns_rr(hname, public, stdout, print_generic); 1313 export_dns_rr(hname, public, stdout, print_generic);
1314 key_free(public); 1314 key_free(public);
1315 xfree(comment); 1315 free(comment);
1316 return 1; 1316 return 1;
1317 } 1317 }
1318 if (comment) 1318 if (comment)
1319 xfree(comment); 1319 free(comment);
1320 1320
1321 printf("failed to read v2 public key from %s.\n", fname); 1321 printf("failed to read v2 public key from %s.\n", fname);
1322 exit(1); 1322 exit(1);
@@ -1354,7 +1354,7 @@ do_change_comment(struct passwd *pw)
1354 private = key_load_private(identity_file, passphrase, &comment); 1354 private = key_load_private(identity_file, passphrase, &comment);
1355 if (private == NULL) { 1355 if (private == NULL) {
1356 memset(passphrase, 0, strlen(passphrase)); 1356 memset(passphrase, 0, strlen(passphrase));
1357 xfree(passphrase); 1357 free(passphrase);
1358 printf("Bad passphrase.\n"); 1358 printf("Bad passphrase.\n");
1359 exit(1); 1359 exit(1);
1360 } 1360 }
@@ -1385,13 +1385,13 @@ do_change_comment(struct passwd *pw)
1385 if (!key_save_private(private, identity_file, passphrase, new_comment)) { 1385 if (!key_save_private(private, identity_file, passphrase, new_comment)) {
1386 printf("Saving the key failed: %s.\n", identity_file); 1386 printf("Saving the key failed: %s.\n", identity_file);
1387 memset(passphrase, 0, strlen(passphrase)); 1387 memset(passphrase, 0, strlen(passphrase));
1388 xfree(passphrase); 1388 free(passphrase);
1389 key_free(private); 1389 key_free(private);
1390 xfree(comment); 1390 free(comment);
1391 exit(1); 1391 exit(1);
1392 } 1392 }
1393 memset(passphrase, 0, strlen(passphrase)); 1393 memset(passphrase, 0, strlen(passphrase));
1394 xfree(passphrase); 1394 free(passphrase);
1395 public = key_from_private(private); 1395 public = key_from_private(private);
1396 key_free(private); 1396 key_free(private);
1397 1397
@@ -1412,7 +1412,7 @@ do_change_comment(struct passwd *pw)
1412 fprintf(f, " %s\n", new_comment); 1412 fprintf(f, " %s\n", new_comment);
1413 fclose(f); 1413 fclose(f);
1414 1414
1415 xfree(comment); 1415 free(comment);
1416 1416
1417 printf("The comment in your key file has been changed.\n"); 1417 printf("The comment in your key file has been changed.\n");
1418 exit(0); 1418 exit(0);
@@ -1529,7 +1529,7 @@ load_pkcs11_key(char *path)
1529 } 1529 }
1530 key_free(keys[i]); 1530 key_free(keys[i]);
1531 } 1531 }
1532 xfree(keys); 1532 free(keys);
1533 key_free(public); 1533 key_free(public);
1534 return private; 1534 return private;
1535#else 1535#else
@@ -1573,7 +1573,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1573 fatal("No PKCS#11 key matching %s found", ca_key_path); 1573 fatal("No PKCS#11 key matching %s found", ca_key_path);
1574 } else if ((ca = load_identity(tmp)) == NULL) 1574 } else if ((ca = load_identity(tmp)) == NULL)
1575 fatal("Couldn't load CA key \"%s\"", tmp); 1575 fatal("Couldn't load CA key \"%s\"", tmp);
1576 xfree(tmp); 1576 free(tmp);
1577 1577
1578 for (i = 0; i < argc; i++) { 1578 for (i = 0; i < argc; i++) {
1579 /* Split list of principals */ 1579 /* Split list of principals */
@@ -1586,7 +1586,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1586 if (*(plist[n] = xstrdup(cp)) == '\0') 1586 if (*(plist[n] = xstrdup(cp)) == '\0')
1587 fatal("Empty principal name"); 1587 fatal("Empty principal name");
1588 } 1588 }
1589 xfree(otmp); 1589 free(otmp);
1590 } 1590 }
1591 1591
1592 tmp = tilde_expand_filename(argv[i], pw->pw_uid); 1592 tmp = tilde_expand_filename(argv[i], pw->pw_uid);
@@ -1624,7 +1624,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1624 if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) 1624 if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
1625 *cp = '\0'; 1625 *cp = '\0';
1626 xasprintf(&out, "%s-cert.pub", tmp); 1626 xasprintf(&out, "%s-cert.pub", tmp);
1627 xfree(tmp); 1627 free(tmp);
1628 1628
1629 if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) 1629 if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
1630 fatal("Could not open \"%s\" for writing: %s", out, 1630 fatal("Could not open \"%s\" for writing: %s", out,
@@ -1647,7 +1647,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1647 } 1647 }
1648 1648
1649 key_free(public); 1649 key_free(public);
1650 xfree(out); 1650 free(out);
1651 } 1651 }
1652 pkcs11_terminate(); 1652 pkcs11_terminate();
1653 exit(0); 1653 exit(0);
@@ -1744,7 +1744,7 @@ parse_cert_times(char *timespec)
1744 1744
1745 if (cert_valid_to <= cert_valid_from) 1745 if (cert_valid_to <= cert_valid_from)
1746 fatal("Empty certificate validity interval"); 1746 fatal("Empty certificate validity interval");
1747 xfree(from); 1747 free(from);
1748} 1748}
1749 1749
1750static void 1750static void
@@ -1797,7 +1797,8 @@ add_cert_option(char *opt)
1797static void 1797static void
1798show_options(const Buffer *optbuf, int v00, int in_critical) 1798show_options(const Buffer *optbuf, int v00, int in_critical)
1799{ 1799{
1800 u_char *name, *data; 1800 char *name;
1801 u_char *data;
1801 u_int dlen; 1802 u_int dlen;
1802 Buffer options, option; 1803 Buffer options, option;
1803 1804
@@ -1822,13 +1823,13 @@ show_options(const Buffer *optbuf, int v00, int in_critical)
1822 strcmp(name, "source-address") == 0)) { 1823 strcmp(name, "source-address") == 0)) {
1823 data = buffer_get_string(&option, NULL); 1824 data = buffer_get_string(&option, NULL);
1824 printf(" %s\n", data); 1825 printf(" %s\n", data);
1825 xfree(data); 1826 free(data);
1826 } else { 1827 } else {
1827 printf(" UNKNOWN OPTION (len %u)\n", 1828 printf(" UNKNOWN OPTION (len %u)\n",
1828 buffer_len(&option)); 1829 buffer_len(&option));
1829 buffer_clear(&option); 1830 buffer_clear(&option);
1830 } 1831 }
1831 xfree(name); 1832 free(name);
1832 if (buffer_len(&option) != 0) 1833 if (buffer_len(&option) != 0)
1833 fatal("Option corrupt: extra data at end"); 1834 fatal("Option corrupt: extra data at end");
1834 } 1835 }
@@ -2038,6 +2039,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
2038 } 2039 }
2039 if (strcmp(path, "-") != 0) 2040 if (strcmp(path, "-") != 0)
2040 fclose(krl_spec); 2041 fclose(krl_spec);
2042 free(path);
2041} 2043}
2042 2044
2043static void 2045static void
@@ -2063,7 +2065,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
2063 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); 2065 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
2064 if ((ca = key_load_public(tmp, NULL)) == NULL) 2066 if ((ca = key_load_public(tmp, NULL)) == NULL)
2065 fatal("Cannot load CA public key %s", tmp); 2067 fatal("Cannot load CA public key %s", tmp);
2066 xfree(tmp); 2068 free(tmp);
2067 } 2069 }
2068 2070
2069 if (updating) 2071 if (updating)
@@ -2090,6 +2092,8 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
2090 close(fd); 2092 close(fd);
2091 buffer_free(&kbuf); 2093 buffer_free(&kbuf);
2092 ssh_krl_free(krl); 2094 ssh_krl_free(krl);
2095 if (ca != NULL)
2096 key_free(ca);
2093} 2097}
2094 2098
2095static void 2099static void
@@ -2210,7 +2214,7 @@ main(int argc, char **argv)
2210 /* we need this for the home * directory. */ 2214 /* we need this for the home * directory. */
2211 pw = getpwuid(getuid()); 2215 pw = getpwuid(getuid());
2212 if (!pw) { 2216 if (!pw) {
2213 printf("You don't exist, go away!\n"); 2217 printf("No user exists for uid %lu\n", (u_long)getuid());
2214 exit(1); 2218 exit(1);
2215 } 2219 }
2216 if (gethostname(hostname, sizeof(hostname)) < 0) { 2220 if (gethostname(hostname, sizeof(hostname)) < 0) {
@@ -2599,14 +2603,14 @@ passphrase_again:
2599 */ 2603 */
2600 memset(passphrase1, 0, strlen(passphrase1)); 2604 memset(passphrase1, 0, strlen(passphrase1));
2601 memset(passphrase2, 0, strlen(passphrase2)); 2605 memset(passphrase2, 0, strlen(passphrase2));
2602 xfree(passphrase1); 2606 free(passphrase1);
2603 xfree(passphrase2); 2607 free(passphrase2);
2604 printf("Passphrases do not match. Try again.\n"); 2608 printf("Passphrases do not match. Try again.\n");
2605 goto passphrase_again; 2609 goto passphrase_again;
2606 } 2610 }
2607 /* Clear the other copy of the passphrase. */ 2611 /* Clear the other copy of the passphrase. */
2608 memset(passphrase2, 0, strlen(passphrase2)); 2612 memset(passphrase2, 0, strlen(passphrase2));
2609 xfree(passphrase2); 2613 free(passphrase2);
2610 } 2614 }
2611 2615
2612 if (identity_comment) { 2616 if (identity_comment) {
@@ -2620,12 +2624,12 @@ passphrase_again:
2620 if (!key_save_private(private, identity_file, passphrase1, comment)) { 2624 if (!key_save_private(private, identity_file, passphrase1, comment)) {
2621 printf("Saving the key failed: %s.\n", identity_file); 2625 printf("Saving the key failed: %s.\n", identity_file);
2622 memset(passphrase1, 0, strlen(passphrase1)); 2626 memset(passphrase1, 0, strlen(passphrase1));
2623 xfree(passphrase1); 2627 free(passphrase1);
2624 exit(1); 2628 exit(1);
2625 } 2629 }
2626 /* Clear the passphrase. */ 2630 /* Clear the passphrase. */
2627 memset(passphrase1, 0, strlen(passphrase1)); 2631 memset(passphrase1, 0, strlen(passphrase1));
2628 xfree(passphrase1); 2632 free(passphrase1);
2629 2633
2630 /* Clear the private key and the random number generator. */ 2634 /* Clear the private key and the random number generator. */
2631 key_free(private); 2635 key_free(private);
@@ -2660,8 +2664,8 @@ passphrase_again:
2660 printf("%s %s\n", fp, comment); 2664 printf("%s %s\n", fp, comment);
2661 printf("The key's randomart image is:\n"); 2665 printf("The key's randomart image is:\n");
2662 printf("%s\n", ra); 2666 printf("%s\n", ra);
2663 xfree(ra); 2667 free(ra);
2664 xfree(fp); 2668 free(fp);
2665 } 2669 }
2666 2670
2667 key_free(public); 2671 key_free(public);
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 559c5a1f4..3ea99c320 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -106,4 +106,4 @@ BUGS
106 This is because it opens a connection to the ssh port, reads the public 106 This is because it opens a connection to the ssh port, reads the public
107 key, and drops the connection as soon as it gets the key. 107 key, and drops the connection as soon as it gets the key.
108 108
109OpenBSD 5.3 April 11, 2012 OpenBSD 5.3 109OpenBSD 5.4 July 16, 2013 OpenBSD 5.4
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index f2b0fc8fa..c35ea05e0 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.30 2012/04/11 13:34:17 djm Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.31 2013/07/16 00:07:52 schwarze Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
@@ -6,7 +6,7 @@
6.\" permitted provided that due credit is given to the author and the 6.\" permitted provided that due credit is given to the author and the
7.\" OpenBSD project by leaving this copyright notice intact. 7.\" OpenBSD project by leaving this copyright notice intact.
8.\" 8.\"
9.Dd $Mdocdate: April 11 2012 $ 9.Dd $Mdocdate: July 16 2013 $
10.Dt SSH-KEYSCAN 1 10.Dt SSH-KEYSCAN 1
11.Os 11.Os
12.Sh NAME 12.Sh NAME
@@ -164,9 +164,9 @@ $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
164.Xr sshd 8 164.Xr sshd 8
165.Sh AUTHORS 165.Sh AUTHORS
166.An -nosplit 166.An -nosplit
167.An David Mazieres Aq dm@lcs.mit.edu 167.An David Mazieres Aq Mt dm@lcs.mit.edu
168wrote the initial version, and 168wrote the initial version, and
169.An Wayne Davison Aq wayned@users.sourceforge.net 169.An Wayne Davison Aq Mt wayned@users.sourceforge.net
170added support for protocol version 2. 170added support for protocol version 2.
171.Sh BUGS 171.Sh BUGS
172It generates "Connection closed by remote host" messages on the consoles 172It generates "Connection closed by remote host" messages on the consoles
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index c9de130f4..8b807c10a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keyscan.c,v 1.86 2012/04/11 13:34:17 djm Exp $ */ 1/* $OpenBSD: ssh-keyscan.c,v 1.87 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4 * 4 *
@@ -263,7 +263,7 @@ keygrab_ssh2(con *c)
263 exit(1); 263 exit(1);
264 } 264 }
265 nonfatal_fatal = 0; 265 nonfatal_fatal = 0;
266 xfree(c->c_kex); 266 free(c->c_kex);
267 c->c_kex = NULL; 267 c->c_kex = NULL;
268 packet_close(); 268 packet_close();
269 269
@@ -329,7 +329,7 @@ conalloc(char *iname, char *oname, int keytype)
329 do { 329 do {
330 name = xstrsep(&namelist, ","); 330 name = xstrsep(&namelist, ",");
331 if (!name) { 331 if (!name) {
332 xfree(namebase); 332 free(namebase);
333 return (-1); 333 return (-1);
334 } 334 }
335 } while ((s = tcpconnect(name)) < 0); 335 } while ((s = tcpconnect(name)) < 0);
@@ -363,10 +363,10 @@ confree(int s)
363 if (s >= maxfd || fdcon[s].c_status == CS_UNUSED) 363 if (s >= maxfd || fdcon[s].c_status == CS_UNUSED)
364 fatal("confree: attempt to free bad fdno %d", s); 364 fatal("confree: attempt to free bad fdno %d", s);
365 close(s); 365 close(s);
366 xfree(fdcon[s].c_namebase); 366 free(fdcon[s].c_namebase);
367 xfree(fdcon[s].c_output_name); 367 free(fdcon[s].c_output_name);
368 if (fdcon[s].c_status == CS_KEYS) 368 if (fdcon[s].c_status == CS_KEYS)
369 xfree(fdcon[s].c_data); 369 free(fdcon[s].c_data);
370 fdcon[s].c_status = CS_UNUSED; 370 fdcon[s].c_status = CS_UNUSED;
371 fdcon[s].c_keytype = 0; 371 fdcon[s].c_keytype = 0;
372 TAILQ_REMOVE(&tq, &fdcon[s], c_link); 372 TAILQ_REMOVE(&tq, &fdcon[s], c_link);
@@ -553,8 +553,8 @@ conloop(void)
553 } else if (FD_ISSET(i, r)) 553 } else if (FD_ISSET(i, r))
554 conread(i); 554 conread(i);
555 } 555 }
556 xfree(r); 556 free(r);
557 xfree(e); 557 free(e);
558 558
559 c = TAILQ_FIRST(&tq); 559 c = TAILQ_FIRST(&tq);
560 while (c && (c->c_tv.tv_sec < now.tv_sec || 560 while (c && (c->c_tv.tv_sec < now.tv_sec ||
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index a2e9eec2b..808828a07 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -48,4 +48,4 @@ HISTORY
48AUTHORS 48AUTHORS
49 Markus Friedl <markus@openbsd.org> 49 Markus Friedl <markus@openbsd.org>
50 50
51OpenBSD 5.3 August 31, 2010 OpenBSD 5.3 51OpenBSD 5.4 July 16, 2013 OpenBSD 5.4
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 5e09e0271..5e0b2d232 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keysign.8,v 1.12 2010/08/31 11:54:45 djm Exp $ 1.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $
2.\" 2.\"
3.\" Copyright (c) 2002 Markus Friedl. All rights reserved. 3.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: August 31 2010 $ 25.Dd $Mdocdate: July 16 2013 $
26.Dt SSH-KEYSIGN 8 26.Dt SSH-KEYSIGN 8
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -88,4 +88,4 @@ information corresponding with the private keys above.
88first appeared in 88first appeared in
89.Ox 3.2 . 89.Ox 3.2 .
90.Sh AUTHORS 90.Sh AUTHORS
91.An Markus Friedl Aq markus@openbsd.org 91.An Markus Friedl Aq Mt markus@openbsd.org
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 1deb7e141..9a6653c7c 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keysign.c,v 1.36 2011/02/16 00:31:14 djm Exp $ */ 1/* $OpenBSD: ssh-keysign.c,v 1.37 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2002 Markus Friedl. All rights reserved. 3 * Copyright (c) 2002 Markus Friedl. All rights reserved.
4 * 4 *
@@ -78,7 +78,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
78 p = buffer_get_string(&b, &len); 78 p = buffer_get_string(&b, &len);
79 if (len != 20 && len != 32) 79 if (len != 20 && len != 32)
80 fail++; 80 fail++;
81 xfree(p); 81 free(p);
82 82
83 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 83 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
84 fail++; 84 fail++;
@@ -90,13 +90,13 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
90 p = buffer_get_string(&b, NULL); 90 p = buffer_get_string(&b, NULL);
91 if (strcmp("ssh-connection", p) != 0) 91 if (strcmp("ssh-connection", p) != 0)
92 fail++; 92 fail++;
93 xfree(p); 93 free(p);
94 94
95 /* method */ 95 /* method */
96 p = buffer_get_string(&b, NULL); 96 p = buffer_get_string(&b, NULL);
97 if (strcmp("hostbased", p) != 0) 97 if (strcmp("hostbased", p) != 0)
98 fail++; 98 fail++;
99 xfree(p); 99 free(p);
100 100
101 /* pubkey */ 101 /* pubkey */
102 pkalg = buffer_get_string(&b, NULL); 102 pkalg = buffer_get_string(&b, NULL);
@@ -109,8 +109,8 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
109 fail++; 109 fail++;
110 else if (key->type != pktype) 110 else if (key->type != pktype)
111 fail++; 111 fail++;
112 xfree(pkalg); 112 free(pkalg);
113 xfree(pkblob); 113 free(pkblob);
114 114
115 /* client host name, handle trailing dot */ 115 /* client host name, handle trailing dot */
116 p = buffer_get_string(&b, &len); 116 p = buffer_get_string(&b, &len);
@@ -121,14 +121,14 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
121 fail++; 121 fail++;
122 else if (strncasecmp(host, p, len - 1) != 0) 122 else if (strncasecmp(host, p, len - 1) != 0)
123 fail++; 123 fail++;
124 xfree(p); 124 free(p);
125 125
126 /* local user */ 126 /* local user */
127 p = buffer_get_string(&b, NULL); 127 p = buffer_get_string(&b, NULL);
128 128
129 if (strcmp(pw->pw_name, p) != 0) 129 if (strcmp(pw->pw_name, p) != 0)
130 fail++; 130 fail++;
131 xfree(p); 131 free(p);
132 132
133 /* end of message */ 133 /* end of message */
134 if (buffer_len(&b) != 0) 134 if (buffer_len(&b) != 0)
@@ -233,7 +233,7 @@ main(int argc, char **argv)
233 data = buffer_get_string(&b, &dlen); 233 data = buffer_get_string(&b, &dlen);
234 if (valid_request(pw, host, &key, data, dlen) < 0) 234 if (valid_request(pw, host, &key, data, dlen) < 0)
235 fatal("not a valid request"); 235 fatal("not a valid request");
236 xfree(host); 236 free(host);
237 237
238 found = 0; 238 found = 0;
239 for (i = 0; i < NUM_KEYTYPES; i++) { 239 for (i = 0; i < NUM_KEYTYPES; i++) {
@@ -248,7 +248,7 @@ main(int argc, char **argv)
248 248
249 if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) 249 if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
250 fatal("key_sign failed"); 250 fatal("key_sign failed");
251 xfree(data); 251 free(data);
252 252
253 /* send reply */ 253 /* send reply */
254 buffer_clear(&b); 254 buffer_clear(&b);
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
index 82b11daf5..6c9f9d2c1 100644
--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */ 1/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Markus Friedl. All rights reserved. 3 * Copyright (c) 2010 Markus Friedl. All rights reserved.
4 * 4 *
@@ -121,7 +121,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
121 buffer_put_string(&msg, blob, blen); 121 buffer_put_string(&msg, blob, blen);
122 buffer_put_string(&msg, from, flen); 122 buffer_put_string(&msg, from, flen);
123 buffer_put_int(&msg, 0); 123 buffer_put_int(&msg, 0);
124 xfree(blob); 124 free(blob);
125 send_msg(&msg); 125 send_msg(&msg);
126 buffer_clear(&msg); 126 buffer_clear(&msg);
127 127
@@ -131,7 +131,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
131 memcpy(to, signature, slen); 131 memcpy(to, signature, slen);
132 ret = slen; 132 ret = slen;
133 } 133 }
134 xfree(signature); 134 free(signature);
135 } 135 }
136 buffer_free(&msg); 136 buffer_free(&msg);
137 return (ret); 137 return (ret);
@@ -205,11 +205,11 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp)
205 *keysp = xcalloc(nkeys, sizeof(Key *)); 205 *keysp = xcalloc(nkeys, sizeof(Key *));
206 for (i = 0; i < nkeys; i++) { 206 for (i = 0; i < nkeys; i++) {
207 blob = buffer_get_string(&msg, &blen); 207 blob = buffer_get_string(&msg, &blen);
208 xfree(buffer_get_string(&msg, NULL)); 208 free(buffer_get_string(&msg, NULL));
209 k = key_from_blob(blob, blen); 209 k = key_from_blob(blob, blen);
210 wrap_key(k->rsa); 210 wrap_key(k->rsa);
211 (*keysp)[i] = k; 211 (*keysp)[i] = k;
212 xfree(blob); 212 free(blob);
213 } 213 }
214 } else { 214 } else {
215 nkeys = -1; 215 nkeys = -1;
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index dcfaa222a..d9ea34248 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
22AUTHORS 22AUTHORS
23 Markus Friedl <markus@openbsd.org> 23 Markus Friedl <markus@openbsd.org>
24 24
25OpenBSD 5.3 February 10, 2010 OpenBSD 5.3 25OpenBSD 5.4 July 16, 2013 OpenBSD 5.4
diff --git a/ssh-pkcs11-helper.8 b/ssh-pkcs11-helper.8
index 9bdaadc01..3728c4e4e 100644
--- a/ssh-pkcs11-helper.8
+++ b/ssh-pkcs11-helper.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.3 2010/02/10 23:20:38 markus Exp $ 1.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.4 2013/07/16 00:07:52 schwarze Exp $
2.\" 2.\"
3.\" Copyright (c) 2010 Markus Friedl. All rights reserved. 3.\" Copyright (c) 2010 Markus Friedl. All rights reserved.
4.\" 4.\"
@@ -14,7 +14,7 @@
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\" 16.\"
17.Dd $Mdocdate: February 10 2010 $ 17.Dd $Mdocdate: July 16 2013 $
18.Dt SSH-PKCS11-HELPER 8 18.Dt SSH-PKCS11-HELPER 8
19.Os 19.Os
20.Sh NAME 20.Sh NAME
@@ -40,4 +40,4 @@ is not intended to be invoked by the user, but from
40first appeared in 40first appeared in
41.Ox 4.7 . 41.Ox 4.7 .
42.Sh AUTHORS 42.Sh AUTHORS
43.An Markus Friedl Aq markus@openbsd.org 43.An Markus Friedl Aq Mt markus@openbsd.org
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index fcb5defc0..39b2e7c56 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-pkcs11-helper.c,v 1.4 2012/07/02 12:13:26 dtucker Exp $ */ 1/* $OpenBSD: ssh-pkcs11-helper.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Markus Friedl. All rights reserved. 3 * Copyright (c) 2010 Markus Friedl. All rights reserved.
4 * 4 *
@@ -79,7 +79,7 @@ del_keys_by_name(char *name)
79 nxt = TAILQ_NEXT(ki, next); 79 nxt = TAILQ_NEXT(ki, next);
80 if (!strcmp(ki->providername, name)) { 80 if (!strcmp(ki->providername, name)) {
81 TAILQ_REMOVE(&pkcs11_keylist, ki, next); 81 TAILQ_REMOVE(&pkcs11_keylist, ki, next);
82 xfree(ki->providername); 82 free(ki->providername);
83 key_free(ki->key); 83 key_free(ki->key);
84 free(ki); 84 free(ki);
85 } 85 }
@@ -130,15 +130,15 @@ process_add(void)
130 key_to_blob(keys[i], &blob, &blen); 130 key_to_blob(keys[i], &blob, &blen);
131 buffer_put_string(&msg, blob, blen); 131 buffer_put_string(&msg, blob, blen);
132 buffer_put_cstring(&msg, name); 132 buffer_put_cstring(&msg, name);
133 xfree(blob); 133 free(blob);
134 add_key(keys[i], name); 134 add_key(keys[i], name);
135 } 135 }
136 xfree(keys); 136 free(keys);
137 } else { 137 } else {
138 buffer_put_char(&msg, SSH_AGENT_FAILURE); 138 buffer_put_char(&msg, SSH_AGENT_FAILURE);
139 } 139 }
140 xfree(pin); 140 free(pin);
141 xfree(name); 141 free(name);
142 send_msg(&msg); 142 send_msg(&msg);
143 buffer_free(&msg); 143 buffer_free(&msg);
144} 144}
@@ -157,8 +157,8 @@ process_del(void)
157 buffer_put_char(&msg, SSH_AGENT_SUCCESS); 157 buffer_put_char(&msg, SSH_AGENT_SUCCESS);
158 else 158 else
159 buffer_put_char(&msg, SSH_AGENT_FAILURE); 159 buffer_put_char(&msg, SSH_AGENT_FAILURE);
160 xfree(pin); 160 free(pin);
161 xfree(name); 161 free(name);
162 send_msg(&msg); 162 send_msg(&msg);
163 buffer_free(&msg); 163 buffer_free(&msg);
164} 164}
@@ -195,10 +195,9 @@ process_sign(void)
195 } else { 195 } else {
196 buffer_put_char(&msg, SSH_AGENT_FAILURE); 196 buffer_put_char(&msg, SSH_AGENT_FAILURE);
197 } 197 }
198 xfree(data); 198 free(data);
199 xfree(blob); 199 free(blob);
200 if (signature != NULL) 200 free(signature);
201 xfree(signature);
202 send_msg(&msg); 201 send_msg(&msg);
203 buffer_free(&msg); 202 buffer_free(&msg);
204} 203}
@@ -274,7 +273,6 @@ main(int argc, char **argv)
274 LogLevel log_level = SYSLOG_LEVEL_ERROR; 273 LogLevel log_level = SYSLOG_LEVEL_ERROR;
275 char buf[4*4096]; 274 char buf[4*4096];
276 275
277 extern char *optarg;
278 extern char *__progname; 276 extern char *__progname;
279 277
280 TAILQ_INIT(&pkcs11_keylist); 278 TAILQ_INIT(&pkcs11_keylist);
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 1f4c1c8e4..618c07526 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */ 1/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Markus Friedl. All rights reserved. 3 * Copyright (c) 2010 Markus Friedl. All rights reserved.
4 * 4 *
@@ -120,9 +120,9 @@ pkcs11_provider_unref(struct pkcs11_provider *p)
120 if (--p->refcount <= 0) { 120 if (--p->refcount <= 0) {
121 if (p->valid) 121 if (p->valid)
122 error("pkcs11_provider_unref: %p still valid", p); 122 error("pkcs11_provider_unref: %p still valid", p);
123 xfree(p->slotlist); 123 free(p->slotlist);
124 xfree(p->slotinfo); 124 free(p->slotinfo);
125 xfree(p); 125 free(p);
126 } 126 }
127} 127}
128 128
@@ -180,9 +180,8 @@ pkcs11_rsa_finish(RSA *rsa)
180 rv = k11->orig_finish(rsa); 180 rv = k11->orig_finish(rsa);
181 if (k11->provider) 181 if (k11->provider)
182 pkcs11_provider_unref(k11->provider); 182 pkcs11_provider_unref(k11->provider);
183 if (k11->keyid) 183 free(k11->keyid);
184 xfree(k11->keyid); 184 free(k11);
185 xfree(k11);
186 } 185 }
187 return (rv); 186 return (rv);
188} 187}
@@ -264,13 +263,13 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
264 pin = read_passphrase(prompt, RP_ALLOW_EOF); 263 pin = read_passphrase(prompt, RP_ALLOW_EOF);
265 if (pin == NULL) 264 if (pin == NULL)
266 return (-1); /* bail out */ 265 return (-1); /* bail out */
267 if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) 266 if ((rv = f->C_Login(si->session, CKU_USER,
268 != CKR_OK) { 267 (u_char *)pin, strlen(pin))) != CKR_OK) {
269 xfree(pin); 268 free(pin);
270 error("C_Login failed: %lu", rv); 269 error("C_Login failed: %lu", rv);
271 return (-1); 270 return (-1);
272 } 271 }
273 xfree(pin); 272 free(pin);
274 si->logged_in = 1; 273 si->logged_in = 1;
275 } 274 }
276 key_filter[1].pValue = k11->keyid; 275 key_filter[1].pValue = k11->keyid;
@@ -329,7 +328,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
329 328
330/* remove trailing spaces */ 329/* remove trailing spaces */
331static void 330static void
332rmspace(char *buf, size_t len) 331rmspace(u_char *buf, size_t len)
333{ 332{
334 size_t i; 333 size_t i;
335 334
@@ -367,8 +366,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
367 return (-1); 366 return (-1);
368 } 367 }
369 if (login_required && pin) { 368 if (login_required && pin) {
370 if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin))) 369 if ((rv = f->C_Login(session, CKU_USER,
371 != CKR_OK) { 370 (u_char *)pin, strlen(pin))) != CKR_OK) {
372 error("C_Login failed: %lu", rv); 371 error("C_Login failed: %lu", rv);
373 if ((rv = f->C_CloseSession(session)) != CKR_OK) 372 if ((rv = f->C_CloseSession(session)) != CKR_OK)
374 error("C_CloseSession failed: %lu", rv); 373 error("C_CloseSession failed: %lu", rv);
@@ -470,7 +469,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
470 } 469 }
471 } 470 }
472 for (i = 0; i < 3; i++) 471 for (i = 0; i < 3; i++)
473 xfree(attribs[i].pValue); 472 free(attribs[i].pValue);
474 } 473 }
475 if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK) 474 if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
476 error("C_FindObjectsFinal failed: %lu", rv); 475 error("C_FindObjectsFinal failed: %lu", rv);
@@ -579,11 +578,9 @@ fail:
579 if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK) 578 if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)
580 error("C_Finalize failed: %lu", rv); 579 error("C_Finalize failed: %lu", rv);
581 if (p) { 580 if (p) {
582 if (p->slotlist) 581 free(p->slotlist);
583 xfree(p->slotlist); 582 free(p->slotinfo);
584 if (p->slotinfo) 583 free(p);
585 xfree(p->slotinfo);
586 xfree(p);
587 } 584 }
588 if (handle) 585 if (handle)
589 dlclose(handle); 586 dlclose(handle);
diff --git a/ssh-rsa.c b/ssh-rsa.c
index c6355fa09..30f96abc2 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */ 1/* $OpenBSD: ssh-rsa.c,v 1.46 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org> 3 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
4 * 4 *
@@ -72,7 +72,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
72 72
73 error("ssh_rsa_sign: RSA_sign failed: %s", 73 error("ssh_rsa_sign: RSA_sign failed: %s",
74 ERR_error_string(ecode, NULL)); 74 ERR_error_string(ecode, NULL));
75 xfree(sig); 75 free(sig);
76 return -1; 76 return -1;
77 } 77 }
78 if (len < slen) { 78 if (len < slen) {
@@ -82,7 +82,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
82 memset(sig, 0, diff); 82 memset(sig, 0, diff);
83 } else if (len > slen) { 83 } else if (len > slen) {
84 error("ssh_rsa_sign: slen %u slen2 %u", slen, len); 84 error("ssh_rsa_sign: slen %u slen2 %u", slen, len);
85 xfree(sig); 85 free(sig);
86 return -1; 86 return -1;
87 } 87 }
88 /* encode signature */ 88 /* encode signature */
@@ -98,7 +98,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
98 } 98 }
99 buffer_free(&b); 99 buffer_free(&b);
100 memset(sig, 's', slen); 100 memset(sig, 's', slen);
101 xfree(sig); 101 free(sig);
102 102
103 return 0; 103 return 0;
104} 104}
@@ -131,23 +131,23 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
131 if (strcmp("ssh-rsa", ktype) != 0) { 131 if (strcmp("ssh-rsa", ktype) != 0) {
132 error("ssh_rsa_verify: cannot handle type %s", ktype); 132 error("ssh_rsa_verify: cannot handle type %s", ktype);
133 buffer_free(&b); 133 buffer_free(&b);
134 xfree(ktype); 134 free(ktype);
135 return -1; 135 return -1;
136 } 136 }
137 xfree(ktype); 137 free(ktype);
138 sigblob = buffer_get_string(&b, &len); 138 sigblob = buffer_get_string(&b, &len);
139 rlen = buffer_len(&b); 139 rlen = buffer_len(&b);
140 buffer_free(&b); 140 buffer_free(&b);
141 if (rlen != 0) { 141 if (rlen != 0) {
142 error("ssh_rsa_verify: remaining bytes in signature %d", rlen); 142 error("ssh_rsa_verify: remaining bytes in signature %d", rlen);
143 xfree(sigblob); 143 free(sigblob);
144 return -1; 144 return -1;
145 } 145 }
146 /* RSA_verify expects a signature of RSA_size */ 146 /* RSA_verify expects a signature of RSA_size */
147 modlen = RSA_size(key->rsa); 147 modlen = RSA_size(key->rsa);
148 if (len > modlen) { 148 if (len > modlen) {
149 error("ssh_rsa_verify: len %u > modlen %u", len, modlen); 149 error("ssh_rsa_verify: len %u > modlen %u", len, modlen);
150 xfree(sigblob); 150 free(sigblob);
151 return -1; 151 return -1;
152 } else if (len < modlen) { 152 } else if (len < modlen) {
153 u_int diff = modlen - len; 153 u_int diff = modlen - len;
@@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
161 nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; 161 nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
162 if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { 162 if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
163 error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); 163 error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
164 xfree(sigblob); 164 free(sigblob);
165 return -1; 165 return -1;
166 } 166 }
167 EVP_DigestInit(&md, evp_md); 167 EVP_DigestInit(&md, evp_md);
@@ -171,7 +171,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
171 ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); 171 ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
172 memset(digest, 'd', sizeof(digest)); 172 memset(digest, 'd', sizeof(digest));
173 memset(sigblob, 's', len); 173 memset(sigblob, 's', len);
174 xfree(sigblob); 174 free(sigblob);
175 debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); 175 debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
176 return ret; 176 return ret;
177} 177}
@@ -262,7 +262,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
262 } 262 }
263 ret = 1; 263 ret = 1;
264done: 264done:
265 if (decrypted) 265 free(decrypted);
266 xfree(decrypted);
267 return ret; 266 return ret;
268} 267}
diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
index f8125e0bb..ca1a5be74 100644
--- a/ssh-vulnkey.c
+++ b/ssh-vulnkey.c
@@ -94,7 +94,7 @@ describe_key(const char *filename, u_long linenum, const char *msg,
94 printf(":%lu: %s: %s %u %s %s\n", linenum, msg, 94 printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
95 key_type(key), key_size(key), fp, comment); 95 key_type(key), key_size(key), fp, comment);
96 } 96 }
97 xfree(fp); 97 free(fp);
98} 98}
99 99
100static int 100static int
@@ -247,8 +247,7 @@ do_filename(const char *filename, int quiet_open)
247 ret = 0; 247 ret = 0;
248 found = 1; 248 found = 1;
249 } 249 }
250 if (comment) 250 free(comment);
251 xfree(comment);
252 } 251 }
253 252
254 return ret; 253 return ret;
@@ -282,12 +281,12 @@ do_user(const char *dir)
282 for (i = 0; default_files[i]; i++) { 281 for (i = 0; default_files[i]; i++) {
283 xasprintf(&file, "%s/%s", dir, default_files[i]); 282 xasprintf(&file, "%s/%s", dir, default_files[i]);
284 if (stat(file, &st) < 0 && errno == ENOENT) { 283 if (stat(file, &st) < 0 && errno == ENOENT) {
285 xfree(file); 284 free(file);
286 continue; 285 continue;
287 } 286 }
288 if (!do_filename(file, 0)) 287 if (!do_filename(file, 0))
289 ret = 0; 288 ret = 0;
290 xfree(file); 289 free(file);
291 } 290 }
292 291
293 return ret; 292 return ret;
diff --git a/ssh.0 b/ssh.0
index f6b642bc8..adc1ee421 100644
--- a/ssh.0
+++ b/ssh.0
@@ -5,11 +5,13 @@ NAME
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] 7 ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
8 [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] 8 [-D [bind_address:]port] [-E log_file] [-e escape_char]
9 [-i identity_file] [-L [bind_address:]port:host:hostport] 9 [-F configfile] [-I pkcs11] [-i identity_file]
10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] 10 [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
11 [-O ctl_cmd] [-o option] [-p port]
11 [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] 12 [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
12 [-w local_tun[:remote_tun]] [user@]hostname [command] 13 [-w local_tun[:remote_tun]] [user@]hostname [command]
14 ssh -Q protocol_feature
13 15
14DESCRIPTION 16DESCRIPTION
15 ssh (SSH client) is a program for logging into a remote machine and for 17 ssh (SSH client) is a program for logging into a remote machine and for
@@ -102,6 +104,9 @@ DESCRIPTION
102 be bound for local use only, while an empty address or `*' 104 be bound for local use only, while an empty address or `*'
103 indicates that the port should be available from all interfaces. 105 indicates that the port should be available from all interfaces.
104 106
107 -E log_file
108 Append debug logs to log_file instead of standard error.
109
105 -e escape_char 110 -e escape_char
106 Sets the escape character for sessions with a pty (default: `~'). 111 Sets the escape character for sessions with a pty (default: `~').
107 The escape character is only recognized at the beginning of a 112 The escape character is only recognized at the beginning of a
@@ -289,6 +294,14 @@ DESCRIPTION
289 Port to connect to on the remote host. This can be specified on 294 Port to connect to on the remote host. This can be specified on
290 a per-host basis in the configuration file. 295 a per-host basis in the configuration file.
291 296
297 -Q protocol_feature
298 Queries ssh for the algorithms supported for the specified
299 version 2 protocol_feature. The queriable features are:
300 ``cipher'' (supported symmetric ciphers), ``MAC'' (supported
301 message integrity codes), ``KEX'' (key exchange algorithms),
302 ``key'' (key types). Protocol features are treated case-
303 insensitively.
304
292 -q Quiet mode. Causes most warning and diagnostic messages to be 305 -q Quiet mode. Causes most warning and diagnostic messages to be
293 suppressed. 306 suppressed.
294 307
@@ -788,7 +801,7 @@ FILES
788 This is the per-user configuration file. The file format and 801 This is the per-user configuration file. The file format and
789 configuration options are described in ssh_config(5). Because of 802 configuration options are described in ssh_config(5). Because of
790 the potential for abuse, this file must have strict permissions: 803 the potential for abuse, this file must have strict permissions:
791 read/write for the user, and not accessible by others. 804 read/write for the user, and not writable by others.
792 805
793 ~/.ssh/environment 806 ~/.ssh/environment
794 Contains additional definitions for environment variables; see 807 Contains additional definitions for environment variables; see
@@ -919,4 +932,4 @@ AUTHORS
919 created OpenSSH. Markus Friedl contributed the support for SSH protocol 932 created OpenSSH. Markus Friedl contributed the support for SSH protocol
920 versions 1.5 and 2.0. 933 versions 1.5 and 2.0.
921 934
922OpenBSD 5.3 October 4, 2012 OpenBSD 5.3 935OpenBSD 5.4 July 18, 2013 OpenBSD 5.4
diff --git a/ssh.1 b/ssh.1
index 5ac75e992..c0cc12f43 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ 36.\" $OpenBSD: ssh.1,v 1.334 2013/07/18 01:12:26 djm Exp $
37.Dd $Mdocdate: October 4 2012 $ 37.Dd $Mdocdate: July 18 2013 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -47,6 +47,7 @@
47.Op Fl b Ar bind_address 47.Op Fl b Ar bind_address
48.Op Fl c Ar cipher_spec 48.Op Fl c Ar cipher_spec
49.Op Fl D Oo Ar bind_address : Oc Ns Ar port 49.Op Fl D Oo Ar bind_address : Oc Ns Ar port
50.Op Fl E Ar log_file
50.Op Fl e Ar escape_char 51.Op Fl e Ar escape_char
51.Op Fl F Ar configfile 52.Op Fl F Ar configfile
52.Op Fl I Ar pkcs11 53.Op Fl I Ar pkcs11
@@ -64,6 +65,8 @@
64.Oo Ar user Ns @ Oc Ns Ar hostname 65.Oo Ar user Ns @ Oc Ns Ar hostname
65.Op Ar command 66.Op Ar command
66.Ek 67.Ek
68.Nm
69.Fl Q Ar protocol_feature
67.Sh DESCRIPTION 70.Sh DESCRIPTION
68.Nm 71.Nm
69(SSH client) is a program for logging into a remote machine and for 72(SSH client) is a program for logging into a remote machine and for
@@ -217,6 +220,10 @@ indicates that the listening port be bound for local use only, while an
217empty address or 220empty address or
218.Sq * 221.Sq *
219indicates that the port should be available from all interfaces. 222indicates that the port should be available from all interfaces.
223.It Fl E Ar log_file
224Append debug logs to
225.Ar log_file
226instead of standard error.
220.It Fl e Ar escape_char 227.It Fl e Ar escape_char
221Sets the escape character for sessions with a pty (default: 228Sets the escape character for sessions with a pty (default:
222.Ql ~ ) . 229.Ql ~ ) .
@@ -482,6 +489,21 @@ For full details of the options listed below, and their possible values, see
482Port to connect to on the remote host. 489Port to connect to on the remote host.
483This can be specified on a 490This can be specified on a
484per-host basis in the configuration file. 491per-host basis in the configuration file.
492.It Fl Q Ar protocol_feature
493Queries
494.Nm
495for the algorithms supported for the specified version 2
496.Ar protocol_feature .
497The queriable features are:
498.Dq cipher
499(supported symmetric ciphers),
500.Dq MAC
501(supported message integrity codes),
502.Dq KEX
503(key exchange algorithms),
504.Dq key
505(key types).
506Protocol features are treated case-insensitively.
485.It Fl q 507.It Fl q
486Quiet mode. 508Quiet mode.
487Causes most warning and diagnostic messages to be suppressed. 509Causes most warning and diagnostic messages to be suppressed.
@@ -732,9 +754,7 @@ implements public key authentication protocol automatically,
732using one of the DSA, ECDSA or RSA algorithms. 754using one of the DSA, ECDSA or RSA algorithms.
733Protocol 1 is restricted to using only RSA keys, 755Protocol 1 is restricted to using only RSA keys,
734but protocol 2 may use any. 756but protocol 2 may use any.
735The 757The HISTORY section of
736.Sx HISTORY
737section of
738.Xr ssl 8 758.Xr ssl 8
739(on non-OpenBSD systems, see 759(on non-OpenBSD systems, see
740.nh 760.nh
@@ -794,9 +814,7 @@ instead of a set of public/private keys,
794signed certificates are used. 814signed certificates are used.
795This has the advantage that a single trusted certification authority 815This has the advantage that a single trusted certification authority
796can be used in place of many public/private keys. 816can be used in place of many public/private keys.
797See the 817See the CERTIFICATES section of
798.Sx CERTIFICATES
799section of
800.Xr ssh-keygen 1 818.Xr ssh-keygen 1
801for more information. 819for more information.
802.Pp 820.Pp
@@ -1323,7 +1341,7 @@ This is the per-user configuration file.
1323The file format and configuration options are described in 1341The file format and configuration options are described in
1324.Xr ssh_config 5 . 1342.Xr ssh_config 5 .
1325Because of the potential for abuse, this file must have strict permissions: 1343Because of the potential for abuse, this file must have strict permissions:
1326read/write for the user, and not accessible by others. 1344read/write for the user, and not writable by others.
1327It may be group-writable provided that the group in question contains only 1345It may be group-writable provided that the group in question contains only
1328the user. 1346the user.
1329.Pp 1347.Pp
diff --git a/ssh.c b/ssh.c
index 19732cb4d..219a46677 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */ 1/* $OpenBSD: ssh.c,v 1.381 2013/07/25 00:29:10 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,9 +197,9 @@ usage(void)
197{ 197{
198 fprintf(stderr, 198 fprintf(stderr,
199"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" 199"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
200" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" 200" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
201" [-I pkcs11] [-i identity_file]\n" 201" [-F configfile] [-I pkcs11] [-i identity_file]\n"
202" [-L [bind_address:]port:host:hostport]\n" 202" [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n"
203" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" 203" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
204" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" 204" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
205" [-W host:port] [-w local_tun[:remote_tun]]\n" 205" [-W host:port] [-w local_tun[:remote_tun]]\n"
@@ -226,7 +226,7 @@ tilde_expand_paths(char **paths, u_int num_paths)
226 226
227 for (i = 0; i < num_paths; i++) { 227 for (i = 0; i < num_paths; i++) {
228 cp = tilde_expand_filename(paths[i], original_real_uid); 228 cp = tilde_expand_filename(paths[i], original_real_uid);
229 xfree(paths[i]); 229 free(paths[i]);
230 paths[i] = cp; 230 paths[i] = cp;
231 } 231 }
232} 232}
@@ -238,7 +238,7 @@ int
238main(int ac, char **av) 238main(int ac, char **av)
239{ 239{
240 int i, r, opt, exit_status, use_syslog; 240 int i, r, opt, exit_status, use_syslog;
241 char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; 241 char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile;
242 char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; 242 char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
243 struct stat st; 243 struct stat st;
244 struct passwd *pw; 244 struct passwd *pw;
@@ -299,7 +299,7 @@ main(int ac, char **av)
299 /* Get user data. */ 299 /* Get user data. */
300 pw = getpwuid(original_real_uid); 300 pw = getpwuid(original_real_uid);
301 if (!pw) { 301 if (!pw) {
302 logit("You don't exist, go away!"); 302 logit("No user exists for uid %lu", (u_long)original_real_uid);
303 exit(255); 303 exit(255);
304 } 304 }
305 /* Take a copy of the returned structure. */ 305 /* Take a copy of the returned structure. */
@@ -322,11 +322,12 @@ main(int ac, char **av)
322 /* Parse command-line arguments. */ 322 /* Parse command-line arguments. */
323 host = NULL; 323 host = NULL;
324 use_syslog = 0; 324 use_syslog = 0;
325 logfile = NULL;
325 argv0 = av[0]; 326 argv0 = av[0];
326 327
327 again: 328 again:
328 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" 329 while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
329 "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { 330 "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
330 switch (opt) { 331 switch (opt) {
331 case '1': 332 case '1':
332 options.protocol = SSH_PROTO_1; 333 options.protocol = SSH_PROTO_1;
@@ -356,6 +357,9 @@ main(int ac, char **av)
356 case 'y': 357 case 'y':
357 use_syslog = 1; 358 use_syslog = 1;
358 break; 359 break;
360 case 'E':
361 logfile = xstrdup(optarg);
362 break;
359 case 'Y': 363 case 'Y':
360 options.forward_x11 = 1; 364 options.forward_x11 = 1;
361 options.forward_x11_trusted = 1; 365 options.forward_x11_trusted = 1;
@@ -385,6 +389,22 @@ main(int ac, char **av)
385 case 'P': /* deprecated */ 389 case 'P': /* deprecated */
386 options.use_privileged_port = 0; 390 options.use_privileged_port = 0;
387 break; 391 break;
392 case 'Q': /* deprecated */
393 cp = NULL;
394 if (strcasecmp(optarg, "cipher") == 0)
395 cp = cipher_alg_list();
396 else if (strcasecmp(optarg, "mac") == 0)
397 cp = mac_alg_list();
398 else if (strcasecmp(optarg, "kex") == 0)
399 cp = kex_alg_list();
400 else if (strcasecmp(optarg, "key") == 0)
401 cp = key_alg_list();
402 if (cp == NULL)
403 fatal("Unsupported query \"%s\"", optarg);
404 printf("%s\n", cp);
405 free(cp);
406 exit(0);
407 break;
388 case 'a': 408 case 'a':
389 options.forward_agent = 0; 409 options.forward_agent = 0;
390 break; 410 break;
@@ -427,9 +447,8 @@ main(int ac, char **av)
427 } else { 447 } else {
428 if (options.log_level < SYSLOG_LEVEL_DEBUG3) 448 if (options.log_level < SYSLOG_LEVEL_DEBUG3)
429 options.log_level++; 449 options.log_level++;
430 break;
431 } 450 }
432 /* FALLTHROUGH */ 451 break;
433 case 'V': 452 case 'V':
434 fprintf(stderr, "%s, %s\n", 453 fprintf(stderr, "%s, %s\n",
435 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); 454 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
@@ -454,7 +473,7 @@ main(int ac, char **av)
454 if (parse_forward(&fwd, optarg, 1, 0)) { 473 if (parse_forward(&fwd, optarg, 1, 0)) {
455 stdio_forward_host = fwd.listen_host; 474 stdio_forward_host = fwd.listen_host;
456 stdio_forward_port = fwd.listen_port; 475 stdio_forward_port = fwd.listen_port;
457 xfree(fwd.connect_host); 476 free(fwd.connect_host);
458 } else { 477 } else {
459 fprintf(stderr, 478 fprintf(stderr,
460 "Bad stdio forwarding specification '%s'\n", 479 "Bad stdio forwarding specification '%s'\n",
@@ -582,7 +601,7 @@ main(int ac, char **av)
582 line, "command-line", 0, &dummy, SSHCONF_USERCONF) 601 line, "command-line", 0, &dummy, SSHCONF_USERCONF)
583 != 0) 602 != 0)
584 exit(255); 603 exit(255);
585 xfree(line); 604 free(line);
586 break; 605 break;
587 case 's': 606 case 's':
588 subsystem_flag = 1; 607 subsystem_flag = 1;
@@ -663,18 +682,28 @@ main(int ac, char **av)
663 682
664 /* 683 /*
665 * Initialize "log" output. Since we are the client all output 684 * Initialize "log" output. Since we are the client all output
666 * actually goes to stderr. 685 * goes to stderr unless otherwise specified by -y or -E.
667 */ 686 */
687 if (use_syslog && logfile != NULL)
688 fatal("Can't specify both -y and -E");
689 if (logfile != NULL) {
690 log_redirect_stderr_to(logfile);
691 free(logfile);
692 }
668 log_init(argv0, 693 log_init(argv0,
669 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, 694 options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
670 SYSLOG_FACILITY_USER, !use_syslog); 695 SYSLOG_FACILITY_USER, !use_syslog);
671 696
697 if (debug_flag)
698 logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
699
672 /* 700 /*
673 * Read per-user configuration file. Ignore the system wide config 701 * Read per-user configuration file. Ignore the system wide config
674 * file if the user specifies a config file on the command line. 702 * file if the user specifies a config file on the command line.
675 */ 703 */
676 if (config != NULL) { 704 if (config != NULL) {
677 if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) 705 if (strcasecmp(config, "none") != 0 &&
706 !read_config_file(config, host, &options, SSHCONF_USERCONF))
678 fatal("Can't open user config file %.100s: " 707 fatal("Can't open user config file %.100s: "
679 "%.100s", config, strerror(errno)); 708 "%.100s", config, strerror(errno));
680 } else { 709 } else {
@@ -749,7 +778,7 @@ main(int ac, char **av)
749 "p", portstr, "u", pw->pw_name, "L", shorthost, 778 "p", portstr, "u", pw->pw_name, "L", shorthost,
750 (char *)NULL); 779 (char *)NULL);
751 debug3("expanded LocalCommand: %s", options.local_command); 780 debug3("expanded LocalCommand: %s", options.local_command);
752 xfree(cp); 781 free(cp);
753 } 782 }
754 783
755 /* force lowercase for hostkey matching */ 784 /* force lowercase for hostkey matching */
@@ -761,24 +790,24 @@ main(int ac, char **av)
761 790
762 if (options.proxy_command != NULL && 791 if (options.proxy_command != NULL &&
763 strcmp(options.proxy_command, "none") == 0) { 792 strcmp(options.proxy_command, "none") == 0) {
764 xfree(options.proxy_command); 793 free(options.proxy_command);
765 options.proxy_command = NULL; 794 options.proxy_command = NULL;
766 } 795 }
767 if (options.control_path != NULL && 796 if (options.control_path != NULL &&
768 strcmp(options.control_path, "none") == 0) { 797 strcmp(options.control_path, "none") == 0) {
769 xfree(options.control_path); 798 free(options.control_path);
770 options.control_path = NULL; 799 options.control_path = NULL;
771 } 800 }
772 801
773 if (options.control_path != NULL) { 802 if (options.control_path != NULL) {
774 cp = tilde_expand_filename(options.control_path, 803 cp = tilde_expand_filename(options.control_path,
775 original_real_uid); 804 original_real_uid);
776 xfree(options.control_path); 805 free(options.control_path);
777 options.control_path = percent_expand(cp, "h", host, 806 options.control_path = percent_expand(cp, "h", host,
778 "l", thishost, "n", host_arg, "r", options.user, 807 "l", thishost, "n", host_arg, "r", options.user,
779 "p", portstr, "u", pw->pw_name, "L", shorthost, 808 "p", portstr, "u", pw->pw_name, "L", shorthost,
780 (char *)NULL); 809 (char *)NULL);
781 xfree(cp); 810 free(cp);
782 } 811 }
783 if (muxclient_command != 0 && options.control_path == NULL) 812 if (muxclient_command != 0 && options.control_path == NULL)
784 fatal("No ControlPath specified for \"-O\" command"); 813 fatal("No ControlPath specified for \"-O\" command");
@@ -929,13 +958,11 @@ main(int ac, char **av)
929 sensitive_data.keys[i] = NULL; 958 sensitive_data.keys[i] = NULL;
930 } 959 }
931 } 960 }
932 xfree(sensitive_data.keys); 961 free(sensitive_data.keys);
933 } 962 }
934 for (i = 0; i < options.num_identity_files; i++) { 963 for (i = 0; i < options.num_identity_files; i++) {
935 if (options.identity_files[i]) { 964 free(options.identity_files[i]);
936 xfree(options.identity_files[i]); 965 options.identity_files[i] = NULL;
937 options.identity_files[i] = NULL;
938 }
939 if (options.identity_keys[i]) { 966 if (options.identity_keys[i]) {
940 key_free(options.identity_keys[i]); 967 key_free(options.identity_keys[i]);
941 options.identity_keys[i] = NULL; 968 options.identity_keys[i] = NULL;
@@ -995,6 +1022,7 @@ control_persist_detach(void)
995 if (devnull > STDERR_FILENO) 1022 if (devnull > STDERR_FILENO)
996 close(devnull); 1023 close(devnull);
997 } 1024 }
1025 daemon(1, 1);
998 setproctitle("%s [mux]", options.control_path); 1026 setproctitle("%s [mux]", options.control_path);
999} 1027}
1000 1028
@@ -1453,6 +1481,11 @@ ssh_session2(void)
1453 1481
1454 if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) 1482 if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
1455 id = ssh_session2_open(); 1483 id = ssh_session2_open();
1484 else {
1485 packet_set_interactive(
1486 options.control_master == SSHCTL_MASTER_NO,
1487 options.ip_qos_interactive, options.ip_qos_bulk);
1488 }
1456 1489
1457 /* If we don't expect to open a new session, then disallow it */ 1490 /* If we don't expect to open a new session, then disallow it */
1458 if (options.control_master == SSHCTL_MASTER_NO && 1491 if (options.control_master == SSHCTL_MASTER_NO &&
@@ -1525,7 +1558,7 @@ load_public_identity_files(void)
1525 xstrdup(options.pkcs11_provider); /* XXX */ 1558 xstrdup(options.pkcs11_provider); /* XXX */
1526 n_ids++; 1559 n_ids++;
1527 } 1560 }
1528 xfree(keys); 1561 free(keys);
1529 } 1562 }
1530#endif /* ENABLE_PKCS11 */ 1563#endif /* ENABLE_PKCS11 */
1531 if ((pw = getpwuid(original_real_uid)) == NULL) 1564 if ((pw = getpwuid(original_real_uid)) == NULL)
@@ -1538,7 +1571,7 @@ load_public_identity_files(void)
1538 for (i = 0; i < options.num_identity_files; i++) { 1571 for (i = 0; i < options.num_identity_files; i++) {
1539 if (n_ids >= SSH_MAX_IDENTITY_FILES || 1572 if (n_ids >= SSH_MAX_IDENTITY_FILES ||
1540 strcasecmp(options.identity_files[i], "none") == 0) { 1573 strcasecmp(options.identity_files[i], "none") == 0) {
1541 xfree(options.identity_files[i]); 1574 free(options.identity_files[i]);
1542 continue; 1575 continue;
1543 } 1576 }
1544 cp = tilde_expand_filename(options.identity_files[i], 1577 cp = tilde_expand_filename(options.identity_files[i],
@@ -1546,7 +1579,7 @@ load_public_identity_files(void)
1546 filename = percent_expand(cp, "d", pwdir, 1579 filename = percent_expand(cp, "d", pwdir,
1547 "u", pwname, "l", thishost, "h", host, 1580 "u", pwname, "l", thishost, "h", host,
1548 "r", options.user, (char *)NULL); 1581 "r", options.user, (char *)NULL);
1549 xfree(cp); 1582 free(cp);
1550 public = key_load_public(filename, NULL); 1583 public = key_load_public(filename, NULL);
1551 debug("identity file %s type %d", filename, 1584 debug("identity file %s type %d", filename,
1552 public ? public->type : -1); 1585 public ? public->type : -1);
@@ -1558,15 +1591,15 @@ load_public_identity_files(void)
1558 logit("Public key %s blacklisted (see " 1591 logit("Public key %s blacklisted (see "
1559 "ssh-vulnkey(1)); refusing to send it", 1592 "ssh-vulnkey(1)); refusing to send it",
1560 fp); 1593 fp);
1561 xfree(fp); 1594 free(fp);
1562 if (!options.use_blacklisted_keys) { 1595 if (!options.use_blacklisted_keys) {
1563 key_free(public); 1596 key_free(public);
1564 xfree(filename); 1597 free(filename);
1565 filename = NULL; 1598 filename = NULL;
1566 public = NULL; 1599 public = NULL;
1567 } 1600 }
1568 } 1601 }
1569 xfree(options.identity_files[i]); 1602 free(options.identity_files[i]);
1570 identity_files[n_ids] = filename; 1603 identity_files[n_ids] = filename;
1571 identity_keys[n_ids] = public; 1604 identity_keys[n_ids] = public;
1572 1605
@@ -1579,14 +1612,14 @@ load_public_identity_files(void)
1579 debug("identity file %s type %d", cp, 1612 debug("identity file %s type %d", cp,
1580 public ? public->type : -1); 1613 public ? public->type : -1);
1581 if (public == NULL) { 1614 if (public == NULL) {
1582 xfree(cp); 1615 free(cp);
1583 continue; 1616 continue;
1584 } 1617 }
1585 if (!key_is_cert(public)) { 1618 if (!key_is_cert(public)) {
1586 debug("%s: key %s type %s is not a certificate", 1619 debug("%s: key %s type %s is not a certificate",
1587 __func__, cp, key_type(public)); 1620 __func__, cp, key_type(public));
1588 key_free(public); 1621 key_free(public);
1589 xfree(cp); 1622 free(cp);
1590 continue; 1623 continue;
1591 } 1624 }
1592 identity_keys[n_ids] = public; 1625 identity_keys[n_ids] = public;
@@ -1599,9 +1632,9 @@ load_public_identity_files(void)
1599 memcpy(options.identity_keys, identity_keys, sizeof(identity_keys)); 1632 memcpy(options.identity_keys, identity_keys, sizeof(identity_keys));
1600 1633
1601 bzero(pwname, strlen(pwname)); 1634 bzero(pwname, strlen(pwname));
1602 xfree(pwname); 1635 free(pwname);
1603 bzero(pwdir, strlen(pwdir)); 1636 bzero(pwdir, strlen(pwdir));
1604 xfree(pwdir); 1637 free(pwdir);
1605} 1638}
1606 1639
1607static void 1640static void
diff --git a/ssh_config b/ssh_config
index 4281e7317..064b59359 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ 1# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $
2 2
3# This is the ssh client system-wide configuration file. See 3# This is the ssh client system-wide configuration file. See
4# ssh_config(5) for more information. This file provides defaults for 4# ssh_config(5) for more information. This file provides defaults for
@@ -48,6 +48,7 @@ Host *
48# PermitLocalCommand no 48# PermitLocalCommand no
49# VisualHostKey no 49# VisualHostKey no
50# ProxyCommand ssh -q -W %h:%p gateway.example.com 50# ProxyCommand ssh -q -W %h:%p gateway.example.com
51# RekeyLimit 1G 1h
51 SendEnv LANG LC_* 52 SendEnv LANG LC_*
52 HashKnownHosts yes 53 HashKnownHosts yes
53 GSSAPIAuthentication yes 54 GSSAPIAuthentication yes
diff --git a/ssh_config.0 b/ssh_config.0
index 164d11817..bd9e1ad51 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -369,9 +369,9 @@ DESCRIPTION
369 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and 369 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and
370 ~/.ssh/id_rsa for protocol version 2. Additionally, any 370 ~/.ssh/id_rsa for protocol version 2. Additionally, any
371 identities represented by the authentication agent will be used 371 identities represented by the authentication agent will be used
372 for authentication. ssh(1) will try to load certificate 372 for authentication unless IdentitiesOnly is set. ssh(1) will try
373 information from the filename obtained by appending -cert.pub to 373 to load certificate information from the filename obtained by
374 the path of a specified IdentityFile. 374 appending -cert.pub to the path of a specified IdentityFile.
375 375
376 The file name may use the tilde syntax to refer to a user's home 376 The file name may use the tilde syntax to refer to a user's home
377 directory or one of the following escape characters: `%d' (local 377 directory or one of the following escape characters: `%d' (local
@@ -384,6 +384,18 @@ DESCRIPTION
384 of identities tried (this behaviour differs from that of other 384 of identities tried (this behaviour differs from that of other
385 configuration directives). 385 configuration directives).
386 386
387 IdentityFile may be used in conjunction with IdentitiesOnly to
388 select which identities in an agent are offered during
389 authentication.
390
391 IgnoreUnknown
392 Specifies a pattern-list of unknown options to be ignored if they
393 are encountered in configuration parsing. This may be used to
394 suppress errors if ssh_config contains options that are
395 unrecognised by ssh(1). It is recommended that IgnoreUnknown be
396 listed early in the configuration file as it will not be applied
397 to unknown options that appear before it.
398
387 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. 399 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
388 Accepted values are ``af11'', ``af12'', ``af13'', ``af21'', 400 Accepted values are ``af11'', ``af12'', ``af13'', ``af21'',
389 ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'', 401 ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'',
@@ -552,11 +564,18 @@ DESCRIPTION
552 564
553 RekeyLimit 565 RekeyLimit
554 Specifies the maximum amount of data that may be transmitted 566 Specifies the maximum amount of data that may be transmitted
555 before the session key is renegotiated. The argument is the 567 before the session key is renegotiated, optionally followed a
556 number of bytes, with an optional suffix of `K', `M', or `G' to 568 maximum amount of time that may pass before the session key is
557 indicate Kilobytes, Megabytes, or Gigabytes, respectively. The 569 renegotiated. The first argument is specified in bytes and may
558 default is between `1G' and `4G', depending on the cipher. This 570 have a suffix of `K', `M', or `G' to indicate Kilobytes,
559 option applies to protocol version 2 only. 571 Megabytes, or Gigabytes, respectively. The default is between
572 `1G' and `4G', depending on the cipher. The optional second
573 value is specified in seconds and may use any of the units
574 documented in the TIME FORMATS section of sshd_config(5). The
575 default value for RekeyLimit is ``default none'', which means
576 that rekeying is performed after the cipher's default amount of
577 data has been sent or received and no time based rekeying is
578 done. This option applies to protocol version 2 only.
560 579
561 RemoteForward 580 RemoteForward
562 Specifies that a TCP port on the remote machine be forwarded over 581 Specifies that a TCP port on the remote machine be forwarded over
@@ -773,4 +792,4 @@ AUTHORS
773 created OpenSSH. Markus Friedl contributed the support for SSH protocol 792 created OpenSSH. Markus Friedl contributed the support for SSH protocol
774 versions 1.5 and 2.0. 793 versions 1.5 and 2.0.
775 794
776OpenBSD 5.3 January 8, 2013 OpenBSD 5.3 795OpenBSD 5.4 June 27, 2013 OpenBSD 5.4
diff --git a/ssh_config.5 b/ssh_config.5
index fa852acb1..127540a60 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $
37.Dd $Mdocdate: January 8 2013 $ 37.Dd $Mdocdate: June 27 2013 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -494,8 +494,7 @@ option is also enabled.
494.It Cm ForwardX11Timeout 494.It Cm ForwardX11Timeout
495Specify a timeout for untrusted X11 forwarding 495Specify a timeout for untrusted X11 forwarding
496using the format described in the 496using the format described in the
497.Sx TIME FORMATS 497TIME FORMATS section of
498section of
499.Xr sshd_config 5 . 498.Xr sshd_config 5 .
500X11 connections received by 499X11 connections received by
501.Xr ssh 1 500.Xr ssh 1
@@ -684,7 +683,9 @@ and
684.Pa ~/.ssh/id_rsa 683.Pa ~/.ssh/id_rsa
685for protocol version 2. 684for protocol version 2.
686Additionally, any identities represented by the authentication agent 685Additionally, any identities represented by the authentication agent
687will be used for authentication. 686will be used for authentication unless
687.Cm IdentitiesOnly
688is set.
688.Xr ssh 1 689.Xr ssh 1
689will try to load certificate information from the filename obtained by 690will try to load certificate information from the filename obtained by
690appending 691appending
@@ -713,6 +714,22 @@ Multiple
713.Cm IdentityFile 714.Cm IdentityFile
714directives will add to the list of identities tried (this behaviour 715directives will add to the list of identities tried (this behaviour
715differs from that of other configuration directives). 716differs from that of other configuration directives).
717.Pp
718.Cm IdentityFile
719may be used in conjunction with
720.Cm IdentitiesOnly
721to select which identities in an agent are offered during authentication.
722.It Cm IgnoreUnknown
723Specifies a pattern-list of unknown options to be ignored if they are
724encountered in configuration parsing.
725This may be used to suppress errors if
726.Nm
727contains options that are unrecognised by
728.Xr ssh 1 .
729It is recommended that
730.Cm IgnoreUnknown
731be listed early in the configuration file as it will not be applied
732to unknown options that appear before it.
716.It Cm IPQoS 733.It Cm IPQoS
717Specifies the IPv4 type-of-service or DSCP class for connections. 734Specifies the IPv4 type-of-service or DSCP class for connections.
718Accepted values are 735Accepted values are
@@ -987,8 +1004,9 @@ The default is
987This option applies to protocol version 2 only. 1004This option applies to protocol version 2 only.
988.It Cm RekeyLimit 1005.It Cm RekeyLimit
989Specifies the maximum amount of data that may be transmitted before the 1006Specifies the maximum amount of data that may be transmitted before the
990session key is renegotiated. 1007session key is renegotiated, optionally followed a maximum amount of
991The argument is the number of bytes, with an optional suffix of 1008time that may pass before the session key is renegotiated.
1009The first argument is specified in bytes and may have a suffix of
992.Sq K , 1010.Sq K ,
993.Sq M , 1011.Sq M ,
994or 1012or
@@ -999,6 +1017,16 @@ The default is between
999and 1017and
1000.Sq 4G , 1018.Sq 4G ,
1001depending on the cipher. 1019depending on the cipher.
1020The optional second value is specified in seconds and may use any of the
1021units documented in the
1022TIME FORMATS section of
1023.Xr sshd_config 5 .
1024The default value for
1025.Cm RekeyLimit
1026is
1027.Dq default none ,
1028which means that rekeying is performed after the cipher's default amount
1029of data has been sent or received and no time based rekeying is done.
1002This option applies to protocol version 2 only. 1030This option applies to protocol version 2 only.
1003.It Cm RemoteForward 1031.It Cm RemoteForward
1004Specifies that a TCP port on the remote machine be forwarded over 1032Specifies that a TCP port on the remote machine be forwarded over
@@ -1310,9 +1338,7 @@ The default is
1310.Dq no . 1338.Dq no .
1311Note that this option applies to protocol version 2 only. 1339Note that this option applies to protocol version 2 only.
1312.Pp 1340.Pp
1313See also 1341See also VERIFYING HOST KEYS in
1314.Sx VERIFYING HOST KEYS
1315in
1316.Xr ssh 1 . 1342.Xr ssh 1 .
1317.It Cm VisualHostKey 1343.It Cm VisualHostKey
1318If this flag is set to 1344If this flag is set to
diff --git a/sshconnect.c b/sshconnect.c
index 1fa1d5963..ad960fdbf 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -112,7 +112,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
112 xasprintf(&tmp, "exec %s", proxy_command); 112 xasprintf(&tmp, "exec %s", proxy_command);
113 command_string = percent_expand(tmp, "h", host, "p", strport, 113 command_string = percent_expand(tmp, "h", host, "p", strport,
114 "r", options.user, (char *)NULL); 114 "r", options.user, (char *)NULL);
115 xfree(tmp); 115 free(tmp);
116 116
117 /* Create pipes for communicating with the proxy. */ 117 /* Create pipes for communicating with the proxy. */
118 if (pipe(pin) < 0 || pipe(pout) < 0) 118 if (pipe(pin) < 0 || pipe(pout) < 0)
@@ -166,7 +166,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
166 close(pout[1]); 166 close(pout[1]);
167 167
168 /* Free the command name. */ 168 /* Free the command name. */
169 xfree(command_string); 169 free(command_string);
170 170
171 /* Set the connection file descriptors. */ 171 /* Set the connection file descriptors. */
172 packet_set_connection(pout[0], pin[1]); 172 packet_set_connection(pout[0], pin[1]);
@@ -315,7 +315,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
315 fatal("Bogus return (%d) from select()", rc); 315 fatal("Bogus return (%d) from select()", rc);
316 } 316 }
317 317
318 xfree(fdset); 318 free(fdset);
319 319
320 done: 320 done:
321 if (result == 0 && *timeoutp > 0) { 321 if (result == 0 && *timeoutp > 0) {
@@ -534,7 +534,7 @@ ssh_exchange_identification(int timeout_ms)
534 debug("ssh_exchange_identification: %s", buf); 534 debug("ssh_exchange_identification: %s", buf);
535 } 535 }
536 server_version_string = xstrdup(buf); 536 server_version_string = xstrdup(buf);
537 xfree(fdset); 537 free(fdset);
538 538
539 /* 539 /*
540 * Check that the versions match. In future this might accept 540 * Check that the versions match. In future this might accept
@@ -610,8 +610,7 @@ confirm(const char *prompt)
610 ret = 0; 610 ret = 0;
611 if (p && strncasecmp(p, "yes", 3) == 0) 611 if (p && strncasecmp(p, "yes", 3) == 0)
612 ret = 1; 612 ret = 1;
613 if (p) 613 free(p);
614 xfree(p);
615 if (ret != -1) 614 if (ret != -1)
616 return ret; 615 return ret;
617 } 616 }
@@ -835,8 +834,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
835 ra = key_fingerprint(host_key, SSH_FP_MD5, 834 ra = key_fingerprint(host_key, SSH_FP_MD5,
836 SSH_FP_RANDOMART); 835 SSH_FP_RANDOMART);
837 logit("Host key fingerprint is %s\n%s\n", fp, ra); 836 logit("Host key fingerprint is %s\n%s\n", fp, ra);
838 xfree(ra); 837 free(ra);
839 xfree(fp); 838 free(fp);
840 } 839 }
841 break; 840 break;
842 case HOST_NEW: 841 case HOST_NEW:
@@ -896,8 +895,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
896 options.visual_host_key ? "\n" : "", 895 options.visual_host_key ? "\n" : "",
897 options.visual_host_key ? ra : "", 896 options.visual_host_key ? ra : "",
898 msg2); 897 msg2);
899 xfree(ra); 898 free(ra);
900 xfree(fp); 899 free(fp);
901 if (!confirm(msg)) 900 if (!confirm(msg))
902 goto fail; 901 goto fail;
903 } 902 }
@@ -1103,8 +1102,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
1103 } 1102 }
1104 } 1103 }
1105 1104
1106 xfree(ip); 1105 free(ip);
1107 xfree(host); 1106 free(host);
1108 if (host_hostkeys != NULL) 1107 if (host_hostkeys != NULL)
1109 free_hostkeys(host_hostkeys); 1108 free_hostkeys(host_hostkeys);
1110 if (ip_hostkeys != NULL) 1109 if (ip_hostkeys != NULL)
@@ -1126,8 +1125,8 @@ fail:
1126 } 1125 }
1127 if (raw_key != NULL) 1126 if (raw_key != NULL)
1128 key_free(raw_key); 1127 key_free(raw_key);
1129 xfree(ip); 1128 free(ip);
1130 xfree(host); 1129 free(host);
1131 if (host_hostkeys != NULL) 1130 if (host_hostkeys != NULL)
1132 free_hostkeys(host_hostkeys); 1131 free_hostkeys(host_hostkeys);
1133 if (ip_hostkeys != NULL) 1132 if (ip_hostkeys != NULL)
@@ -1144,7 +1143,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1144 1143
1145 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); 1144 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
1146 debug("Server host key: %s %s", key_type(host_key), fp); 1145 debug("Server host key: %s %s", key_type(host_key), fp);
1147 xfree(fp); 1146 free(fp);
1148 1147
1149 /* XXX certs are not yet supported for DNS */ 1148 /* XXX certs are not yet supported for DNS */
1150 if (!key_is_cert(host_key) && options.verify_host_key_dns && 1149 if (!key_is_cert(host_key) && options.verify_host_key_dns &&
@@ -1209,7 +1208,7 @@ ssh_login(Sensitive *sensitive, const char *orighost,
1209 ssh_kex(host, hostaddr); 1208 ssh_kex(host, hostaddr);
1210 ssh_userauth1(local_user, server_user, host, sensitive); 1209 ssh_userauth1(local_user, server_user, host, sensitive);
1211 } 1210 }
1212 xfree(local_user); 1211 free(local_user);
1213} 1212}
1214 1213
1215void 1214void
@@ -1227,7 +1226,7 @@ ssh_put_password(char *password)
1227 strlcpy(padded, password, size); 1226 strlcpy(padded, password, size);
1228 packet_put_string(padded, size); 1227 packet_put_string(padded, size);
1229 memset(padded, 0, size); 1228 memset(padded, 0, size);
1230 xfree(padded); 1229 free(padded);
1231} 1230}
1232 1231
1233/* print all known host keys for a given host, but skip keys of given type */ 1232/* print all known host keys for a given host, but skip keys of given type */
@@ -1254,8 +1253,8 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
1254 key_type(found->key), fp); 1253 key_type(found->key), fp);
1255 if (options.visual_host_key) 1254 if (options.visual_host_key)
1256 logit("%s", ra); 1255 logit("%s", ra);
1257 xfree(ra); 1256 free(ra);
1258 xfree(fp); 1257 free(fp);
1259 ret = 1; 1258 ret = 1;
1260 } 1259 }
1261 return ret; 1260 return ret;
@@ -1278,7 +1277,7 @@ warn_changed_key(Key *host_key)
1278 key_type(host_key), fp); 1277 key_type(host_key), fp);
1279 error("Please contact your system administrator."); 1278 error("Please contact your system administrator.");
1280 1279
1281 xfree(fp); 1280 free(fp);
1282} 1281}
1283 1282
1284/* 1283/*
diff --git a/sshconnect1.c b/sshconnect1.c
index fd07bbf74..d285e23c0 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */ 1/* $OpenBSD: sshconnect1.c,v 1.71 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -84,7 +84,7 @@ try_agent_authentication(void)
84 84
85 /* Try this identity. */ 85 /* Try this identity. */
86 debug("Trying RSA authentication via agent with '%.100s'", comment); 86 debug("Trying RSA authentication via agent with '%.100s'", comment);
87 xfree(comment); 87 free(comment);
88 88
89 /* Tell the server that we are willing to authenticate using this key. */ 89 /* Tell the server that we are willing to authenticate using this key. */
90 packet_start(SSH_CMSG_AUTH_RSA); 90 packet_start(SSH_CMSG_AUTH_RSA);
@@ -231,7 +231,7 @@ try_rsa_authentication(int idx)
231 */ 231 */
232 if (type == SSH_SMSG_FAILURE) { 232 if (type == SSH_SMSG_FAILURE) {
233 debug("Server refused our key."); 233 debug("Server refused our key.");
234 xfree(comment); 234 free(comment);
235 return 0; 235 return 0;
236 } 236 }
237 /* Otherwise, the server should respond with a challenge. */ 237 /* Otherwise, the server should respond with a challenge. */
@@ -270,14 +270,14 @@ try_rsa_authentication(int idx)
270 quit = 1; 270 quit = 1;
271 } 271 }
272 memset(passphrase, 0, strlen(passphrase)); 272 memset(passphrase, 0, strlen(passphrase));
273 xfree(passphrase); 273 free(passphrase);
274 if (private != NULL || quit) 274 if (private != NULL || quit)
275 break; 275 break;
276 debug2("bad passphrase given, try again..."); 276 debug2("bad passphrase given, try again...");
277 } 277 }
278 } 278 }
279 /* We no longer need the comment. */ 279 /* We no longer need the comment. */
280 xfree(comment); 280 free(comment);
281 281
282 if (private == NULL) { 282 if (private == NULL) {
283 if (!options.batch_mode && perm_ok) 283 if (!options.batch_mode && perm_ok)
@@ -412,7 +412,7 @@ try_challenge_response_authentication(void)
412 packet_check_eom(); 412 packet_check_eom();
413 snprintf(prompt, sizeof prompt, "%s%s", challenge, 413 snprintf(prompt, sizeof prompt, "%s%s", challenge,
414 strchr(challenge, '\n') ? "" : "\nResponse: "); 414 strchr(challenge, '\n') ? "" : "\nResponse: ");
415 xfree(challenge); 415 free(challenge);
416 if (i != 0) 416 if (i != 0)
417 error("Permission denied, please try again."); 417 error("Permission denied, please try again.");
418 if (options.cipher == SSH_CIPHER_NONE) 418 if (options.cipher == SSH_CIPHER_NONE)
@@ -420,13 +420,13 @@ try_challenge_response_authentication(void)
420 "Response will be transmitted in clear text."); 420 "Response will be transmitted in clear text.");
421 response = read_passphrase(prompt, 0); 421 response = read_passphrase(prompt, 0);
422 if (strcmp(response, "") == 0) { 422 if (strcmp(response, "") == 0) {
423 xfree(response); 423 free(response);
424 break; 424 break;
425 } 425 }
426 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); 426 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
427 ssh_put_password(response); 427 ssh_put_password(response);
428 memset(response, 0, strlen(response)); 428 memset(response, 0, strlen(response));
429 xfree(response); 429 free(response);
430 packet_send(); 430 packet_send();
431 packet_write_wait(); 431 packet_write_wait();
432 type = packet_read(); 432 type = packet_read();
@@ -459,7 +459,7 @@ try_password_authentication(char *prompt)
459 packet_start(SSH_CMSG_AUTH_PASSWORD); 459 packet_start(SSH_CMSG_AUTH_PASSWORD);
460 ssh_put_password(password); 460 ssh_put_password(password);
461 memset(password, 0, strlen(password)); 461 memset(password, 0, strlen(password));
462 xfree(password); 462 free(password);
463 packet_send(); 463 packet_send();
464 packet_write_wait(); 464 packet_write_wait();
465 465
diff --git a/sshconnect2.c b/sshconnect2.c
index 77b02e3bf..93818c991 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -146,10 +146,10 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
146 if (*first != '\0') 146 if (*first != '\0')
147 debug3("%s: prefer hostkeyalgs: %s", __func__, first); 147 debug3("%s: prefer hostkeyalgs: %s", __func__, first);
148 148
149 xfree(first); 149 free(first);
150 xfree(last); 150 free(last);
151 xfree(hostname); 151 free(hostname);
152 xfree(oavail); 152 free(oavail);
153 free_hostkeys(hostkeys); 153 free_hostkeys(hostkeys);
154 154
155 return ret; 155 return ret;
@@ -229,12 +229,13 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
229 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; 229 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
230 xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 230 xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
231 "%s,null", orig); 231 "%s,null", orig);
232 xfree(gss); 232 free(gss);
233 } 233 }
234#endif 234#endif
235 235
236 if (options.rekey_limit) 236 if (options.rekey_limit || options.rekey_interval)
237 packet_set_rekey_limit((u_int32_t)options.rekey_limit); 237 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
238 (time_t)options.rekey_interval);
238 239
239 /* start key exchange */ 240 /* start key exchange */
240 kex = kex_setup(myproposal); 241 kex = kex_setup(myproposal);
@@ -445,7 +446,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
445 if (packet_remaining() > 0) { 446 if (packet_remaining() > 0) {
446 char *reply = packet_get_string(NULL); 447 char *reply = packet_get_string(NULL);
447 debug2("service_accept: %s", reply); 448 debug2("service_accept: %s", reply);
448 xfree(reply); 449 free(reply);
449 } else { 450 } else {
450 debug2("buggy server: service_accept w/o service"); 451 debug2("buggy server: service_accept w/o service");
451 } 452 }
@@ -492,15 +493,12 @@ userauth(Authctxt *authctxt, char *authlist)
492 if (authctxt->method != NULL && authctxt->method->cleanup != NULL) 493 if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
493 authctxt->method->cleanup(authctxt); 494 authctxt->method->cleanup(authctxt);
494 495
495 if (authctxt->methoddata) { 496 free(authctxt->methoddata);
496 xfree(authctxt->methoddata); 497 authctxt->methoddata = NULL;
497 authctxt->methoddata = NULL;
498 }
499 if (authlist == NULL) { 498 if (authlist == NULL) {
500 authlist = authctxt->authlist; 499 authlist = authctxt->authlist;
501 } else { 500 } else {
502 if (authctxt->authlist) 501 free(authctxt->authlist);
503 xfree(authctxt->authlist);
504 authctxt->authlist = authlist; 502 authctxt->authlist = authlist;
505 } 503 }
506 for (;;) { 504 for (;;) {
@@ -548,10 +546,10 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
548 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ 546 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
549 strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH); 547 strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
550 fprintf(stderr, "%s", msg); 548 fprintf(stderr, "%s", msg);
551 xfree(msg); 549 free(msg);
552 } 550 }
553 xfree(raw); 551 free(raw);
554 xfree(lang); 552 free(lang);
555} 553}
556 554
557/* ARGSUSED */ 555/* ARGSUSED */
@@ -562,16 +560,12 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
562 560
563 if (authctxt == NULL) 561 if (authctxt == NULL)
564 fatal("input_userauth_success: no authentication context"); 562 fatal("input_userauth_success: no authentication context");
565 if (authctxt->authlist) { 563 free(authctxt->authlist);
566 xfree(authctxt->authlist); 564 authctxt->authlist = NULL;
567 authctxt->authlist = NULL;
568 }
569 if (authctxt->method != NULL && authctxt->method->cleanup != NULL) 565 if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
570 authctxt->method->cleanup(authctxt); 566 authctxt->method->cleanup(authctxt);
571 if (authctxt->methoddata) { 567 free(authctxt->methoddata);
572 xfree(authctxt->methoddata); 568 authctxt->methoddata = NULL;
573 authctxt->methoddata = NULL;
574 }
575 authctxt->success = 1; /* break out */ 569 authctxt->success = 1; /* break out */
576} 570}
577 571
@@ -602,8 +596,12 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
602 partial = packet_get_char(); 596 partial = packet_get_char();
603 packet_check_eom(); 597 packet_check_eom();
604 598
605 if (partial != 0) 599 if (partial != 0) {
606 logit("Authenticated with partial success."); 600 logit("Authenticated with partial success.");
601 /* reset state */
602 pubkey_cleanup(authctxt);
603 pubkey_prepare(authctxt);
604 }
607 debug("Authentications that can continue: %s", authlist); 605 debug("Authentications that can continue: %s", authlist);
608 606
609 userauth(authctxt, authlist); 607 userauth(authctxt, authlist);
@@ -656,7 +654,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
656 } 654 }
657 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 655 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
658 debug2("input_userauth_pk_ok: fp %s", fp); 656 debug2("input_userauth_pk_ok: fp %s", fp);
659 xfree(fp); 657 free(fp);
660 658
661 /* 659 /*
662 * search keys in the reverse order, because last candidate has been 660 * search keys in the reverse order, because last candidate has been
@@ -672,8 +670,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
672done: 670done:
673 if (key != NULL) 671 if (key != NULL)
674 key_free(key); 672 key_free(key);
675 xfree(pkalg); 673 free(pkalg);
676 xfree(pkblob); 674 free(pkblob);
677 675
678 /* try another method if we did not send a packet */ 676 /* try another method if we did not send a packet */
679 if (sent == 0) 677 if (sent == 0)
@@ -823,7 +821,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
823 if (oidlen <= 2 || 821 if (oidlen <= 2 ||
824 oidv[0] != SSH_GSS_OIDTYPE || 822 oidv[0] != SSH_GSS_OIDTYPE ||
825 oidv[1] != oidlen - 2) { 823 oidv[1] != oidlen - 2) {
826 xfree(oidv); 824 free(oidv);
827 debug("Badly encoded mechanism OID received"); 825 debug("Badly encoded mechanism OID received");
828 userauth(authctxt, NULL); 826 userauth(authctxt, NULL);
829 return; 827 return;
@@ -834,7 +832,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
834 832
835 packet_check_eom(); 833 packet_check_eom();
836 834
837 xfree(oidv); 835 free(oidv);
838 836
839 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) { 837 if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
840 /* Start again with next method on list */ 838 /* Start again with next method on list */
@@ -863,7 +861,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
863 861
864 status = process_gssapi_token(ctxt, &recv_tok); 862 status = process_gssapi_token(ctxt, &recv_tok);
865 863
866 xfree(recv_tok.value); 864 free(recv_tok.value);
867 865
868 if (GSS_ERROR(status)) { 866 if (GSS_ERROR(status)) {
869 /* Start again with the next method in the list */ 867 /* Start again with the next method in the list */
@@ -880,7 +878,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
880 Gssctxt *gssctxt; 878 Gssctxt *gssctxt;
881 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 879 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
882 gss_buffer_desc recv_tok; 880 gss_buffer_desc recv_tok;
883 OM_uint32 status, ms; 881 OM_uint32 ms;
884 u_int len; 882 u_int len;
885 883
886 if (authctxt == NULL) 884 if (authctxt == NULL)
@@ -893,10 +891,10 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
893 packet_check_eom(); 891 packet_check_eom();
894 892
895 /* Stick it into GSSAPI and see what it says */ 893 /* Stick it into GSSAPI and see what it says */
896 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, 894 (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
897 &recv_tok, &send_tok, NULL); 895 &recv_tok, &send_tok, NULL);
898 896
899 xfree(recv_tok.value); 897 free(recv_tok.value);
900 gss_release_buffer(&ms, &send_tok); 898 gss_release_buffer(&ms, &send_tok);
901 899
902 /* Server will be returning a failed packet after this one */ 900 /* Server will be returning a failed packet after this one */
@@ -906,20 +904,19 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
906void 904void
907input_gssapi_error(int type, u_int32_t plen, void *ctxt) 905input_gssapi_error(int type, u_int32_t plen, void *ctxt)
908{ 906{
909 OM_uint32 maj, min;
910 char *msg; 907 char *msg;
911 char *lang; 908 char *lang;
912 909
913 maj=packet_get_int(); 910 /* maj */(void)packet_get_int();
914 min=packet_get_int(); 911 /* min */(void)packet_get_int();
915 msg=packet_get_string(NULL); 912 msg=packet_get_string(NULL);
916 lang=packet_get_string(NULL); 913 lang=packet_get_string(NULL);
917 914
918 packet_check_eom(); 915 packet_check_eom();
919 916
920 debug("Server GSSAPI Error:\n%s", msg); 917 debug("Server GSSAPI Error:\n%s", msg);
921 xfree(msg); 918 free(msg);
922 xfree(lang); 919 free(lang);
923} 920}
924 921
925int 922int
@@ -1002,7 +999,7 @@ userauth_passwd(Authctxt *authctxt)
1002 packet_put_char(0); 999 packet_put_char(0);
1003 packet_put_cstring(password); 1000 packet_put_cstring(password);
1004 memset(password, 0, strlen(password)); 1001 memset(password, 0, strlen(password));
1005 xfree(password); 1002 free(password);
1006 packet_add_padding(64); 1003 packet_add_padding(64);
1007 packet_send(); 1004 packet_send();
1008 1005
@@ -1035,8 +1032,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
1035 lang = packet_get_string(NULL); 1032 lang = packet_get_string(NULL);
1036 if (strlen(info) > 0) 1033 if (strlen(info) > 0)
1037 logit("%s", info); 1034 logit("%s", info);
1038 xfree(info); 1035 free(info);
1039 xfree(lang); 1036 free(lang);
1040 packet_start(SSH2_MSG_USERAUTH_REQUEST); 1037 packet_start(SSH2_MSG_USERAUTH_REQUEST);
1041 packet_put_cstring(authctxt->server_user); 1038 packet_put_cstring(authctxt->server_user);
1042 packet_put_cstring(authctxt->service); 1039 packet_put_cstring(authctxt->service);
@@ -1048,7 +1045,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
1048 password = read_passphrase(prompt, 0); 1045 password = read_passphrase(prompt, 0);
1049 packet_put_cstring(password); 1046 packet_put_cstring(password);
1050 memset(password, 0, strlen(password)); 1047 memset(password, 0, strlen(password));
1051 xfree(password); 1048 free(password);
1052 password = NULL; 1049 password = NULL;
1053 while (password == NULL) { 1050 while (password == NULL) {
1054 snprintf(prompt, sizeof(prompt), 1051 snprintf(prompt, sizeof(prompt),
@@ -1065,16 +1062,16 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
1065 retype = read_passphrase(prompt, 0); 1062 retype = read_passphrase(prompt, 0);
1066 if (strcmp(password, retype) != 0) { 1063 if (strcmp(password, retype) != 0) {
1067 memset(password, 0, strlen(password)); 1064 memset(password, 0, strlen(password));
1068 xfree(password); 1065 free(password);
1069 logit("Mismatch; try again, EOF to quit."); 1066 logit("Mismatch; try again, EOF to quit.");
1070 password = NULL; 1067 password = NULL;
1071 } 1068 }
1072 memset(retype, 0, strlen(retype)); 1069 memset(retype, 0, strlen(retype));
1073 xfree(retype); 1070 free(retype);
1074 } 1071 }
1075 packet_put_cstring(password); 1072 packet_put_cstring(password);
1076 memset(password, 0, strlen(password)); 1073 memset(password, 0, strlen(password));
1077 xfree(password); 1074 free(password);
1078 packet_add_padding(64); 1075 packet_add_padding(64);
1079 packet_send(); 1076 packet_send();
1080 1077
@@ -1129,13 +1126,13 @@ jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
1129 1126
1130 bzero(password, strlen(password)); 1127 bzero(password, strlen(password));
1131 bzero(crypted, strlen(crypted)); 1128 bzero(crypted, strlen(crypted));
1132 xfree(password); 1129 free(password);
1133 xfree(crypted); 1130 free(crypted);
1134 1131
1135 if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL) 1132 if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
1136 fatal("%s: BN_bin2bn (secret)", __func__); 1133 fatal("%s: BN_bin2bn (secret)", __func__);
1137 bzero(secret, secret_len); 1134 bzero(secret, secret_len);
1138 xfree(secret); 1135 free(secret);
1139 1136
1140 return ret; 1137 return ret;
1141} 1138}
@@ -1173,8 +1170,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1173 pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt); 1170 pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
1174 bzero(crypt_scheme, strlen(crypt_scheme)); 1171 bzero(crypt_scheme, strlen(crypt_scheme));
1175 bzero(salt, strlen(salt)); 1172 bzero(salt, strlen(salt));
1176 xfree(crypt_scheme); 1173 free(crypt_scheme);
1177 xfree(salt); 1174 free(salt);
1178 JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__)); 1175 JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
1179 1176
1180 /* Calculate step 2 values */ 1177 /* Calculate step 2 values */
@@ -1189,8 +1186,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1189 1186
1190 bzero(x3_proof, x3_proof_len); 1187 bzero(x3_proof, x3_proof_len);
1191 bzero(x4_proof, x4_proof_len); 1188 bzero(x4_proof, x4_proof_len);
1192 xfree(x3_proof); 1189 free(x3_proof);
1193 xfree(x4_proof); 1190 free(x4_proof);
1194 1191
1195 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); 1192 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
1196 1193
@@ -1201,7 +1198,7 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1201 packet_send(); 1198 packet_send();
1202 1199
1203 bzero(x2_s_proof, x2_s_proof_len); 1200 bzero(x2_s_proof, x2_s_proof_len);
1204 xfree(x2_s_proof); 1201 free(x2_s_proof);
1205 1202
1206 /* Expect step 2 packet from peer */ 1203 /* Expect step 2 packet from peer */
1207 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, 1204 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
@@ -1241,7 +1238,7 @@ input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
1241 &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len); 1238 &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
1242 1239
1243 bzero(x4_s_proof, x4_s_proof_len); 1240 bzero(x4_s_proof, x4_s_proof_len);
1244 xfree(x4_s_proof); 1241 free(x4_s_proof);
1245 1242
1246 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); 1243 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
1247 1244
@@ -1323,7 +1320,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1323 1320
1324 fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); 1321 fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
1325 debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); 1322 debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
1326 xfree(fp); 1323 free(fp);
1327 1324
1328 if (key_to_blob(id->key, &blob, &bloblen) == 0) { 1325 if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1329 /* we cannot handle this key */ 1326 /* we cannot handle this key */
@@ -1358,7 +1355,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1358 ret = identity_sign(id, &signature, &slen, 1355 ret = identity_sign(id, &signature, &slen,
1359 buffer_ptr(&b), buffer_len(&b)); 1356 buffer_ptr(&b), buffer_len(&b));
1360 if (ret == -1) { 1357 if (ret == -1) {
1361 xfree(blob); 1358 free(blob);
1362 buffer_free(&b); 1359 buffer_free(&b);
1363 return 0; 1360 return 0;
1364 } 1361 }
@@ -1378,11 +1375,11 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1378 buffer_put_cstring(&b, key_ssh_name(id->key)); 1375 buffer_put_cstring(&b, key_ssh_name(id->key));
1379 buffer_put_string(&b, blob, bloblen); 1376 buffer_put_string(&b, blob, bloblen);
1380 } 1377 }
1381 xfree(blob); 1378 free(blob);
1382 1379
1383 /* append signature */ 1380 /* append signature */
1384 buffer_put_string(&b, signature, slen); 1381 buffer_put_string(&b, signature, slen);
1385 xfree(signature); 1382 free(signature);
1386 1383
1387 /* skip session id and packet type */ 1384 /* skip session id and packet type */
1388 if (buffer_len(&b) < skip + 1) 1385 if (buffer_len(&b) < skip + 1)
@@ -1422,7 +1419,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
1422 if (!(datafellows & SSH_BUG_PKAUTH)) 1419 if (!(datafellows & SSH_BUG_PKAUTH))
1423 packet_put_cstring(key_ssh_name(id->key)); 1420 packet_put_cstring(key_ssh_name(id->key));
1424 packet_put_string(blob, bloblen); 1421 packet_put_string(blob, bloblen);
1425 xfree(blob); 1422 free(blob);
1426 packet_send(); 1423 packet_send();
1427 return 1; 1424 return 1;
1428} 1425}
@@ -1441,8 +1438,11 @@ load_identity_file(char *filename, int userprovided)
1441 return NULL; 1438 return NULL;
1442 } 1439 }
1443 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); 1440 private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
1444 if (!perm_ok) 1441 if (!perm_ok) {
1442 if (private != NULL)
1443 key_free(private);
1445 return NULL; 1444 return NULL;
1445 }
1446 if (private == NULL) { 1446 if (private == NULL) {
1447 if (options.batch_mode) 1447 if (options.batch_mode)
1448 return NULL; 1448 return NULL;
@@ -1459,7 +1459,7 @@ load_identity_file(char *filename, int userprovided)
1459 quit = 1; 1459 quit = 1;
1460 } 1460 }
1461 memset(passphrase, 0, strlen(passphrase)); 1461 memset(passphrase, 0, strlen(passphrase));
1462 xfree(passphrase); 1462 free(passphrase);
1463 if (private != NULL || quit) 1463 if (private != NULL || quit)
1464 break; 1464 break;
1465 debug2("bad passphrase given, try again..."); 1465 debug2("bad passphrase given, try again...");
@@ -1524,7 +1524,7 @@ pubkey_prepare(Authctxt *authctxt)
1524 /* If IdentitiesOnly set and key not found then don't use it */ 1524 /* If IdentitiesOnly set and key not found then don't use it */
1525 if (!found && options.identities_only) { 1525 if (!found && options.identities_only) {
1526 TAILQ_REMOVE(&files, id, next); 1526 TAILQ_REMOVE(&files, id, next);
1527 bzero(id, sizeof(id)); 1527 bzero(id, sizeof(*id));
1528 free(id); 1528 free(id);
1529 } 1529 }
1530 } 1530 }
@@ -1538,7 +1538,7 @@ pubkey_prepare(Authctxt *authctxt)
1538 /* agent keys from the config file are preferred */ 1538 /* agent keys from the config file are preferred */
1539 if (key_equal(key, id->key)) { 1539 if (key_equal(key, id->key)) {
1540 key_free(key); 1540 key_free(key);
1541 xfree(comment); 1541 free(comment);
1542 TAILQ_REMOVE(&files, id, next); 1542 TAILQ_REMOVE(&files, id, next);
1543 TAILQ_INSERT_TAIL(preferred, id, next); 1543 TAILQ_INSERT_TAIL(preferred, id, next);
1544 id->ac = ac; 1544 id->ac = ac;
@@ -1584,9 +1584,8 @@ pubkey_cleanup(Authctxt *authctxt)
1584 TAILQ_REMOVE(&authctxt->keys, id, next); 1584 TAILQ_REMOVE(&authctxt->keys, id, next);
1585 if (id->key) 1585 if (id->key)
1586 key_free(id->key); 1586 key_free(id->key);
1587 if (id->filename) 1587 free(id->filename);
1588 xfree(id->filename); 1588 free(id);
1589 xfree(id);
1590 } 1589 }
1591} 1590}
1592 1591
@@ -1684,9 +1683,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1684 logit("%s", name); 1683 logit("%s", name);
1685 if (strlen(inst) > 0) 1684 if (strlen(inst) > 0)
1686 logit("%s", inst); 1685 logit("%s", inst);
1687 xfree(name); 1686 free(name);
1688 xfree(inst); 1687 free(inst);
1689 xfree(lang); 1688 free(lang);
1690 1689
1691 num_prompts = packet_get_int(); 1690 num_prompts = packet_get_int();
1692 /* 1691 /*
@@ -1707,8 +1706,8 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1707 1706
1708 packet_put_cstring(response); 1707 packet_put_cstring(response);
1709 memset(response, 0, strlen(response)); 1708 memset(response, 0, strlen(response));
1710 xfree(response); 1709 free(response);
1711 xfree(prompt); 1710 free(prompt);
1712 } 1711 }
1713 packet_check_eom(); /* done with parsing incoming message. */ 1712 packet_check_eom(); /* done with parsing incoming message. */
1714 1713
@@ -1828,12 +1827,12 @@ userauth_hostbased(Authctxt *authctxt)
1828 if (p == NULL) { 1827 if (p == NULL) {
1829 error("userauth_hostbased: cannot get local ipaddr/name"); 1828 error("userauth_hostbased: cannot get local ipaddr/name");
1830 key_free(private); 1829 key_free(private);
1831 xfree(blob); 1830 free(blob);
1832 return 0; 1831 return 0;
1833 } 1832 }
1834 xasprintf(&chost, "%s.", p); 1833 xasprintf(&chost, "%s.", p);
1835 debug2("userauth_hostbased: chost %s", chost); 1834 debug2("userauth_hostbased: chost %s", chost);
1836 xfree(p); 1835 free(p);
1837 1836
1838 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : 1837 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
1839 authctxt->service; 1838 authctxt->service;
@@ -1862,9 +1861,9 @@ userauth_hostbased(Authctxt *authctxt)
1862 buffer_free(&b); 1861 buffer_free(&b);
1863 if (ok != 0) { 1862 if (ok != 0) {
1864 error("key_sign failed"); 1863 error("key_sign failed");
1865 xfree(chost); 1864 free(chost);
1866 xfree(pkalg); 1865 free(pkalg);
1867 xfree(blob); 1866 free(blob);
1868 return 0; 1867 return 0;
1869 } 1868 }
1870 packet_start(SSH2_MSG_USERAUTH_REQUEST); 1869 packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -1877,10 +1876,10 @@ userauth_hostbased(Authctxt *authctxt)
1877 packet_put_cstring(authctxt->local_user); 1876 packet_put_cstring(authctxt->local_user);
1878 packet_put_string(signature, slen); 1877 packet_put_string(signature, slen);
1879 memset(signature, 's', slen); 1878 memset(signature, 's', slen);
1880 xfree(signature); 1879 free(signature);
1881 xfree(chost); 1880 free(chost);
1882 xfree(pkalg); 1881 free(pkalg);
1883 xfree(blob); 1882 free(blob);
1884 1883
1885 packet_send(); 1884 packet_send();
1886 return 1; 1885 return 1;
@@ -1935,8 +1934,8 @@ userauth_jpake(Authctxt *authctxt)
1935 1934
1936 bzero(x1_proof, x1_proof_len); 1935 bzero(x1_proof, x1_proof_len);
1937 bzero(x2_proof, x2_proof_len); 1936 bzero(x2_proof, x2_proof_len);
1938 xfree(x1_proof); 1937 free(x1_proof);
1939 xfree(x2_proof); 1938 free(x2_proof);
1940 1939
1941 /* Expect step 1 packet from peer */ 1940 /* Expect step 1 packet from peer */
1942 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, 1941 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
@@ -2013,8 +2012,7 @@ authmethod_get(char *authlist)
2013 2012
2014 if (supported == NULL || strcmp(authlist, supported) != 0) { 2013 if (supported == NULL || strcmp(authlist, supported) != 0) {
2015 debug3("start over, passed a different list %s", authlist); 2014 debug3("start over, passed a different list %s", authlist);
2016 if (supported != NULL) 2015 free(supported);
2017 xfree(supported);
2018 supported = xstrdup(authlist); 2016 supported = xstrdup(authlist);
2019 preferred = options.preferred_authentications; 2017 preferred = options.preferred_authentications;
2020 debug3("preferred %s", preferred); 2018 debug3("preferred %s", preferred);
@@ -2035,9 +2033,10 @@ authmethod_get(char *authlist)
2035 authmethod_is_enabled(current)) { 2033 authmethod_is_enabled(current)) {
2036 debug3("authmethod_is_enabled %s", name); 2034 debug3("authmethod_is_enabled %s", name);
2037 debug("Next authentication method: %s", name); 2035 debug("Next authentication method: %s", name);
2038 xfree(name); 2036 free(name);
2039 return current; 2037 return current;
2040 } 2038 }
2039 free(name);
2041 } 2040 }
2042} 2041}
2043 2042
diff --git a/sshd.0 b/sshd.0
index 83f9a881b..c48b987f9 100644
--- a/sshd.0
+++ b/sshd.0
@@ -5,8 +5,9 @@ NAME
5 5
6SYNOPSIS 6SYNOPSIS
7 sshd [-46DdeiqTt] [-b bits] [-C connection_spec] 7 sshd [-46DdeiqTt] [-b bits] [-C connection_spec]
8 [-c host_certificate_file] [-f config_file] [-g login_grace_time] 8 [-c host_certificate_file] [-E log_file] [-f config_file]
9 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] 9 [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
10 [-o option] [-p port] [-u len]
10 11
11DESCRIPTION 12DESCRIPTION
12 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these 13 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
@@ -60,8 +61,10 @@ DESCRIPTION
60 option is only intended for debugging for the server. Multiple 61 option is only intended for debugging for the server. Multiple
61 -d options increase the debugging level. Maximum is 3. 62 -d options increase the debugging level. Maximum is 3.
62 63
63 -e When this option is specified, sshd will send the output to the 64 -E log_file
64 standard error instead of the system log. 65 Append debug logs to log_file instead of the system log.
66
67 -e Write debug logs to standard error instead of the system log.
65 68
66 -f config_file 69 -f config_file
67 Specifies the name of the configuration file. The default is 70 Specifies the name of the configuration file. The default is
@@ -634,4 +637,4 @@ CAVEATS
634 System security is not improved unless rshd, rlogind, and rexecd are 637 System security is not improved unless rshd, rlogind, and rexecd are
635 disabled (thus completely disabling rlogin and rsh into the machine). 638 disabled (thus completely disabling rlogin and rsh into the machine).
636 639
637OpenBSD 5.3 October 4, 2012 OpenBSD 5.3 640OpenBSD 5.4 June 27, 2013 OpenBSD 5.4
diff --git a/sshd.8 b/sshd.8
index e7ec82e64..b91f08cff 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ 36.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $
37.Dd $Mdocdate: October 4 2012 $ 37.Dd $Mdocdate: June 27 2013 $
38.Dt SSHD 8 38.Dt SSHD 8
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -47,6 +47,7 @@
47.Op Fl b Ar bits 47.Op Fl b Ar bits
48.Op Fl C Ar connection_spec 48.Op Fl C Ar connection_spec
49.Op Fl c Ar host_certificate_file 49.Op Fl c Ar host_certificate_file
50.Op Fl E Ar log_file
50.Op Fl f Ar config_file 51.Op Fl f Ar config_file
51.Op Fl g Ar login_grace_time 52.Op Fl g Ar login_grace_time
52.Op Fl h Ar host_key_file 53.Op Fl h Ar host_key_file
@@ -149,10 +150,12 @@ Multiple
149.Fl d 150.Fl d
150options increase the debugging level. 151options increase the debugging level.
151Maximum is 3. 152Maximum is 3.
153.It Fl E Ar log_file
154Append debug logs to
155.Ar log_file
156instead of the system log.
152.It Fl e 157.It Fl e
153When this option is specified, 158Write debug logs to standard error instead of the system log.
154.Nm
155will send the output to the standard error instead of the system log.
156.It Fl f Ar config_file 159.It Fl f Ar config_file
157Specifies the name of the configuration file. 160Specifies the name of the configuration file.
158The default is 161The default is
@@ -567,9 +570,7 @@ is enabled.
567Specifies that in addition to public key authentication, either the canonical 570Specifies that in addition to public key authentication, either the canonical
568name of the remote host or its IP address must be present in the 571name of the remote host or its IP address must be present in the
569comma-separated list of patterns. 572comma-separated list of patterns.
570See 573See PATTERNS in
571.Sx PATTERNS
572in
573.Xr ssh_config 5 574.Xr ssh_config 5
574for more information on patterns. 575for more information on patterns.
575.Pp 576.Pp
diff --git a/sshd.c b/sshd.c
index 0c260a50d..72e9eaf47 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ 1/* $OpenBSD: sshd.c,v 1.404 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -106,6 +106,7 @@
106#include "canohost.h" 106#include "canohost.h"
107#include "hostfile.h" 107#include "hostfile.h"
108#include "auth.h" 108#include "auth.h"
109#include "authfd.h"
109#include "misc.h" 110#include "misc.h"
110#include "msg.h" 111#include "msg.h"
111#include "dispatch.h" 112#include "dispatch.h"
@@ -198,6 +199,10 @@ char *server_version_string = NULL;
198/* for rekeying XXX fixme */ 199/* for rekeying XXX fixme */
199Kex *xxx_kex; 200Kex *xxx_kex;
200 201
202/* Daemon's agent connection */
203AuthenticationConnection *auth_conn = NULL;
204int have_agent = 0;
205
201/* 206/*
202 * Any really sensitive data in the application is contained in this 207 * Any really sensitive data in the application is contained in this
203 * structure. The idea is that this structure could be locked into memory so 208 * structure. The idea is that this structure could be locked into memory so
@@ -210,6 +215,7 @@ struct {
210 Key *server_key; /* ephemeral server key */ 215 Key *server_key; /* ephemeral server key */
211 Key *ssh1_host_key; /* ssh1 host key */ 216 Key *ssh1_host_key; /* ssh1 host key */
212 Key **host_keys; /* all private host keys */ 217 Key **host_keys; /* all private host keys */
218 Key **host_pubkeys; /* all public host keys */
213 Key **host_certificates; /* all public host certificates */ 219 Key **host_certificates; /* all public host certificates */
214 int have_ssh1_key; 220 int have_ssh1_key;
215 int have_ssh2_key; 221 int have_ssh2_key;
@@ -658,6 +664,8 @@ privsep_preauth(Authctxt *authctxt)
658 debug2("Network child is on pid %ld", (long)pid); 664 debug2("Network child is on pid %ld", (long)pid);
659 665
660 pmonitor->m_pid = pid; 666 pmonitor->m_pid = pid;
667 if (have_agent)
668 auth_conn = ssh_get_authentication_connection();
661 if (box != NULL) 669 if (box != NULL)
662 ssh_sandbox_parent_preauth(box, pid); 670 ssh_sandbox_parent_preauth(box, pid);
663 monitor_child_preauth(authctxt, pmonitor); 671 monitor_child_preauth(authctxt, pmonitor);
@@ -772,6 +780,8 @@ list_hostkey_types(void)
772 for (i = 0; i < options.num_host_key_files; i++) { 780 for (i = 0; i < options.num_host_key_files; i++) {
773 key = sensitive_data.host_keys[i]; 781 key = sensitive_data.host_keys[i];
774 if (key == NULL) 782 if (key == NULL)
783 key = sensitive_data.host_pubkeys[i];
784 if (key == NULL)
775 continue; 785 continue;
776 switch (key->type) { 786 switch (key->type) {
777 case KEY_RSA: 787 case KEY_RSA:
@@ -824,6 +834,8 @@ get_hostkey_by_type(int type, int need_private)
824 break; 834 break;
825 default: 835 default:
826 key = sensitive_data.host_keys[i]; 836 key = sensitive_data.host_keys[i];
837 if (key == NULL && !need_private)
838 key = sensitive_data.host_pubkeys[i];
827 break; 839 break;
828 } 840 }
829 if (key != NULL && key->type == type) 841 if (key != NULL && key->type == type)
@@ -853,6 +865,14 @@ get_hostkey_by_index(int ind)
853 return (sensitive_data.host_keys[ind]); 865 return (sensitive_data.host_keys[ind]);
854} 866}
855 867
868Key *
869get_hostkey_public_by_index(int ind)
870{
871 if (ind < 0 || ind >= options.num_host_key_files)
872 return (NULL);
873 return (sensitive_data.host_pubkeys[ind]);
874}
875
856int 876int
857get_hostkey_index(Key *key) 877get_hostkey_index(Key *key)
858{ 878{
@@ -865,6 +885,8 @@ get_hostkey_index(Key *key)
865 } else { 885 } else {
866 if (key == sensitive_data.host_keys[i]) 886 if (key == sensitive_data.host_keys[i])
867 return (i); 887 return (i);
888 if (key == sensitive_data.host_pubkeys[i])
889 return (i);
868 } 890 }
869 } 891 }
870 return (-1); 892 return (-1);
@@ -905,8 +927,9 @@ usage(void)
905 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); 927 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
906 fprintf(stderr, 928 fprintf(stderr,
907"usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" 929"usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
908" [-f config_file] [-g login_grace_time] [-h host_key_file]\n" 930" [-E log_file] [-f config_file] [-g login_grace_time]\n"
909" [-k key_gen_time] [-o option] [-p port] [-u len]\n" 931" [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n"
932" [-u len]\n"
910 ); 933 );
911 exit(1); 934 exit(1);
912} 935}
@@ -977,7 +1000,7 @@ recv_rexec_state(int fd, Buffer *conf)
977 cp = buffer_get_string(&m, &len); 1000 cp = buffer_get_string(&m, &len);
978 if (conf != NULL) 1001 if (conf != NULL)
979 buffer_append(conf, cp, len + 1); 1002 buffer_append(conf, cp, len + 1);
980 xfree(cp); 1003 free(cp);
981 1004
982 if (buffer_get_int(&m)) { 1005 if (buffer_get_int(&m)) {
983 if (sensitive_data.server_key != NULL) 1006 if (sensitive_data.server_key != NULL)
@@ -1028,7 +1051,9 @@ server_accept_inetd(int *sock_in, int *sock_out)
1028 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { 1051 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
1029 dup2(fd, STDIN_FILENO); 1052 dup2(fd, STDIN_FILENO);
1030 dup2(fd, STDOUT_FILENO); 1053 dup2(fd, STDOUT_FILENO);
1031 if (fd > STDOUT_FILENO) 1054 if (!log_stderr)
1055 dup2(fd, STDERR_FILENO);
1056 if (fd > (log_stderr ? STDERR_FILENO : STDOUT_FILENO))
1032 close(fd); 1057 close(fd);
1033 } 1058 }
1034 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); 1059 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
@@ -1139,7 +1164,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1139 if (received_sighup) 1164 if (received_sighup)
1140 sighup_restart(); 1165 sighup_restart();
1141 if (fdset != NULL) 1166 if (fdset != NULL)
1142 xfree(fdset); 1167 free(fdset);
1143 fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), 1168 fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
1144 sizeof(fd_mask)); 1169 sizeof(fd_mask));
1145 1170
@@ -1188,8 +1213,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1188 *newsock = accept(listen_socks[i], 1213 *newsock = accept(listen_socks[i],
1189 (struct sockaddr *)&from, &fromlen); 1214 (struct sockaddr *)&from, &fromlen);
1190 if (*newsock < 0) { 1215 if (*newsock < 0) {
1191 if (errno != EINTR && errno != EAGAIN && 1216 if (errno != EINTR && errno != EWOULDBLOCK &&
1192 errno != EWOULDBLOCK) 1217 errno != ECONNABORTED && errno != EAGAIN)
1193 error("accept: %.100s", 1218 error("accept: %.100s",
1194 strerror(errno)); 1219 strerror(errno));
1195 if (errno == EMFILE || errno == ENFILE) 1220 if (errno == EMFILE || errno == ENFILE)
@@ -1340,12 +1365,14 @@ main(int ac, char **av)
1340 int sock_in = -1, sock_out = -1, newsock = -1; 1365 int sock_in = -1, sock_out = -1, newsock = -1;
1341 const char *remote_ip; 1366 const char *remote_ip;
1342 int remote_port; 1367 int remote_port;
1343 char *line; 1368 char *line, *logfile = NULL;
1344 int config_s[2] = { -1 , -1 }; 1369 int config_s[2] = { -1 , -1 };
1345 u_int n; 1370 u_int n;
1346 u_int64_t ibytes, obytes; 1371 u_int64_t ibytes, obytes;
1347 mode_t new_umask; 1372 mode_t new_umask;
1348 Key *key; 1373 Key *key;
1374 Key *pubkey;
1375 int keytype;
1349 Authctxt *authctxt; 1376 Authctxt *authctxt;
1350 struct connection_info *connection_info = get_connection_info(0, 0); 1377 struct connection_info *connection_info = get_connection_info(0, 0);
1351 1378
@@ -1378,7 +1405,7 @@ main(int ac, char **av)
1378 initialize_server_options(&options); 1405 initialize_server_options(&options);
1379 1406
1380 /* Parse command-line arguments. */ 1407 /* Parse command-line arguments. */
1381 while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) { 1408 while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeE:iqrtQRT46")) != -1) {
1382 switch (opt) { 1409 switch (opt) {
1383 case '4': 1410 case '4':
1384 options.address_family = AF_INET; 1411 options.address_family = AF_INET;
@@ -1407,6 +1434,9 @@ main(int ac, char **av)
1407 case 'D': 1434 case 'D':
1408 no_daemon_flag = 1; 1435 no_daemon_flag = 1;
1409 break; 1436 break;
1437 case 'E':
1438 logfile = xstrdup(optarg);
1439 /* FALLTHROUGH */
1410 case 'e': 1440 case 'e':
1411 log_stderr = 1; 1441 log_stderr = 1;
1412 break; 1442 break;
@@ -1485,7 +1515,7 @@ main(int ac, char **av)
1485 if (process_server_config_line(&options, line, 1515 if (process_server_config_line(&options, line,
1486 "command-line", 0, NULL, NULL) != 0) 1516 "command-line", 0, NULL, NULL) != 0)
1487 exit(1); 1517 exit(1);
1488 xfree(line); 1518 free(line);
1489 break; 1519 break;
1490 case '?': 1520 case '?':
1491 default: 1521 default:
@@ -1504,6 +1534,11 @@ main(int ac, char **av)
1504 1534
1505 OpenSSL_add_all_algorithms(); 1535 OpenSSL_add_all_algorithms();
1506 1536
1537 /* If requested, redirect the logs to the specified logfile. */
1538 if (logfile != NULL) {
1539 log_redirect_stderr_to(logfile);
1540 free(logfile);
1541 }
1507 /* 1542 /*
1508 * Force logging to stderr until we have loaded the private host 1543 * Force logging to stderr until we have loaded the private host
1509 * key (unless started from inetd) 1544 * key (unless started from inetd)
@@ -1612,32 +1647,55 @@ main(int ac, char **av)
1612 } else { 1647 } else {
1613 memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); 1648 memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
1614 privsep_pw = pwcopy(privsep_pw); 1649 privsep_pw = pwcopy(privsep_pw);
1615 xfree(privsep_pw->pw_passwd); 1650 free(privsep_pw->pw_passwd);
1616 privsep_pw->pw_passwd = xstrdup("*"); 1651 privsep_pw->pw_passwd = xstrdup("*");
1617 } 1652 }
1618 endpwent(); 1653 endpwent();
1619 1654
1620 /* load private host keys */ 1655 /* load host keys */
1621 sensitive_data.host_keys = xcalloc(options.num_host_key_files, 1656 sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1622 sizeof(Key *)); 1657 sizeof(Key *));
1623 for (i = 0; i < options.num_host_key_files; i++) 1658 sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
1659 sizeof(Key *));
1660 for (i = 0; i < options.num_host_key_files; i++) {
1624 sensitive_data.host_keys[i] = NULL; 1661 sensitive_data.host_keys[i] = NULL;
1662 sensitive_data.host_pubkeys[i] = NULL;
1663 }
1664
1665 if (options.host_key_agent) {
1666 if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME))
1667 setenv(SSH_AUTHSOCKET_ENV_NAME,
1668 options.host_key_agent, 1);
1669 have_agent = ssh_agent_present();
1670 }
1625 1671
1626 for (i = 0; i < options.num_host_key_files; i++) { 1672 for (i = 0; i < options.num_host_key_files; i++) {
1627 key = key_load_private(options.host_key_files[i], "", NULL); 1673 key = key_load_private(options.host_key_files[i], "", NULL);
1674 pubkey = key_load_public(options.host_key_files[i], NULL);
1628 sensitive_data.host_keys[i] = key; 1675 sensitive_data.host_keys[i] = key;
1629 if (key == NULL) { 1676 sensitive_data.host_pubkeys[i] = pubkey;
1677
1678 if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 &&
1679 have_agent) {
1680 debug("will rely on agent for hostkey %s",
1681 options.host_key_files[i]);
1682 keytype = pubkey->type;
1683 } else if (key != NULL) {
1684 keytype = key->type;
1685 } else {
1630 error("Could not load host key: %s", 1686 error("Could not load host key: %s",
1631 options.host_key_files[i]); 1687 options.host_key_files[i]);
1632 sensitive_data.host_keys[i] = NULL; 1688 sensitive_data.host_keys[i] = NULL;
1689 sensitive_data.host_pubkeys[i] = NULL;
1633 continue; 1690 continue;
1634 } 1691 }
1635 if (auth_key_is_revoked(key, 1)) { 1692 if (auth_key_is_revoked(key != NULL ? key : pubkey, 1)) {
1636 key_free(key);
1637 sensitive_data.host_keys[i] = NULL; 1693 sensitive_data.host_keys[i] = NULL;
1694 sensitive_data.host_pubkeys[i] = NULL;
1638 continue; 1695 continue;
1639 } 1696 }
1640 switch (key->type) { 1697
1698 switch (keytype) {
1641 case KEY_RSA1: 1699 case KEY_RSA1:
1642 sensitive_data.ssh1_host_key = key; 1700 sensitive_data.ssh1_host_key = key;
1643 sensitive_data.have_ssh1_key = 1; 1701 sensitive_data.have_ssh1_key = 1;
@@ -1648,8 +1706,8 @@ main(int ac, char **av)
1648 sensitive_data.have_ssh2_key = 1; 1706 sensitive_data.have_ssh2_key = 1;
1649 break; 1707 break;
1650 } 1708 }
1651 debug("private host key: #%d type %d %s", i, key->type, 1709 debug("private host key: #%d type %d %s", i, keytype,
1652 key_type(key)); 1710 key_type(key ? key : pubkey));
1653 } 1711 }
1654 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { 1712 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1655 logit("Disabling protocol version 1. Could not load host key"); 1713 logit("Disabling protocol version 1. Could not load host key");
@@ -1819,7 +1877,8 @@ main(int ac, char **av)
1819 1877
1820 /* Chdir to the root directory so that the current disk can be 1878 /* Chdir to the root directory so that the current disk can be
1821 unmounted if desired. */ 1879 unmounted if desired. */
1822 chdir("/"); 1880 if (chdir("/") == -1)
1881 error("chdir(\"/\"): %s", strerror(errno));
1823 1882
1824 /* ignore SIGPIPE */ 1883 /* ignore SIGPIPE */
1825 signal(SIGPIPE, SIG_IGN); 1884 signal(SIGPIPE, SIG_IGN);
@@ -2079,9 +2138,11 @@ main(int ac, char **av)
2079 buffer_init(&loginmsg); 2138 buffer_init(&loginmsg);
2080 auth_debug_reset(); 2139 auth_debug_reset();
2081 2140
2082 if (use_privsep) 2141 if (use_privsep) {
2083 if (privsep_preauth(authctxt) == 1) 2142 if (privsep_preauth(authctxt) == 1)
2084 goto authenticated; 2143 goto authenticated;
2144 } else if (compat20 && have_agent)
2145 auth_conn = ssh_get_authentication_connection();
2085 2146
2086 /* perform the key exchange */ 2147 /* perform the key exchange */
2087 /* authenticate user and start session */ 2148 /* authenticate user and start session */
@@ -2368,7 +2429,7 @@ do_ssh1_kex(void)
2368 MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); 2429 MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
2369 MD5_Final(session_key + 16, &md); 2430 MD5_Final(session_key + 16, &md);
2370 memset(buf, 0, bytes); 2431 memset(buf, 0, bytes);
2371 xfree(buf); 2432 free(buf);
2372 for (i = 0; i < 16; i++) 2433 for (i = 0; i < 16; i++)
2373 session_id[i] = session_key[i] ^ session_key[i + 16]; 2434 session_id[i] = session_key[i] ^ session_key[i + 16];
2374 } 2435 }
@@ -2395,6 +2456,23 @@ do_ssh1_kex(void)
2395 packet_write_wait(); 2456 packet_write_wait();
2396} 2457}
2397 2458
2459void
2460sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
2461 u_char *data, u_int dlen)
2462{
2463 if (privkey) {
2464 if (PRIVSEP(key_sign(privkey, signature, slen, data, dlen) < 0))
2465 fatal("%s: key_sign failed", __func__);
2466 } else if (use_privsep) {
2467 if (mm_key_sign(pubkey, signature, slen, data, dlen) < 0)
2468 fatal("%s: pubkey_sign failed", __func__);
2469 } else {
2470 if (ssh_agent_sign(auth_conn, pubkey, signature, slen, data,
2471 dlen))
2472 fatal("%s: ssh_agent_sign failed", __func__);
2473 }
2474}
2475
2398/* 2476/*
2399 * SSH2 key exchange: diffie-hellman-group1-sha1 2477 * SSH2 key exchange: diffie-hellman-group1-sha1
2400 */ 2478 */
@@ -2426,6 +2504,10 @@ do_ssh2_kex(void)
2426 if (options.kex_algorithms != NULL) 2504 if (options.kex_algorithms != NULL)
2427 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2505 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2428 2506
2507 if (options.rekey_limit || options.rekey_interval)
2508 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2509 (time_t)options.rekey_interval);
2510
2429 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2511 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2430 2512
2431#ifdef GSSAPI 2513#ifdef GSSAPI
@@ -2490,6 +2572,7 @@ do_ssh2_kex(void)
2490 kex->load_host_public_key=&get_hostkey_public_by_type; 2572 kex->load_host_public_key=&get_hostkey_public_by_type;
2491 kex->load_host_private_key=&get_hostkey_private_by_type; 2573 kex->load_host_private_key=&get_hostkey_private_by_type;
2492 kex->host_key_index=&get_hostkey_index; 2574 kex->host_key_index=&get_hostkey_index;
2575 kex->sign = sshd_hostkey_sign;
2493 2576
2494 xxx_kex = kex; 2577 xxx_kex = kex;
2495 2578
diff --git a/sshd_config b/sshd_config
index 5de6846ef..9cfe28d03 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ 1# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -29,6 +29,9 @@
29#KeyRegenerationInterval 1h 29#KeyRegenerationInterval 1h
30#ServerKeyBits 1024 30#ServerKeyBits 1024
31 31
32# Ciphers and keying
33#RekeyLimit default none
34
32# Logging 35# Logging
33# obsoletes QuietMode and FascistLogging 36# obsoletes QuietMode and FascistLogging
34#SyslogFacility AUTH 37#SyslogFacility AUTH
diff --git a/sshd_config.0 b/sshd_config.0
index 2648db3d4..5f1df7b58 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -90,6 +90,13 @@ DESCRIPTION
90 example, it would not be possible to attempt password or 90 example, it would not be possible to attempt password or
91 keyboard-interactive authentication before public key. 91 keyboard-interactive authentication before public key.
92 92
93 For keyboard interactive authentication it is also possible to
94 restrict authentication to a specific device by appending a colon
95 followed by the device identifier ``bsdauth'', ``pam'', or
96 ``skey'', depending on the server configuration. For example,
97 ``keyboard-interactive:bsdauth'' would restrict keyboard
98 interactive authentication to the ``bsdauth'' device.
99
93 This option is only available for SSH protocol 2 and will yield a 100 This option is only available for SSH protocol 2 and will yield a
94 fatal error if enabled if protocol 1 is also enabled. Note that 101 fatal error if enabled if protocol 1 is also enabled. Note that
95 each authentication method listed should also be explicitly 102 each authentication method listed should also be explicitly
@@ -99,7 +106,8 @@ DESCRIPTION
99 106
100 AuthorizedKeysCommand 107 AuthorizedKeysCommand
101 Specifies a program to be used to look up the user's public keys. 108 Specifies a program to be used to look up the user's public keys.
102 The program will be invoked with a single argument of the 109 The program must be owned by root and not writable by group or
110 others. It will be invoked with a single argument of the
103 username being authenticated, and should produce on standard 111 username being authenticated, and should produce on standard
104 output zero or more lines of authorized_keys output (see 112 output zero or more lines of authorized_keys output (see
105 AUTHORIZED_KEYS in sshd(8)). If a key supplied by 113 AUTHORIZED_KEYS in sshd(8)). If a key supplied by
@@ -322,7 +330,16 @@ DESCRIPTION
322 sshd(8) will refuse to use a file if it is group/world- 330 sshd(8) will refuse to use a file if it is group/world-
323 accessible. It is possible to have multiple host key files. 331 accessible. It is possible to have multiple host key files.
324 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or 332 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or
325 ``rsa'' are used for version 2 of the SSH protocol. 333 ``rsa'' are used for version 2 of the SSH protocol. It is also
334 possible to specify public host key files instead. In this case
335 operations on the private key will be delegated to an
336 ssh-agent(1).
337
338 HostKeyAgent
339 Identifies the UNIX-domain socket used to communicate with an
340 agent that has access to the private host keys. If
341 ``SSH_AUTH_SOCK'' is specified, the location of the socket will
342 be read from the SSH_AUTH_SOCK environment variable.
326 343
327 IgnoreRhosts 344 IgnoreRhosts
328 Specifies that .rhosts and .shosts files will not be used in 345 Specifies that .rhosts and .shosts files will not be used in
@@ -461,8 +478,9 @@ DESCRIPTION
461 KbdInteractiveAuthentication, KerberosAuthentication, 478 KbdInteractiveAuthentication, KerberosAuthentication,
462 MaxAuthTries, MaxSessions, PasswordAuthentication, 479 MaxAuthTries, MaxSessions, PasswordAuthentication,
463 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, 480 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
464 PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, 481 PubkeyAuthentication, RekeyLimit, RhostsRSAAuthentication,
465 X11DisplayOffset, X11Forwarding and X11UseLocalHost. 482 RSAAuthentication, X11DisplayOffset, X11Forwarding and
483 X11UseLocalHost.
466 484
467 MaxAuthTries 485 MaxAuthTries
468 Specifies the maximum number of authentication attempts permitted 486 Specifies the maximum number of authentication attempts permitted
@@ -571,6 +589,21 @@ DESCRIPTION
571 default is ``yes''. Note that this option applies to protocol 589 default is ``yes''. Note that this option applies to protocol
572 version 2 only. 590 version 2 only.
573 591
592 RekeyLimit
593 Specifies the maximum amount of data that may be transmitted
594 before the session key is renegotiated, optionally followed a
595 maximum amount of time that may pass before the session key is
596 renegotiated. The first argument is specified in bytes and may
597 have a suffix of `K', `M', or `G' to indicate Kilobytes,
598 Megabytes, or Gigabytes, respectively. The default is between
599 `1G' and `4G', depending on the cipher. The optional second
600 value is specified in seconds and may use any of the units
601 documented in the TIME FORMATS section. The default value for
602 RekeyLimit is ``default none'', which means that rekeying is
603 performed after the cipher's default amount of data has been sent
604 or received and no time based rekeying is done. This option
605 applies to protocol version 2 only.
606
574 RevokedKeys 607 RevokedKeys
575 Specifies revoked public keys. Keys listed in this file will be 608 Specifies revoked public keys. Keys listed in this file will be
576 refused for public key authentication. Note that if this file is 609 refused for public key authentication. Note that if this file is
@@ -777,4 +810,4 @@ AUTHORS
777 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 810 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
778 for privilege separation. 811 for privilege separation.
779 812
780OpenBSD 5.3 February 6, 2013 OpenBSD 5.3 813OpenBSD 5.4 July 19, 2013 OpenBSD 5.4
diff --git a/sshd_config.5 b/sshd_config.5
index 251d847fd..faf93fc90 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
37.Dd $Mdocdate: February 6 2013 $ 37.Dd $Mdocdate: July 19 2013 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -144,9 +144,7 @@ The allow/deny directives are processed in the following order:
144and finally 144and finally
145.Cm AllowGroups . 145.Cm AllowGroups .
146.Pp 146.Pp
147See 147See PATTERNS in
148.Sx PATTERNS
149in
150.Xr ssh_config 5 148.Xr ssh_config 5
151for more information on patterns. 149for more information on patterns.
152.It Cm AllowTcpForwarding 150.It Cm AllowTcpForwarding
@@ -186,9 +184,7 @@ The allow/deny directives are processed in the following order:
186and finally 184and finally
187.Cm AllowGroups . 185.Cm AllowGroups .
188.Pp 186.Pp
189See 187See PATTERNS in
190.Sx PATTERNS
191in
192.Xr ssh_config 5 188.Xr ssh_config 5
193for more information on patterns. 189for more information on patterns.
194.It Cm AuthenticationMethods 190.It Cm AuthenticationMethods
@@ -207,6 +203,20 @@ Only methods that are next in one or more lists are offered at each stage,
207so for this example, it would not be possible to attempt password or 203so for this example, it would not be possible to attempt password or
208keyboard-interactive authentication before public key. 204keyboard-interactive authentication before public key.
209.Pp 205.Pp
206For keyboard interactive authentication it is also possible to
207restrict authentication to a specific device by appending a
208colon followed by the device identifier
209.Dq bsdauth ,
210.Dq pam ,
211or
212.Dq skey ,
213depending on the server configuration.
214For example,
215.Dq keyboard-interactive:bsdauth
216would restrict keyboard interactive authentication to the
217.Dq bsdauth
218device.
219.Pp
210This option is only available for SSH protocol 2 and will yield a fatal 220This option is only available for SSH protocol 2 and will yield a fatal
211error if enabled if protocol 1 is also enabled. 221error if enabled if protocol 1 is also enabled.
212Note that each authentication method listed should also be explicitly enabled 222Note that each authentication method listed should also be explicitly enabled
@@ -215,11 +225,10 @@ The default is not to require multiple authentication; successful completion
215of a single authentication method is sufficient. 225of a single authentication method is sufficient.
216.It Cm AuthorizedKeysCommand 226.It Cm AuthorizedKeysCommand
217Specifies a program to be used to look up the user's public keys. 227Specifies a program to be used to look up the user's public keys.
218The program will be invoked with a single argument of the username 228The program must be owned by root and not writable by group or others.
229It will be invoked with a single argument of the username
219being authenticated, and should produce on standard output zero or 230being authenticated, and should produce on standard output zero or
220more lines of authorized_keys output (see 231more lines of authorized_keys output (see AUTHORIZED_KEYS in
221.Sx AUTHORIZED_KEYS
222in
223.Xr sshd 8 ) . 232.Xr sshd 8 ) .
224If a key supplied by AuthorizedKeysCommand does not successfully authenticate 233If a key supplied by AuthorizedKeysCommand does not successfully authenticate
225and authorize the user then public key authentication continues using the usual 234and authorize the user then public key authentication continues using the usual
@@ -234,7 +243,7 @@ than running authorized keys commands.
234Specifies the file that contains the public keys that can be used 243Specifies the file that contains the public keys that can be used
235for user authentication. 244for user authentication.
236The format is described in the 245The format is described in the
237.Sx AUTHORIZED_KEYS FILE FORMAT 246AUTHORIZED_KEYS FILE FORMAT
238section of 247section of
239.Xr sshd 8 . 248.Xr sshd 8 .
240.Cm AuthorizedKeysFile 249.Cm AuthorizedKeysFile
@@ -258,9 +267,7 @@ When using certificates signed by a key listed in
258this file lists names, one of which must appear in the certificate for it 267this file lists names, one of which must appear in the certificate for it
259to be accepted for authentication. 268to be accepted for authentication.
260Names are listed one per line preceded by key options (as described 269Names are listed one per line preceded by key options (as described
261in 270in AUTHORIZED_KEYS FILE FORMAT in
262.Sx AUTHORIZED_KEYS FILE FORMAT
263in
264.Xr sshd 8 ) . 271.Xr sshd 8 ) .
265Empty lines and comments starting with 272Empty lines and comments starting with
266.Ql # 273.Ql #
@@ -442,9 +449,7 @@ The allow/deny directives are processed in the following order:
442and finally 449and finally
443.Cm AllowGroups . 450.Cm AllowGroups .
444.Pp 451.Pp
445See 452See PATTERNS in
446.Sx PATTERNS
447in
448.Xr ssh_config 5 453.Xr ssh_config 5
449for more information on patterns. 454for more information on patterns.
450.It Cm DenyUsers 455.It Cm DenyUsers
@@ -463,9 +468,7 @@ The allow/deny directives are processed in the following order:
463and finally 468and finally
464.Cm AllowGroups . 469.Cm AllowGroups .
465.Pp 470.Pp
466See 471See PATTERNS in
467.Sx PATTERNS
468in
469.Xr ssh_config 5 472.Xr ssh_config 5
470for more information on patterns. 473for more information on patterns.
471.It Cm ForceCommand 474.It Cm ForceCommand
@@ -602,6 +605,18 @@ keys are used for version 1 and
602or 605or
603.Dq rsa 606.Dq rsa
604are used for version 2 of the SSH protocol. 607are used for version 2 of the SSH protocol.
608It is also possible to specify public host key files instead.
609In this case operations on the private key will be delegated
610to an
611.Xr ssh-agent 1 .
612.It Cm HostKeyAgent
613Identifies the UNIX-domain socket used to communicate
614with an agent that has access to the private host keys.
615If
616.Dq SSH_AUTH_SOCK
617is specified, the location of the socket will be read from the
618.Ev SSH_AUTH_SOCK
619environment variable.
605.It Cm IgnoreRhosts 620.It Cm IgnoreRhosts
606Specifies that 621Specifies that
607.Pa .rhosts 622.Pa .rhosts
@@ -805,8 +820,7 @@ and
805.Cm Address . 820.Cm Address .
806The match patterns may consist of single entries or comma-separated 821The match patterns may consist of single entries or comma-separated
807lists and may use the wildcard and negation operators described in the 822lists and may use the wildcard and negation operators described in the
808.Sx PATTERNS 823PATTERNS section of
809section of
810.Xr ssh_config 5 . 824.Xr ssh_config 5 .
811.Pp 825.Pp
812The patterns in an 826The patterns in an
@@ -858,6 +872,7 @@ Available keywords are
858.Cm PermitRootLogin , 872.Cm PermitRootLogin ,
859.Cm PermitTunnel , 873.Cm PermitTunnel ,
860.Cm PubkeyAuthentication , 874.Cm PubkeyAuthentication ,
875.Cm RekeyLimit ,
861.Cm RhostsRSAAuthentication , 876.Cm RhostsRSAAuthentication ,
862.Cm RSAAuthentication , 877.Cm RSAAuthentication ,
863.Cm X11DisplayOffset , 878.Cm X11DisplayOffset ,
@@ -1066,6 +1081,32 @@ Specifies whether public key authentication is allowed.
1066The default is 1081The default is
1067.Dq yes . 1082.Dq yes .
1068Note that this option applies to protocol version 2 only. 1083Note that this option applies to protocol version 2 only.
1084.It Cm RekeyLimit
1085Specifies the maximum amount of data that may be transmitted before the
1086session key is renegotiated, optionally followed a maximum amount of
1087time that may pass before the session key is renegotiated.
1088The first argument is specified in bytes and may have a suffix of
1089.Sq K ,
1090.Sq M ,
1091or
1092.Sq G
1093to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1094The default is between
1095.Sq 1G
1096and
1097.Sq 4G ,
1098depending on the cipher.
1099The optional second value is specified in seconds and may use any of the
1100units documented in the
1101.Sx TIME FORMATS
1102section.
1103The default value for
1104.Cm RekeyLimit
1105is
1106.Dq default none ,
1107which means that rekeying is performed after the cipher's default amount
1108of data has been sent or received and no time based rekeying is done.
1109This option applies to protocol version 2 only.
1069.It Cm RevokedKeys 1110.It Cm RevokedKeys
1070Specifies revoked public keys. 1111Specifies revoked public keys.
1071Keys listed in this file will be refused for public key authentication. 1112Keys listed in this file will be refused for public key authentication.
@@ -1074,9 +1115,7 @@ be refused for all users.
1074Keys may be specified as a text file, listing one public key per line, or as 1115Keys may be specified as a text file, listing one public key per line, or as
1075an OpenSSH Key Revocation List (KRL) as generated by 1116an OpenSSH Key Revocation List (KRL) as generated by
1076.Xr ssh-keygen 1 . 1117.Xr ssh-keygen 1 .
1077For more information on KRLs, see the 1118For more information on KRLs, see the KEY REVOCATION LISTS section in
1078.Sx KEY REVOCATION LISTS
1079section in
1080.Xr ssh-keygen 1 . 1119.Xr ssh-keygen 1 .
1081.It Cm RhostsRSAAuthentication 1120.It Cm RhostsRSAAuthentication
1082Specifies whether rhosts or /etc/hosts.equiv authentication together 1121Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1168,9 +1207,7 @@ listed in the certificate's principals list.
1168Note that certificates that lack a list of principals will not be permitted 1207Note that certificates that lack a list of principals will not be permitted
1169for authentication using 1208for authentication using
1170.Cm TrustedUserCAKeys . 1209.Cm TrustedUserCAKeys .
1171For more details on certificates, see the 1210For more details on certificates, see the CERTIFICATES section in
1172.Sx CERTIFICATES
1173section in
1174.Xr ssh-keygen 1 . 1211.Xr ssh-keygen 1 .
1175.It Cm UseDNS 1212.It Cm UseDNS
1176Specifies whether 1213Specifies whether
diff --git a/sshlogin.c b/sshlogin.c
index 54629f747..2688d8d7b 100644
--- a/sshlogin.c
+++ b/sshlogin.c
@@ -97,7 +97,7 @@ store_lastlog_message(const char *user, uid_t uid)
97 time_string = sys_auth_get_lastlogin_msg(user, uid); 97 time_string = sys_auth_get_lastlogin_msg(user, uid);
98 if (time_string != NULL) { 98 if (time_string != NULL) {
99 buffer_append(&loginmsg, time_string, strlen(time_string)); 99 buffer_append(&loginmsg, time_string, strlen(time_string));
100 xfree(time_string); 100 free(time_string);
101 } 101 }
102# else 102# else
103 last_login_time = get_last_login_time(uid, user, hostname, 103 last_login_time = get_last_login_time(uid, user, hostname,
diff --git a/sshlogin.h b/sshlogin.h
index 500d3fefd..52119a979 100644
--- a/sshlogin.h
+++ b/sshlogin.h
@@ -15,7 +15,7 @@
15void record_login(pid_t, const char *, const char *, uid_t, 15void record_login(pid_t, const char *, const char *, uid_t,
16 const char *, struct sockaddr *, socklen_t); 16 const char *, struct sockaddr *, socklen_t);
17void record_logout(pid_t, const char *, const char *); 17void record_logout(pid_t, const char *, const char *);
18time_t get_last_login_time(uid_t, const char *, char *, u_int); 18time_t get_last_login_time(uid_t, const char *, char *, size_t);
19 19
20#ifdef LOGIN_NEEDS_UTMPX 20#ifdef LOGIN_NEEDS_UTMPX
21void record_utmp_only(pid_t, const char *, const char *, const char *, 21void record_utmp_only(pid_t, const char *, const char *, const char *,
diff --git a/uidswap.c b/uidswap.c
index cdd7309e3..26d17f93a 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -90,8 +90,7 @@ temporarily_use_uid(struct passwd *pw)
90 if (getgroups(saved_egroupslen, saved_egroups) < 0) 90 if (getgroups(saved_egroupslen, saved_egroups) < 0)
91 fatal("getgroups: %.100s", strerror(errno)); 91 fatal("getgroups: %.100s", strerror(errno));
92 } else { /* saved_egroupslen == 0 */ 92 } else { /* saved_egroupslen == 0 */
93 if (saved_egroups != NULL) 93 free(saved_egroups);
94 xfree(saved_egroups);
95 } 94 }
96 95
97 /* set and save the user's groups */ 96 /* set and save the user's groups */
@@ -109,8 +108,7 @@ temporarily_use_uid(struct passwd *pw)
109 if (getgroups(user_groupslen, user_groups) < 0) 108 if (getgroups(user_groupslen, user_groups) < 0)
110 fatal("getgroups: %.100s", strerror(errno)); 109 fatal("getgroups: %.100s", strerror(errno));
111 } else { /* user_groupslen == 0 */ 110 } else { /* user_groupslen == 0 */
112 if (user_groups) 111 free(user_groups);
113 xfree(user_groups);
114 } 112 }
115 } 113 }
116 /* Set the effective uid to the given (unprivileged) uid. */ 114 /* Set the effective uid to the given (unprivileged) uid. */
diff --git a/umac.c b/umac.c
index 0567c37f9..99416a510 100644
--- a/umac.c
+++ b/umac.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */ 1/* $OpenBSD: umac.c,v 1.7 2013/07/22 05:00:17 djm Exp $ */
2/* ----------------------------------------------------------------------- 2/* -----------------------------------------------------------------------
3 * 3 *
4 * umac.c -- C Implementation UMAC Message Authentication 4 * umac.c -- C Implementation UMAC Message Authentication
@@ -132,13 +132,13 @@ typedef unsigned int UWORD; /* Register */
132/* ---------------------------------------------------------------------- */ 132/* ---------------------------------------------------------------------- */
133 133
134#if HAVE_SWAP32 134#if HAVE_SWAP32
135#define LOAD_UINT32_REVERSED(p) (swap32(*(UINT32 *)(p))) 135#define LOAD_UINT32_REVERSED(p) (swap32(*(const UINT32 *)(p)))
136#define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v)) 136#define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v))
137#else /* HAVE_SWAP32 */ 137#else /* HAVE_SWAP32 */
138 138
139static UINT32 LOAD_UINT32_REVERSED(void *ptr) 139static UINT32 LOAD_UINT32_REVERSED(const void *ptr)
140{ 140{
141 UINT32 temp = *(UINT32 *)ptr; 141 UINT32 temp = *(const UINT32 *)ptr;
142 temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 ) 142 temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 )
143 | ((temp & 0x0000FF00) << 8 ) | (temp << 24); 143 | ((temp & 0x0000FF00) << 8 ) | (temp << 24);
144 return (UINT32)temp; 144 return (UINT32)temp;
@@ -159,7 +159,7 @@ static void STORE_UINT32_REVERSED(void *ptr, UINT32 x)
159 */ 159 */
160 160
161#if (__LITTLE_ENDIAN__) 161#if (__LITTLE_ENDIAN__)
162#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr)) 162#define LOAD_UINT32_LITTLE(ptr) (*(const UINT32 *)(ptr))
163#define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x) 163#define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x)
164#else 164#else
165#define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr) 165#define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr)
@@ -184,7 +184,7 @@ typedef AES_KEY aes_int_key[1];
184#define aes_encryption(in,out,int_key) \ 184#define aes_encryption(in,out,int_key) \
185 AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key) 185 AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key)
186#define aes_key_setup(key,int_key) \ 186#define aes_key_setup(key,int_key) \
187 AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key) 187 AES_set_encrypt_key((const u_char *)(key),UMAC_KEY_LEN*8,int_key)
188 188
189/* The user-supplied UMAC key is stretched using AES in a counter 189/* The user-supplied UMAC key is stretched using AES in a counter
190 * mode to supply all random bits needed by UMAC. The kdf function takes 190 * mode to supply all random bits needed by UMAC. The kdf function takes
@@ -240,7 +240,7 @@ static void pdf_init(pdf_ctx *pc, aes_int_key prf_key)
240 aes_encryption(pc->nonce, pc->cache, pc->prf_key); 240 aes_encryption(pc->nonce, pc->cache, pc->prf_key);
241} 241}
242 242
243static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) 243static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8])
244{ 244{
245 /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes 245 /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes
246 * of the AES output. If last time around we returned the ndx-1st 246 * of the AES output. If last time around we returned the ndx-1st
@@ -254,19 +254,21 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8])
254#elif (UMAC_OUTPUT_LEN > 8) 254#elif (UMAC_OUTPUT_LEN > 8)
255#define LOW_BIT_MASK 0 255#define LOW_BIT_MASK 0
256#endif 256#endif
257 257 union {
258 UINT8 tmp_nonce_lo[4]; 258 UINT8 tmp_nonce_lo[4];
259 UINT32 align;
260 } t;
259#if LOW_BIT_MASK != 0 261#if LOW_BIT_MASK != 0
260 int ndx = nonce[7] & LOW_BIT_MASK; 262 int ndx = nonce[7] & LOW_BIT_MASK;
261#endif 263#endif
262 *(UINT32 *)tmp_nonce_lo = ((UINT32 *)nonce)[1]; 264 *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1];
263 tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ 265 t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */
264 266
265 if ( (((UINT32 *)tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || 267 if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) ||
266 (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) 268 (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) )
267 { 269 {
268 ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; 270 ((UINT32 *)pc->nonce)[0] = ((const UINT32 *)nonce)[0];
269 ((UINT32 *)pc->nonce)[1] = ((UINT32 *)tmp_nonce_lo)[0]; 271 ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0];
270 aes_encryption(pc->nonce, pc->cache, pc->prf_key); 272 aes_encryption(pc->nonce, pc->cache, pc->prf_key);
271 } 273 }
272 274
@@ -333,7 +335,7 @@ typedef struct {
333 335
334#if (UMAC_OUTPUT_LEN == 4) 336#if (UMAC_OUTPUT_LEN == 4)
335 337
336static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 338static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
337/* NH hashing primitive. Previous (partial) hash result is loaded and 339/* NH hashing primitive. Previous (partial) hash result is loaded and
338* then stored via hp pointer. The length of the data pointed at by "dp", 340* then stored via hp pointer. The length of the data pointed at by "dp",
339* "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key 341* "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key
@@ -343,7 +345,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
343 UINT64 h; 345 UINT64 h;
344 UWORD c = dlen / 32; 346 UWORD c = dlen / 32;
345 UINT32 *k = (UINT32 *)kp; 347 UINT32 *k = (UINT32 *)kp;
346 UINT32 *d = (UINT32 *)dp; 348 const UINT32 *d = (const UINT32 *)dp;
347 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 349 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
348 UINT32 k0,k1,k2,k3,k4,k5,k6,k7; 350 UINT32 k0,k1,k2,k3,k4,k5,k6,k7;
349 351
@@ -368,7 +370,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
368 370
369#elif (UMAC_OUTPUT_LEN == 8) 371#elif (UMAC_OUTPUT_LEN == 8)
370 372
371static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 373static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
372/* Same as previous nh_aux, but two streams are handled in one pass, 374/* Same as previous nh_aux, but two streams are handled in one pass,
373 * reading and writing 16 bytes of hash-state per call. 375 * reading and writing 16 bytes of hash-state per call.
374 */ 376 */
@@ -376,7 +378,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
376 UINT64 h1,h2; 378 UINT64 h1,h2;
377 UWORD c = dlen / 32; 379 UWORD c = dlen / 32;
378 UINT32 *k = (UINT32 *)kp; 380 UINT32 *k = (UINT32 *)kp;
379 UINT32 *d = (UINT32 *)dp; 381 const UINT32 *d = (const UINT32 *)dp;
380 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 382 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
381 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 383 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
382 k8,k9,k10,k11; 384 k8,k9,k10,k11;
@@ -415,7 +417,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
415 417
416#elif (UMAC_OUTPUT_LEN == 12) 418#elif (UMAC_OUTPUT_LEN == 12)
417 419
418static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 420static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
419/* Same as previous nh_aux, but two streams are handled in one pass, 421/* Same as previous nh_aux, but two streams are handled in one pass,
420 * reading and writing 24 bytes of hash-state per call. 422 * reading and writing 24 bytes of hash-state per call.
421*/ 423*/
@@ -423,7 +425,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
423 UINT64 h1,h2,h3; 425 UINT64 h1,h2,h3;
424 UWORD c = dlen / 32; 426 UWORD c = dlen / 32;
425 UINT32 *k = (UINT32 *)kp; 427 UINT32 *k = (UINT32 *)kp;
426 UINT32 *d = (UINT32 *)dp; 428 const UINT32 *d = (const UINT32 *)dp;
427 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 429 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
428 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 430 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
429 k8,k9,k10,k11,k12,k13,k14,k15; 431 k8,k9,k10,k11,k12,k13,k14,k15;
@@ -470,7 +472,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
470 472
471#elif (UMAC_OUTPUT_LEN == 16) 473#elif (UMAC_OUTPUT_LEN == 16)
472 474
473static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 475static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
474/* Same as previous nh_aux, but two streams are handled in one pass, 476/* Same as previous nh_aux, but two streams are handled in one pass,
475 * reading and writing 24 bytes of hash-state per call. 477 * reading and writing 24 bytes of hash-state per call.
476*/ 478*/
@@ -478,7 +480,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
478 UINT64 h1,h2,h3,h4; 480 UINT64 h1,h2,h3,h4;
479 UWORD c = dlen / 32; 481 UWORD c = dlen / 32;
480 UINT32 *k = (UINT32 *)kp; 482 UINT32 *k = (UINT32 *)kp;
481 UINT32 *d = (UINT32 *)dp; 483 const UINT32 *d = (const UINT32 *)dp;
482 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 484 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
483 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 485 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
484 k8,k9,k10,k11,k12,k13,k14,k15, 486 k8,k9,k10,k11,k12,k13,k14,k15,
@@ -539,7 +541,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
539 541
540/* ---------------------------------------------------------------------- */ 542/* ---------------------------------------------------------------------- */
541 543
542static void nh_transform(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) 544static void nh_transform(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes)
543/* This function is a wrapper for the primitive NH hash functions. It takes 545/* This function is a wrapper for the primitive NH hash functions. It takes
544 * as argument "hc" the current hash context and a buffer which must be a 546 * as argument "hc" the current hash context and a buffer which must be a
545 * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset 547 * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset
@@ -614,7 +616,7 @@ static void nh_init(nh_ctx *hc, aes_int_key prf_key)
614 616
615/* ---------------------------------------------------------------------- */ 617/* ---------------------------------------------------------------------- */
616 618
617static void nh_update(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) 619static void nh_update(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes)
618/* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */ 620/* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */
619/* even multiple of HASH_BUF_BYTES. */ 621/* even multiple of HASH_BUF_BYTES. */
620{ 622{
@@ -709,7 +711,7 @@ static void nh_final(nh_ctx *hc, UINT8 *result)
709 711
710/* ---------------------------------------------------------------------- */ 712/* ---------------------------------------------------------------------- */
711 713
712static void nh(nh_ctx *hc, UINT8 *buf, UINT32 padded_len, 714static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len,
713 UINT32 unpadded_len, UINT8 *result) 715 UINT32 unpadded_len, UINT8 *result)
714/* All-in-one nh_update() and nh_final() equivalent. 716/* All-in-one nh_update() and nh_final() equivalent.
715 * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is 717 * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is
@@ -1047,7 +1049,7 @@ static int uhash_free(uhash_ctx_t ctx)
1047#endif 1049#endif
1048/* ---------------------------------------------------------------------- */ 1050/* ---------------------------------------------------------------------- */
1049 1051
1050static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) 1052static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len)
1051/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and 1053/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and
1052 * hash each one with NH, calling the polyhash on each NH output. 1054 * hash each one with NH, calling the polyhash on each NH output.
1053 */ 1055 */
@@ -1057,7 +1059,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1057 UINT8 *nh_result = (UINT8 *)&result_buf; 1059 UINT8 *nh_result = (UINT8 *)&result_buf;
1058 1060
1059 if (ctx->msg_len + len <= L1_KEY_LEN) { 1061 if (ctx->msg_len + len <= L1_KEY_LEN) {
1060 nh_update(&ctx->hash, (UINT8 *)input, len); 1062 nh_update(&ctx->hash, (const UINT8 *)input, len);
1061 ctx->msg_len += len; 1063 ctx->msg_len += len;
1062 } else { 1064 } else {
1063 1065
@@ -1072,7 +1074,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1072 /* bytes to complete the current nh_block. */ 1074 /* bytes to complete the current nh_block. */
1073 if (bytes_hashed) { 1075 if (bytes_hashed) {
1074 bytes_remaining = (L1_KEY_LEN - bytes_hashed); 1076 bytes_remaining = (L1_KEY_LEN - bytes_hashed);
1075 nh_update(&ctx->hash, (UINT8 *)input, bytes_remaining); 1077 nh_update(&ctx->hash, (const UINT8 *)input, bytes_remaining);
1076 nh_final(&ctx->hash, nh_result); 1078 nh_final(&ctx->hash, nh_result);
1077 ctx->msg_len += bytes_remaining; 1079 ctx->msg_len += bytes_remaining;
1078 poly_hash(ctx,(UINT32 *)nh_result); 1080 poly_hash(ctx,(UINT32 *)nh_result);
@@ -1082,7 +1084,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1082 1084
1083 /* Hash directly from input stream if enough bytes */ 1085 /* Hash directly from input stream if enough bytes */
1084 while (len >= L1_KEY_LEN) { 1086 while (len >= L1_KEY_LEN) {
1085 nh(&ctx->hash, (UINT8 *)input, L1_KEY_LEN, 1087 nh(&ctx->hash, (const UINT8 *)input, L1_KEY_LEN,
1086 L1_KEY_LEN, nh_result); 1088 L1_KEY_LEN, nh_result);
1087 ctx->msg_len += L1_KEY_LEN; 1089 ctx->msg_len += L1_KEY_LEN;
1088 len -= L1_KEY_LEN; 1090 len -= L1_KEY_LEN;
@@ -1093,7 +1095,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1093 1095
1094 /* pass remaining < L1_KEY_LEN bytes of input data to NH */ 1096 /* pass remaining < L1_KEY_LEN bytes of input data to NH */
1095 if (len) { 1097 if (len) {
1096 nh_update(&ctx->hash, (UINT8 *)input, len); 1098 nh_update(&ctx->hash, (const UINT8 *)input, len);
1097 ctx->msg_len += len; 1099 ctx->msg_len += len;
1098 } 1100 }
1099 } 1101 }
@@ -1209,14 +1211,14 @@ int umac_delete(struct umac_ctx *ctx)
1209 if (ctx) { 1211 if (ctx) {
1210 if (ALLOC_BOUNDARY) 1212 if (ALLOC_BOUNDARY)
1211 ctx = (struct umac_ctx *)ctx->free_ptr; 1213 ctx = (struct umac_ctx *)ctx->free_ptr;
1212 xfree(ctx); 1214 free(ctx);
1213 } 1215 }
1214 return (1); 1216 return (1);
1215} 1217}
1216 1218
1217/* ---------------------------------------------------------------------- */ 1219/* ---------------------------------------------------------------------- */
1218 1220
1219struct umac_ctx *umac_new(u_char key[]) 1221struct umac_ctx *umac_new(const u_char key[])
1220/* Dynamically allocate a umac_ctx struct, initialize variables, 1222/* Dynamically allocate a umac_ctx struct, initialize variables,
1221 * generate subkeys from key. Align to 16-byte boundary. 1223 * generate subkeys from key. Align to 16-byte boundary.
1222 */ 1224 */
@@ -1233,7 +1235,7 @@ struct umac_ctx *umac_new(u_char key[])
1233 ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add); 1235 ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add);
1234 } 1236 }
1235 ctx->free_ptr = octx; 1237 ctx->free_ptr = octx;
1236 aes_key_setup(key,prf_key); 1238 aes_key_setup(key, prf_key);
1237 pdf_init(&ctx->pdf, prf_key); 1239 pdf_init(&ctx->pdf, prf_key);
1238 uhash_init(&ctx->hash, prf_key); 1240 uhash_init(&ctx->hash, prf_key);
1239 } 1241 }
@@ -1243,18 +1245,18 @@ struct umac_ctx *umac_new(u_char key[])
1243 1245
1244/* ---------------------------------------------------------------------- */ 1246/* ---------------------------------------------------------------------- */
1245 1247
1246int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]) 1248int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8])
1247/* Incorporate any pending data, pad, and generate tag */ 1249/* Incorporate any pending data, pad, and generate tag */
1248{ 1250{
1249 uhash_final(&ctx->hash, (u_char *)tag); 1251 uhash_final(&ctx->hash, (u_char *)tag);
1250 pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); 1252 pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag);
1251 1253
1252 return (1); 1254 return (1);
1253} 1255}
1254 1256
1255/* ---------------------------------------------------------------------- */ 1257/* ---------------------------------------------------------------------- */
1256 1258
1257int umac_update(struct umac_ctx *ctx, u_char *input, long len) 1259int umac_update(struct umac_ctx *ctx, const u_char *input, long len)
1258/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */ 1260/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */
1259/* hash each one, calling the PDF on the hashed output whenever the hash- */ 1261/* hash each one, calling the PDF on the hashed output whenever the hash- */
1260/* output buffer is full. */ 1262/* output buffer is full. */
diff --git a/umac.h b/umac.h
index 6795112a3..7fb770f8a 100644
--- a/umac.h
+++ b/umac.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ 1/* $OpenBSD: umac.h,v 1.3 2013/07/22 12:20:02 djm Exp $ */
2/* ----------------------------------------------------------------------- 2/* -----------------------------------------------------------------------
3 * 3 *
4 * umac.h -- C Implementation UMAC Message Authentication 4 * umac.h -- C Implementation UMAC Message Authentication
@@ -52,7 +52,7 @@
52 extern "C" { 52 extern "C" {
53#endif 53#endif
54 54
55struct umac_ctx *umac_new(u_char key[]); 55struct umac_ctx *umac_new(const u_char key[]);
56/* Dynamically allocate a umac_ctx struct, initialize variables, 56/* Dynamically allocate a umac_ctx struct, initialize variables,
57 * generate subkeys from key. 57 * generate subkeys from key.
58 */ 58 */
@@ -62,10 +62,10 @@ int umac_reset(struct umac_ctx *ctx);
62/* Reset a umac_ctx to begin authenicating a new message */ 62/* Reset a umac_ctx to begin authenicating a new message */
63#endif 63#endif
64 64
65int umac_update(struct umac_ctx *ctx, u_char *input, long len); 65int umac_update(struct umac_ctx *ctx, const u_char *input, long len);
66/* Incorporate len bytes pointed to by input into context ctx */ 66/* Incorporate len bytes pointed to by input into context ctx */
67 67
68int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); 68int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]);
69/* Incorporate any pending data and the ctr value, and return tag. 69/* Incorporate any pending data and the ctr value, and return tag.
70 * This function returns error code if ctr < 0. 70 * This function returns error code if ctr < 0.
71 */ 71 */
@@ -117,9 +117,9 @@ int uhash(uhash_ctx_t ctx,
117#endif 117#endif
118 118
119/* matching umac-128 API, we reuse umac_ctx, since it's opaque */ 119/* matching umac-128 API, we reuse umac_ctx, since it's opaque */
120struct umac_ctx *umac128_new(u_char key[]); 120struct umac_ctx *umac128_new(const u_char key[]);
121int umac128_update(struct umac_ctx *ctx, u_char *input, long len); 121int umac128_update(struct umac_ctx *ctx, const u_char *input, long len);
122int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); 122int umac128_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]);
123int umac128_delete(struct umac_ctx *ctx); 123int umac128_delete(struct umac_ctx *ctx);
124 124
125#ifdef __cplusplus 125#ifdef __cplusplus
diff --git a/uuencode.c b/uuencode.c
index 09d80d2fc..294c74304 100644
--- a/uuencode.c
+++ b/uuencode.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: uuencode.c,v 1.26 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: uuencode.c,v 1.27 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -29,6 +29,7 @@
29#include <netinet/in.h> 29#include <netinet/in.h>
30#include <resolv.h> 30#include <resolv.h>
31#include <stdio.h> 31#include <stdio.h>
32#include <stdlib.h>
32 33
33#include "xmalloc.h" 34#include "xmalloc.h"
34#include "uuencode.h" 35#include "uuencode.h"
@@ -67,7 +68,7 @@ uudecode(const char *src, u_char *target, size_t targsize)
67 /* and remove trailing whitespace because __b64_pton needs this */ 68 /* and remove trailing whitespace because __b64_pton needs this */
68 *p = '\0'; 69 *p = '\0';
69 len = __b64_pton(encoded, target, targsize); 70 len = __b64_pton(encoded, target, targsize);
70 xfree(encoded); 71 free(encoded);
71 return len; 72 return len;
72} 73}
73 74
@@ -90,5 +91,5 @@ dump_base64(FILE *fp, const u_char *data, u_int len)
90 } 91 }
91 if (i % 70 != 69) 92 if (i % 70 != 69)
92 fprintf(fp, "\n"); 93 fprintf(fp, "\n");
93 xfree(buf); 94 free(buf);
94} 95}
diff --git a/version.h b/version.h
index f4f5a68c8..7a30d0dd7 100644
--- a/version.h
+++ b/version.h
@@ -1,8 +1,8 @@
1/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */ 1/* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */
2 2
3#define SSH_VERSION "OpenSSH_6.2" 3#define SSH_VERSION "OpenSSH_6.3"
4 4
5#define SSH_PORTABLE "p2" 5#define SSH_PORTABLE "p1"
6#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE 6#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
7#ifdef SSH_EXTRAVERSION 7#ifdef SSH_EXTRAVERSION
8#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION 8#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
diff --git a/xmalloc.c b/xmalloc.c
index 9985b4cc2..92f781fd0 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: xmalloc.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -73,14 +73,6 @@ xrealloc(void *ptr, size_t nmemb, size_t size)
73 return new_ptr; 73 return new_ptr;
74} 74}
75 75
76void
77xfree(void *ptr)
78{
79 if (ptr == NULL)
80 fatal("xfree: NULL pointer given as argument");
81 free(ptr);
82}
83
84char * 76char *
85xstrdup(const char *str) 77xstrdup(const char *str)
86{ 78{
diff --git a/xmalloc.h b/xmalloc.h
index fb217a45c..261dfd612 100644
--- a/xmalloc.h
+++ b/xmalloc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: xmalloc.h,v 1.14 2013/05/17 00:13:14 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -19,7 +19,6 @@
19void *xmalloc(size_t); 19void *xmalloc(size_t);
20void *xcalloc(size_t, size_t); 20void *xcalloc(size_t, size_t);
21void *xrealloc(void *, size_t, size_t); 21void *xrealloc(void *, size_t, size_t);
22void xfree(void *);
23char *xstrdup(const char *); 22char *xstrdup(const char *);
24int xasprintf(char **, const char *, ...) 23int xasprintf(char **, const char *, ...)
25 __attribute__((__format__ (printf, 2, 3))) 24 __attribute__((__format__ (printf, 2, 3)))