-rw-r--r--ChangeLog631
-rw-r--r--Makefile.in20
-rw-r--r--README4
-rw-r--r--aclocal.m413
-rw-r--r--addrmatch.c6
-rw-r--r--auth-chall.c22
-rw-r--r--auth-krb5.c27
-rw-r--r--auth-options.c66
-rw-r--r--auth-pam.c44
-rw-r--r--auth-rsa.c23
-rw-r--r--auth.c48
-rw-r--r--auth.h16
-rw-r--r--auth1.c47
-rw-r--r--auth2-chall.c37
-rw-r--r--auth2-gss.c20
-rw-r--r--auth2-hostbased.c18
-rw-r--r--auth2-jpake.c24
-rw-r--r--auth2-kbdint.c6
-rw-r--r--auth2-passwd.c6
-rw-r--r--auth2-pubkey.c85
-rw-r--r--auth2.c93
-rw-r--r--authfd.c10
-rw-r--r--authfile.c14
-rw-r--r--bufaux.c12
-rw-r--r--bufbn.c18
-rw-r--r--bufec.c6
-rw-r--r--buffer.c4
-rw-r--r--buffer.h4
-rw-r--r--canohost.c10
-rw-r--r--channels.c137
-rw-r--r--channels.h9
-rw-r--r--cipher-3des1.c6
-rw-r--r--cipher-aes.c2
-rw-r--r--cipher-ctr.c2
-rw-r--r--cipher.c63
-rw-r--r--cipher.h13
-rw-r--r--clientloop.c91
-rw-r--r--clientloop.h3
-rw-r--r--compat.c6
-rwxr-xr-xconfig.guess262
-rw-r--r--config.h.in71
-rwxr-xr-xconfig.sub190
-rwxr-xr-xconfigure647
-rw-r--r--configure.ac147
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/cygwin/README212
-rw-r--r--contrib/cygwin/ssh-host-config4
-rw-r--r--contrib/cygwin/ssh-user-config6
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/ssh-copy-id2
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--defines.h24
-rw-r--r--dh.c74
-rw-r--r--dns.c10
-rwxr-xr-xfixalgorithms26
-rw-r--r--groupaccess.c9
-rw-r--r--gss-genr.c16
-rw-r--r--gss-serv-krb5.c44
-rw-r--r--gss-serv.c5
-rw-r--r--hostfile.c31
-rw-r--r--hostfile.h4
-rw-r--r--includes.h2
-rw-r--r--jpake.c8
-rw-r--r--kex.c130
-rw-r--r--kex.h17
-rw-r--r--kexdhc.c8
-rw-r--r--kexdhs.c16
-rw-r--r--kexecdh.c20
-rw-r--r--kexecdhc.c13
-rw-r--r--kexecdhs.c21
-rw-r--r--kexgexc.c8
-rw-r--r--kexgexs.c17
-rw-r--r--key.c291
-rw-r--r--key.h9
-rw-r--r--krl.c36
-rw-r--r--log.c20
-rw-r--r--log.h3
-rw-r--r--loginrec.c2
-rw-r--r--mac.c83
-rw-r--r--mac.h3
-rw-r--r--match.c15
-rw-r--r--misc.c59
-rw-r--r--misc.h3
-rw-r--r--moduli.02
-rw-r--r--moduli.c10
-rw-r--r--monitor.c214
-rw-r--r--monitor_mm.c13
-rw-r--r--monitor_wrap.c38
-rw-r--r--mux.c152
-rw-r--r--myproposal.h28
-rw-r--r--openbsd-compat/Makefile.in4
-rw-r--r--openbsd-compat/bsd-cygwin_util.c2
-rw-r--r--openbsd-compat/bsd-cygwin_util.h2
-rw-r--r--openbsd-compat/bsd-misc.h14
-rw-r--r--openbsd-compat/getopt.c123
-rw-r--r--openbsd-compat/getopt.h74
-rw-r--r--openbsd-compat/getopt_long.c532
-rw-r--r--openbsd-compat/getrrsetbyname-ldns.c1
-rw-r--r--openbsd-compat/openbsd-compat.h12
-rw-r--r--openbsd-compat/port-aix.c10
-rw-r--r--openbsd-compat/port-linux.c12
-rw-r--r--openbsd-compat/xcrypt.c7
-rw-r--r--packet.c74
-rw-r--r--packet.h7
-rw-r--r--pathnames.h22
-rw-r--r--progressmeter.c6
-rw-r--r--readconf.c128
-rw-r--r--readconf.h5
-rw-r--r--readpass.c4
-rw-r--r--regress/Makefile13
-rw-r--r--regress/agent-getpeereid.sh3
-rw-r--r--regress/agent-timeout.sh2
-rw-r--r--regress/agent.sh4
-rw-r--r--regress/bsd.regress.mk79
-rw-r--r--regress/cert-hostkey.sh48
-rw-r--r--regress/cert-userkey.sh10
-rw-r--r--regress/cfgmatch.sh17
-rw-r--r--regress/cipher-speed.sh2
-rw-r--r--regress/conch-ciphers.sh5
-rw-r--r--regress/dynamic-forward.sh4
-rw-r--r--regress/forcecommand.sh10
-rw-r--r--regress/forwarding.sh28
-rw-r--r--regress/integrity.sh22
-rw-r--r--regress/keytype.sh4
-rw-r--r--regress/krl.sh4
-rw-r--r--regress/localcommand.sh2
-rw-r--r--regress/login-timeout.sh2
-rwxr-xr-xregress/modpipe.c4
-rw-r--r--regress/multiplex.sh55
-rw-r--r--regress/portnum.sh2
-rw-r--r--regress/proto-version.sh4
-rw-r--r--regress/proxy-connect.sh10
-rw-r--r--regress/putty-ciphers.sh5
-rw-r--r--regress/putty-kex.sh5
-rw-r--r--regress/putty-transfer.sh5
-rw-r--r--regress/reexec.sh8
-rw-r--r--regress/rekey.sh103
-rwxr-xr-xregress/runtests.sh13
-rw-r--r--regress/scp.sh4
-rw-r--r--regress/sftp-badcmds.sh4
-rw-r--r--regress/sftp-batch.sh4
-rw-r--r--regress/sftp-chroot.sh25
-rw-r--r--regress/sftp-cmds.sh12
-rw-r--r--regress/sftp.sh5
-rw-r--r--regress/ssh-com-client.sh6
-rw-r--r--regress/ssh-com-sftp.sh4
-rw-r--r--regress/ssh-com.sh4
-rw-r--r--regress/sshd-log-wrapper.sh4
-rw-r--r--regress/stderr-after-eof.sh20
-rw-r--r--regress/stderr-data.sh6
-rw-r--r--regress/test-exec.sh143
-rw-r--r--regress/transfer.sh5
-rw-r--r--regress/try-ciphers.sh2
-rw-r--r--roaming_client.c9
-rw-r--r--roaming_common.c4
-rw-r--r--rsa.c10
-rw-r--r--sandbox-seccomp-filter.c1
-rw-r--r--sandbox-systrace.c3
-rw-r--r--schnorr.c18
-rw-r--r--scp.02
-rw-r--r--scp.18
-rw-r--r--scp.c91
-rw-r--r--servconf.c77
-rw-r--r--servconf.h6
-rw-r--r--serverloop.c49
-rw-r--r--session.c114
-rw-r--r--sftp-client.c135
-rw-r--r--sftp-client.h6
-rw-r--r--sftp-common.c6
-rw-r--r--sftp-glob.c6
-rw-r--r--sftp-server.04
-rw-r--r--sftp-server.810
-rw-r--r--sftp-server.c58
-rw-r--r--sftp.022
-rw-r--r--sftp.128
-rw-r--r--sftp.c217
-rw-r--r--ssh-add.02
-rw-r--r--ssh-add.c20
-rw-r--r--ssh-agent.02
-rw-r--r--ssh-agent.c95
-rw-r--r--ssh-dss.c10
-rw-r--r--ssh-ecdsa.c10
-rw-r--r--ssh-keygen.02
-rw-r--r--ssh-keygen.17
-rw-r--r--ssh-keygen.c116
-rw-r--r--ssh-keyscan.02
-rw-r--r--ssh-keyscan.18
-rw-r--r--ssh-keyscan.c16
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-keysign.86
-rw-r--r--ssh-keysign.c20
-rw-r--r--ssh-pkcs11-client.c10
-rw-r--r--ssh-pkcs11-helper.02
-rw-r--r--ssh-pkcs11-helper.86
-rw-r--r--ssh-pkcs11-helper.c24
-rw-r--r--ssh-pkcs11.c37
-rw-r--r--ssh-rsa.c23
-rw-r--r--ssh.023
-rw-r--r--ssh.136
-rw-r--r--ssh.c97
-rw-r--r--ssh_config3
-rw-r--r--ssh_config.037
-rw-r--r--ssh_config.546
-rw-r--r--sshconnect.c41
-rw-r--r--sshconnect1.c18
-rw-r--r--sshconnect2.c173
-rw-r--r--sshd.013
-rw-r--r--sshd.817
-rw-r--r--sshd.c125
-rw-r--r--sshd_config5
-rw-r--r--sshd_config.043
-rw-r--r--sshd_config.597
-rw-r--r--sshlogin.c2
-rw-r--r--sshlogin.h2
-rw-r--r--uidswap.c6
-rw-r--r--umac.c76
-rw-r--r--umac.h14
-rw-r--r--uuencode.c7
-rw-r--r--version.h6
-rw-r--r--xmalloc.c10
-rw-r--r--xmalloc.h3
221 files changed, 5477 insertions, 3186 deletions
diff --git a/ChangeLog b/ChangeLog
index f5e2df0d0..1a0d2545e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,17 +1,628 @@
120130913
2 - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code;
3 ok dtucker@
4 - (djm) [channels.c] sigh, typo s/buffet_/buffer_/
5 - (djm) Release 6.3p1
6
720130808
8 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt
9 since some platforms (eg really old FreeBSD) don't have it. Instead,
10 run "make clean" before a complete regress run. ok djm.
11 - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(
12 CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
13 CLOCK_MONOTONIC define but don't actually support it. Found and tested
14 by Kevin Brott, ok djm.
15 - (dtucker) [misc.c] Remove define added for fallback testing that was
16 mistakenly included in the previous commit.
17 - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt
18 removal. The "make clean" removes modpipe which is built by the top-level
19 directory before running the tests. Spotted by tim@
20
2120130804
22 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support
23 for building with older Heimdal versions. ok djm.
24
2520130801
26 - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-
27 blocking connecting socket will clear any stored errno that might
28 otherwise have been retrievable via getsockopt(). A hack to limit writes
29 to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
30 it in an #ifdef. Diagnosis and patch from Ivo Raisr.
31 - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134
32
3320130725
34 - (djm) OpenBSD CVS Sync
35 - djm@cvs.openbsd.org 2013/07/20 22:20:42
36 [krl.c]
37 fix verification error in (as-yet usused) KRL signature checking path
38 - djm@cvs.openbsd.org 2013/07/22 05:00:17
39 [umac.c]
40 make MAC key, data to be hashed and nonce for final hash const;
41 checked with -Wcast-qual
42 - djm@cvs.openbsd.org 2013/07/22 12:20:02
43 [umac.h]
44 oops, forgot to commit corresponding header change;
45 spotted by jsg and jasper
46 - djm@cvs.openbsd.org 2013/07/25 00:29:10
47 [ssh.c]
48 daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
49 it is fully detached from its controlling terminal. based on debugging
50 - djm@cvs.openbsd.org 2013/07/25 00:56:52
51 [sftp-client.c sftp-client.h sftp.1 sftp.c]
52 sftp support for resuming partial downloads; patch mostly by Loganaden
53 Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
54 "Just be careful" deraadt@
55 - djm@cvs.openbsd.org 2013/07/25 00:57:37
56 [version.h]
57 openssh-6.3 for release
58 - dtucker@cvs.openbsd.org 2013/05/30 20:12:32
59 [regress/test-exec.sh]
60 use ssh and sshd as testdata since it needs to be >256k for the rekey test
61 - dtucker@cvs.openbsd.org 2013/06/10 21:56:43
62 [regress/forwarding.sh]
63 Add test for forward config parsing
64 - djm@cvs.openbsd.org 2013/06/21 02:26:26
65 [regress/sftp-cmds.sh regress/test-exec.sh]
66 unbreak sftp-cmds for renamed test data (s/ls/data/)
67 - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on
68 Solaris and UnixWare. Feedback and OK djm@
69 - (tim) [regress/forwarding.sh] Fix for building outside source tree.
70
7120130720
72 - (djm) OpenBSD CVS Sync
73 - markus@cvs.openbsd.org 2013/07/19 07:37:48
74 [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
75 [servconf.h session.c sshd.c sshd_config.5]
76 add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
77 or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
78 ok djm@
79 - djm@cvs.openbsd.org 2013/07/20 01:43:46
80 [umac.c]
81 use a union to ensure correct alignment; ok deraadt
82 - djm@cvs.openbsd.org 2013/07/20 01:44:37
83 [ssh-keygen.c ssh.c]
84 More useful error message on missing current user in /etc/passwd
85 - djm@cvs.openbsd.org 2013/07/20 01:50:20
86 [ssh-agent.c]
87 call cleanup_handler on SIGINT when in debug mode to ensure sockets
88 are cleaned up on manual exit; bz#2120
89 - djm@cvs.openbsd.org 2013/07/20 01:55:13
90 [auth-krb5.c gss-serv-krb5.c gss-serv.c]
91 fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
92
9320130718
94 - (djm) OpenBSD CVS Sync
95 - dtucker@cvs.openbsd.org 2013/06/10 19:19:44
96 [readconf.c]
97 revert 1.203 while we investigate crashes reported by okan@
98 - guenther@cvs.openbsd.org 2013/06/17 04:48:42
99 [scp.c]
100 Handle time_t values as long long's when formatting them and when
101 parsing them from remote servers.
102 Improve error checking in parsing of 'T' lines.
103 ok dtucker@ deraadt@
104 - markus@cvs.openbsd.org 2013/06/20 19:15:06
105 [krl.c]
106 don't leak the rdata blob on errors; ok djm@
107 - djm@cvs.openbsd.org 2013/06/21 00:34:49
108 [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
109 for hostbased authentication, print the client host and user on
110 the auth success/failure line; bz#2064, ok dtucker@
111 - djm@cvs.openbsd.org 2013/06/21 00:37:49
112 [ssh_config.5]
113 explicitly mention that IdentitiesOnly can be used with IdentityFile
114 to control which keys are offered from an agent.
115 - djm@cvs.openbsd.org 2013/06/21 05:42:32
116 [dh.c]
117 sprinkle in some error() to explain moduli(5) parse failures
118 - djm@cvs.openbsd.org 2013/06/21 05:43:10
119 [scp.c]
120 make this -Wsign-compare clean after time_t conversion
121 - djm@cvs.openbsd.org 2013/06/22 06:31:57
122 [scp.c]
123 improved time_t overflow check suggested by guenther@
124 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
125 [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
126 do not use Sx for sections outwith the man page - ingo informs me that
127 stuff like html will render with broken links;
128 issue reported by Eric S. Raymond, via djm
129 - markus@cvs.openbsd.org 2013/07/02 12:31:43
130 [dh.c]
131 remove extra whitespace
132 - djm@cvs.openbsd.org 2013/07/12 00:19:59
133 [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
134 [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
135 fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
136 - djm@cvs.openbsd.org 2013/07/12 00:20:00
137 [sftp.c ssh-keygen.c ssh-pkcs11.c]
138 fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
139 - djm@cvs.openbsd.org 2013/07/12 00:43:50
140 [misc.c]
141 in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
142 errno == 0. Avoids confusing error message in some broken resolver
143 cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
144 - djm@cvs.openbsd.org 2013/07/12 05:42:03
145 [ssh-keygen.c]
146 do_print_resource_record() can never be called with a NULL filename, so
147 don't attempt (and bungle) asking for one if it has not been specified
148 bz#2127 ok dtucker@
149 - djm@cvs.openbsd.org 2013/07/12 05:48:55
150 [ssh.c]
151 set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
152 - schwarze@cvs.openbsd.org 2013/07/16 00:07:52
153 [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8]
154 use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
155 - djm@cvs.openbsd.org 2013/07/18 01:12:26
156 [ssh.1]
157 be more exact wrt perms for ~/.ssh/config; bz#2078
158
15920130702
160 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
161 contrib/cygwin/ssh-user-config] Modernizes and improve readability of
162 the Cygwin README file (which hasn't been updated for ages), drop
163 unsupported OSes from the ssh-host-config help text, and drop an
164 unneeded option from ssh-user-config. Patch from vinschen at redhat com.
165
16620130610
167 - (djm) OpenBSD CVS Sync
168 - dtucker@cvs.openbsd.org 2013/06/07 15:37:52
169 [channels.c channels.h clientloop.c]
170 Add an "ABANDONED" channel state and use for mux sessions that are
171 disconnected via the ~. escape sequence. Channels in this state will
172 be able to close if the server responds, but do not count as active channels.
173 This means that if you ~. all of the mux clients when using ControlPersist
174 on a broken network, the backgrounded mux master will exit when the
175 Control Persist time expires rather than hanging around indefinitely.
176 bz#1917, also reported and tested by tedu@. ok djm@ markus@.
177 - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported
178 algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages.
179 - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
180 the required OpenSSL support. Patch from naddy at freebsd.
181 - (dtucker) [myproposal.h] Make the conditional algorithm support consistent
182 and add some comments so it's clear what goes where.
183
18420130605
185 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of
186 the necessary functions, not from the openssl version.
187 - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test.
188 Patch from cjwatson at debian.
189 - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the
190 forwarding test is extremely slow copying data on some machines so switch
191 back to copying the much smaller ls binary until we can figure out why
192 this is.
193 - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building
194 modpipe in case there's anything in there we need.
195 - (dtucker) OpenBSD CVS Sync
196 - dtucker@cvs.openbsd.org 2013/06/02 21:01:51
197 [channels.h]
198 typo in comment
199 - dtucker@cvs.openbsd.org 2013/06/02 23:36:29
200 [clientloop.h clientloop.c mux.c]
201 No need for the mux cleanup callback to be visible so restore it to static
202 and call it through the detach_user function pointer. ok djm@
203 - dtucker@cvs.openbsd.org 2013/06/03 00:03:18
204 [mac.c]
205 force the MAC output to be 64-bit aligned so umac won't see unaligned
206 accesses on strict-alignment architectures. bz#2101, patch from
207 tomas.kuthan at oracle.com, ok djm@
208 - dtucker@cvs.openbsd.org 2013/06/04 19:12:23
209 [scp.c]
210 use MAXPATHLEN for buffer size instead of fixed value. ok markus
211 - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
212 [sftp.c]
213 Make sftp's libedit interface marginally multibyte aware by building up
214 the quoted string by character instead of by byte. Prevents failures
215 when linked against a libedit built with wide character support (bz#1990).
216 "looks ok" djm
217 - dtucker@cvs.openbsd.org 2013/06/05 02:07:29
218 [mux.c]
219 fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967,
220 ok djm
221 - dtucker@cvs.openbsd.org 2013/06/05 02:27:50
222 [sshd.c]
223 When running sshd -D, close stderr unless we have explicitly requesting
224 logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch
225 so, err, ok dtucker.
226 - dtucker@cvs.openbsd.org 2013/06/05 12:52:38
227 [sshconnect2.c]
228 Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm
229 - dtucker@cvs.openbsd.org 2013/06/05 22:00:28
230 [readconf.c]
231 plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm
232 - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for
233 platforms that don't have multibyte character support (specifically,
234 mblen).
235
23620130602
237 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy
238 linking regress/modpipe.
239 - (dtucker) OpenBSD CVS Sync
240 - dtucker@cvs.openbsd.org 2013/06/02 13:33:05
241 [progressmeter.c]
242 Add misc.h for monotime prototype. (ID sync only).
243 - dtucker@cvs.openbsd.org 2013/06/02 13:35:58
244 [ssh-agent.c]
245 Make parent_alive_interval time_t to avoid signed/unsigned comparison
246 - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms
247 to prevent noise from configure. Patch from Nathan Osman. (bz#2114).
248 - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android.
249 Patch from Nathan Osman.
250 - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we
251 need a shell that can handle "[ file1 -nt file2 ]". Rather than keep
252 dealing with shell portability issues in regression tests, we let
253 configure find us a capable shell on those platforms with an old /bin/sh.
254 - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr.
255 feedback and ok dtucker
256 - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker
257 - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h.
258 - (dtucker) [configure.ac] Some other platforms need sys/types.h before
259 sys/socket.h.
260
26120130601
262 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to
263 using openssl's DES_crypt function on platorms that don't have a native
264 one, eg Android. Based on a patch from Nathan Osman.
265 - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS
266 rather than trying to enumerate the plaforms that don't have them.
267 Based on a patch from Nathan Osman, with help from tim@.
268 - (dtucker) OpenBSD CVS Sync
269 - djm@cvs.openbsd.org 2013/05/17 00:13:13
270 [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
271 ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
272 gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
273 auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
274 servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
275 auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
276 sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
277 kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
278 kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
279 monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
280 ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
281 sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
282 ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
283 dns.c packet.c readpass.c authfd.c moduli.c]
284 bye, bye xfree(); ok markus@
285 - djm@cvs.openbsd.org 2013/05/19 02:38:28
286 [auth2-pubkey.c]
287 fix failure to recognise cert-authority keys if a key of a different type
288 appeared in authorized_keys before it; ok markus@
289 - djm@cvs.openbsd.org 2013/05/19 02:42:42
290 [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
291 Standardise logging of supplemental information during userauth. Keys
292 and ruser is now logged in the auth success/failure message alongside
293 the local username, remote host/port and protocol in use. Certificates
294 contents and CA are logged too.
295 Pushing all logging onto a single line simplifies log analysis as it is
296 no longer necessary to relate information scattered across multiple log
297 entries. "I like it" markus@
298 - dtucker@cvs.openbsd.org 2013/05/31 12:28:10
299 [ssh-agent.c]
300 Use time_t where appropriate. ok djm
301 - dtucker@cvs.openbsd.org 2013/06/01 13:15:52
302 [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
303 channels.c sandbox-systrace.c]
304 Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
305 keepalives and rekeying will work properly over clock steps. Suggested by
306 markus@, "looks good" djm@.
307 - dtucker@cvs.openbsd.org 2013/06/01 20:59:25
308 [scp.c sftp-client.c]
309 Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
310 from Nathan Osman via bz#2085. ok deraadt.
311 - dtucker@cvs.openbsd.org 2013/06/01 22:34:50
312 [sftp-client.c]
313 Update progressmeter when data is acked, not when it's sent. bz#2108, from
314 Debian via Colin Watson, ok djm@
315 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
316 groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
317 sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
318 openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
319 openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
320 with the equivalent calls to free.
321 - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall
322 back to time(NULL) if we can't find it anywhere.
323 - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.
324
32520130529
326 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
327 implementation of endgrent for platforms that don't have it (eg Android).
328 Loosely based on a patch from Nathan Osman, ok djm
329
330 20130517
331 - (dtucker) OpenBSD CVS Sync
332 - djm@cvs.openbsd.org 2013/03/07 00:20:34
333 [regress/proxy-connect.sh]
334 repeat test with a style appended to the username
335 - dtucker@cvs.openbsd.org 2013/03/23 11:09:43
336 [regress/test-exec.sh]
337 Only regenerate host keys if they don't exist or if ssh-keygen has changed
338 since they were. Reduces test runtime by 5-30% depending on machine
339 speed.
340 - dtucker@cvs.openbsd.org 2013/04/06 06:00:22
341 [regress/rekey.sh regress/test-exec.sh regress/integrity.sh
342 regress/multiplex.sh Makefile regress/cfgmatch.sh]
343 Split the regress log into 3 parts: the debug output from ssh, the debug
344 log from sshd and the output from the client command (ssh, scp or sftp).
345 Somewhat functional now, will become more useful when ssh/sshd -E is added.
346 - dtucker@cvs.openbsd.org 2013/04/07 02:16:03
347 [regress/Makefile regress/rekey.sh regress/integrity.sh
348 regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh]
349 use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and
350 save the output from any failing tests. If a test fails the debug output
351 from ssh and sshd for the failing tests (and only the failing tests) should
352 be available in failed-ssh{,d}.log.
353 - djm@cvs.openbsd.org 2013/04/18 02:46:12
354 [regress/Makefile regress/sftp-chroot.sh]
355 test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@
356 - dtucker@cvs.openbsd.org 2013/04/22 07:23:08
357 [regress/multiplex.sh]
358 Write mux master logs to regress.log instead of ssh.log to keep separate
359 - djm@cvs.openbsd.org 2013/05/10 03:46:14
360 [regress/modpipe.c]
361 sync some portability changes from portable OpenSSH (id sync only)
362 - dtucker@cvs.openbsd.org 2013/05/16 02:10:35
363 [regress/rekey.sh]
364 Add test for time-based rekeying
365 - dtucker@cvs.openbsd.org 2013/05/16 03:33:30
366 [regress/rekey.sh]
367 test rekeying when there's no data being transferred
368 - dtucker@cvs.openbsd.org 2013/05/16 04:26:10
369 [regress/rekey.sh]
370 add server-side rekey test
371 - dtucker@cvs.openbsd.org 2013/05/16 05:48:31
372 [regress/rekey.sh]
373 add tests for RekeyLimit parsing
374 - dtucker@cvs.openbsd.org 2013/05/17 00:37:40
375 [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh
376 regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh
377 regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh
378 regress/ssh-com.sh]
379 replace 'echo -n' with 'printf' since it's more portable
380 also remove "echon" hack.
381 - dtucker@cvs.openbsd.org 2013/05/17 01:16:09
382 [regress/agent-timeout.sh]
383 Pull back some portability changes from -portable:
384 - TIMEOUT is a read-only variable in some shells
385 - not all greps have -q so redirect to /dev/null instead.
386 (ID sync only)
387 - dtucker@cvs.openbsd.org 2013/05/17 01:32:11
388 [regress/integrity.sh]
389 don't print output from ssh before getting it (it's available in ssh.log)
390 - dtucker@cvs.openbsd.org 2013/05/17 04:29:14
391 [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh
392 regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh
393 regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh
394 regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh
395 regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh
396 regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh
397 regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh
398 regress/multiplex.sh]
399 Move the setting of DATA and COPY into test-exec.sh
400 - dtucker@cvs.openbsd.org 2013/05/17 10:16:26
401 [regress/try-ciphers.sh]
402 use expr for math to keep diffs vs portable down
403 (id sync only)
404 - dtucker@cvs.openbsd.org 2013/05/17 10:23:52
405 [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh]
406 Use SUDO when cat'ing pid files and running the sshd log wrapper so that
407 it works with a restrictive umask and the pid files are not world readable.
408 Changes from -portable. (id sync only)
409 - dtucker@cvs.openbsd.org 2013/05/17 10:24:48
410 [regress/localcommand.sh]
411 use backticks for portability. (id sync only)
412 - dtucker@cvs.openbsd.org 2013/05/17 10:26:26
413 [regress/sftp-badcmds.sh]
414 remove unused BATCH variable. (id sync only)
415 - dtucker@cvs.openbsd.org 2013/05/17 10:28:11
416 [regress/sftp.sh]
417 only compare copied data if sftp succeeds. from portable (id sync only)
418 - dtucker@cvs.openbsd.org 2013/05/17 10:30:07
419 [regress/test-exec.sh]
420 wait a bit longer for startup and use case for absolute path.
421 from portable (id sync only)
422 - dtucker@cvs.openbsd.org 2013/05/17 10:33:09
423 [regress/agent-getpeereid.sh]
424 don't redirect stdout from sudo. from portable (id sync only)
425 - dtucker@cvs.openbsd.org 2013/05/17 10:34:30
426 [regress/portnum.sh]
427 use a more portable negated if structure. from portable (id sync only)
428 - dtucker@cvs.openbsd.org 2013/05/17 10:35:43
429 [regress/scp.sh]
430 use a file extention that's not special on some platforms. from portable
431 (id sync only)
432 - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it
433 in portable and it's long gone in openbsd.
434 - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
435 methods. When the openssl version doesn't support ECDH then next one on
436 the list is DH group exchange, but that causes a bit more traffic which can
437 mean that the tests flip bits in the initial exchange rather than the MACed
438 traffic and we get different errors to what the tests look for.
439 - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
440 - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
441 - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
442 - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]
443 Move the jot helper function to portable-specific part of test-exec.sh.
444 - (dtucker) [regress/test-exec.sh] Move the portable-specific functions
445 together and add a couple of missing lines from openbsd.
446 - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5
447 helper function to the portable part of test-exec.sh.
448 - (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
449 - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by
450 rev 1.6 which calls wait.
451
120130516 45220130516
2 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be 453 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
3 executed if mktemp failed; bz#2105 ok dtucker@ 454 executed if mktemp failed; bz#2105 ok dtucker@
4 - (djm) Release 6.2p2 455 - (dtucker) OpenBSD CVS Sync
456 - tedu@cvs.openbsd.org 2013/04/23 17:49:45
457 [misc.c]
458 use xasprintf instead of a series of strlcats and strdup. ok djm
459 - tedu@cvs.openbsd.org 2013/04/24 16:01:46
460 [misc.c]
461 remove extra parens noticed by nicm
462 - dtucker@cvs.openbsd.org 2013/05/06 07:35:12
463 [sftp-server.8]
464 Reference the version of the sftp draft we actually implement. ok djm@
465 - djm@cvs.openbsd.org 2013/05/10 03:40:07
466 [sshconnect2.c]
467 fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from
468 Colin Watson
469 - djm@cvs.openbsd.org 2013/05/10 04:08:01
470 [key.c]
471 memleak in cert_free(), wasn't actually freeing the struct;
472 bz#2096 from shm AT digitalsun.pl
473 - dtucker@cvs.openbsd.org 2013/05/10 10:13:50
474 [ssh-pkcs11-helper.c]
475 remove unused extern optarg. ok markus@
476 - dtucker@cvs.openbsd.org 2013/05/16 02:00:34
477 [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
478 ssh_config.5 packet.h]
479 Add an optional second argument to RekeyLimit in the client to allow
480 rekeying based on elapsed time in addition to amount of traffic.
481 with djm@ jmc@, ok djm
482 - dtucker@cvs.openbsd.org 2013/05/16 04:09:14
483 [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
484 sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
485 rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
486 page.
487 - djm@cvs.openbsd.org 2013/05/16 04:27:50
488 [ssh_config.5 readconf.h readconf.c]
489 add the ability to ignore specific unrecognised ssh_config options;
490 bz#866; ok markus@
491 - jmc@cvs.openbsd.org 2013/05/16 06:28:45
492 [ssh_config.5]
493 put IgnoreUnknown in the right place;
494 - jmc@cvs.openbsd.org 2013/05/16 06:30:06
495 [sshd_config.5]
496 oops! avoid Xr to self;
497 - dtucker@cvs.openbsd.org 2013/05/16 09:08:41
498 [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c]
499 Fix some "unused result" warnings found via clang and -portable.
500 ok markus@
501 - dtucker@cvs.openbsd.org 2013/05/16 09:12:31
502 [readconf.c servconf.c]
503 switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@
504 - dtucker@cvs.openbsd.org 2013/05/16 10:43:34
505 [servconf.c readconf.c]
506 remove now-unused variables
507 - dtucker@cvs.openbsd.org 2013/05/16 10:44:06
508 [servconf.c]
509 remove another now-unused variable
510 - (dtucker) [configure.ac readconf.c servconf.c
511 openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled.
5 512
620130510 51320130510
7 - (djm) OpenBSD CVS Cherrypick 514 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler
515 supports it. Mentioned by Colin Watson in bz#2100, ok djm.
516 - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to
517 getopt.c. Preprocessed source is identical other than line numbers.
518 - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No
519 portability changes yet.
520 - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c
521 openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add
522 portability code to getopt_long.c and switch over Makefile and the ugly
523 hack in modpipe.c. Fixes bz#1448.
524 - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c
525 openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb
526 in to use it when we're using our own getopt.
527 - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the
528 underlying libraries support them.
529 - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so
530 we don't get a warning on compilers that *don't* support it. Add
531 -Wno-unknown-warning-option. Move both to the start of the list for
532 maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9.
533
53420130423
535 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support
536 platforms, such as Android, that lack struct passwd.pw_gecos. Report
537 and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@
538 - (djm) OpenBSD CVS Sync
539 - markus@cvs.openbsd.org 2013/03/05 20:16:09
540 [sshconnect2.c]
541 reset pubkey order on partial success; ok djm@
542 - djm@cvs.openbsd.org 2013/03/06 23:35:23
543 [session.c]
544 fatal() when ChrootDirectory specified by running without root privileges;
545 ok markus@
546 - djm@cvs.openbsd.org 2013/03/06 23:36:53
547 [readconf.c]
548 g/c unused variable (-Wunused)
549 - djm@cvs.openbsd.org 2013/03/07 00:19:59
550 [auth2-pubkey.c monitor.c]
551 reconstruct the original username that was sent by the client, which may
552 have included a style (e.g. "root:skey") when checking public key
553 signatures. Fixes public key and hostbased auth when the client specified
554 a style; ok markus@
555 - markus@cvs.openbsd.org 2013/03/07 19:27:25
556 [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5]
557 add submethod support to AuthenticationMethods; ok and freedback djm@
558 - djm@cvs.openbsd.org 2013/03/08 06:32:58
559 [ssh.c]
560 allow "ssh -f none ..." ok markus@
561 - djm@cvs.openbsd.org 2013/04/05 00:14:00
562 [auth2-gss.c krl.c sshconnect2.c]
563 hush some {unused, printf type} warnings
564 - djm@cvs.openbsd.org 2013/04/05 00:31:49
565 [pathnames.h]
566 use the existing _PATH_SSH_USER_RC define to construct the other
567 pathnames; bz#2077, ok dtucker@ (no binary change)
568 - djm@cvs.openbsd.org 2013/04/05 00:58:51
569 [mux.c]
570 cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too
571 (in addition to ones already in OPEN); bz#2079, ok dtucker@
572 - markus@cvs.openbsd.org 2013/04/06 16:07:00
573 [channels.c sshd.c]
574 handle ECONNABORTED for accept(); ok deraadt some time ago...
575 - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
576 [log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
577 Add -E option to ssh and sshd to append debugging logs to a specified file
578 instead of stderr or syslog. ok markus@, man page help jmc@
579 - dtucker@cvs.openbsd.org 2013/04/07 09:40:27
580 [sshd.8]
581 clarify -e text. suggested by & ok jmc@
8 - djm@cvs.openbsd.org 2013/04/11 02:27:50 582 - djm@cvs.openbsd.org 2013/04/11 02:27:50
9 [packet.c] 583 [packet.c]
10 quiet disconnect notifications on the server from error() back to logit() 584 quiet disconnect notifications on the server from error() back to logit()
11 if it is a normal client closure; bz#2057 ok+feedback dtucker@ 585 if it is a normal client closure; bz#2057 ok+feedback dtucker@
12 - (djm) [version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 586 - dtucker@cvs.openbsd.org 2013/04/17 09:04:09
13 [contrib/suse/openssh.spec] Crank version numbers for release. 587 [session.c]
14 - (djm) [README] Update release notes URL 588 revert rev 1.262; it fails because uid is already set here. ok djm@
589 - djm@cvs.openbsd.org 2013/04/18 02:16:07
590 [sftp.c]
591 make "sftp -q" do what it says on the sticker: hush everything but errors;
592 ok dtucker@
593 - djm@cvs.openbsd.org 2013/04/19 01:00:10
594 [sshd_config.5]
595 document the requirment that the AuthorizedKeysCommand be owned by root;
596 ok dtucker@ markus@
597 - djm@cvs.openbsd.org 2013/04/19 01:01:00
598 [ssh-keygen.c]
599 fix some memory leaks; bz#2088 ok dtucker@
600 - djm@cvs.openbsd.org 2013/04/19 01:03:01
601 [session.c]
602 reintroduce 1.262 without the connection-killing bug:
603 fatal() when ChrootDirectory specified by running without root privileges;
604 ok markus@
605 - djm@cvs.openbsd.org 2013/04/19 01:06:50
606 [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
607 [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
608 add the ability to query supported ciphers, MACs, key type and KEX
609 algorithms to ssh. Includes some refactoring of KEX and key type handling
610 to be table-driven; ok markus@
611 - djm@cvs.openbsd.org 2013/04/19 11:10:18
612 [ssh.c]
613 add -Q to usage; reminded by jmc@
614 - djm@cvs.openbsd.org 2013/04/19 12:07:08
615 [kex.c]
616 remove duplicated list entry pointed out by naddy@
617 - dtucker@cvs.openbsd.org 2013/04/22 01:17:18
618 [mux.c]
619 typo in debug output: evitval->exitval
620
62120130418
622 - (djm) [config.guess config.sub] Update to last versions before they switch
623 to GPL3. ok dtucker@
624 - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from
625 unused argument warnings (in particular, -fno-builtin-memset) from clang.
15 626
1620130404 62720130404
17 - (dtucker) OpenBSD CVS Sync 628 - (dtucker) OpenBSD CVS Sync
@@ -40,10 +651,16 @@
40 to avoid conflicting definitions of __int64, adding the required bits. 651 to avoid conflicting definitions of __int64, adding the required bits.
41 Patch from Corinna Vinschen. 652 Patch from Corinna Vinschen.
42 653
65420120323
655 - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit.
656
4320120322 65720120322
44 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil 658 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
45 Hands' greatly revised version. 659 Hands' greatly revised version.
46 - (djm) Release 6.2p1 660 - (djm) Release 6.2p1
661 - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype.
662 - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before
663 defining it again. Prevents warnings if someone, eg, sets it in CFLAGS.
47 664
4820120318 66520120318
49 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c] 666 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
diff --git a/Makefile.in b/Makefile.in
index dd0502e63..f9799268a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $ 1# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -122,6 +122,8 @@ PATHSUBS = \
122 -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' 122 -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
123 123
124FIXPATHSCMD = $(SED) $(PATHSUBS) 124FIXPATHSCMD = $(SED) $(PATHSUBS)
125FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
126 @UNSUPPORTED_ALGORITHMS@
125 127
126all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) 128all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
127 129
@@ -185,9 +187,10 @@ $(MANPAGES): $(MANPAGES_IN)
185 manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \ 187 manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
186 fi; \ 188 fi; \
187 if test "$(MANTYPE)" = "man"; then \ 189 if test "$(MANTYPE)" = "man"; then \
188 $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ 190 $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
191 $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
189 else \ 192 else \
190 $(FIXPATHSCMD) $${manpage} > $@; \ 193 $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
191 fi 194 fi
192 195
193$(CONFIGFILES): $(CONFIGFILES_IN) 196$(CONFIGFILES): $(CONFIGFILES_IN)
@@ -383,15 +386,14 @@ uninstall:
383 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 386 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
384 387
385regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c 388regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
386 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ 389 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
387 $(CC) $(CPPFLAGS) -o $@ $? \ 390 [ -f `pwd`/regress/Makefile ] || \
388 $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) 391 ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
392 $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
393 $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
389 394
390tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) 395tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
391 BUILDDIR=`pwd`; \ 396 BUILDDIR=`pwd`; \
392 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
393 [ -f `pwd`/regress/Makefile ] || \
394 ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
395 TEST_SHELL="@TEST_SHELL@"; \ 397 TEST_SHELL="@TEST_SHELL@"; \
396 TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ 398 TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
397 TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ 399 TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
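Review bot: In the `$(MANPAGES)` recipe, `$(FIXALGORITHMSCMD)` is added as a middle stage of a pipeline, so a failure of the `fixalgorithms` script is hidden by the exit status of the last command and make still records a possibly empty or truncated man page as built. Staging through a temporary file keeps every step checked, for example in the non-man branch `$(FIXPATHSCMD) $${manpage} > $@.tmp && $(FIXALGORITHMSCMD) < $@.tmp > $@ && rm -f $@.tmp`. The same masking already applied to `$(FIXPATHSCMD) | $(AWK)` before this change. The recipe starts above the hunk, so how a partial `$@` is handled on failure is not visible here.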
diff --git a/README b/README
index 52bb657d6..ece2dba19 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
1See http://www.openssh.com/txt/release-6.2p2 for the release notes. 1See http://www.openssh.com/txt/release-6.3 for the release notes.
2 2
3- A Japanese translation of this document and of the OpenSSH FAQ is 3- A Japanese translation of this document and of the OpenSSH FAQ is
4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html 4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
63[7] http://www.openssh.com/faq.html 63[7] http://www.openssh.com/faq.html
64 64
65$Id: README,v 1.82.2.1 2013/05/10 06:12:54 djm Exp $ 65$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $
diff --git a/aclocal.m4 b/aclocal.m4
index 9bdea5ec2..1b3bed790 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
1dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $ 1dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $
2dnl 2dnl
3dnl OpenSSH-specific autoconf macros 3dnl OpenSSH-specific autoconf macros
4dnl 4dnl
@@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
14 _define_flag="$2" 14 _define_flag="$2"
15 test "x$_define_flag" = "x" && _define_flag="$1" 15 test "x$_define_flag" = "x" && _define_flag="$1"
16 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], 16 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
17 [ AC_MSG_RESULT([yes]) 17 [
18 CFLAGS="$saved_CFLAGS $_define_flag"], 18if `grep -i "unrecognized option" conftest.err >/dev/null`
19then
20 AC_MSG_RESULT([no])
21 CFLAGS="$saved_CFLAGS"
22else
23 AC_MSG_RESULT([yes])
24 CFLAGS="$saved_CFLAGS $_define_flag"
25fi],
19 [ AC_MSG_RESULT([no]) 26 [ AC_MSG_RESULT([no])
20 CFLAGS="$saved_CFLAGS" ] 27 CFLAGS="$saved_CFLAGS" ]
21 ) 28 )
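Review bot: The new success branch of `OSSH_CHECK_CFLAG_COMPILE` wraps the grep in a backquoted command substitution, which runs grep and then executes its (empty) output; it only works because the status of an empty substitution is the status of grep. Writing it as `if grep -i "unrecognized option" conftest.err >/dev/null 2>&1` says the same thing directly and also stays quiet when `conftest.err` is absent. The test is tied to one diagnostic wording, so a compiler that accepts an unknown flag with a differently worded warning would still get the flag appended to `CFLAGS`; a short comment naming the compiler this targets would help. The macro begins above the hunk.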
diff --git a/addrmatch.c b/addrmatch.c
index 388603cae..fb6de92e7 100644
--- a/addrmatch.c
+++ b/addrmatch.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */ 1/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org> 4 * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list)
420 goto foundit; 420 goto foundit;
421 } 421 }
422 } 422 }
423 xfree(o); 423 free(o);
424 424
425 return ret; 425 return ret;
426} 426}
@@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list)
494 continue; 494 continue;
495 } 495 }
496 } 496 }
497 xfree(o); 497 free(o);
498 498
499 return ret; 499 return ret;
500} 500}
diff --git a/auth-chall.c b/auth-chall.c
index 919b1eaa4..0005aa88b 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt)
69 fatal("get_challenge: numprompts < 1"); 69 fatal("get_challenge: numprompts < 1");
70 challenge = xstrdup(prompts[0]); 70 challenge = xstrdup(prompts[0]);
71 for (i = 0; i < numprompts; i++) 71 for (i = 0; i < numprompts; i++)
72 xfree(prompts[i]); 72 free(prompts[i]);
73 xfree(prompts); 73 free(prompts);
74 xfree(name); 74 free(name);
75 xfree(echo_on); 75 free(echo_on);
76 xfree(info); 76 free(info);
77 77
78 return (challenge); 78 return (challenge);
79} 79}
@@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response)
102 authenticated = 1; 102 authenticated = 1;
103 103
104 for (i = 0; i < numprompts; i++) 104 for (i = 0; i < numprompts; i++)
105 xfree(prompts[i]); 105 free(prompts[i]);
106 xfree(prompts); 106 free(prompts);
107 xfree(name); 107 free(name);
108 xfree(echo_on); 108 free(echo_on);
109 xfree(info); 109 free(info);
110 break; 110 break;
111 } 111 }
112 device->free_ctx(authctxt->kbdintctxt); 112 device->free_ctx(authctxt->kbdintctxt);
diff --git a/auth-krb5.c b/auth-krb5.c
index 4c2375462..5613b5772 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
2/* 2/*
3 * Kerberos v5 authentication and ticket-passing routines. 3 * Kerberos v5 authentication and ticket-passing routines.
4 * 4 *
@@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
79 krb5_ccache ccache = NULL; 79 krb5_ccache ccache = NULL;
80 int len; 80 int len;
81 char *client, *platform_client; 81 char *client, *platform_client;
82 const char *errmsg;
82 83
83 /* get platform-specific kerberos client principal name (if it exists) */ 84 /* get platform-specific kerberos client principal name (if it exists) */
84 platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name); 85 platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
@@ -96,7 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
96 goto out; 97 goto out;
97 98
98#ifdef HEIMDAL 99#ifdef HEIMDAL
100# ifdef HAVE_KRB5_CC_NEW_UNIQUE
101 problem = krb5_cc_new_unique(authctxt->krb5_ctx,
102 krb5_mcc_ops.prefix, NULL, &ccache);
103# else
99 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); 104 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
105# endif
100 if (problem) 106 if (problem)
101 goto out; 107 goto out;
102 108
@@ -115,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
115 if (problem) 121 if (problem)
116 goto out; 122 goto out;
117 123
124# ifdef HAVE_KRB5_CC_NEW_UNIQUE
125 problem = krb5_cc_new_unique(authctxt->krb5_ctx,
126 krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
127# else
118 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, 128 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
119 &authctxt->krb5_fwd_ccache); 129 &authctxt->krb5_fwd_ccache);
130# endif
120 if (problem) 131 if (problem)
121 goto out; 132 goto out;
122 133
@@ -186,17 +197,19 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
186 out: 197 out:
187 restore_uid(); 198 restore_uid();
188 199
189 if (platform_client != NULL) 200 free(platform_client);
190 xfree(platform_client);
191 201
192 if (problem) { 202 if (problem) {
193 if (ccache) 203 if (ccache)
194 krb5_cc_destroy(authctxt->krb5_ctx, ccache); 204 krb5_cc_destroy(authctxt->krb5_ctx, ccache);
195 205
196 if (authctxt->krb5_ctx != NULL && problem!=-1) 206 if (authctxt->krb5_ctx != NULL && problem!=-1) {
197 debug("Kerberos password authentication failed: %s", 207 errmsg = krb5_get_error_message(authctxt->krb5_ctx,
198 krb5_get_err_text(authctxt->krb5_ctx, problem)); 208 problem);
199 else 209 debug("Kerberos password authentication failed: %s",
210 errmsg);
211 krb5_free_error_message(authctxt->krb5_ctx, errmsg);
212 } else
200 debug("Kerberos password authentication failed: %d", 213 debug("Kerberos password authentication failed: %d",
201 problem); 214 problem);
202 215
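Review bot: In the `out:` path of `auth_krb5_password`, the result of `krb5_get_error_message()` goes straight into the `%s` of `debug()`. If the library can return NULL there (presumably on allocation failure in some implementations; worth confirming), the argument should be guarded, e.g. `errmsg != NULL ? errmsg : "unknown error"`. Unlike `krb5_cc_new_unique`, which the earlier hunks put behind `HAVE_KRB5_CC_NEW_UNIQUE`, the two new error-message calls are unconditional in the visible lines, so a library that only provides `krb5_get_err_text` would stop building unless a fallback is defined outside these hunks. The `if` branch gained braces while its `else` did not; bracing both keeps the two failure-logging branches symmetrical. The function starts and ends outside the hunks.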
diff --git a/auth-options.c b/auth-options.c
index 23d0423e1..80d59ee95 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -72,15 +72,15 @@ auth_clear_options(void)
72 while (custom_environment) { 72 while (custom_environment) {
73 struct envstring *ce = custom_environment; 73 struct envstring *ce = custom_environment;
74 custom_environment = ce->next; 74 custom_environment = ce->next;
75 xfree(ce->s); 75 free(ce->s);
76 xfree(ce); 76 free(ce);
77 } 77 }
78 if (forced_command) { 78 if (forced_command) {
79 xfree(forced_command); 79 free(forced_command);
80 forced_command = NULL; 80 forced_command = NULL;
81 } 81 }
82 if (authorized_principals) { 82 if (authorized_principals) {
83 xfree(authorized_principals); 83 free(authorized_principals);
84 authorized_principals = NULL; 84 authorized_principals = NULL;
85 } 85 }
86 forced_tun_device = -1; 86 forced_tun_device = -1;
@@ -149,7 +149,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
149 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 149 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
150 opts += strlen(cp); 150 opts += strlen(cp);
151 if (forced_command != NULL) 151 if (forced_command != NULL)
152 xfree(forced_command); 152 free(forced_command);
153 forced_command = xmalloc(strlen(opts) + 1); 153 forced_command = xmalloc(strlen(opts) + 1);
154 i = 0; 154 i = 0;
155 while (*opts) { 155 while (*opts) {
@@ -167,7 +167,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
167 file, linenum); 167 file, linenum);
168 auth_debug_add("%.100s, line %lu: missing end quote", 168 auth_debug_add("%.100s, line %lu: missing end quote",
169 file, linenum); 169 file, linenum);
170 xfree(forced_command); 170 free(forced_command);
171 forced_command = NULL; 171 forced_command = NULL;
172 goto bad_option; 172 goto bad_option;
173 } 173 }
@@ -180,7 +180,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
180 if (strncasecmp(opts, cp, strlen(cp)) == 0) { 180 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
181 opts += strlen(cp); 181 opts += strlen(cp);
182 if (authorized_principals != NULL) 182 if (authorized_principals != NULL)
183 xfree(authorized_principals); 183 free(authorized_principals);
184 authorized_principals = xmalloc(strlen(opts) + 1); 184 authorized_principals = xmalloc(strlen(opts) + 1);
185 i = 0; 185 i = 0;
186 while (*opts) { 186 while (*opts) {
@@ -198,7 +198,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
198 file, linenum); 198 file, linenum);
199 auth_debug_add("%.100s, line %lu: missing end quote", 199 auth_debug_add("%.100s, line %lu: missing end quote",
200 file, linenum); 200 file, linenum);
201 xfree(authorized_principals); 201 free(authorized_principals);
202 authorized_principals = NULL; 202 authorized_principals = NULL;
203 goto bad_option; 203 goto bad_option;
204 } 204 }
@@ -232,7 +232,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
232 file, linenum); 232 file, linenum);
233 auth_debug_add("%.100s, line %lu: missing end quote", 233 auth_debug_add("%.100s, line %lu: missing end quote",
234 file, linenum); 234 file, linenum);
235 xfree(s); 235 free(s);
236 goto bad_option; 236 goto bad_option;
237 } 237 }
238 s[i] = '\0'; 238 s[i] = '\0';
@@ -269,7 +269,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
269 file, linenum); 269 file, linenum);
270 auth_debug_add("%.100s, line %lu: missing end quote", 270 auth_debug_add("%.100s, line %lu: missing end quote",
271 file, linenum); 271 file, linenum);
272 xfree(patterns); 272 free(patterns);
273 goto bad_option; 273 goto bad_option;
274 } 274 }
275 patterns[i] = '\0'; 275 patterns[i] = '\0';
@@ -277,7 +277,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
277 switch (match_host_and_ip(remote_host, remote_ip, 277 switch (match_host_and_ip(remote_host, remote_ip,
278 patterns)) { 278 patterns)) {
279 case 1: 279 case 1:
280 xfree(patterns); 280 free(patterns);
281 /* Host name matches. */ 281 /* Host name matches. */
282 goto next_option; 282 goto next_option;
283 case -1: 283 case -1:
@@ -287,7 +287,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
287 "invalid criteria", file, linenum); 287 "invalid criteria", file, linenum);
288 /* FALLTHROUGH */ 288 /* FALLTHROUGH */
289 case 0: 289 case 0:
290 xfree(patterns); 290 free(patterns);
291 logit("Authentication tried for %.100s with " 291 logit("Authentication tried for %.100s with "
292 "correct key but not from a permitted " 292 "correct key but not from a permitted "
293 "host (host=%.200s, ip=%.200s).", 293 "host (host=%.200s, ip=%.200s).",
@@ -323,7 +323,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
323 file, linenum); 323 file, linenum);
324 auth_debug_add("%.100s, line %lu: missing " 324 auth_debug_add("%.100s, line %lu: missing "
325 "end quote", file, linenum); 325 "end quote", file, linenum);
326 xfree(patterns); 326 free(patterns);
327 goto bad_option; 327 goto bad_option;
328 } 328 }
329 patterns[i] = '\0'; 329 patterns[i] = '\0';
@@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
337 auth_debug_add("%.100s, line %lu: " 337 auth_debug_add("%.100s, line %lu: "
338 "Bad permitopen specification", file, 338 "Bad permitopen specification", file,
339 linenum); 339 linenum);
340 xfree(patterns); 340 free(patterns);
341 goto bad_option; 341 goto bad_option;
342 } 342 }
343 host = cleanhostname(host); 343 host = cleanhostname(host);
@@ -346,12 +346,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
346 "<%.100s>", file, linenum, p ? p : ""); 346 "<%.100s>", file, linenum, p ? p : "");
347 auth_debug_add("%.100s, line %lu: " 347 auth_debug_add("%.100s, line %lu: "
348 "Bad permitopen port", file, linenum); 348 "Bad permitopen port", file, linenum);
349 xfree(patterns); 349 free(patterns);
350 goto bad_option; 350 goto bad_option;
351 } 351 }
352 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) 352 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
353 channel_add_permitted_opens(host, port); 353 channel_add_permitted_opens(host, port);
354 xfree(patterns); 354 free(patterns);
355 goto next_option; 355 goto next_option;
356 } 356 }
357 cp = "tunnel=\""; 357 cp = "tunnel=\"";
@@ -370,13 +370,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
370 file, linenum); 370 file, linenum);
371 auth_debug_add("%.100s, line %lu: missing end quote", 371 auth_debug_add("%.100s, line %lu: missing end quote",
372 file, linenum); 372 file, linenum);
373 xfree(tun); 373 free(tun);
374 forced_tun_device = -1; 374 forced_tun_device = -1;
375 goto bad_option; 375 goto bad_option;
376 } 376 }
377 tun[i] = '\0'; 377 tun[i] = '\0';
378 forced_tun_device = a2tun(tun, NULL); 378 forced_tun_device = a2tun(tun, NULL);
379 xfree(tun); 379 free(tun);
380 if (forced_tun_device == SSH_TUNID_ERR) { 380 if (forced_tun_device == SSH_TUNID_ERR) {
381 debug("%.100s, line %lu: invalid tun device", 381 debug("%.100s, line %lu: invalid tun device",
382 file, linenum); 382 file, linenum);
@@ -432,7 +432,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
432{ 432{
433 char *command, *allowed; 433 char *command, *allowed;
434 const char *remote_ip; 434 const char *remote_ip;
435 u_char *name = NULL, *data_blob = NULL; 435 char *name = NULL;
436 u_char *data_blob = NULL;
436 u_int nlen, dlen, clen; 437 u_int nlen, dlen, clen;
437 Buffer c, data; 438 Buffer c, data;
438 int ret = -1, found; 439 int ret = -1, found;
@@ -484,7 +485,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
484 if (*cert_forced_command != NULL) { 485 if (*cert_forced_command != NULL) {
485 error("Certificate has multiple " 486 error("Certificate has multiple "
486 "force-command options"); 487 "force-command options");
487 xfree(command); 488 free(command);
488 goto out; 489 goto out;
489 } 490 }
490 *cert_forced_command = command; 491 *cert_forced_command = command;
@@ -500,7 +501,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
500 if ((*cert_source_address_done)++) { 501 if ((*cert_source_address_done)++) {
501 error("Certificate has multiple " 502 error("Certificate has multiple "
502 "source-address options"); 503 "source-address options");
503 xfree(allowed); 504 free(allowed);
504 goto out; 505 goto out;
505 } 506 }
506 remote_ip = get_remote_ipaddr(); 507 remote_ip = get_remote_ipaddr();
@@ -508,7 +509,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
508 allowed)) { 509 allowed)) {
509 case 1: 510 case 1:
510 /* accepted */ 511 /* accepted */
511 xfree(allowed); 512 free(allowed);
512 break; 513 break;
513 case 0: 514 case 0:
514 /* no match */ 515 /* no match */
@@ -521,12 +522,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
521 "is not permitted to use this " 522 "is not permitted to use this "
522 "certificate for login.", 523 "certificate for login.",
523 remote_ip); 524 remote_ip);
524 xfree(allowed); 525 free(allowed);
525 goto out; 526 goto out;
526 case -1: 527 case -1:
527 error("Certificate source-address " 528 error("Certificate source-address "
528 "contents invalid"); 529 "contents invalid");
529 xfree(allowed); 530 free(allowed);
530 goto out; 531 goto out;
531 } 532 }
532 found = 1; 533 found = 1;
@@ -548,9 +549,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
548 goto out; 549 goto out;
549 } 550 }
550 buffer_clear(&data); 551 buffer_clear(&data);
551 xfree(name); 552 free(name);
552 xfree(data_blob); 553 free(data_blob);
553 name = data_blob = NULL; 554 name = NULL;
555 data_blob = NULL;
554 } 556 }
555 /* successfully parsed all options */ 557 /* successfully parsed all options */
556 ret = 0; 558 ret = 0;
@@ -559,13 +561,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
559 if (ret != 0 && 561 if (ret != 0 &&
560 cert_forced_command != NULL && 562 cert_forced_command != NULL &&
561 *cert_forced_command != NULL) { 563 *cert_forced_command != NULL) {
562 xfree(*cert_forced_command); 564 free(*cert_forced_command);
563 *cert_forced_command = NULL; 565 *cert_forced_command = NULL;
564 } 566 }
565 if (name != NULL) 567 if (name != NULL)
566 xfree(name); 568 free(name);
567 if (data_blob != NULL) 569 if (data_blob != NULL)
568 xfree(data_blob); 570 free(data_blob);
569 buffer_free(&data); 571 buffer_free(&data);
570 buffer_free(&c); 572 buffer_free(&c);
571 return ret; 573 return ret;
@@ -627,7 +629,7 @@ auth_cert_options(Key *k, struct passwd *pw)
627 /* CA-specified forced command supersedes key option */ 629 /* CA-specified forced command supersedes key option */
628 if (cert_forced_command != NULL) { 630 if (cert_forced_command != NULL) {
629 if (forced_command != NULL) 631 if (forced_command != NULL)
630 xfree(forced_command); 632 free(forced_command);
631 forced_command = cert_forced_command; 633 forced_command = cert_forced_command;
632 } 634 }
633 return 0; 635 return 0;
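Review bot: Several NULL guards in front of `free()` survive the `xfree` to `free` conversion in this file: `if (forced_command != NULL)` and `if (authorized_principals != NULL)` in `auth_parse_options`, `if (name != NULL)` and `if (data_blob != NULL)` near the end of `parse_option_list`, and the `forced_command` guard in `auth_cert_options`. `free(NULL)` is a no-op, and the same commit drops the equivalent guards in auth-krb5.c and auth-pam.c, so a plain `free(forced_command);` keeps the cleanup style uniform. The free-then-reset pairs such as `free(forced_command); forced_command = NULL;` should stay as they are, since those pointers appear to outlive the call and resetting them prevents a later double free. All of these functions extend beyond the visible hunks.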
diff --git a/auth-pam.c b/auth-pam.c
index 675006e6f..d51318b3a 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
412 412
413 fail: 413 fail:
414 for(i = 0; i < n; i++) { 414 for(i = 0; i < n; i++) {
415 if (reply[i].resp != NULL) 415 free(reply[i].resp);
416 xfree(reply[i].resp);
417 } 416 }
418 xfree(reply); 417 free(reply);
419 buffer_free(&buffer); 418 buffer_free(&buffer);
420 return (PAM_CONV_ERR); 419 return (PAM_CONV_ERR);
421} 420}
@@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
586 585
587 fail: 586 fail:
588 for(i = 0; i < n; i++) { 587 for(i = 0; i < n; i++) {
589 if (reply[i].resp != NULL) 588 free(reply[i].resp);
590 xfree(reply[i].resp);
591 } 589 }
592 xfree(reply); 590 free(reply);
593 return (PAM_CONV_ERR); 591 return (PAM_CONV_ERR);
594} 592}
595 593
@@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt)
693 /* Start the authentication thread */ 691 /* Start the authentication thread */
694 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { 692 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
695 error("PAM: failed create sockets: %s", strerror(errno)); 693 error("PAM: failed create sockets: %s", strerror(errno));
696 xfree(ctxt); 694 free(ctxt);
697 return (NULL); 695 return (NULL);
698 } 696 }
699 ctxt->pam_psock = socks[0]; 697 ctxt->pam_psock = socks[0];
@@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt)
703 strerror(errno)); 701 strerror(errno));
704 close(socks[0]); 702 close(socks[0]);
705 close(socks[1]); 703 close(socks[1]);
706 xfree(ctxt); 704 free(ctxt);
707 return (NULL); 705 return (NULL);
708 } 706 }
709 cleanup_ctxt = ctxt; 707 cleanup_ctxt = ctxt;
@@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info,
742 strlcpy(**prompts + plen, msg, len - plen); 740 strlcpy(**prompts + plen, msg, len - plen);
743 plen += mlen; 741 plen += mlen;
744 **echo_on = (type == PAM_PROMPT_ECHO_ON); 742 **echo_on = (type == PAM_PROMPT_ECHO_ON);
745 xfree(msg); 743 free(msg);
746 return (0); 744 return (0);
747 case PAM_ERROR_MSG: 745 case PAM_ERROR_MSG:
748 case PAM_TEXT_INFO: 746 case PAM_TEXT_INFO:
@@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info,
753 plen += mlen; 751 plen += mlen;
754 strlcat(**prompts + plen, "\n", len - plen); 752 strlcat(**prompts + plen, "\n", len - plen);
755 plen++; 753 plen++;
756 xfree(msg); 754 free(msg);
757 break; 755 break;
758 case PAM_ACCT_EXPIRED: 756 case PAM_ACCT_EXPIRED:
759 sshpam_account_status = 0; 757 sshpam_account_status = 0;
@@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info,
766 *num = 0; 764 *num = 0;
767 **echo_on = 0; 765 **echo_on = 0;
768 ctxt->pam_done = -1; 766 ctxt->pam_done = -1;
769 xfree(msg); 767 free(msg);
770 return 0; 768 return 0;
771 } 769 }
772 /* FALLTHROUGH */ 770 /* FALLTHROUGH */
@@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info,
776 debug("PAM: %s", **prompts); 774 debug("PAM: %s", **prompts);
777 buffer_append(&loginmsg, **prompts, 775 buffer_append(&loginmsg, **prompts,
778 strlen(**prompts)); 776 strlen(**prompts));
779 xfree(**prompts); 777 free(**prompts);
780 **prompts = NULL; 778 **prompts = NULL;
781 } 779 }
782 if (type == PAM_SUCCESS) { 780 if (type == PAM_SUCCESS) {
@@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info,
790 *num = 0; 788 *num = 0;
791 **echo_on = 0; 789 **echo_on = 0;
792 ctxt->pam_done = 1; 790 ctxt->pam_done = 1;
793 xfree(msg); 791 free(msg);
794 return (0); 792 return (0);
795 } 793 }
796 error("PAM: %s for %s%.100s from %.100s", msg, 794 error("PAM: %s for %s%.100s from %.100s", msg,
@@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info,
801 default: 799 default:
802 *num = 0; 800 *num = 0;
803 **echo_on = 0; 801 **echo_on = 0;
804 xfree(msg); 802 free(msg);
805 ctxt->pam_done = -1; 803 ctxt->pam_done = -1;
806 return (-1); 804 return (-1);
807 } 805 }
@@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp)
852 850
853 debug3("PAM: %s entering", __func__); 851 debug3("PAM: %s entering", __func__);
854 sshpam_thread_cleanup(); 852 sshpam_thread_cleanup();
855 xfree(ctxt); 853 free(ctxt);
856 /* 854 /*
857 * We don't call sshpam_cleanup() here because we may need the PAM 855 * We don't call sshpam_cleanup() here because we may need the PAM
858 * handle at a later stage, e.g. when setting up a session. It's 856 * handle at a later stage, e.g. when setting up a session. It's
@@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
1006 1004
1007 fail: 1005 fail:
1008 for(i = 0; i < n; i++) { 1006 for(i = 0; i < n; i++) {
1009 if (reply[i].resp != NULL) 1007 free(reply[i].resp);
1010 xfree(reply[i].resp);
1011 } 1008 }
1012 xfree(reply); 1009 free(reply);
1013 return (PAM_CONV_ERR); 1010 return (PAM_CONV_ERR);
1014} 1011}
1015 1012
@@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value)
1081 1078
1082 snprintf(compound, len, "%s=%s", name, value); 1079 snprintf(compound, len, "%s=%s", name, value);
1083 ret = pam_putenv(sshpam_handle, compound); 1080 ret = pam_putenv(sshpam_handle, compound);
1084 xfree(compound); 1081 free(compound);
1085#endif 1082#endif
1086 1083
1087 return (ret); 1084 return (ret);
@@ -1108,8 +1105,8 @@ free_pam_environment(char **env)
1108 return; 1105 return;
1109 1106
1110 for (envp = env; *envp; envp++) 1107 for (envp = env; *envp; envp++)
1111 xfree(*envp); 1108 free(*envp);
1112 xfree(env); 1109 free(env);
1113} 1110}
1114 1111
1115/* 1112/*
@@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
1165 1162
1166 fail: 1163 fail:
1167 for(i = 0; i < n; i++) { 1164 for(i = 0; i < n; i++) {
1168 if (reply[i].resp != NULL) 1165 free(reply[i].resp);
1169 xfree(reply[i].resp);
1170 } 1166 }
1171 xfree(reply); 1167 free(reply);
1172 return (PAM_CONV_ERR); 1168 return (PAM_CONV_ERR);
1173} 1169}
1174 1170
diff --git a/auth-rsa.c b/auth-rsa.c
index 2c8a7cb35..545aa496a 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ 1/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -164,9 +164,8 @@ static int
164rsa_key_allowed_in_file(struct passwd *pw, char *file, 164rsa_key_allowed_in_file(struct passwd *pw, char *file,
165 const BIGNUM *client_n, Key **rkey) 165 const BIGNUM *client_n, Key **rkey)
166{ 166{
167 char line[SSH_MAX_PUBKEY_BYTES]; 167 char *fp, line[SSH_MAX_PUBKEY_BYTES];
168 int allowed = 0; 168 int allowed = 0, bits;
169 u_int bits;
170 FILE *f; 169 FILE *f;
171 u_long linenum = 0; 170 u_long linenum = 0;
172 Key *key; 171 Key *key;
@@ -227,11 +226,16 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
227 226
228 /* check the real bits */ 227 /* check the real bits */
229 keybits = BN_num_bits(key->rsa->n); 228 keybits = BN_num_bits(key->rsa->n);
230 if (keybits < 0 || bits != (u_int)keybits) 229 if (keybits < 0 || bits != keybits)
231 logit("Warning: %s, line %lu: keysize mismatch: " 230 logit("Warning: %s, line %lu: keysize mismatch: "
232 "actual %d vs. announced %d.", 231 "actual %d vs. announced %d.",
233 file, linenum, BN_num_bits(key->rsa->n), bits); 232 file, linenum, BN_num_bits(key->rsa->n), bits);
234 233
234 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
235 debug("matching key found: file %s, line %lu %s %s",
236 file, linenum, key_type(key), fp);
237 free(fp);
238
235 /* Never accept a revoked key */ 239 /* Never accept a revoked key */
236 if (auth_key_is_revoked(key)) 240 if (auth_key_is_revoked(key))
237 break; 241 break;
@@ -281,7 +285,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
281 file = expand_authorized_keys( 285 file = expand_authorized_keys(
282 options.authorized_keys_files[i], pw); 286 options.authorized_keys_files[i], pw);
283 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); 287 allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
284 xfree(file); 288 free(file);
285 } 289 }
286 290
287 restore_uid(); 291 restore_uid();
@@ -298,7 +302,6 @@ int
298auth_rsa(Authctxt *authctxt, BIGNUM *client_n) 302auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
299{ 303{
300 Key *key; 304 Key *key;
301 char *fp;
302 struct passwd *pw = authctxt->pw; 305 struct passwd *pw = authctxt->pw;
303 306
304 /* no user given */ 307 /* no user given */
@@ -328,11 +331,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
328 * options; this will be reset if the options cause the 331 * options; this will be reset if the options cause the
329 * authentication to be rejected. 332 * authentication to be rejected.
330 */ 333 */
331 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 334 pubkey_auth_info(authctxt, key, NULL);
332 verbose("Found matching %s key: %s",
333 key_type(key), fp);
334 xfree(fp);
335 key_free(key);
336 335
337 packet_send_debug("RSA authentication accepted."); 336 packet_send_debug("RSA authentication accepted.");
338 return (1); 337 return (1);
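Review bot: In the last hunk of auth_rsa(), the removed block ended with `key_free(key);`, but the replacement `pubkey_auth_info(authctxt, key, NULL);` is followed directly by `return (1);`, so on the success path the key no longer appears to be released. Unless pubkey_auth_info() takes ownership of the key (its definition is not in this section), I would keep `key_free(key);` after the call. auth_rsa() starts outside the hunk, so this is based on the visible lines only.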
diff --git a/auth.c b/auth.c
index 6128fa460..9a36f1dac 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ 1/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -72,6 +72,7 @@
72#include "authfile.h" 72#include "authfile.h"
73#include "monitor_wrap.h" 73#include "monitor_wrap.h"
74#include "krl.h" 74#include "krl.h"
75#include "compat.h"
75 76
76/* import */ 77/* import */
77extern ServerOptions options; 78extern ServerOptions options;
@@ -165,17 +166,17 @@ allowed_user(struct passwd * pw)
165 if (stat(shell, &st) != 0) { 166 if (stat(shell, &st) != 0) {
166 logit("User %.100s not allowed because shell %.100s " 167 logit("User %.100s not allowed because shell %.100s "
167 "does not exist", pw->pw_name, shell); 168 "does not exist", pw->pw_name, shell);
168 xfree(shell); 169 free(shell);
169 return 0; 170 return 0;
170 } 171 }
171 if (S_ISREG(st.st_mode) == 0 || 172 if (S_ISREG(st.st_mode) == 0 ||
172 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { 173 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
173 logit("User %.100s not allowed because shell %.100s " 174 logit("User %.100s not allowed because shell %.100s "
174 "is not executable", pw->pw_name, shell); 175 "is not executable", pw->pw_name, shell);
175 xfree(shell); 176 free(shell);
176 return 0; 177 return 0;
177 } 178 }
178 xfree(shell); 179 free(shell);
179 } 180 }
180 181
181 if (options.num_deny_users > 0 || options.num_allow_users > 0 || 182 if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
@@ -252,8 +253,25 @@ allowed_user(struct passwd * pw)
252} 253}
253 254
254void 255void
256auth_info(Authctxt *authctxt, const char *fmt, ...)
257{
258 va_list ap;
259 int i;
260
261 free(authctxt->info);
262 authctxt->info = NULL;
263
264 va_start(ap, fmt);
265 i = vasprintf(&authctxt->info, fmt, ap);
266 va_end(ap);
267
268 if (i < 0 || authctxt->info == NULL)
269 fatal("vasprintf failed");
270}
271
272void
255auth_log(Authctxt *authctxt, int authenticated, int partial, 273auth_log(Authctxt *authctxt, int authenticated, int partial,
256 const char *method, const char *submethod, const char *info) 274 const char *method, const char *submethod)
257{ 275{
258 void (*authlog) (const char *fmt,...) = verbose; 276 void (*authlog) (const char *fmt,...) = verbose;
259 char *authmsg; 277 char *authmsg;
@@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
275 else 293 else
276 authmsg = authenticated ? "Accepted" : "Failed"; 294 authmsg = authenticated ? "Accepted" : "Failed";
277 295
278 authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", 296 authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
279 authmsg, 297 authmsg,
280 method, 298 method,
281 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, 299 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
@@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
283 authctxt->user, 301 authctxt->user,
284 get_remote_ipaddr(), 302 get_remote_ipaddr(),
285 get_remote_port(), 303 get_remote_port(),
286 info); 304 compat20 ? "ssh2" : "ssh1",
305 authctxt->info != NULL ? ": " : "",
306 authctxt->info != NULL ? authctxt->info : "");
307 free(authctxt->info);
308 authctxt->info = NULL;
287 309
288#ifdef CUSTOM_FAILED_LOGIN 310#ifdef CUSTOM_FAILED_LOGIN
289 if (authenticated == 0 && !authctxt->postponed && 311 if (authenticated == 0 && !authctxt->postponed &&
@@ -355,7 +377,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
355 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); 377 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
356 if (i < 0 || (size_t)i >= sizeof(ret)) 378 if (i < 0 || (size_t)i >= sizeof(ret))
357 fatal("expand_authorized_keys: path too long"); 379 fatal("expand_authorized_keys: path too long");
358 xfree(file); 380 free(file);
359 return (xstrdup(ret)); 381 return (xstrdup(ret));
360} 382}
361 383
@@ -397,7 +419,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
397 load_hostkeys(hostkeys, host, user_hostfile); 419 load_hostkeys(hostkeys, host, user_hostfile);
398 restore_uid(); 420 restore_uid();
399 } 421 }
400 xfree(user_hostfile); 422 free(user_hostfile);
401 } 423 }
402 host_status = check_key_in_hostkeys(hostkeys, key, &found); 424 host_status = check_key_in_hostkeys(hostkeys, key, &found);
403 if (host_status == HOST_REVOKED) 425 if (host_status == HOST_REVOKED)
@@ -666,7 +688,7 @@ auth_key_is_revoked(Key *key)
666 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 688 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
667 error("WARNING: authentication attempt with a revoked " 689 error("WARNING: authentication attempt with a revoked "
668 "%s key %s ", key_type(key), key_fp); 690 "%s key %s ", key_type(key), key_fp);
669 xfree(key_fp); 691 free(key_fp);
670 return 1; 692 return 1;
671 } 693 }
672 fatal("key_in_file returned junk"); 694 fatal("key_in_file returned junk");
@@ -697,7 +719,7 @@ auth_debug_send(void)
697 while (buffer_len(&auth_debug)) { 719 while (buffer_len(&auth_debug)) {
698 msg = buffer_get_string(&auth_debug, NULL); 720 msg = buffer_get_string(&auth_debug, NULL);
699 packet_send_debug("%s", msg); 721 packet_send_debug("%s", msg);
700 xfree(msg); 722 free(msg);
701 } 723 }
702} 724}
703 725
@@ -721,10 +743,12 @@ fakepw(void)
721 fake.pw_name = "NOUSER"; 743 fake.pw_name = "NOUSER";
722 fake.pw_passwd = 744 fake.pw_passwd =
723 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; 745 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
746#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
724 fake.pw_gecos = "NOUSER"; 747 fake.pw_gecos = "NOUSER";
748#endif
725 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; 749 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
726 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; 750 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
727#ifdef HAVE_PW_CLASS_IN_PASSWD 751#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
728 fake.pw_class = ""; 752 fake.pw_class = "";
729#endif 753#endif
730 fake.pw_dir = "/nonexist"; 754 fake.pw_dir = "/nonexist";
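Review bot: The new auth_info() has no comment, and its contract with auth_log() is not obvious from the call sites. It frees and replaces any earlier authctxt->info, and auth_log() then prints that string and frees it. A value set for an attempt that never reaches auth_log() therefore stays attached until the next auth_info() or auth_log() call. I would add above auth_info(): `/* Record extra detail for the next auth_log(); replaces any earlier value. auth_log() consumes and frees it. */`. auth_log()'s body continues outside the hunks shown.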
diff --git a/auth.h b/auth.h
index c6fe84722..80f089869 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -60,6 +60,7 @@ struct Authctxt {
60 struct passwd *pw; /* set if 'valid' */ 60 struct passwd *pw; /* set if 'valid' */
61 char *style; 61 char *style;
62 void *kbdintctxt; 62 void *kbdintctxt;
63 char *info; /* Extra info for next auth_log */
63 void *jpake_ctx; 64 void *jpake_ctx;
64#ifdef BSD_AUTH 65#ifdef BSD_AUTH
65 auth_session_t *as; 66 auth_session_t *as;
@@ -121,6 +122,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
121int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); 122int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
122int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 123int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
123int user_key_allowed(struct passwd *, Key *); 124int user_key_allowed(struct passwd *, Key *);
125void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
126 __attribute__((__format__ (printf, 3, 4)));
124 127
125struct stat; 128struct stat;
126int auth_secure_path(const char *, struct stat *, const char *, uid_t, 129int auth_secure_path(const char *, struct stat *, const char *, uid_t,
@@ -148,8 +151,10 @@ void disable_forwarding(void);
148void do_authentication(Authctxt *); 151void do_authentication(Authctxt *);
149void do_authentication2(Authctxt *); 152void do_authentication2(Authctxt *);
150 153
151void auth_log(Authctxt *, int, int, const char *, const char *, 154void auth_info(Authctxt *authctxt, const char *, ...)
152 const char *); 155 __attribute__((__format__ (printf, 2, 3)))
156 __attribute__((__nonnull__ (2)));
157void auth_log(Authctxt *, int, int, const char *, const char *);
153void userauth_finish(Authctxt *, int, const char *, const char *); 158void userauth_finish(Authctxt *, int, const char *, const char *);
154int auth_root_allowed(const char *); 159int auth_root_allowed(const char *);
155 160
@@ -157,8 +162,9 @@ void userauth_send_banner(const char *);
157 162
158char *auth2_read_banner(void); 163char *auth2_read_banner(void);
159int auth2_methods_valid(const char *, int); 164int auth2_methods_valid(const char *, int);
160int auth2_update_methods_lists(Authctxt *, const char *); 165int auth2_update_methods_lists(Authctxt *, const char *, const char *);
161int auth2_setup_methods_lists(Authctxt *); 166int auth2_setup_methods_lists(Authctxt *);
167int auth2_method_allowed(Authctxt *, const char *, const char *);
162 168
163void privsep_challenge_enable(void); 169void privsep_challenge_enable(void);
164 170
@@ -192,10 +198,12 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *,
192 198
193/* hostkey handling */ 199/* hostkey handling */
194Key *get_hostkey_by_index(int); 200Key *get_hostkey_by_index(int);
201Key *get_hostkey_public_by_index(int);
195Key *get_hostkey_public_by_type(int); 202Key *get_hostkey_public_by_type(int);
196Key *get_hostkey_private_by_type(int); 203Key *get_hostkey_private_by_type(int);
197int get_hostkey_index(Key *); 204int get_hostkey_index(Key *);
198int ssh1_session_key(BIGNUM *); 205int ssh1_session_key(BIGNUM *);
206void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
199 207
200/* debug messages during authentication */ 208/* debug messages during authentication */
201void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); 209void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
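Review bot: The pubkey_auth_info() prototype does not say that its format argument may be NULL, although auth_rsa() in this same commit calls `pubkey_auth_info(authctxt, key, NULL)`. auth_info(), declared just below, is marked `__nonnull__ (2)`, so the two look parallel but have different contracts. A one-line comment on the prototype, for example `/* fmt may be NULL when the caller has no extra detail to record */`, would stop a later change from copying the nonnull attribute across. What the function records when fmt is NULL is defined outside this section.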
diff --git a/auth1.c b/auth1.c
index 6eea8d81e..f1ac59814 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -45,11 +45,11 @@
45extern ServerOptions options; 45extern ServerOptions options;
46extern Buffer loginmsg; 46extern Buffer loginmsg;
47 47
48static int auth1_process_password(Authctxt *, char *, size_t); 48static int auth1_process_password(Authctxt *);
49static int auth1_process_rsa(Authctxt *, char *, size_t); 49static int auth1_process_rsa(Authctxt *);
50static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t); 50static int auth1_process_rhosts_rsa(Authctxt *);
51static int auth1_process_tis_challenge(Authctxt *, char *, size_t); 51static int auth1_process_tis_challenge(Authctxt *);
52static int auth1_process_tis_response(Authctxt *, char *, size_t); 52static int auth1_process_tis_response(Authctxt *);
53 53
54static char *client_user = NULL; /* Used to fill in remote user for PAM */ 54static char *client_user = NULL; /* Used to fill in remote user for PAM */
55 55
@@ -57,7 +57,7 @@ struct AuthMethod1 {
57 int type; 57 int type;
58 char *name; 58 char *name;
59 int *enabled; 59 int *enabled;
60 int (*method)(Authctxt *, char *, size_t); 60 int (*method)(Authctxt *);
61}; 61};
62 62
63const struct AuthMethod1 auth1_methods[] = { 63const struct AuthMethod1 auth1_methods[] = {
@@ -112,7 +112,7 @@ get_authname(int type)
112 112
113/*ARGSUSED*/ 113/*ARGSUSED*/
114static int 114static int
115auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) 115auth1_process_password(Authctxt *authctxt)
116{ 116{
117 int authenticated = 0; 117 int authenticated = 0;
118 char *password; 118 char *password;
@@ -130,14 +130,14 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
130 authenticated = PRIVSEP(auth_password(authctxt, password)); 130 authenticated = PRIVSEP(auth_password(authctxt, password));
131 131
132 memset(password, 0, dlen); 132 memset(password, 0, dlen);
133 xfree(password); 133 free(password);
134 134
135 return (authenticated); 135 return (authenticated);
136} 136}
137 137
138/*ARGSUSED*/ 138/*ARGSUSED*/
139static int 139static int
140auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) 140auth1_process_rsa(Authctxt *authctxt)
141{ 141{
142 int authenticated = 0; 142 int authenticated = 0;
143 BIGNUM *n; 143 BIGNUM *n;
@@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
155 155
156/*ARGSUSED*/ 156/*ARGSUSED*/
157static int 157static int
158auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) 158auth1_process_rhosts_rsa(Authctxt *authctxt)
159{ 159{
160 int keybits, authenticated = 0; 160 int keybits, authenticated = 0;
161 u_int bits; 161 u_int bits;
@@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
187 client_host_key); 187 client_host_key);
188 key_free(client_host_key); 188 key_free(client_host_key);
189 189
190 snprintf(info, infolen, " ruser %.100s", client_user); 190 auth_info(authctxt, "ruser %.100s", client_user);
191 191
192 return (authenticated); 192 return (authenticated);
193} 193}
194 194
195/*ARGSUSED*/ 195/*ARGSUSED*/
196static int 196static int
197auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) 197auth1_process_tis_challenge(Authctxt *authctxt)
198{ 198{
199 char *challenge; 199 char *challenge;
200 200
@@ -204,7 +204,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
204 debug("sending challenge '%s'", challenge); 204 debug("sending challenge '%s'", challenge);
205 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); 205 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
206 packet_put_cstring(challenge); 206 packet_put_cstring(challenge);
207 xfree(challenge); 207 free(challenge);
208 packet_send(); 208 packet_send();
209 packet_write_wait(); 209 packet_write_wait();
210 210
@@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
213 213
214/*ARGSUSED*/ 214/*ARGSUSED*/
215static int 215static int
216auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) 216auth1_process_tis_response(Authctxt *authctxt)
217{ 217{
218 int authenticated = 0; 218 int authenticated = 0;
219 char *response; 219 char *response;
@@ -223,7 +223,7 @@ auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
223 packet_check_eom(); 223 packet_check_eom();
224 authenticated = verify_response(authctxt, response); 224 authenticated = verify_response(authctxt, response);
225 memset(response, 'r', dlen); 225 memset(response, 'r', dlen);
226 xfree(response); 226 free(response);
227 227
228 return (authenticated); 228 return (authenticated);
229} 229}
@@ -236,7 +236,6 @@ static void
236do_authloop(Authctxt *authctxt) 236do_authloop(Authctxt *authctxt)
237{ 237{
238 int authenticated = 0; 238 int authenticated = 0;
239 char info[1024];
240 int prev = 0, type = 0; 239 int prev = 0, type = 0;
241 const struct AuthMethod1 *meth; 240 const struct AuthMethod1 *meth;
242 241
@@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt)
254#endif 253#endif
255 { 254 {
256 auth_log(authctxt, 1, 0, "without authentication", 255 auth_log(authctxt, 1, 0, "without authentication",
257 NULL, ""); 256 NULL);
258 return; 257 return;
259 } 258 }
260 } 259 }
@@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt)
268 /* default to fail */ 267 /* default to fail */
269 authenticated = 0; 268 authenticated = 0;
270 269
271 info[0] = '\0';
272 270
273 /* Get a packet from the client. */ 271 /* Get a packet from the client. */
274 prev = type; 272 prev = type;
@@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt)
298 goto skip; 296 goto skip;
299 } 297 }
300 298
301 authenticated = meth->method(authctxt, info, sizeof(info)); 299 authenticated = meth->method(authctxt);
302 if (authenticated == -1) 300 if (authenticated == -1)
303 continue; /* "postponed" */ 301 continue; /* "postponed" */
304 302
@@ -353,13 +351,10 @@ do_authloop(Authctxt *authctxt)
353 351
354 skip: 352 skip:
355 /* Log before sending the reply */ 353 /* Log before sending the reply */
356 auth_log(authctxt, authenticated, 0, get_authname(type), 354 auth_log(authctxt, authenticated, 0, get_authname(type), NULL);
357 NULL, info);
358 355
359 if (client_user != NULL) { 356 free(client_user);
360 xfree(client_user); 357 client_user = NULL;
361 client_user = NULL;
362 }
363 358
364 if (authenticated) 359 if (authenticated)
365 return; 360 return;
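Review bot: In auth1_process_password the password buffer is wiped with `memset(password, 0, dlen);` immediately before `free(password);`, and a compiler may drop a store to memory that is about to be freed. Where the platform provides it, `explicit_bzero(password, dlen);` keeps the wipe in place. The same pattern appears at `memset(response, 'r', dlen);` in auth1_process_tis_response, and in the auth2-chall.c section at the `bzero(kbdintctxt, sizeof(*kbdintctxt));` in kbdint_free and the per-response memset in input_userauth_info_response. These functions start outside their hunks, so any earlier copies of the secret are not visible here.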
diff --git a/auth2-chall.c b/auth2-chall.c
index 6505d4009..98f3093ce 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ 1/* $OpenBSD: auth2-chall.c,v 1.38 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved. 4 * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -147,15 +147,13 @@ kbdint_free(KbdintAuthctxt *kbdintctxt)
147{ 147{
148 if (kbdintctxt->device) 148 if (kbdintctxt->device)
149 kbdint_reset_device(kbdintctxt); 149 kbdint_reset_device(kbdintctxt);
150 if (kbdintctxt->devices) { 150 free(kbdintctxt->devices);
151 xfree(kbdintctxt->devices); 151 bzero(kbdintctxt, sizeof(*kbdintctxt));
152 kbdintctxt->devices = NULL; 152 free(kbdintctxt);
153 }
154 xfree(kbdintctxt);
155} 153}
156/* get next device */ 154/* get next device */
157static int 155static int
158kbdint_next_device(KbdintAuthctxt *kbdintctxt) 156kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
159{ 157{
160 size_t len; 158 size_t len;
161 char *t; 159 char *t;
@@ -169,12 +167,16 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
169 167
170 if (len == 0) 168 if (len == 0)
171 break; 169 break;
172 for (i = 0; devices[i]; i++) 170 for (i = 0; devices[i]; i++) {
171 if (!auth2_method_allowed(authctxt,
172 "keyboard-interactive", devices[i]->name))
173 continue;
173 if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) 174 if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
174 kbdintctxt->device = devices[i]; 175 kbdintctxt->device = devices[i];
176 }
175 t = kbdintctxt->devices; 177 t = kbdintctxt->devices;
176 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; 178 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
177 xfree(t); 179 free(t);
178 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? 180 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
179 kbdintctxt->devices : "<empty>"); 181 kbdintctxt->devices : "<empty>");
180 } while (kbdintctxt->devices && !kbdintctxt->device); 182 } while (kbdintctxt->devices && !kbdintctxt->device);
@@ -221,7 +223,7 @@ auth2_challenge_start(Authctxt *authctxt)
221 debug2("auth2_challenge_start: devices %s", 223 debug2("auth2_challenge_start: devices %s",
222 kbdintctxt->devices ? kbdintctxt->devices : "<empty>"); 224 kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
223 225
224 if (kbdint_next_device(kbdintctxt) == 0) { 226 if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
225 auth2_challenge_stop(authctxt); 227 auth2_challenge_stop(authctxt);
226 return 0; 228 return 0;
227 } 229 }
@@ -268,11 +270,11 @@ send_userauth_info_request(Authctxt *authctxt)
268 packet_write_wait(); 270 packet_write_wait();
269 271
270 for (i = 0; i < kbdintctxt->nreq; i++) 272 for (i = 0; i < kbdintctxt->nreq; i++)
271 xfree(prompts[i]); 273 free(prompts[i]);
272 xfree(prompts); 274 free(prompts);
273 xfree(echo_on); 275 free(echo_on);
274 xfree(name); 276 free(name);
275 xfree(instr); 277 free(instr);
276 return 1; 278 return 1;
277} 279}
278 280
@@ -311,10 +313,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
311 313
312 for (i = 0; i < nresp; i++) { 314 for (i = 0; i < nresp; i++) {
313 memset(response[i], 'r', strlen(response[i])); 315 memset(response[i], 'r', strlen(response[i]));
314 xfree(response[i]); 316 free(response[i]);
315 } 317 }
316 if (response) 318 free(response);
317 xfree(response);
318 319
319 switch (res) { 320 switch (res) {
320 case 0: 321 case 0:
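Review bot: In kbdint_next_device the new loop skips devices that auth2_method_allowed() rejects, but nothing records that a device has already been selected, so a name that appears more than once in kbdintctxt->devices selects the same backend again on a later call. If that list is derived from the client's submethod string (its origin is outside these hunks), repeated entries would multiply the attempts made against one device. Tracking tried devices next to the new check would bound this, for example with a new bitmask field: `if (kbdintctxt->devices_done & (1 << i)) continue;`, with the bit set when the device is assigned. The function starts outside the hunk.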
diff --git a/auth2-gss.c b/auth2-gss.c
index 17d4a3a84..3c3cbb966 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -115,8 +115,7 @@ userauth_gssapi(Authctxt *authctxt)
115 do { 115 do {
116 mechs--; 116 mechs--;
117 117
118 if (doid) 118 free(doid);
119 xfree(doid);
120 119
121 present = 0; 120 present = 0;
122 doid = packet_get_string(&len); 121 doid = packet_get_string(&len);
@@ -135,7 +134,7 @@ userauth_gssapi(Authctxt *authctxt)
135 gss_release_oid_set(&ms, &supported); 134 gss_release_oid_set(&ms, &supported);
136 135
137 if (!present) { 136 if (!present) {
138 xfree(doid); 137 free(doid);
139 authctxt->server_caused_failure = 1; 138 authctxt->server_caused_failure = 1;
140 return (0); 139 return (0);
141 } 140 }
@@ -143,7 +142,7 @@ userauth_gssapi(Authctxt *authctxt)
143 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { 142 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
144 if (ctxt != NULL) 143 if (ctxt != NULL)
145 ssh_gssapi_delete_ctx(&ctxt); 144 ssh_gssapi_delete_ctx(&ctxt);
146 xfree(doid); 145 free(doid);
147 authctxt->server_caused_failure = 1; 146 authctxt->server_caused_failure = 1;
148 return (0); 147 return (0);
149 } 148 }
@@ -156,7 +155,7 @@ userauth_gssapi(Authctxt *authctxt)
156 packet_put_string(doid, len); 155 packet_put_string(doid, len);
157 156
158 packet_send(); 157 packet_send();
159 xfree(doid); 158 free(doid);
160 159
161 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 160 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
162 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 161 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
@@ -187,7 +186,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
187 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 186 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
188 &send_tok, &flags)); 187 &send_tok, &flags));
189 188
190 xfree(recv_tok.value); 189 free(recv_tok.value);
191 190
192 if (GSS_ERROR(maj_status)) { 191 if (GSS_ERROR(maj_status)) {
193 if (send_tok.length != 0) { 192 if (send_tok.length != 0) {
@@ -242,7 +241,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
242 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 241 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
243 &send_tok, NULL)); 242 &send_tok, NULL));
244 243
245 xfree(recv_tok.value); 244 free(recv_tok.value);
246 245
247 /* We can't return anything to the client, even if we wanted to */ 246 /* We can't return anything to the client, even if we wanted to */
248 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 247 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -263,14 +262,11 @@ static void
263input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 262input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
264{ 263{
265 Authctxt *authctxt = ctxt; 264 Authctxt *authctxt = ctxt;
266 Gssctxt *gssctxt;
267 int authenticated; 265 int authenticated;
268 266
269 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 267 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
270 fatal("No authentication or GSSAPI context"); 268 fatal("No authentication or GSSAPI context");
271 269
272 gssctxt = authctxt->methoddata;
273
274 /* 270 /*
275 * We don't need to check the status, because we're only enabled in 271 * We don't need to check the status, because we're only enabled in
276 * the dispatcher once the exchange is complete 272 * the dispatcher once the exchange is complete
@@ -320,7 +316,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
320 logit("GSSAPI MIC check failed"); 316 logit("GSSAPI MIC check failed");
321 317
322 buffer_free(&b); 318 buffer_free(&b);
323 xfree(mic.value); 319 free(mic.value);
324 320
325 authctxt->postponed = 0; 321 authctxt->postponed = 0;
326 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 322 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index cdf442f97..a344dcc1f 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */ 1/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt)
116#ifdef DEBUG_PK 116#ifdef DEBUG_PK
117 buffer_dump(&b); 117 buffer_dump(&b);
118#endif 118#endif
119
120 pubkey_auth_info(authctxt, key,
121 "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
122
119 /* test for allowed key and correct signature */ 123 /* test for allowed key and correct signature */
120 authenticated = 0; 124 authenticated = 0;
121 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && 125 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@@ -128,11 +132,11 @@ done:
128 debug2("userauth_hostbased: authenticated %d", authenticated); 132 debug2("userauth_hostbased: authenticated %d", authenticated);
129 if (key != NULL) 133 if (key != NULL)
130 key_free(key); 134 key_free(key);
131 xfree(pkalg); 135 free(pkalg);
132 xfree(pkblob); 136 free(pkblob);
133 xfree(cuser); 137 free(cuser);
134 xfree(chost); 138 free(chost);
135 xfree(sig); 139 free(sig);
136 return authenticated; 140 return authenticated;
137} 141}
138 142
@@ -207,7 +211,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
207 verbose("Accepted %s public key %s from %s@%s", 211 verbose("Accepted %s public key %s from %s@%s",
208 key_type(key), fp, cuser, lookup); 212 key_type(key), fp, cuser, lookup);
209 } 213 }
210 xfree(fp); 214 free(fp);
211 } 215 }
212 216
213 return (host_status == HOST_OK); 217 return (host_status == HOST_OK);
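Review bot: The new pubkey_auth_info() call in userauth_hostbased (new lines 120-121) records cuser and chost ahead of the "test for allowed key and correct signature" step, so the stored text describes a claim rather than a verified identity. A comment above the call would make that explicit for anyone reading the resulting auth records, for example `/* cuser/chost are as claimed by the client; not yet verified */`. Where cuser and chost are read lies outside this hunk, so their origin is inferred from the free() calls at the end of the function. The `%.100s` bounds on both strings are worth keeping.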
diff --git a/auth2-jpake.c b/auth2-jpake.c
index ed0eba47b..78a6b8817 100644
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2008 Damien Miller. All rights reserved. 3 * Copyright (c) 2008 Damien Miller. All rights reserved.
4 * 4 *
@@ -179,7 +179,7 @@ derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
179 __func__, len, digest_len); 179 __func__, len, digest_len);
180 memcpy(rawsalt, digest, len); 180 memcpy(rawsalt, digest, len);
181 bzero(digest, digest_len); 181 bzero(digest, digest_len);
182 xfree(digest); 182 free(digest);
183} 183}
184 184
185/* ASCII an integer [0, 64) for inclusion in a password/salt */ 185/* ASCII an integer [0, 64) for inclusion in a password/salt */
@@ -258,7 +258,7 @@ fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
258 makesalt(22, authctxt->user)); 258 makesalt(22, authctxt->user));
259 *scheme = xstrdup("bcrypt"); 259 *scheme = xstrdup("bcrypt");
260 } 260 }
261 xfree(style); 261 free(style);
262 debug3("%s: fake %s salt for user %s: %s", 262 debug3("%s: fake %s salt for user %s: %s",
263 __func__, *scheme, authctxt->user, *salt); 263 __func__, *scheme, authctxt->user, *salt);
264} 264}
@@ -361,7 +361,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
361 JPAKE_DEBUG_BN((*s, "%s: s = ", __func__)); 361 JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
362#endif 362#endif
363 bzero(secret, secret_len); 363 bzero(secret, secret_len);
364 xfree(secret); 364 free(secret);
365} 365}
366 366
367/* 367/*
@@ -403,12 +403,12 @@ auth2_jpake_start(Authctxt *authctxt)
403 403
404 bzero(hash_scheme, strlen(hash_scheme)); 404 bzero(hash_scheme, strlen(hash_scheme));
405 bzero(salt, strlen(salt)); 405 bzero(salt, strlen(salt));
406 xfree(hash_scheme); 406 free(hash_scheme);
407 xfree(salt); 407 free(salt);
408 bzero(x3_proof, x3_proof_len); 408 bzero(x3_proof, x3_proof_len);
409 bzero(x4_proof, x4_proof_len); 409 bzero(x4_proof, x4_proof_len);
410 xfree(x3_proof); 410 free(x3_proof);
411 xfree(x4_proof); 411 free(x4_proof);
412 412
413 /* Expect step 1 packet from peer */ 413 /* Expect step 1 packet from peer */
414 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, 414 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
@@ -455,8 +455,8 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
455 455
456 bzero(x1_proof, x1_proof_len); 456 bzero(x1_proof, x1_proof_len);
457 bzero(x2_proof, x2_proof_len); 457 bzero(x2_proof, x2_proof_len);
458 xfree(x1_proof); 458 free(x1_proof);
459 xfree(x2_proof); 459 free(x2_proof);
460 460
461 if (!use_privsep) 461 if (!use_privsep)
462 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); 462 JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
@@ -469,7 +469,7 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
469 packet_write_wait(); 469 packet_write_wait();
470 470
471 bzero(x4_s_proof, x4_s_proof_len); 471 bzero(x4_s_proof, x4_s_proof_len);
472 xfree(x4_s_proof); 472 free(x4_s_proof);
473 473
474 /* Expect step 2 packet from peer */ 474 /* Expect step 2 packet from peer */
475 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, 475 dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
@@ -510,7 +510,7 @@ input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
510 &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len)); 510 &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
511 511
512 bzero(x2_s_proof, x2_s_proof_len); 512 bzero(x2_s_proof, x2_s_proof_len);
513 xfree(x2_s_proof); 513 free(x2_s_proof);
514 514
515 if (!use_privsep) 515 if (!use_privsep)
516 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); 516 JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
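Review bot: Calling free() directly after bzero() in derive_rawsalt, auth2_jpake_get_pwdata, auth2_jpake_start and the two client-step handlers gives the compiler a wipe-then-free pattern that it may remove as dead stores, because it knows the semantics of free(); with the xfree() wrapper in another translation unit that elimination was less likely. The same pattern appears in this commit in auth2-passwd.c (`memset(password, 0, len); free(password);`), bufaux.c, bufbn.c and bufec.c. Where the platform provides it, a wipe that cannot be elided, such as `explicit_bzero(secret, secret_len);`, would keep salts, proofs and passwords from lingering in freed heap memory. Whether the build already prevents this, for instance through compiler flags, is not visible from the page.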
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index fae67da6e..c39bdc62d 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -56,8 +56,8 @@ userauth_kbdint(Authctxt *authctxt)
56 if (options.challenge_response_authentication) 56 if (options.challenge_response_authentication)
57 authenticated = auth2_challenge(authctxt, devs); 57 authenticated = auth2_challenge(authctxt, devs);
58 58
59 xfree(devs); 59 free(devs);
60 xfree(lang); 60 free(lang);
61 return authenticated; 61 return authenticated;
62} 62}
63 63
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 5f1f3635f..21bc5047d 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */ 1/* $OpenBSD: auth2-passwd.c,v 1.10 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -60,7 +60,7 @@ userauth_passwd(Authctxt *authctxt)
60 /* discard new password from packet */ 60 /* discard new password from packet */
61 newpass = packet_get_string(&newlen); 61 newpass = packet_get_string(&newlen);
62 memset(newpass, 0, newlen); 62 memset(newpass, 0, newlen);
63 xfree(newpass); 63 free(newpass);
64 } 64 }
65 packet_check_eom(); 65 packet_check_eom();
66 66
@@ -69,7 +69,7 @@ userauth_passwd(Authctxt *authctxt)
69 else if (PRIVSEP(auth_password(authctxt, password)) == 1) 69 else if (PRIVSEP(auth_password(authctxt, password)) == 1)
70 authenticated = 1; 70 authenticated = 1;
71 memset(password, 0, len); 71 memset(password, 0, len);
72 xfree(password); 72 free(password);
73 return authenticated; 73 return authenticated;
74} 74}
75 75
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3ff6faa8b..2b3ecb104 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt)
75{ 75{
76 Buffer b; 76 Buffer b;
77 Key *key = NULL; 77 Key *key = NULL;
78 char *pkalg; 78 char *pkalg, *userstyle;
79 u_char *pkblob, *sig; 79 u_char *pkblob, *sig;
80 u_int alen, blen, slen; 80 u_int alen, blen, slen;
81 int have_sig, pktype; 81 int have_sig, pktype;
@@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
127 } 127 }
128 /* reconstruct packet */ 128 /* reconstruct packet */
129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); 129 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
130 buffer_put_cstring(&b, authctxt->user); 130 xasprintf(&userstyle, "%s%s%s", authctxt->user,
131 authctxt->style ? ":" : "",
132 authctxt->style ? authctxt->style : "");
133 buffer_put_cstring(&b, userstyle);
134 free(userstyle);
131 buffer_put_cstring(&b, 135 buffer_put_cstring(&b,
132 datafellows & SSH_BUG_PKSERVICE ? 136 datafellows & SSH_BUG_PKSERVICE ?
133 "ssh-userauth" : 137 "ssh-userauth" :
@@ -143,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
143#ifdef DEBUG_PK 147#ifdef DEBUG_PK
144 buffer_dump(&b); 148 buffer_dump(&b);
145#endif 149#endif
150 pubkey_auth_info(authctxt, key, NULL);
151
146 /* test for correct signature */ 152 /* test for correct signature */
147 authenticated = 0; 153 authenticated = 0;
148 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && 154 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -150,7 +156,7 @@ userauth_pubkey(Authctxt *authctxt)
150 buffer_len(&b))) == 1) 156 buffer_len(&b))) == 1)
151 authenticated = 1; 157 authenticated = 1;
152 buffer_free(&b); 158 buffer_free(&b);
153 xfree(sig); 159 free(sig);
154 } else { 160 } else {
155 debug("test whether pkalg/pkblob are acceptable"); 161 debug("test whether pkalg/pkblob are acceptable");
156 packet_check_eom(); 162 packet_check_eom();
@@ -178,11 +184,45 @@ done:
178 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); 184 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
179 if (key != NULL) 185 if (key != NULL)
180 key_free(key); 186 key_free(key);
181 xfree(pkalg); 187 free(pkalg);
182 xfree(pkblob); 188 free(pkblob);
183 return authenticated; 189 return authenticated;
184} 190}
185 191
192void
193pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
194{
195 char *fp, *extra;
196 va_list ap;
197 int i;
198
199 extra = NULL;
200 if (fmt != NULL) {
201 va_start(ap, fmt);
202 i = vasprintf(&extra, fmt, ap);
203 va_end(ap);
204 if (i < 0 || extra == NULL)
205 fatal("%s: vasprintf failed", __func__);
206 }
207
208 if (key_is_cert(key)) {
209 fp = key_fingerprint(key->cert->signature_key,
210 SSH_FP_MD5, SSH_FP_HEX);
211 auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
212 key_type(key), key->cert->key_id,
213 (unsigned long long)key->cert->serial,
214 key_type(key->cert->signature_key), fp,
215 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
216 free(fp);
217 } else {
218 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
219 auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
220 extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
221 free(fp);
222 }
223 free(extra);
224}
225
186static int 226static int
187match_principals_option(const char *principal_list, struct KeyCert *cert) 227match_principals_option(const char *principal_list, struct KeyCert *cert)
188{ 228{
@@ -196,7 +236,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
196 principal_list, NULL)) != NULL) { 236 principal_list, NULL)) != NULL) {
197 debug3("matched principal from key options \"%.100s\"", 237 debug3("matched principal from key options \"%.100s\"",
198 result); 238 result);
199 xfree(result); 239 free(result);
200 return 1; 240 return 1;
201 } 241 }
202 } 242 }
@@ -276,11 +316,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
276 char *fp; 316 char *fp;
277 317
278 found_key = 0; 318 found_key = 0;
279 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
280 319
320 found = NULL;
281 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 321 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
282 char *cp, *key_options = NULL; 322 char *cp, *key_options = NULL;
283 323 if (found != NULL)
324 key_free(found);
325 found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
284 auth_clear_options(); 326 auth_clear_options();
285 327
286 /* Skip leading whitespace, empty and comment lines. */ 328 /* Skip leading whitespace, empty and comment lines. */
@@ -332,7 +374,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
332 reason = "Certificate does not contain an " 374 reason = "Certificate does not contain an "
333 "authorized principal"; 375 "authorized principal";
334 fail_reason: 376 fail_reason:
335 xfree(fp); 377 free(fp);
336 error("%s", reason); 378 error("%s", reason);
337 auth_debug_add("%s", reason); 379 auth_debug_add("%s", reason);
338 continue; 380 continue;
@@ -342,13 +384,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
342 &reason) != 0) 384 &reason) != 0)
343 goto fail_reason; 385 goto fail_reason;
344 if (auth_cert_options(key, pw) != 0) { 386 if (auth_cert_options(key, pw) != 0) {
345 xfree(fp); 387 free(fp);
346 continue; 388 continue;
347 } 389 }
348 verbose("Accepted certificate ID \"%s\" " 390 verbose("Accepted certificate ID \"%s\" "
349 "signed by %s CA %s via %s", key->cert->key_id, 391 "signed by %s CA %s via %s", key->cert->key_id,
350 key_type(found), fp, file); 392 key_type(found), fp, file);
351 xfree(fp); 393 free(fp);
352 found_key = 1; 394 found_key = 1;
353 break; 395 break;
354 } else if (key_equal(found, key)) { 396 } else if (key_equal(found, key)) {
@@ -358,16 +400,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
358 if (key_is_cert_authority) 400 if (key_is_cert_authority)
359 continue; 401 continue;
360 found_key = 1; 402 found_key = 1;
361 debug("matching key found: file %s, line %lu",
362 file, linenum);
363 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); 403 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
364 verbose("Found matching %s key: %s", 404 debug("matching key found: file %s, line %lu %s %s",
365 key_type(found), fp); 405 file, linenum, key_type(found), fp);
366 xfree(fp); 406 free(fp);
367 break; 407 break;
368 } 408 }
369 } 409 }
370 key_free(found); 410 if (found != NULL)
411 key_free(found);
371 if (!found_key) 412 if (!found_key)
372 debug2("key not found"); 413 debug2("key not found");
373 return found_key; 414 return found_key;
@@ -421,10 +462,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
421 ret = 1; 462 ret = 1;
422 463
423 out: 464 out:
424 if (principals_file != NULL) 465 free(principals_file);
425 xfree(principals_file); 466 free(ca_fp);
426 if (ca_fp != NULL)
427 xfree(ca_fp);
428 return ret; 467 return ret;
429} 468}
430 469
@@ -629,7 +668,7 @@ user_key_allowed(struct passwd *pw, Key *key)
629 options.authorized_keys_files[i], pw); 668 options.authorized_keys_files[i], pw);
630 669
631 success = user_key_allowed2(pw, key, file); 670 success = user_key_allowed2(pw, key, file);
632 xfree(file); 671 free(file);
633 } 672 }
634 673
635 return success; 674 return success;
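Review bot: pubkey_auth_info() formats `key->cert->key_id` with an unbounded `%s`, and userauth_pubkey calls it (new line 150) before `user_key_allowed()` and the signature check, so the ID comes from a certificate that has not been accepted yet. The hostbased caller bounds its client-supplied strings with `%.100s`; doing the same here, `"%s ID %.100s (serial %llu) CA %s %s%s%s"`, would keep one oversized key ID from dominating the auth record. Whether auth_info() or the logger truncates or escapes the text later is not visible in this diff. The function also has no header comment; one line stating that it may be called with a key that has not been verified would help.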
diff --git a/auth2.c b/auth2.c
index d25940036..6ed8f042b 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ 1/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -100,8 +100,12 @@ static void input_userauth_request(int, u_int32_t, void *);
100/* helper */ 100/* helper */
101static Authmethod *authmethod_lookup(Authctxt *, const char *); 101static Authmethod *authmethod_lookup(Authctxt *, const char *);
102static char *authmethods_get(Authctxt *authctxt); 102static char *authmethods_get(Authctxt *authctxt);
103static int method_allowed(Authctxt *, const char *); 103
104static int list_starts_with(const char *, const char *); 104#define MATCH_NONE 0 /* method or submethod mismatch */
105#define MATCH_METHOD 1 /* method matches (no submethod specified) */
106#define MATCH_BOTH 2 /* method and submethod match */
107#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */
108static int list_starts_with(const char *, const char *, const char *);
105 109
106char * 110char *
107auth2_read_banner(void) 111auth2_read_banner(void)
@@ -128,7 +132,7 @@ auth2_read_banner(void)
128 close(fd); 132 close(fd);
129 133
130 if (n != len) { 134 if (n != len) {
131 xfree(banner); 135 free(banner);
132 return (NULL); 136 return (NULL);
133 } 137 }
134 banner[n] = '\0'; 138 banner[n] = '\0';
@@ -164,8 +168,7 @@ userauth_banner(void)
164 userauth_send_banner(banner); 168 userauth_send_banner(banner);
165 169
166done: 170done:
167 if (banner) 171 free(banner);
168 xfree(banner);
169} 172}
170 173
171/* 174/*
@@ -210,7 +213,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
210 debug("bad service request %s", service); 213 debug("bad service request %s", service);
211 packet_disconnect("bad service request %s", service); 214 packet_disconnect("bad service request %s", service);
212 } 215 }
213 xfree(service); 216 free(service);
214} 217}
215 218
216/*ARGSUSED*/ 219/*ARGSUSED*/
@@ -290,9 +293,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
290 } 293 }
291 userauth_finish(authctxt, authenticated, method, NULL); 294 userauth_finish(authctxt, authenticated, method, NULL);
292 295
293 xfree(service); 296 free(service);
294 xfree(user); 297 free(user);
295 xfree(method); 298 free(method);
296} 299}
297 300
298void 301void
@@ -318,14 +321,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
318 } 321 }
319 322
320 if (authenticated && options.num_auth_methods != 0) { 323 if (authenticated && options.num_auth_methods != 0) {
321 if (!auth2_update_methods_lists(authctxt, method)) { 324 if (!auth2_update_methods_lists(authctxt, method, submethod)) {
322 authenticated = 0; 325 authenticated = 0;
323 partial = 1; 326 partial = 1;
324 } 327 }
325 } 328 }
326 329
327 /* Log before sending the reply */ 330 /* Log before sending the reply */
328 auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); 331 auth_log(authctxt, authenticated, partial, method, submethod);
329 332
330 if (authctxt->postponed) 333 if (authctxt->postponed)
331 return; 334 return;
@@ -380,7 +383,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
380 packet_put_char(partial); 383 packet_put_char(partial);
381 packet_send(); 384 packet_send();
382 packet_write_wait(); 385 packet_write_wait();
383 xfree(methods); 386 free(methods);
384 } 387 }
385} 388}
386 389
@@ -389,8 +392,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
389 * methods list. Returns 1 if allowed, or no methods lists configured. 392 * methods list. Returns 1 if allowed, or no methods lists configured.
390 * 0 otherwise. 393 * 0 otherwise.
391 */ 394 */
392static int 395int
393method_allowed(Authctxt *authctxt, const char *method) 396auth2_method_allowed(Authctxt *authctxt, const char *method,
397 const char *submethod)
394{ 398{
395 u_int i; 399 u_int i;
396 400
@@ -401,7 +405,8 @@ method_allowed(Authctxt *authctxt, const char *method)
401 if (options.num_auth_methods == 0) 405 if (options.num_auth_methods == 0)
402 return 1; 406 return 1;
403 for (i = 0; i < authctxt->num_auth_methods; i++) { 407 for (i = 0; i < authctxt->num_auth_methods; i++) {
404 if (list_starts_with(authctxt->auth_methods[i], method)) 408 if (list_starts_with(authctxt->auth_methods[i], method,
409 submethod) != MATCH_NONE)
405 return 1; 410 return 1;
406 } 411 }
407 return 0; 412 return 0;
@@ -421,7 +426,8 @@ authmethods_get(Authctxt *authctxt)
421 if (authmethods[i]->enabled == NULL || 426 if (authmethods[i]->enabled == NULL ||
422 *(authmethods[i]->enabled) == 0) 427 *(authmethods[i]->enabled) == 0)
423 continue; 428 continue;
424 if (!method_allowed(authctxt, authmethods[i]->name)) 429 if (!auth2_method_allowed(authctxt, authmethods[i]->name,
430 NULL))
425 continue; 431 continue;
426 if (buffer_len(&b) > 0) 432 if (buffer_len(&b) > 0)
427 buffer_append(&b, ",", 1); 433 buffer_append(&b, ",", 1);
@@ -444,7 +450,8 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
444 if (authmethods[i]->enabled != NULL && 450 if (authmethods[i]->enabled != NULL &&
445 *(authmethods[i]->enabled) != 0 && 451 *(authmethods[i]->enabled) != 0 &&
446 strcmp(name, authmethods[i]->name) == 0 && 452 strcmp(name, authmethods[i]->name) == 0 &&
447 method_allowed(authctxt, authmethods[i]->name)) 453 auth2_method_allowed(authctxt,
454 authmethods[i]->name, NULL))
448 return authmethods[i]; 455 return authmethods[i];
449 debug2("Unrecognized authentication method name: %s", 456 debug2("Unrecognized authentication method name: %s",
450 name ? name : "NULL"); 457 name ? name : "NULL");
@@ -459,7 +466,7 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
459int 466int
460auth2_methods_valid(const char *_methods, int need_enable) 467auth2_methods_valid(const char *_methods, int need_enable)
461{ 468{
462 char *methods, *omethods, *method; 469 char *methods, *omethods, *method, *p;
463 u_int i, found; 470 u_int i, found;
464 int ret = -1; 471 int ret = -1;
465 472
@@ -470,6 +477,8 @@ auth2_methods_valid(const char *_methods, int need_enable)
470 omethods = methods = xstrdup(_methods); 477 omethods = methods = xstrdup(_methods);
471 while ((method = strsep(&methods, ",")) != NULL) { 478 while ((method = strsep(&methods, ",")) != NULL) {
472 for (found = i = 0; !found && authmethods[i] != NULL; i++) { 479 for (found = i = 0; !found && authmethods[i] != NULL; i++) {
480 if ((p = strchr(method, ':')) != NULL)
481 *p = '\0';
473 if (strcmp(method, authmethods[i]->name) != 0) 482 if (strcmp(method, authmethods[i]->name) != 0)
474 continue; 483 continue;
475 if (need_enable) { 484 if (need_enable) {
@@ -535,15 +544,30 @@ auth2_setup_methods_lists(Authctxt *authctxt)
535} 544}
536 545
537static int 546static int
538list_starts_with(const char *methods, const char *method) 547list_starts_with(const char *methods, const char *method,
548 const char *submethod)
539{ 549{
540 size_t l = strlen(method); 550 size_t l = strlen(method);
551 int match;
552 const char *p;
541 553
542 if (strncmp(methods, method, l) != 0) 554 if (strncmp(methods, method, l) != 0)
543 return 0; 555 return MATCH_NONE;
544 if (methods[l] != ',' && methods[l] != '\0') 556 p = methods + l;
545 return 0; 557 match = MATCH_METHOD;
546 return 1; 558 if (*p == ':') {
559 if (!submethod)
560 return MATCH_PARTIAL;
561 l = strlen(submethod);
562 p += 1;
563 if (strncmp(submethod, p, l))
564 return MATCH_NONE;
565 p += l;
566 match = MATCH_BOTH;
567 }
568 if (*p != ',' && *p != '\0')
569 return MATCH_NONE;
570 return match;
547} 571}
548 572
549/* 573/*
@@ -552,14 +576,21 @@ list_starts_with(const char *methods, const char *method)
552 * if it did. 576 * if it did.
553 */ 577 */
554static int 578static int
555remove_method(char **methods, const char *method) 579remove_method(char **methods, const char *method, const char *submethod)
556{ 580{
557 char *omethods = *methods; 581 char *omethods = *methods, *p;
558 size_t l = strlen(method); 582 size_t l = strlen(method);
583 int match;
559 584
560 if (!list_starts_with(omethods, method)) 585 match = list_starts_with(omethods, method, submethod);
586 if (match != MATCH_METHOD && match != MATCH_BOTH)
561 return 0; 587 return 0;
562 *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); 588 p = omethods + l;
589 if (submethod && match == MATCH_BOTH)
590 p += 1 + strlen(submethod); /* include colon */
591 if (*p == ',')
592 p++;
593 *methods = xstrdup(p);
563 free(omethods); 594 free(omethods);
564 return 1; 595 return 1;
565} 596}
@@ -571,13 +602,15 @@ remove_method(char **methods, const char *method)
571 * Returns 1 if the method completed any authentication list or 0 otherwise. 602 * Returns 1 if the method completed any authentication list or 0 otherwise.
572 */ 603 */
573int 604int
574auth2_update_methods_lists(Authctxt *authctxt, const char *method) 605auth2_update_methods_lists(Authctxt *authctxt, const char *method,
606 const char *submethod)
575{ 607{
576 u_int i, found = 0; 608 u_int i, found = 0;
577 609
578 debug3("%s: updating methods list after \"%s\"", __func__, method); 610 debug3("%s: updating methods list after \"%s\"", __func__, method);
579 for (i = 0; i < authctxt->num_auth_methods; i++) { 611 for (i = 0; i < authctxt->num_auth_methods; i++) {
580 if (!remove_method(&(authctxt->auth_methods[i]), method)) 612 if (!remove_method(&(authctxt->auth_methods[i]), method,
613 submethod))
581 continue; 614 continue;
582 found = 1; 615 found = 1;
583 if (*authctxt->auth_methods[i] == '\0') { 616 if (*authctxt->auth_methods[i] == '\0') {
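Review bot: In auth2_methods_valid (new lines 480-481) the colon stripping, `if ((p = strchr(method, ':')) != NULL) *p = '\0';`, sits inside the inner loop over authmethods although it depends only on `method`, and the text after the colon is discarded without any check. As far as the hunk shows, a list entry with a misspelled submethod would therefore pass validation and later never reach MATCH_BOTH in list_starts_with(), leaving that methods list impossible to complete. Moving the two lines above the `for` and adding a comment such as `/* submethod is not validated here */` would make the behaviour explicit. The rest of auth2_methods_valid lies outside the hunk.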
diff --git a/authfd.c b/authfd.c
index f037e838b..775786bee 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */ 1/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -224,7 +224,7 @@ ssh_close_authentication_connection(AuthenticationConnection *auth)
224{ 224{
225 buffer_free(&auth->identities); 225 buffer_free(&auth->identities);
226 close(auth->fd); 226 close(auth->fd);
227 xfree(auth); 227 free(auth);
228} 228}
229 229
230/* Lock/unlock agent */ 230/* Lock/unlock agent */
@@ -343,7 +343,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
343 blob = buffer_get_string(&auth->identities, &blen); 343 blob = buffer_get_string(&auth->identities, &blen);
344 *comment = buffer_get_string(&auth->identities, NULL); 344 *comment = buffer_get_string(&auth->identities, NULL);
345 key = key_from_blob(blob, blen); 345 key = key_from_blob(blob, blen);
346 xfree(blob); 346 free(blob);
347 break; 347 break;
348 default: 348 default:
349 return NULL; 349 return NULL;
@@ -436,7 +436,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
436 buffer_put_string(&msg, blob, blen); 436 buffer_put_string(&msg, blob, blen);
437 buffer_put_string(&msg, data, datalen); 437 buffer_put_string(&msg, data, datalen);
438 buffer_put_int(&msg, flags); 438 buffer_put_int(&msg, flags);
439 xfree(blob); 439 free(blob);
440 440
441 if (ssh_request_reply(auth, &msg, &msg) == 0) { 441 if (ssh_request_reply(auth, &msg, &msg) == 0) {
442 buffer_free(&msg); 442 buffer_free(&msg);
@@ -612,7 +612,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
612 key_to_blob(key, &blob, &blen); 612 key_to_blob(key, &blob, &blen);
613 buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); 613 buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
614 buffer_put_string(&msg, blob, blen); 614 buffer_put_string(&msg, blob, blen);
615 xfree(blob); 615 free(blob);
616 } else { 616 } else {
617 buffer_free(&msg); 617 buffer_free(&msg);
618 return 0; 618 return 0;
diff --git a/authfile.c b/authfile.c
index 3544d170b..63ae16bbd 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: authfile.c,v 1.97 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -89,7 +89,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
89 u_char buf[100], *cp; 89 u_char buf[100], *cp;
90 int i, cipher_num; 90 int i, cipher_num;
91 CipherContext ciphercontext; 91 CipherContext ciphercontext;
92 Cipher *cipher; 92 const Cipher *cipher;
93 u_int32_t rnd; 93 u_int32_t rnd;
94 94
95 /* 95 /*
@@ -421,7 +421,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
421 Buffer decrypted; 421 Buffer decrypted;
422 u_char *cp; 422 u_char *cp;
423 CipherContext ciphercontext; 423 CipherContext ciphercontext;
424 Cipher *cipher; 424 const Cipher *cipher;
425 Key *prv = NULL; 425 Key *prv = NULL;
426 Buffer copy; 426 Buffer copy;
427 427
@@ -509,8 +509,8 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
509 return prv; 509 return prv;
510 510
511fail: 511fail:
512 if (commentp) 512 if (commentp != NULL)
513 xfree(*commentp); 513 free(*commentp);
514 key_free(prv); 514 key_free(prv);
515 return NULL; 515 return NULL;
516} 516}
@@ -832,10 +832,10 @@ key_load_cert(const char *filename)
832 pub = key_new(KEY_UNSPEC); 832 pub = key_new(KEY_UNSPEC);
833 xasprintf(&file, "%s-cert.pub", filename); 833 xasprintf(&file, "%s-cert.pub", filename);
834 if (key_try_load_public(pub, file, NULL) == 1) { 834 if (key_try_load_public(pub, file, NULL) == 1) {
835 xfree(file); 835 free(file);
836 return pub; 836 return pub;
837 } 837 }
838 xfree(file); 838 free(file);
839 key_free(pub); 839 key_free(pub);
840 return NULL; 840 return NULL;
841} 841}
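Review bot: At the `fail:` label of key_parse_private_rsa1 (new lines 512-513) `free(*commentp)` releases the comment but leaves the caller's pointer holding the freed address. Adding `*commentp = NULL;` after the free would make a later free or read by the caller harmless. Whether every path to `fail:` has already assigned `*commentp` cannot be checked here, because the function body starts outside the hunk.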
diff --git a/bufaux.c b/bufaux.c
index 00208ca27..de5b3ca1a 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufaux.c,v 1.50 2010/08/31 09:58:37 djm Exp $ */ 1/* $OpenBSD: bufaux.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -181,7 +181,7 @@ buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
181 /* Get the string. */ 181 /* Get the string. */
182 if (buffer_get_ret(buffer, value, len) == -1) { 182 if (buffer_get_ret(buffer, value, len) == -1) {
183 error("buffer_get_string_ret: buffer_get failed"); 183 error("buffer_get_string_ret: buffer_get failed");
184 xfree(value); 184 free(value);
185 return (NULL); 185 return (NULL);
186 } 186 }
187 /* Append a null character to make processing easier. */ 187 /* Append a null character to make processing easier. */
@@ -216,7 +216,7 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
216 error("buffer_get_cstring_ret: string contains \\0"); 216 error("buffer_get_cstring_ret: string contains \\0");
217 else { 217 else {
218 bzero(ret, length); 218 bzero(ret, length);
219 xfree(ret); 219 free(ret);
220 return NULL; 220 return NULL;
221 } 221 }
222 } 222 }
@@ -285,7 +285,7 @@ buffer_put_cstring(Buffer *buffer, const char *s)
285 * Returns a character from the buffer (0 - 255). 285 * Returns a character from the buffer (0 - 255).
286 */ 286 */
287int 287int
288buffer_get_char_ret(char *ret, Buffer *buffer) 288buffer_get_char_ret(u_char *ret, Buffer *buffer)
289{ 289{
290 if (buffer_get_ret(buffer, ret, 1) == -1) { 290 if (buffer_get_ret(buffer, ret, 1) == -1) {
291 error("buffer_get_char_ret: buffer_get_ret failed"); 291 error("buffer_get_char_ret: buffer_get_ret failed");
@@ -297,11 +297,11 @@ buffer_get_char_ret(char *ret, Buffer *buffer)
297int 297int
298buffer_get_char(Buffer *buffer) 298buffer_get_char(Buffer *buffer)
299{ 299{
300 char ch; 300 u_char ch;
301 301
302 if (buffer_get_char_ret(&ch, buffer) == -1) 302 if (buffer_get_char_ret(&ch, buffer) == -1)
303 fatal("buffer_get_char: buffer error"); 303 fatal("buffer_get_char: buffer error");
304 return (u_char) ch; 304 return ch;
305} 305}
306 306
307/* 307/*
diff --git a/bufbn.c b/bufbn.c
index 251cd0951..1fbfbbcc9 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/ 1/* $OpenBSD: bufbn.c,v 1.7 2013/05/17 00:13:13 djm Exp $*/
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -69,7 +69,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
69 if (oi != bin_size) { 69 if (oi != bin_size) {
70 error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d", 70 error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
71 oi, bin_size); 71 oi, bin_size);
72 xfree(buf); 72 free(buf);
73 return (-1); 73 return (-1);
74 } 74 }
75 75
@@ -80,7 +80,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
80 buffer_append(buffer, buf, oi); 80 buffer_append(buffer, buf, oi);
81 81
82 memset(buf, 0, bin_size); 82 memset(buf, 0, bin_size);
83 xfree(buf); 83 free(buf);
84 84
85 return (0); 85 return (0);
86} 86}
@@ -167,13 +167,13 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
167 if (oi < 0 || (u_int)oi != bytes - 1) { 167 if (oi < 0 || (u_int)oi != bytes - 1) {
168 error("buffer_put_bignum2_ret: BN_bn2bin() failed: " 168 error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
169 "oi %d != bin_size %d", oi, bytes); 169 "oi %d != bin_size %d", oi, bytes);
170 xfree(buf); 170 free(buf);
171 return (-1); 171 return (-1);
172 } 172 }
173 hasnohigh = (buf[1] & 0x80) ? 0 : 1; 173 hasnohigh = (buf[1] & 0x80) ? 0 : 1;
174 buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); 174 buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
175 memset(buf, 0, bytes); 175 memset(buf, 0, bytes);
176 xfree(buf); 176 free(buf);
177 return (0); 177 return (0);
178} 178}
179 179
@@ -197,21 +197,21 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
197 197
198 if (len > 0 && (bin[0] & 0x80)) { 198 if (len > 0 && (bin[0] & 0x80)) {
199 error("buffer_get_bignum2_ret: negative numbers not supported"); 199 error("buffer_get_bignum2_ret: negative numbers not supported");
200 xfree(bin); 200 free(bin);
201 return (-1); 201 return (-1);
202 } 202 }
203 if (len > 8 * 1024) { 203 if (len > 8 * 1024) {
204 error("buffer_get_bignum2_ret: cannot handle BN of size %d", 204 error("buffer_get_bignum2_ret: cannot handle BN of size %d",
205 len); 205 len);
206 xfree(bin); 206 free(bin);
207 return (-1); 207 return (-1);
208 } 208 }
209 if (BN_bin2bn(bin, len, value) == NULL) { 209 if (BN_bin2bn(bin, len, value) == NULL) {
210 error("buffer_get_bignum2_ret: BN_bin2bn failed"); 210 error("buffer_get_bignum2_ret: BN_bin2bn failed");
211 xfree(bin); 211 free(bin);
212 return (-1); 212 return (-1);
213 } 213 }
214 xfree(bin); 214 free(bin);
215 return (0); 215 return (0);
216} 216}
217 217
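Review bot: In buffer_get_bignum2_ret, `bin` is released with a bare `free(bin);` on all four paths (new lines 200-214) without being cleared, while both put-side functions in this file wipe their temporary with `memset(buf, 0, ...)` before freeing; if `bin` is a heap copy of the encoded bignum, as the free() calls suggest, key material can linger in freed memory. Clearing it before each free, e.g. `memset(bin, 0, len); free(bin);`, would make the get and put sides agree. Separately, a plain memset() or bzero() immediately before free() is a dead store that an optimizer may drop, so a non-elidable wipe such as `explicit_bzero(buf, bin_size);` is the safer call where the platform provides it; the same wipe-then-free pattern recurs in the bufec.c, buffer.c and cipher-*.c sections of this commit. The error paths at new lines 72 and 170 also free `buf` without wiping it. All of these function bodies start outside the visible hunks.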
diff --git a/bufec.c b/bufec.c
index 3dcb49477..6c0048978 100644
--- a/bufec.c
+++ b/bufec.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufec.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: bufec.c,v 1.2 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Damien Miller <djm@mindrot.org> 3 * Copyright (c) 2010 Damien Miller <djm@mindrot.org>
4 * 4 *
@@ -78,7 +78,7 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
78 out: 78 out:
79 if (buf != NULL) { 79 if (buf != NULL) {
80 bzero(buf, len); 80 bzero(buf, len);
81 xfree(buf); 81 free(buf);
82 } 82 }
83 BN_CTX_free(bnctx); 83 BN_CTX_free(bnctx);
84 return ret; 84 return ret;
@@ -131,7 +131,7 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
131 out: 131 out:
132 BN_CTX_free(bnctx); 132 BN_CTX_free(bnctx);
133 bzero(buf, len); 133 bzero(buf, len);
134 xfree(buf); 134 free(buf);
135 return ret; 135 return ret;
136} 136}
137 137
diff --git a/buffer.c b/buffer.c
index ae9700344..007e7f94e 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: buffer.c,v 1.32 2010/02/09 03:56:28 djm Exp $ */ 1/* $OpenBSD: buffer.c,v 1.33 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -50,7 +50,7 @@ buffer_free(Buffer *buffer)
50 if (buffer->alloc > 0) { 50 if (buffer->alloc > 0) {
51 memset(buffer->buf, 0, buffer->alloc); 51 memset(buffer->buf, 0, buffer->alloc);
52 buffer->alloc = 0; 52 buffer->alloc = 0;
53 xfree(buffer->buf); 53 free(buffer->buf);
54 } 54 }
55} 55}
56 56
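Review bot: buffer_free leaves `buffer->buf` pointing at the released allocation after `free(buffer->buf);` on new line 53. Setting `buffer->alloc = 0` keeps a second buffer_free call from freeing it again, but any other code that reads `buffer->buf` afterwards would touch freed memory. Adding `buffer->buf = NULL;` right after the free turns such a use into an immediate fault instead of silent heap reuse. The function's opening lines are outside the hunk, so any other state it resets is not visible here.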
diff --git a/buffer.h b/buffer.h
index e2a9dd100..4fa2ca112 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: buffer.h,v 1.21 2010/08/31 11:54:45 djm Exp $ */ 1/* $OpenBSD: buffer.h,v 1.22 2013/07/12 00:19:58 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -84,7 +84,7 @@ int buffer_get_int64_ret(u_int64_t *, Buffer *);
84void *buffer_get_string_ret(Buffer *, u_int *); 84void *buffer_get_string_ret(Buffer *, u_int *);
85char *buffer_get_cstring_ret(Buffer *, u_int *); 85char *buffer_get_cstring_ret(Buffer *, u_int *);
86void *buffer_get_string_ptr_ret(Buffer *, u_int *); 86void *buffer_get_string_ptr_ret(Buffer *, u_int *);
87int buffer_get_char_ret(char *, Buffer *); 87int buffer_get_char_ret(u_char *, Buffer *);
88 88
89#ifdef OPENSSL_HAS_ECC 89#ifdef OPENSSL_HAS_ECC
90#include <openssl/ec.h> 90#include <openssl/ec.h>
diff --git a/canohost.c b/canohost.c
index dabd8a31a..69e8e6f6d 100644
--- a/canohost.c
+++ b/canohost.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */ 1/* $OpenBSD: canohost.c,v 1.67 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -41,7 +41,7 @@ static int cached_port = -1;
41 41
42/* 42/*
43 * Return the canonical name of the host at the other end of the socket. The 43 * Return the canonical name of the host at the other end of the socket. The
44 * caller should free the returned string with xfree. 44 * caller should free the returned string.
45 */ 45 */
46 46
47static char * 47static char *
@@ -323,10 +323,8 @@ get_local_name(int fd)
323void 323void
324clear_cached_addr(void) 324clear_cached_addr(void)
325{ 325{
326 if (canonical_host_ip != NULL) { 326 free(canonical_host_ip);
327 xfree(canonical_host_ip); 327 canonical_host_ip = NULL;
328 canonical_host_ip = NULL;
329 }
330 cached_port = -1; 328 cached_port = -1;
331} 329}
332 330
diff --git a/channels.c b/channels.c
index 9cf85a38d..ac675c742 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ 1/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -213,6 +213,7 @@ channel_lookup(int id)
213 case SSH_CHANNEL_OPEN: 213 case SSH_CHANNEL_OPEN:
214 case SSH_CHANNEL_INPUT_DRAINING: 214 case SSH_CHANNEL_INPUT_DRAINING:
215 case SSH_CHANNEL_OUTPUT_DRAINING: 215 case SSH_CHANNEL_OUTPUT_DRAINING:
216 case SSH_CHANNEL_ABANDONED:
216 return (c); 217 return (c);
217 } 218 }
218 logit("Non-public channel %d, type %d.", id, c->type); 219 logit("Non-public channel %d, type %d.", id, c->type);
@@ -247,7 +248,10 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
247 248
248 if ((c->isatty = is_tty) != 0) 249 if ((c->isatty = is_tty) != 0)
249 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 250 debug2("channel %d: rfd %d isatty", c->self, c->rfd);
251#ifdef _AIX
252 /* XXX: Later AIX versions can't push as much data to tty */
250 c->wfd_isatty = is_tty || isatty(c->wfd); 253 c->wfd_isatty = is_tty || isatty(c->wfd);
254#endif
251 255
252 /* enable nonblocking mode */ 256 /* enable nonblocking mode */
253 if (nonblock) { 257 if (nonblock) {
@@ -401,7 +405,7 @@ channel_free(Channel *c)
401 405
402 s = channel_open_message(); 406 s = channel_open_message();
403 debug3("channel %d: status: %s", c->self, s); 407 debug3("channel %d: status: %s", c->self, s);
404 xfree(s); 408 free(s);
405 409
406 if (c->sock != -1) 410 if (c->sock != -1)
407 shutdown(c->sock, SHUT_RDWR); 411 shutdown(c->sock, SHUT_RDWR);
@@ -409,29 +413,23 @@ channel_free(Channel *c)
409 buffer_free(&c->input); 413 buffer_free(&c->input);
410 buffer_free(&c->output); 414 buffer_free(&c->output);
411 buffer_free(&c->extended); 415 buffer_free(&c->extended);
412 if (c->remote_name) { 416 free(c->remote_name);
413 xfree(c->remote_name); 417 c->remote_name = NULL;
414 c->remote_name = NULL; 418 free(c->path);
415 } 419 c->path = NULL;
416 if (c->path) { 420 free(c->listening_addr);
417 xfree(c->path); 421 c->listening_addr = NULL;
418 c->path = NULL;
419 }
420 if (c->listening_addr) {
421 xfree(c->listening_addr);
422 c->listening_addr = NULL;
423 }
424 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 422 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
425 if (cc->abandon_cb != NULL) 423 if (cc->abandon_cb != NULL)
426 cc->abandon_cb(c, cc->ctx); 424 cc->abandon_cb(c, cc->ctx);
427 TAILQ_REMOVE(&c->status_confirms, cc, entry); 425 TAILQ_REMOVE(&c->status_confirms, cc, entry);
428 bzero(cc, sizeof(*cc)); 426 bzero(cc, sizeof(*cc));
429 xfree(cc); 427 free(cc);
430 } 428 }
431 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 429 if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
432 c->filter_cleanup(c->self, c->filter_ctx); 430 c->filter_cleanup(c->self, c->filter_ctx);
433 channels[c->self] = NULL; 431 channels[c->self] = NULL;
434 xfree(c); 432 free(c);
435} 433}
436 434
437void 435void
@@ -536,6 +534,7 @@ channel_still_open(void)
536 case SSH_CHANNEL_DYNAMIC: 534 case SSH_CHANNEL_DYNAMIC:
537 case SSH_CHANNEL_CONNECTING: 535 case SSH_CHANNEL_CONNECTING:
538 case SSH_CHANNEL_ZOMBIE: 536 case SSH_CHANNEL_ZOMBIE:
537 case SSH_CHANNEL_ABANDONED:
539 continue; 538 continue;
540 case SSH_CHANNEL_LARVAL: 539 case SSH_CHANNEL_LARVAL:
541 if (!compat20) 540 if (!compat20)
@@ -581,6 +580,7 @@ channel_find_open(void)
581 case SSH_CHANNEL_OPENING: 580 case SSH_CHANNEL_OPENING:
582 case SSH_CHANNEL_CONNECTING: 581 case SSH_CHANNEL_CONNECTING:
583 case SSH_CHANNEL_ZOMBIE: 582 case SSH_CHANNEL_ZOMBIE:
583 case SSH_CHANNEL_ABANDONED:
584 continue; 584 continue;
585 case SSH_CHANNEL_LARVAL: 585 case SSH_CHANNEL_LARVAL:
586 case SSH_CHANNEL_AUTH_SOCKET: 586 case SSH_CHANNEL_AUTH_SOCKET:
@@ -628,6 +628,7 @@ channel_open_message(void)
628 case SSH_CHANNEL_CLOSED: 628 case SSH_CHANNEL_CLOSED:
629 case SSH_CHANNEL_AUTH_SOCKET: 629 case SSH_CHANNEL_AUTH_SOCKET:
630 case SSH_CHANNEL_ZOMBIE: 630 case SSH_CHANNEL_ZOMBIE:
631 case SSH_CHANNEL_ABANDONED:
631 case SSH_CHANNEL_MUX_CLIENT: 632 case SSH_CHANNEL_MUX_CLIENT:
632 case SSH_CHANNEL_MUX_LISTENER: 633 case SSH_CHANNEL_MUX_LISTENER:
633 continue; 634 continue;
@@ -1080,10 +1081,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
1080 strlcpy(username, p, sizeof(username)); 1081 strlcpy(username, p, sizeof(username));
1081 buffer_consume(&c->input, len); 1082 buffer_consume(&c->input, len);
1082 1083
1083 if (c->path != NULL) { 1084 free(c->path);
1084 xfree(c->path); 1085 c->path = NULL;
1085 c->path = NULL;
1086 }
1087 if (need == 1) { /* SOCKS4: one string */ 1086 if (need == 1) { /* SOCKS4: one string */
1088 host = inet_ntoa(s4_req.dest_addr); 1087 host = inet_ntoa(s4_req.dest_addr);
1089 c->path = xstrdup(host); 1088 c->path = xstrdup(host);
@@ -1143,7 +1142,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1143 u_int8_t atyp; 1142 u_int8_t atyp;
1144 } s5_req, s5_rsp; 1143 } s5_req, s5_rsp;
1145 u_int16_t dest_port; 1144 u_int16_t dest_port;
1146 u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1145 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1146 u_char *p;
1147 u_int have, need, i, found, nmethods, addrlen, af; 1147 u_int have, need, i, found, nmethods, addrlen, af;
1148 1148
1149 debug2("channel %d: decode socks5", c->self); 1149 debug2("channel %d: decode socks5", c->self);
@@ -1213,13 +1213,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1213 buffer_consume(&c->input, sizeof(s5_req)); 1213 buffer_consume(&c->input, sizeof(s5_req));
1214 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1214 if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1215 buffer_consume(&c->input, 1); /* host string length */ 1215 buffer_consume(&c->input, 1); /* host string length */
1216 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1216 buffer_get(&c->input, &dest_addr, addrlen);
1217 buffer_get(&c->input, (char *)&dest_port, 2); 1217 buffer_get(&c->input, (char *)&dest_port, 2);
1218 dest_addr[addrlen] = '\0'; 1218 dest_addr[addrlen] = '\0';
1219 if (c->path != NULL) { 1219 free(c->path);
1220 xfree(c->path); 1220 c->path = NULL;
1221 c->path = NULL;
1222 }
1223 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1221 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1224 if (addrlen >= NI_MAXHOST) { 1222 if (addrlen >= NI_MAXHOST) {
1225 error("channel %d: dynamic request: socks5 hostname " 1223 error("channel %d: dynamic request: socks5 hostname "
@@ -1241,11 +1239,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1241 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1239 s5_rsp.command = SSH_SOCKS5_SUCCESS;
1242 s5_rsp.reserved = 0; /* ignored */ 1240 s5_rsp.reserved = 0; /* ignored */
1243 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1241 s5_rsp.atyp = SSH_SOCKS5_IPV4;
1244 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
1245 dest_port = 0; /* ignored */ 1242 dest_port = 0; /* ignored */
1246 1243
1247 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1244 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
1248 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1245 buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */
1249 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1246 buffer_append(&c->output, &dest_port, sizeof(dest_port));
1250 return 1; 1247 return 1;
1251} 1248}
@@ -1324,7 +1321,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1324{ 1321{
1325 Channel *nc; 1322 Channel *nc;
1326 struct sockaddr_storage addr; 1323 struct sockaddr_storage addr;
1327 int newsock; 1324 int newsock, oerrno;
1328 socklen_t addrlen; 1325 socklen_t addrlen;
1329 char buf[16384], *remote_ipaddr; 1326 char buf[16384], *remote_ipaddr;
1330 int remote_port; 1327 int remote_port;
@@ -1334,14 +1331,18 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1334 addrlen = sizeof(addr); 1331 addrlen = sizeof(addr);
1335 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1332 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1336 if (c->single_connection) { 1333 if (c->single_connection) {
1334 oerrno = errno;
1337 debug2("single_connection: closing X11 listener."); 1335 debug2("single_connection: closing X11 listener.");
1338 channel_close_fd(&c->sock); 1336 channel_close_fd(&c->sock);
1339 chan_mark_dead(c); 1337 chan_mark_dead(c);
1338 errno = oerrno;
1340 } 1339 }
1341 if (newsock < 0) { 1340 if (newsock < 0) {
1342 error("accept: %.100s", strerror(errno)); 1341 if (errno != EINTR && errno != EWOULDBLOCK &&
1342 errno != ECONNABORTED)
1343 error("accept: %.100s", strerror(errno));
1343 if (errno == EMFILE || errno == ENFILE) 1344 if (errno == EMFILE || errno == ENFILE)
1344 c->notbefore = time(NULL) + 1; 1345 c->notbefore = monotime() + 1;
1345 return; 1346 return;
1346 } 1347 }
1347 set_nodelay(newsock); 1348 set_nodelay(newsock);
@@ -1375,7 +1376,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1375 packet_put_cstring(buf); 1376 packet_put_cstring(buf);
1376 packet_send(); 1377 packet_send();
1377 } 1378 }
1378 xfree(remote_ipaddr); 1379 free(remote_ipaddr);
1379 } 1380 }
1380} 1381}
1381 1382
@@ -1389,7 +1390,7 @@ port_open_helper(Channel *c, char *rtype)
1389 1390
1390 if (remote_port == -1) { 1391 if (remote_port == -1) {
1391 /* Fake addr/port to appease peers that validate it (Tectia) */ 1392 /* Fake addr/port to appease peers that validate it (Tectia) */
1392 xfree(remote_ipaddr); 1393 free(remote_ipaddr);
1393 remote_ipaddr = xstrdup("127.0.0.1"); 1394 remote_ipaddr = xstrdup("127.0.0.1");
1394 remote_port = 65535; 1395 remote_port = 65535;
1395 } 1396 }
@@ -1402,7 +1403,7 @@ port_open_helper(Channel *c, char *rtype)
1402 rtype, c->listening_port, c->path, c->host_port, 1403 rtype, c->listening_port, c->path, c->host_port,
1403 remote_ipaddr, remote_port); 1404 remote_ipaddr, remote_port);
1404 1405
1405 xfree(c->remote_name); 1406 free(c->remote_name);
1406 c->remote_name = xstrdup(buf); 1407 c->remote_name = xstrdup(buf);
1407 1408
1408 if (compat20) { 1409 if (compat20) {
@@ -1434,7 +1435,7 @@ port_open_helper(Channel *c, char *rtype)
1434 packet_put_cstring(c->remote_name); 1435 packet_put_cstring(c->remote_name);
1435 packet_send(); 1436 packet_send();
1436 } 1437 }
1437 xfree(remote_ipaddr); 1438 free(remote_ipaddr);
1438} 1439}
1439 1440
1440static void 1441static void
@@ -1484,9 +1485,11 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
1484 addrlen = sizeof(addr); 1485 addrlen = sizeof(addr);
1485 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1486 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1486 if (newsock < 0) { 1487 if (newsock < 0) {
1487 error("accept: %.100s", strerror(errno)); 1488 if (errno != EINTR && errno != EWOULDBLOCK &&
1489 errno != ECONNABORTED)
1490 error("accept: %.100s", strerror(errno));
1488 if (errno == EMFILE || errno == ENFILE) 1491 if (errno == EMFILE || errno == ENFILE)
1489 c->notbefore = time(NULL) + 1; 1492 c->notbefore = monotime() + 1;
1490 return; 1493 return;
1491 } 1494 }
1492 set_nodelay(newsock); 1495 set_nodelay(newsock);
@@ -1522,7 +1525,7 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
1522 error("accept from auth socket: %.100s", 1525 error("accept from auth socket: %.100s",
1523 strerror(errno)); 1526 strerror(errno));
1524 if (errno == EMFILE || errno == ENFILE) 1527 if (errno == EMFILE || errno == ENFILE)
1525 c->notbefore = time(NULL) + 1; 1528 c->notbefore = monotime() + 1;
1526 return; 1529 return;
1527 } 1530 }
1528 nc = channel_new("accepted auth socket", 1531 nc = channel_new("accepted auth socket",
@@ -1685,7 +1688,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
1685 if (c->datagram) { 1688 if (c->datagram) {
1686 /* ignore truncated writes, datagrams might get lost */ 1689 /* ignore truncated writes, datagrams might get lost */
1687 len = write(c->wfd, buf, dlen); 1690 len = write(c->wfd, buf, dlen);
1688 xfree(data); 1691 free(data);
1689 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1692 if (len < 0 && (errno == EINTR || errno == EAGAIN ||
1690 errno == EWOULDBLOCK)) 1693 errno == EWOULDBLOCK))
1691 return 1; 1694 return 1;
@@ -1926,7 +1929,7 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset)
1926 &addrlen)) == -1) { 1929 &addrlen)) == -1) {
1927 error("%s accept: %s", __func__, strerror(errno)); 1930 error("%s accept: %s", __func__, strerror(errno));
1928 if (errno == EMFILE || errno == ENFILE) 1931 if (errno == EMFILE || errno == ENFILE)
1929 c->notbefore = time(NULL) + 1; 1932 c->notbefore = monotime() + 1;
1930 return; 1933 return;
1931 } 1934 }
1932 1935
@@ -2089,7 +2092,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset,
2089 channel_handler_init(); 2092 channel_handler_init();
2090 did_init = 1; 2093 did_init = 1;
2091 } 2094 }
2092 now = time(NULL); 2095 now = monotime();
2093 if (unpause_secs != NULL) 2096 if (unpause_secs != NULL)
2094 *unpause_secs = 0; 2097 *unpause_secs = 0;
2095 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2098 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) {
@@ -2219,7 +2222,7 @@ channel_output_poll(void)
2219 debug("channel %d: datagram " 2222 debug("channel %d: datagram "
2220 "too big for channel", 2223 "too big for channel",
2221 c->self); 2224 c->self);
2222 xfree(data); 2225 free(data);
2223 continue; 2226 continue;
2224 } 2227 }
2225 packet_start(SSH2_MSG_CHANNEL_DATA); 2228 packet_start(SSH2_MSG_CHANNEL_DATA);
@@ -2227,7 +2230,7 @@ channel_output_poll(void)
2227 packet_put_string(data, dlen); 2230 packet_put_string(data, dlen);
2228 packet_send(); 2231 packet_send();
2229 c->remote_window -= dlen + 4; 2232 c->remote_window -= dlen + 4;
2230 xfree(data); 2233 free(data);
2231 } 2234 }
2232 continue; 2235 continue;
2233 } 2236 }
@@ -2399,13 +2402,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
2399 if (data_len > c->local_window) { 2402 if (data_len > c->local_window) {
2400 logit("channel %d: rcvd too much extended_data %d, win %d", 2403 logit("channel %d: rcvd too much extended_data %d, win %d",
2401 c->self, data_len, c->local_window); 2404 c->self, data_len, c->local_window);
2402 xfree(data); 2405 free(data);
2403 return; 2406 return;
2404 } 2407 }
2405 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2408 debug2("channel %d: rcvd ext data %d", c->self, data_len);
2406 c->local_window -= data_len; 2409 c->local_window -= data_len;
2407 buffer_append(&c->extended, data, data_len); 2410 buffer_append(&c->extended, data, data_len);
2408 xfree(data); 2411 free(data);
2409} 2412}
2410 2413
2411/* ARGSUSED */ 2414/* ARGSUSED */
@@ -2495,7 +2498,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
2495 if (c == NULL) 2498 if (c == NULL)
2496 packet_disconnect("Received close confirmation for " 2499 packet_disconnect("Received close confirmation for "
2497 "out-of-range channel %d.", id); 2500 "out-of-range channel %d.", id);
2498 if (c->type != SSH_CHANNEL_CLOSED) 2501 if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED)
2499 packet_disconnect("Received close confirmation for " 2502 packet_disconnect("Received close confirmation for "
2500 "non-closed channel %d (type %d).", id, c->type); 2503 "non-closed channel %d (type %d).", id, c->type);
2501 channel_free(c); 2504 channel_free(c);
@@ -2571,10 +2574,8 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
2571 } 2574 }
2572 logit("channel %d: open failed: %s%s%s", id, 2575 logit("channel %d: open failed: %s%s%s", id,
2573 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2576 reason2txt(reason), msg ? ": ": "", msg ? msg : "");
2574 if (msg != NULL) 2577 free(msg);
2575 xfree(msg); 2578 free(lang);
2576 if (lang != NULL)
2577 xfree(lang);
2578 if (c->open_confirm) { 2579 if (c->open_confirm) {
2579 debug2("callback start"); 2580 debug2("callback start");
2580 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2581 c->open_confirm(c->self, 0, c->open_confirm_ctx);
@@ -2632,8 +2633,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
2632 packet_check_eom(); 2633 packet_check_eom();
2633 c = channel_connect_to(host, host_port, 2634 c = channel_connect_to(host, host_port,
2634 "connected socket", originator_string); 2635 "connected socket", originator_string);
2635 xfree(originator_string); 2636 free(originator_string);
2636 xfree(host); 2637 free(host);
2637 if (c == NULL) { 2638 if (c == NULL) {
2638 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2639 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2639 packet_put_int(remote_id); 2640 packet_put_int(remote_id);
@@ -2668,7 +2669,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
2668 cc->cb(type, c, cc->ctx); 2669 cc->cb(type, c, cc->ctx);
2669 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2670 TAILQ_REMOVE(&c->status_confirms, cc, entry);
2670 bzero(cc, sizeof(*cc)); 2671 bzero(cc, sizeof(*cc));
2671 xfree(cc); 2672 free(cc);
2672} 2673}
2673 2674
2674/* -- tcp forwarding */ 2675/* -- tcp forwarding */
@@ -3048,7 +3049,7 @@ channel_request_rforward_cancel(const char *host, u_short port)
3048 3049
3049 permitted_opens[i].listen_port = 0; 3050 permitted_opens[i].listen_port = 0;
3050 permitted_opens[i].port_to_connect = 0; 3051 permitted_opens[i].port_to_connect = 0;
3051 xfree(permitted_opens[i].host_to_connect); 3052 free(permitted_opens[i].host_to_connect);
3052 permitted_opens[i].host_to_connect = NULL; 3053 permitted_opens[i].host_to_connect = NULL;
3053 3054
3054 return 0; 3055 return 0;
@@ -3089,7 +3090,7 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
3089 host_port, gateway_ports); 3090 host_port, gateway_ports);
3090 3091
3091 /* Free the argument string. */ 3092 /* Free the argument string. */
3092 xfree(hostname); 3093 free(hostname);
3093 3094
3094 return (success ? 0 : -1); 3095 return (success ? 0 : -1);
3095} 3096}
@@ -3144,7 +3145,7 @@ channel_update_permitted_opens(int idx, int newport)
3144 } else { 3145 } else {
3145 permitted_opens[idx].listen_port = 0; 3146 permitted_opens[idx].listen_port = 0;
3146 permitted_opens[idx].port_to_connect = 0; 3147 permitted_opens[idx].port_to_connect = 0;
3147 xfree(permitted_opens[idx].host_to_connect); 3148 free(permitted_opens[idx].host_to_connect);
3148 permitted_opens[idx].host_to_connect = NULL; 3149 permitted_opens[idx].host_to_connect = NULL;
3149 } 3150 }
3150} 3151}
@@ -3177,12 +3178,9 @@ channel_clear_permitted_opens(void)
3177 int i; 3178 int i;
3178 3179
3179 for (i = 0; i < num_permitted_opens; i++) 3180 for (i = 0; i < num_permitted_opens; i++)
3180 if (permitted_opens[i].host_to_connect != NULL) 3181 free(permitted_opens[i].host_to_connect);
3181 xfree(permitted_opens[i].host_to_connect); 3182 free(permitted_opens);
3182 if (num_permitted_opens > 0) { 3183 permitted_opens = NULL;
3183 xfree(permitted_opens);
3184 permitted_opens = NULL;
3185 }
3186 num_permitted_opens = 0; 3184 num_permitted_opens = 0;
3187} 3185}
3188 3186
@@ -3192,12 +3190,9 @@ channel_clear_adm_permitted_opens(void)
3192 int i; 3190 int i;
3193 3191
3194 for (i = 0; i < num_adm_permitted_opens; i++) 3192 for (i = 0; i < num_adm_permitted_opens; i++)
3195 if (permitted_adm_opens[i].host_to_connect != NULL) 3193 free(permitted_adm_opens[i].host_to_connect);
3196 xfree(permitted_adm_opens[i].host_to_connect); 3194 free(permitted_adm_opens);
3197 if (num_adm_permitted_opens > 0) { 3195 permitted_adm_opens = NULL;
3198 xfree(permitted_adm_opens);
3199 permitted_adm_opens = NULL;
3200 }
3201 num_adm_permitted_opens = 0; 3196 num_adm_permitted_opens = 0;
3202} 3197}
3203 3198
@@ -3291,7 +3286,7 @@ connect_next(struct channel_connect *cctx)
3291static void 3286static void
3292channel_connect_ctx_free(struct channel_connect *cctx) 3287channel_connect_ctx_free(struct channel_connect *cctx)
3293{ 3288{
3294 xfree(cctx->host); 3289 free(cctx->host);
3295 if (cctx->aitop) 3290 if (cctx->aitop)
3296 freeaddrinfo(cctx->aitop); 3291 freeaddrinfo(cctx->aitop);
3297 bzero(cctx, sizeof(*cctx)); 3292 bzero(cctx, sizeof(*cctx));
@@ -3686,7 +3681,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
3686 c->remote_id = remote_id; 3681 c->remote_id = remote_id;
3687 c->force_drain = 1; 3682 c->force_drain = 1;
3688 } 3683 }
3689 xfree(remote_host); 3684 free(remote_host);
3690 if (c == NULL) { 3685 if (c == NULL) {
3691 /* Send refusal to the remote host. */ 3686 /* Send refusal to the remote host. */
3692 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3687 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
@@ -3794,7 +3789,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
3794 packet_put_int(screen_number); 3789 packet_put_int(screen_number);
3795 packet_send(); 3790 packet_send();
3796 packet_write_wait(); 3791 packet_write_wait();
3797 xfree(new_data); 3792 free(new_data);
3798} 3793}
3799 3794
3800 3795
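Review bot: The accept() failure branches in channel_post_auth_listener (new lines 1525-1529) and channel_post_mux_listener (new lines 1929-1933) still call error() for every errno, while this commit suppresses the log for EINTR, EWOULDBLOCK and ECONNABORTED in channel_post_x11_listener and channel_post_port_listener. Those values are transient conditions, and ECONNABORTED can simply mean the client went away before accept() ran, so the two unfiltered listeners keep the log noise the other two just lost. The same guard applies unchanged: `if (errno != EINTR && errno != EWOULDBLOCK && errno != ECONNABORTED)` in front of each `error(...)` call. All four functions begin and end outside their hunks, so whether the auth and mux paths were left out deliberately cannot be told from here.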
diff --git a/channels.h b/channels.h
index d75b800f7..4fab9d7c4 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */ 1/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -55,7 +55,8 @@
55#define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */ 55#define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */
56#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */ 56#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */
57#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */ 57#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
58#define SSH_CHANNEL_MAX_TYPE 17 58#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
59#define SSH_CHANNEL_MAX_TYPE 18
59 60
60#define CHANNEL_CANCEL_PORT_STATIC -1 61#define CHANNEL_CANCEL_PORT_STATIC -1
61 62
@@ -102,7 +103,9 @@ struct Channel {
102 int sock; /* sock fd */ 103 int sock; /* sock fd */
103 int ctl_chan; /* control channel (multiplexed connections) */ 104 int ctl_chan; /* control channel (multiplexed connections) */
104 int isatty; /* rfd is a tty */ 105 int isatty; /* rfd is a tty */
106#ifdef _AIX
105 int wfd_isatty; /* wfd is a tty */ 107 int wfd_isatty; /* wfd is a tty */
108#endif
106 int client_tty; /* (client) TTY has been requested */ 109 int client_tty; /* (client) TTY has been requested */
107 int force_drain; /* force close on iEOF */ 110 int force_drain; /* force close on iEOF */
108 time_t notbefore; /* Pause IO until deadline (time_t) */ 111 time_t notbefore; /* Pause IO until deadline (time_t) */
@@ -110,7 +113,7 @@ struct Channel {
110 * channels are delayed until the first call 113 * channels are delayed until the first call
111 * to a matching pre-select handler. 114 * to a matching pre-select handler.
112 * this way post-select handlers are not 115 * this way post-select handlers are not
113 * accidenly called if a FD gets reused */ 116 * accidentally called if a FD gets reused */
114 Buffer input; /* data read from socket, to be sent over 117 Buffer input; /* data read from socket, to be sent over
115 * encrypted connection */ 118 * encrypted connection */
116 Buffer output; /* data received over encrypted connection for 119 Buffer output; /* data received over encrypted connection for
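Review bot: The comment on `notbefore` at new line 111 still reads `/* Pause IO until deadline (time_t) */`, but the channels.c part of this commit now assigns `monotime() + 1` to it and channel_handler takes `now = monotime()`, so the field apparently no longer holds wall-clock time. I would reword it to `/* Pause IO until deadline (monotime() value, not wall clock) */` so that nobody later compares it with time(NULL). A one-line comment next to `SSH_CHANNEL_MAX_TYPE` would also help: anything sized or indexed by it needs to account for the new `SSH_CHANNEL_ABANDONED` value, and no such table is visible in this section.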
diff --git a/cipher-3des1.c b/cipher-3des1.c
index b7aa588cd..c8a70244b 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher-3des1.c,v 1.7 2010/10/01 23:05:32 djm Exp $ */ 1/* $OpenBSD: cipher-3des1.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2003 Markus Friedl. All rights reserved. 3 * Copyright (c) 2003 Markus Friedl. All rights reserved.
4 * 4 *
@@ -94,7 +94,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
94 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || 94 EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
95 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { 95 EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
96 memset(c, 0, sizeof(*c)); 96 memset(c, 0, sizeof(*c));
97 xfree(c); 97 free(c);
98 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 98 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
99 return (0); 99 return (0);
100 } 100 }
@@ -135,7 +135,7 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
135 EVP_CIPHER_CTX_cleanup(&c->k2); 135 EVP_CIPHER_CTX_cleanup(&c->k2);
136 EVP_CIPHER_CTX_cleanup(&c->k3); 136 EVP_CIPHER_CTX_cleanup(&c->k3);
137 memset(c, 0, sizeof(*c)); 137 memset(c, 0, sizeof(*c));
138 xfree(c); 138 free(c);
139 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 139 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
140 } 140 }
141 return (1); 141 return (1);
diff --git a/cipher-aes.c b/cipher-aes.c
index 07ec7aa5d..8b1017272 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -120,7 +120,7 @@ ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
120 120
121 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 121 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
122 memset(c, 0, sizeof(*c)); 122 memset(c, 0, sizeof(*c));
123 xfree(c); 123 free(c);
124 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 124 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
125 } 125 }
126 return (1); 126 return (1);
diff --git a/cipher-ctr.c b/cipher-ctr.c
index d1fe69f57..ea0f9b3b7 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -104,7 +104,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
104 104
105 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { 105 if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
106 memset(c, 0, sizeof(*c)); 106 memset(c, 0, sizeof(*c));
107 xfree(c); 107 free(c);
108 EVP_CIPHER_CTX_set_app_data(ctx, NULL); 108 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
109 } 109 }
110 return (1); 110 return (1);
diff --git a/cipher.c b/cipher.c
index 9ca1d0065..a2cbe2bea 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ 1/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -65,7 +65,9 @@ struct Cipher {
65 u_int discard_len; 65 u_int discard_len;
66 u_int cbc_mode; 66 u_int cbc_mode;
67 const EVP_CIPHER *(*evptype)(void); 67 const EVP_CIPHER *(*evptype)(void);
68} ciphers[] = { 68};
69
70static const struct Cipher ciphers[] = {
69 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, 71 { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
70 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, 72 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
71 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, 73 { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
@@ -98,6 +100,27 @@ struct Cipher {
98 100
99/*--*/ 101/*--*/
100 102
103/* Returns a comma-separated list of supported ciphers. */
104char *
105cipher_alg_list(void)
106{
107 char *ret = NULL;
108 size_t nlen, rlen = 0;
109 const Cipher *c;
110
111 for (c = ciphers; c->name != NULL; c++) {
112 if (c->number != SSH_CIPHER_SSH2)
113 continue;
114 if (ret != NULL)
115 ret[rlen++] = '\n';
116 nlen = strlen(c->name);
117 ret = xrealloc(ret, 1, rlen + nlen + 2);
118 memcpy(ret + rlen, c->name, nlen + 1);
119 rlen += nlen;
120 }
121 return ret;
122}
123
101u_int 124u_int
102cipher_blocksize(const Cipher *c) 125cipher_blocksize(const Cipher *c)
103{ 126{
@@ -146,20 +169,20 @@ cipher_mask_ssh1(int client)
146 return mask; 169 return mask;
147} 170}
148 171
149Cipher * 172const Cipher *
150cipher_by_name(const char *name) 173cipher_by_name(const char *name)
151{ 174{
152 Cipher *c; 175 const Cipher *c;
153 for (c = ciphers; c->name != NULL; c++) 176 for (c = ciphers; c->name != NULL; c++)
154 if (strcmp(c->name, name) == 0) 177 if (strcmp(c->name, name) == 0)
155 return c; 178 return c;
156 return NULL; 179 return NULL;
157} 180}
158 181
159Cipher * 182const Cipher *
160cipher_by_number(int id) 183cipher_by_number(int id)
161{ 184{
162 Cipher *c; 185 const Cipher *c;
163 for (c = ciphers; c->name != NULL; c++) 186 for (c = ciphers; c->name != NULL; c++)
164 if (c->number == id) 187 if (c->number == id)
165 return c; 188 return c;
@@ -170,7 +193,7 @@ cipher_by_number(int id)
170int 193int
171ciphers_valid(const char *names) 194ciphers_valid(const char *names)
172{ 195{
173 Cipher *c; 196 const Cipher *c;
174 char *cipher_list, *cp; 197 char *cipher_list, *cp;
175 char *p; 198 char *p;
176 199
@@ -182,14 +205,14 @@ ciphers_valid(const char *names)
182 c = cipher_by_name(p); 205 c = cipher_by_name(p);
183 if (c == NULL || c->number != SSH_CIPHER_SSH2) { 206 if (c == NULL || c->number != SSH_CIPHER_SSH2) {
184 debug("bad cipher %s [%s]", p, names); 207 debug("bad cipher %s [%s]", p, names);
185 xfree(cipher_list); 208 free(cipher_list);
186 return 0; 209 return 0;
187 } else { 210 } else {
188 debug3("cipher ok: %s [%s]", p, names); 211 debug3("cipher ok: %s [%s]", p, names);
189 } 212 }
190 } 213 }
191 debug3("ciphers ok: [%s]", names); 214 debug3("ciphers ok: [%s]", names);
192 xfree(cipher_list); 215 free(cipher_list);
193 return 1; 216 return 1;
194} 217}
195 218
@@ -201,7 +224,7 @@ ciphers_valid(const char *names)
201int 224int
202cipher_number(const char *name) 225cipher_number(const char *name)
203{ 226{
204 Cipher *c; 227 const Cipher *c;
205 if (name == NULL) 228 if (name == NULL)
206 return -1; 229 return -1;
207 for (c = ciphers; c->name != NULL; c++) 230 for (c = ciphers; c->name != NULL; c++)
@@ -213,12 +236,12 @@ cipher_number(const char *name)
213char * 236char *
214cipher_name(int id) 237cipher_name(int id)
215{ 238{
216 Cipher *c = cipher_by_number(id); 239 const Cipher *c = cipher_by_number(id);
217 return (c==NULL) ? "<unknown>" : c->name; 240 return (c==NULL) ? "<unknown>" : c->name;
218} 241}
219 242
220void 243void
221cipher_init(CipherContext *cc, Cipher *cipher, 244cipher_init(CipherContext *cc, const Cipher *cipher,
222 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, 245 const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
223 int do_encrypt) 246 int do_encrypt)
224{ 247{
@@ -291,8 +314,8 @@ cipher_init(CipherContext *cc, Cipher *cipher,
291 cipher->discard_len) == 0) 314 cipher->discard_len) == 0)
292 fatal("evp_crypt: EVP_Cipher failed during discard"); 315 fatal("evp_crypt: EVP_Cipher failed during discard");
293 memset(discard, 0, cipher->discard_len); 316 memset(discard, 0, cipher->discard_len);
294 xfree(junk); 317 free(junk);
295 xfree(discard); 318 free(discard);
296 } 319 }
297} 320}
298 321
@@ -364,7 +387,7 @@ cipher_cleanup(CipherContext *cc)
364 */ 387 */
365 388
366void 389void
367cipher_set_key_string(CipherContext *cc, Cipher *cipher, 390cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
368 const char *passphrase, int do_encrypt) 391 const char *passphrase, int do_encrypt)
369{ 392{
370 MD5_CTX md; 393 MD5_CTX md;
@@ -389,7 +412,7 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher,
389int 412int
390cipher_get_keyiv_len(const CipherContext *cc) 413cipher_get_keyiv_len(const CipherContext *cc)
391{ 414{
392 Cipher *c = cc->cipher; 415 const Cipher *c = cc->cipher;
393 int ivlen; 416 int ivlen;
394 417
395 if (c->number == SSH_CIPHER_3DES) 418 if (c->number == SSH_CIPHER_3DES)
@@ -402,7 +425,7 @@ cipher_get_keyiv_len(const CipherContext *cc)
402void 425void
403cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) 426cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
404{ 427{
405 Cipher *c = cc->cipher; 428 const Cipher *c = cc->cipher;
406 int evplen; 429 int evplen;
407 430
408 switch (c->number) { 431 switch (c->number) {
@@ -438,7 +461,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
438void 461void
439cipher_set_keyiv(CipherContext *cc, u_char *iv) 462cipher_set_keyiv(CipherContext *cc, u_char *iv)
440{ 463{
441 Cipher *c = cc->cipher; 464 const Cipher *c = cc->cipher;
442 int evplen = 0; 465 int evplen = 0;
443 466
444 switch (c->number) { 467 switch (c->number) {
@@ -471,7 +494,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
471int 494int
472cipher_get_keycontext(const CipherContext *cc, u_char *dat) 495cipher_get_keycontext(const CipherContext *cc, u_char *dat)
473{ 496{
474 Cipher *c = cc->cipher; 497 const Cipher *c = cc->cipher;
475 int plen = 0; 498 int plen = 0;
476 499
477 if (c->evptype == EVP_rc4) { 500 if (c->evptype == EVP_rc4) {
@@ -486,7 +509,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat)
486void 509void
487cipher_set_keycontext(CipherContext *cc, u_char *dat) 510cipher_set_keycontext(CipherContext *cc, u_char *dat)
488{ 511{
489 Cipher *c = cc->cipher; 512 const Cipher *c = cc->cipher;
490 int plen; 513 int plen;
491 514
492 if (c->evptype == EVP_rc4) { 515 if (c->evptype == EVP_rc4) {
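Review bot: The comment on the new cipher_alg_list() says it returns a comma-separated list, but the loop joins names with `ret[rlen++] = '\n';`, so callers get one name per line. Either the comment or the separator should change; a comment that matches the code would be `/* Returns a newline-separated list of supported SSH2 ciphers; caller must free(). NULL if none. */`. The NULL case is worth stating because `ret` stays NULL when no table entry has `number == SSH_CIPHER_SSH2`, and a caller that prints the result or takes its length without checking would dereference NULL.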
diff --git a/cipher.h b/cipher.h
index 8cb57c3e5..b878d50f4 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -66,21 +66,22 @@ struct CipherContext {
66 int plaintext; 66 int plaintext;
67 int encrypt; 67 int encrypt;
68 EVP_CIPHER_CTX evp; 68 EVP_CIPHER_CTX evp;
69 Cipher *cipher; 69 const Cipher *cipher;
70}; 70};
71 71
72u_int cipher_mask_ssh1(int); 72u_int cipher_mask_ssh1(int);
73Cipher *cipher_by_name(const char *); 73const Cipher *cipher_by_name(const char *);
74Cipher *cipher_by_number(int); 74const Cipher *cipher_by_number(int);
75int cipher_number(const char *); 75int cipher_number(const char *);
76char *cipher_name(int); 76char *cipher_name(int);
77int ciphers_valid(const char *); 77int ciphers_valid(const char *);
78void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, 78char *cipher_alg_list(void);
79void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
79 const u_char *, u_int, int); 80 const u_char *, u_int, int);
80void cipher_crypt(CipherContext *, u_char *, const u_char *, 81void cipher_crypt(CipherContext *, u_char *, const u_char *,
81 u_int, u_int, u_int); 82 u_int, u_int, u_int);
82void cipher_cleanup(CipherContext *); 83void cipher_cleanup(CipherContext *);
83void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); 84void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
84u_int cipher_blocksize(const Cipher *); 85u_int cipher_blocksize(const Cipher *);
85u_int cipher_keylen(const Cipher *); 86u_int cipher_keylen(const Cipher *);
86u_int cipher_authlen(const Cipher *); 87u_int cipher_authlen(const Cipher *);
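Review bot: `char *cipher_name(int);` still returns a non-const pointer although this change makes the cipher table const. In cipher.c it returns either `c->name` from that table or the literal `"<unknown>"`, and a caller writing through the result would hit undefined behaviour. Declaring it `const char *cipher_name(int);`, with the matching definition in cipher.c, would complete the const-correctness pass, assuming callers only read the string. The new `char *cipher_alg_list(void);` prototype would also benefit from a one-line comment saying that the caller owns the returned buffer and must free it.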
diff --git a/clientloop.c b/clientloop.c
index 2ef816ab3..86695cc16 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -277,7 +277,7 @@ set_control_persist_exit_time(void)
277 control_persist_exit_time = 0; 277 control_persist_exit_time = 0;
278 } else if (control_persist_exit_time <= 0) { 278 } else if (control_persist_exit_time <= 0) {
279 /* a client connection has recently closed */ 279 /* a client connection has recently closed */
280 control_persist_exit_time = time(NULL) + 280 control_persist_exit_time = monotime() +
281 (time_t)options.control_persist_timeout; 281 (time_t)options.control_persist_timeout;
282 debug2("%s: schedule exit in %d seconds", __func__, 282 debug2("%s: schedule exit in %d seconds", __func__,
283 options.control_persist_timeout); 283 options.control_persist_timeout);
@@ -360,7 +360,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
360 if (system(cmd) == 0) 360 if (system(cmd) == 0)
361 generated = 1; 361 generated = 1;
362 if (x11_refuse_time == 0) { 362 if (x11_refuse_time == 0) {
363 now = time(NULL) + 1; 363 now = monotime() + 1;
364 if (UINT_MAX - timeout < now) 364 if (UINT_MAX - timeout < now)
365 x11_refuse_time = UINT_MAX; 365 x11_refuse_time = UINT_MAX;
366 else 366 else
@@ -397,10 +397,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
397 unlink(xauthfile); 397 unlink(xauthfile);
398 rmdir(xauthdir); 398 rmdir(xauthdir);
399 } 399 }
400 if (xauthdir) 400 free(xauthdir);
401 xfree(xauthdir); 401 free(xauthfile);
402 if (xauthfile)
403 xfree(xauthfile);
404 402
405 /* 403 /*
406 * If we didn't get authentication data, just make up some 404 * If we didn't get authentication data, just make up some
@@ -556,7 +554,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
556 if (--gc->ref_count <= 0) { 554 if (--gc->ref_count <= 0) {
557 TAILQ_REMOVE(&global_confirms, gc, entry); 555 TAILQ_REMOVE(&global_confirms, gc, entry);
558 bzero(gc, sizeof(*gc)); 556 bzero(gc, sizeof(*gc));
559 xfree(gc); 557 free(gc);
560 } 558 }
561 559
562 packet_set_alive_timeouts(0); 560 packet_set_alive_timeouts(0);
@@ -587,7 +585,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
587{ 585{
588 struct timeval tv, *tvp; 586 struct timeval tv, *tvp;
589 int timeout_secs; 587 int timeout_secs;
590 time_t minwait_secs = 0; 588 time_t minwait_secs = 0, server_alive_time = 0, now = monotime();
591 int ret; 589 int ret;
592 590
593 /* Add any selections by the channel mechanism. */ 591 /* Add any selections by the channel mechanism. */
@@ -636,12 +634,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
636 */ 634 */
637 635
638 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 636 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
639 if (options.server_alive_interval > 0 && compat20) 637 if (options.server_alive_interval > 0 && compat20) {
640 timeout_secs = options.server_alive_interval; 638 timeout_secs = options.server_alive_interval;
639 server_alive_time = now + options.server_alive_interval;
640 }
641 if (options.rekey_interval > 0 && compat20 && !rekeying)
642 timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout());
641 set_control_persist_exit_time(); 643 set_control_persist_exit_time();
642 if (control_persist_exit_time > 0) { 644 if (control_persist_exit_time > 0) {
643 timeout_secs = MIN(timeout_secs, 645 timeout_secs = MIN(timeout_secs,
644 control_persist_exit_time - time(NULL)); 646 control_persist_exit_time - now);
645 if (timeout_secs < 0) 647 if (timeout_secs < 0)
646 timeout_secs = 0; 648 timeout_secs = 0;
647 } 649 }
@@ -673,8 +675,15 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
673 snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); 675 snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
674 buffer_append(&stderr_buffer, buf, strlen(buf)); 676 buffer_append(&stderr_buffer, buf, strlen(buf));
675 quit_pending = 1; 677 quit_pending = 1;
676 } else if (ret == 0) 678 } else if (ret == 0) {
677 server_alive_check(); 679 /*
680 * Timeout. Could have been either keepalive or rekeying.
681 * Keepalive we check here, rekeying is checked in clientloop.
682 */
683 if (server_alive_time != 0 && server_alive_time <= monotime())
684 server_alive_check();
685 }
686
678} 687}
679 688
680static void 689static void
@@ -819,13 +828,13 @@ client_status_confirm(int type, Channel *c, void *ctx)
819 chan_write_failed(c); 828 chan_write_failed(c);
820 } 829 }
821 } 830 }
822 xfree(cr); 831 free(cr);
823} 832}
824 833
825static void 834static void
826client_abandon_status_confirm(Channel *c, void *ctx) 835client_abandon_status_confirm(Channel *c, void *ctx)
827{ 836{
828 xfree(ctx); 837 free(ctx);
829} 838}
830 839
831void 840void
@@ -992,12 +1001,9 @@ process_cmdline(void)
992out: 1001out:
993 signal(SIGINT, handler); 1002 signal(SIGINT, handler);
994 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1003 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
995 if (cmd) 1004 free(cmd);
996 xfree(cmd); 1005 free(fwd.listen_host);
997 if (fwd.listen_host != NULL) 1006 free(fwd.connect_host);
998 xfree(fwd.listen_host);
999 if (fwd.connect_host != NULL)
1000 xfree(fwd.connect_host);
1001} 1007}
1002 1008
1003/* reasons to suppress output of an escape command in help output */ 1009/* reasons to suppress output of an escape command in help output */
@@ -1107,8 +1113,11 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1107 if (c && c->ctl_chan != -1) { 1113 if (c && c->ctl_chan != -1) {
1108 chan_read_failed(c); 1114 chan_read_failed(c);
1109 chan_write_failed(c); 1115 chan_write_failed(c);
1110 mux_master_session_cleanup_cb(c->self, 1116 if (c->detach_user)
1111 NULL); 1117 c->detach_user(c->self, NULL);
1118 c->type = SSH_CHANNEL_ABANDONED;
1119 buffer_clear(&c->input);
1120 chan_ibuf_empty(c);
1112 return 0; 1121 return 0;
1113 } else 1122 } else
1114 quit_pending = 1; 1123 quit_pending = 1;
@@ -1254,7 +1263,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
1254 buffer_append(berr, string, strlen(string)); 1263 buffer_append(berr, string, strlen(string));
1255 s = channel_open_message(); 1264 s = channel_open_message();
1256 buffer_append(berr, s, strlen(s)); 1265 buffer_append(berr, s, strlen(s));
1257 xfree(s); 1266 free(s);
1258 continue; 1267 continue;
1259 1268
1260 case 'C': 1269 case 'C':
@@ -1443,7 +1452,7 @@ client_new_escape_filter_ctx(int escape_char)
1443void 1452void
1444client_filter_cleanup(int cid, void *ctx) 1453client_filter_cleanup(int cid, void *ctx)
1445{ 1454{
1446 xfree(ctx); 1455 free(ctx);
1447} 1456}
1448 1457
1449int 1458int
@@ -1657,16 +1666,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
1657 * connections, then quit. 1666 * connections, then quit.
1658 */ 1667 */
1659 if (control_persist_exit_time > 0) { 1668 if (control_persist_exit_time > 0) {
1660 if (time(NULL) >= control_persist_exit_time) { 1669 if (monotime() >= control_persist_exit_time) {
1661 debug("ControlPersist timeout expired"); 1670 debug("ControlPersist timeout expired");
1662 break; 1671 break;
1663 } 1672 }
1664 } 1673 }
1665 } 1674 }
1666 if (readset) 1675 free(readset);
1667 xfree(readset); 1676 free(writeset);
1668 if (writeset)
1669 xfree(writeset);
1670 1677
1671 /* Terminate the session. */ 1678 /* Terminate the session. */
1672 1679
@@ -1768,7 +1775,7 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt)
1768 packet_check_eom(); 1775 packet_check_eom();
1769 buffer_append(&stdout_buffer, data, data_len); 1776 buffer_append(&stdout_buffer, data, data_len);
1770 memset(data, 0, data_len); 1777 memset(data, 0, data_len);
1771 xfree(data); 1778 free(data);
1772} 1779}
1773static void 1780static void
1774client_input_stderr_data(int type, u_int32_t seq, void *ctxt) 1781client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
@@ -1778,7 +1785,7 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
1778 packet_check_eom(); 1785 packet_check_eom();
1779 buffer_append(&stderr_buffer, data, data_len); 1786 buffer_append(&stderr_buffer, data, data_len);
1780 memset(data, 0, data_len); 1787 memset(data, 0, data_len);
1781 xfree(data); 1788 free(data);
1782} 1789}
1783static void 1790static void
1784client_input_exit_status(int type, u_int32_t seq, void *ctxt) 1791client_input_exit_status(int type, u_int32_t seq, void *ctxt)
@@ -1858,8 +1865,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
1858 c = channel_connect_by_listen_address(listen_port, 1865 c = channel_connect_by_listen_address(listen_port,
1859 "forwarded-tcpip", originator_address); 1866 "forwarded-tcpip", originator_address);
1860 1867
1861 xfree(originator_address); 1868 free(originator_address);
1862 xfree(listen_address); 1869 free(listen_address);
1863 return c; 1870 return c;
1864} 1871}
1865 1872
@@ -1877,7 +1884,7 @@ client_request_x11(const char *request_type, int rchan)
1877 "malicious server."); 1884 "malicious server.");
1878 return NULL; 1885 return NULL;
1879 } 1886 }
1880 if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) { 1887 if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
1881 verbose("Rejected X11 connection after ForwardX11Timeout " 1888 verbose("Rejected X11 connection after ForwardX11Timeout "
1882 "expired"); 1889 "expired");
1883 return NULL; 1890 return NULL;
@@ -1893,7 +1900,7 @@ client_request_x11(const char *request_type, int rchan)
1893 /* XXX check permission */ 1900 /* XXX check permission */
1894 debug("client_request_x11: request from %s %d", originator, 1901 debug("client_request_x11: request from %s %d", originator,
1895 originator_port); 1902 originator_port);
1896 xfree(originator); 1903 free(originator);
1897 sock = x11_connect_display(); 1904 sock = x11_connect_display();
1898 if (sock < 0) 1905 if (sock < 0)
1899 return NULL; 1906 return NULL;
@@ -2020,7 +2027,7 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
2020 } 2027 }
2021 packet_send(); 2028 packet_send();
2022 } 2029 }
2023 xfree(ctype); 2030 free(ctype);
2024} 2031}
2025static void 2032static void
2026client_input_channel_req(int type, u_int32_t seq, void *ctxt) 2033client_input_channel_req(int type, u_int32_t seq, void *ctxt)
@@ -2066,7 +2073,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
2066 packet_put_int(c->remote_id); 2073 packet_put_int(c->remote_id);
2067 packet_send(); 2074 packet_send();
2068 } 2075 }
2069 xfree(rtype); 2076 free(rtype);
2070} 2077}
2071static void 2078static void
2072client_input_global_request(int type, u_int32_t seq, void *ctxt) 2079client_input_global_request(int type, u_int32_t seq, void *ctxt)
@@ -2085,7 +2092,7 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
2085 packet_send(); 2092 packet_send();
2086 packet_write_wait(); 2093 packet_write_wait();
2087 } 2094 }
2088 xfree(rtype); 2095 free(rtype);
2089} 2096}
2090 2097
2091void 2098void
@@ -2135,7 +2142,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
2135 /* Split */ 2142 /* Split */
2136 name = xstrdup(env[i]); 2143 name = xstrdup(env[i]);
2137 if ((val = strchr(name, '=')) == NULL) { 2144 if ((val = strchr(name, '=')) == NULL) {
2138 xfree(name); 2145 free(name);
2139 continue; 2146 continue;
2140 } 2147 }
2141 *val++ = '\0'; 2148 *val++ = '\0';
@@ -2149,7 +2156,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
2149 } 2156 }
2150 if (!matched) { 2157 if (!matched) {
2151 debug3("Ignored env %s", name); 2158 debug3("Ignored env %s", name);
2152 xfree(name); 2159 free(name);
2153 continue; 2160 continue;
2154 } 2161 }
2155 2162
@@ -2158,7 +2165,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
2158 packet_put_cstring(name); 2165 packet_put_cstring(name);
2159 packet_put_cstring(val); 2166 packet_put_cstring(val);
2160 packet_send(); 2167 packet_send();
2161 xfree(name); 2168 free(name);
2162 } 2169 }
2163 } 2170 }
2164 2171
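Review bot: In client_wait_until_can_do_something the keepalive deadline `server_alive_time` is a local that is recomputed as `now + options.server_alive_interval` on every call. A select() timeout that fires earlier for another reason, such as the value from `packet_get_rekey_timeout()`, therefore skips `server_alive_check()`, and the next call starts the full interval again. If the function is re-entered on each loop iteration, as it appears to be, the probe on an idle connection can be postponed past the configured interval, which weakens dead-peer detection. Keeping the deadline in a file-scope `static time_t server_alive_time;` that is advanced only when a probe is sent or server traffic arrives would avoid the reset. The function body extends beyond the visible hunks.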
diff --git a/clientloop.h b/clientloop.h
index d2baa0324..338d45186 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ 1/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -76,5 +76,4 @@ void muxserver_listen(void);
76void muxclient(const char *); 76void muxclient(const char *);
77void mux_exit_message(Channel *, int); 77void mux_exit_message(Channel *, int);
78void mux_tty_alloc_failed(Channel *); 78void mux_tty_alloc_failed(Channel *);
79void mux_master_session_cleanup_cb(int, void *);
80 79
diff --git a/compat.c b/compat.c
index f680f4fe3..ac353a706 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ 1/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
4 * 4 *
@@ -204,7 +204,7 @@ proto_spec(const char *spec)
204 break; 204 break;
205 } 205 }
206 } 206 }
207 xfree(s); 207 free(s);
208 return ret; 208 return ret;
209} 209}
210 210
@@ -230,7 +230,7 @@ compat_cipher_proposal(char *cipher_prop)
230 buffer_append(&b, "\0", 1); 230 buffer_append(&b, "\0", 1);
231 fix_ciphers = xstrdup(buffer_ptr(&b)); 231 fix_ciphers = xstrdup(buffer_ptr(&b));
232 buffer_free(&b); 232 buffer_free(&b);
233 xfree(orig_prop); 233 free(orig_prop);
234 debug2("Original cipher proposal: %s", cipher_prop); 234 debug2("Original cipher proposal: %s", cipher_prop);
235 debug2("Compat cipher proposal: %s", fix_ciphers); 235 debug2("Compat cipher proposal: %s", fix_ciphers);
236 if (!*fix_ciphers) 236 if (!*fix_ciphers)
diff --git a/config.guess b/config.guess
index 78553c4ea..b94cde8ef 100755
--- a/config.guess
+++ b/config.guess
@@ -2,9 +2,9 @@
2# Attempt to guess a canonical system name. 2# Attempt to guess a canonical system name.
3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
5# 2011 Free Software Foundation, Inc. 5# 2011, 2012, 2013 Free Software Foundation, Inc.
6 6
7timestamp='2011-01-23' 7timestamp='2012-12-23'
8 8
9# This file is free software; you can redistribute it and/or modify it 9# This file is free software; you can redistribute it and/or modify it
10# under the terms of the GNU General Public License as published by 10# under the terms of the GNU General Public License as published by
@@ -17,9 +17,7 @@ timestamp='2011-01-23'
17# General Public License for more details. 17# General Public License for more details.
18# 18#
19# You should have received a copy of the GNU General Public License 19# You should have received a copy of the GNU General Public License
20# along with this program; if not, write to the Free Software 20# along with this program; if not, see <http://www.gnu.org/licenses/>.
21# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
22# 02110-1301, USA.
23# 21#
24# As a special exception to the GNU General Public License, if you 22# As a special exception to the GNU General Public License, if you
25# distribute this file as part of a program that contains a 23# distribute this file as part of a program that contains a
@@ -57,8 +55,8 @@ GNU config.guess ($timestamp)
57 55
58Originally written by Per Bothner. 56Originally written by Per Bothner.
59Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 57Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
602001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free 582001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
61Software Foundation, Inc. 592012, 2013 Free Software Foundation, Inc.
62 60
63This is free software; see the source for copying conditions. There is NO 61This is free software; see the source for copying conditions. There is NO
64warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 62warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
145case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in 143case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
146 *:NetBSD:*:*) 144 *:NetBSD:*:*)
147 # NetBSD (nbsd) targets should (where applicable) match one or 145 # NetBSD (nbsd) targets should (where applicable) match one or
148 # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, 146 # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
149 # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently 147 # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
150 # switched to ELF, *-*-netbsd* would select the old 148 # switched to ELF, *-*-netbsd* would select the old
151 # object file format. This provides both forward 149 # object file format. This provides both forward
@@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
181 fi 179 fi
182 ;; 180 ;;
183 *) 181 *)
184 os=netbsd 182 os=netbsd
185 ;; 183 ;;
186 esac 184 esac
187 # The OS release 185 # The OS release
@@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
202 # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 200 # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
203 echo "${machine}-${os}${release}" 201 echo "${machine}-${os}${release}"
204 exit ;; 202 exit ;;
203 *:Bitrig:*:*)
204 UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
205 echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
206 exit ;;
205 *:OpenBSD:*:*) 207 *:OpenBSD:*:*)
206 UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` 208 UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
207 echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} 209 echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
@@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
224 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` 226 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
225 ;; 227 ;;
226 *5.*) 228 *5.*)
227 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` 229 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
228 ;; 230 ;;
229 esac 231 esac
230 # According to Compaq, /usr/sbin/psrinfo has been available on 232 # According to Compaq, /usr/sbin/psrinfo has been available on
@@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
299 echo s390-ibm-zvmoe 301 echo s390-ibm-zvmoe
300 exit ;; 302 exit ;;
301 *:OS400:*:*) 303 *:OS400:*:*)
302 echo powerpc-ibm-os400 304 echo powerpc-ibm-os400
303 exit ;; 305 exit ;;
304 arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) 306 arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
305 echo arm-acorn-riscix${UNAME_RELEASE} 307 echo arm-acorn-riscix${UNAME_RELEASE}
306 exit ;; 308 exit ;;
307 arm:riscos:*:*|arm:RISCOS:*:*) 309 arm*:riscos:*:*|arm*:RISCOS:*:*)
308 echo arm-unknown-riscos 310 echo arm-unknown-riscos
309 exit ;; 311 exit ;;
310 SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) 312 SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@@ -398,23 +400,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
398 # MiNT. But MiNT is downward compatible to TOS, so this should 400 # MiNT. But MiNT is downward compatible to TOS, so this should
399 # be no problem. 401 # be no problem.
400 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) 402 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
401 echo m68k-atari-mint${UNAME_RELEASE} 403 echo m68k-atari-mint${UNAME_RELEASE}
402 exit ;; 404 exit ;;
403 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) 405 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
404 echo m68k-atari-mint${UNAME_RELEASE} 406 echo m68k-atari-mint${UNAME_RELEASE}
405 exit ;; 407 exit ;;
406 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) 408 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
407 echo m68k-atari-mint${UNAME_RELEASE} 409 echo m68k-atari-mint${UNAME_RELEASE}
408 exit ;; 410 exit ;;
409 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) 411 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
410 echo m68k-milan-mint${UNAME_RELEASE} 412 echo m68k-milan-mint${UNAME_RELEASE}
411 exit ;; 413 exit ;;
412 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) 414 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
413 echo m68k-hades-mint${UNAME_RELEASE} 415 echo m68k-hades-mint${UNAME_RELEASE}
414 exit ;; 416 exit ;;
415 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) 417 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
416 echo m68k-unknown-mint${UNAME_RELEASE} 418 echo m68k-unknown-mint${UNAME_RELEASE}
417 exit ;; 419 exit ;;
418 m68k:machten:*:*) 420 m68k:machten:*:*)
419 echo m68k-apple-machten${UNAME_RELEASE} 421 echo m68k-apple-machten${UNAME_RELEASE}
420 exit ;; 422 exit ;;
@@ -484,8 +486,8 @@ EOF
484 echo m88k-motorola-sysv3 486 echo m88k-motorola-sysv3
485 exit ;; 487 exit ;;
486 AViiON:dgux:*:*) 488 AViiON:dgux:*:*)
487 # DG/UX returns AViiON for all architectures 489 # DG/UX returns AViiON for all architectures
488 UNAME_PROCESSOR=`/usr/bin/uname -p` 490 UNAME_PROCESSOR=`/usr/bin/uname -p`
489 if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] 491 if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
490 then 492 then
491 if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ 493 if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@@ -498,7 +500,7 @@ EOF
498 else 500 else
499 echo i586-dg-dgux${UNAME_RELEASE} 501 echo i586-dg-dgux${UNAME_RELEASE}
500 fi 502 fi
501 exit ;; 503 exit ;;
502 M88*:DolphinOS:*:*) # DolphinOS (SVR3) 504 M88*:DolphinOS:*:*) # DolphinOS (SVR3)
503 echo m88k-dolphin-sysv3 505 echo m88k-dolphin-sysv3
504 exit ;; 506 exit ;;
@@ -598,52 +600,52 @@ EOF
598 9000/[678][0-9][0-9]) 600 9000/[678][0-9][0-9])
599 if [ -x /usr/bin/getconf ]; then 601 if [ -x /usr/bin/getconf ]; then
600 sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` 602 sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
601 sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` 603 sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
602 case "${sc_cpu_version}" in 604 case "${sc_cpu_version}" in
603 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 605 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
604 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 606 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
605 532) # CPU_PA_RISC2_0 607 532) # CPU_PA_RISC2_0
606 case "${sc_kernel_bits}" in 608 case "${sc_kernel_bits}" in
607 32) HP_ARCH="hppa2.0n" ;; 609 32) HP_ARCH="hppa2.0n" ;;
608 64) HP_ARCH="hppa2.0w" ;; 610 64) HP_ARCH="hppa2.0w" ;;
609 '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 611 '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
610 esac ;; 612 esac ;;
611 esac 613 esac
612 fi 614 fi
613 if [ "${HP_ARCH}" = "" ]; then 615 if [ "${HP_ARCH}" = "" ]; then
614 eval $set_cc_for_build 616 eval $set_cc_for_build
615 sed 's/^ //' << EOF >$dummy.c 617 sed 's/^ //' << EOF >$dummy.c
616 618
617 #define _HPUX_SOURCE 619 #define _HPUX_SOURCE
618 #include <stdlib.h> 620 #include <stdlib.h>
619 #include <unistd.h> 621 #include <unistd.h>
620 622
621 int main () 623 int main ()
622 { 624 {
623 #if defined(_SC_KERNEL_BITS) 625 #if defined(_SC_KERNEL_BITS)
624 long bits = sysconf(_SC_KERNEL_BITS); 626 long bits = sysconf(_SC_KERNEL_BITS);
625 #endif 627 #endif
626 long cpu = sysconf (_SC_CPU_VERSION); 628 long cpu = sysconf (_SC_CPU_VERSION);
627 629
628 switch (cpu) 630 switch (cpu)
629 { 631 {
630 case CPU_PA_RISC1_0: puts ("hppa1.0"); break; 632 case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
631 case CPU_PA_RISC1_1: puts ("hppa1.1"); break; 633 case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
632 case CPU_PA_RISC2_0: 634 case CPU_PA_RISC2_0:
633 #if defined(_SC_KERNEL_BITS) 635 #if defined(_SC_KERNEL_BITS)
634 switch (bits) 636 switch (bits)
635 { 637 {
636 case 64: puts ("hppa2.0w"); break; 638 case 64: puts ("hppa2.0w"); break;
637 case 32: puts ("hppa2.0n"); break; 639 case 32: puts ("hppa2.0n"); break;
638 default: puts ("hppa2.0"); break; 640 default: puts ("hppa2.0"); break;
639 } break; 641 } break;
640 #else /* !defined(_SC_KERNEL_BITS) */ 642 #else /* !defined(_SC_KERNEL_BITS) */
641 puts ("hppa2.0"); break; 643 puts ("hppa2.0"); break;
642 #endif 644 #endif
643 default: puts ("hppa1.0"); break; 645 default: puts ("hppa1.0"); break;
644 } 646 }
645 exit (0); 647 exit (0);
646 } 648 }
647EOF 649EOF
648 (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` 650 (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
649 test -z "$HP_ARCH" && HP_ARCH=hppa 651 test -z "$HP_ARCH" && HP_ARCH=hppa
@@ -734,22 +736,22 @@ EOF
734 exit ;; 736 exit ;;
735 C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) 737 C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
736 echo c1-convex-bsd 738 echo c1-convex-bsd
737 exit ;; 739 exit ;;
738 C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) 740 C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
739 if getsysinfo -f scalar_acc 741 if getsysinfo -f scalar_acc
740 then echo c32-convex-bsd 742 then echo c32-convex-bsd
741 else echo c2-convex-bsd 743 else echo c2-convex-bsd
742 fi 744 fi
743 exit ;; 745 exit ;;
744 C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) 746 C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
745 echo c34-convex-bsd 747 echo c34-convex-bsd
746 exit ;; 748 exit ;;
747 C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) 749 C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
748 echo c38-convex-bsd 750 echo c38-convex-bsd
749 exit ;; 751 exit ;;
750 C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) 752 C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
751 echo c4-convex-bsd 753 echo c4-convex-bsd
752 exit ;; 754 exit ;;
753 CRAY*Y-MP:*:*:*) 755 CRAY*Y-MP:*:*:*)
754 echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 756 echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
755 exit ;; 757 exit ;;
@@ -773,14 +775,14 @@ EOF
773 exit ;; 775 exit ;;
774 F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) 776 F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
775 FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` 777 FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
776 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` 778 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
777 FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` 779 FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
778 echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" 780 echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
779 exit ;; 781 exit ;;
780 5000:UNIX_System_V:4.*:*) 782 5000:UNIX_System_V:4.*:*)
781 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` 783 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
782 FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` 784 FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
783 echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" 785 echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
784 exit ;; 786 exit ;;
785 i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 787 i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
786 echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} 788 echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@@ -792,30 +794,35 @@ EOF
792 echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} 794 echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
793 exit ;; 795 exit ;;
794 *:FreeBSD:*:*) 796 *:FreeBSD:*:*)
795 case ${UNAME_MACHINE} in 797 UNAME_PROCESSOR=`/usr/bin/uname -p`
796 pc98) 798 case ${UNAME_PROCESSOR} in
797 echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
798 amd64) 799 amd64)
799 echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; 800 echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
800 *) 801 *)
801 echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; 802 echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
802 esac 803 esac
803 exit ;; 804 exit ;;
804 i*:CYGWIN*:*) 805 i*:CYGWIN*:*)
805 echo ${UNAME_MACHINE}-pc-cygwin 806 echo ${UNAME_MACHINE}-pc-cygwin
806 exit ;; 807 exit ;;
808 *:MINGW64*:*)
809 echo ${UNAME_MACHINE}-pc-mingw64
810 exit ;;
807 *:MINGW*:*) 811 *:MINGW*:*)
808 echo ${UNAME_MACHINE}-pc-mingw32 812 echo ${UNAME_MACHINE}-pc-mingw32
809 exit ;; 813 exit ;;
814 i*:MSYS*:*)
815 echo ${UNAME_MACHINE}-pc-msys
816 exit ;;
810 i*:windows32*:*) 817 i*:windows32*:*)
811 # uname -m includes "-pc" on this system. 818 # uname -m includes "-pc" on this system.
812 echo ${UNAME_MACHINE}-mingw32 819 echo ${UNAME_MACHINE}-mingw32
813 exit ;; 820 exit ;;
814 i*:PW*:*) 821 i*:PW*:*)
815 echo ${UNAME_MACHINE}-pc-pw32 822 echo ${UNAME_MACHINE}-pc-pw32
816 exit ;; 823 exit ;;
817 *:Interix*:*) 824 *:Interix*:*)
818 case ${UNAME_MACHINE} in 825 case ${UNAME_MACHINE} in
819 x86) 826 x86)
820 echo i586-pc-interix${UNAME_RELEASE} 827 echo i586-pc-interix${UNAME_RELEASE}
821 exit ;; 828 exit ;;
@@ -861,6 +868,13 @@ EOF
861 i*86:Minix:*:*) 868 i*86:Minix:*:*)
862 echo ${UNAME_MACHINE}-pc-minix 869 echo ${UNAME_MACHINE}-pc-minix
863 exit ;; 870 exit ;;
871 aarch64:Linux:*:*)
872 echo ${UNAME_MACHINE}-unknown-linux-gnu
873 exit ;;
874 aarch64_be:Linux:*:*)
875 UNAME_MACHINE=aarch64_be
876 echo ${UNAME_MACHINE}-unknown-linux-gnu
877 exit ;;
864 alpha:Linux:*:*) 878 alpha:Linux:*:*)
865 case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in 879 case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
866 EV5) UNAME_MACHINE=alphaev5 ;; 880 EV5) UNAME_MACHINE=alphaev5 ;;
@@ -870,7 +884,7 @@ EOF
870 EV6) UNAME_MACHINE=alphaev6 ;; 884 EV6) UNAME_MACHINE=alphaev6 ;;
871 EV67) UNAME_MACHINE=alphaev67 ;; 885 EV67) UNAME_MACHINE=alphaev67 ;;
872 EV68*) UNAME_MACHINE=alphaev68 ;; 886 EV68*) UNAME_MACHINE=alphaev68 ;;
873 esac 887 esac
874 objdump --private-headers /bin/sh | grep -q ld.so.1 888 objdump --private-headers /bin/sh | grep -q ld.so.1
875 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi 889 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
876 echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} 890 echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@@ -882,20 +896,29 @@ EOF
882 then 896 then
883 echo ${UNAME_MACHINE}-unknown-linux-gnu 897 echo ${UNAME_MACHINE}-unknown-linux-gnu
884 else 898 else
885 echo ${UNAME_MACHINE}-unknown-linux-gnueabi 899 if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
900 | grep -q __ARM_PCS_VFP
901 then
902 echo ${UNAME_MACHINE}-unknown-linux-gnueabi
903 else
904 echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
905 fi
886 fi 906 fi
887 exit ;; 907 exit ;;
888 avr32*:Linux:*:*) 908 avr32*:Linux:*:*)
889 echo ${UNAME_MACHINE}-unknown-linux-gnu 909 echo ${UNAME_MACHINE}-unknown-linux-gnu
890 exit ;; 910 exit ;;
891 cris:Linux:*:*) 911 cris:Linux:*:*)
892 echo cris-axis-linux-gnu 912 echo ${UNAME_MACHINE}-axis-linux-gnu
893 exit ;; 913 exit ;;
894 crisv32:Linux:*:*) 914 crisv32:Linux:*:*)
895 echo crisv32-axis-linux-gnu 915 echo ${UNAME_MACHINE}-axis-linux-gnu
896 exit ;; 916 exit ;;
897 frv:Linux:*:*) 917 frv:Linux:*:*)
898 echo frv-unknown-linux-gnu 918 echo ${UNAME_MACHINE}-unknown-linux-gnu
919 exit ;;
920 hexagon:Linux:*:*)
921 echo ${UNAME_MACHINE}-unknown-linux-gnu
899 exit ;; 922 exit ;;
900 i*86:Linux:*:*) 923 i*86:Linux:*:*)
901 LIBC=gnu 924 LIBC=gnu
@@ -937,7 +960,7 @@ EOF
937 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } 960 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
938 ;; 961 ;;
939 or32:Linux:*:*) 962 or32:Linux:*:*)
940 echo or32-unknown-linux-gnu 963 echo ${UNAME_MACHINE}-unknown-linux-gnu
941 exit ;; 964 exit ;;
942 padre:Linux:*:*) 965 padre:Linux:*:*)
943 echo sparc-unknown-linux-gnu 966 echo sparc-unknown-linux-gnu
@@ -963,7 +986,7 @@ EOF
963 echo ${UNAME_MACHINE}-ibm-linux 986 echo ${UNAME_MACHINE}-ibm-linux
964 exit ;; 987 exit ;;
965 sh64*:Linux:*:*) 988 sh64*:Linux:*:*)
966 echo ${UNAME_MACHINE}-unknown-linux-gnu 989 echo ${UNAME_MACHINE}-unknown-linux-gnu
967 exit ;; 990 exit ;;
968 sh*:Linux:*:*) 991 sh*:Linux:*:*)
969 echo ${UNAME_MACHINE}-unknown-linux-gnu 992 echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -972,16 +995,16 @@ EOF
972 echo ${UNAME_MACHINE}-unknown-linux-gnu 995 echo ${UNAME_MACHINE}-unknown-linux-gnu
973 exit ;; 996 exit ;;
974 tile*:Linux:*:*) 997 tile*:Linux:*:*)
975 echo ${UNAME_MACHINE}-tilera-linux-gnu 998 echo ${UNAME_MACHINE}-unknown-linux-gnu
976 exit ;; 999 exit ;;
977 vax:Linux:*:*) 1000 vax:Linux:*:*)
978 echo ${UNAME_MACHINE}-dec-linux-gnu 1001 echo ${UNAME_MACHINE}-dec-linux-gnu
979 exit ;; 1002 exit ;;
980 x86_64:Linux:*:*) 1003 x86_64:Linux:*:*)
981 echo x86_64-unknown-linux-gnu 1004 echo ${UNAME_MACHINE}-unknown-linux-gnu
982 exit ;; 1005 exit ;;
983 xtensa*:Linux:*:*) 1006 xtensa*:Linux:*:*)
984 echo ${UNAME_MACHINE}-unknown-linux-gnu 1007 echo ${UNAME_MACHINE}-unknown-linux-gnu
985 exit ;; 1008 exit ;;
986 i*86:DYNIX/ptx:4*:*) 1009 i*86:DYNIX/ptx:4*:*)
987 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. 1010 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@@ -990,11 +1013,11 @@ EOF
990 echo i386-sequent-sysv4 1013 echo i386-sequent-sysv4
991 exit ;; 1014 exit ;;
992 i*86:UNIX_SV:4.2MP:2.*) 1015 i*86:UNIX_SV:4.2MP:2.*)
993 # Unixware is an offshoot of SVR4, but it has its own version 1016 # Unixware is an offshoot of SVR4, but it has its own version
994 # number series starting with 2... 1017 # number series starting with 2...
995 # I am not positive that other SVR4 systems won't match this, 1018 # I am not positive that other SVR4 systems won't match this,
996 # I just have to hope. -- rms. 1019 # I just have to hope. -- rms.
997 # Use sysv4.2uw... so that sysv4* matches it. 1020 # Use sysv4.2uw... so that sysv4* matches it.
998 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} 1021 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
999 exit ;; 1022 exit ;;
1000 i*86:OS/2:*:*) 1023 i*86:OS/2:*:*)
@@ -1026,7 +1049,7 @@ EOF
1026 fi 1049 fi
1027 exit ;; 1050 exit ;;
1028 i*86:*:5:[678]*) 1051 i*86:*:5:[678]*)
1029 # UnixWare 7.x, OpenUNIX and OpenServer 6. 1052 # UnixWare 7.x, OpenUNIX and OpenServer 6.
1030 case `/bin/uname -X | grep "^Machine"` in 1053 case `/bin/uname -X | grep "^Machine"` in
1031 *486*) UNAME_MACHINE=i486 ;; 1054 *486*) UNAME_MACHINE=i486 ;;
1032 *Pentium) UNAME_MACHINE=i586 ;; 1055 *Pentium) UNAME_MACHINE=i586 ;;
@@ -1054,13 +1077,13 @@ EOF
1054 exit ;; 1077 exit ;;
1055 pc:*:*:*) 1078 pc:*:*:*)
1056 # Left here for compatibility: 1079 # Left here for compatibility:
1057 # uname -m prints for DJGPP always 'pc', but it prints nothing about 1080 # uname -m prints for DJGPP always 'pc', but it prints nothing about
1058 # the processor, so we play safe by assuming i586. 1081 # the processor, so we play safe by assuming i586.
1059 # Note: whatever this is, it MUST be the same as what config.sub 1082 # Note: whatever this is, it MUST be the same as what config.sub
1060 # prints for the "djgpp" host, or else GDB configury will decide that 1083 # prints for the "djgpp" host, or else GDB configury will decide that
1061 # this is a cross-build. 1084 # this is a cross-build.
1062 echo i586-pc-msdosdjgpp 1085 echo i586-pc-msdosdjgpp
1063 exit ;; 1086 exit ;;
1064 Intel:Mach:3*:*) 1087 Intel:Mach:3*:*)
1065 echo i386-pc-mach3 1088 echo i386-pc-mach3
1066 exit ;; 1089 exit ;;
@@ -1095,8 +1118,8 @@ EOF
1095 /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ 1118 /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
1096 && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 1119 && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
1097 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) 1120 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
1098 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ 1121 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
1099 && { echo i486-ncr-sysv4; exit; } ;; 1122 && { echo i486-ncr-sysv4; exit; } ;;
1100 NCR*:*:4.2:* | MPRAS*:*:4.2:*) 1123 NCR*:*:4.2:* | MPRAS*:*:4.2:*)
1101 OS_REL='.3' 1124 OS_REL='.3'
1102 test -r /etc/.relid \ 1125 test -r /etc/.relid \
@@ -1139,10 +1162,10 @@ EOF
1139 echo ns32k-sni-sysv 1162 echo ns32k-sni-sysv
1140 fi 1163 fi
1141 exit ;; 1164 exit ;;
1142 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort 1165 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
1143 # says <Richard.M.Bartel@ccMail.Census.GOV> 1166 # says <Richard.M.Bartel@ccMail.Census.GOV>
1144 echo i586-unisys-sysv4 1167 echo i586-unisys-sysv4
1145 exit ;; 1168 exit ;;
1146 *:UNIX_System_V:4*:FTX*) 1169 *:UNIX_System_V:4*:FTX*)
1147 # From Gerald Hewes <hewes@openmarket.com>. 1170 # From Gerald Hewes <hewes@openmarket.com>.
1148 # How about differentiating between stratus architectures? -djm 1171 # How about differentiating between stratus architectures? -djm
@@ -1168,11 +1191,11 @@ EOF
1168 exit ;; 1191 exit ;;
1169 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) 1192 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
1170 if [ -d /usr/nec ]; then 1193 if [ -d /usr/nec ]; then
1171 echo mips-nec-sysv${UNAME_RELEASE} 1194 echo mips-nec-sysv${UNAME_RELEASE}
1172 else 1195 else
1173 echo mips-unknown-sysv${UNAME_RELEASE} 1196 echo mips-unknown-sysv${UNAME_RELEASE}
1174 fi 1197 fi
1175 exit ;; 1198 exit ;;
1176 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. 1199 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
1177 echo powerpc-be-beos 1200 echo powerpc-be-beos
1178 exit ;; 1201 exit ;;
@@ -1185,6 +1208,9 @@ EOF
1185 BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 1208 BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
1186 echo i586-pc-haiku 1209 echo i586-pc-haiku
1187 exit ;; 1210 exit ;;
1211 x86_64:Haiku:*:*)
1212 echo x86_64-unknown-haiku
1213 exit ;;
1188 SX-4:SUPER-UX:*:*) 1214 SX-4:SUPER-UX:*:*)
1189 echo sx4-nec-superux${UNAME_RELEASE} 1215 echo sx4-nec-superux${UNAME_RELEASE}
1190 exit ;; 1216 exit ;;
@@ -1240,7 +1266,7 @@ EOF
1240 NEO-?:NONSTOP_KERNEL:*:*) 1266 NEO-?:NONSTOP_KERNEL:*:*)
1241 echo neo-tandem-nsk${UNAME_RELEASE} 1267 echo neo-tandem-nsk${UNAME_RELEASE}
1242 exit ;; 1268 exit ;;
1243 NSE-?:NONSTOP_KERNEL:*:*) 1269 NSE-*:NONSTOP_KERNEL:*:*)
1244 echo nse-tandem-nsk${UNAME_RELEASE} 1270 echo nse-tandem-nsk${UNAME_RELEASE}
1245 exit ;; 1271 exit ;;
1246 NSR-?:NONSTOP_KERNEL:*:*) 1272 NSR-?:NONSTOP_KERNEL:*:*)
@@ -1285,13 +1311,13 @@ EOF
1285 echo pdp10-unknown-its 1311 echo pdp10-unknown-its
1286 exit ;; 1312 exit ;;
1287 SEI:*:*:SEIUX) 1313 SEI:*:*:SEIUX)
1288 echo mips-sei-seiux${UNAME_RELEASE} 1314 echo mips-sei-seiux${UNAME_RELEASE}
1289 exit ;; 1315 exit ;;
1290 *:DragonFly:*:*) 1316 *:DragonFly:*:*)
1291 echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` 1317 echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
1292 exit ;; 1318 exit ;;
1293 *:*VMS:*:*) 1319 *:*VMS:*:*)
1294 UNAME_MACHINE=`(uname -p) 2>/dev/null` 1320 UNAME_MACHINE=`(uname -p) 2>/dev/null`
1295 case "${UNAME_MACHINE}" in 1321 case "${UNAME_MACHINE}" in
1296 A*) echo alpha-dec-vms ; exit ;; 1322 A*) echo alpha-dec-vms ; exit ;;
1297 I*) echo ia64-dec-vms ; exit ;; 1323 I*) echo ia64-dec-vms ; exit ;;
@@ -1309,11 +1335,11 @@ EOF
1309 i*86:AROS:*:*) 1335 i*86:AROS:*:*)
1310 echo ${UNAME_MACHINE}-pc-aros 1336 echo ${UNAME_MACHINE}-pc-aros
1311 exit ;; 1337 exit ;;
1338 x86_64:VMkernel:*:*)
1339 echo ${UNAME_MACHINE}-unknown-esx
1340 exit ;;
1312esac 1341esac
1313 1342
1314#echo '(No uname command or uname output not recognized.)' 1>&2
1315#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
1316
1317eval $set_cc_for_build 1343eval $set_cc_for_build
1318cat >$dummy.c <<EOF 1344cat >$dummy.c <<EOF
1319#ifdef _SEQUENT_ 1345#ifdef _SEQUENT_
@@ -1331,11 +1357,11 @@ main ()
1331#include <sys/param.h> 1357#include <sys/param.h>
1332 printf ("m68k-sony-newsos%s\n", 1358 printf ("m68k-sony-newsos%s\n",
1333#ifdef NEWSOS4 1359#ifdef NEWSOS4
1334 "4" 1360 "4"
1335#else 1361#else
1336 "" 1362 ""
1337#endif 1363#endif
1338 ); exit (0); 1364 ); exit (0);
1339#endif 1365#endif
1340#endif 1366#endif
1341 1367
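diff --git a/config.h.in b/config.h.in
index 67858ef6d..34f1c9c53 100644
--- a/config.h.in
+++ b/config.h.in
@@ -230,6 +230,9 @@
 /* Define to 1 if you have the `clock' function. */
 #undef HAVE_CLOCK
 
+/* Have clock_gettime */
+#undef HAVE_CLOCK_GETTIME
+
 /* define if you have clock_t data type */
 #undef HAVE_CLOCK_T
 
@@ -242,6 +245,9 @@
 /* Define if your system uses ancillary data style file descriptor passing */
 #undef HAVE_CONTROL_IN_MSGHDR
 
+/* Define to 1 if you have the `crypt' function. */
+#undef HAVE_CRYPT
+
 /* Define to 1 if you have the <crypto/sha2.h> header file. */
 #undef HAVE_CRYPTO_SHA2_H
 
@@ -266,6 +272,10 @@
  and to 0 if you don't. */
 #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
 
+/* Define to 1 if you have the declaration of `howmany', and to 0 if you
+ don't. */
+#undef HAVE_DECL_HOWMANY
+
 /* Define to 1 if you have the declaration of `h_errno', and to 0 if you
  don't. */
 #undef HAVE_DECL_H_ERRNO
@@ -286,6 +296,10 @@
  don't. */
 #undef HAVE_DECL_MAXSYMLINKS
 
+/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
+ don't. */
+#undef HAVE_DECL_NFDBITS
+
 /* Define to 1 if you have the declaration of `offsetof', and to 0 if you
  don't. */
 #undef HAVE_DECL_OFFSETOF
@@ -318,6 +332,9 @@
  don't. */
 #undef HAVE_DECL__GETSHORT
 
+/* Define to 1 if you have the `DES_crypt' function. */
+#undef HAVE_DES_CRYPT
+
 /* Define if you have /dev/ptmx */
 #undef HAVE_DEV_PTMX
 
@@ -339,6 +356,9 @@
 /* Define to 1 if you have the <elf.h> header file. */
 #undef HAVE_ELF_H
 
+/* Define to 1 if you have the `endgrent' function. */
+#undef HAVE_ENDGRENT
+
 /* Define to 1 if you have the <endian.h> header file. */
 #undef HAVE_ENDIAN_H
 
@@ -372,6 +392,9 @@
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 
+/* Define to 1 if the system has the type `fd_mask'. */
+#undef HAVE_FD_MASK
+
 /* Define to 1 if you have the <features.h> header file. */
 #undef HAVE_FEATURES_H
 
@@ -576,6 +599,15 @@
 /* Define if you have isblank(3C). */
 #undef HAVE_ISBLANK
 
+/* Define to 1 if you have the `krb5_cc_new_unique' function. */
+#undef HAVE_KRB5_CC_NEW_UNIQUE
+
+/* Define to 1 if you have the `krb5_free_error_message' function. */
+#undef HAVE_KRB5_FREE_ERROR_MESSAGE
+
+/* Define to 1 if you have the `krb5_get_error_message' function. */
+#undef HAVE_KRB5_GET_ERROR_MESSAGE
+
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 
@@ -636,6 +668,9 @@
 /* Define to 1 if you have the <linux/seccomp.h> header file. */
 #undef HAVE_LINUX_SECCOMP_H
 
+/* Define to 1 if you have the <locale.h> header file. */
+#undef HAVE_LOCALE_H
+
 /* Define to 1 if you have the `login' function. */
 #undef HAVE_LOGIN
 
@@ -663,6 +698,9 @@
 /* Define to 1 if you have the <maillock.h> header file. */
 #undef HAVE_MAILLOCK_H
 
+/* Define to 1 if you have the `mblen' function. */
+#undef HAVE_MBLEN
+
 /* Define to 1 if you have the `md5_crypt' function. */
 #undef HAVE_MD5_CRYPT
 
@@ -769,15 +807,6 @@
 /* Define to 1 if you have the `pututxline' function. */
 #undef HAVE_PUTUTXLINE
 
-/* Define if your password has a pw_change field */
-#undef HAVE_PW_CHANGE_IN_PASSWD
-
-/* Define if your password has a pw_class field */
-#undef HAVE_PW_CLASS_IN_PASSWD
-
-/* Define if your password has a pw_expire field */
-#undef HAVE_PW_EXPIRE_IN_PASSWD
-
 /* Define to 1 if you have the `readpassphrase' function. */
 #undef HAVE_READPASSPHRASE
 
@@ -814,6 +843,9 @@
 /* define if you have sa_family_t data type */
 #undef HAVE_SA_FAMILY_T
 
+/* Define to 1 if you have the `scan_scaled' function. */
+#undef HAVE_SCAN_SCALED
+
 /* Define if you have SecureWare-based protected password database */
 #undef HAVE_SECUREWARE
 
@@ -1003,6 +1035,18 @@
 /* define if you have struct in6_addr data type */
 #undef HAVE_STRUCT_IN6_ADDR
 
+/* Define to 1 if `pw_change' is a member of `struct passwd'. */
+#undef HAVE_STRUCT_PASSWD_PW_CHANGE
+
+/* Define to 1 if `pw_class' is a member of `struct passwd'. */
+#undef HAVE_STRUCT_PASSWD_PW_CLASS
+
+/* Define to 1 if `pw_expire' is a member of `struct passwd'. */
+#undef HAVE_STRUCT_PASSWD_PW_EXPIRE
+
+/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */
+#undef HAVE_STRUCT_PASSWD_PW_GECOS
+
 /* define if you have struct sockaddr_in6 data type */
 #undef HAVE_STRUCT_SOCKADDR_IN6
 
@@ -1323,15 +1367,6 @@
 /* Set this to your mail directory if you do not have _PATH_MAILDIR */
 #undef MAIL_DIRECTORY
 
-/* Define on *nto-qnx systems */
-#undef MISSING_FD_MASK
-
-/* Define on *nto-qnx systems */
-#undef MISSING_HOWMANY
-
-/* Define on *nto-qnx systems */
-#undef MISSING_NFDBITS
-
 /* Need setpgrp to acquire controlling tty */
 #undef NEED_SETPGRP
 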
diff --git a/config.sub b/config.sub
index 2d8169626..eee8dccb0 100755
--- a/config.sub
+++ b/config.sub
@@ -2,9 +2,9 @@
2# Configuration validation subroutine script. 2# Configuration validation subroutine script.
3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 4# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
5# 2011 Free Software Foundation, Inc. 5# 2011, 2012, 2013 Free Software Foundation, Inc.
6 6
7timestamp='2011-01-01' 7timestamp='2012-12-23'
8 8
9# This file is (in principle) common to ALL GNU software. 9# This file is (in principle) common to ALL GNU software.
10# The presence of a machine in this file suggests that SOME GNU software 10# The presence of a machine in this file suggests that SOME GNU software
@@ -21,9 +21,7 @@ timestamp='2011-01-01'
21# GNU General Public License for more details. 21# GNU General Public License for more details.
22# 22#
23# You should have received a copy of the GNU General Public License 23# You should have received a copy of the GNU General Public License
24# along with this program; if not, write to the Free Software 24# along with this program; if not, see <http://www.gnu.org/licenses/>.
25# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
26# 02110-1301, USA.
27# 25#
28# As a special exception to the GNU General Public License, if you 26# As a special exception to the GNU General Public License, if you
29# distribute this file as part of a program that contains a 27# distribute this file as part of a program that contains a
@@ -76,8 +74,8 @@ version="\
76GNU config.sub ($timestamp) 74GNU config.sub ($timestamp)
77 75
78Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 76Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
792001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free 772001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
80Software Foundation, Inc. 782012, 2013 Free Software Foundation, Inc.
81 79
82This is free software; see the source for copying conditions. There is NO 80This is free software; see the source for copying conditions. There is NO
83warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 81warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -125,13 +123,17 @@ esac
125maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` 123maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
126case $maybe_os in 124case $maybe_os in
127 nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ 125 nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
128 linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ 126 linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
129 knetbsd*-gnu* | netbsd*-gnu* | \ 127 knetbsd*-gnu* | netbsd*-gnu* | \
130 kopensolaris*-gnu* | \ 128 kopensolaris*-gnu* | \
131 storm-chaos* | os2-emx* | rtmk-nova*) 129 storm-chaos* | os2-emx* | rtmk-nova*)
132 os=-$maybe_os 130 os=-$maybe_os
133 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` 131 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
134 ;; 132 ;;
133 android-linux)
134 os=-linux-android
135 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
136 ;;
135 *) 137 *)
136 basic_machine=`echo $1 | sed 's/-[^-]*$//'` 138 basic_machine=`echo $1 | sed 's/-[^-]*$//'`
137 if [ $basic_machine != $1 ] 139 if [ $basic_machine != $1 ]
@@ -154,12 +156,12 @@ case $os in
154 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ 156 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
155 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ 157 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
156 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ 158 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
157 -apple | -axis | -knuth | -cray | -microblaze) 159 -apple | -axis | -knuth | -cray | -microblaze*)
158 os= 160 os=
159 basic_machine=$1 161 basic_machine=$1
160 ;; 162 ;;
161 -bluegene*) 163 -bluegene*)
162 os=-cnk 164 os=-cnk
163 ;; 165 ;;
164 -sim | -cisco | -oki | -wec | -winbond) 166 -sim | -cisco | -oki | -wec | -winbond)
165 os= 167 os=
@@ -175,10 +177,10 @@ case $os in
175 os=-chorusos 177 os=-chorusos
176 basic_machine=$1 178 basic_machine=$1
177 ;; 179 ;;
178 -chorusrdb) 180 -chorusrdb)
179 os=-chorusrdb 181 os=-chorusrdb
180 basic_machine=$1 182 basic_machine=$1
181 ;; 183 ;;
182 -hiux*) 184 -hiux*)
183 os=-hiuxwe2 185 os=-hiuxwe2
184 ;; 186 ;;
@@ -223,6 +225,12 @@ case $os in
223 -isc*) 225 -isc*)
224 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` 226 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
225 ;; 227 ;;
228 -lynx*178)
229 os=-lynxos178
230 ;;
231 -lynx*5)
232 os=-lynxos5
233 ;;
226 -lynx*) 234 -lynx*)
227 os=-lynxos 235 os=-lynxos
228 ;; 236 ;;
@@ -247,20 +255,27 @@ case $basic_machine in
247 # Some are omitted here because they have special meanings below. 255 # Some are omitted here because they have special meanings below.
248 1750a | 580 \ 256 1750a | 580 \
249 | a29k \ 257 | a29k \
258 | aarch64 | aarch64_be \
250 | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ 259 | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
251 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ 260 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
252 | am33_2.0 \ 261 | am33_2.0 \
253 | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ 262 | arc \
263 | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
264 | avr | avr32 \
265 | be32 | be64 \
254 | bfin \ 266 | bfin \
255 | c4x | clipper \ 267 | c4x | clipper \
256 | d10v | d30v | dlx | dsp16xx \ 268 | d10v | d30v | dlx | dsp16xx \
269 | epiphany \
257 | fido | fr30 | frv \ 270 | fido | fr30 | frv \
258 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ 271 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
272 | hexagon \
259 | i370 | i860 | i960 | ia64 \ 273 | i370 | i860 | i960 | ia64 \
260 | ip2k | iq2000 \ 274 | ip2k | iq2000 \
275 | le32 | le64 \
261 | lm32 \ 276 | lm32 \
262 | m32c | m32r | m32rle | m68000 | m68k | m88k \ 277 | m32c | m32r | m32rle | m68000 | m68k | m88k \
263 | maxq | mb | microblaze | mcore | mep | metag \ 278 | maxq | mb | microblaze | microblazeel | mcore | mep | metag \
264 | mips | mipsbe | mipseb | mipsel | mipsle \ 279 | mips | mipsbe | mipseb | mipsel | mipsle \
265 | mips16 \ 280 | mips16 \
266 | mips64 | mips64el \ 281 | mips64 | mips64el \
@@ -286,22 +301,23 @@ case $basic_machine in
286 | nds32 | nds32le | nds32be \ 301 | nds32 | nds32le | nds32be \
287 | nios | nios2 \ 302 | nios | nios2 \
288 | ns16k | ns32k \ 303 | ns16k | ns32k \
304 | open8 \
289 | or32 \ 305 | or32 \
290 | pdp10 | pdp11 | pj | pjl \ 306 | pdp10 | pdp11 | pj | pjl \
291 | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ 307 | powerpc | powerpc64 | powerpc64le | powerpcle \
292 | pyramid \ 308 | pyramid \
293 | rx \ 309 | rl78 | rx \
294 | score \ 310 | score \
295 | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ 311 | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
296 | sh64 | sh64le \ 312 | sh64 | sh64le \
297 | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ 313 | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
298 | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ 314 | sparcv8 | sparcv9 | sparcv9b | sparcv9v \
299 | spu | strongarm \ 315 | spu \
300 | tahoe | thumb | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ 316 | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
301 | ubicom32 \ 317 | ubicom32 \
302 | v850 | v850e \ 318 | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
303 | we32k \ 319 | we32k \
304 | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ 320 | x86 | xc16x | xstormy16 | xtensa \
305 | z8k | z80) 321 | z8k | z80)
306 basic_machine=$basic_machine-unknown 322 basic_machine=$basic_machine-unknown
307 ;; 323 ;;
@@ -314,8 +330,7 @@ case $basic_machine in
314 c6x) 330 c6x)
315 basic_machine=tic6x-unknown 331 basic_machine=tic6x-unknown
316 ;; 332 ;;
317 m6811 | m68hc11 | m6812 | m68hc12 | picochip) 333 m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
318 # Motorola 68HC11/12.
319 basic_machine=$basic_machine-unknown 334 basic_machine=$basic_machine-unknown
320 os=-none 335 os=-none
321 ;; 336 ;;
@@ -325,6 +340,21 @@ case $basic_machine in
325 basic_machine=mt-unknown 340 basic_machine=mt-unknown
326 ;; 341 ;;
327 342
343 strongarm | thumb | xscale)
344 basic_machine=arm-unknown
345 ;;
346 xgate)
347 basic_machine=$basic_machine-unknown
348 os=-none
349 ;;
350 xscaleeb)
351 basic_machine=armeb-unknown
352 ;;
353
354 xscaleel)
355 basic_machine=armel-unknown
356 ;;
357
328 # We use `pc' rather than `unknown' 358 # We use `pc' rather than `unknown'
329 # because (1) that's what they normally are, and 359 # because (1) that's what they normally are, and
330 # (2) the word "unknown" tends to confuse beginning users. 360 # (2) the word "unknown" tends to confuse beginning users.
@@ -339,11 +369,13 @@ case $basic_machine in
339 # Recognize the basic CPU types with company name. 369 # Recognize the basic CPU types with company name.
340 580-* \ 370 580-* \
341 | a29k-* \ 371 | a29k-* \
372 | aarch64-* | aarch64_be-* \
342 | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ 373 | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
343 | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ 374 | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
344 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ 375 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
345 | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ 376 | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
346 | avr-* | avr32-* \ 377 | avr-* | avr32-* \
378 | be32-* | be64-* \
347 | bfin-* | bs2000-* \ 379 | bfin-* | bs2000-* \
348 | c[123]* | c30-* | [cjt]90-* | c4x-* \ 380 | c[123]* | c30-* | [cjt]90-* | c4x-* \
349 | clipper-* | craynv-* | cydra-* \ 381 | clipper-* | craynv-* | cydra-* \
@@ -352,12 +384,15 @@ case $basic_machine in
352 | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ 384 | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
353 | h8300-* | h8500-* \ 385 | h8300-* | h8500-* \
354 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ 386 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
387 | hexagon-* \
355 | i*86-* | i860-* | i960-* | ia64-* \ 388 | i*86-* | i860-* | i960-* | ia64-* \
356 | ip2k-* | iq2000-* \ 389 | ip2k-* | iq2000-* \
390 | le32-* | le64-* \
357 | lm32-* \ 391 | lm32-* \
358 | m32c-* | m32r-* | m32rle-* \ 392 | m32c-* | m32r-* | m32rle-* \
359 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ 393 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
360 | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ 394 | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
395 | microblaze-* | microblazeel-* \
361 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ 396 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
362 | mips16-* \ 397 | mips16-* \
363 | mips64-* | mips64el-* \ 398 | mips64-* | mips64el-* \
@@ -382,24 +417,26 @@ case $basic_machine in
382 | nds32-* | nds32le-* | nds32be-* \ 417 | nds32-* | nds32le-* | nds32be-* \
383 | nios-* | nios2-* \ 418 | nios-* | nios2-* \
384 | none-* | np1-* | ns16k-* | ns32k-* \ 419 | none-* | np1-* | ns16k-* | ns32k-* \
420 | open8-* \
385 | orion-* \ 421 | orion-* \
386 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ 422 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
387 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ 423 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
388 | pyramid-* \ 424 | pyramid-* \
389 | romp-* | rs6000-* | rx-* \ 425 | rl78-* | romp-* | rs6000-* | rx-* \
390 | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ 426 | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
391 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ 427 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
392 | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ 428 | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
393 | sparclite-* \ 429 | sparclite-* \
394 | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ 430 | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
395 | tahoe-* | thumb-* \ 431 | tahoe-* \
396 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ 432 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
397 | tile-* | tilegx-* \ 433 | tile*-* \
398 | tron-* \ 434 | tron-* \
399 | ubicom32-* \ 435 | ubicom32-* \
400 | v850-* | v850e-* | vax-* \ 436 | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
437 | vax-* \
401 | we32k-* \ 438 | we32k-* \
402 | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ 439 | x86-* | x86_64-* | xc16x-* | xps100-* \
403 | xstormy16-* | xtensa*-* \ 440 | xstormy16-* | xtensa*-* \
404 | ymp-* \ 441 | ymp-* \
405 | z8k-* | z80-*) 442 | z8k-* | z80-*)
@@ -424,7 +461,7 @@ case $basic_machine in
424 basic_machine=a29k-amd 461 basic_machine=a29k-amd
425 os=-udi 462 os=-udi
426 ;; 463 ;;
427 abacus) 464 abacus)
428 basic_machine=abacus-unknown 465 basic_machine=abacus-unknown
429 ;; 466 ;;
430 adobe68k) 467 adobe68k)
@@ -507,7 +544,7 @@ case $basic_machine in
507 basic_machine=c90-cray 544 basic_machine=c90-cray
508 os=-unicos 545 os=-unicos
509 ;; 546 ;;
510 cegcc) 547 cegcc)
511 basic_machine=arm-unknown 548 basic_machine=arm-unknown
512 os=-cegcc 549 os=-cegcc
513 ;; 550 ;;
@@ -697,7 +734,6 @@ case $basic_machine in
697 i370-ibm* | ibm*) 734 i370-ibm* | ibm*)
698 basic_machine=i370-ibm 735 basic_machine=i370-ibm
699 ;; 736 ;;
700# I'm not sure what "Sysv32" means. Should this be sysv3.2?
701 i*86v32) 737 i*86v32)
702 basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` 738 basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
703 os=-sysv32 739 os=-sysv32
@@ -755,9 +791,13 @@ case $basic_machine in
755 basic_machine=ns32k-utek 791 basic_machine=ns32k-utek
756 os=-sysv 792 os=-sysv
757 ;; 793 ;;
758 microblaze) 794 microblaze*)
759 basic_machine=microblaze-xilinx 795 basic_machine=microblaze-xilinx
760 ;; 796 ;;
797 mingw64)
798 basic_machine=x86_64-pc
799 os=-mingw64
800 ;;
761 mingw32) 801 mingw32)
762 basic_machine=i386-pc 802 basic_machine=i386-pc
763 os=-mingw32 803 os=-mingw32
@@ -794,10 +834,18 @@ case $basic_machine in
794 ms1-*) 834 ms1-*)
795 basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` 835 basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
796 ;; 836 ;;
837 msys)
838 basic_machine=i386-pc
839 os=-msys
840 ;;
797 mvs) 841 mvs)
798 basic_machine=i370-ibm 842 basic_machine=i370-ibm
799 os=-mvs 843 os=-mvs
800 ;; 844 ;;
845 nacl)
846 basic_machine=le32-unknown
847 os=-nacl
848 ;;
801 ncr3000) 849 ncr3000)
802 basic_machine=i486-ncr 850 basic_machine=i486-ncr
803 os=-sysv4 851 os=-sysv4
@@ -862,10 +910,10 @@ case $basic_machine in
862 np1) 910 np1)
863 basic_machine=np1-gould 911 basic_machine=np1-gould
864 ;; 912 ;;
865 neo-tandem) 913 neo-tandem)
866 basic_machine=neo-tandem 914 basic_machine=neo-tandem
867 ;; 915 ;;
868 nse-tandem) 916 nse-tandem)
869 basic_machine=nse-tandem 917 basic_machine=nse-tandem
870 ;; 918 ;;
871 nsr-tandem) 919 nsr-tandem)
@@ -950,9 +998,10 @@ case $basic_machine in
950 ;; 998 ;;
951 power) basic_machine=power-ibm 999 power) basic_machine=power-ibm
952 ;; 1000 ;;
953 ppc) basic_machine=powerpc-unknown 1001 ppc | ppcbe) basic_machine=powerpc-unknown
954 ;; 1002 ;;
955 ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` 1003 ppc-* | ppcbe-*)
1004 basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
956 ;; 1005 ;;
957 ppcle | powerpclittle | ppc-le | powerpc-little) 1006 ppcle | powerpclittle | ppc-le | powerpc-little)
958 basic_machine=powerpcle-unknown 1007 basic_machine=powerpcle-unknown
@@ -977,7 +1026,11 @@ case $basic_machine in
977 basic_machine=i586-unknown 1026 basic_machine=i586-unknown
978 os=-pw32 1027 os=-pw32
979 ;; 1028 ;;
980 rdos) 1029 rdos | rdos64)
1030 basic_machine=x86_64-pc
1031 os=-rdos
1032 ;;
1033 rdos32)
981 basic_machine=i386-pc 1034 basic_machine=i386-pc
982 os=-rdos 1035 os=-rdos
983 ;; 1036 ;;
@@ -1046,6 +1099,9 @@ case $basic_machine in
1046 basic_machine=i860-stratus 1099 basic_machine=i860-stratus
1047 os=-sysv4 1100 os=-sysv4
1048 ;; 1101 ;;
1102 strongarm-* | thumb-*)
1103 basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'`
1104 ;;
1049 sun2) 1105 sun2)
1050 basic_machine=m68000-sun 1106 basic_machine=m68000-sun
1051 ;; 1107 ;;
@@ -1102,13 +1158,8 @@ case $basic_machine in
1102 basic_machine=t90-cray 1158 basic_machine=t90-cray
1103 os=-unicos 1159 os=-unicos
1104 ;; 1160 ;;
1105 # This must be matched before tile*.
1106 tilegx*)
1107 basic_machine=tilegx-unknown
1108 os=-linux-gnu
1109 ;;
1110 tile*) 1161 tile*)
1111 basic_machine=tile-unknown 1162 basic_machine=$basic_machine-unknown
1112 os=-linux-gnu 1163 os=-linux-gnu
1113 ;; 1164 ;;
1114 tx39) 1165 tx39)
@@ -1178,6 +1229,9 @@ case $basic_machine in
1178 xps | xps100) 1229 xps | xps100)
1179 basic_machine=xps100-honeywell 1230 basic_machine=xps100-honeywell
1180 ;; 1231 ;;
1232 xscale-* | xscalee[bl]-*)
1233 basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
1234 ;;
1181 ymp) 1235 ymp)
1182 basic_machine=ymp-cray 1236 basic_machine=ymp-cray
1183 os=-unicos 1237 os=-unicos
@@ -1275,11 +1329,11 @@ esac
1275if [ x"$os" != x"" ] 1329if [ x"$os" != x"" ]
1276then 1330then
1277case $os in 1331case $os in
1278 # First match some system type aliases 1332 # First match some system type aliases
1279 # that might get confused with valid system types. 1333 # that might get confused with valid system types.
1280 # -solaris* is a basic system type, with this one exception. 1334 # -solaris* is a basic system type, with this one exception.
1281 -auroraux) 1335 -auroraux)
1282 os=-auroraux 1336 os=-auroraux
1283 ;; 1337 ;;
1284 -solaris1 | -solaris1.*) 1338 -solaris1 | -solaris1.*)
1285 os=`echo $os | sed -e 's|solaris1|sunos4|'` 1339 os=`echo $os | sed -e 's|solaris1|sunos4|'`
@@ -1309,15 +1363,15 @@ case $os in
1309 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ 1363 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
1310 | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ 1364 | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
1311 | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ 1365 | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
1312 | -openbsd* | -solidbsd* \ 1366 | -bitrig* | -openbsd* | -solidbsd* \
1313 | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ 1367 | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
1314 | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ 1368 | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
1315 | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ 1369 | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
1316 | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ 1370 | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
1317 | -chorusos* | -chorusrdb* | -cegcc* \ 1371 | -chorusos* | -chorusrdb* | -cegcc* \
1318 | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ 1372 | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
1319 | -mingw32* | -linux-gnu* | -linux-android* \ 1373 | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
1320 | -linux-newlib* | -linux-uclibc* \ 1374 | -linux-newlib* | -linux-musl* | -linux-uclibc* \
1321 | -uxpv* | -beos* | -mpeix* | -udk* \ 1375 | -uxpv* | -beos* | -mpeix* | -udk* \
1322 | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ 1376 | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
1323 | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ 1377 | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
@@ -1364,7 +1418,7 @@ case $os in
1364 -opened*) 1418 -opened*)
1365 os=-openedition 1419 os=-openedition
1366 ;; 1420 ;;
1367 -os400*) 1421 -os400*)
1368 os=-os400 1422 os=-os400
1369 ;; 1423 ;;
1370 -wince*) 1424 -wince*)
@@ -1413,7 +1467,7 @@ case $os in
1413 -sinix*) 1467 -sinix*)
1414 os=-sysv4 1468 os=-sysv4
1415 ;; 1469 ;;
1416 -tpf*) 1470 -tpf*)
1417 os=-tpf 1471 os=-tpf
1418 ;; 1472 ;;
1419 -triton*) 1473 -triton*)
@@ -1458,8 +1512,8 @@ case $os in
1458 -dicos*) 1512 -dicos*)
1459 os=-dicos 1513 os=-dicos
1460 ;; 1514 ;;
1461 -nacl*) 1515 -nacl*)
1462 ;; 1516 ;;
1463 -none) 1517 -none)
1464 ;; 1518 ;;
1465 *) 1519 *)
@@ -1482,10 +1536,10 @@ else
1482# system, and we'll never get to this point. 1536# system, and we'll never get to this point.
1483 1537
1484case $basic_machine in 1538case $basic_machine in
1485 score-*) 1539 score-*)
1486 os=-elf 1540 os=-elf
1487 ;; 1541 ;;
1488 spu-*) 1542 spu-*)
1489 os=-elf 1543 os=-elf
1490 ;; 1544 ;;
1491 *-acorn) 1545 *-acorn)
@@ -1497,8 +1551,11 @@ case $basic_machine in
1497 arm*-semi) 1551 arm*-semi)
1498 os=-aout 1552 os=-aout
1499 ;; 1553 ;;
1500 c4x-* | tic4x-*) 1554 c4x-* | tic4x-*)
1501 os=-coff 1555 os=-coff
1556 ;;
1557 hexagon-*)
1558 os=-elf
1502 ;; 1559 ;;
1503 tic54x-*) 1560 tic54x-*)
1504 os=-coff 1561 os=-coff
@@ -1527,14 +1584,11 @@ case $basic_machine in
1527 ;; 1584 ;;
1528 m68000-sun) 1585 m68000-sun)
1529 os=-sunos3 1586 os=-sunos3
1530 # This also exists in the configure program, but was not the
1531 # default.
1532 # os=-sunos4
1533 ;; 1587 ;;
1534 m68*-cisco) 1588 m68*-cisco)
1535 os=-aout 1589 os=-aout
1536 ;; 1590 ;;
1537 mep-*) 1591 mep-*)
1538 os=-elf 1592 os=-elf
1539 ;; 1593 ;;
1540 mips*-cisco) 1594 mips*-cisco)
@@ -1561,7 +1615,7 @@ case $basic_machine in
1561 *-ibm) 1615 *-ibm)
1562 os=-aix 1616 os=-aix
1563 ;; 1617 ;;
1564 *-knuth) 1618 *-knuth)
1565 os=-mmixware 1619 os=-mmixware
1566 ;; 1620 ;;
1567 *-wec) 1621 *-wec)
diff --git a/configure b/configure
index c4d1ed0d2..ceb1b5d6d 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
1#! /bin/sh 1#! /bin/sh
2# From configure.ac Revision: 1.518 . 2# From configure.ac Revision: 1.536 .
3# Guess values for system-dependent variables and create Makefiles. 3# Guess values for system-dependent variables and create Makefiles.
4# Generated by GNU Autoconf 2.68 for OpenSSH Portable. 4# Generated by GNU Autoconf 2.68 for OpenSSH Portable.
5# 5#
@@ -605,6 +605,7 @@ ac_includes_default="\
605 605
606ac_subst_vars='LTLIBOBJS 606ac_subst_vars='LTLIBOBJS
607LIBOBJS 607LIBOBJS
608UNSUPPORTED_ALGORITHMS
608TEST_SSH_IPV6 609TEST_SSH_IPV6
609piddir 610piddir
610user_path 611user_path
@@ -5603,6 +5604,68 @@ fi
5603 5604
5604if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 5605if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
5605 { 5606 {
5607 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Qunused-arguments -Werror" >&5
5608$as_echo_n "checking if $CC supports -Qunused-arguments -Werror... " >&6; }
5609 saved_CFLAGS="$CFLAGS"
5610 CFLAGS="$CFLAGS -Qunused-arguments -Werror"
5611 _define_flag="-Qunused-arguments"
5612 test "x$_define_flag" = "x" && _define_flag="-Qunused-arguments -Werror"
5613 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5614/* end confdefs.h. */
5615int main(void) { return 0; }
5616_ACEOF
5617if ac_fn_c_try_compile "$LINENO"; then :
5618
5619if `grep -i "unrecognized option" conftest.err >/dev/null`
5620then
5621 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5622$as_echo "no" >&6; }
5623 CFLAGS="$saved_CFLAGS"
5624else
5625 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5626$as_echo "yes" >&6; }
5627 CFLAGS="$saved_CFLAGS $_define_flag"
5628fi
5629else
5630 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5631$as_echo "no" >&6; }
5632 CFLAGS="$saved_CFLAGS"
5633
5634fi
5635rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5636}
5637 {
5638 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wunknown-warning-option -Werror" >&5
5639$as_echo_n "checking if $CC supports -Wunknown-warning-option -Werror... " >&6; }
5640 saved_CFLAGS="$CFLAGS"
5641 CFLAGS="$CFLAGS -Wunknown-warning-option -Werror"
5642 _define_flag="-Wno-unknown-warning-option"
5643 test "x$_define_flag" = "x" && _define_flag="-Wunknown-warning-option -Werror"
5644 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5645/* end confdefs.h. */
5646int main(void) { return 0; }
5647_ACEOF
5648if ac_fn_c_try_compile "$LINENO"; then :
5649
5650if `grep -i "unrecognized option" conftest.err >/dev/null`
5651then
5652 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5653$as_echo "no" >&6; }
5654 CFLAGS="$saved_CFLAGS"
5655else
5656 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5657$as_echo "yes" >&6; }
5658 CFLAGS="$saved_CFLAGS $_define_flag"
5659fi
5660else
5661 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5662$as_echo "no" >&6; }
5663 CFLAGS="$saved_CFLAGS"
5664
5665fi
5666rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5667}
5668 {
5606 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wall" >&5 5669 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wall" >&5
5607$as_echo_n "checking if $CC supports -Wall... " >&6; } 5670$as_echo_n "checking if $CC supports -Wall... " >&6; }
5608 saved_CFLAGS="$CFLAGS" 5671 saved_CFLAGS="$CFLAGS"
@@ -5614,9 +5677,17 @@ $as_echo_n "checking if $CC supports -Wall... " >&6; }
5614int main(void) { return 0; } 5677int main(void) { return 0; }
5615_ACEOF 5678_ACEOF
5616if ac_fn_c_try_compile "$LINENO"; then : 5679if ac_fn_c_try_compile "$LINENO"; then :
5617 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5680
5681if `grep -i "unrecognized option" conftest.err >/dev/null`
5682then
5683 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5684$as_echo "no" >&6; }
5685 CFLAGS="$saved_CFLAGS"
5686else
5687 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5618$as_echo "yes" >&6; } 5688$as_echo "yes" >&6; }
5619 CFLAGS="$saved_CFLAGS $_define_flag" 5689 CFLAGS="$saved_CFLAGS $_define_flag"
5690fi
5620else 5691else
5621 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5692 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5622$as_echo "no" >&6; } 5693$as_echo "no" >&6; }
@@ -5637,9 +5708,17 @@ $as_echo_n "checking if $CC supports -Wpointer-arith... " >&6; }
5637int main(void) { return 0; } 5708int main(void) { return 0; }
5638_ACEOF 5709_ACEOF
5639if ac_fn_c_try_compile "$LINENO"; then : 5710if ac_fn_c_try_compile "$LINENO"; then :
5640 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5711
5712if `grep -i "unrecognized option" conftest.err >/dev/null`
5713then
5714 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5715$as_echo "no" >&6; }
5716 CFLAGS="$saved_CFLAGS"
5717else
5718 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5641$as_echo "yes" >&6; } 5719$as_echo "yes" >&6; }
5642 CFLAGS="$saved_CFLAGS $_define_flag" 5720 CFLAGS="$saved_CFLAGS $_define_flag"
5721fi
5643else 5722else
5644 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5723 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5645$as_echo "no" >&6; } 5724$as_echo "no" >&6; }
@@ -5660,9 +5739,17 @@ $as_echo_n "checking if $CC supports -Wuninitialized... " >&6; }
5660int main(void) { return 0; } 5739int main(void) { return 0; }
5661_ACEOF 5740_ACEOF
5662if ac_fn_c_try_compile "$LINENO"; then : 5741if ac_fn_c_try_compile "$LINENO"; then :
5663 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5742
5743if `grep -i "unrecognized option" conftest.err >/dev/null`
5744then
5745 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5746$as_echo "no" >&6; }
5747 CFLAGS="$saved_CFLAGS"
5748else
5749 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5664$as_echo "yes" >&6; } 5750$as_echo "yes" >&6; }
5665 CFLAGS="$saved_CFLAGS $_define_flag" 5751 CFLAGS="$saved_CFLAGS $_define_flag"
5752fi
5666else 5753else
5667 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5754 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5668$as_echo "no" >&6; } 5755$as_echo "no" >&6; }
@@ -5683,9 +5770,17 @@ $as_echo_n "checking if $CC supports -Wsign-compare... " >&6; }
5683int main(void) { return 0; } 5770int main(void) { return 0; }
5684_ACEOF 5771_ACEOF
5685if ac_fn_c_try_compile "$LINENO"; then : 5772if ac_fn_c_try_compile "$LINENO"; then :
5686 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5773
5774if `grep -i "unrecognized option" conftest.err >/dev/null`
5775then
5776 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5777$as_echo "no" >&6; }
5778 CFLAGS="$saved_CFLAGS"
5779else
5780 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5687$as_echo "yes" >&6; } 5781$as_echo "yes" >&6; }
5688 CFLAGS="$saved_CFLAGS $_define_flag" 5782 CFLAGS="$saved_CFLAGS $_define_flag"
5783fi
5689else 5784else
5690 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5785 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5691$as_echo "no" >&6; } 5786$as_echo "no" >&6; }
@@ -5706,9 +5801,48 @@ $as_echo_n "checking if $CC supports -Wformat-security... " >&6; }
5706int main(void) { return 0; } 5801int main(void) { return 0; }
5707_ACEOF 5802_ACEOF
5708if ac_fn_c_try_compile "$LINENO"; then : 5803if ac_fn_c_try_compile "$LINENO"; then :
5709 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5804
5805if `grep -i "unrecognized option" conftest.err >/dev/null`
5806then
5807 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5808$as_echo "no" >&6; }
5809 CFLAGS="$saved_CFLAGS"
5810else
5811 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5812$as_echo "yes" >&6; }
5813 CFLAGS="$saved_CFLAGS $_define_flag"
5814fi
5815else
5816 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5817$as_echo "no" >&6; }
5818 CFLAGS="$saved_CFLAGS"
5819
5820fi
5821rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
5822}
5823 {
5824 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wsizeof-pointer-memaccess" >&5
5825$as_echo_n "checking if $CC supports -Wsizeof-pointer-memaccess... " >&6; }
5826 saved_CFLAGS="$CFLAGS"
5827 CFLAGS="$CFLAGS -Wsizeof-pointer-memaccess"
5828 _define_flag=""
5829 test "x$_define_flag" = "x" && _define_flag="-Wsizeof-pointer-memaccess"
5830 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
5831/* end confdefs.h. */
5832int main(void) { return 0; }
5833_ACEOF
5834if ac_fn_c_try_compile "$LINENO"; then :
5835
5836if `grep -i "unrecognized option" conftest.err >/dev/null`
5837then
5838 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5839$as_echo "no" >&6; }
5840 CFLAGS="$saved_CFLAGS"
5841else
5842 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5710$as_echo "yes" >&6; } 5843$as_echo "yes" >&6; }
5711 CFLAGS="$saved_CFLAGS $_define_flag" 5844 CFLAGS="$saved_CFLAGS $_define_flag"
5845fi
5712else 5846else
5713 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5847 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5714$as_echo "no" >&6; } 5848$as_echo "no" >&6; }
@@ -5729,9 +5863,17 @@ $as_echo_n "checking if $CC supports -Wpointer-sign... " >&6; }
5729int main(void) { return 0; } 5863int main(void) { return 0; }
5730_ACEOF 5864_ACEOF
5731if ac_fn_c_try_compile "$LINENO"; then : 5865if ac_fn_c_try_compile "$LINENO"; then :
5732 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5866
5867if `grep -i "unrecognized option" conftest.err >/dev/null`
5868then
5869 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5870$as_echo "no" >&6; }
5871 CFLAGS="$saved_CFLAGS"
5872else
5873 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5733$as_echo "yes" >&6; } 5874$as_echo "yes" >&6; }
5734 CFLAGS="$saved_CFLAGS $_define_flag" 5875 CFLAGS="$saved_CFLAGS $_define_flag"
5876fi
5735else 5877else
5736 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5878 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5737$as_echo "no" >&6; } 5879$as_echo "no" >&6; }
@@ -5752,9 +5894,17 @@ $as_echo_n "checking if $CC supports -Wunused-result... " >&6; }
5752int main(void) { return 0; } 5894int main(void) { return 0; }
5753_ACEOF 5895_ACEOF
5754if ac_fn_c_try_compile "$LINENO"; then : 5896if ac_fn_c_try_compile "$LINENO"; then :
5755 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5897
5898if `grep -i "unrecognized option" conftest.err >/dev/null`
5899then
5900 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5901$as_echo "no" >&6; }
5902 CFLAGS="$saved_CFLAGS"
5903else
5904 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5756$as_echo "yes" >&6; } 5905$as_echo "yes" >&6; }
5757 CFLAGS="$saved_CFLAGS $_define_flag" 5906 CFLAGS="$saved_CFLAGS $_define_flag"
5907fi
5758else 5908else
5759 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5909 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5760$as_echo "no" >&6; } 5910$as_echo "no" >&6; }
@@ -5775,9 +5925,17 @@ $as_echo_n "checking if $CC supports -fno-strict-aliasing... " >&6; }
5775int main(void) { return 0; } 5925int main(void) { return 0; }
5776_ACEOF 5926_ACEOF
5777if ac_fn_c_try_compile "$LINENO"; then : 5927if ac_fn_c_try_compile "$LINENO"; then :
5778 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5928
5929if `grep -i "unrecognized option" conftest.err >/dev/null`
5930then
5931 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5932$as_echo "no" >&6; }
5933 CFLAGS="$saved_CFLAGS"
5934else
5935 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5779$as_echo "yes" >&6; } 5936$as_echo "yes" >&6; }
5780 CFLAGS="$saved_CFLAGS $_define_flag" 5937 CFLAGS="$saved_CFLAGS $_define_flag"
5938fi
5781else 5939else
5782 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5940 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5783$as_echo "no" >&6; } 5941$as_echo "no" >&6; }
@@ -5798,9 +5956,17 @@ $as_echo_n "checking if $CC supports -D_FORTIFY_SOURCE=2... " >&6; }
5798int main(void) { return 0; } 5956int main(void) { return 0; }
5799_ACEOF 5957_ACEOF
5800if ac_fn_c_try_compile "$LINENO"; then : 5958if ac_fn_c_try_compile "$LINENO"; then :
5801 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 5959
5960if `grep -i "unrecognized option" conftest.err >/dev/null`
5961then
5962 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5963$as_echo "no" >&6; }
5964 CFLAGS="$saved_CFLAGS"
5965else
5966 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
5802$as_echo "yes" >&6; } 5967$as_echo "yes" >&6; }
5803 CFLAGS="$saved_CFLAGS $_define_flag" 5968 CFLAGS="$saved_CFLAGS $_define_flag"
5969fi
5804else 5970else
5805 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 5971 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
5806$as_echo "no" >&6; } 5972$as_echo "no" >&6; }
@@ -6072,6 +6238,7 @@ for ac_header in \
6072 ia.h \ 6238 ia.h \
6073 iaf.h \ 6239 iaf.h \
6074 limits.h \ 6240 limits.h \
6241 locale.h \
6075 login.h \ 6242 login.h \
6076 maillock.h \ 6243 maillock.h \
6077 ndir.h \ 6244 ndir.h \
@@ -6110,7 +6277,6 @@ for ac_header in \
6110 sys/sysmacros.h \ 6277 sys/sysmacros.h \
6111 sys/time.h \ 6278 sys/time.h \
6112 sys/timers.h \ 6279 sys/timers.h \
6113 sys/un.h \
6114 time.h \ 6280 time.h \
6115 tmpdir.h \ 6281 tmpdir.h \
6116 ttyent.h \ 6282 ttyent.h \
@@ -6208,6 +6374,24 @@ fi
6208done 6374done
6209 6375
6210 6376
6377# Android requires sys/socket.h to be included before sys/un.h
6378for ac_header in sys/un.h
6379do :
6380 ac_fn_c_check_header_compile "$LINENO" "sys/un.h" "ac_cv_header_sys_un_h" "
6381#include <sys/types.h>
6382#include <sys/socket.h>
6383
6384"
6385if test "x$ac_cv_header_sys_un_h" = xyes; then :
6386 cat >>confdefs.h <<_ACEOF
6387#define HAVE_SYS_UN_H 1
6388_ACEOF
6389
6390fi
6391
6392done
6393
6394
6211# Messages for features tested for in target-specific section 6395# Messages for features tested for in target-specific section
6212SIA_MSG="no" 6396SIA_MSG="no"
6213SPC_MSG="no" 6397SPC_MSG="no"
@@ -6494,6 +6678,14 @@ $as_echo "#define PTY_ZEROREAD 1" >>confdefs.h
6494$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h 6678$as_echo "#define PLATFORM_SYS_DIR_UID 2" >>confdefs.h
6495 6679
6496 ;; 6680 ;;
6681*-*-android*)
6682
6683$as_echo "#define DISABLE_UTMP 1" >>confdefs.h
6684
6685
6686$as_echo "#define DISABLE_WTMP 1" >>confdefs.h
6687
6688 ;;
6497*-*-cygwin*) 6689*-*-cygwin*)
6498 check_for_libcrypt_later=1 6690 check_for_libcrypt_later=1
6499 LIBS="$LIBS /usr/lib/textreadmode.o" 6691 LIBS="$LIBS /usr/lib/textreadmode.o"
@@ -7255,6 +7447,7 @@ fi
7255 7447
7256fi 7448fi
7257 7449
7450 TEST_SHELL=$SHELL # let configure find us a capable shell
7258 ;; 7451 ;;
7259*-*-sunos4*) 7452*-*-sunos4*)
7260 CPPFLAGS="$CPPFLAGS -DSUNOS4" 7453 CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -7411,6 +7604,7 @@ $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h
7411 7604
7412 $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h 7605 $as_echo "#define LOCKED_PASSWD_STRING \"*LK*\"" >>confdefs.h
7413 7606
7607 TEST_SHELL=$SHELL # let configure find us a capable shell
7414 ;; 7608 ;;
7415# UnixWare 7.x, OpenUNIX 8 7609# UnixWare 7.x, OpenUNIX 8
7416*-*-sysv5*) 7610*-*-sysv5*)
@@ -7430,10 +7624,10 @@ $as_echo "#define UNIXWARE_LONG_PASSWORDS 1" >>confdefs.h
7430 7624
7431 $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h 7625 $as_echo "#define PASSWD_NEEDS_USERNAME 1" >>confdefs.h
7432 7626
7627 TEST_SHELL=$SHELL # let configure find us a capable shell
7433 case "$host" in 7628 case "$host" in
7434 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x 7629 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
7435 maildir=/var/spool/mail 7630 maildir=/var/spool/mail
7436 TEST_SHELL=/u95/bin/sh
7437 7631
7438$as_echo "#define BROKEN_LIBIAF 1" >>confdefs.h 7632$as_echo "#define BROKEN_LIBIAF 1" >>confdefs.h
7439 7633
@@ -7551,7 +7745,7 @@ fi
7551done 7745done
7552 7746
7553 MANTYPE=man 7747 MANTYPE=man
7554 TEST_SHELL=ksh 7748 TEST_SHELL=$SHELL # let configure find us a capable shell
7555 SKIP_DISABLE_LASTLOG_DEFINE=yes 7749 SKIP_DISABLE_LASTLOG_DEFINE=yes
7556 ;; 7750 ;;
7557*-*-unicosmk*) 7751*-*-unicosmk*)
@@ -7662,15 +7856,6 @@ $as_echo "#define BROKEN_READV_COMPARISON 1" >>confdefs.h
7662 7856
7663 $as_echo "#define NO_X11_UNIX_SOCKETS 1" >>confdefs.h 7857 $as_echo "#define NO_X11_UNIX_SOCKETS 1" >>confdefs.h
7664 7858
7665
7666$as_echo "#define MISSING_NFDBITS 1" >>confdefs.h
7667
7668
7669$as_echo "#define MISSING_HOWMANY 1" >>confdefs.h
7670
7671
7672$as_echo "#define MISSING_FD_MASK 1" >>confdefs.h
7673
7674 $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h 7859 $as_echo "#define DISABLE_LASTLOG 1" >>confdefs.h
7675 7860
7676 $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h 7861 $as_echo "#define SSHD_ACQUIRES_CTTY 1" >>confdefs.h
@@ -7703,8 +7888,6 @@ $as_echo "#define HAVE_SYS_SYSLOG_H 1" >>confdefs.h
7703 7888
7704*-*-lynxos) 7889*-*-lynxos)
7705 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 7890 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
7706 $as_echo "#define MISSING_HOWMANY 1" >>confdefs.h
7707
7708 7891
7709$as_echo "#define BROKEN_SETVBUF 1" >>confdefs.h 7892$as_echo "#define BROKEN_SETVBUF 1" >>confdefs.h
7710 7893
@@ -8229,6 +8412,7 @@ else
8229/* end confdefs.h. */ 8412/* end confdefs.h. */
8230 8413
8231#include <stdio.h> 8414#include <stdio.h>
8415#include <stdlib.h>
8232#include <zlib.h> 8416#include <zlib.h>
8233 8417
8234int 8418int
@@ -8453,6 +8637,62 @@ if test "$ac_res" != no; then :
8453 8637
8454fi 8638fi
8455 8639
8640{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing scan_scaled" >&5
8641$as_echo_n "checking for library containing scan_scaled... " >&6; }
8642if ${ac_cv_search_scan_scaled+:} false; then :
8643 $as_echo_n "(cached) " >&6
8644else
8645 ac_func_search_save_LIBS=$LIBS
8646cat confdefs.h - <<_ACEOF >conftest.$ac_ext
8647/* end confdefs.h. */
8648
8649/* Override any GCC internal prototype to avoid an error.
8650 Use char because int might match the return type of a GCC
8651 builtin and then its argument prototype would still apply. */
8652#ifdef __cplusplus
8653extern "C"
8654#endif
8655char scan_scaled ();
8656int
8657main ()
8658{
8659return scan_scaled ();
8660 ;
8661 return 0;
8662}
8663_ACEOF
8664for ac_lib in '' util bsd; do
8665 if test -z "$ac_lib"; then
8666 ac_res="none required"
8667 else
8668 ac_res=-l$ac_lib
8669 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
8670 fi
8671 if ac_fn_c_try_link "$LINENO"; then :
8672 ac_cv_search_scan_scaled=$ac_res
8673fi
8674rm -f core conftest.err conftest.$ac_objext \
8675 conftest$ac_exeext
8676 if ${ac_cv_search_scan_scaled+:} false; then :
8677 break
8678fi
8679done
8680if ${ac_cv_search_scan_scaled+:} false; then :
8681
8682else
8683 ac_cv_search_scan_scaled=no
8684fi
8685rm conftest.$ac_ext
8686LIBS=$ac_func_search_save_LIBS
8687fi
8688{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_scan_scaled" >&5
8689$as_echo "$ac_cv_search_scan_scaled" >&6; }
8690ac_res=$ac_cv_search_scan_scaled
8691if test "$ac_res" != no; then :
8692 test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
8693
8694fi
8695
8456{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing login" >&5 8696{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing login" >&5
8457$as_echo_n "checking for library containing login... " >&6; } 8697$as_echo_n "checking for library containing login... " >&6; }
8458if ${ac_cv_search_login+:} false; then : 8698if ${ac_cv_search_login+:} false; then :
@@ -8733,7 +8973,7 @@ if test "$ac_res" != no; then :
8733 8973
8734fi 8974fi
8735 8975
8736for ac_func in fmt_scaled login logout openpty updwtmp logwtmp 8976for ac_func in fmt_scaled scan_scaled login logout openpty updwtmp logwtmp
8737do : 8977do :
8738 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` 8978 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
8739ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 8979ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -9568,6 +9808,7 @@ for ac_func in \
9568 clock \ 9808 clock \
9569 closefrom \ 9809 closefrom \
9570 dirfd \ 9810 dirfd \
9811 endgrent \
9571 fchmod \ 9812 fchmod \
9572 fchown \ 9813 fchown \
9573 freeaddrinfo \ 9814 freeaddrinfo \
@@ -9592,6 +9833,7 @@ for ac_func in \
9592 inet_ntop \ 9833 inet_ntop \
9593 innetgr \ 9834 innetgr \
9594 login_getcapbool \ 9835 login_getcapbool \
9836 mblen \
9595 md5_crypt \ 9837 md5_crypt \
9596 memmove \ 9838 memmove \
9597 mkdtemp \ 9839 mkdtemp \
@@ -9850,6 +10092,65 @@ $as_echo "#define HAVE_NANOSLEEP 1" >>confdefs.h
9850fi 10092fi
9851 10093
9852 10094
10095{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
10096$as_echo_n "checking for library containing clock_gettime... " >&6; }
10097if ${ac_cv_search_clock_gettime+:} false; then :
10098 $as_echo_n "(cached) " >&6
10099else
10100 ac_func_search_save_LIBS=$LIBS
10101cat confdefs.h - <<_ACEOF >conftest.$ac_ext
10102/* end confdefs.h. */
10103
10104/* Override any GCC internal prototype to avoid an error.
10105 Use char because int might match the return type of a GCC
10106 builtin and then its argument prototype would still apply. */
10107#ifdef __cplusplus
10108extern "C"
10109#endif
10110char clock_gettime ();
10111int
10112main ()
10113{
10114return clock_gettime ();
10115 ;
10116 return 0;
10117}
10118_ACEOF
10119for ac_lib in '' rt; do
10120 if test -z "$ac_lib"; then
10121 ac_res="none required"
10122 else
10123 ac_res=-l$ac_lib
10124 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
10125 fi
10126 if ac_fn_c_try_link "$LINENO"; then :
10127 ac_cv_search_clock_gettime=$ac_res
10128fi
10129rm -f core conftest.err conftest.$ac_objext \
10130 conftest$ac_exeext
10131 if ${ac_cv_search_clock_gettime+:} false; then :
10132 break
10133fi
10134done
10135if ${ac_cv_search_clock_gettime+:} false; then :
10136
10137else
10138 ac_cv_search_clock_gettime=no
10139fi
10140rm conftest.$ac_ext
10141LIBS=$ac_func_search_save_LIBS
10142fi
10143{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5
10144$as_echo "$ac_cv_search_clock_gettime" >&6; }
10145ac_res=$ac_cv_search_clock_gettime
10146if test "$ac_res" != no; then :
10147 test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
10148
10149$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
10150
10151fi
10152
10153
9853ac_fn_c_check_decl "$LINENO" "getrusage" "ac_cv_have_decl_getrusage" "$ac_includes_default" 10154ac_fn_c_check_decl "$LINENO" "getrusage" "ac_cv_have_decl_getrusage" "$ac_includes_default"
9854if test "x$ac_cv_have_decl_getrusage" = xyes; then : 10155if test "x$ac_cv_have_decl_getrusage" = xyes; then :
9855 for ac_func in getrusage 10156 for ac_func in getrusage
@@ -10004,6 +10305,84 @@ cat >>confdefs.h <<_ACEOF
10004_ACEOF 10305_ACEOF
10005 10306
10006 10307
10308# extra bits for select(2)
10309ac_fn_c_check_decl "$LINENO" "howmany" "ac_cv_have_decl_howmany" "
10310#include <sys/param.h>
10311#include <sys/types.h>
10312#ifdef HAVE_SYS_SYSMACROS_H
10313#include <sys/sysmacros.h>
10314#endif
10315#ifdef HAVE_SYS_SELECT_H
10316#include <sys/select.h>
10317#endif
10318#ifdef HAVE_SYS_TIME_H
10319#include <sys/time.h>
10320#endif
10321#ifdef HAVE_UNISTD_H
10322#include <unistd.h>
10323#endif
10324
10325"
10326if test "x$ac_cv_have_decl_howmany" = xyes; then :
10327 ac_have_decl=1
10328else
10329 ac_have_decl=0
10330fi
10331
10332cat >>confdefs.h <<_ACEOF
10333#define HAVE_DECL_HOWMANY $ac_have_decl
10334_ACEOF
10335ac_fn_c_check_decl "$LINENO" "NFDBITS" "ac_cv_have_decl_NFDBITS" "
10336#include <sys/param.h>
10337#include <sys/types.h>
10338#ifdef HAVE_SYS_SYSMACROS_H
10339#include <sys/sysmacros.h>
10340#endif
10341#ifdef HAVE_SYS_SELECT_H
10342#include <sys/select.h>
10343#endif
10344#ifdef HAVE_SYS_TIME_H
10345#include <sys/time.h>
10346#endif
10347#ifdef HAVE_UNISTD_H
10348#include <unistd.h>
10349#endif
10350
10351"
10352if test "x$ac_cv_have_decl_NFDBITS" = xyes; then :
10353 ac_have_decl=1
10354else
10355 ac_have_decl=0
10356fi
10357
10358cat >>confdefs.h <<_ACEOF
10359#define HAVE_DECL_NFDBITS $ac_have_decl
10360_ACEOF
10361
10362ac_fn_c_check_type "$LINENO" "fd_mask" "ac_cv_type_fd_mask" "
10363#include <sys/param.h>
10364#include <sys/types.h>
10365#ifdef HAVE_SYS_SELECT_H
10366#include <sys/select.h>
10367#endif
10368#ifdef HAVE_SYS_TIME_H
10369#include <sys/time.h>
10370#endif
10371#ifdef HAVE_UNISTD_H
10372#include <unistd.h>
10373#endif
10374
10375"
10376if test "x$ac_cv_type_fd_mask" = xyes; then :
10377
10378cat >>confdefs.h <<_ACEOF
10379#define HAVE_FD_MASK 1
10380_ACEOF
10381
10382
10383fi
10384
10385
10007for ac_func in setresuid 10386for ac_func in setresuid
10008do : 10387do :
10009 ac_fn_c_check_func "$LINENO" "setresuid" "ac_cv_func_setresuid" 10388 ac_fn_c_check_func "$LINENO" "setresuid" "ac_cv_func_setresuid"
@@ -11334,6 +11713,8 @@ else
11334 11713
11335 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 11714 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
11336$as_echo "no" >&6; } 11715$as_echo "no" >&6; }
11716 unsupported_algorithms="$unsupported_cipers \
11717 aes128-gcm@openssh.com aes256-gcm@openssh.com"
11337 11718
11338 11719
11339fi 11720fi
@@ -11530,6 +11911,18 @@ if test "x$ac_cv_lib_crypt_crypt" = xyes; then :
11530fi 11911fi
11531 11912
11532fi 11913fi
11914for ac_func in crypt DES_crypt
11915do :
11916 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
11917ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
11918if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
11919 cat >>confdefs.h <<_ACEOF
11920#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
11921_ACEOF
11922
11923fi
11924done
11925
11533 11926
11534# Search for SHA256 support in libc and/or OpenSSL 11927# Search for SHA256 support in libc and/or OpenSSL
11535for ac_func in SHA256_Update EVP_sha256 11928for ac_func in SHA256_Update EVP_sha256
@@ -11543,6 +11936,12 @@ _ACEOF
11543 TEST_SSH_SHA256=yes 11936 TEST_SSH_SHA256=yes
11544else 11937else
11545 TEST_SSH_SHA256=no 11938 TEST_SSH_SHA256=no
11939 unsupported_algorithms="$unsupported_algorithms \
11940 hmac-sha2-256 hmac-sha2-512 \
11941 diffie-hellman-group-exchange-sha256 \
11942 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
11943
11944
11546fi 11945fi
11547done 11946done
11548 11947
@@ -11591,6 +11990,12 @@ else
11591$as_echo "no" >&6; } 11990$as_echo "no" >&6; }
11592 TEST_SSH_ECC=no 11991 TEST_SSH_ECC=no
11593 COMMENT_OUT_ECC="#no ecc#" 11992 COMMENT_OUT_ECC="#no ecc#"
11993 unsupported_algorithms="$unsupported_algorithms \
11994 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
11995 ecdsa-sha2-nistp256-cert-v01@openssh.com \
11996 ecdsa-sha2-nistp384-cert-v01@openssh.com \
11997 ecdsa-sha2-nistp521-cert-v01@openssh.com \
11998 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
11594 11999
11595 12000
11596fi 12001fi
@@ -14343,6 +14748,60 @@ _ACEOF
14343 14748
14344fi 14749fi
14345 14750
14751ac_fn_c_check_member "$LINENO" "struct passwd" "pw_gecos" "ac_cv_member_struct_passwd_pw_gecos" "
14752#include <sys/types.h>
14753#include <pwd.h>
14754
14755"
14756if test "x$ac_cv_member_struct_passwd_pw_gecos" = xyes; then :
14757
14758cat >>confdefs.h <<_ACEOF
14759#define HAVE_STRUCT_PASSWD_PW_GECOS 1
14760_ACEOF
14761
14762
14763fi
14764ac_fn_c_check_member "$LINENO" "struct passwd" "pw_class" "ac_cv_member_struct_passwd_pw_class" "
14765#include <sys/types.h>
14766#include <pwd.h>
14767
14768"
14769if test "x$ac_cv_member_struct_passwd_pw_class" = xyes; then :
14770
14771cat >>confdefs.h <<_ACEOF
14772#define HAVE_STRUCT_PASSWD_PW_CLASS 1
14773_ACEOF
14774
14775
14776fi
14777ac_fn_c_check_member "$LINENO" "struct passwd" "pw_change" "ac_cv_member_struct_passwd_pw_change" "
14778#include <sys/types.h>
14779#include <pwd.h>
14780
14781"
14782if test "x$ac_cv_member_struct_passwd_pw_change" = xyes; then :
14783
14784cat >>confdefs.h <<_ACEOF
14785#define HAVE_STRUCT_PASSWD_PW_CHANGE 1
14786_ACEOF
14787
14788
14789fi
14790ac_fn_c_check_member "$LINENO" "struct passwd" "pw_expire" "ac_cv_member_struct_passwd_pw_expire" "
14791#include <sys/types.h>
14792#include <pwd.h>
14793
14794"
14795if test "x$ac_cv_member_struct_passwd_pw_expire" = xyes; then :
14796
14797cat >>confdefs.h <<_ACEOF
14798#define HAVE_STRUCT_PASSWD_PW_EXPIRE 1
14799_ACEOF
14800
14801
14802fi
14803
14804
14346ac_fn_c_check_member "$LINENO" "struct __res_state" "retrans" "ac_cv_member_struct___res_state_retrans" " 14805ac_fn_c_check_member "$LINENO" "struct __res_state" "retrans" "ac_cv_member_struct___res_state_retrans" "
14347#include <stdio.h> 14806#include <stdio.h>
14348#if HAVE_SYS_TYPES_H 14807#if HAVE_SYS_TYPES_H
@@ -14435,108 +14894,6 @@ $as_echo "#define HAVE___SS_FAMILY_IN_SS 1" >>confdefs.h
14435 14894
14436fi 14895fi
14437 14896
14438{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pw_class field in struct passwd" >&5
14439$as_echo_n "checking for pw_class field in struct passwd... " >&6; }
14440if ${ac_cv_have_pw_class_in_struct_passwd+:} false; then :
14441 $as_echo_n "(cached) " >&6
14442else
14443
14444 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
14445/* end confdefs.h. */
14446 #include <pwd.h>
14447int
14448main ()
14449{
14450 struct passwd p; p.pw_class = 0;
14451 ;
14452 return 0;
14453}
14454_ACEOF
14455if ac_fn_c_try_compile "$LINENO"; then :
14456 ac_cv_have_pw_class_in_struct_passwd="yes"
14457else
14458 ac_cv_have_pw_class_in_struct_passwd="no"
14459
14460fi
14461rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
14462
14463fi
14464{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pw_class_in_struct_passwd" >&5
14465$as_echo "$ac_cv_have_pw_class_in_struct_passwd" >&6; }
14466if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
14467
14468$as_echo "#define HAVE_PW_CLASS_IN_PASSWD 1" >>confdefs.h
14469
14470fi
14471
14472{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pw_expire field in struct passwd" >&5
14473$as_echo_n "checking for pw_expire field in struct passwd... " >&6; }
14474if ${ac_cv_have_pw_expire_in_struct_passwd+:} false; then :
14475 $as_echo_n "(cached) " >&6
14476else
14477
14478 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
14479/* end confdefs.h. */
14480 #include <pwd.h>
14481int
14482main ()
14483{
14484 struct passwd p; p.pw_expire = 0;
14485 ;
14486 return 0;
14487}
14488_ACEOF
14489if ac_fn_c_try_compile "$LINENO"; then :
14490 ac_cv_have_pw_expire_in_struct_passwd="yes"
14491else
14492 ac_cv_have_pw_expire_in_struct_passwd="no"
14493
14494fi
14495rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
14496
14497fi
14498{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5
14499$as_echo "$ac_cv_have_pw_expire_in_struct_passwd" >&6; }
14500if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
14501
14502$as_echo "#define HAVE_PW_EXPIRE_IN_PASSWD 1" >>confdefs.h
14503
14504fi
14505
14506{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pw_change field in struct passwd" >&5
14507$as_echo_n "checking for pw_change field in struct passwd... " >&6; }
14508if ${ac_cv_have_pw_change_in_struct_passwd+:} false; then :
14509 $as_echo_n "(cached) " >&6
14510else
14511
14512 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
14513/* end confdefs.h. */
14514 #include <pwd.h>
14515int
14516main ()
14517{
14518 struct passwd p; p.pw_change = 0;
14519 ;
14520 return 0;
14521}
14522_ACEOF
14523if ac_fn_c_try_compile "$LINENO"; then :
14524 ac_cv_have_pw_change_in_struct_passwd="yes"
14525else
14526 ac_cv_have_pw_change_in_struct_passwd="no"
14527
14528fi
14529rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
14530
14531fi
14532{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_have_pw_change_in_struct_passwd" >&5
14533$as_echo "$ac_cv_have_pw_change_in_struct_passwd" >&6; }
14534if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
14535
14536$as_echo "#define HAVE_PW_CHANGE_IN_PASSWD 1" >>confdefs.h
14537
14538fi
14539
14540{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for msg_accrights field in struct msghdr" >&5 14897{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for msg_accrights field in struct msghdr" >&5
14541$as_echo_n "checking for msg_accrights field in struct msghdr... " >&6; } 14898$as_echo_n "checking for msg_accrights field in struct msghdr... " >&6; }
14542if ${ac_cv_have_accrights_in_msghdr+:} false; then : 14899if ${ac_cv_have_accrights_in_msghdr+:} false; then :
@@ -15994,6 +16351,22 @@ cat >>confdefs.h <<_ACEOF
15994#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl 16351#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE $ac_have_decl
15995_ACEOF 16352_ACEOF
15996 16353
16354 saved_LIBS="$LIBS"
16355 LIBS="$LIBS $K5LIBS"
16356 for ac_func in krb5_cc_new_unique krb5_get_error_message krb5_free_error_message
16357do :
16358 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
16359ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
16360if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
16361 cat >>confdefs.h <<_ACEOF
16362#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
16363_ACEOF
16364
16365fi
16366done
16367
16368 LIBS="$saved_LIBS"
16369
15997 fi 16370 fi
15998 16371
15999 16372
@@ -17176,6 +17549,8 @@ fi
17176 17549
17177TEST_SSH_IPV6=$TEST_SSH_IPV6 17550TEST_SSH_IPV6=$TEST_SSH_IPV6
17178 17551
17552UNSUPPORTED_ALGORITHMS=$unsupported_algorithms
17553
17179 17554
17180 17555
17181ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh" 17556ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile survey.sh"
diff --git a/configure.ac b/configure.ac
index 271a63a46..4c1a6589e 100644
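--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.518 2013/03/20 01:55:15 djm Exp $
+# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.518 $)
+AC_REVISION($Revision: 1.536 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -129,11 +129,16 @@ AC_ARG_WITH([stackprotect],
 
 
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
+ OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror],
+ [-Qunused-arguments])
+ OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror],
+ [-Wno-unknown-warning-option])
  OSSH_CHECK_CFLAG_COMPILE([-Wall])
  OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
  OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
  OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
  OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
+ OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
  OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
  OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
  OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
@@ -305,6 +310,7 @@ AC_CHECK_HEADERS([ \
  ia.h \
  iaf.h \
  limits.h \
+ locale.h \
  login.h \
  maillock.h \
  ndir.h \
@@ -343,7 +349,6 @@ AC_CHECK_HEADERS([ \
  sys/sysmacros.h \
  sys/time.h \
  sys/timers.h \
- sys/un.h \
  time.h \
  tmpdir.h \
  ttyent.h \
@@ -381,6 +386,12 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [
 #include <sys/param.h>
 ])
 
+# Android requires sys/socket.h to be included before sys/un.h
+AC_CHECK_HEADERS([sys/un.h], [], [], [
+#include <sys/types.h>
+#include <sys/socket.h>
+])
+
 # Messages for features tested for in target-specific section
 SIA_MSG="no"
 SPC_MSG="no"
@@ -482,6 +493,10 @@ case "$host" in
  AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
  AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)])
  ;;
+*-*-android*)
+ AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
+ AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
+ ;;
 *-*-cygwin*)
  check_for_libcrypt_later=1
  LIBS="$LIBS /usr/lib/textreadmode.o"
@@ -823,6 +838,7 @@ mips-sony-bsd|mips-sony-newsos4)
  SP_MSG="yes" ], )
  ],
  )
+ TEST_SHELL=$SHELL # let configure find us a capable shell
  ;;
 *-*-sunos4*)
  CPPFLAGS="$CPPFLAGS -DSUNOS4"
@@ -866,6 +882,7 @@ mips-sony-bsd|mips-sony-newsos4)
  AC_DEFINE([BROKEN_SETREGID])
  AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
  AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"])
+ TEST_SHELL=$SHELL # let configure find us a capable shell
  ;;
 # UnixWare 7.x, OpenUNIX 8
 *-*-sysv5*)
@@ -877,10 +894,10 @@ mips-sony-bsd|mips-sony-newsos4)
  AC_DEFINE([BROKEN_SETREUID])
  AC_DEFINE([BROKEN_SETREGID])
  AC_DEFINE([PASSWD_NEEDS_USERNAME])
+ TEST_SHELL=$SHELL # let configure find us a capable shell
  case "$host" in
  *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
  maildir=/var/spool/mail
- TEST_SHELL=/u95/bin/sh
  AC_DEFINE([BROKEN_LIBIAF], [1],
  [ia_uinfo routines not supported by OS yet])
  AC_DEFINE([BROKEN_UPDWTMPX])
@@ -921,7 +938,7 @@ mips-sony-bsd|mips-sony-newsos4)
  AC_DEFINE([PASSWD_NEEDS_USERNAME])
  AC_CHECK_FUNCS([getluid setluid])
  MANTYPE=man
- TEST_SHELL=ksh
+ TEST_SHELL=$SHELL # let configure find us a capable shell
  SKIP_DISABLE_LASTLOG_DEFINE=yes
  ;;
 *-*-unicosmk*)
@@ -998,9 +1015,6 @@ mips-sony-bsd|mips-sony-newsos4)
 *-*-nto-qnx*)
  AC_DEFINE([USE_PIPES])
  AC_DEFINE([NO_X11_UNIX_SOCKETS])
- AC_DEFINE([MISSING_NFDBITS], [1], [Define on *nto-qnx systems])
- AC_DEFINE([MISSING_HOWMANY], [1], [Define on *nto-qnx systems])
- AC_DEFINE([MISSING_FD_MASK], [1], [Define on *nto-qnx systems])
  AC_DEFINE([DISABLE_LASTLOG])
  AC_DEFINE([SSHD_ACQUIRES_CTTY])
  AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken])
@@ -1021,7 +1035,6 @@ mips-sony-bsd|mips-sony-newsos4)
 
 *-*-lynxos)
  CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
- AC_DEFINE([MISSING_HOWMANY])
  AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation])
  ;;
 esac
@@ -1144,6 +1157,7 @@ AC_ARG_WITH([zlib-version-check],
 AC_MSG_CHECKING([for possibly buggy zlib])
 AC_RUN_IFELSE([AC_LANG_PROGRAM([[
 #include <stdio.h>
+#include <stdlib.h>
 #include <zlib.h>
  ]],
  [[
@@ -1193,12 +1207,13 @@ AC_CHECK_FUNCS([utimes],
 dnl Checks for libutil functions
 AC_CHECK_HEADERS([bsd/libutil.h libutil.h])
 AC_SEARCH_LIBS([fmt_scaled], [util bsd])
+AC_SEARCH_LIBS([scan_scaled], [util bsd])
 AC_SEARCH_LIBS([login], [util bsd])
 AC_SEARCH_LIBS([logout], [util bsd])
 AC_SEARCH_LIBS([logwtmp], [util bsd])
 AC_SEARCH_LIBS([openpty], [util bsd])
 AC_SEARCH_LIBS([updwtmp], [util bsd])
-AC_CHECK_FUNCS([fmt_scaled login logout openpty updwtmp logwtmp])
+AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
 
 AC_FUNC_STRFTIME
 
@@ -1548,6 +1563,7 @@ AC_CHECK_FUNCS([ \
  clock \
  closefrom \
  dirfd \
+ endgrent \
  fchmod \
  fchown \
  freeaddrinfo \
@@ -1572,6 +1588,7 @@ AC_CHECK_FUNCS([ \
  inet_ntop \
  innetgr \
  login_getcapbool \
+ mblen \
  md5_crypt \
  memmove \
  mkdtemp \
@@ -1668,6 +1685,9 @@ const char *gai_strerror(int);
 AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1],
  [Some systems put nanosleep outside of libc])])
 
+AC_SEARCH_LIBS([clock_gettime], [rt],
+ [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])])
+
 dnl Make sure prototypes are defined for these before using them.
 AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])])
 AC_CHECK_DECL([strsep],
@@ -1719,6 +1739,37 @@ AC_CHECK_DECLS([offsetof], , , [
 #include <stddef.h>
  ])
 
+# extra bits for select(2)
+AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[
+#include <sys/param.h>
+#include <sys/types.h>
+#ifdef HAVE_SYS_SYSMACROS_H
+#include <sys/sysmacros.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+ ]])
+AC_CHECK_TYPES([fd_mask], [], [], [[
+#include <sys/param.h>
+#include <sys/types.h>
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+ ]])
+
 AC_CHECK_FUNCS([setresuid], [
  dnl Some platorms have setresuid that isn't implemented, test for this
  AC_MSG_CHECKING([if setresuid seems to work])
@@ -2367,6 +2418,8 @@ AC_LINK_IFELSE(
  ],
  [
  AC_MSG_RESULT([no])
+ unsupported_algorithms="$unsupported_cipers \
+ aes128-gcm@openssh.com aes256-gcm@openssh.com"
  ]
 )
 
@@ -2404,10 +2457,18 @@ fi
 if test "x$check_for_libcrypt_later" = "x1"; then
  AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
 fi
+AC_CHECK_FUNCS([crypt DES_crypt])
 
 # Search for SHA256 support in libc and/or OpenSSL
-AC_CHECK_FUNCS([SHA256_Update EVP_sha256], [TEST_SSH_SHA256=yes],
- [TEST_SSH_SHA256=no])
+AC_CHECK_FUNCS([SHA256_Update EVP_sha256],
+ [TEST_SSH_SHA256=yes],
+ [TEST_SSH_SHA256=no
+ unsupported_algorithms="$unsupported_algorithms \
+ hmac-sha2-256 hmac-sha2-512 \
+ diffie-hellman-group-exchange-sha256 \
+ hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+ ]
+)
 AC_SUBST([TEST_SSH_SHA256])
 
 # Check complete ECC support in OpenSSL
@@ -2438,6 +2499,12 @@ AC_LINK_IFELSE(
  AC_MSG_RESULT([no])
  TEST_SSH_ECC=no
  COMMENT_OUT_ECC="#no ecc#"
+ unsupported_algorithms="$unsupported_algorithms \
+ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
+ ecdsa-sha2-nistp256-cert-v01@openssh.com \
+ ecdsa-sha2-nistp384-cert-v01@openssh.com \
+ ecdsa-sha2-nistp521-cert-v01@openssh.com \
+ ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"
  ]
 )
 AC_SUBST([TEST_SSH_ECC])
@@ -3325,9 +3392,16 @@ OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX])
 OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX])
 
 AC_CHECK_MEMBERS([struct stat.st_blksize])
+AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class,
+struct passwd.pw_change, struct passwd.pw_expire],
+[], [], [[
+#include <sys/types.h>
+#include <pwd.h>
+]])
+
 AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state],
  [Define if we don't have struct __res_state in resolv.h])],
-[
+[[
 #include <stdio.h>
 #if HAVE_SYS_TYPES_H
 # include <sys/types.h>
@@ -3335,7 +3409,7 @@ AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [sta
 #include <netinet/in.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
-])
+]])
 
 AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
  ac_cv_have_ss_family_in_struct_ss, [
@@ -3365,45 +3439,6 @@ if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
  [Fields in struct sockaddr_storage])
 fi
 
-AC_CACHE_CHECK([for pw_class field in struct passwd],
- ac_cv_have_pw_class_in_struct_passwd, [
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <pwd.h> ]],
- [[ struct passwd p; p.pw_class = 0; ]])],
- [ ac_cv_have_pw_class_in_struct_passwd="yes" ],
- [ ac_cv_have_pw_class_in_struct_passwd="no"
- ])
-])
-if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
- AC_DEFINE([HAVE_PW_CLASS_IN_PASSWD], [1],
- [Define if your password has a pw_class field])
-fi
-
-AC_CACHE_CHECK([for pw_expire field in struct passwd],
- ac_cv_have_pw_expire_in_struct_passwd, [
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <pwd.h> ]],
- [[ struct passwd p; p.pw_expire = 0; ]])],
- [ ac_cv_have_pw_expire_in_struct_passwd="yes" ],
- [ ac_cv_have_pw_expire_in_struct_passwd="no"
- ])
-])
-if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
- AC_DEFINE([HAVE_PW_EXPIRE_IN_PASSWD], [1],
- [Define if your password has a pw_expire field])
-fi
-
-AC_CACHE_CHECK([for pw_change field in struct passwd],
- ac_cv_have_pw_change_in_struct_passwd, [
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <pwd.h> ]],
- [[ struct passwd p; p.pw_change = 0; ]])],
- [ ac_cv_have_pw_change_in_struct_passwd="yes" ],
- [ ac_cv_have_pw_change_in_struct_passwd="no"
- ])
-])
-if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
- AC_DEFINE([HAVE_PW_CHANGE_IN_PASSWD], [1],
- [Define if your password has a pw_change field])
-fi
-
 dnl make sure we're using the real structure members and not defines
 AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
  ac_cv_have_accrights_in_msghdr, [
@@ -3795,6 +3830,11 @@ AC_ARG_WITH([kerberos5],
 # include <gssapi/gssapi_generic.h>
 #endif
  ]])
+ saved_LIBS="$LIBS"
+ LIBS="$LIBS $K5LIBS"
+ AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message])
+ LIBS="$saved_LIBS"
+
  fi
  ]
 )
@@ -4545,6 +4585,7 @@ else
 fi
 AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no])
 AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
+AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms])
 
 AC_EXEEXT
 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \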
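--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
-%define version 6.2p2
+%define version 6.3p1
 %if %{use_stable}
  %define cvs %{nil}
  %define release 1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.79.2.1 2013/05/10 06:02:21 djm Exp $
+$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $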
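--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might
 not run on older versions. Please check http://cygwin.com/ for information
 about current Cygwin releases.
 
-Build instructions are at the end of the file.
-
-===========================================================================
-Important change since 3.7.1p2-2:
-
-The ssh-host-config file doesn't create the /etc/ssh_config and
-/etc/sshd_config files from builtin here-scripts anymore, but it uses
-skeleton files installed in /etc/defaults/etc.
-
-Also it now tries hard to create appropriate permissions on files.
-Same applies for ssh-user-config.
-
-After creating the sshd service with ssh-host-config, it's advisable to
-call ssh-user-config for all affected users, also already exising user
-configurations. In the latter case, file and directory permissions are
-checked and changed, if requireed to match the host configuration.
-
-Important note for Windows 2003 Server users:
----------------------------------------------
-
-2003 Server has a funny new feature. When starting services under SYSTEM
-account, these services have nearly all user rights which SYSTEM holds...
-except for the "Create a token object" right, which is needed to allow
-public key authentication :-(
-
-There's no way around this, except for creating a substitute account which
-has the appropriate privileges. Basically, this account should be member
-of the administrators group, plus it should have the following user rights:
-
- Create a token object
- Logon as a service
- Replace a process level token
- Increase Quota
-
-The ssh-host-config script asks you, if it should create such an account,
-called "sshd_server". If you say "no" here, you're on your own. Please
-follow the instruction in ssh-host-config exactly if possible. Note that
-ssh-user-config sets the permissions on 2003 Server machines dependent of
-whether a sshd_server account exists or not.
-===========================================================================
-
-===========================================================================
-Important change since 3.4p1-2:
-
-This version adds privilege separation as default setting, see
-/usr/doc/openssh/README.privsep. According to that document the
-privsep feature requires a non-privileged account called 'sshd'.
-
-The new ssh-host-config file which is part of this version asks
-to create 'sshd' as local user if you want to use privilege
-separation. If you confirm, it creates that NT user and adds
-the necessary entry to /etc/passwd.
-
-On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
-since that feature doesn't make any sense on a system which doesn't
-differ between privileged and unprivileged users.
-
-The new ssh-host-config script also adds the /var/empty directory
-needed by privilege separation. When creating the /var/empty directory
-by yourself, please note that in contrast to the README.privsep document
-the owner sshould not be "root" but the user which is running sshd. So,
-in the standard configuration this is SYSTEM. The ssh-host-config script
-chowns /var/empty accordingly.
-===========================================================================
-
-===========================================================================
-Important change since 3.0.1p1-2:
-
-This version introduces the ability to register sshd as service on
-Windows 9x/Me systems. This is done only when the options -D and/or
--d are not given.
-===========================================================================
-
-===========================================================================
-Important change since 2.9p2:
-
-Since Cygwin is able to switch user context without password beginning
-with version 1.3.2, OpenSSH now allows to do so when it's running under
-a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
-allow that feature.
-===========================================================================
-
-===========================================================================
-Important change since 2.3.0p1:
-
-When using `ntea' or `ntsec' you now have to care for the ownership
-and permission bits of your host key files and your private key files.
-The host key files have to be owned by the NT account which starts
-sshd. The user key files have to be owned by the user. The permission
-bits of the private key files (host and user) have to be at least
-rw------- (0600)!
-
-Note that this is forced under `ntsec' only if the files are on a NTFS
-filesystem (which is recommended) due to the lack of any basic security
-features of the FAT/FAT32 filesystems.
-===========================================================================
+==================
+Host configuration
+==================
 
 If you are installing OpenSSH the first time, you can generate global config
-files and server keys by running
+files and server keys, as well as installing sshd as a service, by running
 
  /usr/bin/ssh-host-config
 
 Note that this binary archive doesn't contain default config files in /etc.
 That files are only created if ssh-host-config is started.
 
-If you are updating your installation you may run the above ssh-host-config
-as well to move your configuration files to the new location and to
-erase the files at the old location.
-
 To support testing and unattended installation ssh-host-config got
 some options:
 
@@ -123,16 +26,25 @@ Options:
  --no -n Answer all questions with "no" automatically.
  --cygwin -c <options> Use "options" as value for CYGWIN environment var.
  --port -p <n> sshd listens on port n.
- --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
+ --user -u <account> privileged user for service, default 'cyg_server'.
+ --pwd -w <passwd> Use "pwd" as password for privileged user.
+ --privileged On Windows XP, require privileged user
+ instead of LocalSystem for sshd service.
 
-Additionally ssh-host-config now asks if it should install sshd as a
-service when running under NT/W2K. This requires cygrunsrv installed.
+Installing sshd as daemon via ssh-host-config is recommended.
 
-You can create the private and public keys for a user now by running
+Alternatively you can start sshd via inetd, if you have the inetutils
+package installed. Just run ssh-host-config, but answer "no" when asked
+to install sshd as service. The ssh-host-config script also adds the
+required lines to /etc/inetd.conf and /etc/services.
 
- /usr/bin/ssh-user-config
+==================
+User configuration
+==================
+
+Any user can simplify creating the own private and public keys by running
 
-under the users account.
+ /usr/bin/ssh-user-config
 
 To support testing and unattended installation ssh-user-config got
 some options as well:
@@ -144,88 +56,30 @@ Options:
  --no -n Answer all questions with "no" automatically.
  --passphrase -p word Use "word" as passphrase automatically.
 
-Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
-(results in very slow deamon startup!) or from the command line (recommended
-on 9X/ME).
-
-If you start sshd as deamon via cygrunsrv.exe you MUST give the
-"-D" option to sshd. Otherwise the service can't get started at all.
-
-If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
-following line to your inetd.conf file:
-
-ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
-
-Moreover you'll have to add the following line to your
-${SYSTEMROOT}/system32/drivers/etc/services file:
-
- ssh 22/tcp #SSH daemon
-
 Please note that OpenSSH does never use the value of $HOME to
 search for the users configuration files! It always uses the
 value of the pw_dir field in /etc/passwd as the home directory.
 If no home diretory is set in /etc/passwd, the root directory
 is used instead!
 
-You may use all features of the CYGWIN=ntsec setting the same
-way as they are used by Cygwin's login(1) port:
-
- The pw_gecos field may contain an additional field, that begins
- with (upper case!) "U-", followed by the domain and the username
- separated by a backslash.
- CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
- BTW: The field separator in pw_gecos is the comma.
- The username in pw_name itself may be any nice name:
-
- domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
-
- Now you may use `domuser' as your login name with telnet!
- This is possible additionally for local users, if you don't like
- your NT login name ;-) You only have to leave out the domain:
-
- locuser::1104:513:John Doe,U-user,S-1-5-21-...
-
-Note that the CYGWIN=ntsec setting is required for public key authentication.
-
-SSH2 server and user keys are generated by the `ssh-*-config' scripts
-as well.
-
-If you want to build from source, the following options to
-configure are used for the Cygwin binary distribution:
-
- --prefix=/usr \
- --sysconfdir=/etc \
- --libexecdir='${sbindir}' \
- --localstatedir=/var \
- --datadir='${prefix}/share' \
- --mandir='${datadir}/man' \
- --infodir='${datadir}/info'
- --with-tcp-wrappers
- --with-libedit
-
-If you want to create a Cygwin package, equivalent to the one
-in the Cygwin binary distribution, install like this:
-
- mkdir /tmp/cygwin-ssh
- cd ${builddir}
- make install DESTDIR=/tmp/cygwin-ssh
- cd ${srcdir}/contrib/cygwin
- make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
- cd /tmp/cygwin-ssh
- find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
-
-You must have installed the following packages to be able to build OpenSSH:
-
-- zlib
-- openssl-devel
+================
+Building OpenSSH
+================
 
-If you want to build with --with-tcp-wrappers, you also need the package
+Building from source is easy. Just unpack the source archive, cd to that
+directory, and call cygport:
 
-- tcp_wrappers
+ cygport openssh.cygport almostall
 
-If you want to build with --with-libedit, you also need the package
+You must have installed the following packages to be able to build OpenSSH
+with the aforementioned cygport script:
 
-- libedit-devel
+ zlib
+ crypt
+ openssl-devel
+ libwrap-devel
+ libedit-devel
+ libkrb5-devel
 
 Please send requests, error reports etc. to cygwin@cygwin.com.
 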
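--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -606,9 +606,9 @@ do
  echo " --no -n Answer all questions with \"no\" automatically."
  echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
  echo " --port -p <n> sshd listens on port n."
- echo " --user -u <account> privileged user for service."
+ echo " --user -u <account> privileged user for service, default 'cyg_server'."
  echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
- echo " --privileged On Windows NT/2k/XP, require privileged user"
+ echo " --privileged On Windows XP, require privileged user"
  echo " instead of LocalSystem for sshd service."
  echo
  exit 1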
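--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -222,10 +222,6 @@ do
  shift
  ;;
 
- --privileged )
- csih_FORCE_PRIVILEGED_USER=yes
- ;;
-
  *)
  echo "usage: ${PROGNAME} [OPTION]..."
  echo
@@ -236,8 +232,6 @@ do
  echo " --yes -y Answer all questions with \"yes\" automatically."
  echo " --no -n Answer all questions with \"no\" automatically."
  echo " --passphrase -p word Use \"word\" as passphrase automatically."
- echo " --privileged On Windows NT/2k/XP, assume privileged user"
- echo " instead of LocalSystem for sshd service."
  echo
  exit 1
  ;;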
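--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 6.2p2
+%define ver 6.3p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID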
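--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -165,7 +165,7 @@ done
 
 eval set -- "$SAVEARGS"
 
-if [ $# == 0 ] ; then
+if [ $# = 0 ] ; then
  usage
 fi
 if [ $# != 1 ] ; then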
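--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 6.2p2
+Version: 6.3p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz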
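--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */
+/* $Id: defines.h,v 1.172 2013/06/01 21:18:48 dtucker Exp $ */
 
 
 /* Constants */
@@ -171,11 +171,6 @@ enum
 # define MAP_FAILED ((void *)-1)
 #endif
 
-/* *-*-nto-qnx doesn't define this constant in the system headers */
-#ifdef MISSING_NFDBITS
-# define NFDBITS (8 * sizeof(unsigned long))
-#endif
-
 /*
 SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but
 including rpc/rpc.h breaks Solaris 6
@@ -355,11 +350,19 @@ struct winsize {
 };
 #endif
 
-/* *-*-nto-qnx does not define this type in the system headers */
-#ifdef MISSING_FD_MASK
+/* bits needed for select that may not be in the system headers */
+#ifndef HAVE_FD_MASK
  typedef unsigned long int fd_mask;
 #endif
 
+#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0
+# define NFDBITS (8 * sizeof(unsigned long))
+#endif
+
+#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0
+# define howmany(x,y) (((x)+((y)-1))/(y))
+#endif
+
 /* Paths */
 
 #ifndef _PATH_BSHELL
@@ -484,11 +487,6 @@ struct winsize {
 # define __nonnull__(x)
 #endif
 
-/* *-*-nto-qnx doesn't define this macro in the system headers */
-#ifdef MISSING_HOWMANY
-# define howmany(x,y) (((x)+((y)-1))/(y))
-#endif
-
 #ifndef OSSH_ALIGNBYTES
 #define OSSH_ALIGNBYTES (sizeof(int) - 1)
 #endif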
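Review bot: The relocated fallback `# define NFDBITS (8 * sizeof(unsigned long))` is now selected independently of the `fd_mask` fallback just above it, so a platform that ships its own `fd_mask` of a different width but no NFDBITS would end up with the two disagreeing. If callers size select() bit arrays as howmany(n, NFDBITS) * sizeof(fd_mask) (not visible in this diff), that mismatch would mis-size the array; tying the macro to the type avoids it: `# define NFDBITS (8 * sizeof(fd_mask))`. The `defined(HAVE_DECL_NFDBITS) &&` and `defined(HAVE_DECL_HOWMANY) &&` guards presumably rely on configure always emitting those symbols as 0 or 1, which a one-line comment above the block could state.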
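--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos. All rights reserved.
  *
@@ -48,6 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
  const char *errstr = NULL;
  long long n;
 
+ dhg->p = dhg->g = NULL;
  cp = line;
  if ((arg = strdelim(&cp)) == NULL)
  return 0;
@@ -59,66 +60,85 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
 
  /* time */
  if (cp == NULL || *arg == '\0')
- goto fail;
+ goto truncated;
  arg = strsep(&cp, " "); /* type */
  if (cp == NULL || *arg == '\0')
- goto fail;
+ goto truncated;
  /* Ensure this is a safe prime */
  n = strtonum(arg, 0, 5, &errstr);
- if (errstr != NULL || n != MODULI_TYPE_SAFE)
+ if (errstr != NULL || n != MODULI_TYPE_SAFE) {
+ error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
  goto fail;
+ }
  arg = strsep(&cp, " "); /* tests */
  if (cp == NULL || *arg == '\0')
- goto fail;
+ goto truncated;
  /* Ensure prime has been tested and is not composite */
  n = strtonum(arg, 0, 0x1f, &errstr);
  if (errstr != NULL ||
- (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE))
+ (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
+ error("moduli:%d: invalid moduli tests flag", linenum);
  goto fail;
+ }
  arg = strsep(&cp, " "); /* tries */
  if (cp == NULL || *arg == '\0')
- goto fail;
+ goto truncated;
  n = strtonum(arg, 0, 1<<30, &errstr);
- if (errstr != NULL || n == 0)
+ if (errstr != NULL || n == 0) {
+ error("moduli:%d: invalid primality trial count", linenum);
  goto fail;
+ }
  strsize = strsep(&cp, " "); /* size */
  if (cp == NULL || *strsize == '\0' ||
  (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
- errstr)
+ errstr) {
+ error("moduli:%d: invalid prime length", linenum);
  goto fail;
+ }
  /* The whole group is one bit larger */
  dhg->size++;
  gen = strsep(&cp, " "); /* gen */
  if (cp == NULL || *gen == '\0')
- goto fail;
+ goto truncated;
  prime = strsep(&cp, " "); /* prime */
- if (cp != NULL || *prime == '\0')
+ if (cp != NULL || *prime == '\0') {
+ truncated:
+ error("moduli:%d: truncated", linenum);
  goto fail;
+ }
 
  if ((dhg->g = BN_new()) == NULL)
  fatal("parse_prime: BN_new failed");
  if ((dhg->p = BN_new()) == NULL)
  fatal("parse_prime: BN_new failed");
- if (BN_hex2bn(&dhg->g, gen) == 0)
- goto failclean;
-
- if (BN_hex2bn(&dhg->p, prime) == 0)
- goto failclean;
-
- if (BN_num_bits(dhg->p) != dhg->size)
- goto failclean;
-
- if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
- goto failclean;
+ if (BN_hex2bn(&dhg->g, gen) == 0) {
+ error("moduli:%d: could not parse generator value", linenum);
+ goto fail;
+ }
+ if (BN_hex2bn(&dhg->p, prime) == 0) {
+ error("moduli:%d: could not parse prime value", linenum);
+ goto fail;
+ }
+ if (BN_num_bits(dhg->p) != dhg->size) {
+ error("moduli:%d: prime has wrong size: actual %d listed %d",
+ linenum, BN_num_bits(dhg->p), dhg->size - 1);
+ goto fail;
+ }
+ if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
+ error("moduli:%d: generator is invalid", linenum);
+ goto fail;
+ }
 
- return (1);
+ return 1;
 
- failclean:
- BN_clear_free(dhg->g);
- BN_clear_free(dhg->p);
  fail:
+ if (dhg->g != NULL)
+ BN_clear_free(dhg->g);
+ if (dhg->p != NULL)
+ BN_clear_free(dhg->p);
+ dhg->g = dhg->p = NULL;
  error("Bad prime description in line %d", linenum);
- return (0);
+ return 0;
 }
 
 DH *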
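Review bot: The new generator check `BN_cmp(dhg->g, BN_value_one()) <= 0` bounds g only from below, so a moduli entry whose generator is equal to or larger than the prime still passes parse_prime. Since this hunk is already tightening validation of the file, an upper bound fits in the same test: `if (BN_cmp(dhg->g, BN_value_one()) <= 0 || BN_cmp(dhg->g, dhg->p) >= 0) {`. Separately, the `truncated:` label sits inside the body of the prime check, so a line with extra trailing fields (`cp != NULL`) is reported as "truncated" and the five earlier `goto truncated` sites jump into an `if` block; placing the label and its `error()` call just above `fail:` would read more plainly. parse_prime starts above this hunk.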
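--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -261,7 +261,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 
  if (hostkey_digest_type != dnskey_digest_type) {
  hostkey_digest_type = dnskey_digest_type;
- xfree(hostkey_digest);
+ free(hostkey_digest);
 
  /* Initialize host key parameters */
  if (!dns_read_key(&hostkey_algorithm,
@@ -281,10 +281,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  hostkey_digest_len) == 0)
  *flags |= DNS_VERIFY_MATCH;
  }
- xfree(dnskey_digest);
+ free(dnskey_digest);
  }
 
- xfree(hostkey_digest); /* from key_fingerprint_raw() */
+ free(hostkey_digest); /* from key_fingerprint_raw() */
  freerrset(fingerprints);
 
  if (*flags & DNS_VERIFY_FOUND)
@@ -327,7 +327,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
  for (i = 0; i < rdata_digest_len; i++)
  fprintf(f, "%02x", rdata_digest[i]);
  fprintf(f, "\n");
- xfree(rdata_digest); /* from key_fingerprint_raw() */
+ free(rdata_digest); /* from key_fingerprint_raw() */
  success = 1;
  }
  }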
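--- /dev/null
+++ b/fixalgorithms
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# fixciphers - remove unsupported ciphers from man pages.
+# Usage: fixpaths /path/to/sed cipher1 [cipher2] <infile >outfile
+#
+# Author: Darren Tucker (dtucker at zip com.au). Placed in the public domain.
+
+die() {
+ echo $*
+ exit -1
+}
+
+SED=$1
+shift
+
+for c in $*; do
+ subs="$subs -e /.Dq.$c.*$/d"
+ subs="$subs -e s/$c,//g"
+done
+
+# now remove any entirely empty lines
+subs="$subs -e /^$/d"
+
+${SED} $subs
+
+exit 0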
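Review bot: The header comment names the script `fixciphers` and its usage line says `fixpaths`, while the file is `fixalgorithms`; both lines should carry the real name, e.g. `# fixalgorithms - remove unsupported ciphers from man pages.` and `# Usage: fixalgorithms /path/to/sed cipher1 [cipher2] <infile >outfile`. `die()` is defined but never called, and its `exit -1` is not a portable exit status for /bin/sh; either drop the function or make it `exit 1` and call it when no sed path is given. Each name from `$*` is pasted into the sed expressions unescaped, so a `.` in an algorithm name matches any character; with the list coming from configure this is presumably harmless, but a comment noting that the arguments are treated as regular expressions would make that explicit.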
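--- a/groupaccess.c
+++ b/groupaccess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */
+/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright (c) 2001 Kevin Steves. All rights reserved.
  *
@@ -31,6 +31,7 @@
 #include <grp.h>
 #include <unistd.h>
 #include <stdarg.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include "xmalloc.h"
@@ -68,7 +69,7 @@ ga_init(const char *user, gid_t base)
  for (i = 0, j = 0; i < ngroups; i++)
  if ((gr = getgrgid(groups_bygid[i])) != NULL)
  groups_byname[j++] = xstrdup(gr->gr_name);
- xfree(groups_bygid);
+ free(groups_bygid);
  return (ngroups = j);
 }
 
@@ -122,8 +123,8 @@ ga_free(void)
 
  if (ngroups > 0) {
  for (i = 0; i < ngroups; i++)
- xfree(groups_byname[i]);
+ free(groups_byname[i]);
  ngroups = 0;
- xfree(groups_byname);
+ free(groups_byname);
  }
 }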
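--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -214,8 +214,8 @@ void
 ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
 {
  if (ctx->oid != GSS_C_NO_OID) {
- xfree(ctx->oid->elements);
- xfree(ctx->oid);
+ free(ctx->oid->elements);
+ free(ctx->oid);
  }
  ctx->oid = xmalloc(sizeof(gss_OID_desc));
  ctx->oid->length = len;
@@ -238,7 +238,7 @@ ssh_gssapi_error(Gssctxt *ctxt)
 
  s = ssh_gssapi_last_error(ctxt, NULL, NULL);
  debug("%s", s);
- xfree(s);
+ free(s);
 }
 
 char *
@@ -319,8 +319,8 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx)
  if ((*ctx)->name != GSS_C_NO_NAME)
  gss_release_name(&ms, &(*ctx)->name);
  if ((*ctx)->oid != GSS_C_NO_OID) {
- xfree((*ctx)->oid->elements);
- xfree((*ctx)->oid);
+ free((*ctx)->oid->elements);
+ free((*ctx)->oid);
  (*ctx)->oid = GSS_C_NO_OID;
  }
  if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
@@ -330,7 +330,7 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx)
  if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
  gss_release_cred(&ms, &(*ctx)->client_creds);
 
- xfree(*ctx);
+ free(*ctx);
  *ctx = NULL;
 }
 
@@ -377,7 +377,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
  &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
  ssh_gssapi_error(ctx);
 
- xfree(gssbuf.value);
+ free(gssbuf.value);
  return (ctx->major);
 }
 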
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index e7170ee41..c55446a0b 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -48,12 +48,11 @@ extern ServerOptions options;
48 48
49#ifdef HEIMDAL 49#ifdef HEIMDAL
50# include <krb5.h> 50# include <krb5.h>
51#else 51#endif
52# ifdef HAVE_GSSAPI_KRB5_H 52#ifdef HAVE_GSSAPI_KRB5_H
53# include <gssapi_krb5.h> 53# include <gssapi_krb5.h>
54# elif HAVE_GSSAPI_GSSAPI_KRB5_H 54#elif HAVE_GSSAPI_GSSAPI_KRB5_H
55# include <gssapi/gssapi_krb5.h> 55# include <gssapi/gssapi_krb5.h>
56# endif
57#endif 56#endif
58 57
59static krb5_context krb_context = NULL; 58static krb5_context krb_context = NULL;
@@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
87{ 86{
88 krb5_principal princ; 87 krb5_principal princ;
89 int retval; 88 int retval;
89 const char *errmsg;
90 90
91 if (ssh_gssapi_krb5_init() == 0) 91 if (ssh_gssapi_krb5_init() == 0)
92 return 0; 92 return 0;
93 93
94 if ((retval = krb5_parse_name(krb_context, client->exportedname.value, 94 if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
95 &princ))) { 95 &princ))) {
96 logit("krb5_parse_name(): %.100s", 96 errmsg = krb5_get_error_message(krb_context, retval);
97 krb5_get_err_text(krb_context, retval)); 97 logit("krb5_parse_name(): %.100s", errmsg);
98 krb5_free_error_message(krb_context, errmsg);
98 return 0; 99 return 0;
99 } 100 }
100 if (krb5_kuserok(krb_context, princ, name)) { 101 if (krb5_kuserok(krb_context, princ, name)) {
@@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
120 krb5_principal princ; 121 krb5_principal princ;
121 OM_uint32 maj_status, min_status; 122 OM_uint32 maj_status, min_status;
122 int len; 123 int len;
124 const char *errmsg;
123 const char *new_ccname; 125 const char *new_ccname;
124 126
125 if (client->creds == NULL) { 127 if (client->creds == NULL) {
@@ -131,30 +133,34 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
131 return; 133 return;
132 134
133#ifdef HEIMDAL 135#ifdef HEIMDAL
134 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { 136 if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
135 logit("krb5_cc_gen_new(): %.100s", 137 NULL, &ccache)) != 0) {
136 krb5_get_err_text(krb_context, problem)); 138 errmsg = krb5_get_error_message(krb_context, problem);
139 logit("krb5_cc_new_unique(): %.100s", errmsg);
140 krb5_free_error_message(krb_context, errmsg);
137 return; 141 return;
138 } 142 }
139#else 143#else
140 if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { 144 if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
141 logit("ssh_krb5_cc_gen(): %.100s", 145 errmsg = krb5_get_error_message(krb_context, problem);
142 krb5_get_err_text(krb_context, problem)); 146 logit("ssh_krb5_cc_gen(): %.100s", errmsg);
147 krb5_free_error_message(krb_context, errmsg);
143 return; 148 return;
144 } 149 }
145#endif /* #ifdef HEIMDAL */ 150#endif /* #ifdef HEIMDAL */
146 151
147 if ((problem = krb5_parse_name(krb_context, 152 if ((problem = krb5_parse_name(krb_context,
148 client->exportedname.value, &princ))) { 153 client->exportedname.value, &princ))) {
149 logit("krb5_parse_name(): %.100s", 154 errmsg = krb5_get_error_message(krb_context, problem);
150 krb5_get_err_text(krb_context, problem)); 155 logit("krb5_parse_name(): %.100s", errmsg);
151 krb5_cc_destroy(krb_context, ccache); 156 krb5_free_error_message(krb_context, errmsg);
152 return; 157 return;
153 } 158 }
154 159
155 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { 160 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
156 logit("krb5_cc_initialize(): %.100s", 161 errmsg = krb5_get_error_message(krb_context, problem);
157 krb5_get_err_text(krb_context, problem)); 162 logit("krb5_cc_initialize(): %.100s", errmsg);
163 krb5_free_error_message(krb_context, errmsg);
158 krb5_free_principal(krb_context, princ); 164 krb5_free_principal(krb_context, princ);
159 krb5_cc_destroy(krb_context, ccache); 165 krb5_cc_destroy(krb_context, ccache);
160 return; 166 return;
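Review bot: The rewritten `krb5_parse_name()` failure branch in `ssh_gssapi_krb5_storecreds` no longer calls `krb5_cc_destroy(krb_context, ccache)` before returning. The old side had that call between the log line and the `return`, and the `krb5_cc_initialize()` failure branch just below still destroys the cache. As the page renders it, the credential cache created a few lines earlier is left behind on this path, so I would restore `krb5_cc_destroy(krb_context, ccache);` after `krb5_free_error_message(krb_context, errmsg);`. The function continues past the end of the hunk.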
diff --git a/gss-serv.c b/gss-serv.c
index 380895ea5..97f366fdf 100644
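--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -55,7 +55,8 @@ extern ServerOptions options;
 
 static ssh_gssapi_client gssapi_client =
  { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
+ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
 
 ssh_gssapi_mech gssapi_null_mech =
  { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};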
diff --git a/hostfile.c b/hostfile.c
index b6f924b23..2ff4c48b4 100644
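--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.50 2010/12/04 13:31:37 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -64,7 +64,7 @@ struct hostkeys {
 };
 
 static int
-extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
+extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len)
 {
  char *p, *b64salt;
  u_int b64len;
@@ -96,7 +96,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
  b64salt[b64len] = '\0';
 
  ret = __b64_pton(b64salt, salt, salt_len);
- xfree(b64salt);
+ free(b64salt);
  if (ret == -1) {
  debug2("extract_salt: salt decode error");
  return (-1);
@@ -115,7 +115,8 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
 {
  const EVP_MD *md = EVP_sha1();
  HMAC_CTX mac_ctx;
- char salt[256], result[256], uu_salt[512], uu_result[512];
+ u_char salt[256], result[256];
+ char uu_salt[512], uu_result[512];
  static char encoded[1024];
  u_int i, len;
 
@@ -133,7 +134,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
  }
 
  HMAC_Init(&mac_ctx, salt, len, md);
- HMAC_Update(&mac_ctx, host, strlen(host));
+ HMAC_Update(&mac_ctx, (u_char *)host, strlen(host));
  HMAC_Final(&mac_ctx, result, NULL);
  HMAC_cleanup(&mac_ctx);
 
@@ -153,7 +154,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
  */
 
 int
-hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
+hostfile_read_key(char **cpp, int *bitsp, Key *ret)
 {
  char *cp;
 
@@ -170,8 +171,10 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
 
  /* Return results. */
  *cpp = cp;
- if (bitsp != NULL)
- *bitsp = key_size(ret);
+ if (bitsp != NULL) {
+ if ((*bitsp = key_size(ret)) <= 0)
+ return 0;
+ }
  return 1;
 }
 
@@ -327,16 +330,14 @@ free_hostkeys(struct hostkeys *hostkeys)
  u_int i;
 
  for (i = 0; i < hostkeys->num_entries; i++) {
- xfree(hostkeys->entries[i].host);
- xfree(hostkeys->entries[i].file);
+ free(hostkeys->entries[i].host);
+ free(hostkeys->entries[i].file);
  key_free(hostkeys->entries[i].key);
  bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
  }
- if (hostkeys->entries != NULL)
- xfree(hostkeys->entries);
- hostkeys->entries = NULL;
- hostkeys->num_entries = 0;
- xfree(hostkeys);
+ free(hostkeys->entries);
+ bzero(hostkeys, sizeof(*hostkeys));
+ free(hostkeys);
 }
 
 static int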
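Review bot: In `hostfile_read_key`, `*cpp = cp;` is stored before the new `key_size(ret) <= 0` check, so a caller that gets 0 from this path sees its cursor already advanced past the key text while `ret` holds the parsed key. Whether the earlier failure returns leave `*cpp` untouched is not visible here, since the body starts outside the hunk, but if they do, this return is the odd one out. I would move the assignment below the size check, or document the behaviour at the return, e.g. `/* key parsed but size unusable; *cpp has already been advanced */`.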
diff --git a/hostfile.h b/hostfile.h
index d84d422ff..679c034f3 100644
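--- a/hostfile.h
+++ b/hostfile.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.h,v 1.19 2010/11/29 23:45:51 djm Exp $ */
+/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -40,7 +40,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, Key *,
 int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
  const struct hostkey_entry **);
 
-int hostfile_read_key(char **, u_int *, Key *);
+int hostfile_read_key(char **, int *, Key *);
 int add_host_to_hostfile(const char *, const char *, const Key *, int);
 
 #define HASH_MAGIC "|1|"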
diff --git a/includes.h b/includes.h
index 3e206c899..07bcd89f2 100644
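--- a/includes.h
+++ b/includes.h
@@ -18,7 +18,9 @@
 
 #include "config.h"
 
+#ifndef _GNU_SOURCE
 #define _GNU_SOURCE /* activate extra prototypes for glibc */
+#endif
 
 #include <sys/types.h>
 #include <sys/socket.h> /* For CMSG_* */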
diff --git a/jpake.c b/jpake.c
index b010dafaa..3dd87916a 100644
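--- a/jpake.c
+++ b/jpake.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */
+/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright (c) 2008 Damien Miller. All rights reserved.
  *
@@ -106,7 +106,7 @@ jpake_free(struct jpake_ctx *pctx)
  do { \
  if ((v) != NULL) { \
  bzero((v), (l)); \
- xfree(v); \
+ free(v); \
  (v) = NULL; \
  (l) = 0; \
  } \
@@ -134,7 +134,7 @@ jpake_free(struct jpake_ctx *pctx)
 #undef JPAKE_BUF_CLEAR_FREE
 
  bzero(pctx, sizeof(*pctx));
- xfree(pctx);
+ free(pctx);
 }
 
 /* dump entire jpake_ctx. NB. includes private values! */
@@ -445,7 +445,7 @@ jpake_check_confirm(const BIGNUM *k,
  expected_confirm_hash_len) == 0)
  success = 1;
  bzero(expected_confirm_hash, expected_confirm_hash_len);
- xfree(expected_confirm_hash);
+ free(expected_confirm_hash);
  debug3("%s: success = %d", __func__, success);
  return success;
 }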
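Review bot: Calling `free()` directly after `bzero()` makes the clearing of J-PAKE secrets easier for an optimiser to drop, because a store into memory that is handed straight to `free()` is a dead store; the previous call into the out-of-line `xfree()` wrapper was presumably harder for the compiler to see through. This applies to `JPAKE_BUF_CLEAR_FREE`, `bzero(pctx, sizeof(*pctx))` and `bzero(expected_confirm_hash, expected_confirm_hash_len)` here, and equally to the `memset(kbuf, 0, klen); free(kbuf);` pairs in kexdhc.c, kexdhs.c, kexecdhc.c, kexecdhs.c and kexgexc.c, where `kbuf` is the buffer the shared secret is built from. Where the platform provides one, use a clearing call the compiler must keep, e.g. `explicit_bzero(expected_confirm_hash, expected_confirm_hash_len);`, ideally behind a single clear-and-free helper. The function bodies extend beyond these hunks.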
diff --git a/kex.c b/kex.c
index f9e7a9c09..1ec278245 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ 1/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -66,6 +66,69 @@ extern const EVP_MD *evp_ssh_sha256(void);
66static void kex_kexinit_finish(Kex *); 66static void kex_kexinit_finish(Kex *);
67static void kex_choose_conf(Kex *); 67static void kex_choose_conf(Kex *);
68 68
69struct kexalg {
70 char *name;
71 int type;
72 int ec_nid;
73 const EVP_MD *(*mdfunc)(void);
74};
75static const struct kexalg kexalgs[] = {
76 { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 },
77 { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 },
78 { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 },
79#ifdef HAVE_EVP_SHA256
80 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 },
81#endif
82#ifdef OPENSSL_HAS_ECC
83 { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 },
84 { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
85 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
86#endif
87 { NULL, -1, -1, NULL},
88};
89static const struct kexalg kexalg_prefixes[] = {
90#ifdef GSSAPI
91 { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
92 { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
93 { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
94#endif
95 { NULL, -1, -1, NULL },
96};
97
98char *
99kex_alg_list(void)
100{
101 char *ret = NULL;
102 size_t nlen, rlen = 0;
103 const struct kexalg *k;
104
105 for (k = kexalgs; k->name != NULL; k++) {
106 if (ret != NULL)
107 ret[rlen++] = '\n';
108 nlen = strlen(k->name);
109 ret = xrealloc(ret, 1, rlen + nlen + 2);
110 memcpy(ret + rlen, k->name, nlen + 1);
111 rlen += nlen;
112 }
113 return ret;
114}
115
116static const struct kexalg *
117kex_alg_by_name(const char *name)
118{
119 const struct kexalg *k;
120
121 for (k = kexalgs; k->name != NULL; k++) {
122 if (strcmp(k->name, name) == 0)
123 return k;
124 }
125 for (k = kexalg_prefixes; k->name != NULL; k++) {
126 if (strncmp(k->name, name, strlen(k->name)) == 0)
127 return k;
128 }
129 return NULL;
130}
131
69/* Validate KEX method name list */ 132/* Validate KEX method name list */
70int 133int
71kex_names_valid(const char *names) 134kex_names_valid(const char *names)
@@ -77,20 +140,14 @@ kex_names_valid(const char *names)
77 s = cp = xstrdup(names); 140 s = cp = xstrdup(names);
78 for ((p = strsep(&cp, ",")); p && *p != '\0'; 141 for ((p = strsep(&cp, ",")); p && *p != '\0';
79 (p = strsep(&cp, ","))) { 142 (p = strsep(&cp, ","))) {
80 if (strcmp(p, KEX_DHGEX_SHA256) != 0 && 143 if (kex_alg_by_name(p) == NULL) {
81 strcmp(p, KEX_DHGEX_SHA1) != 0 &&
82 strcmp(p, KEX_DH14) != 0 &&
83 strcmp(p, KEX_DH1) != 0 &&
84 (strncmp(p, KEX_ECDH_SHA2_STEM,
85 sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 ||
86 kex_ecdh_name_to_nid(p) == -1)) {
87 error("Unsupported KEX algorithm \"%.100s\"", p); 144 error("Unsupported KEX algorithm \"%.100s\"", p);
88 xfree(s); 145 free(s);
89 return 0; 146 return 0;
90 } 147 }
91 } 148 }
92 debug3("kex names ok: [%s]", names); 149 debug3("kex names ok: [%s]", names);
93 xfree(s); 150 free(s);
94 return 1; 151 return 1;
95} 152}
96 153
@@ -150,8 +207,8 @@ kex_prop_free(char **proposal)
150 u_int i; 207 u_int i;
151 208
152 for (i = 0; i < PROPOSAL_MAX; i++) 209 for (i = 0; i < PROPOSAL_MAX; i++)
153 xfree(proposal[i]); 210 free(proposal[i]);
154 xfree(proposal); 211 free(proposal);
155} 212}
156 213
157/* ARGSUSED */ 214/* ARGSUSED */
@@ -188,7 +245,7 @@ kex_finish(Kex *kex)
188 buffer_clear(&kex->peer); 245 buffer_clear(&kex->peer);
189 /* buffer_clear(&kex->my); */ 246 /* buffer_clear(&kex->my); */
190 kex->flags &= ~KEX_INIT_SENT; 247 kex->flags &= ~KEX_INIT_SENT;
191 xfree(kex->name); 248 free(kex->name);
192 kex->name = NULL; 249 kex->name = NULL;
193} 250}
194 251
@@ -245,7 +302,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
245 for (i = 0; i < KEX_COOKIE_LEN; i++) 302 for (i = 0; i < KEX_COOKIE_LEN; i++)
246 packet_get_char(); 303 packet_get_char();
247 for (i = 0; i < PROPOSAL_MAX; i++) 304 for (i = 0; i < PROPOSAL_MAX; i++)
248 xfree(packet_get_string(NULL)); 305 free(packet_get_string(NULL));
249 /* 306 /*
250 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported 307 * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
251 * KEX method has the server move first, but a server might be using 308 * KEX method has the server move first, but a server might be using
@@ -352,43 +409,16 @@ choose_comp(Comp *comp, char *client, char *server)
352static void 409static void
353choose_kex(Kex *k, char *client, char *server) 410choose_kex(Kex *k, char *client, char *server)
354{ 411{
412 const struct kexalg *kexalg;
413
355 k->name = match_list(client, server, NULL); 414 k->name = match_list(client, server, NULL);
356 if (k->name == NULL) 415 if (k->name == NULL)
357 fatal("Unable to negotiate a key exchange method"); 416 fatal("Unable to negotiate a key exchange method");
358 if (strcmp(k->name, KEX_DH1) == 0) { 417 if ((kexalg = kex_alg_by_name(k->name)) == NULL)
359 k->kex_type = KEX_DH_GRP1_SHA1; 418 fatal("unsupported kex alg %s", k->name);
360 k->evp_md = EVP_sha1(); 419 k->kex_type = kexalg->type;
361 } else if (strcmp(k->name, KEX_DH14) == 0) { 420 k->evp_md = kexalg->mdfunc();
362 k->kex_type = KEX_DH_GRP14_SHA1; 421 k->ec_nid = kexalg->ec_nid;
363 k->evp_md = EVP_sha1();
364 } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
365 k->kex_type = KEX_DH_GEX_SHA1;
366 k->evp_md = EVP_sha1();
367#if OPENSSL_VERSION_NUMBER >= 0x00907000L
368 } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
369 k->kex_type = KEX_DH_GEX_SHA256;
370 k->evp_md = evp_ssh_sha256();
371 } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
372 sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
373 k->kex_type = KEX_ECDH_SHA2;
374 k->evp_md = kex_ecdh_name_to_evpmd(k->name);
375#endif
376#ifdef GSSAPI
377 } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
378 sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
379 k->kex_type = KEX_GSS_GEX_SHA1;
380 k->evp_md = EVP_sha1();
381 } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
382 sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
383 k->kex_type = KEX_GSS_GRP1_SHA1;
384 k->evp_md = EVP_sha1();
385 } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
386 sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
387 k->kex_type = KEX_GSS_GRP14_SHA1;
388 k->evp_md = EVP_sha1();
389#endif
390 } else
391 fatal("bad kex alg %s", k->name);
392} 422}
393 423
394static void 424static void
@@ -400,7 +430,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server)
400 k->hostkey_type = key_type_from_name(hostkeyalg); 430 k->hostkey_type = key_type_from_name(hostkeyalg);
401 if (k->hostkey_type == KEY_UNSPEC) 431 if (k->hostkey_type == KEY_UNSPEC)
402 fatal("bad hostkey alg '%s'", hostkeyalg); 432 fatal("bad hostkey alg '%s'", hostkeyalg);
403 xfree(hostkeyalg); 433 free(hostkeyalg);
404} 434}
405 435
406static int 436static int
@@ -454,7 +484,7 @@ kex_choose_conf(Kex *kex)
454 roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL); 484 roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL);
455 if (roaming) { 485 if (roaming) {
456 kex->roaming = 1; 486 kex->roaming = 1;
457 xfree(roaming); 487 free(roaming);
458 } 488 }
459 } 489 }
460 490
diff --git a/kex.h b/kex.h
index 8013ab8a4..d5046c627 100644
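--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -40,8 +40,9 @@
 #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
 #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
 #define KEX_RESUME "resume@appgate.com"
-/* The following represents the family of ECDH methods */
-#define KEX_ECDH_SHA2_STEM "ecdh-sha2-"
+#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
+#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
+#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
 
 #define COMP_NONE 0
 #define COMP_ZLIB 1
@@ -89,7 +90,7 @@ typedef struct Newkeys Newkeys;
 
 struct Enc {
  char *name;
- Cipher *cipher;
+ const Cipher *cipher;
  int enabled;
  u_int key_len;
  u_int iv_len;
@@ -134,6 +135,7 @@ struct Kex {
  sig_atomic_t done;
  int flags;
  const EVP_MD *evp_md;
+ int ec_nid;
 #ifdef GSSAPI
  int gss_deleg_creds;
  int gss_trust_dns;
@@ -146,10 +148,12 @@ struct Kex {
  Key *(*load_host_public_key)(int);
  Key *(*load_host_private_key)(int);
  int (*host_key_index)(Key *);
+ void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
  void (*kex[KEX_MAX])(Kex *);
 };
 
 int kex_names_valid(const char *);
+char *kex_alg_list(void);
 
 Kex *kex_setup(char *[PROPOSAL_MAX]);
 void kex_finish(Kex *);
@@ -184,11 +188,6 @@ void
 kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int,
  char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
  const BIGNUM *, u_char **, u_int *);
-int kex_ecdh_name_to_nid(const char *);
-const EVP_MD *kex_ecdh_name_to_evpmd(const char *);
-#else
-# define kex_ecdh_name_to_nid(x) (-1)
-# define kex_ecdh_name_to_evpmd(x) (NULL)
 #endif
 
 void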
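Review bot: The new `sign` member of `struct Kex` is declared with unnamed parameters and no comment, although its contract is not obvious from the type. The call sites in kexdhs.c and kexecdhs.c pass the private key first and the public key second, and they no longer check for failure, which a `void` return could not report anyway. I would state the contract next to the declaration, e.g. `/* sign(priv, pub, &sig, &siglen, data, datalen); priv may be NULL; must not return on failure */`. The "may be NULL" and "must not return" parts are inferred from the callers dropping their checks and should be confirmed against the implementation, which is not on this page.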
diff --git a/kexdhc.c b/kexdhc.c
index 76ceb5dd8..ccd137cac 100644
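--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
+/* $OpenBSD: kexdhc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  *
@@ -125,7 +125,7 @@ kexdh_client(Kex *kex)
  if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
  fatal("kexdh_client: BN_bin2bn failed");
  memset(kbuf, 0, klen);
- xfree(kbuf);
+ free(kbuf);
 
  /* calc and verify H */
  kex_dh_hash(
@@ -139,14 +139,14 @@ kexdh_client(Kex *kex)
  shared_secret,
  &hash, &hashlen
  );
- xfree(server_host_key_blob);
+ free(server_host_key_blob);
  BN_clear_free(dh_server_pub);
  DH_free(dh);
 
  if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
  fatal("key_verify failed for server_host_key");
  key_free(server_host_key);
- xfree(signature);
+ free(signature);
 
  /* save session id */
  if (kex->session_id == NULL) {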
diff --git a/kexdhs.c b/kexdhs.c
index f56e88764..269d80900 100644
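--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.14 2013/07/19 07:37:48 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  *
@@ -80,9 +80,6 @@ kexdh_server(Kex *kex)
  if (server_host_public == NULL)
  fatal("Unsupported hostkey type %d", kex->hostkey_type);
  server_host_private = kex->load_host_private_key(kex->hostkey_type);
- if (server_host_private == NULL)
- fatal("Missing private key for hostkey type %d",
- kex->hostkey_type);
 
  /* key, cert */
  if ((dh_client_pub = BN_new()) == NULL)
@@ -118,7 +115,7 @@ kexdh_server(Kex *kex)
  if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
  fatal("kexdh_server: BN_bin2bn failed");
  memset(kbuf, 0, klen);
- xfree(kbuf);
+ free(kbuf);
 
  key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
 
@@ -144,9 +141,8 @@ kexdh_server(Kex *kex)
  }
 
  /* sign H */
- if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,
- hashlen)) < 0)
- fatal("kexdh_server: key_sign failed");
+ kex->sign(server_host_private, server_host_public, &signature, &slen,
+ hash, hashlen);
 
  /* destroy_sensitive_data(); */
 
@@ -157,8 +153,8 @@ kexdh_server(Kex *kex)
  packet_put_string(signature, slen);
  packet_send();
 
- xfree(signature);
- xfree(server_host_key_blob);
+ free(signature);
+ free(server_host_key_blob);
  /* have keys, free DH */
  DH_free(dh);
 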
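Review bot: `kexdh_server` now calls `kex->sign(...)` unconditionally and then sends `signature` and `slen` with `packet_put_string`, having dropped both the `server_host_private == NULL` fatal and the `key_sign(...) < 0` fatal. Nothing in the visible hunks checks that `kex->sign` was installed, so a `Kex` set up without it would be called through a null pointer. A guard such as `if (kex->sign == NULL) fatal("kexdh_server: no sign callback");` before the call would fail closed, unless an equivalent check already sits above the hunk. The same pattern is in `kexecdh_server` in kexecdhs.c; the function starts and ends outside these hunks.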
diff --git a/kexecdh.c b/kexecdh.c
index f13f69d3b..c948fe20a 100644
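--- a/kexecdh.c
+++ b/kexecdh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kexecdh.c,v 1.4 2013/04/19 01:06:50 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -45,24 +45,6 @@
 #include "kex.h"
 #include "log.h"
 
-int
-kex_ecdh_name_to_nid(const char *kexname)
-{
- if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1)
- fatal("%s: kexname too short \"%s\"", __func__, kexname);
- return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1);
-}
-
-const EVP_MD *
-kex_ecdh_name_to_evpmd(const char *kexname)
-{
- int nid = kex_ecdh_name_to_nid(kexname);
-
- if (nid == -1)
- fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname);
- return key_ec_nid_to_evpmd(nid);
-}
-
 void
 kex_ecdh_hash(
  const EVP_MD *evp_md,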
diff --git a/kexecdhc.c b/kexecdhc.c
index 115d4bf83..6193836c7 100644
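--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kexecdhc.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -57,11 +57,8 @@ kexecdh_client(Kex *kex)
  u_char *server_host_key_blob = NULL, *signature = NULL;
  u_char *kbuf, *hash;
  u_int klen, slen, sbloblen, hashlen;
- int curve_nid;
 
- if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
- fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
- if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
+ if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
  fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
  if (EC_KEY_generate_key(client_key) != 1)
  fatal("%s: EC_KEY_generate_key failed", __func__);
@@ -123,7 +120,7 @@ kexecdh_client(Kex *kex)
  if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
  fatal("%s: BN_bin2bn failed", __func__);
  memset(kbuf, 0, klen);
- xfree(kbuf);
+ free(kbuf);
 
  /* calc and verify H */
  kex_ecdh_hash(
@@ -139,14 +136,14 @@ kexecdh_client(Kex *kex)
  shared_secret,
  &hash, &hashlen
  );
- xfree(server_host_key_blob);
+ free(server_host_key_blob);
  EC_POINT_clear_free(server_public);
  EC_KEY_free(client_key);
 
  if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
  fatal("key_verify failed for server_host_key");
  key_free(server_host_key);
- xfree(signature);
+ free(signature);
 
  /* save session id */
  if (kex->session_id == NULL) {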
diff --git a/kexecdhs.c b/kexecdhs.c
index 8c515dfa6..3a580aacf 100644
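--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */
+/* $OpenBSD: kexecdhs.c,v 1.5 2013/07/19 07:37:48 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -59,11 +59,8 @@ kexecdh_server(Kex *kex)
  u_char *server_host_key_blob = NULL, *signature = NULL;
  u_char *kbuf, *hash;
  u_int klen, slen, sbloblen, hashlen;
- int curve_nid;
 
- if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
- fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
- if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
+ if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
  fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
  if (EC_KEY_generate_key(server_key) != 1)
  fatal("%s: EC_KEY_generate_key failed", __func__);
@@ -81,9 +78,6 @@ kexecdh_server(Kex *kex)
  if (server_host_public == NULL)
  fatal("Unsupported hostkey type %d", kex->hostkey_type);
  server_host_private = kex->load_host_private_key(kex->hostkey_type);
- if (server_host_private == NULL)
- fatal("Missing private key for hostkey type %d",
- kex->hostkey_type);
 
  debug("expecting SSH2_MSG_KEX_ECDH_INIT");
  packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
@@ -115,7 +109,7 @@ kexecdh_server(Kex *kex)
  if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
  fatal("%s: BN_bin2bn failed", __func__);
  memset(kbuf, 0, klen);
- xfree(kbuf);
+ free(kbuf);
 
  /* calc H */
  key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
@@ -142,9 +136,8 @@ kexecdh_server(Kex *kex)
  }
 
  /* sign H */
- if (PRIVSEP(key_sign(server_host_private, &signature, &slen,
- hash, hashlen)) < 0)
- fatal("kexdh_server: key_sign failed");
+ kex->sign(server_host_private, server_host_public, &signature, &slen,
+ hash, hashlen);
 
  /* destroy_sensitive_data(); */
 
@@ -155,8 +148,8 @@ kexecdh_server(Kex *kex)
  packet_put_string(signature, slen);
  packet_send();
 
- xfree(signature);
- xfree(server_host_key_blob);
+ free(signature);
+ free(server_host_key_blob);
  /* have keys, free server key */
  EC_KEY_free(server_key);
 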
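diff --git a/kexgexc.c b/kexgexc.c
index 79552d709..5a3be2005 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos. All rights reserved.
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -163,7 +163,7 @@ kexgex_client(Kex *kex)
  if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
  fatal("kexgex_client: BN_bin2bn failed");
  memset(kbuf, 0, klen);
- xfree(kbuf);
+ free(kbuf);
 
  if (datafellows & SSH_OLD_DHGEX)
  min = max = -1;
@@ -186,13 +186,13 @@ kexgex_client(Kex *kex)
 
  /* have keys, free DH */
  DH_free(dh);
- xfree(server_host_key_blob);
+ free(server_host_key_blob);
  BN_clear_free(dh_server_pub);
 
  if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
  fatal("key_verify failed for server_host_key");
  key_free(server_host_key);
- xfree(signature);
+ free(signature);
 
  /* save session id */
  if (kex->session_id == NULL) {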
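Review bot: With `xfree(kbuf)` replaced by a direct `free(kbuf)` at new line 166, the `memset(kbuf, 0, klen)` just before it is a store to memory that is released immediately, which an optimising compiler that understands free() may drop, so the shared-secret bytes can remain in the heap. The same memset-then-free pair on the shared-secret buffer appears in this commit in kexecdhs.c (new lines 111-112) and kexgexs.c (new lines 153-154). Where the platform or the compat layer provides one, a wipe that cannot be elided is the safer choice, e.g. `explicit_bzero(kbuf, klen);` ahead of `free(kbuf);`. kexgex_client starts and ends outside the hunks shown.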
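diff --git a/kexgexs.c b/kexgexs.c
index a5e3df7bc..4e473fc73 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.14 2010/11/10 01:33:07 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.16 2013/07/19 07:37:48 markus Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos. All rights reserved.
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -68,10 +68,6 @@ kexgex_server(Kex *kex)
  if (server_host_public == NULL)
  fatal("Unsupported hostkey type %d", kex->hostkey_type);
  server_host_private = kex->load_host_private_key(kex->hostkey_type);
- if (server_host_private == NULL)
- fatal("Missing private key for hostkey type %d",
- kex->hostkey_type);
-
 
  type = packet_read();
  switch (type) {
@@ -155,7 +151,7 @@ kexgex_server(Kex *kex)
  if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
  fatal("kexgex_server: BN_bin2bn failed");
  memset(kbuf, 0, klen);
- xfree(kbuf);
+ free(kbuf);
 
  key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
 
@@ -187,9 +183,8 @@ kexgex_server(Kex *kex)
  }
 
  /* sign H */
- if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,
- hashlen)) < 0)
- fatal("kexgex_server: key_sign failed");
+ kex->sign(server_host_private, server_host_public, &signature, &slen,
+ hash, hashlen);
 
  /* destroy_sensitive_data(); */
 
@@ -201,8 +196,8 @@ kexgex_server(Kex *kex)
  packet_put_string(signature, slen);
  packet_send();
 
- xfree(signature);
- xfree(server_host_key_blob);
+ free(signature);
+ free(server_host_key_blob);
  /* have keys, free DH */
  DH_free(dh);
 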
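Review bot: Nothing in kexgex_server now checks that signing succeeded: the `server_host_private == NULL` fatal at old lines 71-73 is removed and the result of `kex->sign(...)` at new line 186 is not tested, yet `signature` and `slen` go straight into `packet_put_string(signature, slen)` and `free(signature)`. That is safe only if every `kex->sign` implementation calls fatal() itself on failure and copes with a NULL private key; the callback is not visible in this hunk, so this is an assumption to confirm. I would state the contract where it is relied on, e.g. `/* kex->sign() must fatal() on error and accept server_host_private == NULL */` above the call. The same replacement is made in kexecdhs.c (new lines 139-140), and kexgex_server's body continues outside the hunks shown.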
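diff --git a/key.c b/key.c
index fdfed5c56..2591635bc 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */
+/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -187,14 +187,13 @@ cert_free(struct KeyCert *cert)
  buffer_free(&cert->certblob);
  buffer_free(&cert->critical);
  buffer_free(&cert->extensions);
- if (cert->key_id != NULL)
- xfree(cert->key_id);
+ free(cert->key_id);
  for (i = 0; i < cert->nprincipals; i++)
- xfree(cert->principals[i]);
- if (cert->principals != NULL)
- xfree(cert->principals);
+ free(cert->principals[i]);
+ free(cert->principals);
  if (cert->signature_key != NULL)
  key_free(cert->signature_key);
+ free(cert);
 }
 
 void
@@ -238,7 +237,7 @@ key_free(Key *k)
  k->cert = NULL;
  }
 
- xfree(k);
+ free(k);
 }
 
 static int
@@ -388,7 +387,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
  EVP_DigestUpdate(&ctx, blob, len);
  EVP_DigestFinal(&ctx, retval, dgst_raw_length);
  memset(blob, 0, len);
- xfree(blob);
+ free(blob);
  } else {
  fatal("key_fingerprint_raw: blob is null");
  }
@@ -570,7 +569,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
 }
 
 char *
-key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
+key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
 {
  char *retval = NULL;
  u_char *dgst_raw;
@@ -595,7 +594,7 @@ key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
  break;
  }
  memset(dgst_raw, 0, dgst_raw_len);
- xfree(dgst_raw);
+ free(dgst_raw);
  return retval;
 }
 
@@ -740,11 +739,11 @@ key_read(Key *ret, char **cpp)
  n = uudecode(cp, blob, len);
  if (n < 0) {
  error("key_read: uudecode %s failed", cp);
- xfree(blob);
+ free(blob);
  return -1;
  }
  k = key_from_blob(blob, (u_int)n);
- xfree(blob);
+ free(blob);
  if (k == NULL) {
  error("key_read: key_from_blob %s failed", cp);
  return -1;
@@ -885,43 +884,13 @@ key_write(const Key *key, FILE *f)
  fprintf(f, "%s %s", key_ssh_name(key), uu);
  success = 1;
  }
- xfree(blob);
- xfree(uu);
+ free(blob);
+ free(uu);
 
  return success;
 }
 
 const char *
-key_type(const Key *k)
-{
- switch (k->type) {
- case KEY_RSA1:
- return "RSA1";
- case KEY_RSA:
- return "RSA";
- case KEY_DSA:
- return "DSA";
-#ifdef OPENSSL_HAS_ECC
- case KEY_ECDSA:
- return "ECDSA";
-#endif
- case KEY_RSA_CERT_V00:
- return "RSA-CERT-V00";
- case KEY_DSA_CERT_V00:
- return "DSA-CERT-V00";
- case KEY_RSA_CERT:
- return "RSA-CERT";
- case KEY_DSA_CERT:
- return "DSA-CERT";
-#ifdef OPENSSL_HAS_ECC
- case KEY_ECDSA_CERT:
- return "ECDSA-CERT";
-#endif
- }
- return "unknown";
-}
-
-const char *
 key_cert_type(const Key *k)
 {
  switch (k->cert->type) {
@@ -934,50 +903,60 @@ key_cert_type(const Key *k)
  }
 }
 
+struct keytype {
+ char *name;
+ char *shortname;
+ int type;
+ int nid;
+ int cert;
+};
+static const struct keytype keytypes[] = {
+ { NULL, "RSA1", KEY_RSA1, 0, 0 },
+ { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
+ { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
+#ifdef OPENSSL_HAS_ECC
+ { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
+ { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
+ { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
+#endif /* OPENSSL_HAS_ECC */
+ { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
+ { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
+#ifdef OPENSSL_HAS_ECC
+ { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
+ KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
+ { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
+ KEY_ECDSA_CERT, NID_secp384r1, 1 },
+ { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
+ KEY_ECDSA_CERT, NID_secp521r1, 1 },
+#endif /* OPENSSL_HAS_ECC */
+ { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
+ KEY_RSA_CERT_V00, 0, 1 },
+ { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
+ KEY_DSA_CERT_V00, 0, 1 },
+ { "null", "null", KEY_NULL, 0, 0 },
+ { NULL, NULL, -1, -1, 0 }
+};
+
+const char *
+key_type(const Key *k)
+{
+ const struct keytype *kt;
+
+ for (kt = keytypes; kt->type != -1; kt++) {
+ if (kt->type == k->type)
+ return kt->shortname;
+ }
+ return "unknown";
+}
+
 static const char *
 key_ssh_name_from_type_nid(int type, int nid)
 {
- switch (type) {
- case KEY_RSA:
- return "ssh-rsa";
- case KEY_DSA:
- return "ssh-dss";
- case KEY_RSA_CERT_V00:
- return "ssh-rsa-cert-v00@openssh.com";
- case KEY_DSA_CERT_V00:
- return "ssh-dss-cert-v00@openssh.com";
- case KEY_RSA_CERT:
- return "ssh-rsa-cert-v01@openssh.com";
- case KEY_DSA_CERT:
- return "ssh-dss-cert-v01@openssh.com";
-#ifdef OPENSSL_HAS_ECC
- case KEY_ECDSA:
- switch (nid) {
- case NID_X9_62_prime256v1:
- return "ecdsa-sha2-nistp256";
- case NID_secp384r1:
- return "ecdsa-sha2-nistp384";
- case NID_secp521r1:
- return "ecdsa-sha2-nistp521";
- default:
- break;
- }
- break;
- case KEY_ECDSA_CERT:
- switch (nid) {
- case NID_X9_62_prime256v1:
- return "ecdsa-sha2-nistp256-cert-v01@openssh.com";
- case NID_secp384r1:
- return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
- case NID_secp521r1:
- return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
- default:
- break;
- }
- break;
-#endif /* OPENSSL_HAS_ECC */
- case KEY_NULL:
- return "null";
+ const struct keytype *kt;
+
+ for (kt = keytypes; kt->type != -1; kt++) {
+ if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
+ return kt->name;
  }
  return "ssh-unknown";
 }
@@ -995,6 +974,56 @@ key_ssh_name_plain(const Key *k)
  k->ecdsa_nid);
 }
 
+int
+key_type_from_name(char *name)
+{
+ const struct keytype *kt;
+
+ for (kt = keytypes; kt->type != -1; kt++) {
+ /* Only allow shortname matches for plain key types */
+ if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
+ (!kt->cert && strcasecmp(kt->shortname, name) == 0))
+ return kt->type;
+ }
+ debug2("key_type_from_name: unknown key type '%s'", name);
+ return KEY_UNSPEC;
+}
+
+int
+key_ecdsa_nid_from_name(const char *name)
+{
+ const struct keytype *kt;
+
+ for (kt = keytypes; kt->type != -1; kt++) {
+ if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
+ continue;
+ if (kt->name != NULL && strcmp(name, kt->name) == 0)
+ return kt->nid;
+ }
+ debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
+ return -1;
+}
+
+char *
+key_alg_list(void)
+{
+ char *ret = NULL;
+ size_t nlen, rlen = 0;
+ const struct keytype *kt;
+
+ for (kt = keytypes; kt->type != -1; kt++) {
+ if (kt->name == NULL)
+ continue;
+ if (ret != NULL)
+ ret[rlen++] = '\n';
+ nlen = strlen(kt->name);
+ ret = xrealloc(ret, 1, rlen + nlen + 2);
+ memcpy(ret + rlen, kt->name, nlen + 1);
+ rlen += nlen;
+ }
+ return ret;
+}
+
 u_int
 key_size(const Key *k)
 {
@@ -1250,67 +1279,6 @@ key_from_private(const Key *k)
 }
 
 int
-key_type_from_name(char *name)
-{
- if (strcmp(name, "rsa1") == 0) {
- return KEY_RSA1;
- } else if (strcmp(name, "rsa") == 0) {
- return KEY_RSA;
- } else if (strcmp(name, "dsa") == 0) {
- return KEY_DSA;
- } else if (strcmp(name, "ssh-rsa") == 0) {
- return KEY_RSA;
- } else if (strcmp(name, "ssh-dss") == 0) {
- return KEY_DSA;
-#ifdef OPENSSL_HAS_ECC
- } else if (strcmp(name, "ecdsa") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp521") == 0) {
- return KEY_ECDSA;
-#endif
- } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
- return KEY_RSA_CERT_V00;
- } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
- return KEY_DSA_CERT_V00;
- } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
- return KEY_RSA_CERT;
- } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
- return KEY_DSA_CERT;
-#ifdef OPENSSL_HAS_ECC
- } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
- return KEY_ECDSA_CERT;
-#endif
- } else if (strcmp(name, "null") == 0) {
- return KEY_NULL;
- }
-
- debug2("key_type_from_name: unknown key type '%s'", name);
- return KEY_UNSPEC;
-}
-
-int
-key_ecdsa_nid_from_name(const char *name)
-{
-#ifdef OPENSSL_HAS_ECC
- if (strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0)
- return NID_X9_62_prime256v1;
- if (strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0)
- return NID_secp384r1;
- if (strcmp(name, "ecdsa-sha2-nistp521") == 0 ||
- strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
- return NID_secp521r1;
-#endif /* OPENSSL_HAS_ECC */
-
- debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
- return -1;
-}
-
-int
 key_names_valid2(const char *names)
 {
  char *s, *cp, *p;
@@ -1323,12 +1291,12 @@ key_names_valid2(const char *names)
  switch (key_type_from_name(p)) {
  case KEY_RSA1:
  case KEY_UNSPEC:
- xfree(s);
+ free(s);
  return 0;
  }
  }
  debug3("key names ok: [%s]", names);
- xfree(s);
+ free(s);
  return 1;
 }
 
@@ -1450,16 +1418,11 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
 
  out:
  buffer_free(&tmp);
- if (principals != NULL)
- xfree(principals);
- if (critical != NULL)
- xfree(critical);
- if (exts != NULL)
- xfree(exts);
- if (sig_key != NULL)
- xfree(sig_key);
- if (sig != NULL)
- xfree(sig);
+ free(principals);
+ free(critical);
+ free(exts);
+ free(sig_key);
+ free(sig);
  return ret;
 }
 
@@ -1579,10 +1542,8 @@ key_from_blob(const u_char *blob, u_int blen)
  if (key != NULL && rlen != 0)
  error("key_from_blob: remaining bytes in key blob %d", rlen);
  out:
- if (ktype != NULL)
- xfree(ktype);
- if (curve != NULL)
- xfree(curve);
+ free(ktype);
+ free(curve);
 #ifdef OPENSSL_HAS_ECC
  if (q != NULL)
  EC_POINT_free(q);
@@ -1932,7 +1893,7 @@ key_certify(Key *k, Key *ca)
  default:
  error("%s: key has incorrect type %s", __func__, key_type(k));
  buffer_clear(&k->cert->certblob);
- xfree(ca_blob);
+ free(ca_blob);
  return -1;
  }
 
@@ -1968,7 +1929,7 @@ key_certify(Key *k, Key *ca)
 
  buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
  buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
- xfree(ca_blob);
+ free(ca_blob);
 
  /* Sign the whole mess */
  if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
@@ -1979,7 +1940,7 @@ key_certify(Key *k, Key *ca)
  }
  /* Append signature and we are done */
  buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
- xfree(sig_blob);
+ free(sig_blob);
 
  return 0;
 }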
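Review bot: `key_ssh_name_from_type_nid()` can now return NULL, because the first `keytypes[]` row is `{ NULL, "RSA1", KEY_RSA1, 0, 0 }`: it matches `type == KEY_RSA1` through `kt->nid == 0` and the loop returns `kt->name`. The switch it replaces had no KEY_RSA1 case and fell through to `"ssh-unknown"`, so callers that hand the result to a `%s` format or to strcmp() (presumably through key_ssh_name() and key_ssh_name_plain(), which are only partly visible) never received a null pointer before. Skipping nameless rows keeps the old result: `if (kt->name != NULL && kt->type == type && (kt->nid == 0 || kt->nid == nid))`. Separately, key_type_from_name() now compares short names with strcasecmp(), so spellings such as "RSA" or "Null" that the old strcmp() chain rejected are accepted; if that is intended, the comment above the test should say so.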
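diff --git a/key.h b/key.h
index 4beaf202e..b57d6a4c4 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */
+/* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -96,7 +96,7 @@ void key_free(Key *);
 Key *key_demote(const Key *);
 int key_equal_public(const Key *, const Key *);
 int key_equal(const Key *, const Key *);
-char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
+char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
 u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
 const char *key_type(const Key *);
 const char *key_cert_type(const Key *);
@@ -119,15 +119,16 @@ int key_cert_is_legacy(const Key *);
 
 int key_ecdsa_nid_from_name(const char *);
 int key_curve_name_to_nid(const char *);
-const char * key_curve_nid_to_name(int);
+const char *key_curve_nid_to_name(int);
 u_int key_curve_nid_to_bits(int);
 int key_ecdsa_bits_to_nid(int);
 #ifdef OPENSSL_HAS_ECC
 int key_ecdsa_key_to_nid(EC_KEY *);
-const EVP_MD * key_ec_nid_to_evpmd(int nid);
+const EVP_MD *key_ec_nid_to_evpmd(int nid);
 int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
 int key_ec_validate_private(const EC_KEY *);
 #endif
+char *key_alg_list(void);
 
 Key *key_from_blob(const u_char *, u_int);
 int key_to_blob(const Key *, u_char **, u_int *);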
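Review bot: The new prototype `char *key_alg_list(void);` at new line 131 says nothing about ownership or format of the returned string. The definition added to key.c in this commit grows the buffer with xrealloc() and joins the names with '\n', so a one-line comment on the declaration would spare callers a leak or a wrong split: `/* Returns a newline-separated list of key algorithm names; caller must free(). */`.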
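diff --git a/krl.c b/krl.c
index 0d9bb5411..b2d0354f2 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */
+/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */
 
 #include "includes.h"
 
@@ -502,8 +502,11 @@ choose_next_state(int current_state, u_int64_t contig, int final,
  }
  debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
  "list %llu range %llu bitmap %llu new bitmap %llu, "
- "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final,
- cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state,
+ "selected 0x%02x%s", __func__, (long long unsigned)contig,
+ (long long unsigned)last_gap, (long long unsigned)next_gap, final,
+ (long long unsigned)cost_list, (long long unsigned)cost_range,
+ (long long unsigned)cost_bitmap,
+ (long long unsigned)cost_bitmap_restart, new_state,
  *force_new_section ? " restart" : "");
  return new_state;
 }
@@ -539,7 +542,8 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
  rs != NULL;
  rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
  debug3("%s: serial %llu:%llu state 0x%02x", __func__,
- rs->lo, rs->hi, state);
+ (long long unsigned)rs->lo, (long long unsigned)rs->hi,
+ state);
 
  /* Check contiguous length and gap to next section (if any) */
  nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
@@ -883,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
  char timestamp[64];
  int ret = -1, r, sig_seen;
  Key *key = NULL, **ca_used = NULL;
- u_char type, *blob;
- u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0;
+ u_char type, *blob, *rdata = NULL;
+ u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used;
 
+ nca_used = 0;
  *krlp = NULL;
  if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 ||
  memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) {
@@ -928,8 +933,9 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
  }
 
  format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
- debug("KRL version %llu generated at %s%s%s", krl->krl_version,
- timestamp, *krl->comment ? ": " : "", krl->comment);
+ debug("KRL version %llu generated at %s%s%s",
+ (long long unsigned)krl->krl_version, timestamp,
+ *krl->comment ? ": " : "", krl->comment);
 
  /*
  * 1st pass: verify signatures, if any. This is done to avoid
@@ -967,7 +973,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
  }
  /* Check signature over entire KRL up to this point */
  if (key_verify(key, blob, blen,
- buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) {
+ buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) {
  error("bad signaure on KRL");
  goto out;
  }
@@ -1010,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
  case KRL_SECTION_EXPLICIT_KEY:
  case KRL_SECTION_FINGERPRINT_SHA1:
  while (buffer_len(&sect) > 0) {
- if ((blob = buffer_get_string_ret(&sect,
- &blen)) == NULL) {
+ if ((rdata = buffer_get_string_ret(&sect,
+ &rlen)) == NULL) {
  error("%s: buffer error", __func__);
  goto out;
  }
  if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
- blen != 20) {
+ rlen != 20) {
  error("%s: bad SHA1 length", __func__);
  goto out;
  }
  if (revoke_blob(
  type == KRL_SECTION_EXPLICIT_KEY ?
  &krl->revoked_keys : &krl->revoked_sha1s,
- blob, blen) != 0)
- goto out; /* revoke_blob frees blob */
+ rdata, rlen) != 0)
+ goto out;
+ rdata = NULL; /* revoke_blob frees blob */
  }
  break;
  case KRL_SECTION_SIGNATURE:
@@ -1090,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
  key_free(ca_used[i]);
  }
  free(ca_used);
+ free(rdata);
  if (key != NULL)
  key_free(key);
  buffer_free(&copy);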
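Review bot: The ownership rule behind `rdata = NULL; /* revoke_blob frees blob */` at new line 1034 is not stated precisely enough to check the new `free(rdata)` under `out:` from this hunk. The cleanup is correct only if revoke_blob() leaves the buffer untouched whenever it returns non-zero; if it frees its argument on any failure path, the `goto out` at new line 1033 ends in a double free while parsing a KRL read from input. revoke_blob() is outside the hunks, so that needs confirming there. The comment should then say what is relied on and use the new variable name, e.g. `rdata = NULL; /* revoke_blob() took ownership of rdata on success */`.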
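diff --git a/log.c b/log.c
index d69154a67..32e1d2e45 100644
--- a/log.c
+++ b/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */
+/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -38,6 +38,7 @@
 
 #include <sys/types.h>
 
+#include <fcntl.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -54,6 +55,7 @@
 
 static LogLevel log_level = SYSLOG_LEVEL_INFO;
 static int log_on_stderr = 1;
+static int log_stderr_fd = STDERR_FILENO;
 static int log_facility = LOG_AUTH;
 static char *argv0;
 static log_handler_fn *log_handler;
@@ -344,6 +346,20 @@ log_is_on_stderr(void)
  return log_on_stderr;
 }
 
+/* redirect what would usually get written to stderr to specified file */
+void
+log_redirect_stderr_to(const char *logfile)
+{
+ int fd;
+
+ if ((fd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0600)) == -1) {
+ fprintf(stderr, "Couldn't open logfile %s: %s\n", logfile,
+ strerror(errno));
+ exit(1);
+ }
+ log_stderr_fd = fd;
+}
+
 #define MSGBUFSIZ 1024
 
 void
@@ -429,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args)
  log_handler = tmp_handler;
  } else if (log_on_stderr) {
  snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
- write(STDERR_FILENO, msgbuf, strlen(msgbuf));
+ (void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
  } else {
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
  openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);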
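Review bot: `log_redirect_stderr_to()` stores the new descriptor in `log_stderr_fd` without closing one opened by an earlier call, and it opens the file without close-on-exec, so the log descriptor is inherited by anything the process later executes unless the caller closes descriptors itself (not visible here). I would add `if (log_stderr_fd != STDERR_FILENO) close(log_stderr_fd);` before the assignment and set close-on-exec, either with `O_CLOEXEC` in the open flags where available or with `fcntl(fd, F_SETFD, FD_CLOEXEC)`. The path is also opened with `O_CREAT` and followed through symlinks, which deserves a sentence in the function comment if the file name can come from anywhere less trusted than the process's own command line. In do_log, which continues outside the hunk, `(void)write(log_stderr_fd, ...)` still ignores short or failed writes.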
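diff --git a/log.h b/log.h
index e3e328b06..ae7df25d3 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */
+/* $OpenBSD: log.h,v 1.20 2013/04/07 02:10:33 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -51,6 +51,7 @@ typedef void (log_handler_fn)(LogLevel, const char *, void *);
 void log_init(char *, LogLevel, SyslogFacility, int);
 void log_change_level(LogLevel);
 int log_is_on_stderr(void);
+void log_redirect_stderr_to(const char *);
 
 SyslogFacility log_facility_number(char *);
 const char * log_facility_name(SyslogFacility);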
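diff --git a/loginrec.c b/loginrec.c
index f9662fa5c..59e8a44ee 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -347,7 +347,7 @@ logininfo *login_alloc_entry(pid_t pid, const char *username,
 void
 login_free_entry(struct logininfo *li)
 {
- xfree(li);
+ free(li);
 }
 
 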
diff --git a/mac.c b/mac.c
index 3f2dc6f2a..c4dfb501d 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ 1/* $OpenBSD: mac.c,v 1.24 2013/06/03 00:03:18 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -50,7 +50,7 @@
50#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ 50#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
51#define SSH_UMAC128 3 51#define SSH_UMAC128 3
52 52
53struct { 53struct macalg {
54 char *name; 54 char *name;
55 int type; 55 int type;
56 const EVP_MD * (*mdfunc)(void); 56 const EVP_MD * (*mdfunc)(void);
@@ -58,7 +58,9 @@ struct {
58 int key_len; /* just for UMAC */ 58 int key_len; /* just for UMAC */
59 int len; /* just for UMAC */ 59 int len; /* just for UMAC */
60 int etm; /* Encrypt-then-MAC */ 60 int etm; /* Encrypt-then-MAC */
61} macs[] = { 61};
62
63static const struct macalg macs[] = {
62 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ 64 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
63 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, 65 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
64 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, 66 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@@ -89,38 +91,58 @@ struct {
89 { NULL, 0, NULL, 0, 0, 0, 0 } 91 { NULL, 0, NULL, 0, 0, 0, 0 }
90}; 92};
91 93
94/* Returns a comma-separated list of supported MACs. */
95char *
96mac_alg_list(void)
97{
98 char *ret = NULL;
99 size_t nlen, rlen = 0;
100 const struct macalg *m;
101
102 for (m = macs; m->name != NULL; m++) {
103 if (ret != NULL)
104 ret[rlen++] = '\n';
105 nlen = strlen(m->name);
106 ret = xrealloc(ret, 1, rlen + nlen + 2);
107 memcpy(ret + rlen, m->name, nlen + 1);
108 rlen += nlen;
109 }
110 return ret;
111}
112
92static void 113static void
93mac_setup_by_id(Mac *mac, int which) 114mac_setup_by_alg(Mac *mac, const struct macalg *macalg)
94{ 115{
95 int evp_len; 116 int evp_len;
96 mac->type = macs[which].type; 117
118 mac->type = macalg->type;
97 if (mac->type == SSH_EVP) { 119 if (mac->type == SSH_EVP) {
98 mac->evp_md = (*macs[which].mdfunc)(); 120 mac->evp_md = macalg->mdfunc();
99 if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0) 121 if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
100 fatal("mac %s len %d", mac->name, evp_len); 122 fatal("mac %s len %d", mac->name, evp_len);
101 mac->key_len = mac->mac_len = (u_int)evp_len; 123 mac->key_len = mac->mac_len = (u_int)evp_len;
102 } else { 124 } else {
103 mac->mac_len = macs[which].len / 8; 125 mac->mac_len = macalg->len / 8;
104 mac->key_len = macs[which].key_len / 8; 126 mac->key_len = macalg->key_len / 8;
105 mac->umac_ctx = NULL; 127 mac->umac_ctx = NULL;
106 } 128 }
107 if (macs[which].truncatebits != 0) 129 if (macalg->truncatebits != 0)
108 mac->mac_len = macs[which].truncatebits / 8; 130 mac->mac_len = macalg->truncatebits / 8;
109 mac->etm = macs[which].etm; 131 mac->etm = macalg->etm;
110} 132}
111 133
112int 134int
113mac_setup(Mac *mac, char *name) 135mac_setup(Mac *mac, char *name)
114{ 136{
115 int i; 137 const struct macalg *m;
116 138
117 for (i = 0; macs[i].name; i++) { 139 for (m = macs; m->name != NULL; m++) {
118 if (strcmp(name, macs[i].name) == 0) { 140 if (strcmp(name, m->name) != 0)
119 if (mac != NULL) 141 continue;
120 mac_setup_by_id(mac, i); 142 if (mac != NULL)
121 debug2("mac_setup: found %s", name); 143 mac_setup_by_alg(mac, m);
122 return (0); 144 debug2("mac_setup: found %s", name);
123 } 145 return (0);
124 } 146 }
125 debug2("mac_setup: unknown %s", name); 147 debug2("mac_setup: unknown %s", name);
126 return (-1); 148 return (-1);
@@ -152,12 +174,15 @@ mac_init(Mac *mac)
152u_char * 174u_char *
153mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) 175mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
154{ 176{
155 static u_char m[EVP_MAX_MD_SIZE]; 177 static union {
178 u_char m[EVP_MAX_MD_SIZE];
179 u_int64_t for_align;
180 } u;
156 u_char b[4], nonce[8]; 181 u_char b[4], nonce[8];
157 182
158 if (mac->mac_len > sizeof(m)) 183 if (mac->mac_len > sizeof(u))
159 fatal("mac_compute: mac too long %u %lu", 184 fatal("mac_compute: mac too long %u %lu",
160 mac->mac_len, (u_long)sizeof(m)); 185 mac->mac_len, (u_long)sizeof(u));
161 186
162 switch (mac->type) { 187 switch (mac->type) {
163 case SSH_EVP: 188 case SSH_EVP:
@@ -166,22 +191,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
166 HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); 191 HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
167 HMAC_Update(&mac->evp_ctx, b, sizeof(b)); 192 HMAC_Update(&mac->evp_ctx, b, sizeof(b));
168 HMAC_Update(&mac->evp_ctx, data, datalen); 193 HMAC_Update(&mac->evp_ctx, data, datalen);
169 HMAC_Final(&mac->evp_ctx, m, NULL); 194 HMAC_Final(&mac->evp_ctx, u.m, NULL);
170 break; 195 break;
171 case SSH_UMAC: 196 case SSH_UMAC:
172 put_u64(nonce, seqno); 197 put_u64(nonce, seqno);
173 umac_update(mac->umac_ctx, data, datalen); 198 umac_update(mac->umac_ctx, data, datalen);
174 umac_final(mac->umac_ctx, m, nonce); 199 umac_final(mac->umac_ctx, u.m, nonce);
175 break; 200 break;
176 case SSH_UMAC128: 201 case SSH_UMAC128:
177 put_u64(nonce, seqno); 202 put_u64(nonce, seqno);
178 umac128_update(mac->umac_ctx, data, datalen); 203 umac128_update(mac->umac_ctx, data, datalen);
179 umac128_final(mac->umac_ctx, m, nonce); 204 umac128_final(mac->umac_ctx, u.m, nonce);
180 break; 205 break;
181 default: 206 default:
182 fatal("mac_compute: unknown MAC type"); 207 fatal("mac_compute: unknown MAC type");
183 } 208 }
184 return (m); 209 return (u.m);
185} 210}
186 211
187void 212void
@@ -213,13 +238,13 @@ mac_valid(const char *names)
213 (p = strsep(&cp, MAC_SEP))) { 238 (p = strsep(&cp, MAC_SEP))) {
214 if (mac_setup(NULL, p) < 0) { 239 if (mac_setup(NULL, p) < 0) {
215 debug("bad mac %s [%s]", p, names); 240 debug("bad mac %s [%s]", p, names);
216 xfree(maclist); 241 free(maclist);
217 return (0); 242 return (0);
218 } else { 243 } else {
219 debug3("mac ok: %s [%s]", p, names); 244 debug3("mac ok: %s [%s]", p, names);
220 } 245 }
221 } 246 }
222 debug3("macs ok: [%s]", names); 247 debug3("macs ok: [%s]", names);
223 xfree(maclist); 248 free(maclist);
224 return (1); 249 return (1);
225} 250}
diff --git a/mac.h b/mac.h
index 39f564dd3..260798ab3 100644
--- a/mac.h
+++ b/mac.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */ 1/* $OpenBSD: mac.h,v 1.7 2013/04/19 01:06:50 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * 4 *
@@ -24,6 +24,7 @@
24 */ 24 */
25 25
26int mac_valid(const char *); 26int mac_valid(const char *);
27char *mac_alg_list(void);
27int mac_setup(Mac *, char *); 28int mac_setup(Mac *, char *);
28int mac_init(Mac *); 29int mac_init(Mac *);
29u_char *mac_compute(Mac *, u_int32_t, u_char *, int); 30u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
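Review bot: The new `char *mac_alg_list(void);` prototype at new line 27 says nothing about who owns the returned string. The tail of the implementation visible in mac.c grows `ret` with `xrealloc()` and returns it, so the caller appears to be responsible for releasing it; the start of that function is outside this view, so treat that as inferred. A short comment on the declaration would prevent leaks or a mistaken free of static storage, e.g. `/* returns an allocated list of MAC names; caller must free() */`.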
diff --git a/match.c b/match.c
index 238947778..7be7d2c5c 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ 1/* $OpenBSD: match.c,v 1.28 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -40,6 +40,7 @@
40#include <sys/types.h> 40#include <sys/types.h>
41 41
42#include <ctype.h> 42#include <ctype.h>
43#include <stdlib.h>
43#include <string.h> 44#include <string.h>
44 45
45#include "xmalloc.h" 46#include "xmalloc.h"
@@ -226,14 +227,14 @@ match_user(const char *user, const char *host, const char *ipaddr,
226 227
227 if ((ret = match_pattern(user, pat)) == 1) 228 if ((ret = match_pattern(user, pat)) == 1)
228 ret = match_host_and_ip(host, ipaddr, p); 229 ret = match_host_and_ip(host, ipaddr, p);
229 xfree(pat); 230 free(pat);
230 231
231 return ret; 232 return ret;
232} 233}
233 234
234/* 235/*
235 * Returns first item from client-list that is also supported by server-list, 236 * Returns first item from client-list that is also supported by server-list,
236 * caller must xfree() returned string. 237 * caller must free the returned string.
237 */ 238 */
238#define MAX_PROP 40 239#define MAX_PROP 40
239#define SEP "," 240#define SEP ","
@@ -264,15 +265,15 @@ match_list(const char *client, const char *server, u_int *next)
264 if (next != NULL) 265 if (next != NULL)
265 *next = (cp == NULL) ? 266 *next = (cp == NULL) ?
266 strlen(c) : (u_int)(cp - c); 267 strlen(c) : (u_int)(cp - c);
267 xfree(c); 268 free(c);
268 xfree(s); 269 free(s);
269 return ret; 270 return ret;
270 } 271 }
271 } 272 }
272 } 273 }
273 if (next != NULL) 274 if (next != NULL)
274 *next = strlen(c); 275 *next = strlen(c);
275 xfree(c); 276 free(c);
276 xfree(s); 277 free(s);
277 return NULL; 278 return NULL;
278} 279}
diff --git a/misc.c b/misc.c
index a7a23dcc6..c3c809943 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */ 1/* $OpenBSD: misc.c,v 1.91 2013/07/12 00:43:50 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 4 * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -127,7 +127,7 @@ unset_nonblock(int fd)
127const char * 127const char *
128ssh_gai_strerror(int gaierr) 128ssh_gai_strerror(int gaierr)
129{ 129{
130 if (gaierr == EAI_SYSTEM) 130 if (gaierr == EAI_SYSTEM && errno != 0)
131 return strerror(errno); 131 return strerror(errno);
132 return gai_strerror(gaierr); 132 return gai_strerror(gaierr);
133} 133}
@@ -206,16 +206,18 @@ pwcopy(struct passwd *pw)
206 206
207 copy->pw_name = xstrdup(pw->pw_name); 207 copy->pw_name = xstrdup(pw->pw_name);
208 copy->pw_passwd = xstrdup(pw->pw_passwd); 208 copy->pw_passwd = xstrdup(pw->pw_passwd);
209#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
209 copy->pw_gecos = xstrdup(pw->pw_gecos); 210 copy->pw_gecos = xstrdup(pw->pw_gecos);
211#endif
210 copy->pw_uid = pw->pw_uid; 212 copy->pw_uid = pw->pw_uid;
211 copy->pw_gid = pw->pw_gid; 213 copy->pw_gid = pw->pw_gid;
212#ifdef HAVE_PW_EXPIRE_IN_PASSWD 214#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
213 copy->pw_expire = pw->pw_expire; 215 copy->pw_expire = pw->pw_expire;
214#endif 216#endif
215#ifdef HAVE_PW_CHANGE_IN_PASSWD 217#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE
216 copy->pw_change = pw->pw_change; 218 copy->pw_change = pw->pw_change;
217#endif 219#endif
218#ifdef HAVE_PW_CLASS_IN_PASSWD 220#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
219 copy->pw_class = xstrdup(pw->pw_class); 221 copy->pw_class = xstrdup(pw->pw_class);
220#endif 222#endif
221 copy->pw_dir = xstrdup(pw->pw_dir); 223 copy->pw_dir = xstrdup(pw->pw_dir);
@@ -251,13 +253,13 @@ a2tun(const char *s, int *remote)
251 *remote = SSH_TUNID_ANY; 253 *remote = SSH_TUNID_ANY;
252 sp = xstrdup(s); 254 sp = xstrdup(s);
253 if ((ep = strchr(sp, ':')) == NULL) { 255 if ((ep = strchr(sp, ':')) == NULL) {
254 xfree(sp); 256 free(sp);
255 return (a2tun(s, NULL)); 257 return (a2tun(s, NULL));
256 } 258 }
257 ep[0] = '\0'; ep++; 259 ep[0] = '\0'; ep++;
258 *remote = a2tun(ep, NULL); 260 *remote = a2tun(ep, NULL);
259 tun = a2tun(sp, NULL); 261 tun = a2tun(sp, NULL);
260 xfree(sp); 262 free(sp);
261 return (*remote == SSH_TUNID_ERR ? *remote : tun); 263 return (*remote == SSH_TUNID_ERR ? *remote : tun);
262 } 264 }
263 265
@@ -490,7 +492,7 @@ replacearg(arglist *args, u_int which, char *fmt, ...)
490 if (which >= args->num) 492 if (which >= args->num)
491 fatal("replacearg: tried to replace invalid arg %d >= %d", 493 fatal("replacearg: tried to replace invalid arg %d >= %d",
492 which, args->num); 494 which, args->num);
493 xfree(args->list[which]); 495 free(args->list[which]);
494 args->list[which] = cp; 496 args->list[which] = cp;
495} 497}
496 498
@@ -501,8 +503,8 @@ freeargs(arglist *args)
501 503
502 if (args->list != NULL) { 504 if (args->list != NULL) {
503 for (i = 0; i < args->num; i++) 505 for (i = 0; i < args->num; i++)
504 xfree(args->list[i]); 506 free(args->list[i]);
505 xfree(args->list); 507 free(args->list);
506 args->nalloc = args->num = 0; 508 args->nalloc = args->num = 0;
507 args->list = NULL; 509 args->list = NULL;
508 } 510 }
@@ -515,8 +517,8 @@ freeargs(arglist *args)
515char * 517char *
516tilde_expand_filename(const char *filename, uid_t uid) 518tilde_expand_filename(const char *filename, uid_t uid)
517{ 519{
518 const char *path; 520 const char *path, *sep;
519 char user[128], ret[MAXPATHLEN]; 521 char user[128], *ret;
520 struct passwd *pw; 522 struct passwd *pw;
521 u_int len, slash; 523 u_int len, slash;
522 524
@@ -536,22 +538,21 @@ tilde_expand_filename(const char *filename, uid_t uid)
536 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ 538 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
537 fatal("tilde_expand_filename: No such uid %ld", (long)uid); 539 fatal("tilde_expand_filename: No such uid %ld", (long)uid);
538 540
539 if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
540 fatal("tilde_expand_filename: Path too long");
541
542 /* Make sure directory has a trailing '/' */ 541 /* Make sure directory has a trailing '/' */
543 len = strlen(pw->pw_dir); 542 len = strlen(pw->pw_dir);
544 if ((len == 0 || pw->pw_dir[len - 1] != '/') && 543 if (len == 0 || pw->pw_dir[len - 1] != '/')
545 strlcat(ret, "/", sizeof(ret)) >= sizeof(ret)) 544 sep = "/";
546 fatal("tilde_expand_filename: Path too long"); 545 else
546 sep = "";
547 547
548 /* Skip leading '/' from specified path */ 548 /* Skip leading '/' from specified path */
549 if (path != NULL) 549 if (path != NULL)
550 filename = path + 1; 550 filename = path + 1;
551 if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret)) 551
552 if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= MAXPATHLEN)
552 fatal("tilde_expand_filename: Path too long"); 553 fatal("tilde_expand_filename: Path too long");
553 554
554 return (xstrdup(ret)); 555 return (ret);
555} 556}
556 557
557/* 558/*
@@ -853,6 +854,24 @@ ms_to_timeval(struct timeval *tv, int ms)
853 tv->tv_usec = (ms % 1000) * 1000; 854 tv->tv_usec = (ms % 1000) * 1000;
854} 855}
855 856
857time_t
858monotime(void)
859{
860#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
861 struct timespec ts;
862 static int gettime_failed = 0;
863
864 if (!gettime_failed) {
865 if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
866 return (ts.tv_sec);
867 debug3("clock_gettime: %s", strerror(errno));
868 gettime_failed = 1;
869 }
870#endif
871
872 return time(NULL);
873}
874
856void 875void
857bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) 876bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen)
858{ 877{
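Review bot: monotime() (new lines 857-873) has no comment saying that its result is only meaningful as a difference between two calls, and the fallback path makes that contract matter. If `clock_gettime(CLOCK_MONOTONIC, &ts)` fails once, `gettime_failed` latches and every later call returns wall-clock `time(NULL)`, which has a different origin from any monotonic value a caller stored earlier. An interval or timeout computed across that switch would be wrong, and the fallback is again subject to wall-clock steps. I would state this at the definition, e.g. `/* Seconds from an arbitrary origin, for measuring intervals only; falls back to time(NULL) when CLOCK_MONOTONIC is unavailable. */`, and repeat a one-line version on the prototype in misc.h.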
diff --git a/misc.h b/misc.h
index f3142a95e..fceb30655 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */ 1/* $OpenBSD: misc.h,v 1.49 2013/06/01 13:15:52 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,6 +35,7 @@ char *tohex(const void *, size_t);
35void sanitise_stdfd(void); 35void sanitise_stdfd(void);
36void ms_subtract_diff(struct timeval *, int *); 36void ms_subtract_diff(struct timeval *, int *);
37void ms_to_timeval(struct timeval *, int); 37void ms_to_timeval(struct timeval *, int);
38time_t monotime(void);
38void sock_set_v6only(int); 39void sock_set_v6only(int);
39 40
40struct passwd *pwcopy(struct passwd *); 41struct passwd *pwcopy(struct passwd *);
diff --git a/moduli.0 b/moduli.0
index 77dfa4295..7dc2cd540 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
71 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, 71 the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
72 2006. 72 2006.
73 73
74OpenBSD 5.3 September 26, 2012 OpenBSD 5.3 74OpenBSD 5.4 September 26, 2012 OpenBSD 5.4
diff --git a/moduli.c b/moduli.c
index 5267bb9ab..294ff8fde 100644
--- a/moduli.c
+++ b/moduli.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */ 1/* $OpenBSD: moduli.c,v 1.27 2013/05/17 00:13:13 djm Exp $ */
2/* 2/*
3 * Copyright 1994 Phil Karn <karn@qualcomm.com> 3 * Copyright 1994 Phil Karn <karn@qualcomm.com>
4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com> 4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@@ -433,9 +433,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
433 433
434 time(&time_stop); 434 time(&time_stop);
435 435
436 xfree(LargeSieve); 436 free(LargeSieve);
437 xfree(SmallSieve); 437 free(SmallSieve);
438 xfree(TinySieve); 438 free(TinySieve);
439 439
440 logit("%.24s Found %u candidates", ctime(&time_stop), r); 440 logit("%.24s Found %u candidates", ctime(&time_stop), r);
441 441
@@ -709,7 +709,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
709 } 709 }
710 710
711 time(&time_stop); 711 time(&time_stop);
712 xfree(lp); 712 free(lp);
713 BN_free(p); 713 BN_free(p);
714 BN_free(q); 714 BN_free(q);
715 BN_CTX_free(ctx); 715 BN_CTX_free(ctx);
diff --git a/monitor.c b/monitor.c
index d7a782f89..bd9303bdb 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ 1/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -97,6 +97,7 @@
97#include "ssh2.h" 97#include "ssh2.h"
98#include "jpake.h" 98#include "jpake.h"
99#include "roaming.h" 99#include "roaming.h"
100#include "authfd.h"
100 101
101#ifdef GSSAPI 102#ifdef GSSAPI
102static Gssctxt *gsscontext = NULL; 103static Gssctxt *gsscontext = NULL;
@@ -405,7 +406,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
405 "with SSH protocol 1"); 406 "with SSH protocol 1");
406 if (authenticated && 407 if (authenticated &&
407 !auth2_update_methods_lists(authctxt, 408 !auth2_update_methods_lists(authctxt,
408 auth_method)) { 409 auth_method, auth_submethod)) {
409 debug3("%s: method %s: partial", __func__, 410 debug3("%s: method %s: partial", __func__,
410 auth_method); 411 auth_method);
411 authenticated = 0; 412 authenticated = 0;
@@ -435,8 +436,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
435 } 436 }
436 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { 437 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
437 auth_log(authctxt, authenticated, partial, 438 auth_log(authctxt, authenticated, partial,
438 auth_method, auth_submethod, 439 auth_method, auth_submethod);
439 compat20 ? " ssh2" : "");
440 if (!authenticated) 440 if (!authenticated)
441 authctxt->failures++; 441 authctxt->failures++;
442 } 442 }
@@ -568,7 +568,7 @@ monitor_read_log(struct monitor *pmonitor)
568 do_log2(level, "%s [preauth]", msg); 568 do_log2(level, "%s [preauth]", msg);
569 569
570 buffer_free(&logmsg); 570 buffer_free(&logmsg);
571 xfree(msg); 571 free(msg);
572 572
573 return 0; 573 return 0;
574} 574}
@@ -659,12 +659,9 @@ static void
659monitor_reset_key_state(void) 659monitor_reset_key_state(void)
660{ 660{
661 /* reset state */ 661 /* reset state */
662 if (key_blob != NULL) 662 free(key_blob);
663 xfree(key_blob); 663 free(hostbased_cuser);
664 if (hostbased_cuser != NULL) 664 free(hostbased_chost);
665 xfree(hostbased_cuser);
666 if (hostbased_chost != NULL)
667 xfree(hostbased_chost);
668 key_blob = NULL; 665 key_blob = NULL;
669 key_bloblen = 0; 666 key_bloblen = 0;
670 key_blobtype = MM_NOKEY; 667 key_blobtype = MM_NOKEY;
@@ -707,6 +704,8 @@ mm_answer_moduli(int sock, Buffer *m)
707 return (0); 704 return (0);
708} 705}
709 706
707extern AuthenticationConnection *auth_conn;
708
710int 709int
711mm_answer_sign(int sock, Buffer *m) 710mm_answer_sign(int sock, Buffer *m)
712{ 711{
@@ -735,18 +734,24 @@ mm_answer_sign(int sock, Buffer *m)
735 memcpy(session_id2, p, session_id2_len); 734 memcpy(session_id2, p, session_id2_len);
736 } 735 }
737 736
738 if ((key = get_hostkey_by_index(keyid)) == NULL) 737 if ((key = get_hostkey_by_index(keyid)) != NULL) {
738 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
739 fatal("%s: key_sign failed", __func__);
740 } else if ((key = get_hostkey_public_by_index(keyid)) != NULL &&
741 auth_conn != NULL) {
742 if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p,
743 datlen) < 0)
744 fatal("%s: ssh_agent_sign failed", __func__);
745 } else
739 fatal("%s: no hostkey from index %d", __func__, keyid); 746 fatal("%s: no hostkey from index %d", __func__, keyid);
740 if (key_sign(key, &signature, &siglen, p, datlen) < 0)
741 fatal("%s: key_sign failed", __func__);
742 747
743 debug3("%s: signature %p(%u)", __func__, signature, siglen); 748 debug3("%s: signature %p(%u)", __func__, signature, siglen);
744 749
745 buffer_clear(m); 750 buffer_clear(m);
746 buffer_put_string(m, signature, siglen); 751 buffer_put_string(m, signature, siglen);
747 752
748 xfree(p); 753 free(p);
749 xfree(signature); 754 free(signature);
750 755
751 mm_request_send(sock, MONITOR_ANS_SIGN, m); 756 mm_request_send(sock, MONITOR_ANS_SIGN, m);
752 757
@@ -777,7 +782,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
777 782
778 authctxt->user = xstrdup(username); 783 authctxt->user = xstrdup(username);
779 setproctitle("%s [priv]", pwent ? username : "unknown"); 784 setproctitle("%s [priv]", pwent ? username : "unknown");
780 xfree(username); 785 free(username);
781 786
782 buffer_clear(m); 787 buffer_clear(m);
783 788
@@ -795,8 +800,10 @@ mm_answer_pwnamallow(int sock, Buffer *m)
795 buffer_put_string(m, pwent, sizeof(struct passwd)); 800 buffer_put_string(m, pwent, sizeof(struct passwd));
796 buffer_put_cstring(m, pwent->pw_name); 801 buffer_put_cstring(m, pwent->pw_name);
797 buffer_put_cstring(m, "*"); 802 buffer_put_cstring(m, "*");
803#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
798 buffer_put_cstring(m, pwent->pw_gecos); 804 buffer_put_cstring(m, pwent->pw_gecos);
799#ifdef HAVE_PW_CLASS_IN_PASSWD 805#endif
806#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
800 buffer_put_cstring(m, pwent->pw_class); 807 buffer_put_cstring(m, pwent->pw_class);
801#endif 808#endif
802 buffer_put_cstring(m, pwent->pw_dir); 809 buffer_put_cstring(m, pwent->pw_dir);
@@ -855,9 +862,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m)
855 banner = auth2_read_banner(); 862 banner = auth2_read_banner();
856 buffer_put_cstring(m, banner != NULL ? banner : ""); 863 buffer_put_cstring(m, banner != NULL ? banner : "");
857 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); 864 mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
858 865 free(banner);
859 if (banner != NULL)
860 xfree(banner);
861 866
862 return (0); 867 return (0);
863} 868}
@@ -873,7 +878,7 @@ mm_answer_authserv(int sock, Buffer *m)
873 __func__, authctxt->service, authctxt->style); 878 __func__, authctxt->service, authctxt->style);
874 879
875 if (strlen(authctxt->style) == 0) { 880 if (strlen(authctxt->style) == 0) {
876 xfree(authctxt->style); 881 free(authctxt->style);
877 authctxt->style = NULL; 882 authctxt->style = NULL;
878 } 883 }
879 884
@@ -893,7 +898,7 @@ mm_answer_authpassword(int sock, Buffer *m)
893 authenticated = options.password_authentication && 898 authenticated = options.password_authentication &&
894 auth_password(authctxt, passwd); 899 auth_password(authctxt, passwd);
895 memset(passwd, 0, strlen(passwd)); 900 memset(passwd, 0, strlen(passwd));
896 xfree(passwd); 901 free(passwd);
897 902
898 buffer_clear(m); 903 buffer_clear(m);
899 buffer_put_int(m, authenticated); 904 buffer_put_int(m, authenticated);
@@ -933,10 +938,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
933 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); 938 mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
934 939
935 if (success) { 940 if (success) {
936 xfree(name); 941 free(name);
937 xfree(infotxt); 942 free(infotxt);
938 xfree(prompts); 943 free(prompts);
939 xfree(echo_on); 944 free(echo_on);
940 } 945 }
941 946
942 return (0); 947 return (0);
@@ -956,7 +961,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
956 auth_userresponse(authctxt->as, response, 0); 961 auth_userresponse(authctxt->as, response, 0);
957 authctxt->as = NULL; 962 authctxt->as = NULL;
958 debug3("%s: <%s> = <%d>", __func__, response, authok); 963 debug3("%s: <%s> = <%d>", __func__, response, authok);
959 xfree(response); 964 free(response);
960 965
961 buffer_clear(m); 966 buffer_clear(m);
962 buffer_put_int(m, authok); 967 buffer_put_int(m, authok);
@@ -964,9 +969,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
964 debug3("%s: sending authenticated: %d", __func__, authok); 969 debug3("%s: sending authenticated: %d", __func__, authok);
965 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); 970 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
966 971
967 if (compat20) 972 if (compat20) {
968 auth_method = "keyboard-interactive"; /* XXX auth_submethod */ 973 auth_method = "keyboard-interactive";
969 else 974 auth_submethod = "bsdauth";
975 } else
970 auth_method = "bsdauth"; 976 auth_method = "bsdauth";
971 977
972 return (authok != 0); 978 return (authok != 0);
@@ -1008,7 +1014,7 @@ mm_answer_skeyrespond(int sock, Buffer *m)
1008 skey_haskey(authctxt->pw->pw_name) == 0 && 1014 skey_haskey(authctxt->pw->pw_name) == 0 &&
1009 skey_passcheck(authctxt->pw->pw_name, response) != -1); 1015 skey_passcheck(authctxt->pw->pw_name, response) != -1);
1010 1016
1011 xfree(response); 1017 free(response);
1012 1018
1013 buffer_clear(m); 1019 buffer_clear(m);
1014 buffer_put_int(m, authok); 1020 buffer_put_int(m, authok);
@@ -1093,19 +1099,17 @@ mm_answer_pam_query(int sock, Buffer *m)
1093 buffer_clear(m); 1099 buffer_clear(m);
1094 buffer_put_int(m, ret); 1100 buffer_put_int(m, ret);
1095 buffer_put_cstring(m, name); 1101 buffer_put_cstring(m, name);
1096 xfree(name); 1102 free(name);
1097 buffer_put_cstring(m, info); 1103 buffer_put_cstring(m, info);
1098 xfree(info); 1104 free(info);
1099 buffer_put_int(m, num); 1105 buffer_put_int(m, num);
1100 for (i = 0; i < num; ++i) { 1106 for (i = 0; i < num; ++i) {
1101 buffer_put_cstring(m, prompts[i]); 1107 buffer_put_cstring(m, prompts[i]);
1102 xfree(prompts[i]); 1108 free(prompts[i]);
1103 buffer_put_int(m, echo_on[i]); 1109 buffer_put_int(m, echo_on[i]);
1104 } 1110 }
1105 if (prompts != NULL) 1111 free(prompts);
1106 xfree(prompts); 1112 free(echo_on);
1107 if (echo_on != NULL)
1108 xfree(echo_on);
1109 auth_method = "keyboard-interactive"; 1113 auth_method = "keyboard-interactive";
1110 auth_submethod = "pam"; 1114 auth_submethod = "pam";
1111 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); 1115 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
@@ -1128,8 +1132,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
1128 resp[i] = buffer_get_string(m, NULL); 1132 resp[i] = buffer_get_string(m, NULL);
1129 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); 1133 ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
1130 for (i = 0; i < num; ++i) 1134 for (i = 0; i < num; ++i)
1131 xfree(resp[i]); 1135 free(resp[i]);
1132 xfree(resp); 1136 free(resp);
1133 } else { 1137 } else {
1134 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); 1138 ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
1135 } 1139 }
@@ -1187,6 +1191,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
1187 case MM_USERKEY: 1191 case MM_USERKEY:
1188 allowed = options.pubkey_authentication && 1192 allowed = options.pubkey_authentication &&
1189 user_key_allowed(authctxt->pw, key); 1193 user_key_allowed(authctxt->pw, key);
1194 pubkey_auth_info(authctxt, key, NULL);
1190 auth_method = "publickey"; 1195 auth_method = "publickey";
1191 if (options.pubkey_authentication && allowed != 1) 1196 if (options.pubkey_authentication && allowed != 1)
1192 auth_clear_options(); 1197 auth_clear_options();
@@ -1195,6 +1200,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
1195 allowed = options.hostbased_authentication && 1200 allowed = options.hostbased_authentication &&
1196 hostbased_key_allowed(authctxt->pw, 1201 hostbased_key_allowed(authctxt->pw,
1197 cuser, chost, key); 1202 cuser, chost, key);
1203 pubkey_auth_info(authctxt, key,
1204 "client user \"%.100s\", client host \"%.100s\"",
1205 cuser, chost);
1198 auth_method = "hostbased"; 1206 auth_method = "hostbased";
1199 break; 1207 break;
1200 case MM_RSAHOSTKEY: 1208 case MM_RSAHOSTKEY:
@@ -1226,11 +1234,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
1226 hostbased_chost = chost; 1234 hostbased_chost = chost;
1227 } else { 1235 } else {
1228 /* Log failed attempt */ 1236 /* Log failed attempt */
1229 auth_log(authctxt, 0, 0, auth_method, NULL, 1237 auth_log(authctxt, 0, 0, auth_method, NULL);
1230 compat20 ? " ssh2" : ""); 1238 free(blob);
1231 xfree(blob); 1239 free(cuser);
1232 xfree(cuser); 1240 free(chost);
1233 xfree(chost);
1234 } 1241 }
1235 1242
1236 debug3("%s: key %p is %s", 1243 debug3("%s: key %p is %s",
@@ -1252,7 +1259,7 @@ static int
1252monitor_valid_userblob(u_char *data, u_int datalen) 1259monitor_valid_userblob(u_char *data, u_int datalen)
1253{ 1260{
1254 Buffer b; 1261 Buffer b;
1255 char *p; 1262 char *p, *userstyle;
1256 u_int len; 1263 u_int len;
1257 int fail = 0; 1264 int fail = 0;
1258 1265
@@ -1273,26 +1280,30 @@ monitor_valid_userblob(u_char *data, u_int datalen)
1273 (len != session_id2_len) || 1280 (len != session_id2_len) ||
1274 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1281 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
1275 fail++; 1282 fail++;
1276 xfree(p); 1283 free(p);
1277 } 1284 }
1278 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1285 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1279 fail++; 1286 fail++;
1280 p = buffer_get_string(&b, NULL); 1287 p = buffer_get_cstring(&b, NULL);
1281 if (strcmp(authctxt->user, p) != 0) { 1288 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1289 authctxt->style ? ":" : "",
1290 authctxt->style ? authctxt->style : "");
1291 if (strcmp(userstyle, p) != 0) {
1282 logit("wrong user name passed to monitor: expected %s != %.100s", 1292 logit("wrong user name passed to monitor: expected %s != %.100s",
1283 authctxt->user, p); 1293 userstyle, p);
1284 fail++; 1294 fail++;
1285 } 1295 }
1286 xfree(p); 1296 free(userstyle);
1297 free(p);
1287 buffer_skip_string(&b); 1298 buffer_skip_string(&b);
1288 if (datafellows & SSH_BUG_PKAUTH) { 1299 if (datafellows & SSH_BUG_PKAUTH) {
1289 if (!buffer_get_char(&b)) 1300 if (!buffer_get_char(&b))
1290 fail++; 1301 fail++;
1291 } else { 1302 } else {
1292 p = buffer_get_string(&b, NULL); 1303 p = buffer_get_cstring(&b, NULL);
1293 if (strcmp("publickey", p) != 0) 1304 if (strcmp("publickey", p) != 0)
1294 fail++; 1305 fail++;
1295 xfree(p); 1306 free(p);
1296 if (!buffer_get_char(&b)) 1307 if (!buffer_get_char(&b))
1297 fail++; 1308 fail++;
1298 buffer_skip_string(&b); 1309 buffer_skip_string(&b);
@@ -1309,7 +1320,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1309 char *chost) 1320 char *chost)
1310{ 1321{
1311 Buffer b; 1322 Buffer b;
1312 char *p; 1323 char *p, *userstyle;
1313 u_int len; 1324 u_int len;
1314 int fail = 0; 1325 int fail = 0;
1315 1326
@@ -1321,22 +1332,26 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1321 (len != session_id2_len) || 1332 (len != session_id2_len) ||
1322 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) 1333 (timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
1323 fail++; 1334 fail++;
1324 xfree(p); 1335 free(p);
1325 1336
1326 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) 1337 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
1327 fail++; 1338 fail++;
1328 p = buffer_get_string(&b, NULL); 1339 p = buffer_get_cstring(&b, NULL);
1329 if (strcmp(authctxt->user, p) != 0) { 1340 xasprintf(&userstyle, "%s%s%s", authctxt->user,
1341 authctxt->style ? ":" : "",
1342 authctxt->style ? authctxt->style : "");
1343 if (strcmp(userstyle, p) != 0) {
1330 logit("wrong user name passed to monitor: expected %s != %.100s", 1344 logit("wrong user name passed to monitor: expected %s != %.100s",
1331 authctxt->user, p); 1345 userstyle, p);
1332 fail++; 1346 fail++;
1333 } 1347 }
1334 xfree(p); 1348 free(userstyle);
1349 free(p);
1335 buffer_skip_string(&b); /* service */ 1350 buffer_skip_string(&b); /* service */
1336 p = buffer_get_string(&b, NULL); 1351 p = buffer_get_cstring(&b, NULL);
1337 if (strcmp(p, "hostbased") != 0) 1352 if (strcmp(p, "hostbased") != 0)
1338 fail++; 1353 fail++;
1339 xfree(p); 1354 free(p);
1340 buffer_skip_string(&b); /* pkalg */ 1355 buffer_skip_string(&b); /* pkalg */
1341 buffer_skip_string(&b); /* pkblob */ 1356 buffer_skip_string(&b); /* pkblob */
1342 1357
@@ -1346,13 +1361,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
1346 p[len - 1] = '\0'; 1361 p[len - 1] = '\0';
1347 if (strcmp(p, chost) != 0) 1362 if (strcmp(p, chost) != 0)
1348 fail++; 1363 fail++;
1349 xfree(p); 1364 free(p);
1350 1365
1351 /* verify client user */ 1366 /* verify client user */
1352 p = buffer_get_string(&b, NULL); 1367 p = buffer_get_string(&b, NULL);
1353 if (strcmp(p, cuser) != 0) 1368 if (strcmp(p, cuser) != 0)
1354 fail++; 1369 fail++;
1355 xfree(p); 1370 free(p);
1356 1371
1357 if (buffer_len(&b) != 0) 1372 if (buffer_len(&b) != 0)
1358 fail++; 1373 fail++;
@@ -1401,9 +1416,9 @@ mm_answer_keyverify(int sock, Buffer *m)
1401 __func__, key, (verified == 1) ? "verified" : "unverified"); 1416 __func__, key, (verified == 1) ? "verified" : "unverified");
1402 1417
1403 key_free(key); 1418 key_free(key);
1404 xfree(blob); 1419 free(blob);
1405 xfree(signature); 1420 free(signature);
1406 xfree(data); 1421 free(data);
1407 1422
1408 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; 1423 auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1409 1424
@@ -1531,7 +1546,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
1531 if ((s = session_by_tty(tty)) != NULL) 1546 if ((s = session_by_tty(tty)) != NULL)
1532 mm_session_close(s); 1547 mm_session_close(s);
1533 buffer_clear(m); 1548 buffer_clear(m);
1534 xfree(tty); 1549 free(tty);
1535 return (0); 1550 return (0);
1536} 1551}
1537 1552
@@ -1663,7 +1678,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
1663 1678
1664 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); 1679 monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
1665 1680
1666 xfree(blob); 1681 free(blob);
1667 key_free(key); 1682 key_free(key);
1668 return (0); 1683 return (0);
1669} 1684}
@@ -1695,9 +1710,9 @@ mm_answer_rsa_response(int sock, Buffer *m)
1695 fatal("%s: received bad response to challenge", __func__); 1710 fatal("%s: received bad response to challenge", __func__);
1696 success = auth_rsa_verify_response(key, ssh1_challenge, response); 1711 success = auth_rsa_verify_response(key, ssh1_challenge, response);
1697 1712
1698 xfree(blob); 1713 free(blob);
1699 key_free(key); 1714 key_free(key);
1700 xfree(response); 1715 free(response);
1701 1716
1702 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; 1717 auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
1703 1718
@@ -1776,7 +1791,7 @@ mm_answer_audit_command(int socket, Buffer *m)
1776 cmd = buffer_get_string(m, &len); 1791 cmd = buffer_get_string(m, &len);
1777 /* sanity check command, if so how? */ 1792 /* sanity check command, if so how? */
1778 audit_run_command(cmd); 1793 audit_run_command(cmd);
1779 xfree(cmd); 1794 free(cmd);
1780 return (0); 1795 return (0);
1781} 1796}
1782#endif /* SSH_AUDIT_EVENTS */ 1797#endif /* SSH_AUDIT_EVENTS */
@@ -1791,20 +1806,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
1791 packet_set_protocol_flags(child_state.ssh1protoflags); 1806 packet_set_protocol_flags(child_state.ssh1protoflags);
1792 packet_set_encryption_key(child_state.ssh1key, 1807 packet_set_encryption_key(child_state.ssh1key,
1793 child_state.ssh1keylen, child_state.ssh1cipher); 1808 child_state.ssh1keylen, child_state.ssh1cipher);
1794 xfree(child_state.ssh1key); 1809 free(child_state.ssh1key);
1795 } 1810 }
1796 1811
1797 /* for rc4 and other stateful ciphers */ 1812 /* for rc4 and other stateful ciphers */
1798 packet_set_keycontext(MODE_OUT, child_state.keyout); 1813 packet_set_keycontext(MODE_OUT, child_state.keyout);
1799 xfree(child_state.keyout); 1814 free(child_state.keyout);
1800 packet_set_keycontext(MODE_IN, child_state.keyin); 1815 packet_set_keycontext(MODE_IN, child_state.keyin);
1801 xfree(child_state.keyin); 1816 free(child_state.keyin);
1802 1817
1803 if (!compat20) { 1818 if (!compat20) {
1804 packet_set_iv(MODE_OUT, child_state.ivout); 1819 packet_set_iv(MODE_OUT, child_state.ivout);
1805 xfree(child_state.ivout); 1820 free(child_state.ivout);
1806 packet_set_iv(MODE_IN, child_state.ivin); 1821 packet_set_iv(MODE_IN, child_state.ivin);
1807 xfree(child_state.ivin); 1822 free(child_state.ivin);
1808 } 1823 }
1809 1824
1810 memcpy(&incoming_stream, &child_state.incoming, 1825 memcpy(&incoming_stream, &child_state.incoming,
@@ -1816,18 +1831,22 @@ monitor_apply_keystate(struct monitor *pmonitor)
1816 if (options.compression) 1831 if (options.compression)
1817 mm_init_compression(pmonitor->m_zlib); 1832 mm_init_compression(pmonitor->m_zlib);
1818 1833
1834 if (options.rekey_limit || options.rekey_interval)
1835 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
1836 (time_t)options.rekey_interval);
1837
1819 /* Network I/O buffers */ 1838 /* Network I/O buffers */
1820 /* XXX inefficient for large buffers, need: buffer_init_from_string */ 1839 /* XXX inefficient for large buffers, need: buffer_init_from_string */
1821 buffer_clear(packet_get_input()); 1840 buffer_clear(packet_get_input());
1822 buffer_append(packet_get_input(), child_state.input, child_state.ilen); 1841 buffer_append(packet_get_input(), child_state.input, child_state.ilen);
1823 memset(child_state.input, 0, child_state.ilen); 1842 memset(child_state.input, 0, child_state.ilen);
1824 xfree(child_state.input); 1843 free(child_state.input);
1825 1844
1826 buffer_clear(packet_get_output()); 1845 buffer_clear(packet_get_output());
1827 buffer_append(packet_get_output(), child_state.output, 1846 buffer_append(packet_get_output(), child_state.output,
1828 child_state.olen); 1847 child_state.olen);
1829 memset(child_state.output, 0, child_state.olen); 1848 memset(child_state.output, 0, child_state.olen);
1830 xfree(child_state.output); 1849 free(child_state.output);
1831 1850
1832 /* Roaming */ 1851 /* Roaming */
1833 if (compat20) 1852 if (compat20)
@@ -1866,11 +1885,11 @@ mm_get_kex(Buffer *m)
1866 blob = buffer_get_string(m, &bloblen); 1885 blob = buffer_get_string(m, &bloblen);
1867 buffer_init(&kex->my); 1886 buffer_init(&kex->my);
1868 buffer_append(&kex->my, blob, bloblen); 1887 buffer_append(&kex->my, blob, bloblen);
1869 xfree(blob); 1888 free(blob);
1870 blob = buffer_get_string(m, &bloblen); 1889 blob = buffer_get_string(m, &bloblen);
1871 buffer_init(&kex->peer); 1890 buffer_init(&kex->peer);
1872 buffer_append(&kex->peer, blob, bloblen); 1891 buffer_append(&kex->peer, blob, bloblen);
1873 xfree(blob); 1892 free(blob);
1874 kex->done = 1; 1893 kex->done = 1;
1875 kex->flags = buffer_get_int(m); 1894 kex->flags = buffer_get_int(m);
1876 kex->client_version_string = buffer_get_string(m, NULL); 1895 kex->client_version_string = buffer_get_string(m, NULL);
@@ -1878,6 +1897,7 @@ mm_get_kex(Buffer *m)
1878 kex->load_host_public_key=&get_hostkey_public_by_type; 1897 kex->load_host_public_key=&get_hostkey_public_by_type;
1879 kex->load_host_private_key=&get_hostkey_private_by_type; 1898 kex->load_host_private_key=&get_hostkey_private_by_type;
1880 kex->host_key_index=&get_hostkey_index; 1899 kex->host_key_index=&get_hostkey_index;
1900 kex->sign = sshd_hostkey_sign;
1881 1901
1882 return (kex); 1902 return (kex);
1883} 1903}
@@ -1913,12 +1933,12 @@ mm_get_keystate(struct monitor *pmonitor)
1913 1933
1914 blob = buffer_get_string(&m, &bloblen); 1934 blob = buffer_get_string(&m, &bloblen);
1915 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); 1935 current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
1916 xfree(blob); 1936 free(blob);
1917 1937
1918 debug3("%s: Waiting for second key", __func__); 1938 debug3("%s: Waiting for second key", __func__);
1919 blob = buffer_get_string(&m, &bloblen); 1939 blob = buffer_get_string(&m, &bloblen);
1920 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); 1940 current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
1921 xfree(blob); 1941 free(blob);
1922 1942
1923 /* Now get sequence numbers for the packets */ 1943 /* Now get sequence numbers for the packets */
1924 seqnr = buffer_get_int(&m); 1944 seqnr = buffer_get_int(&m);
@@ -1943,13 +1963,13 @@ mm_get_keystate(struct monitor *pmonitor)
1943 if (plen != sizeof(child_state.outgoing)) 1963 if (plen != sizeof(child_state.outgoing))
1944 fatal("%s: bad request size", __func__); 1964 fatal("%s: bad request size", __func__);
1945 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); 1965 memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
1946 xfree(p); 1966 free(p);
1947 1967
1948 p = buffer_get_string(&m, &plen); 1968 p = buffer_get_string(&m, &plen);
1949 if (plen != sizeof(child_state.incoming)) 1969 if (plen != sizeof(child_state.incoming))
1950 fatal("%s: bad request size", __func__); 1970 fatal("%s: bad request size", __func__);
1951 memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); 1971 memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
1952 xfree(p); 1972 free(p);
1953 1973
1954 /* Network I/O buffers */ 1974 /* Network I/O buffers */
1955 debug3("%s: Getting Network I/O buffers", __func__); 1975 debug3("%s: Getting Network I/O buffers", __func__);
@@ -2074,7 +2094,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2074 2094
2075 major = ssh_gssapi_server_ctx(&gsscontext, &goid); 2095 major = ssh_gssapi_server_ctx(&gsscontext, &goid);
2076 2096
2077 xfree(goid.elements); 2097 free(goid.elements);
2078 2098
2079 buffer_clear(m); 2099 buffer_clear(m);
2080 buffer_put_int(m, major); 2100 buffer_put_int(m, major);
@@ -2102,7 +2122,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2102 in.value = buffer_get_string(m, &len); 2122 in.value = buffer_get_string(m, &len);
2103 in.length = len; 2123 in.length = len;
2104 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2124 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2105 xfree(in.value); 2125 free(in.value);
2106 2126
2107 buffer_clear(m); 2127 buffer_clear(m);
2108 buffer_put_int(m, major); 2128 buffer_put_int(m, major);
@@ -2138,8 +2158,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2138 2158
2139 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); 2159 ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
2140 2160
2141 xfree(gssbuf.value); 2161 free(gssbuf.value);
2142 xfree(mic.value); 2162 free(mic.value);
2143 2163
2144 buffer_clear(m); 2164 buffer_clear(m);
2145 buffer_put_int(m, ret); 2165 buffer_put_int(m, ret);
@@ -2281,8 +2301,8 @@ mm_answer_jpake_step1(int sock, Buffer *m)
2281 2301
2282 bzero(x3_proof, x3_proof_len); 2302 bzero(x3_proof, x3_proof_len);
2283 bzero(x4_proof, x4_proof_len); 2303 bzero(x4_proof, x4_proof_len);
2284 xfree(x3_proof); 2304 free(x3_proof);
2285 xfree(x4_proof); 2305 free(x4_proof);
2286 2306
2287 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1); 2307 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
2288 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0); 2308 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
@@ -2311,8 +2331,8 @@ mm_answer_jpake_get_pwdata(int sock, Buffer *m)
2311 2331
2312 bzero(hash_scheme, strlen(hash_scheme)); 2332 bzero(hash_scheme, strlen(hash_scheme));
2313 bzero(salt, strlen(salt)); 2333 bzero(salt, strlen(salt));
2314 xfree(hash_scheme); 2334 free(hash_scheme);
2315 xfree(salt); 2335 free(salt);
2316 2336
2317 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1); 2337 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
2318 2338
@@ -2351,8 +2371,8 @@ mm_answer_jpake_step2(int sock, Buffer *m)
2351 2371
2352 bzero(x1_proof, x1_proof_len); 2372 bzero(x1_proof, x1_proof_len);
2353 bzero(x2_proof, x2_proof_len); 2373 bzero(x2_proof, x2_proof_len);
2354 xfree(x1_proof); 2374 free(x1_proof);
2355 xfree(x2_proof); 2375 free(x2_proof);
2356 2376
2357 buffer_clear(m); 2377 buffer_clear(m);
2358 2378
@@ -2363,7 +2383,7 @@ mm_answer_jpake_step2(int sock, Buffer *m)
2363 mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); 2383 mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
2364 2384
2365 bzero(x4_s_proof, x4_s_proof_len); 2385 bzero(x4_s_proof, x4_s_proof_len);
2366 xfree(x4_s_proof); 2386 free(x4_s_proof);
2367 2387
2368 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); 2388 monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
2369 2389
@@ -2431,7 +2451,7 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
2431 JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); 2451 JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
2432 2452
2433 bzero(peer_confirm_hash, peer_confirm_hash_len); 2453 bzero(peer_confirm_hash, peer_confirm_hash_len);
2434 xfree(peer_confirm_hash); 2454 free(peer_confirm_hash);
2435 2455
2436 buffer_clear(m); 2456 buffer_clear(m);
2437 buffer_put_int(m, authenticated); 2457 buffer_put_int(m, authenticated);
diff --git a/monitor_mm.c b/monitor_mm.c
index faf9f3dcb..ee7bad4b4 100644
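--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */
+/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -35,6 +35,7 @@
 
 #include <errno.h>
 #include <stdarg.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include "xmalloc.h"
@@ -124,7 +125,7 @@ mm_freelist(struct mm_master *mmalloc, struct mmtree *head)
  next = RB_NEXT(mmtree, head, mms);
  RB_REMOVE(mmtree, head, mms);
  if (mmalloc == NULL)
- xfree(mms);
+ free(mms);
  else
  mm_free(mmalloc, mms);
  }
@@ -147,7 +148,7 @@ mm_destroy(struct mm_master *mm)
  __func__);
 #endif
  if (mm->mmalloc == NULL)
- xfree(mm);
+ free(mm);
  else
  mm_free(mm->mmalloc, mm);
 }
@@ -198,7 +199,7 @@ mm_malloc(struct mm_master *mm, size_t size)
  if (mms->size == 0) {
  RB_REMOVE(mmtree, &mm->rb_free, mms);
  if (mm->mmalloc == NULL)
- xfree(mms);
+ free(mms);
  else
  mm_free(mm->mmalloc, mms);
  }
@@ -254,7 +255,7 @@ mm_free(struct mm_master *mm, void *address)
  prev->size += mms->size;
  RB_REMOVE(mmtree, &mm->rb_free, mms);
  if (mm->mmalloc == NULL)
- xfree(mms);
+ free(mms);
  else
  mm_free(mm->mmalloc, mms);
  } else
@@ -278,7 +279,7 @@ mm_free(struct mm_master *mm, void *address)
  RB_REMOVE(mmtree, &mm->rb_free, mms);
 
  if (mm->mmalloc == NULL)
- xfree(mms);
+ free(mms);
  else
  mm_free(mm->mmalloc, mms);
 }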
diff --git a/monitor_wrap.c b/monitor_wrap.c
index ed8dbdadf..433b234d2 100644
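--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.76 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -259,8 +259,10 @@ mm_getpwnamallow(const char *username)
  fatal("%s: struct passwd size mismatch", __func__);
  pw->pw_name = buffer_get_string(&m, NULL);
  pw->pw_passwd = buffer_get_string(&m, NULL);
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
  pw->pw_gecos = buffer_get_string(&m, NULL);
-#ifdef HAVE_PW_CLASS_IN_PASSWD
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
  pw->pw_class = buffer_get_string(&m, NULL);
 #endif
  pw->pw_dir = buffer_get_string(&m, NULL);
@@ -286,7 +288,7 @@ out:
 #undef M_CP_STRARRAYOPT
 
  copy_set_server_options(&options, newopts, 1);
- xfree(newopts);
+ free(newopts);
 
  buffer_free(&m);
 
@@ -312,7 +314,7 @@ mm_auth2_read_banner(void)
 
  /* treat empty banner as missing banner */
  if (strlen(banner) == 0) {
- xfree(banner);
+ free(banner);
  banner = NULL;
  }
  return (banner);
@@ -405,7 +407,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
  buffer_put_cstring(&m, user ? user : "");
  buffer_put_cstring(&m, host ? host : "");
  buffer_put_string(&m, blob, len);
- xfree(blob);
+ free(blob);
 
  mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
 
@@ -448,7 +450,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
  buffer_put_string(&m, blob, len);
  buffer_put_string(&m, sig, siglen);
  buffer_put_string(&m, data, datalen);
- xfree(blob);
+ free(blob);
 
  mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
 
@@ -617,7 +619,7 @@ mm_send_keystate(struct monitor *monitor)
  keylen = packet_get_encryption_key(key);
  buffer_put_string(&m, key, keylen);
  memset(key, 0, keylen);
- xfree(key);
+ free(key);
 
  ivlen = packet_get_keyiv_len(MODE_OUT);
  packet_get_keyiv(MODE_OUT, iv, ivlen);
@@ -640,13 +642,13 @@ mm_send_keystate(struct monitor *monitor)
  fatal("%s: conversion of newkeys failed", __func__);
 
  buffer_put_string(&m, blob, bloblen);
- xfree(blob);
+ free(blob);
 
  if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
  fatal("%s: conversion of newkeys failed", __func__);
 
  buffer_put_string(&m, blob, bloblen);
- xfree(blob);
+ free(blob);
 
  packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
  buffer_put_int(&m, seqnr);
@@ -666,13 +668,13 @@ mm_send_keystate(struct monitor *monitor)
  p = xmalloc(plen+1);
  packet_get_keycontext(MODE_OUT, p);
  buffer_put_string(&m, p, plen);
- xfree(p);
+ free(p);
 
  plen = packet_get_keycontext(MODE_IN, NULL);
  p = xmalloc(plen+1);
  packet_get_keycontext(MODE_IN, p);
  buffer_put_string(&m, p, plen);
- xfree(p);
+ free(p);
 
  /* Compression state */
  debug3("%s: Sending compression state", __func__);
@@ -734,10 +736,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
  buffer_free(&m);
 
  strlcpy(namebuf, p, namebuflen); /* Possible truncation */
- xfree(p);
+ free(p);
 
  buffer_append(&loginmsg, msg, strlen(msg));
- xfree(msg);
+ free(msg);
 
  if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 ||
  (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1)
@@ -803,7 +805,7 @@ mm_do_pam_account(void)
  ret = buffer_get_int(&m);
  msg = buffer_get_string(&m, NULL);
  buffer_append(&loginmsg, msg, strlen(msg));
- xfree(msg);
+ free(msg);
 
  buffer_free(&m);
 
@@ -1033,7 +1035,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
  mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
 
  xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
- xfree(challenge);
+ free(challenge);
 
  return (0);
 }
@@ -1107,7 +1109,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
  if ((key = key_from_blob(blob, blen)) == NULL)
  fatal("%s: key_from_blob failed", __func__);
  *rkey = key;
- xfree(blob);
+ free(blob);
  }
  buffer_free(&m);
 
@@ -1134,7 +1136,7 @@ mm_auth_rsa_generate_challenge(Key *key)
 
  buffer_init(&m);
  buffer_put_string(&m, blob, blen);
- xfree(blob);
+ free(blob);
 
  mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m);
  mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m);
@@ -1163,7 +1165,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
  buffer_init(&m);
  buffer_put_string(&m, blob, blen);
  buffer_put_string(&m, response, 16);
- xfree(blob);
+ free(blob);
 
  mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m);
  mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m);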
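Review bot: In the mm_send_keystate hunks the key material is not reliably scrubbed before release: `memset(key, 0, keylen);` now sits directly before `free(key);`, and a compiler that knows free() may drop that store as dead, which was less likely while the buffer went to the out-of-line xfree(). The keycontext buffers `p` and the newkeys `blob` later in the same function are freed with no clearing at all. I would clear them with a call the optimiser cannot remove, e.g. `explicit_bzero(key, keylen);` where the platform or the compat layer provides it, and do the same for `p` (`plen`) and `blob` (`bloblen`) before their `free()`. mm_send_keystate starts and ends outside these hunks, so its other exits were not checked.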
diff --git a/mux.c b/mux.c
index 1ae0e0915..882fa61b5 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ 1/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -184,7 +184,7 @@ static const struct {
184 184
185/* Cleanup callback fired on closure of mux slave _session_ channel */ 185/* Cleanup callback fired on closure of mux slave _session_ channel */
186/* ARGSUSED */ 186/* ARGSUSED */
187void 187static void
188mux_master_session_cleanup_cb(int cid, void *unused) 188mux_master_session_cleanup_cb(int cid, void *unused)
189{ 189{
190 Channel *cc, *c = channel_by_id(cid); 190 Channel *cc, *c = channel_by_id(cid);
@@ -219,7 +219,8 @@ mux_master_control_cleanup_cb(int cid, void *unused)
219 __func__, c->self, c->remote_id); 219 __func__, c->self, c->remote_id);
220 c->remote_id = -1; 220 c->remote_id = -1;
221 sc->ctl_chan = -1; 221 sc->ctl_chan = -1;
222 if (sc->type != SSH_CHANNEL_OPEN) { 222 if (sc->type != SSH_CHANNEL_OPEN &&
223 sc->type != SSH_CHANNEL_OPENING) {
223 debug2("%s: channel %d: not open", __func__, sc->self); 224 debug2("%s: channel %d: not open", __func__, sc->self);
224 chan_mark_dead(sc); 225 chan_mark_dead(sc);
225 } else { 226 } else {
@@ -286,13 +287,13 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r)
286 char *value = buffer_get_string_ret(m, NULL); 287 char *value = buffer_get_string_ret(m, NULL);
287 288
288 if (name == NULL || value == NULL) { 289 if (name == NULL || value == NULL) {
289 if (name != NULL) 290 free(name);
290 xfree(name); 291 free(value);
291 goto malf; 292 goto malf;
292 } 293 }
293 debug2("Unrecognised slave extension \"%s\"", name); 294 debug2("Unrecognised slave extension \"%s\"", name);
294 xfree(name); 295 free(name);
295 xfree(value); 296 free(value);
296 } 297 }
297 state->hello_rcvd = 1; 298 state->hello_rcvd = 1;
298 return 0; 299 return 0;
@@ -323,21 +324,17 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
323 (cctx->term = buffer_get_string_ret(m, &len)) == NULL || 324 (cctx->term = buffer_get_string_ret(m, &len)) == NULL ||
324 (cmd = buffer_get_string_ret(m, &len)) == NULL) { 325 (cmd = buffer_get_string_ret(m, &len)) == NULL) {
325 malf: 326 malf:
326 if (cmd != NULL) 327 free(cmd);
327 xfree(cmd); 328 free(reserved);
328 if (reserved != NULL)
329 xfree(reserved);
330 for (j = 0; j < env_len; j++) 329 for (j = 0; j < env_len; j++)
331 xfree(cctx->env[j]); 330 free(cctx->env[j]);
332 if (env_len > 0) 331 free(cctx->env);
333 xfree(cctx->env); 332 free(cctx->term);
334 if (cctx->term != NULL) 333 free(cctx);
335 xfree(cctx->term);
336 xfree(cctx);
337 error("%s: malformed message", __func__); 334 error("%s: malformed message", __func__);
338 return -1; 335 return -1;
339 } 336 }
340 xfree(reserved); 337 free(reserved);
341 reserved = NULL; 338 reserved = NULL;
342 339
343 while (buffer_len(m) > 0) { 340 while (buffer_len(m) > 0) {
@@ -345,7 +342,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
345 if ((cp = buffer_get_string_ret(m, &len)) == NULL) 342 if ((cp = buffer_get_string_ret(m, &len)) == NULL)
346 goto malf; 343 goto malf;
347 if (!env_permitted(cp)) { 344 if (!env_permitted(cp)) {
348 xfree(cp); 345 free(cp);
349 continue; 346 continue;
350 } 347 }
351 cctx->env = xrealloc(cctx->env, env_len + 2, 348 cctx->env = xrealloc(cctx->env, env_len + 2,
@@ -366,7 +363,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
366 363
367 buffer_init(&cctx->cmd); 364 buffer_init(&cctx->cmd);
368 buffer_append(&cctx->cmd, cmd, strlen(cmd)); 365 buffer_append(&cctx->cmd, cmd, strlen(cmd));
369 xfree(cmd); 366 free(cmd);
370 cmd = NULL; 367 cmd = NULL;
371 368
372 /* Gather fds from client */ 369 /* Gather fds from client */
@@ -377,12 +374,11 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
377 for (j = 0; j < i; j++) 374 for (j = 0; j < i; j++)
378 close(new_fd[j]); 375 close(new_fd[j]);
379 for (j = 0; j < env_len; j++) 376 for (j = 0; j < env_len; j++)
380 xfree(cctx->env[j]); 377 free(cctx->env[j]);
381 if (env_len > 0) 378 free(cctx->env);
382 xfree(cctx->env); 379 free(cctx->term);
383 xfree(cctx->term);
384 buffer_free(&cctx->cmd); 380 buffer_free(&cctx->cmd);
385 xfree(cctx); 381 free(cctx);
386 382
387 /* prepare reply */ 383 /* prepare reply */
388 buffer_put_int(r, MUX_S_FAILURE); 384 buffer_put_int(r, MUX_S_FAILURE);
@@ -407,14 +403,14 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
407 close(new_fd[0]); 403 close(new_fd[0]);
408 close(new_fd[1]); 404 close(new_fd[1]);
409 close(new_fd[2]); 405 close(new_fd[2]);
410 xfree(cctx->term); 406 free(cctx->term);
411 if (env_len != 0) { 407 if (env_len != 0) {
412 for (i = 0; i < env_len; i++) 408 for (i = 0; i < env_len; i++)
413 xfree(cctx->env[i]); 409 free(cctx->env[i]);
414 xfree(cctx->env); 410 free(cctx->env);
415 } 411 }
416 buffer_free(&cctx->cmd); 412 buffer_free(&cctx->cmd);
417 xfree(cctx); 413 free(cctx);
418 return 0; 414 return 0;
419 } 415 }
420 416
@@ -619,7 +615,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
619 buffer_put_int(&out, MUX_S_FAILURE); 615 buffer_put_int(&out, MUX_S_FAILURE);
620 buffer_put_int(&out, fctx->rid); 616 buffer_put_int(&out, fctx->rid);
621 buffer_put_cstring(&out, failmsg); 617 buffer_put_cstring(&out, failmsg);
622 xfree(failmsg); 618 free(failmsg);
623 out: 619 out:
624 buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); 620 buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out));
625 buffer_free(&out); 621 buffer_free(&out);
@@ -634,25 +630,28 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
634 Forward fwd; 630 Forward fwd;
635 char *fwd_desc = NULL; 631 char *fwd_desc = NULL;
636 u_int ftype; 632 u_int ftype;
633 u_int lport, cport;
637 int i, ret = 0, freefwd = 1; 634 int i, ret = 0, freefwd = 1;
638 635
639 fwd.listen_host = fwd.connect_host = NULL; 636 fwd.listen_host = fwd.connect_host = NULL;
640 if (buffer_get_int_ret(&ftype, m) != 0 || 637 if (buffer_get_int_ret(&ftype, m) != 0 ||
641 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || 638 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
642 buffer_get_int_ret(&fwd.listen_port, m) != 0 || 639 buffer_get_int_ret(&lport, m) != 0 ||
643 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || 640 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
644 buffer_get_int_ret(&fwd.connect_port, m) != 0) { 641 buffer_get_int_ret(&cport, m) != 0 ||
642 lport > 65535 || cport > 65535) {
645 error("%s: malformed message", __func__); 643 error("%s: malformed message", __func__);
646 ret = -1; 644 ret = -1;
647 goto out; 645 goto out;
648 } 646 }
649 647 fwd.listen_port = lport;
648 fwd.connect_port = cport;
650 if (*fwd.listen_host == '\0') { 649 if (*fwd.listen_host == '\0') {
651 xfree(fwd.listen_host); 650 free(fwd.listen_host);
652 fwd.listen_host = NULL; 651 fwd.listen_host = NULL;
653 } 652 }
654 if (*fwd.connect_host == '\0') { 653 if (*fwd.connect_host == '\0') {
655 xfree(fwd.connect_host); 654 free(fwd.connect_host);
656 fwd.connect_host = NULL; 655 fwd.connect_host = NULL;
657 } 656 }
658 657
@@ -663,10 +662,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
663 ftype != MUX_FWD_DYNAMIC) { 662 ftype != MUX_FWD_DYNAMIC) {
664 logit("%s: invalid forwarding type %u", __func__, ftype); 663 logit("%s: invalid forwarding type %u", __func__, ftype);
665 invalid: 664 invalid:
666 if (fwd.listen_host) 665 free(fwd.listen_host);
667 xfree(fwd.listen_host); 666 free(fwd.connect_host);
668 if (fwd.connect_host)
669 xfree(fwd.connect_host);
670 buffer_put_int(r, MUX_S_FAILURE); 667 buffer_put_int(r, MUX_S_FAILURE);
671 buffer_put_int(r, rid); 668 buffer_put_int(r, rid);
672 buffer_put_cstring(r, "Invalid forwarding request"); 669 buffer_put_cstring(r, "Invalid forwarding request");
@@ -768,13 +765,10 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
768 buffer_put_int(r, MUX_S_OK); 765 buffer_put_int(r, MUX_S_OK);
769 buffer_put_int(r, rid); 766 buffer_put_int(r, rid);
770 out: 767 out:
771 if (fwd_desc != NULL) 768 free(fwd_desc);
772 xfree(fwd_desc);
773 if (freefwd) { 769 if (freefwd) {
774 if (fwd.listen_host != NULL) 770 free(fwd.listen_host);
775 xfree(fwd.listen_host); 771 free(fwd.connect_host);
776 if (fwd.connect_host != NULL)
777 xfree(fwd.connect_host);
778 } 772 }
779 return ret; 773 return ret;
780} 774}
@@ -787,24 +781,28 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
787 const char *error_reason = NULL; 781 const char *error_reason = NULL;
788 u_int ftype; 782 u_int ftype;
789 int i, listen_port, ret = 0; 783 int i, listen_port, ret = 0;
784 u_int lport, cport;
790 785
791 fwd.listen_host = fwd.connect_host = NULL; 786 fwd.listen_host = fwd.connect_host = NULL;
792 if (buffer_get_int_ret(&ftype, m) != 0 || 787 if (buffer_get_int_ret(&ftype, m) != 0 ||
793 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || 788 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
794 buffer_get_int_ret(&fwd.listen_port, m) != 0 || 789 buffer_get_int_ret(&lport, m) != 0 ||
795 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || 790 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
796 buffer_get_int_ret(&fwd.connect_port, m) != 0) { 791 buffer_get_int_ret(&cport, m) != 0 ||
792 lport > 65535 || cport > 65535) {
797 error("%s: malformed message", __func__); 793 error("%s: malformed message", __func__);
798 ret = -1; 794 ret = -1;
799 goto out; 795 goto out;
800 } 796 }
797 fwd.listen_port = lport;
798 fwd.connect_port = cport;
801 799
802 if (*fwd.listen_host == '\0') { 800 if (*fwd.listen_host == '\0') {
803 xfree(fwd.listen_host); 801 free(fwd.listen_host);
804 fwd.listen_host = NULL; 802 fwd.listen_host = NULL;
805 } 803 }
806 if (*fwd.connect_host == '\0') { 804 if (*fwd.connect_host == '\0') {
807 xfree(fwd.connect_host); 805 free(fwd.connect_host);
808 fwd.connect_host = NULL; 806 fwd.connect_host = NULL;
809 } 807 }
810 808
@@ -861,10 +859,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
861 buffer_put_int(r, MUX_S_OK); 859 buffer_put_int(r, MUX_S_OK);
862 buffer_put_int(r, rid); 860 buffer_put_int(r, rid);
863 861
864 if (found_fwd->listen_host != NULL) 862 free(found_fwd->listen_host);
865 xfree(found_fwd->listen_host); 863 free(found_fwd->connect_host);
866 if (found_fwd->connect_host != NULL)
867 xfree(found_fwd->connect_host);
868 found_fwd->listen_host = found_fwd->connect_host = NULL; 864 found_fwd->listen_host = found_fwd->connect_host = NULL;
869 found_fwd->listen_port = found_fwd->connect_port = 0; 865 found_fwd->listen_port = found_fwd->connect_port = 0;
870 } else { 866 } else {
@@ -873,12 +869,9 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
873 buffer_put_cstring(r, error_reason); 869 buffer_put_cstring(r, error_reason);
874 } 870 }
875 out: 871 out:
876 if (fwd_desc != NULL) 872 free(fwd_desc);
877 xfree(fwd_desc); 873 free(fwd.listen_host);
878 if (fwd.listen_host != NULL) 874 free(fwd.connect_host);
879 xfree(fwd.listen_host);
880 if (fwd.connect_host != NULL)
881 xfree(fwd.connect_host);
882 875
883 return ret; 876 return ret;
884} 877}
@@ -895,14 +888,12 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
895 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 888 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
896 (chost = buffer_get_string_ret(m, NULL)) == NULL || 889 (chost = buffer_get_string_ret(m, NULL)) == NULL ||
897 buffer_get_int_ret(&cport, m) != 0) { 890 buffer_get_int_ret(&cport, m) != 0) {
898 if (reserved != NULL) 891 free(reserved);
899 xfree(reserved); 892 free(chost);
900 if (chost != NULL)
901 xfree(chost);
902 error("%s: malformed message", __func__); 893 error("%s: malformed message", __func__);
903 return -1; 894 return -1;
904 } 895 }
905 xfree(reserved); 896 free(reserved);
906 897
907 debug2("%s: channel %d: request stdio fwd to %s:%u", 898 debug2("%s: channel %d: request stdio fwd to %s:%u",
908 __func__, c->self, chost, cport); 899 __func__, c->self, chost, cport);
@@ -914,7 +905,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
914 __func__, i); 905 __func__, i);
915 for (j = 0; j < i; j++) 906 for (j = 0; j < i; j++)
916 close(new_fd[j]); 907 close(new_fd[j]);
917 xfree(chost); 908 free(chost);
918 909
919 /* prepare reply */ 910 /* prepare reply */
920 buffer_put_int(r, MUX_S_FAILURE); 911 buffer_put_int(r, MUX_S_FAILURE);
@@ -938,7 +929,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
938 cleanup: 929 cleanup:
939 close(new_fd[0]); 930 close(new_fd[0]);
940 close(new_fd[1]); 931 close(new_fd[1]);
941 xfree(chost); 932 free(chost);
942 return 0; 933 return 0;
943 } 934 }
944 935
@@ -1000,7 +991,7 @@ process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r)
1000 if (mux_listener_channel != NULL) { 991 if (mux_listener_channel != NULL) {
1001 channel_free(mux_listener_channel); 992 channel_free(mux_listener_channel);
1002 client_stop_mux(); 993 client_stop_mux();
1003 xfree(options.control_path); 994 free(options.control_path);
1004 options.control_path = NULL; 995 options.control_path = NULL;
1005 mux_listener_channel = NULL; 996 mux_listener_channel = NULL;
1006 muxserver_sock = -1; 997 muxserver_sock = -1;
@@ -1100,7 +1091,7 @@ mux_exit_message(Channel *c, int exitval)
1100 Buffer m; 1091 Buffer m;
1101 Channel *mux_chan; 1092 Channel *mux_chan;
1102 1093
1103 debug3("%s: channel %d: exit message, evitval %d", __func__, c->self, 1094 debug3("%s: channel %d: exit message, exitval %d", __func__, c->self,
1104 exitval); 1095 exitval);
1105 1096
1106 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) 1097 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL)
@@ -1197,8 +1188,8 @@ muxserver_listen(void)
1197 close(muxserver_sock); 1188 close(muxserver_sock);
1198 muxserver_sock = -1; 1189 muxserver_sock = -1;
1199 } 1190 }
1200 xfree(orig_control_path); 1191 free(orig_control_path);
1201 xfree(options.control_path); 1192 free(options.control_path);
1202 options.control_path = NULL; 1193 options.control_path = NULL;
1203 options.control_master = SSHCTL_MASTER_NO; 1194 options.control_master = SSHCTL_MASTER_NO;
1204 return; 1195 return;
@@ -1223,7 +1214,7 @@ muxserver_listen(void)
1223 goto disable_mux_master; 1214 goto disable_mux_master;
1224 } 1215 }
1225 unlink(options.control_path); 1216 unlink(options.control_path);
1226 xfree(options.control_path); 1217 free(options.control_path);
1227 options.control_path = orig_control_path; 1218 options.control_path = orig_control_path;
1228 1219
1229 set_nonblock(muxserver_sock); 1220 set_nonblock(muxserver_sock);
@@ -1308,13 +1299,13 @@ mux_session_confirm(int id, int success, void *arg)
1308 cc->mux_pause = 0; /* start processing messages again */ 1299 cc->mux_pause = 0; /* start processing messages again */
1309 c->open_confirm_ctx = NULL; 1300 c->open_confirm_ctx = NULL;
1310 buffer_free(&cctx->cmd); 1301 buffer_free(&cctx->cmd);
1311 xfree(cctx->term); 1302 free(cctx->term);
1312 if (cctx->env != NULL) { 1303 if (cctx->env != NULL) {
1313 for (i = 0; cctx->env[i] != NULL; i++) 1304 for (i = 0; cctx->env[i] != NULL; i++)
1314 xfree(cctx->env[i]); 1305 free(cctx->env[i]);
1315 xfree(cctx->env); 1306 free(cctx->env);
1316 } 1307 }
1317 xfree(cctx); 1308 free(cctx);
1318} 1309}
1319 1310
1320/* ** Multiplexing client support */ 1311/* ** Multiplexing client support */
@@ -1444,7 +1435,9 @@ mux_client_read_packet(int fd, Buffer *m)
1444 buffer_init(&queue); 1435 buffer_init(&queue);
1445 if (mux_client_read(fd, &queue, 4) != 0) { 1436 if (mux_client_read(fd, &queue, 4) != 0) {
1446 if ((oerrno = errno) == EPIPE) 1437 if ((oerrno = errno) == EPIPE)
1447 debug3("%s: read header failed: %s", __func__, strerror(errno)); 1438 debug3("%s: read header failed: %s", __func__,
1439 strerror(errno));
1440 buffer_free(&queue);
1448 errno = oerrno; 1441 errno = oerrno;
1449 return -1; 1442 return -1;
1450 } 1443 }
@@ -1452,6 +1445,7 @@ mux_client_read_packet(int fd, Buffer *m)
1452 if (mux_client_read(fd, &queue, need) != 0) { 1445 if (mux_client_read(fd, &queue, need) != 0) {
1453 oerrno = errno; 1446 oerrno = errno;
1454 debug3("%s: read body failed: %s", __func__, strerror(errno)); 1447 debug3("%s: read body failed: %s", __func__, strerror(errno));
1448 buffer_free(&queue);
1455 errno = oerrno; 1449 errno = oerrno;
1456 return -1; 1450 return -1;
1457 } 1451 }
@@ -1498,8 +1492,8 @@ mux_client_hello_exchange(int fd)
1498 char *value = buffer_get_string(&m, NULL); 1492 char *value = buffer_get_string(&m, NULL);
1499 1493
1500 debug2("Unrecognised master extension \"%s\"", name); 1494 debug2("Unrecognised master extension \"%s\"", name);
1501 xfree(name); 1495 free(name);
1502 xfree(value); 1496 free(value);
1503 } 1497 }
1504 buffer_free(&m); 1498 buffer_free(&m);
1505 return 0; 1499 return 0;
@@ -1608,7 +1602,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
1608 fwd_desc = format_forward(ftype, fwd); 1602 fwd_desc = format_forward(ftype, fwd);
1609 debug("Requesting %s %s", 1603 debug("Requesting %s %s",
1610 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1604 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1611 xfree(fwd_desc); 1605 free(fwd_desc);
1612 1606
1613 buffer_init(&m); 1607 buffer_init(&m);
1614 buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD); 1608 buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
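--- a/myproposal.h
+++ b/myproposal.h
@@ -26,6 +26,8 @@
 
 #include <openssl/opensslv.h>
 
+/* conditional algorithm support */
+
 #ifdef OPENSSL_HAS_ECC
 # define KEX_ECDH_METHODS \
  "ecdh-sha2-nistp256," \
@@ -45,12 +47,22 @@
 # define HOSTKEY_ECDSA_METHODS
 #endif
 
-/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
+#else
+# define AESGCM_CIPHER_MODES
+#endif
+
+#ifdef HAVE_EVP_SHA256
 # define KEX_SHA256_METHODS \
  "diffie-hellman-group-exchange-sha256,"
+#define SHA2_HMAC_MODES \
+ "hmac-sha2-256," \
+ "hmac-sha2-512,"
 #else
 # define KEX_SHA256_METHODS
+# define SHA2_HMAC_MODES
 #endif
 
 # define KEX_DEFAULT_KEX \
@@ -70,19 +82,15 @@
  "ssh-rsa," \
  "ssh-dss"
 
+/* the actual algorithms */
+
 #define KEX_DEFAULT_ENCRYPT \
  "aes128-ctr,aes192-ctr,aes256-ctr," \
  "arcfour256,arcfour128," \
- "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
+ AESGCM_CIPHER_MODES \
  "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
  "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
-#ifdef HAVE_EVP_SHA256
-#define SHA2_HMAC_MODES \
- "hmac-sha2-256," \
- "hmac-sha2-512,"
-#else
-# define SHA2_HMAC_MODES
-#endif
+
 #define KEX_DEFAULT_MAC \
  "hmac-md5-etm@openssh.com," \
  "hmac-sha1-etm@openssh.com," \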
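Review bot: The new `AESGCM_CIPHER_MODES` and the relocated `SHA2_HMAC_MODES` are spliced into the middle of the default lists by string concatenation, so every non-empty definition must end in a comma and the empty fallback must leave the list well-formed, yet nothing in the file states that contract. The one-line `/* conditional algorithm support */` comment is the natural place; I would extend it to something like `/* conditional algorithm support: each macro is either empty or a comma-terminated list fragment, so the defaults below vary with the build-time feature tests */`. That also tells anyone auditing what a given binary offers that the proposal is not fixed by this header alone. Separately, `#define SHA2_HMAC_MODES \` inside the `#ifdef HAVE_EVP_SHA256` branch is not indented like its neighbours; `# define SHA2_HMAC_MODES \` would match the `# define KEX_SHA256_METHODS` beside it.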
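--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $
+# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 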
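--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -97,7 +97,7 @@ fetch_windows_environment(void)
 void
 free_windows_environment(char **p)
 {
- xfree(p);
+ free(p);
 }
 
 #endif /* HAVE_CYGWIN */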
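--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-cygwin_util.h,v 1.15.4.1 2013/04/04 23:53:31 dtucker Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.16 2013/04/01 01:40:49 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>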
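--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */
+/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -110,4 +110,16 @@ int isblank(int);
 pid_t getpgid(pid_t);
 #endif
 
+#ifndef HAVE_ENDGRENT
+# define endgrent() {}
+#endif
+
+#ifndef HAVE_KRB5_GET_ERROR_MESSAGE
+# define krb5_get_error_message krb5_get_err_text
+#endif
+
+#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE
+# define krb5_free_error_message(a,b) while(0)
+#endif
+
 #endif /* _BSD_MISC_H */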
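Review bot: The fallback `# define endgrent() {}` turns the statement `endgrent();` into `{};`, a compound statement followed by an empty one, so a call placed under an unbraced `if` that has an `else` would no longer compile. The usual statement-safe form is `# define endgrent() do { } while(0)`. The `krb5_free_error_message(a,b) while(0)` fallback is fine as a statement, but it drops the message without freeing it, which is only correct if the `krb5_get_err_text` substitute returns storage the caller does not own. That is not visible in this hunk, so I would record the assumption next to the macro, e.g. `/* krb5_get_err_text() result is assumed not caller-owned, so nothing to free */`.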
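--- a/openbsd-compat/getopt.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (c) 1987, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
-
-#include "includes.h"
-#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-int BSDopterr = 1, /* if error message should be printed */
- BSDoptind = 1, /* index into parent argv vector */
- BSDoptopt, /* character checked for validity */
- BSDoptreset; /* reset getopt */
-char *BSDoptarg; /* argument associated with option */
-
-#define BADCH (int)'?'
-#define BADARG (int)':'
-#define EMSG ""
-
-/*
- * getopt --
- * Parse argc/argv argument vector.
- */
-int
-BSDgetopt(nargc, nargv, ostr)
- int nargc;
- char * const *nargv;
- const char *ostr;
-{
- extern char *__progname;
- static char *place = EMSG; /* option letter processing */
- char *oli; /* option letter list index */
-
- if (ostr == NULL)
- return (-1);
-
- if (BSDoptreset || !*place) { /* update scanning pointer */
- BSDoptreset = 0;
- if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') {
- place = EMSG;
- return (-1);
- }
- if (place[1] && *++place == '-') { /* found "--" */
- ++BSDoptind;
- place = EMSG;
- return (-1);
- }
- } /* option letter okay? */
- if ((BSDoptopt = (int)*place++) == (int)':' ||
- !(oli = strchr(ostr, BSDoptopt))) {
- /*
- * if the user didn't specify '-' as an option,
- * assume it means -1.
- */
- if (BSDoptopt == (int)'-')
- return (-1);
- if (!*place)
- ++BSDoptind;
- if (BSDopterr && *ostr != ':')
- (void)fprintf(stderr,
- "%s: illegal option -- %c\n", __progname, BSDoptopt);
- return (BADCH);
- }
- if (*++oli != ':') { /* don't need argument */
- BSDoptarg = NULL;
- if (!*place)
- ++BSDoptind;
- }
- else { /* need an argument */
- if (*place) /* no white space */
- BSDoptarg = place;
- else if (nargc <= ++BSDoptind) { /* no arg */
- place = EMSG;
- if (*ostr == ':')
- return (BADARG);
- if (BSDopterr)
- (void)fprintf(stderr,
- "%s: option requires an argument -- %c\n",
- __progname, BSDoptopt);
- return (BADCH);
- }
- else /* white space */
- BSDoptarg = nargv[BSDoptind];
- place = EMSG;
- ++BSDoptind;
- }
- return (BSDoptopt); /* dump back option letter */
-}
-
-#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */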
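--- /dev/null
+++ b/openbsd-compat/getopt.h
@@ -0,0 +1,74 @@
+/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */
+/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */
+
+/*-
+ * Copyright (c) 2000 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Dieter Baron and Thomas Klausner.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETOPT_H_
+#define _GETOPT_H_
+
+/*
+ * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
+ */
+#define no_argument 0
+#define required_argument 1
+#define optional_argument 2
+
+struct option {
+ /* name of long option */
+ const char *name;
+ /*
+ * one of no_argument, required_argument, and optional_argument:
+ * whether option takes an argument
+ */
+ int has_arg;
+ /* if not NULL, set *flag to val when option found */
+ int *flag;
+ /* if flag not NULL, value to set *flag to; else return value */
+ int val;
+};
+
+int getopt_long(int, char * const *, const char *,
+ const struct option *, int *);
+int getopt_long_only(int, char * const *, const char *,
+ const struct option *, int *);
+#ifndef _GETOPT_DEFINED_
+#define _GETOPT_DEFINED_
+int getopt(int, char * const *, const char *);
+int getsubopt(char **, char * const *, char **);
+
+extern char *optarg; /* getopt(3) external variables */
+extern int opterr;
+extern int optind;
+extern int optopt;
+extern int optreset;
+extern char *suboptarg; /* getsubopt(3) external variable */
+#endif
+
+#endif /* !_GETOPT_H_ */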
diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c
new file mode 100644
index 000000000..e28947430
--- /dev/null
+++ b/openbsd-compat/getopt_long.c
@@ -0,0 +1,532 @@
1/* $OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $ */
2/* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */
3
4/*
5 * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 *
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
22 */
23/*-
24 * Copyright (c) 2000 The NetBSD Foundation, Inc.
25 * All rights reserved.
26 *
27 * This code is derived from software contributed to The NetBSD Foundation
28 * by Dieter Baron and Thomas Klausner.
29 *
30 * Redistribution and use in source and binary forms, with or without
31 * modification, are permitted provided that the following conditions
32 * are met:
33 * 1. Redistributions of source code must retain the above copyright
34 * notice, this list of conditions and the following disclaimer.
35 * 2. Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer in the
37 * documentation and/or other materials provided with the distribution.
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
40 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
41 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
43 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
44 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
45 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
46 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
47 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
49 * POSSIBILITY OF SUCH DAMAGE.
50 */
51
52/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt_long.c */
53#include "includes.h"
54
55#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
56
57/*
58 * Some defines to make it easier to keep the code in sync with upstream.
59 * getopt opterr optind optopt optreset optarg are all in defines.h which is
60 * pulled in by includes.h.
61 */
62#define warnx logit
63
64#if 0
65#include <err.h>
66#include <getopt.h>
67#endif
68#include <errno.h>
69#include <stdlib.h>
70#include <string.h>
71#include <stdarg.h>
72
73#include "log.h"
74
75int opterr = 1; /* if error message should be printed */
76int optind = 1; /* index into parent argv vector */
77int optopt = '?'; /* character checked for validity */
78int optreset; /* reset getopt */
79char *optarg; /* argument associated with option */
80
81#define PRINT_ERROR ((opterr) && (*options != ':'))
82
83#define FLAG_PERMUTE 0x01 /* permute non-options to the end of argv */
84#define FLAG_ALLARGS 0x02 /* treat non-options as args to option "-1" */
85#define FLAG_LONGONLY 0x04 /* operate as getopt_long_only */
86
87/* return values */
88#define BADCH (int)'?'
89#define BADARG ((*options == ':') ? (int)':' : (int)'?')
90#define INORDER (int)1
91
92#define EMSG ""
93
94static int getopt_internal(int, char * const *, const char *,
95 const struct option *, int *, int);
96static int parse_long_options(char * const *, const char *,
97 const struct option *, int *, int);
98static int gcd(int, int);
99static void permute_args(int, int, int, char * const *);
100
101static char *place = EMSG; /* option letter processing */
102
103/* XXX: set optreset to 1 rather than these two */
104static int nonopt_start = -1; /* first non option argument (for permute) */
105static int nonopt_end = -1; /* first option after non options (for permute) */
106
107/* Error messages */
108static const char recargchar[] = "option requires an argument -- %c";
109static const char recargstring[] = "option requires an argument -- %s";
110static const char ambig[] = "ambiguous option -- %.*s";
111static const char noarg[] = "option doesn't take an argument -- %.*s";
112static const char illoptchar[] = "unknown option -- %c";
113static const char illoptstring[] = "unknown option -- %s";
114
115/*
116 * Compute the greatest common divisor of a and b.
117 */
118static int
119gcd(int a, int b)
120{
121 int c;
122
123 c = a % b;
124 while (c != 0) {
125 a = b;
126 b = c;
127 c = a % b;
128 }
129
130 return (b);
131}
132
133/*
134 * Exchange the block from nonopt_start to nonopt_end with the block
135 * from nonopt_end to opt_end (keeping the same order of arguments
136 * in each block).
137 */
138static void
139permute_args(int panonopt_start, int panonopt_end, int opt_end,
140 char * const *nargv)
141{
142 int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos;
143 char *swap;
144
145 /*
146 * compute lengths of blocks and number and size of cycles
147 */
148 nnonopts = panonopt_end - panonopt_start;
149 nopts = opt_end - panonopt_end;
150 ncycle = gcd(nnonopts, nopts);
151 cyclelen = (opt_end - panonopt_start) / ncycle;
152
153 for (i = 0; i < ncycle; i++) {
154 cstart = panonopt_end+i;
155 pos = cstart;
156 for (j = 0; j < cyclelen; j++) {
157 if (pos >= panonopt_end)
158 pos -= nnonopts;
159 else
160 pos += nopts;
161 swap = nargv[pos];
162 /* LINTED const cast */
163 ((char **) nargv)[pos] = nargv[cstart];
164 /* LINTED const cast */
165 ((char **)nargv)[cstart] = swap;
166 }
167 }
168}
169
170/*
171 * parse_long_options --
172 * Parse long options in argc/argv argument vector.
173 * Returns -1 if short_too is set and the option does not match long_options.
174 */
175static int
176parse_long_options(char * const *nargv, const char *options,
177 const struct option *long_options, int *idx, int short_too)
178{
179 char *current_argv, *has_equal;
180 size_t current_argv_len;
181 int i, match;
182
183 current_argv = place;
184 match = -1;
185
186 optind++;
187
188 if ((has_equal = strchr(current_argv, '=')) != NULL) {
189 /* argument found (--option=arg) */
190 current_argv_len = has_equal - current_argv;
191 has_equal++;
192 } else
193 current_argv_len = strlen(current_argv);
194
195 for (i = 0; long_options[i].name; i++) {
196 /* find matching long option */
197 if (strncmp(current_argv, long_options[i].name,
198 current_argv_len))
199 continue;
200
201 if (strlen(long_options[i].name) == current_argv_len) {
202 /* exact match */
203 match = i;
204 break;
205 }
206 /*
207 * If this is a known short option, don't allow
208 * a partial match of a single character.
209 */
210 if (short_too && current_argv_len == 1)
211 continue;
212
213 if (match == -1) /* partial match */
214 match = i;
215 else {
216 /* ambiguous abbreviation */
217 if (PRINT_ERROR)
218 warnx(ambig, (int)current_argv_len,
219 current_argv);
220 optopt = 0;
221 return (BADCH);
222 }
223 }
224 if (match != -1) { /* option found */
225 if (long_options[match].has_arg == no_argument
226 && has_equal) {
227 if (PRINT_ERROR)
228 warnx(noarg, (int)current_argv_len,
229 current_argv);
230 /*
231 * XXX: GNU sets optopt to val regardless of flag
232 */
233 if (long_options[match].flag == NULL)
234 optopt = long_options[match].val;
235 else
236 optopt = 0;
237 return (BADARG);
238 }
239 if (long_options[match].has_arg == required_argument ||
240 long_options[match].has_arg == optional_argument) {
241 if (has_equal)
242 optarg = has_equal;
243 else if (long_options[match].has_arg ==
244 required_argument) {
245 /*
246 * optional argument doesn't use next nargv
247 */
248 optarg = nargv[optind++];
249 }
250 }
251 if ((long_options[match].has_arg == required_argument)
252 && (optarg == NULL)) {
253 /*
254 * Missing argument; leading ':' indicates no error
255 * should be generated.
256 */
257 if (PRINT_ERROR)
258 warnx(recargstring,
259 current_argv);
260 /*
261 * XXX: GNU sets optopt to val regardless of flag
262 */
263 if (long_options[match].flag == NULL)
264 optopt = long_options[match].val;
265 else
266 optopt = 0;
267 --optind;
268 return (BADARG);
269 }
270 } else { /* unknown option */
271 if (short_too) {
272 --optind;
273 return (-1);
274 }
275 if (PRINT_ERROR)
276 warnx(illoptstring, current_argv);
277 optopt = 0;
278 return (BADCH);
279 }
280 if (idx)
281 *idx = match;
282 if (long_options[match].flag) {
283 *long_options[match].flag = long_options[match].val;
284 return (0);
285 } else
286 return (long_options[match].val);
287}
288
289/*
290 * getopt_internal --
291 * Parse argc/argv argument vector. Called by user level routines.
292 */
293static int
294getopt_internal(int nargc, char * const *nargv, const char *options,
295 const struct option *long_options, int *idx, int flags)
296{
297 char *oli; /* option letter list index */
298 int optchar, short_too;
299 static int posixly_correct = -1;
300
301 if (options == NULL)
302 return (-1);
303
304 /*
305 * XXX Some GNU programs (like cvs) set optind to 0 instead of
306 * XXX using optreset. Work around this braindamage.
307 */
308 if (optind == 0)
309 optind = optreset = 1;
310
311 /*
312 * Disable GNU extensions if POSIXLY_CORRECT is set or options
313 * string begins with a '+'.
314 */
315 if (posixly_correct == -1 || optreset)
316 posixly_correct = (getenv("POSIXLY_CORRECT") != NULL);
317 if (*options == '-')
318 flags |= FLAG_ALLARGS;
319 else if (posixly_correct || *options == '+')
320 flags &= ~FLAG_PERMUTE;
321 if (*options == '+' || *options == '-')
322 options++;
323
324 optarg = NULL;
325 if (optreset)
326 nonopt_start = nonopt_end = -1;
327start:
328 if (optreset || !*place) { /* update scanning pointer */
329 optreset = 0;
330 if (optind >= nargc) { /* end of argument vector */
331 place = EMSG;
332 if (nonopt_end != -1) {
333 /* do permutation, if we have to */
334 permute_args(nonopt_start, nonopt_end,
335 optind, nargv);
336 optind -= nonopt_end - nonopt_start;
337 }
338 else if (nonopt_start != -1) {
339 /*
340 * If we skipped non-options, set optind
341 * to the first of them.
342 */
343 optind = nonopt_start;
344 }
345 nonopt_start = nonopt_end = -1;
346 return (-1);
347 }
348 if (*(place = nargv[optind]) != '-' ||
349 (place[1] == '\0' && strchr(options, '-') == NULL)) {
350 place = EMSG; /* found non-option */
351 if (flags & FLAG_ALLARGS) {
352 /*
353 * GNU extension:
354 * return non-option as argument to option 1
355 */
356 optarg = nargv[optind++];
357 return (INORDER);
358 }
359 if (!(flags & FLAG_PERMUTE)) {
360 /*
361 * If no permutation wanted, stop parsing
362 * at first non-option.
363 */
364 return (-1);
365 }
366 /* do permutation */
367 if (nonopt_start == -1)
368 nonopt_start = optind;
369 else if (nonopt_end != -1) {
370 permute_args(nonopt_start, nonopt_end,
371 optind, nargv);
372 nonopt_start = optind -
373 (nonopt_end - nonopt_start);
374 nonopt_end = -1;
375 }
376 optind++;
377 /* process next argument */
378 goto start;
379 }
380 if (nonopt_start != -1 && nonopt_end == -1)
381 nonopt_end = optind;
382
383 /*
384 * If we have "-" do nothing, if "--" we are done.
385 */
386 if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
387 optind++;
388 place = EMSG;
389 /*
390 * We found an option (--), so if we skipped
391 * non-options, we have to permute.
392 */
393 if (nonopt_end != -1) {
394 permute_args(nonopt_start, nonopt_end,
395 optind, nargv);
396 optind -= nonopt_end - nonopt_start;
397 }
398 nonopt_start = nonopt_end = -1;
399 return (-1);
400 }
401 }
402
403 /*
404 * Check long options if:
405 * 1) we were passed some
406 * 2) the arg is not just "-"
407 * 3) either the arg starts with -- we are getopt_long_only()
408 */
409 if (long_options != NULL && place != nargv[optind] &&
410 (*place == '-' || (flags & FLAG_LONGONLY))) {
411 short_too = 0;
412 if (*place == '-')
413 place++; /* --foo long option */
414 else if (*place != ':' && strchr(options, *place) != NULL)
415 short_too = 1; /* could be short option too */
416
417 optchar = parse_long_options(nargv, options, long_options,
418 idx, short_too);
419 if (optchar != -1) {
420 place = EMSG;
421 return (optchar);
422 }
423 }
424
425 if ((optchar = (int)*place++) == (int)':' ||
426 (optchar == (int)'-' && *place != '\0') ||
427 (oli = strchr(options, optchar)) == NULL) {
428 /*
429 * If the user specified "-" and '-' isn't listed in
430 * options, return -1 (non-option) as per POSIX.
431 * Otherwise, it is an unknown option character (or ':').
432 */
433 if (optchar == (int)'-' && *place == '\0')
434 return (-1);
435 if (!*place)
436 ++optind;
437 if (PRINT_ERROR)
438 warnx(illoptchar, optchar);
439 optopt = optchar;
440 return (BADCH);
441 }
442 if (long_options != NULL && optchar == 'W' && oli[1] == ';') {
443 /* -W long-option */
444 if (*place) /* no space */
445 /* NOTHING */;
446 else if (++optind >= nargc) { /* no arg */
447 place = EMSG;
448 if (PRINT_ERROR)
449 warnx(recargchar, optchar);
450 optopt = optchar;
451 return (BADARG);
452 } else /* white space */
453 place = nargv[optind];
454 optchar = parse_long_options(nargv, options, long_options,
455 idx, 0);
456 place = EMSG;
457 return (optchar);
458 }
459 if (*++oli != ':') { /* doesn't take argument */
460 if (!*place)
461 ++optind;
462 } else { /* takes (optional) argument */
463 optarg = NULL;
464 if (*place) /* no white space */
465 optarg = place;
466 else if (oli[1] != ':') { /* arg not optional */
467 if (++optind >= nargc) { /* no arg */
468 place = EMSG;
469 if (PRINT_ERROR)
470 warnx(recargchar, optchar);
471 optopt = optchar;
472 return (BADARG);
473 } else
474 optarg = nargv[optind];
475 }
476 place = EMSG;
477 ++optind;
478 }
479 /* dump back option letter */
480 return (optchar);
481}
482
483/*
484 * getopt --
485 * Parse argc/argv argument vector.
486 *
487 * [eventually this will replace the BSD getopt]
488 */
489int
490getopt(int nargc, char * const *nargv, const char *options)
491{
492
493 /*
494 * We don't pass FLAG_PERMUTE to getopt_internal() since
495 * the BSD getopt(3) (unlike GNU) has never done this.
496 *
497 * Furthermore, since many privileged programs call getopt()
498 * before dropping privileges it makes sense to keep things
499 * as simple (and bug-free) as possible.
500 */
501 return (getopt_internal(nargc, nargv, options, NULL, NULL, 0));
502}
503
504#if 0
505/*
506 * getopt_long --
507 * Parse argc/argv argument vector.
508 */
509int
510getopt_long(int nargc, char * const *nargv, const char *options,
511 const struct option *long_options, int *idx)
512{
513
514 return (getopt_internal(nargc, nargv, options, long_options, idx,
515 FLAG_PERMUTE));
516}
517
518/*
519 * getopt_long_only --
520 * Parse argc/argv argument vector.
521 */
522int
523getopt_long_only(int nargc, char * const *nargv, const char *options,
524 const struct option *long_options, int *idx)
525{
526
527 return (getopt_internal(nargc, nargv, options, long_options, idx,
528 FLAG_PERMUTE|FLAG_LONGONLY));
529}
530#endif
531
532#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */
diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
index 19666346b..343720f10 100644
--- a/openbsd-compat/getrrsetbyname-ldns.c
+++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -58,7 +58,6 @@
58 58
59#define malloc(x) (xmalloc(x)) 59#define malloc(x) (xmalloc(x))
60#define calloc(x, y) (xcalloc((x),(y))) 60#define calloc(x, y) (xcalloc((x),(y)))
61#define free(x) (xfree(x))
62 61
63int 62int
64getrrsetbyname(const char *hostname, unsigned int rdclass, 63getrrsetbyname(const char *hostname, unsigned int rdclass,
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index a8c579f49..392fa38dc 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ 1/* $Id: openbsd-compat.h,v 1.58 2013/06/05 22:30:21 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -111,6 +111,10 @@ char *dirname(const char *path);
111int fmt_scaled(long long number, char *result); 111int fmt_scaled(long long number, char *result);
112#endif 112#endif
113 113
114#ifndef HAVE_SCAN_SCALED
115int scan_scaled(char *, long long *);
116#endif
117
114#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) 118#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
115char *inet_ntoa(struct in_addr in); 119char *inet_ntoa(struct in_addr in);
116#endif 120#endif
@@ -139,6 +143,7 @@ int getgrouplist(const char *, gid_t, gid_t *, int *);
139 143
140#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) 144#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
141int BSDgetopt(int argc, char * const *argv, const char *opts); 145int BSDgetopt(int argc, char * const *argv, const char *opts);
146#include "openbsd-compat/getopt.h"
142#endif 147#endif
143 148
144#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0 149#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0
@@ -202,6 +207,11 @@ unsigned long long strtoull(const char *, char **, int);
202long long strtonum(const char *, long long, long long, const char **); 207long long strtonum(const char *, long long, long long, const char **);
203#endif 208#endif
204 209
210/* multibyte character support */
211#ifndef HAVE_MBLEN
212# define mblen(x, y) 1
213#endif
214
205#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF) 215#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF)
206# include <stdarg.h> 216# include <stdarg.h>
207#endif 217#endif
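Review bot: The `mblen` fallback added under `#ifndef HAVE_MBLEN` returns 1 for every input, including an empty string, where the standard function returns 0 at a null character. A caller that advances through a buffer by the returned length would step over the terminator on platforms that take this fallback; whether any caller does so is not visible in this section. A stricter stub such as `# define mblen(x, y) ((x) == NULL || *(x) == '\0' ? 0 : 1)` keeps the single-byte behaviour without that hazard, at the cost of evaluating `x` twice. Failing that, the comment above the define should say `/* single-byte fallback: always returns 1, callers must test for NUL themselves */`.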
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 0bdefbf6d..8da367d48 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -86,7 +86,7 @@ aix_usrinfo(struct passwd *pw)
86 fatal("Couldn't set usrinfo: %s", strerror(errno)); 86 fatal("Couldn't set usrinfo: %s", strerror(errno));
87 debug3("AIX/UsrInfo: set len %d", i); 87 debug3("AIX/UsrInfo: set len %d", i);
88 88
89 xfree(cp); 89 free(cp);
90} 90}
91 91
92# ifdef WITH_AIXAUTHENTICATE 92# ifdef WITH_AIXAUTHENTICATE
@@ -215,16 +215,14 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
215 default: /* user can't change(2) or other error (-1) */ 215 default: /* user can't change(2) or other error (-1) */
216 logit("Password can't be changed for user %s: %.100s", 216 logit("Password can't be changed for user %s: %.100s",
217 name, msg); 217 name, msg);
218 if (msg) 218 free(msg);
219 xfree(msg);
220 authsuccess = 0; 219 authsuccess = 0;
221 } 220 }
222 221
223 aix_restoreauthdb(); 222 aix_restoreauthdb();
224 } 223 }
225 224
226 if (authmsg != NULL) 225 free(authmsg);
227 xfree(authmsg);
228 226
229 return authsuccess; 227 return authsuccess;
230} 228}
@@ -269,7 +267,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
269 267
270 if (!permitted) 268 if (!permitted)
271 logit("Login restricted for %s: %.100s", pw->pw_name, msg); 269 logit("Login restricted for %s: %.100s", pw->pw_name, msg);
272 xfree(msg); 270 free(msg);
273 return permitted; 271 return permitted;
274} 272}
275 273
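Review bot: In the `default:` branch of sys_auth_passwd the `logit("Password can't be changed for user %s: %.100s", name, msg)` call formats `msg` just before it is freed, and the `if (msg)` guard this commit removes suggests `msg` can be NULL at that point. Passing NULL to a `%s` conversion is undefined behaviour in the C library formatters, so the log call deserves the same care as the free: `name, msg ? msg : "(none)");`. Where `msg` is assigned is outside the hunk, so this should be confirmed against the call that fills it in.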
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index aba75387c..4637a7a3e 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
1/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */ 1/* $Id: port-linux.c,v 1.18 2013/06/01 22:07:32 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> 4 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -96,10 +96,8 @@ ssh_selinux_getctxbyname(char *pwname)
96 } 96 }
97 97
98#ifdef HAVE_GETSEUSERBYNAME 98#ifdef HAVE_GETSEUSERBYNAME
99 if (sename != NULL) 99 free(sename);
100 xfree(sename); 100 free(lvl);
101 if (lvl != NULL)
102 xfree(lvl);
103#endif 101#endif
104 102
105 return sc; 103 return sc;
@@ -217,8 +215,8 @@ ssh_selinux_change_context(const char *newname)
217 if (setcon(newctx) < 0) 215 if (setcon(newctx) < 0)
218 switchlog("%s: setcon %s from %s failed with %s", __func__, 216 switchlog("%s: setcon %s from %s failed with %s", __func__,
219 newctx, oldctx, strerror(errno)); 217 newctx, oldctx, strerror(errno));
220 xfree(oldctx); 218 free(oldctx);
221 xfree(newctx); 219 free(newctx);
222} 220}
223 221
224void 222void
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 6291e2884..c8aea461d 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -55,7 +55,12 @@
55 55
56# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) 56# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
57# include "md5crypt.h" 57# include "md5crypt.h"
58# endif 58# endif
59
60# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
61# include <openssl/des.h>
62# define crypt DES_crypt
63# endif
59 64
60char * 65char *
61xcrypt(const char *password, const char *salt) 66xcrypt(const char *password, const char *salt)
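Review bot: The new `# define crypt DES_crypt` fallback deserves a comment stating its limits, since it silently changes which password hashes the build can verify. DES_crypt implements only the traditional DES-based crypt(3) scheme, which uses a two-character salt and ignores password characters after the eighth, so hashes stored in other formats would not verify on a platform that takes this branch. Something like `/* Fallback: traditional DES crypt only; passwords are significant to 8 characters */` above the define would make that visible to whoever enables HAVE_DES_CRYPT. The body of xcrypt() is outside the hunk, so how a mismatched or failed hash is handled there cannot be checked from here.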
diff --git a/packet.c b/packet.c
index 3e835d360..0d27e7592 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ 1/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -58,6 +58,7 @@
58#include <string.h> 58#include <string.h>
59#include <unistd.h> 59#include <unistd.h>
60#include <signal.h> 60#include <signal.h>
61#include <time.h>
61 62
62#include "xmalloc.h" 63#include "xmalloc.h"
63#include "buffer.h" 64#include "buffer.h"
@@ -165,9 +166,14 @@ struct session_state {
165 Newkeys *newkeys[MODE_MAX]; 166 Newkeys *newkeys[MODE_MAX];
166 struct packet_state p_read, p_send; 167 struct packet_state p_read, p_send;
167 168
169 /* Volume-based rekeying */
168 u_int64_t max_blocks_in, max_blocks_out; 170 u_int64_t max_blocks_in, max_blocks_out;
169 u_int32_t rekey_limit; 171 u_int32_t rekey_limit;
170 172
173 /* Time-based rekeying */
174 time_t rekey_interval; /* how often in seconds */
175 time_t rekey_time; /* time of last rekeying */
176
171 /* Session key for protocol v1 */ 177 /* Session key for protocol v1 */
172 u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; 178 u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
173 u_int ssh1_keylen; 179 u_int ssh1_keylen;
@@ -215,7 +221,7 @@ alloc_session_state(void)
215void 221void
216packet_set_connection(int fd_in, int fd_out) 222packet_set_connection(int fd_in, int fd_out)
217{ 223{
218 Cipher *none = cipher_by_name("none"); 224 const Cipher *none = cipher_by_name("none");
219 225
220 if (none == NULL) 226 if (none == NULL)
221 fatal("packet_set_connection: cannot load cipher 'none'"); 227 fatal("packet_set_connection: cannot load cipher 'none'");
@@ -545,7 +551,7 @@ packet_start_compression(int level)
545void 551void
546packet_set_encryption_key(const u_char *key, u_int keylen, int number) 552packet_set_encryption_key(const u_char *key, u_int keylen, int number)
547{ 553{
548 Cipher *cipher = cipher_by_number(number); 554 const Cipher *cipher = cipher_by_number(number);
549 555
550 if (cipher == NULL) 556 if (cipher == NULL)
551 fatal("packet_set_encryption_key: unknown cipher number %d", number); 557 fatal("packet_set_encryption_key: unknown cipher number %d", number);
@@ -760,13 +766,13 @@ set_newkeys(int mode)
760 memset(enc->iv, 0, enc->iv_len); 766 memset(enc->iv, 0, enc->iv_len);
761 memset(enc->key, 0, enc->key_len); 767 memset(enc->key, 0, enc->key_len);
762 memset(mac->key, 0, mac->key_len); 768 memset(mac->key, 0, mac->key_len);
763 xfree(enc->name); 769 free(enc->name);
764 xfree(enc->iv); 770 free(enc->iv);
765 xfree(enc->key); 771 free(enc->key);
766 xfree(mac->name); 772 free(mac->name);
767 xfree(mac->key); 773 free(mac->key);
768 xfree(comp->name); 774 free(comp->name);
769 xfree(active_state->newkeys[mode]); 775 free(active_state->newkeys[mode]);
770 } 776 }
771 active_state->newkeys[mode] = kex_get_newkeys(mode); 777 active_state->newkeys[mode] = kex_get_newkeys(mode);
772 if (active_state->newkeys[mode] == NULL) 778 if (active_state->newkeys[mode] == NULL)
@@ -1009,6 +1015,7 @@ packet_send2(void)
1009 /* after a NEWKEYS message we can send the complete queue */ 1015 /* after a NEWKEYS message we can send the complete queue */
1010 if (type == SSH2_MSG_NEWKEYS) { 1016 if (type == SSH2_MSG_NEWKEYS) {
1011 active_state->rekeying = 0; 1017 active_state->rekeying = 0;
1018 active_state->rekey_time = monotime();
1012 while ((p = TAILQ_FIRST(&active_state->outgoing))) { 1019 while ((p = TAILQ_FIRST(&active_state->outgoing))) {
1013 type = p->type; 1020 type = p->type;
1014 debug("dequeue packet: %u", type); 1021 debug("dequeue packet: %u", type);
@@ -1016,7 +1023,7 @@ packet_send2(void)
1016 memcpy(&active_state->outgoing_packet, &p->payload, 1023 memcpy(&active_state->outgoing_packet, &p->payload,
1017 sizeof(Buffer)); 1024 sizeof(Buffer));
1018 TAILQ_REMOVE(&active_state->outgoing, p, next); 1025 TAILQ_REMOVE(&active_state->outgoing, p, next);
1019 xfree(p); 1026 free(p);
1020 packet_send2_wrapped(); 1027 packet_send2_wrapped();
1021 } 1028 }
1022 } 1029 }
@@ -1041,7 +1048,7 @@ packet_send(void)
1041int 1048int
1042packet_read_seqnr(u_int32_t *seqnr_p) 1049packet_read_seqnr(u_int32_t *seqnr_p)
1043{ 1050{
1044 int type, len, ret, ms_remain, cont; 1051 int type, len, ret, cont, ms_remain = 0;
1045 fd_set *setp; 1052 fd_set *setp;
1046 char buf[8192]; 1053 char buf[8192];
1047 struct timeval timeout, start, *timeoutp = NULL; 1054 struct timeval timeout, start, *timeoutp = NULL;
@@ -1066,7 +1073,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
1066 packet_check_eom(); 1073 packet_check_eom();
1067 /* If we got a packet, return it. */ 1074 /* If we got a packet, return it. */
1068 if (type != SSH_MSG_NONE) { 1075 if (type != SSH_MSG_NONE) {
1069 xfree(setp); 1076 free(setp);
1070 return type; 1077 return type;
1071 } 1078 }
1072 /* 1079 /*
@@ -1453,9 +1460,9 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1453 packet_get_char(); 1460 packet_get_char();
1454 msg = packet_get_string(NULL); 1461 msg = packet_get_string(NULL);
1455 debug("Remote: %.900s", msg); 1462 debug("Remote: %.900s", msg);
1456 xfree(msg); 1463 free(msg);
1457 msg = packet_get_string(NULL); 1464 msg = packet_get_string(NULL);
1458 xfree(msg); 1465 free(msg);
1459 break; 1466 break;
1460 case SSH2_MSG_DISCONNECT: 1467 case SSH2_MSG_DISCONNECT:
1461 reason = packet_get_int(); 1468 reason = packet_get_int();
@@ -1466,7 +1473,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1466 SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, 1473 SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
1467 "Received disconnect from %s: %u: %.400s", 1474 "Received disconnect from %s: %u: %.400s",
1468 get_remote_ipaddr(), reason, msg); 1475 get_remote_ipaddr(), reason, msg);
1469 xfree(msg); 1476 free(msg);
1470 cleanup_exit(255); 1477 cleanup_exit(255);
1471 break; 1478 break;
1472 case SSH2_MSG_UNIMPLEMENTED: 1479 case SSH2_MSG_UNIMPLEMENTED:
@@ -1480,12 +1487,14 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1480 } else { 1487 } else {
1481 type = packet_read_poll1(); 1488 type = packet_read_poll1();
1482 switch (type) { 1489 switch (type) {
1490 case SSH_MSG_NONE:
1491 return SSH_MSG_NONE;
1483 case SSH_MSG_IGNORE: 1492 case SSH_MSG_IGNORE:
1484 break; 1493 break;
1485 case SSH_MSG_DEBUG: 1494 case SSH_MSG_DEBUG:
1486 msg = packet_get_string(NULL); 1495 msg = packet_get_string(NULL);
1487 debug("Remote: %.900s", msg); 1496 debug("Remote: %.900s", msg);
1488 xfree(msg); 1497 free(msg);
1489 break; 1498 break;
1490 case SSH_MSG_DISCONNECT: 1499 case SSH_MSG_DISCONNECT:
1491 msg = packet_get_string(NULL); 1500 msg = packet_get_string(NULL);
@@ -1494,8 +1503,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
1494 cleanup_exit(255); 1503 cleanup_exit(255);
1495 break; 1504 break;
1496 default: 1505 default:
1497 if (type) 1506 DBG(debug("received packet type %d", type));
1498 DBG(debug("received packet type %d", type));
1499 return type; 1507 return type;
1500 } 1508 }
1501 } 1509 }
@@ -1732,7 +1740,7 @@ void
1732packet_write_wait(void) 1740packet_write_wait(void)
1733{ 1741{
1734 fd_set *setp; 1742 fd_set *setp;
1735 int ret, ms_remain; 1743 int ret, ms_remain = 0;
1736 struct timeval start, timeout, *timeoutp = NULL; 1744 struct timeval start, timeout, *timeoutp = NULL;
1737 1745
1738 setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, 1746 setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
@@ -1773,7 +1781,7 @@ packet_write_wait(void)
1773 } 1781 }
1774 packet_write_poll(); 1782 packet_write_poll();
1775 } 1783 }
1776 xfree(setp); 1784 free(setp);
1777} 1785}
1778 1786
1779/* Returns true if there is buffered data to write to the connection. */ 1787/* Returns true if there is buffered data to write to the connection. */
@@ -1933,13 +1941,33 @@ packet_need_rekeying(void)
1933 (active_state->max_blocks_out && 1941 (active_state->max_blocks_out &&
1934 (active_state->p_send.blocks > active_state->max_blocks_out)) || 1942 (active_state->p_send.blocks > active_state->max_blocks_out)) ||
1935 (active_state->max_blocks_in && 1943 (active_state->max_blocks_in &&
1936 (active_state->p_read.blocks > active_state->max_blocks_in)); 1944 (active_state->p_read.blocks > active_state->max_blocks_in)) ||
1945 (active_state->rekey_interval != 0 && active_state->rekey_time +
1946 active_state->rekey_interval <= monotime());
1937} 1947}
1938 1948
1939void 1949void
1940packet_set_rekey_limit(u_int32_t bytes) 1950packet_set_rekey_limits(u_int32_t bytes, time_t seconds)
1941{ 1951{
1952 debug3("rekey after %lld bytes, %d seconds", (long long)bytes,
1953 (int)seconds);
1942 active_state->rekey_limit = bytes; 1954 active_state->rekey_limit = bytes;
1955 active_state->rekey_interval = seconds;
1956 /*
1957 * We set the time here so that in post-auth privsep slave we count
1958 * from the completion of the authentication.
1959 */
1960 active_state->rekey_time = monotime();
1961}
1962
1963time_t
1964packet_get_rekey_timeout(void)
1965{
1966 time_t seconds;
1967
1968 seconds = active_state->rekey_time + active_state->rekey_interval -
1969 monotime();
1970 return (seconds <= 0 ? 1 : seconds);
1943} 1971}
1944 1972
1945void 1973void
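Review bot: In the set_newkeys hunk the old key material is wiped with `memset(enc->key, 0, enc->key_len)` (likewise `enc->iv` and `mac->key`) immediately before the buffers are released, and the release is now a direct `free()` instead of the `xfree()` wrapper. A compiler that knows the semantics of `free()` may treat a `memset` of a buffer that is freed right afterwards as a dead store and drop it, which would leave the previous session keys in heap memory; with an out-of-line wrapper that was less likely. Consider wiping through a function the optimiser cannot elide, e.g. `explicit_bzero(enc->key, enc->key_len);` where the platform or the compat layer provides it. The body of set_newkeys starts and ends outside the hunk.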
diff --git a/packet.h b/packet.h
index 09ba07951..f8edf851c 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */ 1/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -71,7 +71,7 @@ void *packet_get_raw(u_int *length_ptr);
71void *packet_get_string(u_int *length_ptr); 71void *packet_get_string(u_int *length_ptr);
72char *packet_get_cstring(u_int *length_ptr); 72char *packet_get_cstring(u_int *length_ptr);
73void *packet_get_string_ptr(u_int *length_ptr); 73void *packet_get_string_ptr(u_int *length_ptr);
74void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); 74void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
75void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); 75void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
76 76
77void set_newkeys(int mode); 77void set_newkeys(int mode);
@@ -115,7 +115,8 @@ do { \
115} while (0) 115} while (0)
116 116
117int packet_need_rekeying(void); 117int packet_need_rekeying(void);
118void packet_set_rekey_limit(u_int32_t); 118void packet_set_rekey_limits(u_int32_t, time_t);
119time_t packet_get_rekey_timeout(void);
119 120
120void packet_backup_state(void); 121void packet_backup_state(void);
121void packet_restore_state(void); 122void packet_restore_state(void);
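Review bot: The two new prototypes `void packet_set_rekey_limits(u_int32_t, time_t);` and `time_t packet_get_rekey_timeout(void);` carry no parameter names or contract, and the getter has a behaviour callers need to know. As defined in packet.c it returns `rekey_time + rekey_interval - monotime()` clamped to a minimum of 1, so with the interval disabled (0) it yields a one-second timeout rather than "no timeout". I would name the parameters, `void packet_set_rekey_limits(u_int32_t bytes, time_t seconds);`, and add `/* seconds until the next time-based rekey, never less than 1; only meaningful when a rekey interval is set */` above the getter.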
diff --git a/pathnames.h b/pathnames.h
index c3d9abff5..5027fbaed 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */ 1/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,18 +65,18 @@
65 * readable by anyone except the user him/herself, though this does not 65 * readable by anyone except the user him/herself, though this does not
66 * contain anything particularly secret. 66 * contain anything particularly secret.
67 */ 67 */
68#define _PATH_SSH_USER_HOSTFILE "~/.ssh/known_hosts" 68#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts"
69/* backward compat for protocol 2 */ 69/* backward compat for protocol 2 */
70#define _PATH_SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2" 70#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2"
71 71
72/* 72/*
73 * Name of the default file containing client-side authentication key. This 73 * Name of the default file containing client-side authentication key. This
74 * file should only be readable by the user him/herself. 74 * file should only be readable by the user him/herself.
75 */ 75 */
76#define _PATH_SSH_CLIENT_IDENTITY ".ssh/identity" 76#define _PATH_SSH_CLIENT_IDENTITY _PATH_SSH_USER_DIR "/identity"
77#define _PATH_SSH_CLIENT_ID_DSA ".ssh/id_dsa" 77#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
78#define _PATH_SSH_CLIENT_ID_ECDSA ".ssh/id_ecdsa" 78#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
79#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa" 79#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
80 80
81/* 81/*
82 * Configuration file in user's home directory. This file need not be 82 * Configuration file in user's home directory. This file need not be
@@ -84,7 +84,7 @@
84 * particularly secret. If the user's home directory resides on an NFS 84 * particularly secret. If the user's home directory resides on an NFS
85 * volume where root is mapped to nobody, this may need to be world-readable. 85 * volume where root is mapped to nobody, this may need to be world-readable.
86 */ 86 */
87#define _PATH_SSH_USER_CONFFILE ".ssh/config" 87#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config"
88 88
89/* 89/*
90 * File containing a list of those rsa keys that permit logging in as this 90 * File containing a list of those rsa keys that permit logging in as this
@@ -94,10 +94,10 @@
94 * may need to be world-readable. (This file is read by the daemon which is 94 * may need to be world-readable. (This file is read by the daemon which is
95 * running as root.) 95 * running as root.)
96 */ 96 */
97#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" 97#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys"
98 98
99/* backward compat for protocol v2 */ 99/* backward compat for protocol v2 */
100#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" 100#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2"
101 101
102/* 102/*
103 * Per-user and system-wide ssh "rc" files. These files are executed with 103 * Per-user and system-wide ssh "rc" files. These files are executed with
@@ -105,7 +105,7 @@
105 * passed "proto cookie" as arguments if X11 forwarding with spoofing is in 105 * passed "proto cookie" as arguments if X11 forwarding with spoofing is in
106 * use. xauth will be run if neither of these exists. 106 * use. xauth will be run if neither of these exists.
107 */ 107 */
108#define _PATH_SSH_USER_RC ".ssh/rc" 108#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc"
109#define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc" 109#define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc"
110 110
111/* 111/*
diff --git a/progressmeter.c b/progressmeter.c
index 0f95222d2..332bd3c99 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: progressmeter.c,v 1.39 2013/06/02 13:33:05 dtucker Exp $ */
2/* 2/*
3 * Copyright (c) 2003 Nils Nordman. All rights reserved. 3 * Copyright (c) 2003 Nils Nordman. All rights reserved.
4 * 4 *
@@ -131,7 +131,7 @@ refresh_progress_meter(void)
131 131
132 transferred = *counter - cur_pos; 132 transferred = *counter - cur_pos;
133 cur_pos = *counter; 133 cur_pos = *counter;
134 now = time(NULL); 134 now = monotime();
135 bytes_left = end_pos - cur_pos; 135 bytes_left = end_pos - cur_pos;
136 136
137 if (bytes_left > 0) 137 if (bytes_left > 0)
@@ -249,7 +249,7 @@ update_progress_meter(int ignore)
249void 249void
250start_progress_meter(char *f, off_t filesize, off_t *ctr) 250start_progress_meter(char *f, off_t filesize, off_t *ctr)
251{ 251{
252 start = last_update = time(NULL); 252 start = last_update = monotime();
253 file = f; 253 file = f;
254 end_pos = filesize; 254 end_pos = filesize;
255 cur_pos = 0; 255 cur_pos = 0;
diff --git a/readconf.c b/readconf.c
index 375ca32cc..2695fd6c0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ 1/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -30,6 +30,9 @@
30#include <stdio.h> 30#include <stdio.h>
31#include <string.h> 31#include <string.h>
32#include <unistd.h> 32#include <unistd.h>
33#ifdef HAVE_UTIL_H
34#include <util.h>
35#endif
33 36
34#include "xmalloc.h" 37#include "xmalloc.h"
35#include "ssh.h" 38#include "ssh.h"
@@ -136,8 +139,8 @@ typedef enum {
136 oHashKnownHosts, 139 oHashKnownHosts,
137 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 140 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
138 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 141 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
139 oKexAlgorithms, oIPQoS, oRequestTTY, 142 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
140 oDeprecated, oUnsupported 143 oIgnoredUnknownOption, oDeprecated, oUnsupported
141} OpCodes; 144} OpCodes;
142 145
143/* Textual representations of the tokens. */ 146/* Textual representations of the tokens. */
@@ -257,6 +260,7 @@ static struct {
257 { "kexalgorithms", oKexAlgorithms }, 260 { "kexalgorithms", oKexAlgorithms },
258 { "ipqos", oIPQoS }, 261 { "ipqos", oIPQoS },
259 { "requesttty", oRequestTTY }, 262 { "requesttty", oRequestTTY },
263 { "ignoreunknown", oIgnoreUnknown },
260 264
261 { NULL, oBadOption } 265 { NULL, oBadOption }
262}; 266};
@@ -315,22 +319,20 @@ clear_forwardings(Options *options)
315 int i; 319 int i;
316 320
317 for (i = 0; i < options->num_local_forwards; i++) { 321 for (i = 0; i < options->num_local_forwards; i++) {
318 if (options->local_forwards[i].listen_host != NULL) 322 free(options->local_forwards[i].listen_host);
319 xfree(options->local_forwards[i].listen_host); 323 free(options->local_forwards[i].connect_host);
320 xfree(options->local_forwards[i].connect_host);
321 } 324 }
322 if (options->num_local_forwards > 0) { 325 if (options->num_local_forwards > 0) {
323 xfree(options->local_forwards); 326 free(options->local_forwards);
324 options->local_forwards = NULL; 327 options->local_forwards = NULL;
325 } 328 }
326 options->num_local_forwards = 0; 329 options->num_local_forwards = 0;
327 for (i = 0; i < options->num_remote_forwards; i++) { 330 for (i = 0; i < options->num_remote_forwards; i++) {
328 if (options->remote_forwards[i].listen_host != NULL) 331 free(options->remote_forwards[i].listen_host);
329 xfree(options->remote_forwards[i].listen_host); 332 free(options->remote_forwards[i].connect_host);
330 xfree(options->remote_forwards[i].connect_host);
331 } 333 }
332 if (options->num_remote_forwards > 0) { 334 if (options->num_remote_forwards > 0) {
333 xfree(options->remote_forwards); 335 free(options->remote_forwards);
334 options->remote_forwards = NULL; 336 options->remote_forwards = NULL;
335 } 337 }
336 options->num_remote_forwards = 0; 338 options->num_remote_forwards = 0;
@@ -362,14 +364,17 @@ add_identity_file(Options *options, const char *dir, const char *filename,
362 */ 364 */
363 365
364static OpCodes 366static OpCodes
365parse_token(const char *cp, const char *filename, int linenum) 367parse_token(const char *cp, const char *filename, int linenum,
368 const char *ignored_unknown)
366{ 369{
367 u_int i; 370 int i;
368 371
369 for (i = 0; keywords[i].name; i++) 372 for (i = 0; keywords[i].name; i++)
370 if (strcasecmp(cp, keywords[i].name) == 0) 373 if (strcmp(cp, keywords[i].name) == 0)
371 return keywords[i].opcode; 374 return keywords[i].opcode;
372 375 if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown,
376 strlen(ignored_unknown), 1) == 1)
377 return oIgnoredUnknownOption;
373 error("%s: line %d: Bad configuration option: %s", 378 error("%s: line %d: Bad configuration option: %s",
374 filename, linenum, cp); 379 filename, linenum, cp);
375 return oBadOption; 380 return oBadOption;
@@ -388,10 +393,10 @@ process_config_line(Options *options, const char *host,
388{ 393{
389 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; 394 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
390 char **cpptr, fwdarg[256]; 395 char **cpptr, fwdarg[256];
391 u_int *uintptr, max_entries = 0; 396 u_int i, *uintptr, max_entries = 0;
392 int negated, opcode, *intptr, value, value2, scale; 397 int negated, opcode, *intptr, value, value2;
393 LogLevel *log_level_ptr; 398 LogLevel *log_level_ptr;
394 long long orig, val64; 399 long long val64;
395 size_t len; 400 size_t len;
396 Forward fwd; 401 Forward fwd;
397 402
@@ -411,14 +416,22 @@ process_config_line(Options *options, const char *host,
411 keyword = strdelim(&s); 416 keyword = strdelim(&s);
412 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') 417 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
413 return 0; 418 return 0;
419 /* Match lowercase keyword */
420 for (i = 0; i < strlen(keyword); i++)
421 keyword[i] = tolower(keyword[i]);
414 422
415 opcode = parse_token(keyword, filename, linenum); 423 opcode = parse_token(keyword, filename, linenum,
424 options->ignored_unknown);
416 425
417 switch (opcode) { 426 switch (opcode) {
418 case oBadOption: 427 case oBadOption:
419 /* don't panic, but count bad options */ 428 /* don't panic, but count bad options */
420 return -1; 429 return -1;
421 /* NOTREACHED */ 430 /* NOTREACHED */
431 case oIgnoredUnknownOption:
432 debug("%s line %d: Ignored unknown option \"%s\"",
433 filename, linenum, keyword);
434 return 0;
422 case oConnectTimeout: 435 case oConnectTimeout:
423 intptr = &options->connection_timeout; 436 intptr = &options->connection_timeout;
424parse_time: 437parse_time:
@@ -593,39 +606,32 @@ parse_yesnoask:
593 case oRekeyLimit: 606 case oRekeyLimit:
594 arg = strdelim(&s); 607 arg = strdelim(&s);
595 if (!arg || *arg == '\0') 608 if (!arg || *arg == '\0')
596 fatal("%.200s line %d: Missing argument.", filename, linenum); 609 fatal("%.200s line %d: Missing argument.", filename,
597 if (arg[0] < '0' || arg[0] > '9') 610 linenum);
598 fatal("%.200s line %d: Bad number.", filename, linenum); 611 if (strcmp(arg, "default") == 0) {
599 orig = val64 = strtoll(arg, &endofnumber, 10); 612 val64 = 0;
600 if (arg == endofnumber) 613 } else {
601 fatal("%.200s line %d: Bad number.", filename, linenum); 614 if (scan_scaled(arg, &val64) == -1)
602 switch (toupper(*endofnumber)) { 615 fatal("%.200s line %d: Bad number '%s': %s",
603 case '\0': 616 filename, linenum, arg, strerror(errno));
604 scale = 1; 617 /* check for too-large or too-small limits */
605 break; 618 if (val64 > UINT_MAX)
606 case 'K': 619 fatal("%.200s line %d: RekeyLimit too large",
607 scale = 1<<10; 620 filename, linenum);
608 break; 621 if (val64 != 0 && val64 < 16)
609 case 'M': 622 fatal("%.200s line %d: RekeyLimit too small",
610 scale = 1<<20; 623 filename, linenum);
611 break;
612 case 'G':
613 scale = 1<<30;
614 break;
615 default:
616 fatal("%.200s line %d: Invalid RekeyLimit suffix",
617 filename, linenum);
618 } 624 }
619 val64 *= scale;
620 /* detect integer wrap and too-large limits */
621 if ((val64 / scale) != orig || val64 > UINT_MAX)
622 fatal("%.200s line %d: RekeyLimit too large",
623 filename, linenum);
624 if (val64 < 16)
625 fatal("%.200s line %d: RekeyLimit too small",
626 filename, linenum);
627 if (*activep && options->rekey_limit == -1) 625 if (*activep && options->rekey_limit == -1)
628 options->rekey_limit = (u_int32_t)val64; 626 options->rekey_limit = (u_int32_t)val64;
627 if (s != NULL) { /* optional rekey interval present */
628 if (strcmp(s, "none") == 0) {
629 (void)strdelim(&s); /* discard */
630 break;
631 }
632 intptr = &options->rekey_interval;
633 goto parse_time;
634 }
629 break; 635 break;
630 636
631 case oIdentityFile: 637 case oIdentityFile:
@@ -1093,6 +1099,10 @@ parse_int:
1093 *intptr = value; 1099 *intptr = value;
1094 break; 1100 break;
1095 1101
1102 case oIgnoreUnknown:
1103 charptr = &options->ignored_unknown;
1104 goto parse_string;
1105
1096 case oDeprecated: 1106 case oDeprecated:
1097 debug("%s line %d: Deprecated option \"%s\"", 1107 debug("%s line %d: Deprecated option \"%s\"",
1098 filename, linenum, keyword); 1108 filename, linenum, keyword);
@@ -1238,6 +1248,7 @@ initialize_options(Options * options)
1238 options->no_host_authentication_for_localhost = - 1; 1248 options->no_host_authentication_for_localhost = - 1;
1239 options->identities_only = - 1; 1249 options->identities_only = - 1;
1240 options->rekey_limit = - 1; 1250 options->rekey_limit = - 1;
1251 options->rekey_interval = -1;
1241 options->verify_host_key_dns = -1; 1252 options->verify_host_key_dns = -1;
1242 options->server_alive_interval = -1; 1253 options->server_alive_interval = -1;
1243 options->server_alive_count_max = -1; 1254 options->server_alive_count_max = -1;
@@ -1258,6 +1269,7 @@ initialize_options(Options * options)
1258 options->ip_qos_interactive = -1; 1269 options->ip_qos_interactive = -1;
1259 options->ip_qos_bulk = -1; 1270 options->ip_qos_bulk = -1;
1260 options->request_tty = -1; 1271 options->request_tty = -1;
1272 options->ignored_unknown = NULL;
1261} 1273}
1262 1274
1263/* 1275/*
@@ -1268,8 +1280,6 @@ initialize_options(Options * options)
1268void 1280void
1269fill_default_options(Options * options) 1281fill_default_options(Options * options)
1270{ 1282{
1271 int len;
1272
1273 if (options->forward_agent == -1) 1283 if (options->forward_agent == -1)
1274 options->forward_agent = 0; 1284 options->forward_agent = 0;
1275 if (options->forward_x11 == -1) 1285 if (options->forward_x11 == -1)
@@ -1381,6 +1391,8 @@ fill_default_options(Options * options)
1381 options->enable_ssh_keysign = 0; 1391 options->enable_ssh_keysign = 0;
1382 if (options->rekey_limit == -1) 1392 if (options->rekey_limit == -1)
1383 options->rekey_limit = 0; 1393 options->rekey_limit = 0;
1394 if (options->rekey_interval == -1)
1395 options->rekey_interval = 0;
1384 if (options->verify_host_key_dns == -1) 1396 if (options->verify_host_key_dns == -1)
1385 options->verify_host_key_dns = 0; 1397 options->verify_host_key_dns = 0;
1386 if (options->server_alive_interval == -1) 1398 if (options->server_alive_interval == -1)
@@ -1484,7 +1496,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1484 i = 0; /* failure */ 1496 i = 0; /* failure */
1485 } 1497 }
1486 1498
1487 xfree(p); 1499 free(p);
1488 1500
1489 if (dynamicfwd) { 1501 if (dynamicfwd) {
1490 if (!(i == 1 || i == 2)) 1502 if (!(i == 1 || i == 2))
@@ -1510,13 +1522,9 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1510 return (i); 1522 return (i);
1511 1523
1512 fail_free: 1524 fail_free:
1513 if (fwd->connect_host != NULL) { 1525 free(fwd->connect_host);
1514 xfree(fwd->connect_host); 1526 fwd->connect_host = NULL;
1515 fwd->connect_host = NULL; 1527 free(fwd->listen_host);
1516 } 1528 fwd->listen_host = NULL;
1517 if (fwd->listen_host != NULL) {
1518 xfree(fwd->listen_host);
1519 fwd->listen_host = NULL;
1520 }
1521 return (0); 1529 return (0);
1522} 1530}
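diff --git a/readconf.h b/readconf.h
index 0835cb671..675b35dfe 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */
+/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -115,6 +115,7 @@ typedef struct {
 
  int enable_ssh_keysign;
  int64_t rekey_limit;
+ int rekey_interval;
  int no_host_authentication_for_localhost;
  int identities_only;
  int server_alive_interval;
@@ -141,6 +142,8 @@ typedef struct {
  int use_roaming;
 
  int request_tty;
+
+ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 } Options;
 
 #define SSHCTL_MASTER_NO 0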
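Review bot: The new `rekey_interval` member in the second hunk has no comment, unlike `ignored_unknown` added in the third, so its unit and sentinel values have to be recovered from readconf.c. In that file's hunks the field starts at -1 in initialize_options(), is filled through the `parse_time` label, and is set to 0 in fill_default_options() when still -1. A short comment would record this, for example `int rekey_interval; /* -1 = unset; 0 after defaults; time value, presumably seconds */`, with the unit confirmed against the parser. The Options struct begins outside these hunks.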
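diff --git a/readpass.c b/readpass.c
index 599c8ef9a..e37d31158 100644
--- a/readpass.c
+++ b/readpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.48 2010/12/15 00:49:27 djm Exp $ */
+/* $OpenBSD: readpass.c,v 1.49 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  *
@@ -186,7 +186,7 @@ ask_permission(const char *fmt, ...)
  if (*p == '\0' || *p == '\n' ||
  strcasecmp(p, "yes") == 0)
  allowed = 1;
- xfree(p);
+ free(p);
  }
 
  return (allowed);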
diff --git a/regress/Makefile b/regress/Makefile
index 6ef5d9cce..ab2a6ae7b 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $ 1# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
4tests: $(REGRESS_TARGETS) 4tests: $(REGRESS_TARGETS)
@@ -8,6 +8,7 @@ interop interop-tests: t-exec-interop
8 8
9clean: 9clean:
10 for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done 10 for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
11 test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
11 rm -rf $(OBJ).putty 12 rm -rf $(OBJ).putty
12 13
13distclean: clean 14distclean: clean
@@ -38,6 +39,7 @@ LTESTS= connect \
38 key-options \ 39 key-options \
39 scp \ 40 scp \
40 sftp \ 41 sftp \
42 sftp-chroot \
41 sftp-cmds \ 43 sftp-cmds \
42 sftp-badcmds \ 44 sftp-badcmds \
43 sftp-batch \ 45 sftp-batch \
@@ -82,8 +84,11 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
82 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ 84 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
83 key.rsa-* key.dsa-* key.ecdsa-* \ 85 key.rsa-* key.dsa-* key.ecdsa-* \
84 authorized_principals_${USER} expect actual ready \ 86 authorized_principals_${USER} expect actual ready \
85 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* 87 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
88 ssh.log failed-ssh.log sshd.log failed-sshd.log \
89 regress.log failed-regress.log ssh-log-wrapper.sh
86 90
91SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
87 92
88# Enable all malloc(3) randomisations and checks 93# Enable all malloc(3) randomisations and checks
89TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" 94TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
@@ -150,14 +155,14 @@ t-exec: ${LTESTS:=.sh}
150 @if [ "x$?" = "x" ]; then exit 0; fi; \ 155 @if [ "x$?" = "x" ]; then exit 0; fi; \
151 for TEST in ""$?; do \ 156 for TEST in ""$?; do \
152 echo "run test $${TEST}" ... 1>&2; \ 157 echo "run test $${TEST}" ... 1>&2; \
153 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ 158 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
154 done 159 done
155 160
156t-exec-interop: ${INTEROP_TESTS:=.sh} 161t-exec-interop: ${INTEROP_TESTS:=.sh}
157 @if [ "x$?" = "x" ]; then exit 0; fi; \ 162 @if [ "x$?" = "x" ]; then exit 0; fi; \
158 for TEST in ""$?; do \ 163 for TEST in ""$?; do \
159 echo "run test $${TEST}" ... 1>&2; \ 164 echo "run test $${TEST}" ... 1>&2; \
160 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ 165 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
161 done 166 done
162 167
163# Not run by default 168# Not run by default
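Review bot: The line added to the `clean` recipe runs `rm -f` under `${SUDO}` on `${SUDO_CLEAN}`, whose two entries are built from `${USER}` in the `SUDO_CLEAN+=` line further down, and nothing is quoted or checked. A USER value containing whitespace or a path separator, or extra SUDO_CLEAN content inherited from the environment, would change what is removed with elevated privileges; the removal is non-recursive, which limits the effect. I would document the contract next to the assignment, for example `# removed via ${SUDO} rm -f in "clean": fixed absolute paths of test-created files only`. Separately, `${TEST_SHELL}` replaces `sh` in both t-exec rules and no default is visible in these hunks; if none is set elsewhere, `TEST_SHELL?= sh` would keep a bare `make` working.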
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index faf654c04..d5ae2d6e2 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.4 2007/11/25 15:35:09 jmc Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
@@ -18,7 +18,6 @@ if [ -z "$SUDO" ]; then
18 exit 0 18 exit 0
19fi 19fi
20 20
21
22trace "start agent" 21trace "start agent"
23eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null 22eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
24r=$? 23r=$?
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 3a40e7af8..68826594e 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $ 1# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="agent timeout test" 4tid="agent timeout test"
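diff --git a/regress/agent.sh b/regress/agent.sh
index 094cf694b..be7d91334 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent.sh,v 1.7 2007/11/25 15:35:09 jmc Exp $
+# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="simple agent test"
@@ -19,7 +19,7 @@ else
  fail "ssh-add -l did not fail with exit code 1"
  fi
  trace "overwrite authorized keys"
- echon > $OBJ/authorized_keys_$USER
+ printf '' > $OBJ/authorized_keys_$USER
  for t in rsa rsa1; do
  # generate user key for agent
  rm -f $OBJ/$t-agent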
diff --git a/regress/bsd.regress.mk b/regress/bsd.regress.mk
deleted file mode 100644
index 9b8011a01..000000000
--- a/regress/bsd.regress.mk
+++ /dev/null
@@ -1,79 +0,0 @@
1# $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $
2# No man pages for regression tests.
3NOMAN=
4
5# No installation.
6install:
7
8# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG
9.if defined(REGRESSTARGETS) && !defined(PROG)
10NOPROG=
11.endif
12
13.include <bsd.prog.mk>
14
15.MAIN: all
16all: regress
17
18# XXX - Need full path to REGRESSLOG, otherwise there will be much pain.
19
20REGRESSLOG?=/dev/null
21REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///}
22
23.if defined(PROG) && !empty(PROG)
24run-regress-${PROG}: ${PROG}
25 ./${PROG}
26.endif
27
28.if !defined(REGRESSTARGETS)
29REGRESSTARGETS=run-regress-${PROG}
30. if defined(REGRESSSKIP)
31REGRESSSKIPTARGETS=run-regress-${PROG}
32. endif
33.endif
34
35REGRESSSKIPSLOW?=no
36
37#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS)
38
39.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS)
40REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS}
41.endif
42
43.if defined(REGRESSROOTTARGETS)
44ROOTUSER!=id -g
45SUDO?=
46. if (${ROOTUSER} != 0) && empty(SUDO)
47REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS}
48. endif
49.endif
50
51REGRESSSKIPTARGETS?=
52
53regress:
54.for RT in ${REGRESSTARGETS}
55. if ${REGRESSSKIPTARGETS:M${RT}}
56 @echo -n "SKIP " >> ${REGRESSLOG}
57. else
58# XXX - we need a better method to see if a test fails due to timeout or just
59# normal failure.
60. if !defined(REGRESSMAXTIME)
61 @if cd ${.CURDIR} && ${MAKE} ${RT}; then \
62 echo -n "SUCCESS " >> ${REGRESSLOG} ; \
63 else \
64 echo -n "FAIL " >> ${REGRESSLOG} ; \
65 echo FAILED ; \
66 fi
67. else
68 @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \
69 echo -n "SUCCESS " >> ${REGRESSLOG} ; \
70 else \
71 echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \
72 echo FAILED ; \
73 fi
74. endif
75. endif
76 @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG}
77.endfor
78
79.PHONY: regress
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 6216abd87..35cd39293 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -18,8 +18,8 @@ HOSTS='localhost-with-alias,127.0.0.1,::1'
18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ 18${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
19 fail "ssh-keygen of host_ca_key failed" 19 fail "ssh-keygen of host_ca_key failed"
20( 20(
21 echon '@cert-authority ' 21 printf '@cert-authority '
22 echon "$HOSTS " 22 printf "$HOSTS "
23 cat $OBJ/host_ca_key.pub 23 cat $OBJ/host_ca_key.pub
24) > $OBJ/known_hosts-cert 24) > $OBJ/known_hosts-cert
25 25
@@ -66,25 +66,25 @@ done
66 66
67# Revoked certificates with key present 67# Revoked certificates with key present
68( 68(
69 echon '@cert-authority ' 69 printf '@cert-authority '
70 echon "$HOSTS " 70 printf "$HOSTS "
71 cat $OBJ/host_ca_key.pub 71 cat $OBJ/host_ca_key.pub
72 echon '@revoked ' 72 printf '@revoked '
73 echon "* " 73 printf "* "
74 cat $OBJ/cert_host_key_rsa.pub 74 cat $OBJ/cert_host_key_rsa.pub
75 if test "x$TEST_SSH_ECC" = "xyes"; then 75 if test "x$TEST_SSH_ECC" = "xyes"; then
76 echon '@revoked ' 76 printf '@revoked '
77 echon "* " 77 printf "* "
78 cat $OBJ/cert_host_key_ecdsa.pub 78 cat $OBJ/cert_host_key_ecdsa.pub
79 fi 79 fi
80 echon '@revoked ' 80 printf '@revoked '
81 echon "* " 81 printf "* "
82 cat $OBJ/cert_host_key_dsa.pub 82 cat $OBJ/cert_host_key_dsa.pub
83 echon '@revoked ' 83 printf '@revoked '
84 echon "* " 84 printf "* "
85 cat $OBJ/cert_host_key_rsa_v00.pub 85 cat $OBJ/cert_host_key_rsa_v00.pub
86 echon '@revoked ' 86 printf '@revoked '
87 echon "* " 87 printf "* "
88 cat $OBJ/cert_host_key_dsa_v00.pub 88 cat $OBJ/cert_host_key_dsa_v00.pub
89) > $OBJ/known_hosts-cert 89) > $OBJ/known_hosts-cert
90for privsep in yes no ; do 90for privsep in yes no ; do
@@ -108,11 +108,11 @@ done
108 108
109# Revoked CA 109# Revoked CA
110( 110(
111 echon '@cert-authority ' 111 printf '@cert-authority '
112 echon "$HOSTS " 112 printf "$HOSTS "
113 cat $OBJ/host_ca_key.pub 113 cat $OBJ/host_ca_key.pub
114 echon '@revoked ' 114 printf '@revoked '
115 echon "* " 115 printf "* "
116 cat $OBJ/host_ca_key.pub 116 cat $OBJ/host_ca_key.pub
117) > $OBJ/known_hosts-cert 117) > $OBJ/known_hosts-cert
118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
@@ -132,8 +132,8 @@ done
132 132
133# Create a CA key and add it to known hosts 133# Create a CA key and add it to known hosts
134( 134(
135 echon '@cert-authority ' 135 printf '@cert-authority '
136 echon "$HOSTS " 136 printf "$HOSTS "
137 cat $OBJ/host_ca_key.pub 137 cat $OBJ/host_ca_key.pub
138) > $OBJ/known_hosts-cert 138) > $OBJ/known_hosts-cert
139 139
@@ -200,7 +200,7 @@ for v in v01 v00 ; do
200 -n $HOSTS $OBJ/cert_host_key_${ktype} || 200 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
201 fail "couldn't sign cert_host_key_${ktype}" 201 fail "couldn't sign cert_host_key_${ktype}"
202 ( 202 (
203 echon "$HOSTS " 203 printf "$HOSTS "
204 cat $OBJ/cert_host_key_${ktype}.pub 204 cat $OBJ/cert_host_key_${ktype}.pub
205 ) > $OBJ/known_hosts-cert 205 ) > $OBJ/known_hosts-cert
206 ( 206 (
@@ -220,8 +220,8 @@ done
220 220
221# Wrong certificate 221# Wrong certificate
222( 222(
223 echon '@cert-authority ' 223 printf '@cert-authority '
224 echon "$HOSTS " 224 printf "$HOSTS "
225 cat $OBJ/host_ca_key.pub 225 cat $OBJ/host_ca_key.pub
226) > $OBJ/known_hosts-cert 226) > $OBJ/known_hosts-cert
227for v in v01 v00 ; do 227for v in v01 v00 ; do
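Review bot: `printf "$HOSTS "` uses the variable as the format string, so any `%` or backslash in it would be interpreted rather than printed. This applies to every `printf "$HOSTS "` in this file, to `printf "cert-authority${auth_opt} "` in cert-userkey.sh, and to the unquoted `$PORT` spliced into the format in cfgmatch.sh. HOSTS is a fixed literal here (`localhost-with-alias,127.0.0.1,::1`), so the output is unchanged today, but these lines generate known_hosts and authorized_keys content and the pattern is easy to copy into a place where the value is not fixed. Passing the data as an argument avoids the issue: `printf '%s ' "$HOSTS"`.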
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 3bba9f8f2..6018b38f4 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -126,7 +126,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
126 # Wrong principals list 126 # Wrong principals list
127 verbose "$tid: ${_prefix} wrong principals key option" 127 verbose "$tid: ${_prefix} wrong principals key option"
128 ( 128 (
129 echon 'cert-authority,principals="gregorsamsa" ' 129 printf 'cert-authority,principals="gregorsamsa" '
130 cat $OBJ/user_ca_key.pub 130 cat $OBJ/user_ca_key.pub
131 ) > $OBJ/authorized_keys_$USER 131 ) > $OBJ/authorized_keys_$USER
132 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 132 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -138,7 +138,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
138 # Correct principals list 138 # Correct principals list
139 verbose "$tid: ${_prefix} correct principals key option" 139 verbose "$tid: ${_prefix} correct principals key option"
140 ( 140 (
141 echon 'cert-authority,principals="mekmitasdigoat" ' 141 printf 'cert-authority,principals="mekmitasdigoat" '
142 cat $OBJ/user_ca_key.pub 142 cat $OBJ/user_ca_key.pub
143 ) > $OBJ/authorized_keys_$USER 143 ) > $OBJ/authorized_keys_$USER
144 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 144 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -154,7 +154,7 @@ basic_tests() {
154 if test "x$auth" = "xauthorized_keys" ; then 154 if test "x$auth" = "xauthorized_keys" ; then
155 # Add CA to authorized_keys 155 # Add CA to authorized_keys
156 ( 156 (
157 echon 'cert-authority ' 157 printf 'cert-authority '
158 cat $OBJ/user_ca_key.pub 158 cat $OBJ/user_ca_key.pub
159 ) > $OBJ/authorized_keys_$USER 159 ) > $OBJ/authorized_keys_$USER
160 else 160 else
@@ -264,7 +264,7 @@ test_one() {
264 if test "x$auth" = "xauthorized_keys" ; then 264 if test "x$auth" = "xauthorized_keys" ; then
265 # Add CA to authorized_keys 265 # Add CA to authorized_keys
266 ( 266 (
267 echon "cert-authority${auth_opt} " 267 printf "cert-authority${auth_opt} "
268 cat $OBJ/user_ca_key.pub 268 cat $OBJ/user_ca_key.pub
269 ) > $OBJ/authorized_keys_$USER 269 ) > $OBJ/authorized_keys_$USER
270 else 270 else
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 0603fab64..80cf22930 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $ 1# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd_config match" 4tid="sshd_config match"
@@ -15,7 +15,7 @@ start_client()
15 rm -f $pidfile 15 rm -f $pidfile
16 ${SSH} -q -$p $fwd "$@" somehost \ 16 ${SSH} -q -$p $fwd "$@" somehost \
17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ 17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18 >>$TEST_SSH_LOGFILE 2>&1 & 18 >>$TEST_REGRESS_LOGFILE 2>&1 &
19 client_pid=$! 19 client_pid=$!
20 # Wait for remote end 20 # Wait for remote end
21 n=0 21 n=0
@@ -34,21 +34,20 @@ stop_client()
34 pid=`cat $pidfile` 34 pid=`cat $pidfile`
35 if [ ! -z "$pid" ]; then 35 if [ ! -z "$pid" ]; then
36 kill $pid 36 kill $pid
37 sleep 1
38 fi 37 fi
39 wait 38 wait
40} 39}
41 40
42cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 41cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
43grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
44echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
45echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config 42echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
46echo "Match user $USER" >>$OBJ/sshd_proxy
47echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
48echo "Match Address 127.0.0.1" >>$OBJ/sshd_config 43echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
49echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config 44echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
50 45
46grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
51echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy 48echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49echo "Match user $USER" >>$OBJ/sshd_proxy
50echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
52echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy 51echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
53echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy 52echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
54 53
@@ -75,9 +74,9 @@ for p in 1 2; do
75done 74done
76 75
77# Retry previous with key option, should also be denied. 76# Retry previous with key option, should also be denied.
78echon 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER 77printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
79cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER 78cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
80echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER 79printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
81cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER 80cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
82for p in 1 2; do 81for p in 1 2; do
83 trace "match permitopen proxy w/key opts proto $p" 82 trace "match permitopen proxy w/key opts proto $p"
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 65e5f35ec..489d9f5fa 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $ 1# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="cipher speed" 4tid="cipher speed"
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 5b65cd993..199d863a0 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: conch-ciphers.sh,v 1.2 2008/06/30 10:43:03 djm Exp $ 1# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="conch ciphers" 4tid="conch ciphers"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then 6if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
10 echo "conch interop tests not enabled" 7 echo "conch interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index d1ab8059b..42fa8acdc 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,12 +1,10 @@
1# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $ 1# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="dynamic forwarding" 4tid="dynamic forwarding"
5 5
6FWDPORT=`expr $PORT + 1` 6FWDPORT=`expr $PORT + 1`
7 7
8DATA=/bin/ls${EXEEXT}
9
10if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then 8if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
11 proxycmd="nc -x 127.0.0.1:$FWDPORT -X" 9 proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
12elif have_prog connect; then 10elif have_prog connect; then
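diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
index 99e51a60f..44d2b7ffd 100644
--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,13 +1,13 @@
-# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="forced command"
 
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
-echon 'command="true" ' >$OBJ/authorized_keys_$USER
+printf 'command="true" ' >$OBJ/authorized_keys_$USER
 cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'command="true" ' >>$OBJ/authorized_keys_$USER
+printf 'command="true" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 
 for p in 1 2; do
@@ -16,9 +16,9 @@ for p in 1 2; do
  fail "forced command in key proto $p"
 done
 
-echon 'command="false" ' >$OBJ/authorized_keys_$USER
+printf 'command="false" ' >$OBJ/authorized_keys_$USER
 cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'command="false" ' >>$OBJ/authorized_keys_$USER
+printf 'command="false" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy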
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index f9c367beb..94873f22c 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,7 +1,8 @@
1# $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $ 1# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
5
5DATA=/bin/ls${EXEEXT} 6DATA=/bin/ls${EXEEXT}
6 7
7start_sshd 8start_sshd
@@ -26,9 +27,9 @@ for p in 1 2; do
26 27
27 trace "transfer over forwarded channels and check result" 28 trace "transfer over forwarded channels and check result"
28 ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ 29 ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
29 somehost cat $DATA > $OBJ/ls.copy 30 somehost cat ${DATA} > ${COPY}
30 test -f $OBJ/ls.copy || fail "failed copy $DATA" 31 test -f ${COPY} || fail "failed copy of ${DATA}"
31 cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" 32 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
32 33
33 sleep 10 34 sleep 10
34done 35done
@@ -75,7 +76,7 @@ for p in 1 2; do
75 else 76 else
76 # this one should fail 77 # this one should fail
77 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ 78 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
78 2>>$TEST_SSH_LOGFILE && \ 79 >>$TEST_REGRESS_LOGFILE 2>&1 && \
79 fail "local forwarding not cleared" 80 fail "local forwarding not cleared"
80 fi 81 fi
81 sleep 10 82 sleep 10
@@ -88,7 +89,7 @@ for p in 1 2; do
88 else 89 else
89 # this one should fail 90 # this one should fail
90 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ 91 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
91 2>>$TEST_SSH_LOGFILE && \ 92 >>$TEST_REGRESS_LOGFILE 2>&1 && \
92 fail "remote forwarding not cleared" 93 fail "remote forwarding not cleared"
93 fi 94 fi
94 sleep 10 95 sleep 10
@@ -103,3 +104,18 @@ for p in 2; do
103 fail "stdio forwarding proto $p" 104 fail "stdio forwarding proto $p"
104 fi 105 fi
105done 106done
107
108echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
109echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
110for p in 1 2; do
111 trace "config file: start forwarding, fork to background"
112 ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10
113
114 trace "config file: transfer over forwarded channels and check result"
115 ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
116 somehost cat ${DATA} > ${COPY}
117 test -f ${COPY} || fail "failed copy of ${DATA}"
118 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
119
120 wait
121done
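Review bot: In the config-file loop added at the end of the file, `wait` probably returns immediately, because `ssh -f` puts itself in the background and leaves the shell no child to wait for. The second iteration can then start while the first session still holds the `LocalForward`/`RemoteForward` ports, so its transfer may run over the earlier session's forwarding. The earlier loops in this file follow the transfer with `sleep 10`; using the same here, or checking that the listener is gone, would keep the two protocol runs independent. The transfer command also omits `-$p`, so only the forwarding session is pinned to the protocol under test; if that is deliberate, a comment such as `# transfer uses the default protocol; only the forwarding session uses -$p` would say so.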
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 4d46926d5..1d17fe10a 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $ 1# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -21,12 +21,13 @@ config_defined HAVE_EVP_SHA256 &&
21config_defined OPENSSL_HAVE_EVPGCM && \ 21config_defined OPENSSL_HAVE_EVPGCM && \
22 macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" 22 macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
23 23
24# sshd-command for proxy (see test-exec.sh) 24# avoid DH group exchange as the extra traffic makes it harder to get the
25cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" 25# offset into the stream right.
26echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
27 >> $OBJ/ssh_proxy
26 28
27jot() { 29# sshd-command for proxy (see test-exec.sh)
28 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" 30cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
29}
30 31
31for m in $macs; do 32for m in $macs; do
32 trace "test $tid: mac $m" 33 trace "test $tid: mac $m"
@@ -47,14 +48,15 @@ for m in $macs; do
47 aes*gcm*) macopt="-c $m";; 48 aes*gcm*) macopt="-c $m";;
48 *) macopt="-m $m";; 49 *) macopt="-m $m";;
49 esac 50 esac
50 output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 51 verbose "test $tid: $m @$off"
51 999.999.999.999 'printf "%4096s" " "' 2>&1` 52 ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
53 999.999.999.999 'printf "%4096s" " "' >/dev/null
52 if [ $? -eq 0 ]; then 54 if [ $? -eq 0 ]; then
53 fail "ssh -m $m succeeds with bit-flip at $off" 55 fail "ssh -m $m succeeds with bit-flip at $off"
54 fi 56 fi
55 ecnt=`expr $ecnt + 1` 57 ecnt=`expr $ecnt + 1`
56 output=`echo $output | tr -s '\r\n' '.'` 58 output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
57 verbose "test $tid: $m @$off $output" 59 tr -s '\r\n' '.')
58 case "$output" in 60 case "$output" in
59 Bad?packet*) elen=`expr $elen + 1`; skip=3;; 61 Bad?packet*) elen=`expr $elen + 1`; skip=3;;
60 Corrupted?MAC* | Decryption?integrity?check?failed*) 62 Corrupted?MAC* | Decryption?integrity?check?failed*)
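Review bot: The failure classification now depends on `tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug"`, which takes the last two log lines before filtering. If both are debug lines, `output` is empty and the `case` below cannot match `Bad?packet*` or `Corrupted?MAC*`. Filtering first and quoting the path is more robust: `output=$(egrep -v "^debug" "$TEST_SSH_LOGFILE" | tail -2 | tr -s '\r\n' '.')`. The `$(...)` form is also the only command substitution in this hunk not written with backticks (the `expr` line just above uses them), which matters if the suite is still expected to run under older Bourne shells. The `case` statement continues past the end of the hunk.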
diff --git a/regress/keytype.sh b/regress/keytype.sh
index cb40c6864..59586bf0d 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.1 2010/09/02 16:12:55 markus Exp $ 1# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -40,7 +40,7 @@ for ut in $ktypes; do
40 echo IdentityFile $OBJ/key.$ut 40 echo IdentityFile $OBJ/key.$ut
41 ) > $OBJ/ssh_proxy 41 ) > $OBJ/ssh_proxy
42 ( 42 (
43 echon 'localhost-with-alias,127.0.0.1,::1 ' 43 printf 'localhost-with-alias,127.0.0.1,::1 '
44 cat $OBJ/key.$ht.pub 44 cat $OBJ/key.$ht.pub
45 ) > $OBJ/known_hosts 45 ) > $OBJ/known_hosts
46 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER 46 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
diff --git a/regress/krl.sh b/regress/krl.sh
index 62a239c38..de9cc8764 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -39,10 +39,6 @@ serial: 799
39serial: 599-701 39serial: 599-701
40EOF 40EOF
41 41
42jot() {
43 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
44}
45
46# A specification that revokes some certificated by key ID. 42# A specification that revokes some certificated by key ID.
47touch $OBJ/revoked-keyid 43touch $OBJ/revoked-keyid
48for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do 44for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
diff --git a/regress/localcommand.sh b/regress/localcommand.sh
index feade7a9d..8a9b56971 100644
--- a/regress/localcommand.sh
+++ b/regress/localcommand.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: localcommand.sh,v 1.1 2007/10/29 06:57:13 dtucker Exp $ 1# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="localcommand" 4tid="localcommand"
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 55fbb324d..d73923b9c 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $ 1# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect after login grace timeout" 4tid="connect after login grace timeout"
diff --git a/regress/modpipe.c b/regress/modpipe.c
index 9629aa80b..85747cf7d 100755
--- a/regress/modpipe.c
+++ b/regress/modpipe.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16 16
17/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ 17/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
18 18
19#include "includes.h" 19#include "includes.h"
20 20
@@ -25,7 +25,7 @@
25#include <stdarg.h> 25#include <stdarg.h>
26#include <stdlib.h> 26#include <stdlib.h>
27#include <errno.h> 27#include <errno.h>
28#include "openbsd-compat/getopt.c" 28#include "openbsd-compat/getopt_long.c"
29 29
30static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); 30static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
31static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); 31static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 1e6cc7606..3e697e691 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $ 1# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -10,8 +10,7 @@ if config_defined DISABLE_FD_PASSING ; then
10 exit 0 10 exit 0
11fi 11fi
12 12
13DATA=/bin/ls${EXEEXT} 13P=3301 # test port
14COPY=$OBJ/ls.copy
15 14
16wait_for_mux_master_ready() 15wait_for_mux_master_ready()
17{ 16{
@@ -25,10 +24,16 @@ wait_for_mux_master_ready()
25 24
26start_sshd 25start_sshd
27 26
28trace "start master, fork to background" 27start_mux_master()
29${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & 28{
30MASTER_PID=$! 29 trace "start master, fork to background"
31wait_for_mux_master_ready 30 ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
31 -E $TEST_REGRESS_LOGFILE 2>&1 &
32 MASTER_PID=$!
33 wait_for_mux_master_ready
34}
35
36start_mux_master
32 37
33verbose "test $tid: envpass" 38verbose "test $tid: envpass"
34trace "env passing over multiplexed connection" 39trace "env passing over multiplexed connection"
@@ -55,13 +60,13 @@ cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
55rm -f ${COPY} 60rm -f ${COPY}
56trace "sftp transfer over multiplexed connection and check result" 61trace "sftp transfer over multiplexed connection and check result"
57echo "get ${DATA} ${COPY}" | \ 62echo "get ${DATA} ${COPY}" | \
58 ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_SSH_LOGFILE 2>&1 63 ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1
59test -f ${COPY} || fail "sftp: failed copy ${DATA}" 64test -f ${COPY} || fail "sftp: failed copy ${DATA}"
60cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" 65cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
61 66
62rm -f ${COPY} 67rm -f ${COPY}
63trace "scp transfer over multiplexed connection and check result" 68trace "scp transfer over multiplexed connection and check result"
64${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_SSH_LOGFILE 2>&1 69${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
65test -f ${COPY} || fail "scp: failed copy ${DATA}" 70test -f ${COPY} || fail "scp: failed copy ${DATA}"
66cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" 71cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
67 72
@@ -87,11 +92,31 @@ for s in 0 1 4 5 44; do
87done 92done
88 93
89verbose "test $tid: cmd check" 94verbose "test $tid: cmd check"
90${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \ 95${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
91 || fail "check command failed" 96 || fail "check command failed"
92 97
98verbose "test $tid: cmd forward local"
99${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
100 || fail "request local forward failed"
101${SSH} -F $OBJ/ssh_config -p$P otherhost true \
102 || fail "connect to local forward port failed"
103${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
104 || fail "cancel local forward failed"
105${SSH} -F $OBJ/ssh_config -p$P otherhost true \
106 && fail "local forward port still listening"
107
108verbose "test $tid: cmd forward remote"
109${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
110 || fail "request remote forward failed"
111${SSH} -F $OBJ/ssh_config -p$P otherhost true \
112 || fail "connect to remote forwarded port failed"
113${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
114 || fail "cancel remote forward failed"
115${SSH} -F $OBJ/ssh_config -p$P otherhost true \
116 && fail "remote forward port still listening"
117
93verbose "test $tid: cmd exit" 118verbose "test $tid: cmd exit"
94${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ 119${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
95 || fail "send exit command failed" 120 || fail "send exit command failed"
96 121
97# Wait for master to exit 122# Wait for master to exit
@@ -101,15 +126,13 @@ kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
101# Restart master and test -O stop command with master using -N 126# Restart master and test -O stop command with master using -N
102verbose "test $tid: cmd stop" 127verbose "test $tid: cmd stop"
103trace "restart master, fork to background" 128trace "restart master, fork to background"
104${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & 129start_mux_master
105MASTER_PID=$!
106wait_for_mux_master_ready
107 130
108# start a long-running command then immediately request a stop 131# start a long-running command then immediately request a stop
109${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ 132${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
110 >>$TEST_SSH_LOGFILE 2>&1 & 133 >>$TEST_REGRESS_LOGFILE 2>&1 &
111SLEEP_PID=$! 134SLEEP_PID=$!
112${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ 135${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
113 || fail "send stop command failed" 136 || fail "send stop command failed"
114 137
115# wait until both long-running command and master have exited. 138# wait until both long-running command and master have exited.
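Review bot: The new `cmd forward local` and `cmd forward remote` checks depend on the hard-coded `P=3301` being free, and nothing verifies that before `-Oforward` is requested, so an unrelated listener on that port fails the test for reasons that have nothing to do with the mux master. Consider making the port overridable from the environment and asserting up front that nothing answers on it, reusing the negative probe the test already has: `${SSH} -F $OBJ/ssh_config -p$P otherhost true && fatal "port $P already in use"`. Unlike the neighbouring `-Ocheck` and `-Oexit` calls, the eight new ssh invocations also omit `>>$TEST_REGRESS_LOGFILE 2>&1`, so their diagnostics are not kept with the rest of the test log.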
diff --git a/regress/portnum.sh b/regress/portnum.sh
index 1de0680fe..c56b869a3 100644
--- a/regress/portnum.sh
+++ b/regress/portnum.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: portnum.sh,v 1.1 2009/08/13 00:57:17 djm Exp $ 1# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="port number parsing" 4tid="port number parsing"
diff --git a/regress/proto-version.sh b/regress/proto-version.sh
index 1651a69e1..b876dd7ec 100644
--- a/regress/proto-version.sh
+++ b/regress/proto-version.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ 1# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd version with different protocol combinations" 4tid="sshd version with different protocol combinations"
@@ -8,7 +8,7 @@ check_version ()
8{ 8{
9 version=$1 9 version=$1
10 expect=$2 10 expect=$2
11 banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` 11 banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
12 case ${banner} in 12 case ${banner} in
13 SSH-1.99-*) 13 SSH-1.99-*)
14 proto=199 14 proto=199
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index 6a36b2513..76e602dd6 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,8 +1,9 @@
1# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $ 1# $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="proxy connect" 4tid="proxy connect"
5 5
6verbose "plain username"
6for p in 1 2; do 7for p in 1 2; do
7 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true 8 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
8 if [ $? -ne 0 ]; then 9 if [ $? -ne 0 ]; then
@@ -16,3 +17,10 @@ for p in 1 2; do
16 fail "bad SSH_CONNECTION" 17 fail "bad SSH_CONNECTION"
17 fi 18 fi
18done 19done
20
21verbose "username with style"
22for p in 1 2; do
23 ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
24 fail "ssh proxyconnect protocol $p failed"
25done
26
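Review bot: The `username with style` loop only checks the exit status of `true`, so it would still pass if the `:style` suffix were mis-parsed and the session ran under an account name other than `${USER}`. Running a command that reports the login name and comparing it would pin the behaviour being tested, e.g. `u=$(${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 id -un)` followed by `[ "$u" = "$USER" ] || fail "style: unexpected user $u, protocol $p"`. The failure text `ssh proxyconnect protocol $p failed` also does not say that the style case tripped.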
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 928ea60d2..724a98cc1 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: putty-ciphers.sh,v 1.3 2008/11/10 02:06:35 djm Exp $ 1# $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty ciphers" 4tid="putty ciphers"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then 6if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
10 echo "putty interop tests not enabled" 7 echo "putty interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 293885a8a..1844d6599 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: putty-kex.sh,v 1.2 2008/06/30 10:31:11 djm Exp $ 1# $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty KEX" 4tid="putty KEX"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then 6if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
10 echo "putty interop tests not enabled" 7 echo "putty interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 9e1e1550a..aec0e04ee 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: putty-transfer.sh,v 1.2 2008/06/30 10:31:11 djm Exp $ 1# $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty transfer data" 4tid="putty transfer data"
5 5
6DATA=/bin/ls
7COPY=${OBJ}/copy
8
9if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then 6if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
10 echo "putty interop tests not enabled" 7 echo "putty interop tests not enabled"
11 exit 0 8 exit 0
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 9464eb699..433573f06 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,12 +1,10 @@
1# $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $ 1# $OpenBSD: reexec.sh,v 1.7 2013/05/17 10:23:52 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="reexec tests" 4tid="reexec tests"
5 5
6DATA=/bin/ls${EXEEXT} 6SSHD_ORIG=$SSHD
7COPY=${OBJ}/copy 7SSHD_COPY=$OBJ/sshd
8SSHD_ORIG=$SSHD${EXEEXT}
9SSHD_COPY=$OBJ/sshd${EXEEXT}
10 8
11# Start a sshd and then delete it 9# Start a sshd and then delete it
12start_sshd_copy () 10start_sshd_copy ()
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 3c5f266fc..8eb7efaf9 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,23 +1,18 @@
1# $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $ 1# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="rekey during transfer data" 4tid="rekey"
5 5
6DATA=${OBJ}/data 6LOG=${TEST_SSH_LOGFILE}
7COPY=${OBJ}/copy
8LOG=${OBJ}/log
9 7
10rm -f ${COPY} ${LOG} ${DATA} 8rm -f ${LOG}
11touch ${DATA}
12dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
13 9
14for s in 16 1k 128k 256k; do 10for s in 16 1k 128k 256k; do
15 trace "rekeylimit ${s}" 11 verbose "client rekeylimit ${s}"
16 rm -f ${COPY} 12 rm -f ${COPY} ${LOG}
17 cat $DATA | \ 13 cat $DATA | \
18 ${SSH} -oCompression=no -oRekeyLimit=$s \ 14 ${SSH} -oCompression=no -oRekeyLimit=$s \
19 -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \ 15 -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
20 2> ${LOG}
21 if [ $? -ne 0 ]; then 16 if [ $? -ne 0 ]; then
22 fail "ssh failed" 17 fail "ssh failed"
23 fi 18 fi
@@ -29,4 +24,86 @@ for s in 16 1k 128k 256k; do
29 fail "no rekeying occured" 24 fail "no rekeying occured"
30 fi 25 fi
31done 26done
32rm -f ${COPY} ${LOG} ${DATA} 27
28for s in 5 10; do
29 verbose "client rekeylimit default ${s}"
30 rm -f ${COPY} ${LOG}
31 cat $DATA | \
32 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
33 $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
34 if [ $? -ne 0 ]; then
35 fail "ssh failed"
36 fi
37 cmp $DATA ${COPY} || fail "corrupted copy"
38 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
39 n=`expr $n - 1`
40 trace "$n rekeying(s)"
41 if [ $n -lt 1 ]; then
42 fail "no rekeying occured"
43 fi
44done
45
46for s in 5 10; do
47 verbose "client rekeylimit default ${s} no data"
48 rm -f ${COPY} ${LOG}
49 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
50 $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
51 if [ $? -ne 0 ]; then
52 fail "ssh failed"
53 fi
54 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
55 n=`expr $n - 1`
56 trace "$n rekeying(s)"
57 if [ $n -lt 1 ]; then
58 fail "no rekeying occured"
59 fi
60done
61
62echo "rekeylimit default 5" >>$OBJ/sshd_proxy
63for s in 5 10; do
64 verbose "server rekeylimit default ${s} no data"
65 rm -f ${COPY} ${LOG}
66 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
67 if [ $? -ne 0 ]; then
68 fail "ssh failed"
69 fi
70 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
71 n=`expr $n - 1`
72 trace "$n rekeying(s)"
73 if [ $n -lt 1 ]; then
74 fail "no rekeying occured"
75 fi
76done
77
78verbose "rekeylimit parsing"
79for size in 16 1k 1K 1m 1M 1g 1G; do
80 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
81 case $size in
82 16) bytes=16 ;;
83 1k|1K) bytes=1024 ;;
84 1m|1M) bytes=1048576 ;;
85 1g|1G) bytes=1073741824 ;;
86 esac
87 case $time in
88 1) seconds=1 ;;
89 1m|1M) seconds=60 ;;
90 1h|1H) seconds=3600 ;;
91 1d|1D) seconds=86400 ;;
92 1w|1W) seconds=604800 ;;
93 esac
94
95 b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
96 awk '/rekeylimit/{print $2}'`
97 s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
98 awk '/rekeylimit/{print $3}'`
99
100 if [ "$bytes" != "$b" ]; then
101 fatal "rekeylimit size: expected $bytes got $b"
102 fi
103 if [ "$seconds" != "$s" ]; then
104 fatal "rekeylimit time: expected $time got $s"
105 fi
106 done
107done
108
109rm -f ${COPY} ${DATA}
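Review bot: In the `rekeylimit parsing` loop the time mismatch message prints the input token instead of the expected value: `fatal "rekeylimit time: expected $time got $s"` should read `expected $seconds`, matching the size branch, which prints `$bytes`. Separately, `LOG=${TEST_SSH_LOGFILE}` followed by `rm -f ${LOG}` now deletes whatever path the caller exported. test-exec.sh truncates the same file with `>$TEST_SSH_LOGFILE`, and doing likewise here (`rm -f ${COPY}; >${LOG}`) stays harmless if the variable points at a device node such as the former default /dev/null. The loops that dropped `-v` still grep `${LOG}` for `NEWKEYS sent`, which presumably needs a debug log level configured in ssh_proxy; worth confirming.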
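diff --git a/regress/runtests.sh b/regress/runtests.sh
deleted file mode 100755
index 9808eb8a7..000000000
--- a/regress/runtests.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-TEST_SSH_SSH=../ssh
-TEST_SSH_SSHD=../sshd
-TEST_SSH_SSHAGENT=../ssh-agent
-TEST_SSH_SSHADD=../ssh-add
-TEST_SSH_SSHKEYGEN=../ssh-keygen
-TEST_SSH_SSHKEYSCAN=../ssh-keyscan
-TEST_SSH_SFTP=../sftp
-TEST_SSH_SFTPSERVER=../sftp-server
-
-pmake
-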
diff --git a/regress/scp.sh b/regress/scp.sh
index c5d412dd9..29c5b35d4 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $ 1# $OpenBSD: scp.sh,v 1.9 2013/05/17 10:35:43 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="scp" 4tid="scp"
@@ -12,8 +12,6 @@ else
12 DIFFOPT="-r" 12 DIFFOPT="-r"
13fi 13fi
14 14
15DATA=/bin/ls${EXEEXT}
16COPY=${OBJ}/copy
17COPY2=${OBJ}/copy2 15COPY2=${OBJ}/copy2
18DIR=${COPY}.dd 16DIR=${COPY}.dd
19DIR2=${COPY}.dd2 17DIR2=${COPY}.dd2
diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh
index 08009f26b..7f85c4f22 100644
--- a/regress/sftp-badcmds.sh
+++ b/regress/sftp-badcmds.sh
@@ -1,12 +1,10 @@
1# $OpenBSD: sftp-badcmds.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ 1# $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sftp invalid commands" 4tid="sftp invalid commands"
5 5
6DATA=/bin/ls${EXEEXT}
7DATA2=/bin/sh${EXEEXT} 6DATA2=/bin/sh${EXEEXT}
8NONEXIST=/NONEXIST.$$ 7NONEXIST=/NONEXIST.$$
9COPY=${OBJ}/copy
10GLOBFILES=`(cd /bin;echo l*)` 8GLOBFILES=`(cd /bin;echo l*)`
11 9
12rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd 10rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh
index a51ef0782..41011549b 100644
--- a/regress/sftp-batch.sh
+++ b/regress/sftp-batch.sh
@@ -1,10 +1,8 @@
1# $OpenBSD: sftp-batch.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ 1# $OpenBSD: sftp-batch.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sftp batchfile" 4tid="sftp batchfile"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8BATCH=${OBJ}/sftp.bb 6BATCH=${OBJ}/sftp.bb
9 7
10rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* 8rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
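diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
new file mode 100644
index 000000000..03b9bc6d7
--- /dev/null
+++ b/regress/sftp-chroot.sh
@@ -0,0 +1,25 @@
+# $OpenBSD: sftp-chroot.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sftp in chroot"
+
+CHROOT=/var/run
+FILENAME=testdata_${USER}
+PRIVDATA=${CHROOT}/${FILENAME}
+
+if [ -z "$SUDO" ]; then
+ echo "skipped: need SUDO to create file in /var/run, test won't work without"
+ exit 0
+fi
+
+$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
+ fatal "create $PRIVDATA failed"
+
+start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /"
+
+verbose "test $tid: get"
+${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \
+ fatal "Fetch ${FILENAME} failed"
+cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ"
+
+$SUDO rm $PRIVDATA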
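Review bot: `$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA"` builds a root shell command from `${USER}` without quoting and redirects into a fixed name under /var/run, so an unusual USER value, or a file or symlink already at that name, is acted on with root privileges. Passing the path as an argument avoids the second parse: `$SUDO sh -c 'echo mekmitastdigoat > "$1"' sh "$PRIVDATA"`. The file is also left behind when the fetch hits `fatal`, because `$SUDO rm $PRIVDATA` is only reached on the non-fatal path; `$SUDO rm -f "$PRIVDATA"` before that `fatal` would cover it. Finally, the test only shows that a file inside `$CHROOT` can be fetched; a companion check that a path outside the chroot is refused would exercise the confinement itself.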
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh
index 2e0300e16..aad7fcac2 100644
--- a/regress/sftp-cmds.sh
+++ b/regress/sftp-cmds.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: sftp-cmds.sh,v 1.12 2012/06/01 00:52:52 djm Exp $ 1# $OpenBSD: sftp-cmds.sh,v 1.14 2013/06/21 02:26:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4# XXX - TODO: 4# XXX - TODO:
@@ -7,8 +7,6 @@
7 7
8tid="sftp commands" 8tid="sftp commands"
9 9
10DATA=/bin/ls${EXEEXT}
11COPY=${OBJ}/copy
12# test that these files are readable! 10# test that these files are readable!
13for i in `(cd /bin;echo l*)` 11for i in `(cd /bin;echo l*)`
14do 12do
@@ -108,7 +106,7 @@ rm -f ${COPY}.dd/*
108verbose "$tid: get to directory" 106verbose "$tid: get to directory"
109echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 107echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
110 || fail "get failed" 108 || fail "get failed"
111cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" 109cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
112 110
113rm -f ${COPY}.dd/* 111rm -f ${COPY}.dd/*
114verbose "$tid: glob get to directory" 112verbose "$tid: glob get to directory"
@@ -122,7 +120,7 @@ rm -f ${COPY}.dd/*
122verbose "$tid: get to local dir" 120verbose "$tid: get to local dir"
123(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 121(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
124 || fail "get failed" 122 || fail "get failed"
125cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" 123cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
126 124
127rm -f ${COPY}.dd/* 125rm -f ${COPY}.dd/*
128verbose "$tid: glob get to local dir" 126verbose "$tid: glob get to local dir"
@@ -156,7 +154,7 @@ rm -f ${COPY}.dd/*
156verbose "$tid: put to directory" 154verbose "$tid: put to directory"
157echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 155echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
158 || fail "put failed" 156 || fail "put failed"
159cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" 157cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
160 158
161rm -f ${COPY}.dd/* 159rm -f ${COPY}.dd/*
162verbose "$tid: glob put to directory" 160verbose "$tid: glob put to directory"
@@ -170,7 +168,7 @@ rm -f ${COPY}.dd/*
170verbose "$tid: put to local dir" 168verbose "$tid: put to local dir"
171(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 169(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
172 || fail "put failed" 170 || fail "put failed"
173cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" 171cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
174 172
175rm -f ${COPY}.dd/* 173rm -f ${COPY}.dd/*
176verbose "$tid: glob put to local dir" 174verbose "$tid: glob put to local dir"
diff --git a/regress/sftp.sh b/regress/sftp.sh
index f84fa6f4e..b8e9f7527 100644
--- a/regress/sftp.sh
+++ b/regress/sftp.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: sftp.sh,v 1.3 2009/08/13 01:11:55 djm Exp $ 1# $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="basic sftp put/get" 4tid="basic sftp put/get"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8
9SFTPCMDFILE=${OBJ}/batch 6SFTPCMDFILE=${OBJ}/batch
10cat >$SFTPCMDFILE <<EOF 7cat >$SFTPCMDFILE <<EOF
11version 8version
diff --git a/regress/ssh-com-client.sh b/regress/ssh-com-client.sh
index 324a0a723..e4f80cf0a 100644
--- a/regress/ssh-com-client.sh
+++ b/regress/ssh-com-client.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $ 1# $OpenBSD: ssh-com-client.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect with ssh.com client" 4tid="connect with ssh.com client"
@@ -67,10 +67,6 @@ EOF
67# we need a real server (no ProxyConnect option) 67# we need a real server (no ProxyConnect option)
68start_sshd 68start_sshd
69 69
70DATA=/bin/ls${EXEEXT}
71COPY=${OBJ}/copy
72rm -f ${COPY}
73
74# go for it 70# go for it
75for v in ${VERSIONS}; do 71for v in ${VERSIONS}; do
76 ssh2=${TEST_COMBASE}/${v}/ssh2 72 ssh2=${TEST_COMBASE}/${v}/ssh2
diff --git a/regress/ssh-com-sftp.sh b/regress/ssh-com-sftp.sh
index be6f4e0dc..fabfa4983 100644
--- a/regress/ssh-com-sftp.sh
+++ b/regress/ssh-com-sftp.sh
@@ -1,10 +1,8 @@
1# $OpenBSD: ssh-com-sftp.sh,v 1.6 2009/08/20 18:43:07 djm Exp $ 1# $OpenBSD: ssh-com-sftp.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="basic sftp put/get with ssh.com server" 4tid="basic sftp put/get with ssh.com server"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8SFTPCMDFILE=${OBJ}/batch 6SFTPCMDFILE=${OBJ}/batch
9 7
10cat >$SFTPCMDFILE <<EOF 8cat >$SFTPCMDFILE <<EOF
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh
index 7bcd85b65..6c5cfe888 100644
--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $ 1# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect to ssh.com server" 4tid="connect to ssh.com server"
@@ -70,7 +70,7 @@ done
70 70
71# convert and append DSA hostkey 71# convert and append DSA hostkey
72( 72(
73 echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' 73 printf 'ssh2-localhost-with-alias,127.0.0.1,::1 '
74 ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub 74 ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
75) >> $OBJ/known_hosts 75) >> $OBJ/known_hosts
76 76
diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh
index c7a5ef3a6..a9386be4d 100644
--- a/regress/sshd-log-wrapper.sh
+++ b/regress/sshd-log-wrapper.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $ 2# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $
3# Placed in the Public Domain. 3# Placed in the Public Domain.
4# 4#
5# simple wrapper for sshd proxy mode to catch stderr output 5# simple wrapper for sshd proxy mode to catch stderr output
@@ -10,4 +10,4 @@ log=$2
10shift 10shift
11shift 11shift
12 12
13exec $sshd $@ -e 2>>$log 13exec $sshd -E$log $@
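Review bot: The new `exec $sshd -E$log $@` leaves `$sshd`, `$log` and `$@` unquoted, so an sshd option or log path containing whitespace or glob characters is re-split before sshd sees it. The ssh-side wrapper generated in test-exec.sh already passes `"$@"` quoted, and this one should match: `exec "$sshd" -E"$log" "$@"`. With `-E`, presumably only sshd's own logging reaches the file, whereas the old `2>>$log` also caught anything else written to stderr; if that loss is intended, the header comment "catch stderr output" should be updated to say so.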
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh
index 05a5ea56d..218ac6b68 100644
--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -1,29 +1,13 @@
1# $OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $ 1# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="stderr data after eof" 4tid="stderr data after eof"
5 5
6DATA=/etc/motd
7DATA=${OBJ}/data
8COPY=${OBJ}/copy
9
10if have_prog md5sum; then
11 CHECKSUM=md5sum
12elif have_prog openssl; then
13 CHECKSUM="openssl md5"
14elif have_prog cksum; then
15 CHECKSUM=cksum
16elif have_prog sum; then
17 CHECKSUM=sum
18else
19 fatal "No checksum program available, aborting $tid test"
20fi
21
22# setup data 6# setup data
23rm -f ${DATA} ${COPY} 7rm -f ${DATA} ${COPY}
24cp /dev/null ${DATA} 8cp /dev/null ${DATA}
25for i in 1 2 3 4 5 6; do 9for i in 1 2 3 4 5 6; do
26 (date;echo $i) | $CHECKSUM >> ${DATA} 10 (date;echo $i) | md5 >> ${DATA}
27done 11done
28 12
29${SSH} -2 -F $OBJ/ssh_proxy otherhost \ 13${SSH} -2 -F $OBJ/ssh_proxy otherhost \
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh
index 1daf79bb5..b0bd2355c 100644
--- a/regress/stderr-data.sh
+++ b/regress/stderr-data.sh
@@ -1,12 +1,8 @@
1# $OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $ 1# $OpenBSD: stderr-data.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="stderr data transfer" 4tid="stderr data transfer"
5 5
6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy
8rm -f ${COPY}
9
10for n in '' -n; do 6for n in '' -n; do
11for p in 1 2; do 7for p in 1 2; do
12 verbose "test $tid: proto $p ($n)" 8 verbose "test $tid: proto $p ($n)"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index aa4e6e5c0..eee446264 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.37 2010/02/24 06:21:56 djm Exp $ 1# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -136,30 +136,49 @@ case "$SSHD" in
136*) SSHD=`which sshd` ;; 136*) SSHD=`which sshd` ;;
137esac 137esac
138 138
139# Logfiles.
140# SSH_LOGFILE should be the debug output of ssh(1) only
141# SSHD_LOGFILE should be the debug output of sshd(8) only
142# REGRESS_LOGFILE is the output of the test itself stdout and stderr
139if [ "x$TEST_SSH_LOGFILE" = "x" ]; then 143if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
140 TEST_SSH_LOGFILE=/dev/null 144 TEST_SSH_LOGFILE=$OBJ/ssh.log
145fi
146if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then
147 TEST_SSHD_LOGFILE=$OBJ/sshd.log
148fi
149if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then
150 TEST_REGRESS_LOGFILE=$OBJ/regress.log
141fi 151fi
142 152
143# Some data for test copies 153# truncate logfiles
144DATA=$OBJ/testdata 154>$TEST_SSH_LOGFILE
145cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA 155>$TEST_SSHD_LOGFILE
156>$TEST_REGRESS_LOGFILE
157
158# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..."
159# because sftp and scp don't handle spaces in arguments.
160SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh
161echo "#!/bin/sh" > $SSHLOGWRAP
162echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
163
164chmod a+rx $OBJ/ssh-log-wrapper.sh
165SSH="$SSHLOGWRAP"
166
167# Some test data. We make a copy because some tests will overwrite it.
168# The tests may assume that $DATA exists and is writable and $COPY does
169# not exist.
170DATANAME=data
171DATA=$OBJ/${DATANAME}
172cat $SSHD $SSHD $SSHD $SSHD >${DATA}
173chmod u+w ${DATA}
174COPY=$OBJ/copy
175rm -f ${COPY}
146 176
147# these should be used in tests 177# these should be used in tests
148export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 178export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
149#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 179#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
150 180
151# helper 181# Portable specific functions
152echon()
153{
154 if [ "x`echo -n`" = "x" ]; then
155 echo -n "$@"
156 elif [ "x`echo '\c'`" = "x" ]; then
157 echo "$@\c"
158 else
159 fatal "Don't know how to echo without newline."
160 fi
161}
162
163have_prog() 182have_prog()
164{ 183{
165 saved_IFS="$IFS" 184 saved_IFS="$IFS"
@@ -175,6 +194,37 @@ have_prog()
175 return 1 194 return 1
176} 195}
177 196
197jot() {
198 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
199}
200
201# Check whether preprocessor symbols are defined in config.h.
202config_defined ()
203{
204 str=$1
205 while test "x$2" != "x" ; do
206 str="$str|$2"
207 shift
208 done
209 egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
210}
211
212md5 () {
213 if have_prog md5sum; then
214 md5sum
215 elif have_prog openssl; then
216 openssl md5
217 elif have_prog cksum; then
218 cksum
219 elif have_prog sum; then
220 sum
221 else
222 wc -c
223 fi
224}
225# End of portable specific functions
226
227# helper
178cleanup () 228cleanup ()
179{ 229{
180 if [ -f $PIDFILE ]; then 230 if [ -f $PIDFILE ]; then
@@ -199,9 +249,26 @@ cleanup ()
199 fi 249 fi
200} 250}
201 251
252start_debug_log ()
253{
254 echo "trace: $@" >$TEST_REGRESS_LOGFILE
255 echo "trace: $@" >$TEST_SSH_LOGFILE
256 echo "trace: $@" >$TEST_SSHD_LOGFILE
257}
258
259save_debug_log ()
260{
261 echo $@ >>$TEST_REGRESS_LOGFILE
262 echo $@ >>$TEST_SSH_LOGFILE
263 echo $@ >>$TEST_SSHD_LOGFILE
264 (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log
265 (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log
266 (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log
267}
268
202trace () 269trace ()
203{ 270{
204 echo "trace: $@" >>$TEST_SSH_LOGFILE 271 start_debug_log $@
205 if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then 272 if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
206 echo "$@" 273 echo "$@"
207 fi 274 fi
@@ -209,7 +276,7 @@ trace ()
209 276
210verbose () 277verbose ()
211{ 278{
212 echo "verbose: $@" >>$TEST_SSH_LOGFILE 279 start_debug_log $@
213 if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then 280 if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
214 echo "$@" 281 echo "$@"
215 fi 282 fi
@@ -223,31 +290,21 @@ warn ()
223 290
224fail () 291fail ()
225{ 292{
226 echo "FAIL: $@" >>$TEST_SSH_LOGFILE 293 save_debug_log "FAIL: $@"
227 RESULT=1 294 RESULT=1
228 echo "$@" 295 echo "$@"
296
229} 297}
230 298
231fatal () 299fatal ()
232{ 300{
233 echo "FATAL: $@" >>$TEST_SSH_LOGFILE 301 save_debug_log "FATAL: $@"
234 echon "FATAL: " 302 printf "FATAL: "
235 fail "$@" 303 fail "$@"
236 cleanup 304 cleanup
237 exit $RESULT 305 exit $RESULT
238} 306}
239 307
240# Check whether preprocessor symbols are defined in config.h.
241config_defined ()
242{
243 str=$1
244 while test "x$2" != "x" ; do
245 str="$str|$2"
246 shift
247 done
248 egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
249}
250
251RESULT=0 308RESULT=0
252PIDFILE=$OBJ/pidfile 309PIDFILE=$OBJ/pidfile
253 310
@@ -263,7 +320,7 @@ cat << EOF > $OBJ/sshd_config
263 #ListenAddress ::1 320 #ListenAddress ::1
264 PidFile $PIDFILE 321 PidFile $PIDFILE
265 AuthorizedKeysFile $OBJ/authorized_keys_%u 322 AuthorizedKeysFile $OBJ/authorized_keys_%u
266 LogLevel VERBOSE 323 LogLevel DEBUG3
267 AcceptEnv _XXX_TEST_* 324 AcceptEnv _XXX_TEST_*
268 AcceptEnv _XXX_TEST 325 AcceptEnv _XXX_TEST
269 Subsystem sftp $SFTPSERVER 326 Subsystem sftp $SFTPSERVER
@@ -295,8 +352,10 @@ Host *
295 ChallengeResponseAuthentication no 352 ChallengeResponseAuthentication no
296 HostbasedAuthentication no 353 HostbasedAuthentication no
297 PasswordAuthentication no 354 PasswordAuthentication no
355 RhostsRSAAuthentication no
298 BatchMode yes 356 BatchMode yes
299 StrictHostKeyChecking yes 357 StrictHostKeyChecking yes
358 LogLevel DEBUG3
300EOF 359EOF
301 360
302if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then 361if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
@@ -309,13 +368,15 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
309trace "generate keys" 368trace "generate keys"
310for t in rsa rsa1; do 369for t in rsa rsa1; do
311 # generate user key 370 # generate user key
312 rm -f $OBJ/$t 371 if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then
313 ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\ 372 rm -f $OBJ/$t
314 fail "ssh-keygen for $t failed" 373 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\
374 fail "ssh-keygen for $t failed"
375 fi
315 376
316 # known hosts file for client 377 # known hosts file for client
317 ( 378 (
318 echon 'localhost-with-alias,127.0.0.1,::1 ' 379 printf 'localhost-with-alias,127.0.0.1,::1 '
319 cat $OBJ/$t.pub 380 cat $OBJ/$t.pub
320 ) >> $OBJ/known_hosts 381 ) >> $OBJ/known_hosts
321 382
@@ -370,7 +431,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
370 echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy 431 echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
371 echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy 432 echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
372 echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy 433 echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
373 echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy 434 echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
374 435
375 REGRESS_INTEROP_PUTTY=yes 436 REGRESS_INTEROP_PUTTY=yes
376fi 437fi
@@ -378,7 +439,7 @@ fi
378# create a proxy version of the client config 439# create a proxy version of the client config
379( 440(
380 cat $OBJ/ssh_config 441 cat $OBJ/ssh_config
381 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy 442 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy
382) > $OBJ/ssh_proxy 443) > $OBJ/ssh_proxy
383 444
384# check proxy config 445# check proxy config
@@ -388,7 +449,7 @@ start_sshd ()
388{ 449{
389 # start sshd 450 # start sshd
390 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" 451 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
391 $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSH_LOGFILE 2>&1 452 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE
392 453
393 trace "wait for sshd" 454 trace "wait for sshd"
394 i=0; 455 i=0;
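--- a/regress/transfer.sh
+++ b/regress/transfer.sh
@@ -1,11 +1,8 @@
-# $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $
+# $OpenBSD: transfer.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="transfer data"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
 for p in 1 2; do
  verbose "$tid: proto $p"
  rm -f ${COPY}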
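--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $
+# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="try ciphers"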
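--- a/roaming_client.c
+++ b/roaming_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: roaming_client.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2004-2009 AppGate Network Security AB
  *
@@ -187,10 +187,10 @@ roaming_resume(void)
  debug("server doesn't allow resume");
  goto fail;
  }
- xfree(str);
+ free(str);
  for (i = 1; i < PROPOSAL_MAX; i++) {
  /* kex algorithm taken care of so start with i=1 and not 0 */
- xfree(packet_get_string(&len));
+ free(packet_get_string(&len));
  }
  i = packet_get_char(); /* first_kex_packet_follows */
  if (i && (c = strchr(kexlist, ',')))
@@ -226,8 +226,7 @@ roaming_resume(void)
  return 0;
 
 fail:
- if (kexlist)
- xfree(kexlist);
+ free(kexlist);
  if (packet_get_connection_in() == packet_get_connection_out())
  close(packet_get_connection_in());
  else {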
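--- a/roaming_common.c
+++ b/roaming_common.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */
+/* $OpenBSD: roaming_common.c,v 1.10 2013/07/12 00:19:59 djm Exp $ */
 /*
  * Copyright (c) 2004-2009 AppGate Network Security AB
  *
@@ -227,7 +227,7 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge)
 {
  const EVP_MD *md = EVP_sha1();
  EVP_MD_CTX ctx;
- char hash[EVP_MAX_MD_SIZE];
+ u_char hash[EVP_MAX_MD_SIZE];
  Buffer b;
 
  buffer_init(&b);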
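--- a/rsa.c
+++ b/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: rsa.c,v 1.30 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -96,8 +96,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 
  memset(outbuf, 0, olen);
  memset(inbuf, 0, ilen);
- xfree(outbuf);
- xfree(inbuf);
+ free(outbuf);
+ free(inbuf);
 }
 
 int
@@ -122,8 +122,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
  }
  memset(outbuf, 0, olen);
  memset(inbuf, 0, ilen);
- xfree(outbuf);
- xfree(inbuf);
+ free(outbuf);
+ free(inbuf);
  return len;
 }
 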
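Review bot: The `memset(outbuf, 0, olen)` and `memset(inbuf, 0, ilen)` calls directly before the new `free()` calls in rsa_public_encrypt() and rsa_private_decrypt() are dead stores as far as the compiler is concerned, so an optimising build may drop them and leave RSA input/output bytes in freed heap memory. Since these lines are being touched anyway, the wipes could move to a zeroing primitive that cannot be elided, e.g. `explicit_bzero(outbuf, olen);` where the platform provides it, or a volatile-pointer wrapper elsewhere. The same wipe-then-free pattern appears in this commit's schnorr.c hunks (`bzero(digest, digest_len); free(digest);` and `bzero(grp, sizeof(*grp)); free(grp);`). Both function bodies start outside the hunks shown.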
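--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -91,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
  SC_DENY(open, EACCES),
  SC_ALLOW(getpid),
  SC_ALLOW(gettimeofday),
+ SC_ALLOW(clock_gettime),
 #ifdef __NR_time /* not defined on EABI ARM */
  SC_ALLOW(time),
 #endif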
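Review bot: `SC_ALLOW(clock_gettime)` is added unconditionally, while the `time` entry right below it is wrapped in `#ifdef __NR_time` because not every architecture defines that syscall number. If SC_ALLOW expands to `__NR_clock_gettime` (the macro is defined outside this hunk, so this is inferred), a target without that define would fail to build; wrapping the new line in `#ifdef __NR_clock_gettime` / `#endif` keeps the list consistent. A short comment naming the pre-auth code path that needs clock_gettime would also help, since every entry here widens what the sandboxed pre-auth process may call; the matching `SYS_clock_gettime` entry added to sandbox-systrace.c deserves the same comment. The preauth_insns[] array starts and ends outside the hunk.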
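--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */
+/* $OpenBSD: sandbox-systrace.c,v 1.7 2013/06/01 13:15:52 dtucker Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
  *
@@ -57,6 +57,7 @@ static const struct sandbox_policy preauth_policy[] = {
  { SYS_exit, SYSTR_POLICY_PERMIT },
  { SYS_getpid, SYSTR_POLICY_PERMIT },
  { SYS_gettimeofday, SYSTR_POLICY_PERMIT },
+ { SYS_clock_gettime, SYSTR_POLICY_PERMIT },
  { SYS_madvise, SYSTR_POLICY_PERMIT },
  { SYS_mmap, SYSTR_POLICY_PERMIT },
  { SYS_mprotect, SYSTR_POLICY_PERMIT },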
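--- a/schnorr.c
+++ b/schnorr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: schnorr.c,v 1.5 2010/12/03 23:49:26 djm Exp $ */
+/* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2008 Damien Miller. All rights reserved.
  *
@@ -102,7 +102,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
  out:
  buffer_free(&b);
  bzero(digest, digest_len);
- xfree(digest);
+ free(digest);
  digest_len = 0;
  if (success == 0)
  return h;
@@ -488,12 +488,13 @@ debug3_bn(const BIGNUM *n, const char *fmt, ...)
 {
  char *out, *h;
  va_list args;
+ int ret;
 
  out = NULL;
  va_start(args, fmt);
- vasprintf(&out, fmt, args);
+ ret = vasprintf(&out, fmt, args);
  va_end(args);
- if (out == NULL)
+ if (ret == -1 || out == NULL)
  fatal("%s: vasprintf failed", __func__);
 
  if (n == NULL)
@@ -513,12 +514,13 @@ debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
  char *out, h[65];
  u_int i, j;
  va_list args;
+ int ret;
 
  out = NULL;
  va_start(args, fmt);
- vasprintf(&out, fmt, args);
+ ret = vasprintf(&out, fmt, args);
  va_end(args);
- if (out == NULL)
+ if (ret == -1 || out == NULL)
  fatal("%s: vasprintf failed", __func__);
 
  debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
@@ -571,7 +573,7 @@ modp_group_free(struct modp_group *grp)
  if (grp->q != NULL)
  BN_clear_free(grp->q);
  bzero(grp, sizeof(*grp));
- xfree(grp);
+ free(grp);
 }
 
 /* main() function for self-test */
@@ -606,7 +608,7 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
  if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
  sig, siglen) != 0)
  fatal("%s: verify should have failed (bit error)", __func__);
- xfree(sig);
+ free(sig);
  BN_free(g_x);
  BN_CTX_free(bn_ctx);
 }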
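--- a/scp.0
+++ b/scp.0
@@ -155,4 +155,4 @@ AUTHORS
  Timo Rinne <tri@iki.fi>
  Tatu Ylonen <ylo@cs.hut.fi>
 
-OpenBSD 5.3 September 5, 2011 OpenBSD 5.3
+OpenBSD 5.4 July 16, 2013 OpenBSD 5.4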
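--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May 7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.59 2013/07/16 00:07:52 schwarze Exp $
 .\"
-.Dd $Mdocdate: September 5 2011 $
+.Dd $Mdocdate: July 16 2013 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -235,5 +235,5 @@ is based on the
 program in BSD source code from the Regents of the University of
 California.
 .Sh AUTHORS
-.An Timo Rinne Aq tri@iki.fi
-.An Tatu Ylonen Aq ylo@cs.hut.fi
+.An Timo Rinne Aq Mt tri@iki.fi
+.An Tatu Ylonen Aq Mt ylo@cs.hut.fi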
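--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.178 2013/06/22 06:31:57 djm Exp $ */
 /*
  * scp - secure remote copy. This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -550,6 +550,24 @@ scpio(void *_cnt, size_t s)
  return 0;
 }
 
+static int
+do_times(int fd, int verb, const struct stat *sb)
+{
+ /* strlen(2^64) == 20; strlen(10^6) == 7 */
+ char buf[(20 + 7 + 2) * 2 + 2];
+
+ (void)snprintf(buf, sizeof(buf), "T%llu 0 %llu 0\n",
+ (unsigned long long) (sb->st_mtime < 0 ? 0 : sb->st_mtime),
+ (unsigned long long) (sb->st_atime < 0 ? 0 : sb->st_atime));
+ if (verb) {
+ fprintf(stderr, "File mtime %lld atime %lld\n",
+ (long long)sb->st_mtime, (long long)sb->st_atime);
+ fprintf(stderr, "Sending file timestamps: %s", buf);
+ }
+ (void) atomicio(vwrite, fd, buf, strlen(buf));
+ return (response());
+}
+
 void
 toremote(char *targ, int argc, char **argv)
 {
@@ -578,7 +596,7 @@ toremote(char *targ, int argc, char **argv)
  }
 
  if (tuser != NULL && !okname(tuser)) {
- xfree(arg);
+ free(arg);
  return;
  }
 
@@ -605,13 +623,13 @@ toremote(char *targ, int argc, char **argv)
  *src == '-' ? "-- " : "", src);
  if (do_cmd(host, suser, bp, &remin, &remout) < 0)
  exit(1);
- (void) xfree(bp);
+ free(bp);
  host = cleanhostname(thost);
  xasprintf(&bp, "%s -t %s%s", cmd,
  *targ == '-' ? "-- " : "", targ);
  if (do_cmd2(host, tuser, bp, remin, remout) < 0)
  exit(1);
- (void) xfree(bp);
+ free(bp);
  (void) close(remin);
  (void) close(remout);
  remin = remout = -1;
@@ -662,12 +680,12 @@ toremote(char *targ, int argc, char **argv)
  exit(1);
  if (response() < 0)
  exit(1);
- (void) xfree(bp);
+ free(bp);
  }
  source(1, argv + i);
  }
  }
- xfree(arg);
+ free(arg);
 }
 
 void
@@ -711,11 +729,11 @@ tolocal(int argc, char **argv)
  xasprintf(&bp, "%s -f %s%s",
  cmd, *src == '-' ? "-- " : "", src);
  if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
- (void) xfree(bp);
+ free(bp);
  ++errs;
  continue;
  }
- xfree(bp);
+ free(bp);
  sink(1, argv + argc - 1);
  (void) close(remin);
  remin = remout = -1;
@@ -774,21 +792,7 @@ syserr: run_err("%s: %s", name, strerror(errno));
  ++last;
  curfile = last;
  if (pflag) {
- /*
- * Make it compatible with possible future
- * versions expecting microseconds.
- */
- (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n",
- (u_long) (stb.st_mtime < 0 ? 0 : stb.st_mtime),
- (u_long) (stb.st_atime < 0 ? 0 : stb.st_atime));
- if (verbose_mode) {
- fprintf(stderr, "File mtime %ld atime %ld\n",
- (long)stb.st_mtime, (long)stb.st_atime);
- fprintf(stderr, "Sending file timestamps: %s",
- buf);
- }
- (void) atomicio(vwrite, remout, buf, strlen(buf));
- if (response() < 0)
+ if (do_times(remout, verbose_mode, &stb) < 0)
  goto next;
  }
 #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
@@ -850,7 +854,7 @@ rsource(char *name, struct stat *statp)
 {
  DIR *dirp;
  struct dirent *dp;
- char *last, *vect[1], path[1100];
+ char *last, *vect[1], path[MAXPATHLEN];
 
  if (!(dirp = opendir(name))) {
  run_err("%s: %s", name, strerror(errno));
@@ -862,11 +866,7 @@ rsource(char *name, struct stat *statp)
  else
  last++;
  if (pflag) {
- (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n",
- (u_long) statp->st_mtime,
- (u_long) statp->st_atime);
- (void) atomicio(vwrite, remout, path, strlen(path));
- if (response() < 0) {
+ if (do_times(remout, verbose_mode, statp) < 0) {
  closedir(dirp);
  return;
  }
@@ -912,6 +912,7 @@ sink(int argc, char **argv)
  int amt, exists, first, ofd;
  mode_t mode, omode, mask;
  off_t size, statbytes;
+ unsigned long long ull;
  int setimes, targisdir, wrerrno = 0;
  char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
  struct timeval tv[2];
@@ -970,17 +971,31 @@ sink(int argc, char **argv)
  if (*cp == 'T') {
  setimes++;
  cp++;
- mtime.tv_sec = strtol(cp, &cp, 10);
+ if (!isdigit((unsigned char)*cp))
+ SCREWUP("mtime.sec not present");
+ ull = strtoull(cp, &cp, 10);
  if (!cp || *cp++ != ' ')
  SCREWUP("mtime.sec not delimited");
+ if ((time_t)ull < 0 ||
+ (unsigned long long)(time_t)ull != ull)
+ setimes = 0; /* out of range */
+ mtime.tv_sec = ull;
  mtime.tv_usec = strtol(cp, &cp, 10);
- if (!cp || *cp++ != ' ')
+ if (!cp || *cp++ != ' ' || mtime.tv_usec < 0 ||
+ mtime.tv_usec > 999999)
  SCREWUP("mtime.usec not delimited");
- atime.tv_sec = strtol(cp, &cp, 10);
+ if (!isdigit((unsigned char)*cp))
+ SCREWUP("atime.sec not present");
+ ull = strtoull(cp, &cp, 10);
  if (!cp || *cp++ != ' ')
  SCREWUP("atime.sec not delimited");
+ if ((time_t)ull < 0 ||
+ (unsigned long long)(time_t)ull != ull)
+ setimes = 0; /* out of range */
+ atime.tv_sec = ull;
  atime.tv_usec = strtol(cp, &cp, 10);
- if (!cp || *cp++ != '\0')
+ if (!cp || *cp++ != '\0' || atime.tv_usec < 0 ||
+ atime.tv_usec > 999999)
  SCREWUP("atime.usec not delimited");
  (void) atomicio(vwrite, remout, "", 1);
  continue;
@@ -1023,8 +1038,7 @@ sink(int argc, char **argv)
 
  need = strlen(targ) + strlen(cp) + 250;
  if (need > cursize) {
- if (namebuf)
- xfree(namebuf);
+ free(namebuf);
  namebuf = xmalloc(need);
  cursize = need;
  }
@@ -1063,12 +1077,11 @@ sink(int argc, char **argv)
  }
  if (mod_flag)
  (void) chmod(vect[0], mode);
- if (vect[0])
- xfree(vect[0]);
+ free(vect[0]);
  continue;
  }
  omode = mode;
- mode |= S_IWRITE;
+ mode |= S_IWUSR;
  if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
 bad: run_err("%s: %s", np, strerror(errno));
  continue;
@@ -1325,7 +1338,7 @@ void
 lostconn(int signo)
 {
  if (!iamremote)
- write(STDERR_FILENO, "lost connection\n", 16);
+ (void)write(STDERR_FILENO, "lost connection\n", 16);
  if (signo)
  _exit(1);
  else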
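Review bot: In sink()'s `T` record parsing the two seconds fields now get an `isdigit` guard and a range check, but the two microsecond fields are still read with bare `strtol`, which skips leading whitespace and accepts a sign, so a record supplied by the peer is parsed more leniently there than for the seconds. Adding the same guard before each, `if (!isdigit((unsigned char)*cp)) SCREWUP("mtime.usec not present");` and the atime equivalent, would make all four fields consistent. The new `tv_usec < 0 || tv_usec > 999999` test also reuses the "not delimited" message, so an out-of-range value is reported as a delimiter error; a separate `SCREWUP("mtime.usec out of range");` would make the diagnostic accurate. Out-of-range seconds are handled differently again (`setimes = 0` drops the timestamps without any message), which deserves a one-line comment saying why that case is not fatal. sink() begins and ends outside this hunk.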
diff --git a/servconf.c b/servconf.c
index cdc029308..c938ae399 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -20,6 +20,7 @@
20#include <netinet/in_systm.h> 20#include <netinet/in_systm.h>
21#include <netinet/ip.h> 21#include <netinet/ip.h>
22 22
23#include <ctype.h>
23#include <netdb.h> 24#include <netdb.h>
24#include <pwd.h> 25#include <pwd.h>
25#include <stdio.h> 26#include <stdio.h>
@@ -29,6 +30,9 @@
29#include <unistd.h> 30#include <unistd.h>
30#include <stdarg.h> 31#include <stdarg.h>
31#include <errno.h> 32#include <errno.h>
33#ifdef HAVE_UTIL_H
34#include <util.h>
35#endif
32 36
33#include "openbsd-compat/sys-queue.h" 37#include "openbsd-compat/sys-queue.h"
34#include "xmalloc.h" 38#include "xmalloc.h"
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options)
75 options->address_family = -1; 79 options->address_family = -1;
76 options->num_host_key_files = 0; 80 options->num_host_key_files = 0;
77 options->num_host_cert_files = 0; 81 options->num_host_cert_files = 0;
82 options->host_key_agent = NULL;
78 options->pid_file = NULL; 83 options->pid_file = NULL;
79 options->server_key_bits = -1; 84 options->server_key_bits = -1;
80 options->login_grace_time = -1; 85 options->login_grace_time = -1;
@@ -113,6 +118,8 @@ initialize_server_options(ServerOptions *options)
113 options->permit_user_env = -1; 118 options->permit_user_env = -1;
114 options->use_login = -1; 119 options->use_login = -1;
115 options->compression = -1; 120 options->compression = -1;
121 options->rekey_limit = -1;
122 options->rekey_interval = -1;
116 options->allow_tcp_forwarding = -1; 123 options->allow_tcp_forwarding = -1;
117 options->allow_agent_forwarding = -1; 124 options->allow_agent_forwarding = -1;
118 options->num_allow_users = 0; 125 options->num_allow_users = 0;
@@ -258,6 +265,10 @@ fill_default_server_options(ServerOptions *options)
258 options->use_login = 0; 265 options->use_login = 0;
259 if (options->compression == -1) 266 if (options->compression == -1)
260 options->compression = COMP_DELAYED; 267 options->compression = COMP_DELAYED;
268 if (options->rekey_limit == -1)
269 options->rekey_limit = 0;
270 if (options->rekey_interval == -1)
271 options->rekey_interval = 0;
261 if (options->allow_tcp_forwarding == -1) 272 if (options->allow_tcp_forwarding == -1)
262 options->allow_tcp_forwarding = FORWARD_ALLOW; 273 options->allow_tcp_forwarding = FORWARD_ALLOW;
263 if (options->allow_agent_forwarding == -1) 274 if (options->allow_agent_forwarding == -1)
@@ -329,7 +340,7 @@ typedef enum {
329 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 340 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
330 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 341 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
331 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 342 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
332 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 343 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
333 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 344 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
334 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 345 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
335 sMaxStartups, sMaxAuthTries, sMaxSessions, 346 sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -345,7 +356,7 @@ typedef enum {
345 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 356 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
346 sKexAlgorithms, sIPQoS, sVersionAddendum, 357 sKexAlgorithms, sIPQoS, sVersionAddendum,
347 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 358 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
348 sAuthenticationMethods, 359 sAuthenticationMethods, sHostKeyAgent,
349 sDeprecated, sUnsupported 360 sDeprecated, sUnsupported
350} ServerOpCodes; 361} ServerOpCodes;
351 362
@@ -370,6 +381,7 @@ static struct {
370 { "port", sPort, SSHCFG_GLOBAL }, 381 { "port", sPort, SSHCFG_GLOBAL },
371 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 382 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
372 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 383 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
384 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
373 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 385 { "pidfile", sPidFile, SSHCFG_GLOBAL },
374 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 386 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
375 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 387 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
@@ -443,6 +455,7 @@ static struct {
443 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 455 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
444 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 456 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
445 { "compression", sCompression, SSHCFG_GLOBAL }, 457 { "compression", sCompression, SSHCFG_GLOBAL },
458 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
446 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 459 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
447 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 460 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
448 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 461 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
@@ -530,7 +543,7 @@ derelativise_path(const char *path)
530 if (getcwd(cwd, sizeof(cwd)) == NULL) 543 if (getcwd(cwd, sizeof(cwd)) == NULL)
531 fatal("%s: getcwd: %s", __func__, strerror(errno)); 544 fatal("%s: getcwd: %s", __func__, strerror(errno));
532 xasprintf(&ret, "%s/%s", cwd, expanded); 545 xasprintf(&ret, "%s/%s", cwd, expanded);
533 xfree(expanded); 546 free(expanded);
534 return ret; 547 return ret;
535} 548}
536 549
@@ -822,13 +835,13 @@ process_server_config_line(ServerOptions *options, char *line,
822 struct connection_info *connectinfo) 835 struct connection_info *connectinfo)
823{ 836{
824 char *cp, **charptr, *arg, *p; 837 char *cp, **charptr, *arg, *p;
825 int cmdline = 0, *intptr, value, value2, n; 838 int cmdline = 0, *intptr, value, value2, n, port;
826 SyslogFacility *log_facility_ptr; 839 SyslogFacility *log_facility_ptr;
827 LogLevel *log_level_ptr; 840 LogLevel *log_level_ptr;
828 ServerOpCodes opcode; 841 ServerOpCodes opcode;
829 int port;
830 u_int i, flags = 0; 842 u_int i, flags = 0;
831 size_t len; 843 size_t len;
844 long long val64;
832 const struct multistate *multistate_ptr; 845 const struct multistate *multistate_ptr;
833 846
834 cp = line; 847 cp = line;
@@ -988,6 +1001,17 @@ process_server_config_line(ServerOptions *options, char *line,
988 } 1001 }
989 break; 1002 break;
990 1003
1004 case sHostKeyAgent:
1005 charptr = &options->host_key_agent;
1006 arg = strdelim(&cp);
1007 if (!arg || *arg == '\0')
1008 fatal("%s line %d: missing socket name.",
1009 filename, linenum);
1010 if (*activep && *charptr == NULL)
1011 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1012 xstrdup(arg) : derelativise_path(arg);
1013 break;
1014
991 case sHostCertificate: 1015 case sHostCertificate:
992 intptr = &options->num_host_cert_files; 1016 intptr = &options->num_host_cert_files;
993 if (*intptr >= MAX_HOSTKEYS) 1017 if (*intptr >= MAX_HOSTKEYS)
@@ -1151,6 +1175,37 @@ process_server_config_line(ServerOptions *options, char *line,
1151 multistate_ptr = multistate_compression; 1175 multistate_ptr = multistate_compression;
1152 goto parse_multistate; 1176 goto parse_multistate;
1153 1177
1178 case sRekeyLimit:
1179 arg = strdelim(&cp);
1180 if (!arg || *arg == '\0')
1181 fatal("%.200s line %d: Missing argument.", filename,
1182 linenum);
1183 if (strcmp(arg, "default") == 0) {
1184 val64 = 0;
1185 } else {
1186 if (scan_scaled(arg, &val64) == -1)
1187 fatal("%.200s line %d: Bad number '%s': %s",
1188 filename, linenum, arg, strerror(errno));
1189 /* check for too-large or too-small limits */
1190 if (val64 > UINT_MAX)
1191 fatal("%.200s line %d: RekeyLimit too large",
1192 filename, linenum);
1193 if (val64 != 0 && val64 < 16)
1194 fatal("%.200s line %d: RekeyLimit too small",
1195 filename, linenum);
1196 }
1197 if (*activep && options->rekey_limit == -1)
1198 options->rekey_limit = (u_int32_t)val64;
1199 if (cp != NULL) { /* optional rekey interval present */
1200 if (strcmp(cp, "none") == 0) {
1201 (void)strdelim(&cp); /* discard */
1202 break;
1203 }
1204 intptr = &options->rekey_interval;
1205 goto parse_time;
1206 }
1207 break;
1208
1154 case sGatewayPorts: 1209 case sGatewayPorts:
1155 intptr = &options->gateway_ports; 1210 intptr = &options->gateway_ports;
1156 multistate_ptr = multistate_gatewayports; 1211 multistate_ptr = multistate_gatewayports;
@@ -1704,8 +1759,7 @@ int server_match_spec_complete(struct connection_info *ci)
1704} while (0) 1759} while (0)
1705#define M_CP_STROPT(n) do {\ 1760#define M_CP_STROPT(n) do {\
1706 if (src->n != NULL) { \ 1761 if (src->n != NULL) { \
1707 if (dst->n != NULL) \ 1762 free(dst->n); \
1708 xfree(dst->n); \
1709 dst->n = src->n; \ 1763 dst->n = src->n; \
1710 } \ 1764 } \
1711} while(0) 1765} while(0)
@@ -1751,6 +1805,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1751 M_CP_INTOPT(max_authtries); 1805 M_CP_INTOPT(max_authtries);
1752 M_CP_INTOPT(ip_qos_interactive); 1806 M_CP_INTOPT(ip_qos_interactive);
1753 M_CP_INTOPT(ip_qos_bulk); 1807 M_CP_INTOPT(ip_qos_bulk);
1808 M_CP_INTOPT(rekey_limit);
1809 M_CP_INTOPT(rekey_interval);
1754 1810
1755 /* See comment in servconf.h */ 1811 /* See comment in servconf.h */
1756 COPY_MATCH_STRING_OPTS(); 1812 COPY_MATCH_STRING_OPTS();
@@ -1787,7 +1843,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1787 linenum++, &active, connectinfo) != 0) 1843 linenum++, &active, connectinfo) != 0)
1788 bad_options++; 1844 bad_options++;
1789 } 1845 }
1790 xfree(obuf); 1846 free(obuf);
1791 if (bad_options > 0) 1847 if (bad_options > 0)
1792 fatal("%s: terminating, %d bad configuration options", 1848 fatal("%s: terminating, %d bad configuration options",
1793 filename, bad_options); 1849 filename, bad_options);
@@ -2004,6 +2060,7 @@ dump_config(ServerOptions *o)
2004 dump_cfg_string(sVersionAddendum, o->version_addendum); 2060 dump_cfg_string(sVersionAddendum, o->version_addendum);
2005 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2061 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2006 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2062 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2063 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2007 2064
2008 /* string arguments requiring a lookup */ 2065 /* string arguments requiring a lookup */
2009 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2066 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2042,5 +2099,7 @@ dump_config(ServerOptions *o)
2042 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2099 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2043 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2100 printf("%s\n", iptos2str(o->ip_qos_bulk));
2044 2101
2102 printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
2103
2045 channel_print_adm_permitted_opens(); 2104 channel_print_adm_permitted_opens();
2046} 2105}
diff --git a/servconf.h b/servconf.h
index 06e21a93d..ab6e34669 100644
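--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,6 +65,7 @@ typedef struct {
  int num_host_key_files; /* Number of files for host keys. */
  char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */
  int num_host_cert_files; /* Number of files for host certs. */
+ char *host_key_agent; /* ssh-agent socket for host keys. */
  char *pid_file; /* Where to put our pid */
  int server_key_bits;/* Size of the server key. */
  int login_grace_time; /* Disconnect if no auth in this time
@@ -179,6 +180,9 @@ typedef struct {
  char *authorized_keys_command;
  char *authorized_keys_command_user;
 
+ int64_t rekey_limit;
+ int rekey_interval;
+
  char *version_addendum; /* Appended to SSH banner */
 
  u_int num_auth_methods;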
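Review bot: The new members `int64_t rekey_limit;` and `int rekey_interval;` carry no comment, unlike `host_key_agent` added above them, and their units and sentinel values are not obvious from the declaration. The servconf.c part of this commit compares `rekey_limit` with -1 before assigning it and stores 0 for "default", so I would write `int64_t rekey_limit; /* bytes before rekey; 0 = default, -1 = unset */` and `int rekey_interval; /* time-based rekey interval */`, with the exact semantics to be confirmed against the parser. The 64-bit type also matters in dump_config(), which passes the field to `%lld` without a cast; `(long long)o->rekey_limit` would keep format and argument in agreement where int64_t is not long long.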
diff --git a/serverloop.c b/serverloop.c
index e224bd08a..ccbad617d 100644
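--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.168 2013/07/12 00:19:59 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -148,7 +148,7 @@ static void
 notify_parent(void)
 {
  if (notify_pipe[1] != -1)
- write(notify_pipe[1], "", 1);
+ (void)write(notify_pipe[1], "", 1);
 }
 static void
 notify_prepare(fd_set *readset)
@@ -277,7 +277,7 @@ client_alive_check(void)
  */
 static void
 wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
- u_int *nallocp, u_int max_time_milliseconds)
+ u_int *nallocp, u_int64_t max_time_milliseconds)
 {
  struct timeval tv, *tvp;
  int ret;
@@ -563,7 +563,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  int wait_status; /* Status returned by wait(). */
  pid_t wait_pid; /* pid returned by wait(). */
  int waiting_termination = 0; /* Have displayed waiting close message. */
- u_int max_time_milliseconds;
+ u_int64_t max_time_milliseconds;
  u_int previous_stdout_buffer_bytes;
  u_int stdout_buffer_bytes;
  int type;
@@ -694,7 +694,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  /* Display list of open channels. */
  cp = channel_open_message();
  buffer_append(&stderr_buffer, cp, strlen(cp));
- xfree(cp);
+ free(cp);
  }
  }
  max_fd = MAX(connection_in, connection_out);
@@ -722,10 +722,8 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  /* Process output to the client and to program stdin. */
  process_output(writeset);
  }
- if (readset)
- xfree(readset);
- if (writeset)
- xfree(writeset);
+ free(readset);
+ free(writeset);
 
  /* Cleanup and termination code. */
 
@@ -825,7 +823,9 @@ void
 server_loop2(Authctxt *authctxt)
 {
  fd_set *readset = NULL, *writeset = NULL;
- int rekeying = 0, max_fd, nalloc = 0;
+ int rekeying = 0, max_fd;
+ u_int nalloc = 0;
+ u_int64_t rekey_timeout_ms = 0;
 
  debug("Entering interactive session for SSH2.");
 
@@ -854,8 +854,13 @@ server_loop2(Authctxt *authctxt)
 
  if (!rekeying && packet_not_very_much_data_to_write())
  channel_output_poll();
+ if (options.rekey_interval > 0 && compat20 && !rekeying)
+ rekey_timeout_ms = packet_get_rekey_timeout() * 1000;
+ else
+ rekey_timeout_ms = 0;
+
  wait_until_can_do_something(&readset, &writeset, &max_fd,
- &nalloc, 0);
+ &nalloc, rekey_timeout_ms);
 
  if (received_sigterm) {
  logit("Exiting on signal %d", (int)received_sigterm);
@@ -879,10 +884,8 @@ server_loop2(Authctxt *authctxt)
  }
  collect_children();
 
- if (readset)
- xfree(readset);
- if (writeset)
- xfree(writeset);
+ free(readset);
+ free(writeset);
 
  /* free all channels, no more reads and writes */
  channel_free_all();
@@ -917,7 +920,7 @@ server_input_stdin_data(int type, u_int32_t seq, void *ctxt)
  packet_check_eom();
  buffer_append(&stdin_buffer, data, data_len);
  memset(data, 0, data_len);
- xfree(data);
+ free(data);
 }
 
 static void
@@ -974,8 +977,8 @@ server_request_direct_tcpip(void)
  originator, originator_port, target, target_port);
  }
 
- xfree(originator);
- xfree(target);
+ free(originator);
+ free(target);
 
  return c;
 }
@@ -1104,7 +1107,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
  }
  packet_send();
  }
- xfree(ctype);
+ free(ctype);
 }
 
 static void
@@ -1149,7 +1152,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
  listen_address, listen_port,
  &allocated_listen_port, options.gateway_ports);
  }
- xfree(listen_address);
+ free(listen_address);
  } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
  char *cancel_address;
  u_short cancel_port;
@@ -1161,7 +1164,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
  success = channel_cancel_rport_listener(cancel_address,
  cancel_port);
- xfree(cancel_address);
+ free(cancel_address);
  } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
  no_more_sessions = 1;
  success = 1;
@@ -1174,7 +1177,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
  packet_send();
  packet_write_wait();
  }
- xfree(rtype);
+ free(rtype);
 }
 
 static void
@@ -1206,7 +1209,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt)
  packet_put_int(c->remote_id);
  packet_send();
  }
- xfree(rtype);
+ free(rtype);
 }
 
 static void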
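Review bot: In server_loop2, `rekey_timeout_ms = packet_get_rekey_timeout() * 1000;` multiplies in whatever type packet_get_rekey_timeout() returns and only then widens to u_int64_t, so the wider `max_time_milliseconds` parameter introduced in this file does not protect this expression. The function's prototype is not on this page; if it returns int or u_int, a large configured rekey interval could overflow before the assignment. I would widen first, `rekey_timeout_ms = (u_int64_t)packet_get_rekey_timeout() * 1000;`, and add a short comment that 0 keeps the previous behaviour, since the old call passed a literal 0. The body of server_loop2 continues outside the hunks shown.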
diff --git a/session.c b/session.c
index 19eaa20c3..d4b57bdfb 100644
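--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
+/* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -80,6 +80,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
+#include "authfd.h"
 #include "pathnames.h"
 #include "log.h"
 #include "servconf.h"
@@ -199,7 +200,7 @@ auth_input_request_forwarding(struct passwd * pw)
  packet_send_debug("Agent forwarding disabled: "
  "mkdtemp() failed: %.100s", strerror(errno));
  restore_uid();
- xfree(auth_sock_dir);
+ free(auth_sock_dir);
  auth_sock_dir = NULL;
  goto authsock_err;
  }
@@ -244,11 +245,10 @@ auth_input_request_forwarding(struct passwd * pw)
  return 1;
 
  authsock_err:
- if (auth_sock_name != NULL)
- xfree(auth_sock_name);
+ free(auth_sock_name);
  if (auth_sock_dir != NULL) {
  rmdir(auth_sock_dir);
- xfree(auth_sock_dir);
+ free(auth_sock_dir);
  }
  if (sock != -1)
  close(sock);
@@ -364,8 +364,8 @@ do_authenticated1(Authctxt *authctxt)
  packet_check_eom();
  success = session_setup_x11fwd(s);
  if (!success) {
- xfree(s->auth_proto);
- xfree(s->auth_data);
+ free(s->auth_proto);
+ free(s->auth_data);
  s->auth_proto = NULL;
  s->auth_data = NULL;
  }
@@ -412,7 +412,7 @@ do_authenticated1(Authctxt *authctxt)
  if (do_exec(s, command) != 0)
  packet_disconnect(
  "command execution failed");
- xfree(command);
+ free(command);
  } else {
  if (do_exec(s, NULL) != 0)
  packet_disconnect(
@@ -977,7 +977,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
  break;
  if (env[i]) {
  /* Reuse the slot. */
- xfree(env[i]);
+ free(env[i]);
  } else {
  /* New variable. Expand if necessary. */
  envsize = *envsizep;
@@ -1093,8 +1093,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
  umask((mode_t)mask);
 
  for (i = 0; tmpenv[i] != NULL; i++)
- xfree(tmpenv[i]);
- xfree(tmpenv);
+ free(tmpenv[i]);
+ free(tmpenv);
 }
 #endif /* HAVE_ETC_DEFAULT_LOGIN */
 
@@ -1110,7 +1110,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
  for(i = 0; source[i] != NULL; i++) {
  var_name = xstrdup(source[i]);
  if ((var_val = strstr(var_name, "=")) == NULL) {
- xfree(var_name);
+ free(var_name);
  continue;
  }
  *var_val++ = '\0';
@@ -1118,7 +1118,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
  debug3("Copy environment: %s=%s", var_name, var_val);
  child_set_env(env, envsize, var_name, var_val);
 
- xfree(var_name);
+ free(var_name);
  }
 }
 
@@ -1219,8 +1219,8 @@ do_setup_env(Session *s, const char *shell)
  child_set_env(&env, &envsize, str, str + i + 1);
  }
  custom_environment = ce->next;
- xfree(ce->s);
- xfree(ce);
+ free(ce->s);
+ free(ce);
  }
  }
 
@@ -1232,7 +1232,7 @@ do_setup_env(Session *s, const char *shell)
  laddr = get_local_ipaddr(packet_get_connection_in());
  snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
  get_remote_ipaddr(), get_remote_port(), laddr, get_local_port());
- xfree(laddr);
+ free(laddr);
  child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
 
  if (s->ttyfd != -1)
@@ -1403,7 +1403,7 @@ do_nologin(struct passwd *pw)
 #endif
  if (stat(nl, &sb) == -1) {
  if (nl != def_nl)
- xfree(nl);
+ free(nl);
  return;
  }
 
@@ -1513,6 +1513,9 @@ do_setusercontext(struct passwd *pw)
  safely_chroot(chroot_path, pw->pw_uid);
  free(tmp);
  free(chroot_path);
+ /* Make sure we don't attempt to chroot again */
+ free(options.chroot_directory);
+ options.chroot_directory = NULL;
  }
 
 #ifdef HAVE_LOGIN_CAP
@@ -1529,6 +1532,9 @@ do_setusercontext(struct passwd *pw)
  /* Permanently switch to the desired uid. */
  permanently_set_uid(pw);
 #endif
+ } else if (options.chroot_directory != NULL &&
+ strcasecmp(options.chroot_directory, "none") != 0) {
+ fatal("server lacks privileges to chroot to ChrootDirectory");
  }
 
  if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
@@ -1584,6 +1590,13 @@ launch_login(struct passwd *pw, const char *hostname)
 static void
 child_close_fds(void)
 {
+ extern AuthenticationConnection *auth_conn;
+
+ if (auth_conn) {
+ ssh_close_authentication_connection(auth_conn);
+ auth_conn = NULL;
+ }
+
  if (packet_get_connection_in() == packet_get_connection_out())
  close(packet_get_connection_in());
  else {
@@ -2048,7 +2061,7 @@ session_pty_req(Session *s)
  s->ypixel = packet_get_int();
 
  if (strcmp(s->term, "") == 0) {
- xfree(s->term);
+ free(s->term);
  s->term = NULL;
  }
 
@@ -2056,8 +2069,7 @@ session_pty_req(Session *s)
  debug("Allocating pty.");
  if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
  sizeof(s->tty)))) {
- if (s->term)
- xfree(s->term);
+ free(s->term);
  s->term = NULL;
  s->ptyfd = -1;
  s->ttyfd = -1;
@@ -2118,7 +2130,7 @@ session_subsystem_req(Session *s)
  logit("subsystem request for %.100s failed, subsystem not found",
  subsys);
 
- xfree(subsys);
+ free(subsys);
  return success;
 }
 
@@ -2140,8 +2152,8 @@ session_x11_req(Session *s)
 
  success = session_setup_x11fwd(s);
  if (!success) {
- xfree(s->auth_proto);
- xfree(s->auth_data);
+ free(s->auth_proto);
+ free(s->auth_data);
  s->auth_proto = NULL;
  s->auth_data = NULL;
  }
@@ -2163,7 +2175,7 @@ session_exec_req(Session *s)
  char *command = packet_get_string(&len);
  packet_check_eom();
  success = do_exec(s, command) == 0;
- xfree(command);
+ free(command);
  return success;
 }
 
@@ -2209,8 +2221,8 @@ session_env_req(Session *s)
  debug2("Ignoring env request %s: disallowed name", name);
 
  fail:
- xfree(name);
- xfree(val);
+ free(name);
+ free(val);
  return (0);
 }
 
@@ -2392,24 +2404,16 @@ session_close_single_x11(int id, void *arg)
  if (s->x11_chanids[i] != id)
  session_close_x11(s->x11_chanids[i]);
  }
- xfree(s->x11_chanids);
+ free(s->x11_chanids);
  s->x11_chanids = NULL;
- if (s->display) {
- xfree(s->display);
- s->display = NULL;
- }
- if (s->auth_proto) {
- xfree(s->auth_proto);
- s->auth_proto = NULL;
- }
- if (s->auth_data) {
- xfree(s->auth_data);
- s->auth_data = NULL;
- }
- if (s->auth_display) {
- xfree(s->auth_display);
- s->auth_display = NULL;
- }
+ free(s->display);
+ s->display = NULL;
+ free(s->auth_proto);
+ s->auth_proto = NULL;
+ free(s->auth_data);
+ s->auth_data = NULL;
+ free(s->auth_display);
+ s->auth_display = NULL;
 }
 
 static void
@@ -2471,24 +2475,18 @@ session_close(Session *s)
  debug("session_close: session %d pid %ld", s->self, (long)s->pid);
  if (s->ttyfd != -1)
  session_pty_cleanup(s);
- if (s->term)
- xfree(s->term);
- if (s->display)
- xfree(s->display);
- if (s->x11_chanids)
- xfree(s->x11_chanids);
- if (s->auth_display)
- xfree(s->auth_display);
- if (s->auth_data)
- xfree(s->auth_data);
- if (s->auth_proto)
- xfree(s->auth_proto);
+ free(s->term);
+ free(s->display);
+ free(s->x11_chanids);
+ free(s->auth_display);
+ free(s->auth_data);
+ free(s->auth_proto);
  if (s->env != NULL) {
  for (i = 0; i < s->num_env; i++) {
- xfree(s->env[i].name);
- xfree(s->env[i].val);
+ free(s->env[i].name);
+ free(s->env[i].val);
  }
- xfree(s->env);
+ free(s->env);
  }
  session_proctitle(s);
  session_unused(s->self);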
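Review bot: In child_close_fds, the block-scope `extern AuthenticationConnection *auth_conn;` bypasses any header, so the compiler cannot check it against the definition if the variable's type or name changes; declaring it once in a shared header would be safer. The close also has no comment saying why it is needed in the child. Presumably `auth_conn` is the daemon's connection to the HostKeyAgent socket added in servconf.c, which the user's process should not inherit. After confirming what auth_conn refers to, I would add `/* Don't leak the host-key agent connection into the user's session */` above the `if (auth_conn)` test. The rest of child_close_fds lies outside the hunk.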
diff --git a/sftp-client.c b/sftp-client.c
index 85f2bd444..f4f1970b6 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-client.c,v 1.97 2012/07/02 12:13:26 dtucker Exp $ */ 1/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -112,7 +112,7 @@ send_msg(struct sftp_conn *conn, Buffer *m)
112 iov[1].iov_len = buffer_len(m); 112 iov[1].iov_len = buffer_len(m);
113 113
114 if (atomiciov6(writev, conn->fd_out, iov, 2, 114 if (atomiciov6(writev, conn->fd_out, iov, 2,
115 conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != 115 conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
116 buffer_len(m) + sizeof(mlen)) 116 buffer_len(m) + sizeof(mlen))
117 fatal("Couldn't send packet: %s", strerror(errno)); 117 fatal("Couldn't send packet: %s", strerror(errno));
118 118
@@ -394,8 +394,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests,
394 } else { 394 } else {
395 debug2("Unrecognised server extension \"%s\"", name); 395 debug2("Unrecognised server extension \"%s\"", name);
396 } 396 }
397 xfree(name); 397 free(name);
398 xfree(value); 398 free(value);
399 } 399 }
400 400
401 buffer_free(&msg); 401 buffer_free(&msg);
@@ -509,7 +509,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
509 error("Couldn't read directory: %s", 509 error("Couldn't read directory: %s",
510 fx2txt(status)); 510 fx2txt(status));
511 do_close(conn, handle, handle_len); 511 do_close(conn, handle, handle_len);
512 xfree(handle); 512 free(handle);
513 buffer_free(&msg); 513 buffer_free(&msg);
514 return(status); 514 return(status);
515 } 515 }
@@ -552,14 +552,14 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
552 (*dir)[++ents] = NULL; 552 (*dir)[++ents] = NULL;
553 } 553 }
554 next: 554 next:
555 xfree(filename); 555 free(filename);
556 xfree(longname); 556 free(longname);
557 } 557 }
558 } 558 }
559 559
560 buffer_free(&msg); 560 buffer_free(&msg);
561 do_close(conn, handle, handle_len); 561 do_close(conn, handle, handle_len);
562 xfree(handle); 562 free(handle);
563 563
564 /* Don't return partial matches on interrupt */ 564 /* Don't return partial matches on interrupt */
565 if (interrupted && dir != NULL && *dir != NULL) { 565 if (interrupted && dir != NULL && *dir != NULL) {
@@ -582,11 +582,11 @@ void free_sftp_dirents(SFTP_DIRENT **s)
582 int i; 582 int i;
583 583
584 for (i = 0; s[i]; i++) { 584 for (i = 0; s[i]; i++) {
585 xfree(s[i]->filename); 585 free(s[i]->filename);
586 xfree(s[i]->longname); 586 free(s[i]->longname);
587 xfree(s[i]); 587 free(s[i]);
588 } 588 }
589 xfree(s); 589 free(s);
590} 590}
591 591
592int 592int
@@ -760,7 +760,7 @@ do_realpath(struct sftp_conn *conn, char *path)
760 debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename, 760 debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename,
761 (unsigned long)a->size); 761 (unsigned long)a->size);
762 762
763 xfree(longname); 763 free(longname);
764 764
765 buffer_free(&msg); 765 buffer_free(&msg);
766 766
@@ -907,7 +907,7 @@ do_readlink(struct sftp_conn *conn, char *path)
907 907
908 debug3("SSH_FXP_READLINK %s -> %s", path, filename); 908 debug3("SSH_FXP_READLINK %s -> %s", path, filename);
909 909
910 xfree(longname); 910 free(longname);
911 911
912 buffer_free(&msg); 912 buffer_free(&msg);
913 913
@@ -988,16 +988,17 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
988 988
989int 989int
990do_download(struct sftp_conn *conn, char *remote_path, char *local_path, 990do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
991 Attrib *a, int pflag) 991 Attrib *a, int pflag, int resume)
992{ 992{
993 Attrib junk; 993 Attrib junk;
994 Buffer msg; 994 Buffer msg;
995 char *handle; 995 char *handle;
996 int local_fd, status = 0, write_error; 996 int local_fd = -1, status = 0, write_error;
997 int read_error, write_errno; 997 int read_error, write_errno, reordered = 0;
998 u_int64_t offset, size; 998 u_int64_t offset = 0, size, highwater;
999 u_int handle_len, mode, type, id, buflen, num_req, max_req; 999 u_int handle_len, mode, type, id, buflen, num_req, max_req;
1000 off_t progress_counter; 1000 off_t progress_counter;
1001 struct stat st;
1001 struct request { 1002 struct request {
1002 u_int id; 1003 u_int id;
1003 u_int len; 1004 u_int len;
@@ -1050,21 +1051,36 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1050 return(-1); 1051 return(-1);
1051 } 1052 }
1052 1053
1053 local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, 1054 local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? 0 : O_TRUNC),
1054 mode | S_IWRITE); 1055 mode | S_IWUSR);
1055 if (local_fd == -1) { 1056 if (local_fd == -1) {
1056 error("Couldn't open local file \"%s\" for writing: %s", 1057 error("Couldn't open local file \"%s\" for writing: %s",
1057 local_path, strerror(errno)); 1058 local_path, strerror(errno));
1058 do_close(conn, handle, handle_len); 1059 goto fail;
1059 buffer_free(&msg); 1060 }
1060 xfree(handle); 1061 offset = highwater = 0;
1061 return(-1); 1062 if (resume) {
1063 if (fstat(local_fd, &st) == -1) {
1064 error("Unable to stat local file \"%s\": %s",
1065 local_path, strerror(errno));
1066 goto fail;
1067 }
1068 if ((size_t)st.st_size > size) {
1069 error("Unable to resume download of \"%s\": "
1070 "local file is larger than remote", local_path);
1071 fail:
1072 do_close(conn, handle, handle_len);
1073 buffer_free(&msg);
1074 free(handle);
1075 return -1;
1076 }
1077 offset = highwater = st.st_size;
1062 } 1078 }
1063 1079
1064 /* Read from remote and write to local */ 1080 /* Read from remote and write to local */
1065 write_error = read_error = write_errno = num_req = offset = 0; 1081 write_error = read_error = write_errno = num_req = 0;
1066 max_req = 1; 1082 max_req = 1;
1067 progress_counter = 0; 1083 progress_counter = offset;
1068 1084
1069 if (showprogress && size != 0) 1085 if (showprogress && size != 0)
1070 start_progress_meter(remote_path, size, &progress_counter); 1086 start_progress_meter(remote_path, size, &progress_counter);
@@ -1121,7 +1137,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1121 read_error = 1; 1137 read_error = 1;
1122 max_req = 0; 1138 max_req = 0;
1123 TAILQ_REMOVE(&requests, req, tq); 1139 TAILQ_REMOVE(&requests, req, tq);
1124 xfree(req); 1140 free(req);
1125 num_req--; 1141 num_req--;
1126 break; 1142 break;
1127 case SSH2_FXP_DATA: 1143 case SSH2_FXP_DATA:
@@ -1139,12 +1155,16 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1139 write_error = 1; 1155 write_error = 1;
1140 max_req = 0; 1156 max_req = 0;
1141 } 1157 }
1158 else if (!reordered && req->offset <= highwater)
1159 highwater = req->offset + len;
1160 else if (!reordered && req->offset > highwater)
1161 reordered = 1;
1142 progress_counter += len; 1162 progress_counter += len;
1143 xfree(data); 1163 free(data);
1144 1164
1145 if (len == req->len) { 1165 if (len == req->len) {
1146 TAILQ_REMOVE(&requests, req, tq); 1166 TAILQ_REMOVE(&requests, req, tq);
1147 xfree(req); 1167 free(req);
1148 num_req--; 1168 num_req--;
1149 } else { 1169 } else {
1150 /* Resend the request for the missing data */ 1170 /* Resend the request for the missing data */
@@ -1187,7 +1207,15 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1187 /* Sanity check */ 1207 /* Sanity check */
1188 if (TAILQ_FIRST(&requests) != NULL) 1208 if (TAILQ_FIRST(&requests) != NULL)
1189 fatal("Transfer complete, but requests still in queue"); 1209 fatal("Transfer complete, but requests still in queue");
1190 1210 /* Truncate at highest contiguous point to avoid holes on interrupt */
1211 if (read_error || write_error || interrupted) {
1212 if (reordered && resume) {
1213 error("Unable to resume download of \"%s\": "
1214 "server reordered requests", local_path);
1215 }
1216 debug("truncating at %llu", (unsigned long long)highwater);
1217 ftruncate(local_fd, highwater);
1218 }
1191 if (read_error) { 1219 if (read_error) {
1192 error("Couldn't read from remote file \"%s\" : %s", 1220 error("Couldn't read from remote file \"%s\" : %s",
1193 remote_path, fx2txt(status)); 1221 remote_path, fx2txt(status));
@@ -1199,7 +1227,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1199 do_close(conn, handle, handle_len); 1227 do_close(conn, handle, handle_len);
1200 } else { 1228 } else {
1201 status = do_close(conn, handle, handle_len); 1229 status = do_close(conn, handle, handle_len);
1202 1230 if (interrupted)
1231 status = -1;
1203 /* Override umask and utimes if asked */ 1232 /* Override umask and utimes if asked */
1204#ifdef HAVE_FCHMOD 1233#ifdef HAVE_FCHMOD
1205 if (pflag && fchmod(local_fd, mode) == -1) 1234 if (pflag && fchmod(local_fd, mode) == -1)
@@ -1220,14 +1249,14 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
1220 } 1249 }
1221 close(local_fd); 1250 close(local_fd);
1222 buffer_free(&msg); 1251 buffer_free(&msg);
1223 xfree(handle); 1252 free(handle);
1224 1253
1225 return(status); 1254 return(status);
1226} 1255}
1227 1256
1228static int 1257static int
1229download_dir_internal(struct sftp_conn *conn, char *src, char *dst, 1258download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1230 Attrib *dirattrib, int pflag, int printflag, int depth) 1259 Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
1231{ 1260{
1232 int i, ret = 0; 1261 int i, ret = 0;
1233 SFTP_DIRENT **dir_entries; 1262 SFTP_DIRENT **dir_entries;
@@ -1280,11 +1309,11 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1280 continue; 1309 continue;
1281 if (download_dir_internal(conn, new_src, new_dst, 1310 if (download_dir_internal(conn, new_src, new_dst,
1282 &(dir_entries[i]->a), pflag, printflag, 1311 &(dir_entries[i]->a), pflag, printflag,
1283 depth + 1) == -1) 1312 depth + 1, resume) == -1)
1284 ret = -1; 1313 ret = -1;
1285 } else if (S_ISREG(dir_entries[i]->a.perm) ) { 1314 } else if (S_ISREG(dir_entries[i]->a.perm) ) {
1286 if (do_download(conn, new_src, new_dst, 1315 if (do_download(conn, new_src, new_dst,
1287 &(dir_entries[i]->a), pflag) == -1) { 1316 &(dir_entries[i]->a), pflag, resume) == -1) {
1288 error("Download of file %s to %s failed", 1317 error("Download of file %s to %s failed",
1289 new_src, new_dst); 1318 new_src, new_dst);
1290 ret = -1; 1319 ret = -1;
@@ -1292,8 +1321,8 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1292 } else 1321 } else
1293 logit("%s: not a regular file\n", new_src); 1322 logit("%s: not a regular file\n", new_src);
1294 1323
1295 xfree(new_dst); 1324 free(new_dst);
1296 xfree(new_src); 1325 free(new_src);
1297 } 1326 }
1298 1327
1299 if (pflag) { 1328 if (pflag) {
@@ -1317,7 +1346,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1317 1346
1318int 1347int
1319download_dir(struct sftp_conn *conn, char *src, char *dst, 1348download_dir(struct sftp_conn *conn, char *src, char *dst,
1320 Attrib *dirattrib, int pflag, int printflag) 1349 Attrib *dirattrib, int pflag, int printflag, int resume)
1321{ 1350{
1322 char *src_canon; 1351 char *src_canon;
1323 int ret; 1352 int ret;
@@ -1328,8 +1357,8 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
1328 } 1357 }
1329 1358
1330 ret = download_dir_internal(conn, src_canon, dst, 1359 ret = download_dir_internal(conn, src_canon, dst,
1331 dirattrib, pflag, printflag, 0); 1360 dirattrib, pflag, printflag, 0, resume);
1332 xfree(src_canon); 1361 free(src_canon);
1333 return ret; 1362 return ret;
1334} 1363}
1335 1364
@@ -1340,7 +1369,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1340 int local_fd; 1369 int local_fd;
1341 int status = SSH2_FX_OK; 1370 int status = SSH2_FX_OK;
1342 u_int handle_len, id, type; 1371 u_int handle_len, id, type;
1343 off_t offset; 1372 off_t offset, progress_counter;
1344 char *handle, *data; 1373 char *handle, *data;
1345 Buffer msg; 1374 Buffer msg;
1346 struct stat sb; 1375 struct stat sb;
@@ -1408,9 +1437,10 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1408 data = xmalloc(conn->transfer_buflen); 1437 data = xmalloc(conn->transfer_buflen);
1409 1438
1410 /* Read from local and write to remote */ 1439 /* Read from local and write to remote */
1411 offset = 0; 1440 offset = progress_counter = 0;
1412 if (showprogress) 1441 if (showprogress)
1413 start_progress_meter(local_path, sb.st_size, &offset); 1442 start_progress_meter(local_path, sb.st_size,
1443 &progress_counter);
1414 1444
1415 for (;;) { 1445 for (;;) {
1416 int len; 1446 int len;
@@ -1481,7 +1511,8 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1481 debug3("In write loop, ack for %u %u bytes at %lld", 1511 debug3("In write loop, ack for %u %u bytes at %lld",
1482 ack->id, ack->len, (long long)ack->offset); 1512 ack->id, ack->len, (long long)ack->offset);
1483 ++ackid; 1513 ++ackid;
1484 xfree(ack); 1514 progress_counter += ack->len;
1515 free(ack);
1485 } 1516 }
1486 offset += len; 1517 offset += len;
1487 if (offset < 0) 1518 if (offset < 0)
@@ -1491,7 +1522,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1491 1522
1492 if (showprogress) 1523 if (showprogress)
1493 stop_progress_meter(); 1524 stop_progress_meter();
1494 xfree(data); 1525 free(data);
1495 1526
1496 if (status != SSH2_FX_OK) { 1527 if (status != SSH2_FX_OK) {
1497 error("Couldn't write to remote file \"%s\": %s", 1528 error("Couldn't write to remote file \"%s\": %s",
@@ -1511,7 +1542,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1511 1542
1512 if (do_close(conn, handle, handle_len) != SSH2_FX_OK) 1543 if (do_close(conn, handle, handle_len) != SSH2_FX_OK)
1513 status = -1; 1544 status = -1;
1514 xfree(handle); 1545 free(handle);
1515 1546
1516 return status; 1547 return status;
1517} 1548}
@@ -1551,7 +1582,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1551 a.perm &= 01777; 1582 a.perm &= 01777;
1552 if (!pflag) 1583 if (!pflag)
1553 a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; 1584 a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME;
1554 1585
1555 status = do_mkdir(conn, dst, &a, 0); 1586 status = do_mkdir(conn, dst, &a, 0);
1556 /* 1587 /*
1557 * we lack a portable status for errno EEXIST, 1588 * we lack a portable status for errno EEXIST,
@@ -1561,7 +1592,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1561 if (status != SSH2_FX_OK) { 1592 if (status != SSH2_FX_OK) {
1562 if (status != SSH2_FX_FAILURE) 1593 if (status != SSH2_FX_FAILURE)
1563 return -1; 1594 return -1;
1564 if (do_stat(conn, dst, 0) == NULL) 1595 if (do_stat(conn, dst, 0) == NULL)
1565 return -1; 1596 return -1;
1566 } 1597 }
1567 1598
@@ -1569,7 +1600,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1569 error("Failed to open dir \"%s\": %s", src, strerror(errno)); 1600 error("Failed to open dir \"%s\": %s", src, strerror(errno));
1570 return -1; 1601 return -1;
1571 } 1602 }
1572 1603
1573 while (((dp = readdir(dirp)) != NULL) && !interrupted) { 1604 while (((dp = readdir(dirp)) != NULL) && !interrupted) {
1574 if (dp->d_ino == 0) 1605 if (dp->d_ino == 0)
1575 continue; 1606 continue;
@@ -1597,8 +1628,8 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst,
1597 } 1628 }
1598 } else 1629 } else
1599 logit("%s: not a regular file\n", filename); 1630 logit("%s: not a regular file\n", filename);
1600 xfree(new_dst); 1631 free(new_dst);
1601 xfree(new_src); 1632 free(new_src);
1602 } 1633 }
1603 1634
1604 do_setstat(conn, dst, &a); 1635 do_setstat(conn, dst, &a);
@@ -1620,7 +1651,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag,
1620 } 1651 }
1621 1652
1622 ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0); 1653 ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0);
1623 xfree(dst_canon); 1654 free(dst_canon);
1624 return ret; 1655 return ret;
1625} 1656}
1626 1657
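--- a/sftp-client.h
+++ b/sftp-client.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.h,v 1.20 2010/12/04 00:18:01 djm Exp $ */
+/* $OpenBSD: sftp-client.h,v 1.21 2013/07/25 00:56:51 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
@@ -106,13 +106,13 @@ int do_symlink(struct sftp_conn *, char *, char *);
  * Download 'remote_path' to 'local_path'. Preserve permissions and times
  * if 'pflag' is set
  */
-int do_download(struct sftp_conn *, char *, char *, Attrib *, int);
+int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
 
 /*
  * Recursively download 'remote_directory' to 'local_directory'. Preserve
  * times if 'pflag' is set
  */
-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int);
+int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
 
 /*
  * Upload 'local_path' to 'remote_path'. Preserve permissions and times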
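Review bot: The comments above `do_download` and `download_dir` still mention only 'pflag', so the `int` added at the end of each prototype is undocumented here; the definitions in sftp-client.c call it `resume`. I would add to both comments a sentence such as `* If 'resume' is set, continue from the end of an existing local file;` followed by `* the bytes already on disk are not compared with the remote file.` The second half is the part a caller needs: the sftp.1 text in this same commit says a partial copy that differs from the remote file gives a corrupt result, and nothing in the prototype hints at that. Giving the prototypes parameter names would also make the two adjacent `int` flags harder to swap at a call site.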
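--- a/sftp-common.c
+++ b/sftp-common.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-common.c,v 1.23 2010/01/15 09:24:23 markus Exp $ */
+/* $OpenBSD: sftp-common.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2001 Damien Miller. All rights reserved.
@@ -128,8 +128,8 @@ decode_attrib(Buffer *b)
  type = buffer_get_string(b, NULL);
  data = buffer_get_string(b, NULL);
  debug3("Got file attribute \"%s\"", type);
- xfree(type);
- xfree(data);
+ free(type);
+ free(data);
  }
  }
  return &a;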
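--- a/sftp-glob.c
+++ b/sftp-glob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */
+/* $OpenBSD: sftp-glob.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -51,7 +51,7 @@ fudge_opendir(const char *path)
  r = xmalloc(sizeof(*r));
 
  if (do_readdir(cur.conn, (char *)path, &r->dir)) {
- xfree(r);
+ free(r);
  return(NULL);
  }
 
@@ -103,7 +103,7 @@ static void
 fudge_closedir(struct SFTP_OPENDIR *od)
 {
  free_sftp_dirents(od->dir);
- xfree(od);
+ free(od);
 }
 
 static int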
diff --git a/sftp-server.0 b/sftp-server.0
index 6beddcc13..bca318b38 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -62,7 +62,7 @@ SEE ALSO
62 sftp(1), ssh(1), sshd_config(5), sshd(8) 62 sftp(1), ssh(1), sshd_config(5), sshd(8)
63 63
64 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, 64 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
65 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress 65 draft-ietf-secsh-filexfer-02.txt, October 2001, work in progress
66 material. 66 material.
67 67
68HISTORY 68HISTORY
@@ -71,4 +71,4 @@ HISTORY
71AUTHORS 71AUTHORS
72 Markus Friedl <markus@openbsd.org> 72 Markus Friedl <markus@openbsd.org>
73 73
74OpenBSD 5.3 January 4, 2013 OpenBSD 5.3 74OpenBSD 5.4 July 16, 2013 OpenBSD 5.4
diff --git a/sftp-server.8 b/sftp-server.8
index 2fd3df20c..cc925b96e 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
1.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ 1.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $
2.\" 2.\"
3.\" Copyright (c) 2000 Markus Friedl. All rights reserved. 3.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: January 4 2013 $ 25.Dd $Mdocdate: July 16 2013 $
26.Dt SFTP-SERVER 8 26.Dt SFTP-SERVER 8
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -124,8 +124,8 @@ establish a logging socket inside the chroot directory.
124.%A T. Ylonen 124.%A T. Ylonen
125.%A S. Lehtinen 125.%A S. Lehtinen
126.%T "SSH File Transfer Protocol" 126.%T "SSH File Transfer Protocol"
127.%N draft-ietf-secsh-filexfer-00.txt 127.%N draft-ietf-secsh-filexfer-02.txt
128.%D January 2001 128.%D October 2001
129.%O work in progress material 129.%O work in progress material
130.Re 130.Re
131.Sh HISTORY 131.Sh HISTORY
@@ -133,4 +133,4 @@ establish a logging socket inside the chroot directory.
133first appeared in 133first appeared in
134.Ox 2.8 . 134.Ox 2.8 .
135.Sh AUTHORS 135.Sh AUTHORS
136.An Markus Friedl Aq markus@openbsd.org 136.An Markus Friedl Aq Mt markus@openbsd.org
diff --git a/sftp-server.c b/sftp-server.c
index cce074a56..285f21aaf 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ 1/* $OpenBSD: sftp-server.c,v 1.97 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
4 * 4 *
@@ -319,11 +319,11 @@ handle_close(int handle)
319 319
320 if (handle_is_ok(handle, HANDLE_FILE)) { 320 if (handle_is_ok(handle, HANDLE_FILE)) {
321 ret = close(handles[handle].fd); 321 ret = close(handles[handle].fd);
322 xfree(handles[handle].name); 322 free(handles[handle].name);
323 handle_unused(handle); 323 handle_unused(handle);
324 } else if (handle_is_ok(handle, HANDLE_DIR)) { 324 } else if (handle_is_ok(handle, HANDLE_DIR)) {
325 ret = closedir(handles[handle].dirp); 325 ret = closedir(handles[handle].dirp);
326 xfree(handles[handle].name); 326 free(handles[handle].name);
327 handle_unused(handle); 327 handle_unused(handle);
328 } else { 328 } else {
329 errno = ENOENT; 329 errno = ENOENT;
@@ -367,7 +367,7 @@ get_handle(void)
367 handle = get_string(&hlen); 367 handle = get_string(&hlen);
368 if (hlen < 256) 368 if (hlen < 256)
369 val = handle_from_string(handle, hlen); 369 val = handle_from_string(handle, hlen);
370 xfree(handle); 370 free(handle);
371 return val; 371 return val;
372} 372}
373 373
@@ -450,7 +450,7 @@ send_handle(u_int32_t id, int handle)
450 handle_to_string(handle, &string, &hlen); 450 handle_to_string(handle, &string, &hlen);
451 debug("request %u: sent handle handle %d", id, handle); 451 debug("request %u: sent handle handle %d", id, handle);
452 send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); 452 send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen);
453 xfree(string); 453 free(string);
454} 454}
455 455
456static void 456static void
@@ -578,7 +578,7 @@ process_open(void)
578 } 578 }
579 if (status != SSH2_FX_OK) 579 if (status != SSH2_FX_OK)
580 send_status(id, status); 580 send_status(id, status);
581 xfree(name); 581 free(name);
582} 582}
583 583
584static void 584static void
@@ -679,7 +679,7 @@ process_write(void)
679 } 679 }
680 } 680 }
681 send_status(id, status); 681 send_status(id, status);
682 xfree(data); 682 free(data);
683} 683}
684 684
685static void 685static void
@@ -705,7 +705,7 @@ process_do_stat(int do_lstat)
705 } 705 }
706 if (status != SSH2_FX_OK) 706 if (status != SSH2_FX_OK)
707 send_status(id, status); 707 send_status(id, status);
708 xfree(name); 708 free(name);
709} 709}
710 710
711static void 711static void
@@ -807,7 +807,7 @@ process_setstat(void)
807 status = errno_to_portable(errno); 807 status = errno_to_portable(errno);
808 } 808 }
809 send_status(id, status); 809 send_status(id, status);
810 xfree(name); 810 free(name);
811} 811}
812 812
813static void 813static void
@@ -904,7 +904,7 @@ process_opendir(void)
904 } 904 }
905 if (status != SSH2_FX_OK) 905 if (status != SSH2_FX_OK)
906 send_status(id, status); 906 send_status(id, status);
907 xfree(path); 907 free(path);
908} 908}
909 909
910static void 910static void
@@ -953,13 +953,13 @@ process_readdir(void)
953 if (count > 0) { 953 if (count > 0) {
954 send_names(id, count, stats); 954 send_names(id, count, stats);
955 for (i = 0; i < count; i++) { 955 for (i = 0; i < count; i++) {
956 xfree(stats[i].name); 956 free(stats[i].name);
957 xfree(stats[i].long_name); 957 free(stats[i].long_name);
958 } 958 }
959 } else { 959 } else {
960 send_status(id, SSH2_FX_EOF); 960 send_status(id, SSH2_FX_EOF);
961 } 961 }
962 xfree(stats); 962 free(stats);
963 } 963 }
964} 964}
965 965
@@ -982,7 +982,7 @@ process_remove(void)
982 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 982 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
983 } 983 }
984 send_status(id, status); 984 send_status(id, status);
985 xfree(name); 985 free(name);
986} 986}
987 987
988static void 988static void
@@ -1007,7 +1007,7 @@ process_mkdir(void)
1007 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1007 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1008 } 1008 }
1009 send_status(id, status); 1009 send_status(id, status);
1010 xfree(name); 1010 free(name);
1011} 1011}
1012 1012
1013static void 1013static void
@@ -1028,7 +1028,7 @@ process_rmdir(void)
1028 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1028 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1029 } 1029 }
1030 send_status(id, status); 1030 send_status(id, status);
1031 xfree(name); 1031 free(name);
1032} 1032}
1033 1033
1034static void 1034static void
@@ -1041,7 +1041,7 @@ process_realpath(void)
1041 id = get_int(); 1041 id = get_int();
1042 path = get_string(NULL); 1042 path = get_string(NULL);
1043 if (path[0] == '\0') { 1043 if (path[0] == '\0') {
1044 xfree(path); 1044 free(path);
1045 path = xstrdup("."); 1045 path = xstrdup(".");
1046 } 1046 }
1047 debug3("request %u: realpath", id); 1047 debug3("request %u: realpath", id);
@@ -1054,7 +1054,7 @@ process_realpath(void)
1054 s.name = s.long_name = resolvedname; 1054 s.name = s.long_name = resolvedname;
1055 send_names(id, 1, &s); 1055 send_names(id, 1, &s);
1056 } 1056 }
1057 xfree(path); 1057 free(path);
1058} 1058}
1059 1059
1060static void 1060static void
@@ -1115,8 +1115,8 @@ process_rename(void)
1115 status = SSH2_FX_OK; 1115 status = SSH2_FX_OK;
1116 } 1116 }
1117 send_status(id, status); 1117 send_status(id, status);
1118 xfree(oldpath); 1118 free(oldpath);
1119 xfree(newpath); 1119 free(newpath);
1120} 1120}
1121 1121
1122static void 1122static void
@@ -1141,7 +1141,7 @@ process_readlink(void)
1141 s.name = s.long_name = buf; 1141 s.name = s.long_name = buf;
1142 send_names(id, 1, &s); 1142 send_names(id, 1, &s);
1143 } 1143 }
1144 xfree(path); 1144 free(path);
1145} 1145}
1146 1146
1147static void 1147static void
@@ -1164,8 +1164,8 @@ process_symlink(void)
1164 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1164 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1165 } 1165 }
1166 send_status(id, status); 1166 send_status(id, status);
1167 xfree(oldpath); 1167 free(oldpath);
1168 xfree(newpath); 1168 free(newpath);
1169} 1169}
1170 1170
1171static void 1171static void
@@ -1185,8 +1185,8 @@ process_extended_posix_rename(u_int32_t id)
1185 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1185 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1186 } 1186 }
1187 send_status(id, status); 1187 send_status(id, status);
1188 xfree(oldpath); 1188 free(oldpath);
1189 xfree(newpath); 1189 free(newpath);
1190} 1190}
1191 1191
1192static void 1192static void
@@ -1203,7 +1203,7 @@ process_extended_statvfs(u_int32_t id)
1203 send_status(id, errno_to_portable(errno)); 1203 send_status(id, errno_to_portable(errno));
1204 else 1204 else
1205 send_statvfs(id, &st); 1205 send_statvfs(id, &st);
1206 xfree(path); 1206 free(path);
1207} 1207}
1208 1208
1209static void 1209static void
@@ -1242,8 +1242,8 @@ process_extended_hardlink(u_int32_t id)
1242 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; 1242 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1243 } 1243 }
1244 send_status(id, status); 1244 send_status(id, status);
1245 xfree(oldpath); 1245 free(oldpath);
1246 xfree(newpath); 1246 free(newpath);
1247} 1247}
1248 1248
1249static void 1249static void
@@ -1264,7 +1264,7 @@ process_extended(void)
1264 process_extended_hardlink(id); 1264 process_extended_hardlink(id);
1265 else 1265 else
1266 send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ 1266 send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */
1267 xfree(request); 1267 free(request);
1268} 1268}
1269 1269
1270/* stolen from ssh-agent */ 1270/* stolen from ssh-agent */
diff --git a/sftp.0 b/sftp.0
index dd1da5241..c5fa17892 100644
--- a/sftp.0
+++ b/sftp.0
@@ -55,10 +55,10 @@ DESCRIPTION
55 used in conjunction with non-interactive authentication. A 55 used in conjunction with non-interactive authentication. A
56 batchfile of `-' may be used to indicate standard input. sftp 56 batchfile of `-' may be used to indicate standard input. sftp
57 will abort if any of the following commands fail: get, put, 57 will abort if any of the following commands fail: get, put,
58 rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp, 58 reget, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown,
59 lpwd, df, symlink, and lmkdir. Termination on error can be 59 chgrp, lpwd, df, symlink, and lmkdir. Termination on error can
60 suppressed on a command by command basis by prefixing the command 60 be suppressed on a command by command basis by prefixing the
61 with a `-' character (for example, -rm /tmp/blah*). 61 command with a `-' character (for example, -rm /tmp/blah*).
62 62
63 -C Enables compression (via ssh's -C flag). 63 -C Enables compression (via ssh's -C flag).
64 64
@@ -209,7 +209,7 @@ INTERACTIVE COMMANDS
209 209
210 exit Quit sftp. 210 exit Quit sftp.
211 211
212 get [-Ppr] remote-path [local-path] 212 get [-aPpr] remote-path [local-path]
213 Retrieve the remote-path and store it on the local machine. If 213 Retrieve the remote-path and store it on the local machine. If
214 the local path name is not specified, it is given the same name 214 the local path name is not specified, it is given the same name
215 it has on the remote machine. remote-path may contain glob(3) 215 it has on the remote machine. remote-path may contain glob(3)
@@ -217,6 +217,12 @@ INTERACTIVE COMMANDS
217 local-path is specified, then local-path must specify a 217 local-path is specified, then local-path must specify a
218 directory. 218 directory.
219 219
220 If the -a flag is specified, then attempt to resume partial
221 transfers of existing files. Note that resumption assumes that
222 any partial copy of the local file matches the remote copy. If
223 the remote file differs from the partial local copy then the
224 resultant file is likely to be corrupt.
225
220 If either the -P or -p flag is specified, then full file 226 If either the -P or -p flag is specified, then full file
221 permissions and access times are copied too. 227 permissions and access times are copied too.
222 228
@@ -306,6 +312,10 @@ INTERACTIVE COMMANDS
306 312
307 quit Quit sftp. 313 quit Quit sftp.
308 314
315 reget [-Ppr] remote-path [local-path]
316 Resume download of remote-path. Equivalent to get with the -a
317 flag set.
318
309 rename oldpath newpath 319 rename oldpath newpath
310 Rename remote file from oldpath to newpath. 320 Rename remote file from oldpath to newpath.
311 321
@@ -336,4 +346,4 @@ SEE ALSO
336 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress 346 draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
337 material. 347 material.
338 348
339OpenBSD 5.3 September 5, 2011 OpenBSD 5.3 349OpenBSD 5.4 July 25, 2013 OpenBSD 5.4
diff --git a/sftp.1 b/sftp.1
index bcb472144..2577fe875 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $ 1.\" $OpenBSD: sftp.1,v 1.92 2013/07/25 00:56:51 djm Exp $
2.\" 2.\"
3.\" Copyright (c) 2001 Damien Miller. All rights reserved. 3.\" Copyright (c) 2001 Damien Miller. All rights reserved.
4.\" 4.\"
@@ -22,7 +22,7 @@
22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24.\" 24.\"
25.Dd $Mdocdate: September 5 2011 $ 25.Dd $Mdocdate: July 25 2013 $
26.Dt SFTP 1 26.Dt SFTP 1
27.Os 27.Os
28.Sh NAME 28.Sh NAME
@@ -129,7 +129,7 @@ may be used to indicate standard input.
129.Nm 129.Nm
130will abort if any of the following 130will abort if any of the following
131commands fail: 131commands fail:
132.Ic get , put , rename , ln , 132.Ic get , put , reget , rename , ln ,
133.Ic rm , mkdir , chdir , ls , 133.Ic rm , mkdir , chdir , ls ,
134.Ic lchdir , chmod , chown , 134.Ic lchdir , chmod , chown ,
135.Ic chgrp , lpwd , df , symlink , 135.Ic chgrp , lpwd , df , symlink ,
@@ -343,7 +343,7 @@ extension.
343Quit 343Quit
344.Nm sftp . 344.Nm sftp .
345.It Xo Ic get 345.It Xo Ic get
346.Op Fl Ppr 346.Op Fl aPpr
347.Ar remote-path 347.Ar remote-path
348.Op Ar local-path 348.Op Ar local-path
349.Xc 349.Xc
@@ -363,6 +363,14 @@ is specified, then
363.Ar local-path 363.Ar local-path
364must specify a directory. 364must specify a directory.
365.Pp 365.Pp
366If the
367.Fl a
368flag is specified, then attempt to resume partial transfers of existing files.
369Note that resumption assumes that any partial copy of the local file matches
370the remote copy.
371If the remote file differs from the partial local copy then the resultant file
372is likely to be corrupt.
373.Pp
366If either the 374If either the
367.Fl P 375.Fl P
368or 376or
@@ -503,6 +511,18 @@ Display remote working directory.
503.It Ic quit 511.It Ic quit
504Quit 512Quit
505.Nm sftp . 513.Nm sftp .
514.It Xo Ic reget
515.Op Fl Ppr
516.Ar remote-path
517.Op Ar local-path
518.Xc
519Resume download of
520.Ar remote-path .
521Equivalent to
522.Ic get
523with the
524.Fl a
525flag set.
506.It Ic rename Ar oldpath Ar newpath 526.It Ic rename Ar oldpath Ar newpath
507Rename remote file from 527Rename remote file from
508.Ar oldpath 528.Ar oldpath
diff --git a/sftp.c b/sftp.c
index 342ae7efc..969328de4 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ 1/* $OpenBSD: sftp.c,v 1.148 2013/07/25 00:56:52 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 3 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
4 * 4 *
@@ -38,6 +38,9 @@
38#ifdef HAVE_LIBGEN_H 38#ifdef HAVE_LIBGEN_H
39#include <libgen.h> 39#include <libgen.h>
40#endif 40#endif
41#ifdef HAVE_LOCALE_H
42# include <locale.h>
43#endif
41#ifdef USE_LIBEDIT 44#ifdef USE_LIBEDIT
42#include <histedit.h> 45#include <histedit.h>
43#else 46#else
@@ -76,12 +79,18 @@ int batchmode = 0;
76/* PID of ssh transport process */ 79/* PID of ssh transport process */
77static pid_t sshpid = -1; 80static pid_t sshpid = -1;
78 81
82/* Suppress diagnositic messages */
83int quiet = 0;
84
79/* This is set to 0 if the progressmeter is not desired. */ 85/* This is set to 0 if the progressmeter is not desired. */
80int showprogress = 1; 86int showprogress = 1;
81 87
82/* When this option is set, we always recursively download/upload directories */ 88/* When this option is set, we always recursively download/upload directories */
83int global_rflag = 0; 89int global_rflag = 0;
84 90
91/* When this option is set, we resume download if possible */
92int global_aflag = 0;
93
85/* When this option is set, the file transfers will always preserve times */ 94/* When this option is set, the file transfers will always preserve times */
86int global_pflag = 0; 95int global_pflag = 0;
87 96
@@ -145,6 +154,7 @@ extern char *__progname;
145#define I_SYMLINK 21 154#define I_SYMLINK 21
146#define I_VERSION 22 155#define I_VERSION 22
147#define I_PROGRESS 23 156#define I_PROGRESS 23
157#define I_REGET 26
148 158
149struct CMD { 159struct CMD {
150 const char *c; 160 const char *c;
@@ -184,6 +194,7 @@ static const struct CMD cmds[] = {
184 { "put", I_PUT, LOCAL }, 194 { "put", I_PUT, LOCAL },
185 { "pwd", I_PWD, REMOTE }, 195 { "pwd", I_PWD, REMOTE },
186 { "quit", I_QUIT, NOARGS }, 196 { "quit", I_QUIT, NOARGS },
197 { "reget", I_REGET, REMOTE },
187 { "rename", I_RENAME, REMOTE }, 198 { "rename", I_RENAME, REMOTE },
188 { "rm", I_RM, REMOTE }, 199 { "rm", I_RM, REMOTE },
189 { "rmdir", I_RMDIR, REMOTE }, 200 { "rmdir", I_RMDIR, REMOTE },
@@ -215,7 +226,7 @@ cmd_interrupt(int signo)
215 const char msg[] = "\rInterrupt \n"; 226 const char msg[] = "\rInterrupt \n";
216 int olderrno = errno; 227 int olderrno = errno;
217 228
218 write(STDERR_FILENO, msg, sizeof(msg) - 1); 229 (void)write(STDERR_FILENO, msg, sizeof(msg) - 1);
219 interrupted = 1; 230 interrupted = 1;
220 errno = olderrno; 231 errno = olderrno;
221} 232}
@@ -233,6 +244,7 @@ help(void)
233 " filesystem containing 'path'\n" 244 " filesystem containing 'path'\n"
234 "exit Quit sftp\n" 245 "exit Quit sftp\n"
235 "get [-Ppr] remote [local] Download file\n" 246 "get [-Ppr] remote [local] Download file\n"
247 "reget remote [local] Resume download file\n"
236 "help Display this help text\n" 248 "help Display this help text\n"
237 "lcd path Change local directory to 'path'\n" 249 "lcd path Change local directory to 'path'\n"
238 "lls [ls-options [path]] Display local directory listing\n" 250 "lls [ls-options [path]] Display local directory listing\n"
@@ -306,7 +318,7 @@ local_do_ls(const char *args)
306 /* XXX: quoting - rip quoting code from ftp? */ 318 /* XXX: quoting - rip quoting code from ftp? */
307 snprintf(buf, len, _PATH_LS " %s", args); 319 snprintf(buf, len, _PATH_LS " %s", args);
308 local_do_shell(buf); 320 local_do_shell(buf);
309 xfree(buf); 321 free(buf);
310 } 322 }
311} 323}
312 324
@@ -337,15 +349,15 @@ make_absolute(char *p, char *pwd)
337 /* Derelativise */ 349 /* Derelativise */
338 if (p && p[0] != '/') { 350 if (p && p[0] != '/') {
339 abs_str = path_append(pwd, p); 351 abs_str = path_append(pwd, p);
340 xfree(p); 352 free(p);
341 return(abs_str); 353 return(abs_str);
342 } else 354 } else
343 return(p); 355 return(p);
344} 356}
345 357
346static int 358static int
347parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, 359parse_getput_flags(const char *cmd, char **argv, int argc,
348 int *rflag) 360 int *aflag, int *pflag, int *rflag)
349{ 361{
350 extern int opterr, optind, optopt, optreset; 362 extern int opterr, optind, optopt, optreset;
351 int ch; 363 int ch;
@@ -353,9 +365,12 @@ parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag,
353 optind = optreset = 1; 365 optind = optreset = 1;
354 opterr = 0; 366 opterr = 0;
355 367
356 *rflag = *pflag = 0; 368 *aflag = *rflag = *pflag = 0;
357 while ((ch = getopt(argc, argv, "PpRr")) != -1) { 369 while ((ch = getopt(argc, argv, "aPpRr")) != -1) {
358 switch (ch) { 370 switch (ch) {
371 case 'a':
372 *aflag = 1;
373 break;
359 case 'p': 374 case 'p':
360 case 'P': 375 case 'P':
361 *pflag = 1; 376 *pflag = 1;
@@ -513,7 +528,7 @@ pathname_is_dir(char *pathname)
513 528
514static int 529static int
515process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, 530process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
516 int pflag, int rflag) 531 int pflag, int rflag, int resume)
517{ 532{
518 char *abs_src = NULL; 533 char *abs_src = NULL;
519 char *abs_dst = NULL; 534 char *abs_dst = NULL;
@@ -547,7 +562,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
547 tmp = xstrdup(g.gl_pathv[i]); 562 tmp = xstrdup(g.gl_pathv[i]);
548 if ((filename = basename(tmp)) == NULL) { 563 if ((filename = basename(tmp)) == NULL) {
549 error("basename %s: %s", tmp, strerror(errno)); 564 error("basename %s: %s", tmp, strerror(errno));
550 xfree(tmp); 565 free(tmp);
551 err = -1; 566 err = -1;
552 goto out; 567 goto out;
553 } 568 }
@@ -563,24 +578,28 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
563 } else { 578 } else {
564 abs_dst = xstrdup(filename); 579 abs_dst = xstrdup(filename);
565 } 580 }
566 xfree(tmp); 581 free(tmp);
567 582
568 printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); 583 resume |= global_aflag;
584 if (!quiet && resume)
585 printf("Resuming %s to %s\n", g.gl_pathv[i], abs_dst);
586 else if (!quiet && !resume)
587 printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
569 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { 588 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
570 if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, 589 if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL,
571 pflag || global_pflag, 1) == -1) 590 pflag || global_pflag, 1, resume) == -1)
572 err = -1; 591 err = -1;
573 } else { 592 } else {
574 if (do_download(conn, g.gl_pathv[i], abs_dst, NULL, 593 if (do_download(conn, g.gl_pathv[i], abs_dst, NULL,
575 pflag || global_pflag) == -1) 594 pflag || global_pflag, resume) == -1)
576 err = -1; 595 err = -1;
577 } 596 }
578 xfree(abs_dst); 597 free(abs_dst);
579 abs_dst = NULL; 598 abs_dst = NULL;
580 } 599 }
581 600
582out: 601out:
583 xfree(abs_src); 602 free(abs_src);
584 globfree(&g); 603 globfree(&g);
585 return(err); 604 return(err);
586} 605}
@@ -632,7 +651,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
632 tmp = xstrdup(g.gl_pathv[i]); 651 tmp = xstrdup(g.gl_pathv[i]);
633 if ((filename = basename(tmp)) == NULL) { 652 if ((filename = basename(tmp)) == NULL) {
634 error("basename %s: %s", tmp, strerror(errno)); 653 error("basename %s: %s", tmp, strerror(errno));
635 xfree(tmp); 654 free(tmp);
636 err = -1; 655 err = -1;
637 goto out; 656 goto out;
638 } 657 }
@@ -648,9 +667,10 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
648 } else { 667 } else {
649 abs_dst = make_absolute(xstrdup(filename), pwd); 668 abs_dst = make_absolute(xstrdup(filename), pwd);
650 } 669 }
651 xfree(tmp); 670 free(tmp);
652 671
653 printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); 672 if (!quiet)
673 printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst);
654 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { 674 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
655 if (upload_dir(conn, g.gl_pathv[i], abs_dst, 675 if (upload_dir(conn, g.gl_pathv[i], abs_dst,
656 pflag || global_pflag, 1) == -1) 676 pflag || global_pflag, 1) == -1)
@@ -663,10 +683,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
663 } 683 }
664 684
665out: 685out:
666 if (abs_dst) 686 free(abs_dst);
667 xfree(abs_dst); 687 free(tmp_dst);
668 if (tmp_dst)
669 xfree(tmp_dst);
670 globfree(&g); 688 globfree(&g);
671 return(err); 689 return(err);
672} 690}
@@ -714,7 +732,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
714 /* Add any subpath that also needs to be counted */ 732 /* Add any subpath that also needs to be counted */
715 tmp = path_strip(path, strip_path); 733 tmp = path_strip(path, strip_path);
716 m += strlen(tmp); 734 m += strlen(tmp);
717 xfree(tmp); 735 free(tmp);
718 736
719 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) 737 if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
720 width = ws.ws_col; 738 width = ws.ws_col;
@@ -740,7 +758,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
740 758
741 tmp = path_append(path, d[n]->filename); 759 tmp = path_append(path, d[n]->filename);
742 fname = path_strip(tmp, strip_path); 760 fname = path_strip(tmp, strip_path);
743 xfree(tmp); 761 free(tmp);
744 762
745 if (lflag & LS_LONG_VIEW) { 763 if (lflag & LS_LONG_VIEW) {
746 if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) { 764 if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) {
@@ -752,7 +770,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
752 lname = ls_file(fname, &sb, 1, 770 lname = ls_file(fname, &sb, 1,
753 (lflag & LS_SI_UNITS)); 771 (lflag & LS_SI_UNITS));
754 printf("%s\n", lname); 772 printf("%s\n", lname);
755 xfree(lname); 773 free(lname);
756 } else 774 } else
757 printf("%s\n", d[n]->longname); 775 printf("%s\n", d[n]->longname);
758 } else { 776 } else {
@@ -764,7 +782,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
764 c++; 782 c++;
765 } 783 }
766 784
767 xfree(fname); 785 free(fname);
768 } 786 }
769 787
770 if (!(lflag & LS_LONG_VIEW) && (c != 1)) 788 if (!(lflag & LS_LONG_VIEW) && (c != 1))
@@ -834,7 +852,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
834 lname = ls_file(fname, g.gl_statv[i], 1, 852 lname = ls_file(fname, g.gl_statv[i], 1,
835 (lflag & LS_SI_UNITS)); 853 (lflag & LS_SI_UNITS));
836 printf("%s\n", lname); 854 printf("%s\n", lname);
837 xfree(lname); 855 free(lname);
838 } else { 856 } else {
839 printf("%-*s", colspace, fname); 857 printf("%-*s", colspace, fname);
840 if (c >= columns) { 858 if (c >= columns) {
@@ -843,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
843 } else 861 } else
844 c++; 862 c++;
845 } 863 }
846 xfree(fname); 864 free(fname);
847 } 865 }
848 866
849 if (!(lflag & LS_LONG_VIEW) && (c != 1)) 867 if (!(lflag & LS_LONG_VIEW) && (c != 1))
@@ -1112,8 +1130,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
1112} 1130}
1113 1131
1114static int 1132static int
1115parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, 1133parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag,
1116 int *hflag, int *sflag, unsigned long *n_arg, char **path1, char **path2) 1134 int *pflag, int *rflag, int *sflag, unsigned long *n_arg,
1135 char **path1, char **path2)
1117{ 1136{
1118 const char *cmd, *cp = *cpp; 1137 const char *cmd, *cp = *cpp;
1119 char *cp2, **argv; 1138 char *cp2, **argv;
@@ -1157,14 +1176,15 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag,
1157 } 1176 }
1158 1177
1159 /* Get arguments and parse flags */ 1178 /* Get arguments and parse flags */
1160 *lflag = *pflag = *rflag = *hflag = *n_arg = 0; 1179 *aflag = *lflag = *pflag = *rflag = *hflag = *n_arg = 0;
1161 *path1 = *path2 = NULL; 1180 *path1 = *path2 = NULL;
1162 optidx = 1; 1181 optidx = 1;
1163 switch (cmdnum) { 1182 switch (cmdnum) {
1164 case I_GET: 1183 case I_GET:
1184 case I_REGET:
1165 case I_PUT: 1185 case I_PUT:
1166 if ((optidx = parse_getput_flags(cmd, argv, argc, 1186 if ((optidx = parse_getput_flags(cmd, argv, argc,
1167 pflag, rflag)) == -1) 1187 aflag, pflag, rflag)) == -1)
1168 return -1; 1188 return -1;
1169 /* Get first pathname (mandatory) */ 1189 /* Get first pathname (mandatory) */
1170 if (argc - optidx < 1) { 1190 if (argc - optidx < 1) {
@@ -1179,6 +1199,11 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag,
1179 /* Destination is not globbed */ 1199 /* Destination is not globbed */
1180 undo_glob_escape(*path2); 1200 undo_glob_escape(*path2);
1181 } 1201 }
1202 if (*aflag && cmdnum == I_PUT) {
1203 /* XXX implement resume for uploads */
1204 error("Resume is not supported for uploads");
1205 return -1;
1206 }
1182 break; 1207 break;
1183 case I_LINK: 1208 case I_LINK:
1184 if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) 1209 if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1)
@@ -1287,7 +1312,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1287 int err_abort) 1312 int err_abort)
1288{ 1313{
1289 char *path1, *path2, *tmp; 1314 char *path1, *path2, *tmp;
1290 int pflag = 0, rflag = 0, lflag = 0, iflag = 0, hflag = 0, sflag = 0; 1315 int aflag = 0, hflag = 0, iflag = 0, lflag = 0, pflag = 0;
1316 int rflag = 0, sflag = 0;
1291 int cmdnum, i; 1317 int cmdnum, i;
1292 unsigned long n_arg = 0; 1318 unsigned long n_arg = 0;
1293 Attrib a, *aa; 1319 Attrib a, *aa;
@@ -1296,9 +1322,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1296 glob_t g; 1322 glob_t g;
1297 1323
1298 path1 = path2 = NULL; 1324 path1 = path2 = NULL;
1299 cmdnum = parse_args(&cmd, &pflag, &rflag, &lflag, &iflag, &hflag, 1325 cmdnum = parse_args(&cmd, &aflag, &hflag, &iflag, &lflag, &pflag,
1300 &sflag, &n_arg, &path1, &path2); 1326 &rflag, &sflag, &n_arg, &path1, &path2);
1301
1302 if (iflag != 0) 1327 if (iflag != 0)
1303 err_abort = 0; 1328 err_abort = 0;
1304 1329
@@ -1313,8 +1338,12 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1313 /* Unrecognized command */ 1338 /* Unrecognized command */
1314 err = -1; 1339 err = -1;
1315 break; 1340 break;
1341 case I_REGET:
1342 aflag = 1;
1343 /* FALLTHROUGH */
1316 case I_GET: 1344 case I_GET:
1317 err = process_get(conn, path1, path2, *pwd, pflag, rflag); 1345 err = process_get(conn, path1, path2, *pwd, pflag,
1346 rflag, aflag);
1318 break; 1347 break;
1319 case I_PUT: 1348 case I_PUT:
1320 err = process_put(conn, path1, path2, *pwd, pflag, rflag); 1349 err = process_put(conn, path1, path2, *pwd, pflag, rflag);
@@ -1335,7 +1364,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1335 path1 = make_absolute(path1, *pwd); 1364 path1 = make_absolute(path1, *pwd);
1336 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); 1365 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
1337 for (i = 0; g.gl_pathv[i] && !interrupted; i++) { 1366 for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
1338 printf("Removing %s\n", g.gl_pathv[i]); 1367 if (!quiet)
1368 printf("Removing %s\n", g.gl_pathv[i]);
1339 err = do_rm(conn, g.gl_pathv[i]); 1369 err = do_rm(conn, g.gl_pathv[i]);
1340 if (err != 0 && err_abort) 1370 if (err != 0 && err_abort)
1341 break; 1371 break;
@@ -1359,24 +1389,24 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1359 break; 1389 break;
1360 } 1390 }
1361 if ((aa = do_stat(conn, tmp, 0)) == NULL) { 1391 if ((aa = do_stat(conn, tmp, 0)) == NULL) {
1362 xfree(tmp); 1392 free(tmp);
1363 err = 1; 1393 err = 1;
1364 break; 1394 break;
1365 } 1395 }
1366 if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { 1396 if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) {
1367 error("Can't change directory: Can't check target"); 1397 error("Can't change directory: Can't check target");
1368 xfree(tmp); 1398 free(tmp);
1369 err = 1; 1399 err = 1;
1370 break; 1400 break;
1371 } 1401 }
1372 if (!S_ISDIR(aa->perm)) { 1402 if (!S_ISDIR(aa->perm)) {
1373 error("Can't change directory: \"%s\" is not " 1403 error("Can't change directory: \"%s\" is not "
1374 "a directory", tmp); 1404 "a directory", tmp);
1375 xfree(tmp); 1405 free(tmp);
1376 err = 1; 1406 err = 1;
1377 break; 1407 break;
1378 } 1408 }
1379 xfree(*pwd); 1409 free(*pwd);
1380 *pwd = tmp; 1410 *pwd = tmp;
1381 break; 1411 break;
1382 case I_LS: 1412 case I_LS:
@@ -1431,7 +1461,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1431 a.perm = n_arg; 1461 a.perm = n_arg;
1432 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); 1462 remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
1433 for (i = 0; g.gl_pathv[i] && !interrupted; i++) { 1463 for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
1434 printf("Changing mode on %s\n", g.gl_pathv[i]); 1464 if (!quiet)
1465 printf("Changing mode on %s\n", g.gl_pathv[i]);
1435 err = do_setstat(conn, g.gl_pathv[i], &a); 1466 err = do_setstat(conn, g.gl_pathv[i], &a);
1436 if (err != 0 && err_abort) 1467 if (err != 0 && err_abort)
1437 break; 1468 break;
@@ -1460,10 +1491,14 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1460 } 1491 }
1461 aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; 1492 aa->flags &= SSH2_FILEXFER_ATTR_UIDGID;
1462 if (cmdnum == I_CHOWN) { 1493 if (cmdnum == I_CHOWN) {
1463 printf("Changing owner on %s\n", g.gl_pathv[i]); 1494 if (!quiet)
1495 printf("Changing owner on %s\n",
1496 g.gl_pathv[i]);
1464 aa->uid = n_arg; 1497 aa->uid = n_arg;
1465 } else { 1498 } else {
1466 printf("Changing group on %s\n", g.gl_pathv[i]); 1499 if (!quiet)
1500 printf("Changing group on %s\n",
1501 g.gl_pathv[i]);
1467 aa->gid = n_arg; 1502 aa->gid = n_arg;
1468 } 1503 }
1469 err = do_setstat(conn, g.gl_pathv[i], aa); 1504 err = do_setstat(conn, g.gl_pathv[i], aa);
@@ -1504,10 +1539,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
1504 1539
1505 if (g.gl_pathc) 1540 if (g.gl_pathc)
1506 globfree(&g); 1541 globfree(&g);
1507 if (path1) 1542 free(path1);
1508 xfree(path1); 1543 free(path2);
1509 if (path2)
1510 xfree(path2);
1511 1544
1512 /* If an unignored error occurs in batch mode we should abort. */ 1545 /* If an unignored error occurs in batch mode we should abort. */
1513 if (err_abort && err != 0) 1546 if (err_abort && err != 0)
@@ -1617,8 +1650,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1617 complete_display(list, 0); 1650 complete_display(list, 0);
1618 1651
1619 for (y = 0; list[y] != NULL; y++) 1652 for (y = 0; list[y] != NULL; y++)
1620 xfree(list[y]); 1653 free(list[y]);
1621 xfree(list); 1654 free(list);
1622 return count; 1655 return count;
1623 } 1656 }
1624 1657
@@ -1631,7 +1664,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1631 list[count] = NULL; 1664 list[count] = NULL;
1632 1665
1633 if (count == 0) { 1666 if (count == 0) {
1634 xfree(list); 1667 free(list);
1635 return 0; 1668 return 0;
1636 } 1669 }
1637 1670
@@ -1641,8 +1674,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1641 complete_display(list, 0); 1674 complete_display(list, 0);
1642 1675
1643 for (y = 0; list[y]; y++) 1676 for (y = 0; list[y]; y++)
1644 xfree(list[y]); 1677 free(list[y]);
1645 xfree(list); 1678 free(list);
1646 1679
1647 if (tmp != NULL) { 1680 if (tmp != NULL) {
1648 tmplen = strlen(tmp); 1681 tmplen = strlen(tmp);
@@ -1663,7 +1696,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
1663 if (y > 0 && el_insertstr(el, argterm) == -1) 1696 if (y > 0 && el_insertstr(el, argterm) == -1)
1664 fatal("el_insertstr failed."); 1697 fatal("el_insertstr failed.");
1665 } 1698 }
1666 xfree(tmp); 1699 free(tmp);
1667 } 1700 }
1668 1701
1669 return count; 1702 return count;
@@ -1694,8 +1727,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1694 char *file, int remote, int lastarg, char quote, int terminated) 1727 char *file, int remote, int lastarg, char quote, int terminated)
1695{ 1728{
1696 glob_t g; 1729 glob_t g;
1697 char *tmp, *tmp2, ins[3]; 1730 char *tmp, *tmp2, ins[8];
1698 u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; 1731 u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
1732 int clen;
1699 const LineInfo *lf; 1733 const LineInfo *lf;
1700 1734
1701 /* Glob from "file" location */ 1735 /* Glob from "file" location */
@@ -1727,7 +1761,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1727 if (tmp[tmplen] == '/') 1761 if (tmp[tmplen] == '/')
1728 pwdlen = tmplen + 1; /* track last seen '/' */ 1762 pwdlen = tmplen + 1; /* track last seen '/' */
1729 } 1763 }
1730 xfree(tmp); 1764 free(tmp);
1731 1765
1732 if (g.gl_matchc == 0) 1766 if (g.gl_matchc == 0)
1733 goto out; 1767 goto out;
@@ -1742,7 +1776,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1742 1776
1743 tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); 1777 tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc);
1744 tmp = path_strip(tmp2, isabs ? NULL : remote_path); 1778 tmp = path_strip(tmp2, isabs ? NULL : remote_path);
1745 xfree(tmp2); 1779 free(tmp2);
1746 1780
1747 if (tmp == NULL) 1781 if (tmp == NULL)
1748 goto out; 1782 goto out;
@@ -1764,10 +1798,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1764 tmp2 = tmp + filelen - cesc; 1798 tmp2 = tmp + filelen - cesc;
1765 len = strlen(tmp2); 1799 len = strlen(tmp2);
1766 /* quote argument on way out */ 1800 /* quote argument on way out */
1767 for (i = 0; i < len; i++) { 1801 for (i = 0; i < len; i += clen) {
1802 if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
1803 (size_t)clen > sizeof(ins) - 2)
1804 fatal("invalid multibyte character");
1768 ins[0] = '\\'; 1805 ins[0] = '\\';
1769 ins[1] = tmp2[i]; 1806 memcpy(ins + 1, tmp2 + i, clen);
1770 ins[2] = '\0'; 1807 ins[clen + 1] = '\0';
1771 switch (tmp2[i]) { 1808 switch (tmp2[i]) {
1772 case '\'': 1809 case '\'':
1773 case '"': 1810 case '"':
@@ -1804,7 +1841,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
1804 if (i > 0 && el_insertstr(el, ins) == -1) 1841 if (i > 0 && el_insertstr(el, ins) == -1)
1805 fatal("el_insertstr failed."); 1842 fatal("el_insertstr failed.");
1806 } 1843 }
1807 xfree(tmp); 1844 free(tmp);
1808 1845
1809 out: 1846 out:
1810 globfree(&g); 1847 globfree(&g);
@@ -1816,7 +1853,8 @@ static unsigned char
1816complete(EditLine *el, int ch) 1853complete(EditLine *el, int ch)
1817{ 1854{
1818 char **argv, *line, quote; 1855 char **argv, *line, quote;
1819 u_int argc, carg, cursor, len, terminated, ret = CC_ERROR; 1856 int argc, carg;
1857 u_int cursor, len, terminated, ret = CC_ERROR;
1820 const LineInfo *lf; 1858 const LineInfo *lf;
1821 struct complete_ctx *complete_ctx; 1859 struct complete_ctx *complete_ctx;
1822 1860
@@ -1830,7 +1868,7 @@ complete(EditLine *el, int ch)
1830 memcpy(line, lf->buffer, cursor); 1868 memcpy(line, lf->buffer, cursor);
1831 line[cursor] = '\0'; 1869 line[cursor] = '\0';
1832 argv = makeargv(line, &carg, 1, &quote, &terminated); 1870 argv = makeargv(line, &carg, 1, &quote, &terminated);
1833 xfree(line); 1871 free(line);
1834 1872
1835 /* Get all the arguments on the line */ 1873 /* Get all the arguments on the line */
1836 len = lf->lastchar - lf->buffer; 1874 len = lf->lastchar - lf->buffer;
@@ -1842,7 +1880,7 @@ complete(EditLine *el, int ch)
1842 /* Ensure cursor is at EOL or a argument boundary */ 1880 /* Ensure cursor is at EOL or a argument boundary */
1843 if (line[cursor] != ' ' && line[cursor] != '\0' && 1881 if (line[cursor] != ' ' && line[cursor] != '\0' &&
1844 line[cursor] != '\n') { 1882 line[cursor] != '\n') {
1845 xfree(line); 1883 free(line);
1846 return ret; 1884 return ret;
1847 } 1885 }
1848 1886
@@ -1870,7 +1908,7 @@ complete(EditLine *el, int ch)
1870 ret = CC_REDISPLAY; 1908 ret = CC_REDISPLAY;
1871 } 1909 }
1872 1910
1873 xfree(line); 1911 free(line);
1874 return ret; 1912 return ret;
1875} 1913}
1876#endif /* USE_LIBEDIT */ 1914#endif /* USE_LIBEDIT */
@@ -1922,31 +1960,30 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
1922 dir = make_absolute(dir, remote_path); 1960 dir = make_absolute(dir, remote_path);
1923 1961
1924 if (remote_is_dir(conn, dir) && file2 == NULL) { 1962 if (remote_is_dir(conn, dir) && file2 == NULL) {
1925 printf("Changing to: %s\n", dir); 1963 if (!quiet)
1964 printf("Changing to: %s\n", dir);
1926 snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); 1965 snprintf(cmd, sizeof cmd, "cd \"%s\"", dir);
1927 if (parse_dispatch_command(conn, cmd, 1966 if (parse_dispatch_command(conn, cmd,
1928 &remote_path, 1) != 0) { 1967 &remote_path, 1) != 0) {
1929 xfree(dir); 1968 free(dir);
1930 xfree(remote_path); 1969 free(remote_path);
1931 xfree(conn); 1970 free(conn);
1932 return (-1); 1971 return (-1);
1933 } 1972 }
1934 } else { 1973 } else {
1935 /* XXX this is wrong wrt quoting */ 1974 /* XXX this is wrong wrt quoting */
1936 if (file2 == NULL) 1975 snprintf(cmd, sizeof cmd, "get%s %s%s%s",
1937 snprintf(cmd, sizeof cmd, "get %s", dir); 1976 global_aflag ? " -a" : "", dir,
1938 else 1977 file2 == NULL ? "" : " ",
1939 snprintf(cmd, sizeof cmd, "get %s %s", dir, 1978 file2 == NULL ? "" : file2);
1940 file2);
1941
1942 err = parse_dispatch_command(conn, cmd, 1979 err = parse_dispatch_command(conn, cmd,
1943 &remote_path, 1); 1980 &remote_path, 1);
1944 xfree(dir); 1981 free(dir);
1945 xfree(remote_path); 1982 free(remote_path);
1946 xfree(conn); 1983 free(conn);
1947 return (err); 1984 return (err);
1948 } 1985 }
1949 xfree(dir); 1986 free(dir);
1950 } 1987 }
1951 1988
1952 setlinebuf(stdout); 1989 setlinebuf(stdout);
@@ -2004,8 +2041,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
2004 if (err != 0) 2041 if (err != 0)
2005 break; 2042 break;
2006 } 2043 }
2007 xfree(remote_path); 2044 free(remote_path);
2008 xfree(conn); 2045 free(conn);
2009 2046
2010#ifdef USE_LIBEDIT 2047#ifdef USE_LIBEDIT
2011 if (el != NULL) 2048 if (el != NULL)
@@ -2112,6 +2149,7 @@ main(int argc, char **argv)
2112 2149
2113 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ 2150 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
2114 sanitise_stdfd(); 2151 sanitise_stdfd();
2152 setlocale(LC_CTYPE, "");
2115 2153
2116 __progname = ssh_get_progname(argv[0]); 2154 __progname = ssh_get_progname(argv[0]);
2117 memset(&args, '\0', sizeof(args)); 2155 memset(&args, '\0', sizeof(args));
@@ -2126,7 +2164,7 @@ main(int argc, char **argv)
2126 infile = stdin; 2164 infile = stdin;
2127 2165
2128 while ((ch = getopt(argc, argv, 2166 while ((ch = getopt(argc, argv,
2129 "1246hpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { 2167 "1246ahpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
2130 switch (ch) { 2168 switch (ch) {
2131 /* Passed through to ssh(1) */ 2169 /* Passed through to ssh(1) */
2132 case '4': 2170 case '4':
@@ -2143,6 +2181,8 @@ main(int argc, char **argv)
2143 addargs(&args, "%s", optarg); 2181 addargs(&args, "%s", optarg);
2144 break; 2182 break;
2145 case 'q': 2183 case 'q':
2184 ll = SYSLOG_LEVEL_ERROR;
2185 quiet = 1;
2146 showprogress = 0; 2186 showprogress = 0;
2147 addargs(&args, "-%c", ch); 2187 addargs(&args, "-%c", ch);
2148 break; 2188 break;
@@ -2164,6 +2204,9 @@ main(int argc, char **argv)
2164 case '2': 2204 case '2':
2165 sshver = 2; 2205 sshver = 2;
2166 break; 2206 break;
2207 case 'a':
2208 global_aflag = 1;
2209 break;
2167 case 'B': 2210 case 'B':
2168 copy_buffer_len = strtol(optarg, &cp, 10); 2211 copy_buffer_len = strtol(optarg, &cp, 10);
2169 if (copy_buffer_len == 0 || *cp != '\0') 2212 if (copy_buffer_len == 0 || *cp != '\0')
@@ -2178,7 +2221,7 @@ main(int argc, char **argv)
2178 (infile = fopen(optarg, "r")) == NULL) 2221 (infile = fopen(optarg, "r")) == NULL)
2179 fatal("%s (%s).", strerror(errno), optarg); 2222 fatal("%s (%s).", strerror(errno), optarg);
2180 showprogress = 0; 2223 showprogress = 0;
2181 batchmode = 1; 2224 quiet = batchmode = 1;
2182 addargs(&args, "-obatchmode yes"); 2225 addargs(&args, "-obatchmode yes");
2183 break; 2226 break;
2184 case 'p': 2227 case 'p':
@@ -2275,7 +2318,7 @@ main(int argc, char **argv)
2275 if (conn == NULL) 2318 if (conn == NULL)
2276 fatal("Couldn't initialise connection to server"); 2319 fatal("Couldn't initialise connection to server");
2277 2320
2278 if (!batchmode) { 2321 if (!quiet) {
2279 if (sftp_direct == NULL) 2322 if (sftp_direct == NULL)
2280 fprintf(stderr, "Connected to %s.\n", host); 2323 fprintf(stderr, "Connected to %s.\n", host);
2281 else 2324 else
diff --git a/ssh-add.0 b/ssh-add.0
index ed43dc8cc..bcd1e7322 100644
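--- a/ssh-add.0
+++ b/ssh-add.0
@@ -116,4 +116,4 @@ AUTHORS
  created OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 5.3 December 3, 2012 OpenBSD 5.3
+OpenBSD 5.4 December 3, 2012 OpenBSD 5.4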
diff --git a/ssh-add.c b/ssh-add.c
index 008084704..5e8166f66 100644
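--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.106 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -90,7 +90,7 @@ clear_pass(void)
 {
  if (pass) {
  memset(pass, 0, strlen(pass));
- xfree(pass);
+ free(pass);
  pass = NULL;
  }
 }
@@ -215,7 +215,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
  pass = read_passphrase(msg, RP_ALLOW_STDIN);
  if (strcmp(pass, "") == 0) {
  clear_pass();
- xfree(comment);
+ free(comment);
  buffer_free(&keyblob);
  return -1;
  }
@@ -282,8 +282,8 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
  fprintf(stderr, "The user must confirm each use of the key\n");
  out:
  if (certpath != NULL)
- xfree(certpath);
- xfree(comment);
+ free(certpath);
+ free(comment);
  key_free(private);
 
  return ret;
@@ -308,7 +308,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id)
  add ? "add" : "remove", id);
  ret = -1;
  }
- xfree(pin);
+ free(pin);
  return ret;
 }
 
@@ -330,14 +330,14 @@ list_identities(AuthenticationConnection *ac, int do_fp)
  SSH_FP_HEX);
  printf("%d %s %s (%s)\n",
  key_size(key), fp, comment, key_type(key));
- xfree(fp);
+ free(fp);
  } else {
  if (!key_write(key, stdout))
  fprintf(stderr, "key_write failed");
  fprintf(stdout, " %s\n", comment);
  }
  key_free(key);
- xfree(comment);
+ free(comment);
  }
  }
  if (!had_identities) {
@@ -363,7 +363,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
  passok = 0;
  }
  memset(p2, 0, strlen(p2));
- xfree(p2);
+ free(p2);
  }
  if (passok && ssh_lock_agent(ac, lock, p1)) {
  fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un");
@@ -371,7 +371,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
  } else
  fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un");
  memset(p1, 0, strlen(p1));
- xfree(p1);
+ free(p1);
  return (ret);
 }
 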
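Review bot: In clear_pass() the passphrase wipe `memset(pass, 0, strlen(pass));` is now followed directly by `free(pass)`, and a compiler that recognises free() may drop that memset as a dead store; the call through the xfree() wrapper presumably made this less likely. The same memset-then-free pattern is in lock_agent() for `p1` and `p2`, and update_card() frees `pin` with no wipe visible in its hunk (the function starts outside it, so this needs confirming). I would switch these to a wipe that cannot be elided where the platform provides one, e.g. `explicit_bzero(pass, strlen(pass));`, and add the same call before `free(pin)`. As a style point, the `if (certpath != NULL)` guard in add_file() is redundant now that the call is plain free(), since free(NULL) is a no-op.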
diff --git a/ssh-agent.0 b/ssh-agent.0
index 578984815..e5f0f7342 100644
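--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -120,4 +120,4 @@ AUTHORS
  created OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 5.3 November 21, 2010 OpenBSD 5.3
+OpenBSD 5.4 November 21, 2010 OpenBSD 5.4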
diff --git a/ssh-agent.c b/ssh-agent.c
index b9498e6ef..c3b11729c 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-agent.c,v 1.172 2011/06/03 01:37:40 dtucker Exp $ */ 1/* $OpenBSD: ssh-agent.c,v 1.177 2013/07/20 01:50:20 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -106,7 +106,7 @@ typedef struct identity {
106 Key *key; 106 Key *key;
107 char *comment; 107 char *comment;
108 char *provider; 108 char *provider;
109 u_int death; 109 time_t death;
110 u_int confirm; 110 u_int confirm;
111} Identity; 111} Identity;
112 112
@@ -122,7 +122,7 @@ int max_fd = 0;
122 122
123/* pid of shell == parent of agent */ 123/* pid of shell == parent of agent */
124pid_t parent_pid = -1; 124pid_t parent_pid = -1;
125u_int parent_alive_interval = 0; 125time_t parent_alive_interval = 0;
126 126
127/* pathname and directory for AUTH_SOCKET */ 127/* pathname and directory for AUTH_SOCKET */
128char socket_name[MAXPATHLEN]; 128char socket_name[MAXPATHLEN];
@@ -134,8 +134,8 @@ char *lock_passwd = NULL;
134 134
135extern char *__progname; 135extern char *__progname;
136 136
137/* Default lifetime (0 == forever) */ 137/* Default lifetime in seconds (0 == forever) */
138static int lifetime = 0; 138static long lifetime = 0;
139 139
140static void 140static void
141close_socket(SocketEntry *e) 141close_socket(SocketEntry *e)
@@ -172,10 +172,9 @@ static void
172free_identity(Identity *id) 172free_identity(Identity *id)
173{ 173{
174 key_free(id->key); 174 key_free(id->key);
175 if (id->provider != NULL) 175 free(id->provider);
176 xfree(id->provider); 176 free(id->comment);
177 xfree(id->comment); 177 free(id);
178 xfree(id);
179} 178}
180 179
181/* return matching private key for given public key */ 180/* return matching private key for given public key */
@@ -203,7 +202,7 @@ confirm_key(Identity *id)
203 if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", 202 if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
204 id->comment, p)) 203 id->comment, p))
205 ret = 0; 204 ret = 0;
206 xfree(p); 205 free(p);
207 206
208 return (ret); 207 return (ret);
209} 208}
@@ -230,7 +229,7 @@ process_request_identities(SocketEntry *e, int version)
230 u_int blen; 229 u_int blen;
231 key_to_blob(id->key, &blob, &blen); 230 key_to_blob(id->key, &blob, &blen);
232 buffer_put_string(&msg, blob, blen); 231 buffer_put_string(&msg, blob, blen);
233 xfree(blob); 232 free(blob);
234 } 233 }
235 buffer_put_cstring(&msg, id->comment); 234 buffer_put_cstring(&msg, id->comment);
236 } 235 }
@@ -348,10 +347,9 @@ process_sign_request2(SocketEntry *e)
348 buffer_append(&e->output, buffer_ptr(&msg), 347 buffer_append(&e->output, buffer_ptr(&msg),
349 buffer_len(&msg)); 348 buffer_len(&msg));
350 buffer_free(&msg); 349 buffer_free(&msg);
351 xfree(data); 350 free(data);
352 xfree(blob); 351 free(blob);
353 if (signature != NULL) 352 free(signature);
354 xfree(signature);
355 datafellows = odatafellows; 353 datafellows = odatafellows;
356} 354}
357 355
@@ -378,7 +376,7 @@ process_remove_identity(SocketEntry *e, int version)
378 case 2: 376 case 2:
379 blob = buffer_get_string(&e->request, &blen); 377 blob = buffer_get_string(&e->request, &blen);
380 key = key_from_blob(blob, blen); 378 key = key_from_blob(blob, blen);
381 xfree(blob); 379 free(blob);
382 break; 380 break;
383 } 381 }
384 if (key != NULL) { 382 if (key != NULL) {
@@ -430,10 +428,10 @@ process_remove_all_identities(SocketEntry *e, int version)
430} 428}
431 429
432/* removes expired keys and returns number of seconds until the next expiry */ 430/* removes expired keys and returns number of seconds until the next expiry */
433static u_int 431static time_t
434reaper(void) 432reaper(void)
435{ 433{
436 u_int deadline = 0, now = time(NULL); 434 time_t deadline = 0, now = monotime();
437 Identity *id, *nxt; 435 Identity *id, *nxt;
438 int version; 436 int version;
439 Idtab *tab; 437 Idtab *tab;
@@ -465,8 +463,9 @@ process_add_identity(SocketEntry *e, int version)
465{ 463{
466 Idtab *tab = idtab_lookup(version); 464 Idtab *tab = idtab_lookup(version);
467 Identity *id; 465 Identity *id;
468 int type, success = 0, death = 0, confirm = 0; 466 int type, success = 0, confirm = 0;
469 char *type_name, *comment; 467 char *type_name, *comment;
468 time_t death = 0;
470 Key *k = NULL; 469 Key *k = NULL;
471#ifdef OPENSSL_HAS_ECC 470#ifdef OPENSSL_HAS_ECC
472 BIGNUM *exponent; 471 BIGNUM *exponent;
@@ -509,7 +508,7 @@ process_add_identity(SocketEntry *e, int version)
509 cert = buffer_get_string(&e->request, &len); 508 cert = buffer_get_string(&e->request, &len);
510 if ((k = key_from_blob(cert, len)) == NULL) 509 if ((k = key_from_blob(cert, len)) == NULL)
511 fatal("Certificate parse failed"); 510 fatal("Certificate parse failed");
512 xfree(cert); 511 free(cert);
513 key_add_private(k); 512 key_add_private(k);
514 buffer_get_bignum2(&e->request, k->dsa->priv_key); 513 buffer_get_bignum2(&e->request, k->dsa->priv_key);
515 break; 514 break;
@@ -520,7 +519,7 @@ process_add_identity(SocketEntry *e, int version)
520 curve = buffer_get_string(&e->request, NULL); 519 curve = buffer_get_string(&e->request, NULL);
521 if (k->ecdsa_nid != key_curve_name_to_nid(curve)) 520 if (k->ecdsa_nid != key_curve_name_to_nid(curve))
522 fatal("%s: curve names mismatch", __func__); 521 fatal("%s: curve names mismatch", __func__);
523 xfree(curve); 522 free(curve);
524 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 523 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
525 if (k->ecdsa == NULL) 524 if (k->ecdsa == NULL)
526 fatal("%s: EC_KEY_new_by_curve_name failed", 525 fatal("%s: EC_KEY_new_by_curve_name failed",
@@ -551,7 +550,7 @@ process_add_identity(SocketEntry *e, int version)
551 cert = buffer_get_string(&e->request, &len); 550 cert = buffer_get_string(&e->request, &len);
552 if ((k = key_from_blob(cert, len)) == NULL) 551 if ((k = key_from_blob(cert, len)) == NULL)
553 fatal("Certificate parse failed"); 552 fatal("Certificate parse failed");
554 xfree(cert); 553 free(cert);
555 key_add_private(k); 554 key_add_private(k);
556 if ((exponent = BN_new()) == NULL) 555 if ((exponent = BN_new()) == NULL)
557 fatal("%s: BN_new failed", __func__); 556 fatal("%s: BN_new failed", __func__);
@@ -583,7 +582,7 @@ process_add_identity(SocketEntry *e, int version)
583 cert = buffer_get_string(&e->request, &len); 582 cert = buffer_get_string(&e->request, &len);
584 if ((k = key_from_blob(cert, len)) == NULL) 583 if ((k = key_from_blob(cert, len)) == NULL)
585 fatal("Certificate parse failed"); 584 fatal("Certificate parse failed");
586 xfree(cert); 585 free(cert);
587 key_add_private(k); 586 key_add_private(k);
588 buffer_get_bignum2(&e->request, k->rsa->d); 587 buffer_get_bignum2(&e->request, k->rsa->d);
589 buffer_get_bignum2(&e->request, k->rsa->iqmp); 588 buffer_get_bignum2(&e->request, k->rsa->iqmp);
@@ -591,11 +590,11 @@ process_add_identity(SocketEntry *e, int version)
591 buffer_get_bignum2(&e->request, k->rsa->q); 590 buffer_get_bignum2(&e->request, k->rsa->q);
592 break; 591 break;
593 default: 592 default:
594 xfree(type_name); 593 free(type_name);
595 buffer_clear(&e->request); 594 buffer_clear(&e->request);
596 goto send; 595 goto send;
597 } 596 }
598 xfree(type_name); 597 free(type_name);
599 break; 598 break;
600 } 599 }
601 /* enable blinding */ 600 /* enable blinding */
@@ -613,13 +612,13 @@ process_add_identity(SocketEntry *e, int version)
613 } 612 }
614 comment = buffer_get_string(&e->request, NULL); 613 comment = buffer_get_string(&e->request, NULL);
615 if (k == NULL) { 614 if (k == NULL) {
616 xfree(comment); 615 free(comment);
617 goto send; 616 goto send;
618 } 617 }
619 while (buffer_len(&e->request)) { 618 while (buffer_len(&e->request)) {
620 switch ((type = buffer_get_char(&e->request))) { 619 switch ((type = buffer_get_char(&e->request))) {
621 case SSH_AGENT_CONSTRAIN_LIFETIME: 620 case SSH_AGENT_CONSTRAIN_LIFETIME:
622 death = time(NULL) + buffer_get_int(&e->request); 621 death = monotime() + buffer_get_int(&e->request);
623 break; 622 break;
624 case SSH_AGENT_CONSTRAIN_CONFIRM: 623 case SSH_AGENT_CONSTRAIN_CONFIRM:
625 confirm = 1; 624 confirm = 1;
@@ -627,14 +626,14 @@ process_add_identity(SocketEntry *e, int version)
627 default: 626 default:
628 error("process_add_identity: " 627 error("process_add_identity: "
629 "Unknown constraint type %d", type); 628 "Unknown constraint type %d", type);
630 xfree(comment); 629 free(comment);
631 key_free(k); 630 key_free(k);
632 goto send; 631 goto send;
633 } 632 }
634 } 633 }
635 success = 1; 634 success = 1;
636 if (lifetime && !death) 635 if (lifetime && !death)
637 death = time(NULL) + lifetime; 636 death = monotime() + lifetime;
638 if ((id = lookup_identity(k, version)) == NULL) { 637 if ((id = lookup_identity(k, version)) == NULL) {
639 id = xcalloc(1, sizeof(Identity)); 638 id = xcalloc(1, sizeof(Identity));
640 id->key = k; 639 id->key = k;
@@ -643,7 +642,7 @@ process_add_identity(SocketEntry *e, int version)
643 tab->nentries++; 642 tab->nentries++;
644 } else { 643 } else {
645 key_free(k); 644 key_free(k);
646 xfree(id->comment); 645 free(id->comment);
647 } 646 }
648 id->comment = comment; 647 id->comment = comment;
649 id->death = death; 648 id->death = death;
@@ -665,7 +664,7 @@ process_lock_agent(SocketEntry *e, int lock)
665 if (locked && !lock && strcmp(passwd, lock_passwd) == 0) { 664 if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
666 locked = 0; 665 locked = 0;
667 memset(lock_passwd, 0, strlen(lock_passwd)); 666 memset(lock_passwd, 0, strlen(lock_passwd));
668 xfree(lock_passwd); 667 free(lock_passwd);
669 lock_passwd = NULL; 668 lock_passwd = NULL;
670 success = 1; 669 success = 1;
671 } else if (!locked && lock) { 670 } else if (!locked && lock) {
@@ -674,7 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
674 success = 1; 673 success = 1;
675 } 674 }
676 memset(passwd, 0, strlen(passwd)); 675 memset(passwd, 0, strlen(passwd));
677 xfree(passwd); 676 free(passwd);
678 677
679 buffer_put_int(&e->output, 1); 678 buffer_put_int(&e->output, 1);
680 buffer_put_char(&e->output, 679 buffer_put_char(&e->output,
@@ -701,7 +700,8 @@ static void
701process_add_smartcard_key(SocketEntry *e) 700process_add_smartcard_key(SocketEntry *e)
702{ 701{
703 char *provider = NULL, *pin; 702 char *provider = NULL, *pin;
704 int i, type, version, count = 0, success = 0, death = 0, confirm = 0; 703 int i, type, version, count = 0, success = 0, confirm = 0;
704 time_t death = 0;
705 Key **keys = NULL, *k; 705 Key **keys = NULL, *k;
706 Identity *id; 706 Identity *id;
707 Idtab *tab; 707 Idtab *tab;
@@ -712,7 +712,7 @@ process_add_smartcard_key(SocketEntry *e)
712 while (buffer_len(&e->request)) { 712 while (buffer_len(&e->request)) {
713 switch ((type = buffer_get_char(&e->request))) { 713 switch ((type = buffer_get_char(&e->request))) {
714 case SSH_AGENT_CONSTRAIN_LIFETIME: 714 case SSH_AGENT_CONSTRAIN_LIFETIME:
715 death = time(NULL) + buffer_get_int(&e->request); 715 death = monotime() + buffer_get_int(&e->request);
716 break; 716 break;
717 case SSH_AGENT_CONSTRAIN_CONFIRM: 717 case SSH_AGENT_CONSTRAIN_CONFIRM:
718 confirm = 1; 718 confirm = 1;
@@ -724,7 +724,7 @@ process_add_smartcard_key(SocketEntry *e)
724 } 724 }
725 } 725 }
726 if (lifetime && !death) 726 if (lifetime && !death)
727 death = time(NULL) + lifetime; 727 death = monotime() + lifetime;
728 728
729 count = pkcs11_add_provider(provider, pin, &keys); 729 count = pkcs11_add_provider(provider, pin, &keys);
730 for (i = 0; i < count; i++) { 730 for (i = 0; i < count; i++) {
@@ -747,12 +747,9 @@ process_add_smartcard_key(SocketEntry *e)
747 keys[i] = NULL; 747 keys[i] = NULL;
748 } 748 }
749send: 749send:
750 if (pin) 750 free(pin);
751 xfree(pin); 751 free(provider);
752 if (provider) 752 free(keys);
753 xfree(provider);
754 if (keys)
755 xfree(keys);
756 buffer_put_int(&e->output, 1); 753 buffer_put_int(&e->output, 1);
757 buffer_put_char(&e->output, 754 buffer_put_char(&e->output,
758 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); 755 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
@@ -768,7 +765,7 @@ process_remove_smartcard_key(SocketEntry *e)
768 765
769 provider = buffer_get_string(&e->request, NULL); 766 provider = buffer_get_string(&e->request, NULL);
770 pin = buffer_get_string(&e->request, NULL); 767 pin = buffer_get_string(&e->request, NULL);
771 xfree(pin); 768 free(pin);
772 769
773 for (version = 1; version < 3; version++) { 770 for (version = 1; version < 3; version++) {
774 tab = idtab_lookup(version); 771 tab = idtab_lookup(version);
@@ -786,7 +783,7 @@ process_remove_smartcard_key(SocketEntry *e)
786 else 783 else
787 error("process_remove_smartcard_key:" 784 error("process_remove_smartcard_key:"
788 " pkcs11_del_provider failed"); 785 " pkcs11_del_provider failed");
789 xfree(provider); 786 free(provider);
790 buffer_put_int(&e->output, 1); 787 buffer_put_int(&e->output, 1);
791 buffer_put_char(&e->output, 788 buffer_put_char(&e->output,
792 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); 789 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
@@ -931,9 +928,10 @@ static int
931prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, 928prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
932 struct timeval **tvpp) 929 struct timeval **tvpp)
933{ 930{
934 u_int i, sz, deadline; 931 u_int i, sz;
935 int n = 0; 932 int n = 0;
936 static struct timeval tv; 933 static struct timeval tv;
934 time_t deadline;
937 935
938 for (i = 0; i < sockets_alloc; i++) { 936 for (i = 0; i < sockets_alloc; i++) {
939 switch (sockets[i].type) { 937 switch (sockets[i].type) {
@@ -951,10 +949,8 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
951 949
952 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); 950 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
953 if (*fdrp == NULL || sz > *nallocp) { 951 if (*fdrp == NULL || sz > *nallocp) {
954 if (*fdrp) 952 free(*fdrp);
955 xfree(*fdrp); 953 free(*fdwp);
956 if (*fdwp)
957 xfree(*fdwp);
958 *fdrp = xmalloc(sz); 954 *fdrp = xmalloc(sz);
959 *fdwp = xmalloc(sz); 955 *fdwp = xmalloc(sz);
960 *nallocp = sz; 956 *nallocp = sz;
@@ -1348,9 +1344,8 @@ skip:
1348 if (ac > 0) 1344 if (ac > 0)
1349 parent_alive_interval = 10; 1345 parent_alive_interval = 10;
1350 idtab_init(); 1346 idtab_init();
1351 if (!d_flag)
1352 signal(SIGINT, SIG_IGN);
1353 signal(SIGPIPE, SIG_IGN); 1347 signal(SIGPIPE, SIG_IGN);
1348 signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
1354 signal(SIGHUP, cleanup_handler); 1349 signal(SIGHUP, cleanup_handler);
1355 signal(SIGTERM, cleanup_handler); 1350 signal(SIGTERM, cleanup_handler);
1356 nalloc = 0; 1351 nalloc = 0;
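diff --git a/ssh-dss.c b/ssh-dss.c
index ede5e21e5..322ec9fd8 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-dss.c,v 1.27 2010/08/31 09:58:37 djm Exp $ */
+/* $OpenBSD: ssh-dss.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -137,17 +137,17 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
  if (strcmp("ssh-dss", ktype) != 0) {
  error("ssh_dss_verify: cannot handle type %s", ktype);
  buffer_free(&b);
- xfree(ktype);
+ free(ktype);
  return -1;
  }
- xfree(ktype);
+ free(ktype);
  sigblob = buffer_get_string(&b, &len);
  rlen = buffer_len(&b);
  buffer_free(&b);
  if (rlen != 0) {
  error("ssh_dss_verify: "
  "remaining bytes in signature %d", rlen);
- xfree(sigblob);
+ free(sigblob);
  return -1;
  }
  }
@@ -169,7 +169,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
 
  /* clean up */
  memset(sigblob, 0, len);
- xfree(sigblob);
+ free(sigblob);
 
  /* sha1 the data */
  EVP_DigestInit(&md, evp_md);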
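Review bot: In the last hunk of ssh_dss_verify, `memset(sigblob, 0, len);` is now immediately followed by plain `free(sigblob);`, and an optimizing compiler may treat that memset as a dead store and remove it, so the buffer may no longer be cleared before it goes back to the allocator. The previous xfree() wrapper was presumably an ordinary external function, which made that elision less likely. If the tree provides a zeroing helper that cannot be optimized away (for example `explicit_bzero(sigblob, len);` where the platform has it), use it here. The same memset-then-free sequence appears in ssh_ecdsa_verify in ssh-ecdsa.c and, with passphrases, in process_lock_agent in ssh-agent.c and in load_identity, do_change_passphrase and do_change_comment in ssh-keygen.c. ssh_dss_verify's body starts and ends outside the hunk.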
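diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 085468ee7..766338941 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */
+/* $OpenBSD: ssh-ecdsa.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -119,16 +119,16 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
  if (strcmp(key_ssh_name_plain(key), ktype) != 0) {
  error("%s: cannot handle type %s", __func__, ktype);
  buffer_free(&b);
- xfree(ktype);
+ free(ktype);
  return -1;
  }
- xfree(ktype);
+ free(ktype);
  sigblob = buffer_get_string(&b, &len);
  rlen = buffer_len(&b);
  buffer_free(&b);
  if (rlen != 0) {
  error("%s: remaining bytes in signature %d", __func__, rlen);
- xfree(sigblob);
+ free(sigblob);
  return -1;
  }
 
@@ -149,7 +149,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
 
  /* clean up */
  memset(sigblob, 0, len);
- xfree(sigblob);
+ free(sigblob);
 
  /* hash the data */
  EVP_DigestInit(&md, evp_md);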
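diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 3c7a64753..2b0e9a692 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -543,4 +543,4 @@ AUTHORS
  created OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 5.3 January 19, 2013 OpenBSD 5.3
+OpenBSD 5.4 June 27, 2013 OpenBSD 5.4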
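diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 7da73e07c..0d55854e9 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 19 2013 $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -516,8 +516,7 @@ of two times separated by a colon to indicate an explicit time interval.
 The start time may be specified as a date in YYYYMMDD format, a time
 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
 of a minus sign followed by a relative time in the format described in the
-.Sx TIME FORMATS
-section of
+TIME FORMATS section of
 .Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.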
diff --git a/ssh-keygen.c b/ssh-keygen.c
index d1a205e18..03c444d42 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.230 2013/07/20 01:44:37 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -252,7 +252,7 @@ load_identity(char *filename)
252 RP_ALLOW_STDIN); 252 RP_ALLOW_STDIN);
253 prv = key_load_private(filename, pass, NULL); 253 prv = key_load_private(filename, pass, NULL);
254 memset(pass, 0, strlen(pass)); 254 memset(pass, 0, strlen(pass));
255 xfree(pass); 255 free(pass);
256 } 256 }
257 return prv; 257 return prv;
258} 258}
@@ -288,7 +288,7 @@ do_convert_to_ssh2(struct passwd *pw, Key *k)
288 dump_base64(stdout, blob, len); 288 dump_base64(stdout, blob, len);
289 fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); 289 fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
290 key_free(k); 290 key_free(k);
291 xfree(blob); 291 free(blob);
292 exit(0); 292 exit(0);
293} 293}
294 294
@@ -415,12 +415,12 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
415 debug("ignore (%d %d %d %d)", i1, i2, i3, i4); 415 debug("ignore (%d %d %d %d)", i1, i2, i3, i4);
416 if (strcmp(cipher, "none") != 0) { 416 if (strcmp(cipher, "none") != 0) {
417 error("unsupported cipher %s", cipher); 417 error("unsupported cipher %s", cipher);
418 xfree(cipher); 418 free(cipher);
419 buffer_free(&b); 419 buffer_free(&b);
420 xfree(type); 420 free(type);
421 return NULL; 421 return NULL;
422 } 422 }
423 xfree(cipher); 423 free(cipher);
424 424
425 if (strstr(type, "dsa")) { 425 if (strstr(type, "dsa")) {
426 ktype = KEY_DSA; 426 ktype = KEY_DSA;
@@ -428,11 +428,11 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
428 ktype = KEY_RSA; 428 ktype = KEY_RSA;
429 } else { 429 } else {
430 buffer_free(&b); 430 buffer_free(&b);
431 xfree(type); 431 free(type);
432 return NULL; 432 return NULL;
433 } 433 }
434 key = key_new_private(ktype); 434 key = key_new_private(ktype);
435 xfree(type); 435 free(type);
436 436
437 switch (key->type) { 437 switch (key->type) {
438 case KEY_DSA: 438 case KEY_DSA:
@@ -475,7 +475,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
475 /* try the key */ 475 /* try the key */
476 key_sign(key, &sig, &slen, data, sizeof(data)); 476 key_sign(key, &sig, &slen, data, sizeof(data));
477 key_verify(key, sig, slen, data, sizeof(data)); 477 key_verify(key, sig, slen, data, sizeof(data));
478 xfree(sig); 478 free(sig);
479 return key; 479 return key;
480} 480}
481 481
@@ -524,7 +524,7 @@ do_convert_from_ssh2(struct passwd *pw, Key **k, int *private)
524 fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); 524 fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
525 encoded[0] = '\0'; 525 encoded[0] = '\0';
526 while ((blen = get_line(fp, line, sizeof(line))) != -1) { 526 while ((blen = get_line(fp, line, sizeof(line))) != -1) {
527 if (line[blen - 1] == '\\') 527 if (blen > 0 && line[blen - 1] == '\\')
528 escaped++; 528 escaped++;
529 if (strncmp(line, "----", 4) == 0 || 529 if (strncmp(line, "----", 4) == 0 ||
530 strstr(line, ": ") != NULL) { 530 strstr(line, ": ") != NULL) {
@@ -746,15 +746,15 @@ do_download(struct passwd *pw)
746 fp, key_type(keys[i])); 746 fp, key_type(keys[i]));
747 if (log_level >= SYSLOG_LEVEL_VERBOSE) 747 if (log_level >= SYSLOG_LEVEL_VERBOSE)
748 printf("%s\n", ra); 748 printf("%s\n", ra);
749 xfree(ra); 749 free(ra);
750 xfree(fp); 750 free(fp);
751 } else { 751 } else {
752 key_write(keys[i], stdout); 752 key_write(keys[i], stdout);
753 fprintf(stdout, "\n"); 753 fprintf(stdout, "\n");
754 } 754 }
755 key_free(keys[i]); 755 key_free(keys[i]);
756 } 756 }
757 xfree(keys); 757 free(keys);
758 pkcs11_terminate(); 758 pkcs11_terminate();
759 exit(0); 759 exit(0);
760#else 760#else
@@ -791,13 +791,13 @@ do_fingerprint(struct passwd *pw)
791 if (log_level >= SYSLOG_LEVEL_VERBOSE) 791 if (log_level >= SYSLOG_LEVEL_VERBOSE)
792 printf("%s\n", ra); 792 printf("%s\n", ra);
793 key_free(public); 793 key_free(public);
794 xfree(comment); 794 free(comment);
795 xfree(ra); 795 free(ra);
796 xfree(fp); 796 free(fp);
797 exit(0); 797 exit(0);
798 } 798 }
799 if (comment) { 799 if (comment) {
800 xfree(comment); 800 free(comment);
801 comment = NULL; 801 comment = NULL;
802 } 802 }
803 803
@@ -856,8 +856,8 @@ do_fingerprint(struct passwd *pw)
856 comment ? comment : "no comment", key_type(public)); 856 comment ? comment : "no comment", key_type(public));
857 if (log_level >= SYSLOG_LEVEL_VERBOSE) 857 if (log_level >= SYSLOG_LEVEL_VERBOSE)
858 printf("%s\n", ra); 858 printf("%s\n", ra);
859 xfree(ra); 859 free(ra);
860 xfree(fp); 860 free(fp);
861 key_free(public); 861 key_free(public);
862 invalid = 0; 862 invalid = 0;
863 } 863 }
@@ -980,8 +980,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
980 key_type(public)); 980 key_type(public));
981 if (log_level >= SYSLOG_LEVEL_VERBOSE) 981 if (log_level >= SYSLOG_LEVEL_VERBOSE)
982 printf("%s\n", ra); 982 printf("%s\n", ra);
983 xfree(ra); 983 free(ra);
984 xfree(fp); 984 free(fp);
985 } else { 985 } else {
986 if (hash && (name = host_hash(name, NULL, 0)) == NULL) 986 if (hash && (name = host_hash(name, NULL, 0)) == NULL)
987 fatal("hash_host failed"); 987 fatal("hash_host failed");
@@ -1007,7 +1007,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1007 if (strlcpy(identity_file, cp, sizeof(identity_file)) >= 1007 if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
1008 sizeof(identity_file)) 1008 sizeof(identity_file))
1009 fatal("Specified known hosts path too long"); 1009 fatal("Specified known hosts path too long");
1010 xfree(cp); 1010 free(cp);
1011 have_identity = 1; 1011 have_identity = 1;
1012 } 1012 }
1013 if ((in = fopen(identity_file, "r")) == NULL) 1013 if ((in = fopen(identity_file, "r")) == NULL)
@@ -1238,7 +1238,7 @@ do_change_passphrase(struct passwd *pw)
1238 private = key_load_private(identity_file, old_passphrase, 1238 private = key_load_private(identity_file, old_passphrase,
1239 &comment); 1239 &comment);
1240 memset(old_passphrase, 0, strlen(old_passphrase)); 1240 memset(old_passphrase, 0, strlen(old_passphrase));
1241 xfree(old_passphrase); 1241 free(old_passphrase);
1242 if (private == NULL) { 1242 if (private == NULL) {
1243 printf("Bad passphrase.\n"); 1243 printf("Bad passphrase.\n");
1244 exit(1); 1244 exit(1);
@@ -1261,30 +1261,30 @@ do_change_passphrase(struct passwd *pw)
1261 if (strcmp(passphrase1, passphrase2) != 0) { 1261 if (strcmp(passphrase1, passphrase2) != 0) {
1262 memset(passphrase1, 0, strlen(passphrase1)); 1262 memset(passphrase1, 0, strlen(passphrase1));
1263 memset(passphrase2, 0, strlen(passphrase2)); 1263 memset(passphrase2, 0, strlen(passphrase2));
1264 xfree(passphrase1); 1264 free(passphrase1);
1265 xfree(passphrase2); 1265 free(passphrase2);
1266 printf("Pass phrases do not match. Try again.\n"); 1266 printf("Pass phrases do not match. Try again.\n");
1267 exit(1); 1267 exit(1);
1268 } 1268 }
1269 /* Destroy the other copy. */ 1269 /* Destroy the other copy. */
1270 memset(passphrase2, 0, strlen(passphrase2)); 1270 memset(passphrase2, 0, strlen(passphrase2));
1271 xfree(passphrase2); 1271 free(passphrase2);
1272 } 1272 }
1273 1273
1274 /* Save the file using the new passphrase. */ 1274 /* Save the file using the new passphrase. */
1275 if (!key_save_private(private, identity_file, passphrase1, comment)) { 1275 if (!key_save_private(private, identity_file, passphrase1, comment)) {
1276 printf("Saving the key failed: %s.\n", identity_file); 1276 printf("Saving the key failed: %s.\n", identity_file);
1277 memset(passphrase1, 0, strlen(passphrase1)); 1277 memset(passphrase1, 0, strlen(passphrase1));
1278 xfree(passphrase1); 1278 free(passphrase1);
1279 key_free(private); 1279 key_free(private);
1280 xfree(comment); 1280 free(comment);
1281 exit(1); 1281 exit(1);
1282 } 1282 }
1283 /* Destroy the passphrase and the copy of the key in memory. */ 1283 /* Destroy the passphrase and the copy of the key in memory. */
1284 memset(passphrase1, 0, strlen(passphrase1)); 1284 memset(passphrase1, 0, strlen(passphrase1));
1285 xfree(passphrase1); 1285 free(passphrase1);
1286 key_free(private); /* Destroys contents */ 1286 key_free(private); /* Destroys contents */
1287 xfree(comment); 1287 free(comment);
1288 1288
1289 printf("Your identification has been saved with the new passphrase.\n"); 1289 printf("Your identification has been saved with the new passphrase.\n");
1290 exit(0); 1290 exit(0);
@@ -1301,7 +1301,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname)
1301 struct stat st; 1301 struct stat st;
1302 1302
1303 if (fname == NULL) 1303 if (fname == NULL)
1304 ask_filename(pw, "Enter file in which the key is"); 1304 fatal("%s: no filename", __func__);
1305 if (stat(fname, &st) < 0) { 1305 if (stat(fname, &st) < 0) {
1306 if (errno == ENOENT) 1306 if (errno == ENOENT)
1307 return 0; 1307 return 0;
@@ -1312,11 +1312,11 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname)
1312 if (public != NULL) { 1312 if (public != NULL) {
1313 export_dns_rr(hname, public, stdout, print_generic); 1313 export_dns_rr(hname, public, stdout, print_generic);
1314 key_free(public); 1314 key_free(public);
1315 xfree(comment); 1315 free(comment);
1316 return 1; 1316 return 1;
1317 } 1317 }
1318 if (comment) 1318 if (comment)
1319 xfree(comment); 1319 free(comment);
1320 1320
1321 printf("failed to read v2 public key from %s.\n", fname); 1321 printf("failed to read v2 public key from %s.\n", fname);
1322 exit(1); 1322 exit(1);
@@ -1354,7 +1354,7 @@ do_change_comment(struct passwd *pw)
1354 private = key_load_private(identity_file, passphrase, &comment); 1354 private = key_load_private(identity_file, passphrase, &comment);
1355 if (private == NULL) { 1355 if (private == NULL) {
1356 memset(passphrase, 0, strlen(passphrase)); 1356 memset(passphrase, 0, strlen(passphrase));
1357 xfree(passphrase); 1357 free(passphrase);
1358 printf("Bad passphrase.\n"); 1358 printf("Bad passphrase.\n");
1359 exit(1); 1359 exit(1);
1360 } 1360 }
@@ -1385,13 +1385,13 @@ do_change_comment(struct passwd *pw)
1385 if (!key_save_private(private, identity_file, passphrase, new_comment)) { 1385 if (!key_save_private(private, identity_file, passphrase, new_comment)) {
1386 printf("Saving the key failed: %s.\n", identity_file); 1386 printf("Saving the key failed: %s.\n", identity_file);
1387 memset(passphrase, 0, strlen(passphrase)); 1387 memset(passphrase, 0, strlen(passphrase));
1388 xfree(passphrase); 1388 free(passphrase);
1389 key_free(private); 1389 key_free(private);
1390 xfree(comment); 1390 free(comment);
1391 exit(1); 1391 exit(1);
1392 } 1392 }
1393 memset(passphrase, 0, strlen(passphrase)); 1393 memset(passphrase, 0, strlen(passphrase));
1394 xfree(passphrase); 1394 free(passphrase);
1395 public = key_from_private(private); 1395 public = key_from_private(private);
1396 key_free(private); 1396 key_free(private);
1397 1397
@@ -1412,7 +1412,7 @@ do_change_comment(struct passwd *pw)
1412 fprintf(f, " %s\n", new_comment); 1412 fprintf(f, " %s\n", new_comment);
1413 fclose(f); 1413 fclose(f);
1414 1414
1415 xfree(comment); 1415 free(comment);
1416 1416
1417 printf("The comment in your key file has been changed.\n"); 1417 printf("The comment in your key file has been changed.\n");
1418 exit(0); 1418 exit(0);
@@ -1529,7 +1529,7 @@ load_pkcs11_key(char *path)
1529 } 1529 }
1530 key_free(keys[i]); 1530 key_free(keys[i]);
1531 } 1531 }
1532 xfree(keys); 1532 free(keys);
1533 key_free(public); 1533 key_free(public);
1534 return private; 1534 return private;
1535#else 1535#else
@@ -1573,7 +1573,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1573 fatal("No PKCS#11 key matching %s found", ca_key_path); 1573 fatal("No PKCS#11 key matching %s found", ca_key_path);
1574 } else if ((ca = load_identity(tmp)) == NULL) 1574 } else if ((ca = load_identity(tmp)) == NULL)
1575 fatal("Couldn't load CA key \"%s\"", tmp); 1575 fatal("Couldn't load CA key \"%s\"", tmp);
1576 xfree(tmp); 1576 free(tmp);
1577 1577
1578 for (i = 0; i < argc; i++) { 1578 for (i = 0; i < argc; i++) {
1579 /* Split list of principals */ 1579 /* Split list of principals */
@@ -1586,7 +1586,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1586 if (*(plist[n] = xstrdup(cp)) == '\0') 1586 if (*(plist[n] = xstrdup(cp)) == '\0')
1587 fatal("Empty principal name"); 1587 fatal("Empty principal name");
1588 } 1588 }
1589 xfree(otmp); 1589 free(otmp);
1590 } 1590 }
1591 1591
1592 tmp = tilde_expand_filename(argv[i], pw->pw_uid); 1592 tmp = tilde_expand_filename(argv[i], pw->pw_uid);
@@ -1624,7 +1624,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1624 if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) 1624 if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
1625 *cp = '\0'; 1625 *cp = '\0';
1626 xasprintf(&out, "%s-cert.pub", tmp); 1626 xasprintf(&out, "%s-cert.pub", tmp);
1627 xfree(tmp); 1627 free(tmp);
1628 1628
1629 if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) 1629 if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
1630 fatal("Could not open \"%s\" for writing: %s", out, 1630 fatal("Could not open \"%s\" for writing: %s", out,
@@ -1647,7 +1647,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1647 } 1647 }
1648 1648
1649 key_free(public); 1649 key_free(public);
1650 xfree(out); 1650 free(out);
1651 } 1651 }
1652 pkcs11_terminate(); 1652 pkcs11_terminate();
1653 exit(0); 1653 exit(0);
@@ -1744,7 +1744,7 @@ parse_cert_times(char *timespec)
1744 1744
1745 if (cert_valid_to <= cert_valid_from) 1745 if (cert_valid_to <= cert_valid_from)
1746 fatal("Empty certificate validity interval"); 1746 fatal("Empty certificate validity interval");
1747 xfree(from); 1747 free(from);
1748} 1748}
1749 1749
1750static void 1750static void
@@ -1797,7 +1797,8 @@ add_cert_option(char *opt)
1797static void 1797static void
1798show_options(const Buffer *optbuf, int v00, int in_critical) 1798show_options(const Buffer *optbuf, int v00, int in_critical)
1799{ 1799{
1800 u_char *name, *data; 1800 char *name;
1801 u_char *data;
1801 u_int dlen; 1802 u_int dlen;
1802 Buffer options, option; 1803 Buffer options, option;
1803 1804
@@ -1822,13 +1823,13 @@ show_options(const Buffer *optbuf, int v00, int in_critical)
1822 strcmp(name, "source-address") == 0)) { 1823 strcmp(name, "source-address") == 0)) {
1823 data = buffer_get_string(&option, NULL); 1824 data = buffer_get_string(&option, NULL);
1824 printf(" %s\n", data); 1825 printf(" %s\n", data);
1825 xfree(data); 1826 free(data);
1826 } else { 1827 } else {
1827 printf(" UNKNOWN OPTION (len %u)\n", 1828 printf(" UNKNOWN OPTION (len %u)\n",
1828 buffer_len(&option)); 1829 buffer_len(&option));
1829 buffer_clear(&option); 1830 buffer_clear(&option);
1830 } 1831 }
1831 xfree(name); 1832 free(name);
1832 if (buffer_len(&option) != 0) 1833 if (buffer_len(&option) != 0)
1833 fatal("Option corrupt: extra data at end"); 1834 fatal("Option corrupt: extra data at end");
1834 } 1835 }
@@ -2038,6 +2039,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
2038 } 2039 }
2039 if (strcmp(path, "-") != 0) 2040 if (strcmp(path, "-") != 0)
2040 fclose(krl_spec); 2041 fclose(krl_spec);
2042 free(path);
2041} 2043}
2042 2044
2043static void 2045static void
@@ -2063,7 +2065,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
2063 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); 2065 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
2064 if ((ca = key_load_public(tmp, NULL)) == NULL) 2066 if ((ca = key_load_public(tmp, NULL)) == NULL)
2065 fatal("Cannot load CA public key %s", tmp); 2067 fatal("Cannot load CA public key %s", tmp);
2066 xfree(tmp); 2068 free(tmp);
2067 } 2069 }
2068 2070
2069 if (updating) 2071 if (updating)
@@ -2090,6 +2092,8 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
2090 close(fd); 2092 close(fd);
2091 buffer_free(&kbuf); 2093 buffer_free(&kbuf);
2092 ssh_krl_free(krl); 2094 ssh_krl_free(krl);
2095 if (ca != NULL)
2096 key_free(ca);
2093} 2097}
2094 2098
2095static void 2099static void
@@ -2210,7 +2214,7 @@ main(int argc, char **argv)
2210 /* we need this for the home * directory. */ 2214 /* we need this for the home * directory. */
2211 pw = getpwuid(getuid()); 2215 pw = getpwuid(getuid());
2212 if (!pw) { 2216 if (!pw) {
2213 printf("You don't exist, go away!\n"); 2217 printf("No user exists for uid %lu\n", (u_long)getuid());
2214 exit(1); 2218 exit(1);
2215 } 2219 }
2216 if (gethostname(hostname, sizeof(hostname)) < 0) { 2220 if (gethostname(hostname, sizeof(hostname)) < 0) {
@@ -2599,14 +2603,14 @@ passphrase_again:
2599 */ 2603 */
2600 memset(passphrase1, 0, strlen(passphrase1)); 2604 memset(passphrase1, 0, strlen(passphrase1));
2601 memset(passphrase2, 0, strlen(passphrase2)); 2605 memset(passphrase2, 0, strlen(passphrase2));
2602 xfree(passphrase1); 2606 free(passphrase1);
2603 xfree(passphrase2); 2607 free(passphrase2);
2604 printf("Passphrases do not match. Try again.\n"); 2608 printf("Passphrases do not match. Try again.\n");
2605 goto passphrase_again; 2609 goto passphrase_again;
2606 } 2610 }
2607 /* Clear the other copy of the passphrase. */ 2611 /* Clear the other copy of the passphrase. */
2608 memset(passphrase2, 0, strlen(passphrase2)); 2612 memset(passphrase2, 0, strlen(passphrase2));
2609 xfree(passphrase2); 2613 free(passphrase2);
2610 } 2614 }
2611 2615
2612 if (identity_comment) { 2616 if (identity_comment) {
@@ -2620,12 +2624,12 @@ passphrase_again:
2620 if (!key_save_private(private, identity_file, passphrase1, comment)) { 2624 if (!key_save_private(private, identity_file, passphrase1, comment)) {
2621 printf("Saving the key failed: %s.\n", identity_file); 2625 printf("Saving the key failed: %s.\n", identity_file);
2622 memset(passphrase1, 0, strlen(passphrase1)); 2626 memset(passphrase1, 0, strlen(passphrase1));
2623 xfree(passphrase1); 2627 free(passphrase1);
2624 exit(1); 2628 exit(1);
2625 } 2629 }
2626 /* Clear the passphrase. */ 2630 /* Clear the passphrase. */
2627 memset(passphrase1, 0, strlen(passphrase1)); 2631 memset(passphrase1, 0, strlen(passphrase1));
2628 xfree(passphrase1); 2632 free(passphrase1);
2629 2633
2630 /* Clear the private key and the random number generator. */ 2634 /* Clear the private key and the random number generator. */
2631 key_free(private); 2635 key_free(private);
@@ -2660,8 +2664,8 @@ passphrase_again:
2660 printf("%s %s\n", fp, comment); 2664 printf("%s %s\n", fp, comment);
2661 printf("The key's randomart image is:\n"); 2665 printf("The key's randomart image is:\n");
2662 printf("%s\n", ra); 2666 printf("%s\n", ra);
2663 xfree(ra); 2667 free(ra);
2664 xfree(fp); 2668 free(fp);
2665 } 2669 }
2666 2670
2667 key_free(public); 2671 key_free(public);
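diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 559c5a1f4..3ea99c320 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -106,4 +106,4 @@ BUGS
  This is because it opens a connection to the ssh port, reads the public
  key, and drops the connection as soon as it gets the key.
 
-OpenBSD 5.3 April 11, 2012 OpenBSD 5.3
+OpenBSD 5.4 July 16, 2013 OpenBSD 5.4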
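diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index f2b0fc8fa..c35ea05e0 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.30 2012/04/11 13:34:17 djm Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.31 2013/07/16 00:07:52 schwarze Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: April 11 2012 $
+.Dd $Mdocdate: July 16 2013 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -164,9 +164,9 @@ $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
 .Xr sshd 8
 .Sh AUTHORS
 .An -nosplit
-.An David Mazieres Aq dm@lcs.mit.edu
+.An David Mazieres Aq Mt dm@lcs.mit.edu
 wrote the initial version, and
-.An Wayne Davison Aq wayned@users.sourceforge.net
+.An Wayne Davison Aq Mt wayned@users.sourceforge.net
 added support for protocol version 2.
 .Sh BUGS
 It generates "Connection closed by remote host" messages on the consoles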
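diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index c9de130f4..8b807c10a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.86 2012/04/11 13:34:17 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.87 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -263,7 +263,7 @@ keygrab_ssh2(con *c)
  exit(1);
  }
  nonfatal_fatal = 0;
- xfree(c->c_kex);
+ free(c->c_kex);
  c->c_kex = NULL;
  packet_close();
 
@@ -329,7 +329,7 @@ conalloc(char *iname, char *oname, int keytype)
  do {
  name = xstrsep(&namelist, ",");
  if (!name) {
- xfree(namebase);
+ free(namebase);
  return (-1);
  }
  } while ((s = tcpconnect(name)) < 0);
@@ -363,10 +363,10 @@ confree(int s)
  if (s >= maxfd || fdcon[s].c_status == CS_UNUSED)
  fatal("confree: attempt to free bad fdno %d", s);
  close(s);
- xfree(fdcon[s].c_namebase);
- xfree(fdcon[s].c_output_name);
+ free(fdcon[s].c_namebase);
+ free(fdcon[s].c_output_name);
  if (fdcon[s].c_status == CS_KEYS)
- xfree(fdcon[s].c_data);
+ free(fdcon[s].c_data);
  fdcon[s].c_status = CS_UNUSED;
  fdcon[s].c_keytype = 0;
  TAILQ_REMOVE(&tq, &fdcon[s], c_link);
@@ -553,8 +553,8 @@ conloop(void)
  } else if (FD_ISSET(i, r))
  conread(i);
  }
- xfree(r);
- xfree(e);
+ free(r);
+ free(e);
 
  c = TAILQ_FIRST(&tq);
  while (c && (c->c_tv.tv_sec < now.tv_sec ||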
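Review bot: In confree() the free() calls on new lines 366-369 leave `fdcon[s].c_namebase`, `fdcon[s].c_output_name` and `fdcon[s].c_data` pointing at released memory, whereas keygrab_ssh2() in this same file resets `c->c_kex = NULL` right after its free(). The slot is only marked CS_UNUSED and appears to be reused later, so clearing the fields would make a stale read or a repeated release harmless now that plain free() accepts NULL: add `fdcon[s].c_namebase = NULL;` and `fdcon[s].c_output_name = NULL;` after the first two calls, and `fdcon[s].c_data = NULL;` inside the CS_KEYS branch. confree() continues past the end of the hunk, so later lines may already reset part of this state.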
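diff --git a/ssh-keysign.0 b/ssh-keysign.0
index a2e9eec2b..808828a07 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -48,4 +48,4 @@ HISTORY
 AUTHORS
  Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.3 August 31, 2010 OpenBSD 5.3
+OpenBSD 5.4 July 16, 2013 OpenBSD 5.4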
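diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 5e09e0271..5e0b2d232 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.12 2010/08/31 11:54:45 djm Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl. All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 31 2010 $
+.Dd $Mdocdate: July 16 2013 $
 .Dt SSH-KEYSIGN 8
 .Os
 .Sh NAME
@@ -88,4 +88,4 @@ information corresponding with the private keys above.
 first appeared in
 .Ox 3.2 .
 .Sh AUTHORS
-.An Markus Friedl Aq markus@openbsd.org
+.An Markus Friedl Aq Mt markus@openbsd.org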
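diff --git a/ssh-keysign.c b/ssh-keysign.c
index 1deb7e141..9a6653c7c 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.36 2011/02/16 00:31:14 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.37 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl. All rights reserved.
  *
@@ -78,7 +78,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
  p = buffer_get_string(&b, &len);
  if (len != 20 && len != 32)
  fail++;
- xfree(p);
+ free(p);
 
  if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
  fail++;
@@ -90,13 +90,13 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
  p = buffer_get_string(&b, NULL);
  if (strcmp("ssh-connection", p) != 0)
  fail++;
- xfree(p);
+ free(p);
 
  /* method */
  p = buffer_get_string(&b, NULL);
  if (strcmp("hostbased", p) != 0)
  fail++;
- xfree(p);
+ free(p);
 
  /* pubkey */
  pkalg = buffer_get_string(&b, NULL);
@@ -109,8 +109,8 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
  fail++;
  else if (key->type != pktype)
  fail++;
- xfree(pkalg);
- xfree(pkblob);
+ free(pkalg);
+ free(pkblob);
 
  /* client host name, handle trailing dot */
  p = buffer_get_string(&b, &len);
@@ -121,14 +121,14 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
  fail++;
  else if (strncasecmp(host, p, len - 1) != 0)
  fail++;
- xfree(p);
+ free(p);
 
  /* local user */
  p = buffer_get_string(&b, NULL);
 
  if (strcmp(pw->pw_name, p) != 0)
  fail++;
- xfree(p);
+ free(p);
 
  /* end of message */
  if (buffer_len(&b) != 0)
@@ -233,7 +233,7 @@ main(int argc, char **argv)
  data = buffer_get_string(&b, &dlen);
  if (valid_request(pw, host, &key, data, dlen) < 0)
  fatal("not a valid request");
- xfree(host);
+ free(host);
 
  found = 0;
  for (i = 0; i < NUM_KEYTYPES; i++) {
@@ -248,7 +248,7 @@ main(int argc, char **argv)
 
  if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
  fatal("key_sign failed");
- xfree(data);
+ free(data);
 
  /* send reply */
  buffer_clear(&b);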
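diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
index 82b11daf5..6c9f9d2c1 100644
--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl. All rights reserved.
  *
@@ -121,7 +121,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
  buffer_put_string(&msg, blob, blen);
  buffer_put_string(&msg, from, flen);
  buffer_put_int(&msg, 0);
- xfree(blob);
+ free(blob);
  send_msg(&msg);
  buffer_clear(&msg);
 
@@ -131,7 +131,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
  memcpy(to, signature, slen);
  ret = slen;
  }
- xfree(signature);
+ free(signature);
  }
  buffer_free(&msg);
  return (ret);
@@ -205,11 +205,11 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp)
  *keysp = xcalloc(nkeys, sizeof(Key *));
  for (i = 0; i < nkeys; i++) {
  blob = buffer_get_string(&msg, &blen);
- xfree(buffer_get_string(&msg, NULL));
+ free(buffer_get_string(&msg, NULL));
  k = key_from_blob(blob, blen);
  wrap_key(k->rsa);
  (*keysp)[i] = k;
- xfree(blob);
+ free(blob);
  }
  } else {
  nkeys = -1;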
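Review bot: In pkcs11_add_provider() the loop dereferences `k->rsa` on new line 210 without checking what `key_from_blob(blob, blen)` returned, and the blob comes out of the helper's reply message. If key_from_blob() can return NULL for a blob it cannot parse (its definition is not shown on this page), or hands back a key whose `rsa` member is unset, the client dereferences NULL or passes a NULL RSA pointer to wrap_key(). A guard placed before wrap_key() would fail closed, in the fatal() style used elsewhere in this commit: `if ((k = key_from_blob(blob, blen)) == NULL || k->rsa == NULL) fatal("pkcs11_add_provider: bad key");`. The function starts and ends outside the hunk.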
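diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index dcfaa222a..d9ea34248 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
 AUTHORS
  Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.3 February 10, 2010 OpenBSD 5.3
+OpenBSD 5.4 July 16, 2013 OpenBSD 5.4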
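diff --git a/ssh-pkcs11-helper.8 b/ssh-pkcs11-helper.8
index 9bdaadc01..3728c4e4e 100644
--- a/ssh-pkcs11-helper.8
+++ b/ssh-pkcs11-helper.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.3 2010/02/10 23:20:38 markus Exp $
+.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.4 2013/07/16 00:07:52 schwarze Exp $
 .\"
 .\" Copyright (c) 2010 Markus Friedl. All rights reserved.
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 10 2010 $
+.Dd $Mdocdate: July 16 2013 $
 .Dt SSH-PKCS11-HELPER 8
 .Os
 .Sh NAME
@@ -40,4 +40,4 @@ is not intended to be invoked by the user, but from
 first appeared in
 .Ox 4.7 .
 .Sh AUTHORS
-.An Markus Friedl Aq markus@openbsd.org
+.An Markus Friedl Aq Mt markus@openbsd.org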
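diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index fcb5defc0..39b2e7c56 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.4 2012/07/02 12:13:26 dtucker Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl. All rights reserved.
  *
@@ -79,7 +79,7 @@ del_keys_by_name(char *name)
  nxt = TAILQ_NEXT(ki, next);
  if (!strcmp(ki->providername, name)) {
  TAILQ_REMOVE(&pkcs11_keylist, ki, next);
- xfree(ki->providername);
+ free(ki->providername);
  key_free(ki->key);
  free(ki);
  }
@@ -130,15 +130,15 @@ process_add(void)
  key_to_blob(keys[i], &blob, &blen);
  buffer_put_string(&msg, blob, blen);
  buffer_put_cstring(&msg, name);
- xfree(blob);
+ free(blob);
  add_key(keys[i], name);
  }
- xfree(keys);
+ free(keys);
  } else {
  buffer_put_char(&msg, SSH_AGENT_FAILURE);
  }
- xfree(pin);
- xfree(name);
+ free(pin);
+ free(name);
  send_msg(&msg);
  buffer_free(&msg);
 }
@@ -157,8 +157,8 @@ process_del(void)
  buffer_put_char(&msg, SSH_AGENT_SUCCESS);
  else
  buffer_put_char(&msg, SSH_AGENT_FAILURE);
- xfree(pin);
- xfree(name);
+ free(pin);
+ free(name);
  send_msg(&msg);
  buffer_free(&msg);
 }
@@ -195,10 +195,9 @@ process_sign(void)
  } else {
  buffer_put_char(&msg, SSH_AGENT_FAILURE);
  }
- xfree(data);
- xfree(blob);
- if (signature != NULL)
- xfree(signature);
+ free(data);
+ free(blob);
+ free(signature);
  send_msg(&msg);
  buffer_free(&msg);
 }
@@ -274,7 +273,6 @@ main(int argc, char **argv)
  LogLevel log_level = SYSLOG_LEVEL_ERROR;
  char buf[4*4096];
 
- extern char *optarg;
  extern char *__progname;
 
  TAILQ_INIT(&pkcs11_keylist);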
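Review bot: process_add() and process_del() release `pin` with a bare `free(pin);` (new lines 140 and 160), so the PKCS#11 PIN is returned to the heap unwiped, while the ssh-keygen.c hunks of this same commit clear passphrases with memset() before freeing them. The same holds for `pin` in pkcs11_rsa_private_encrypt() in ssh-pkcs11.c, on both the C_Login failure path and the success path. Consider `memset(pin, 0, strlen(pin));` ahead of each `free(pin);`; because a plain memset() directly before free() can be removed by the optimiser, a clearing routine the compiler cannot elide is preferable where the tree provides one. Both helper functions begin outside their hunks, so where `pin` is obtained is not visible here.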
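diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 1f4c1c8e4..618c07526 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl. All rights reserved.
  *
@@ -120,9 +120,9 @@ pkcs11_provider_unref(struct pkcs11_provider *p)
  if (--p->refcount <= 0) {
  if (p->valid)
  error("pkcs11_provider_unref: %p still valid", p);
- xfree(p->slotlist);
- xfree(p->slotinfo);
- xfree(p);
+ free(p->slotlist);
+ free(p->slotinfo);
+ free(p);
  }
 }
 
@@ -180,9 +180,8 @@ pkcs11_rsa_finish(RSA *rsa)
  rv = k11->orig_finish(rsa);
  if (k11->provider)
  pkcs11_provider_unref(k11->provider);
- if (k11->keyid)
- xfree(k11->keyid);
- xfree(k11);
+ free(k11->keyid);
+ free(k11);
  }
  return (rv);
 }
@@ -264,13 +263,13 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
  pin = read_passphrase(prompt, RP_ALLOW_EOF);
  if (pin == NULL)
  return (-1); /* bail out */
- if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin)))
- != CKR_OK) {
- xfree(pin);
+ if ((rv = f->C_Login(si->session, CKU_USER,
+ (u_char *)pin, strlen(pin))) != CKR_OK) {
+ free(pin);
  error("C_Login failed: %lu", rv);
  return (-1);
  }
- xfree(pin);
+ free(pin);
  si->logged_in = 1;
  }
  key_filter[1].pValue = k11->keyid;
@@ -329,7 +328,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
 
 /* remove trailing spaces */
 static void
-rmspace(char *buf, size_t len)
+rmspace(u_char *buf, size_t len)
 {
  size_t i;
 
@@ -367,8 +366,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
  return (-1);
  }
  if (login_required && pin) {
- if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin)))
- != CKR_OK) {
+ if ((rv = f->C_Login(session, CKU_USER,
+ (u_char *)pin, strlen(pin))) != CKR_OK) {
  error("C_Login failed: %lu", rv);
  if ((rv = f->C_CloseSession(session)) != CKR_OK)
  error("C_CloseSession failed: %lu", rv);
@@ -470,7 +469,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
  }
  }
  for (i = 0; i < 3; i++)
- xfree(attribs[i].pValue);
+ free(attribs[i].pValue);
  }
  if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
  error("C_FindObjectsFinal failed: %lu", rv);
@@ -579,11 +578,9 @@ fail:
  if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)
  error("C_Finalize failed: %lu", rv);
  if (p) {
- if (p->slotlist)
- xfree(p->slotlist);
- if (p->slotinfo)
- xfree(p->slotinfo);
- xfree(p);
+ free(p->slotlist);
+ free(p->slotinfo);
+ free(p);
  }
  if (handle)
  dlclose(handle);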
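Review bot: pkcs11_provider_unref() releases the provider even when `p->valid` is still set: the `error("pkcs11_provider_unref: %p still valid", p)` on new line 122 only logs, and the three free() calls below it run regardless. If a provider marked valid can still be reached through another reference (the provider list is outside this hunk), that leaves a dangling pointer behind. Either stop at the error, `if (p->valid) { error("pkcs11_provider_unref: %p still valid", p); return; }`, accepting a leak in that case, or add a comment above the check stating the invariant that makes releasing a still-valid provider safe.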
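diff --git a/ssh-rsa.c b/ssh-rsa.c
index c6355fa09..30f96abc2 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.46 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
  *
@@ -72,7 +72,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
 
  error("ssh_rsa_sign: RSA_sign failed: %s",
  ERR_error_string(ecode, NULL));
- xfree(sig);
+ free(sig);
  return -1;
  }
  if (len < slen) {
@@ -82,7 +82,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
  memset(sig, 0, diff);
  } else if (len > slen) {
  error("ssh_rsa_sign: slen %u slen2 %u", slen, len);
- xfree(sig);
+ free(sig);
  return -1;
  }
  /* encode signature */
@@ -98,7 +98,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
  }
  buffer_free(&b);
  memset(sig, 's', slen);
- xfree(sig);
+ free(sig);
 
  return 0;
 }
@@ -131,23 +131,23 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
  if (strcmp("ssh-rsa", ktype) != 0) {
  error("ssh_rsa_verify: cannot handle type %s", ktype);
  buffer_free(&b);
- xfree(ktype);
+ free(ktype);
  return -1;
  }
- xfree(ktype);
+ free(ktype);
  sigblob = buffer_get_string(&b, &len);
  rlen = buffer_len(&b);
  buffer_free(&b);
  if (rlen != 0) {
  error("ssh_rsa_verify: remaining bytes in signature %d", rlen);
- xfree(sigblob);
+ free(sigblob);
  return -1;
  }
  /* RSA_verify expects a signature of RSA_size */
  modlen = RSA_size(key->rsa);
  if (len > modlen) {
  error("ssh_rsa_verify: len %u > modlen %u", len, modlen);
- xfree(sigblob);
+ free(sigblob);
  return -1;
  } else if (len < modlen) {
  u_int diff = modlen - len;
@@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
  nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
  if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
  error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
- xfree(sigblob);
+ free(sigblob);
  return -1;
  }
  EVP_DigestInit(&md, evp_md);
@@ -171,7 +171,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
  ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
  memset(digest, 'd', sizeof(digest));
  memset(sigblob, 's', len);
- xfree(sigblob);
+ free(sigblob);
  debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
  return ret;
 }
@@ -262,7 +262,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
  }
  ret = 1;
 done:
- if (decrypted)
- xfree(decrypted);
+ free(decrypted);
  return ret;
 }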
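Review bot: The overwrite-before-release in ssh_rsa_sign() and ssh_rsa_verify() is applied only on the success paths: `memset(sig, 's', slen)` and `memset(sigblob, 's', len)` precede the final free(), but the early `return -1` branches at new lines 75, 85, 143, 150 and 164 free the same buffers untouched. If the fill is meant as a scrub it should be applied uniformly, for instance through one cleanup label, and a memset() whose target is freed immediately afterwards is something an optimising compiler may drop as a dead store. If it is only a debugging poison pattern, a short comment such as `/* poison pattern, not a security wipe */` would stop readers from relying on it. Both functions extend beyond the visible hunks.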
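diff --git a/ssh.0 b/ssh.0
index f6b642bc8..adc1ee421 100644
--- a/ssh.0
+++ b/ssh.0
@@ -5,11 +5,13 @@ NAME
 
 SYNOPSIS
  ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
- [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11]
- [-i identity_file] [-L [bind_address:]port:host:hostport]
- [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
+ [-D [bind_address:]port] [-E log_file] [-e escape_char]
+ [-F configfile] [-I pkcs11] [-i identity_file]
+ [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
+ [-O ctl_cmd] [-o option] [-p port]
  [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
  [-w local_tun[:remote_tun]] [user@]hostname [command]
+ ssh -Q protocol_feature
 
 DESCRIPTION
  ssh (SSH client) is a program for logging into a remote machine and for
@@ -102,6 +104,9 @@ DESCRIPTION
  be bound for local use only, while an empty address or `*'
  indicates that the port should be available from all interfaces.
 
+ -E log_file
+ Append debug logs to log_file instead of standard error.
+
  -e escape_char
  Sets the escape character for sessions with a pty (default: `~').
  The escape character is only recognized at the beginning of a
@@ -289,6 +294,14 @@ DESCRIPTION
  Port to connect to on the remote host. This can be specified on
  a per-host basis in the configuration file.
 
+ -Q protocol_feature
+ Queries ssh for the algorithms supported for the specified
+ version 2 protocol_feature. The queriable features are:
+ ``cipher'' (supported symmetric ciphers), ``MAC'' (supported
+ message integrity codes), ``KEX'' (key exchange algorithms),
+ ``key'' (key types). Protocol features are treated case-
+ insensitively.
+
  -q Quiet mode. Causes most warning and diagnostic messages to be
  suppressed.
 
@@ -788,7 +801,7 @@ FILES
  This is the per-user configuration file. The file format and
  configuration options are described in ssh_config(5). Because of
  the potential for abuse, this file must have strict permissions:
- read/write for the user, and not accessible by others.
+ read/write for the user, and not writable by others.
 
  ~/.ssh/environment
  Contains additional definitions for environment variables; see
@@ -919,4 +932,4 @@ AUTHORS
  created OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 5.3 October 4, 2012 OpenBSD 5.3
+OpenBSD 5.4 July 18, 2013 OpenBSD 5.4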
diff --git a/ssh.1 b/ssh.1
index a5576edb6..62292cc09 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ 36.\" $OpenBSD: ssh.1,v 1.334 2013/07/18 01:12:26 djm Exp $
37.Dd $Mdocdate: October 4 2012 $ 37.Dd $Mdocdate: July 18 2013 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -47,6 +47,7 @@
47.Op Fl b Ar bind_address 47.Op Fl b Ar bind_address
48.Op Fl c Ar cipher_spec 48.Op Fl c Ar cipher_spec
49.Op Fl D Oo Ar bind_address : Oc Ns Ar port 49.Op Fl D Oo Ar bind_address : Oc Ns Ar port
50.Op Fl E Ar log_file
50.Op Fl e Ar escape_char 51.Op Fl e Ar escape_char
51.Op Fl F Ar configfile 52.Op Fl F Ar configfile
52.Op Fl I Ar pkcs11 53.Op Fl I Ar pkcs11
@@ -64,6 +65,8 @@
64.Oo Ar user Ns @ Oc Ns Ar hostname 65.Oo Ar user Ns @ Oc Ns Ar hostname
65.Op Ar command 66.Op Ar command
66.Ek 67.Ek
68.Nm
69.Fl Q Ar protocol_feature
67.Sh DESCRIPTION 70.Sh DESCRIPTION
68.Nm 71.Nm
69(SSH client) is a program for logging into a remote machine and for 72(SSH client) is a program for logging into a remote machine and for
@@ -217,6 +220,10 @@ indicates that the listening port be bound for local use only, while an
217empty address or 220empty address or
218.Sq * 221.Sq *
219indicates that the port should be available from all interfaces. 222indicates that the port should be available from all interfaces.
223.It Fl E Ar log_file
224Append debug logs to
225.Ar log_file
226instead of standard error.
220.It Fl e Ar escape_char 227.It Fl e Ar escape_char
221Sets the escape character for sessions with a pty (default: 228Sets the escape character for sessions with a pty (default:
222.Ql ~ ) . 229.Ql ~ ) .
@@ -482,6 +489,21 @@ For full details of the options listed below, and their possible values, see
482Port to connect to on the remote host. 489Port to connect to on the remote host.
483This can be specified on a 490This can be specified on a
484per-host basis in the configuration file. 491per-host basis in the configuration file.
492.It Fl Q Ar protocol_feature
493Queries
494.Nm
495for the algorithms supported for the specified version 2
496.Ar protocol_feature .
497The queriable features are:
498.Dq cipher
499(supported symmetric ciphers),
500.Dq MAC
501(supported message integrity codes),
502.Dq KEX
503(key exchange algorithms),
504.Dq key
505(key types).
506Protocol features are treated case-insensitively.
485.It Fl q 507.It Fl q
486Quiet mode. 508Quiet mode.
487Causes most warning and diagnostic messages to be suppressed. 509Causes most warning and diagnostic messages to be suppressed.
@@ -732,9 +754,7 @@ implements public key authentication protocol automatically,
732using one of the DSA, ECDSA or RSA algorithms. 754using one of the DSA, ECDSA or RSA algorithms.
733Protocol 1 is restricted to using only RSA keys, 755Protocol 1 is restricted to using only RSA keys,
734but protocol 2 may use any. 756but protocol 2 may use any.
735The 757The HISTORY section of
736.Sx HISTORY
737section of
738.Xr ssl 8 758.Xr ssl 8
739contains a brief discussion of the DSA and RSA algorithms. 759contains a brief discussion of the DSA and RSA algorithms.
740.Pp 760.Pp
@@ -790,9 +810,7 @@ instead of a set of public/private keys,
790signed certificates are used. 810signed certificates are used.
791This has the advantage that a single trusted certification authority 811This has the advantage that a single trusted certification authority
792can be used in place of many public/private keys. 812can be used in place of many public/private keys.
793See the 813See the CERTIFICATES section of
794.Sx CERTIFICATES
795section of
796.Xr ssh-keygen 1 814.Xr ssh-keygen 1
797for more information. 815for more information.
798.Pp 816.Pp
@@ -1319,7 +1337,7 @@ This is the per-user configuration file.
1319The file format and configuration options are described in 1337The file format and configuration options are described in
1320.Xr ssh_config 5 . 1338.Xr ssh_config 5 .
1321Because of the potential for abuse, this file must have strict permissions: 1339Because of the potential for abuse, this file must have strict permissions:
1322read/write for the user, and not accessible by others. 1340read/write for the user, and not writable by others.
1323.Pp 1341.Pp
1324.It Pa ~/.ssh/environment 1342.It Pa ~/.ssh/environment
1325Contains additional definitions for environment variables; see 1343Contains additional definitions for environment variables; see
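diff --git a/ssh.c b/ssh.c
index 5ec89f2cc..87233bc91 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.381 2013/07/25 00:29:10 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,9 +197,9 @@ usage(void)
 {
  fprintf(stderr,
 "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
-" [-I pkcs11] [-i identity_file]\n"
-" [-L [bind_address:]port:host:hostport]\n"
+" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+" [-F configfile] [-I pkcs11] [-i identity_file]\n"
+" [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n"
 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
 " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
 " [-W host:port] [-w local_tun[:remote_tun]]\n"
@@ -226,7 +226,7 @@ tilde_expand_paths(char **paths, u_int num_paths)
 
  for (i = 0; i < num_paths; i++) {
  cp = tilde_expand_filename(paths[i], original_real_uid);
- xfree(paths[i]);
+ free(paths[i]);
  paths[i] = cp;
  }
 }
@@ -238,7 +238,7 @@ int
 main(int ac, char **av)
 {
  int i, r, opt, exit_status, use_syslog;
- char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg;
+ char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile;
  char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
  struct stat st;
  struct passwd *pw;
@@ -299,7 +299,7 @@ main(int ac, char **av)
  /* Get user data. */
  pw = getpwuid(original_real_uid);
  if (!pw) {
- logit("You don't exist, go away!");
+ logit("No user exists for uid %lu", (u_long)original_real_uid);
  exit(255);
  }
  /* Take a copy of the returned structure. */
@@ -322,11 +322,12 @@ main(int ac, char **av)
  /* Parse command-line arguments. */
  host = NULL;
  use_syslog = 0;
+ logfile = NULL;
  argv0 = av[0];
 
  again:
  while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
- "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
+ "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
  switch (opt) {
  case '1':
  options.protocol = SSH_PROTO_1;
@@ -356,6 +357,9 @@ main(int ac, char **av)
  case 'y':
  use_syslog = 1;
  break;
+ case 'E':
+ logfile = xstrdup(optarg);
+ break;
  case 'Y':
  options.forward_x11 = 1;
  options.forward_x11_trusted = 1;
@@ -385,6 +389,22 @@ main(int ac, char **av)
  case 'P': /* deprecated */
  options.use_privileged_port = 0;
  break;
+ case 'Q': /* deprecated */
+ cp = NULL;
+ if (strcasecmp(optarg, "cipher") == 0)
+ cp = cipher_alg_list();
+ else if (strcasecmp(optarg, "mac") == 0)
+ cp = mac_alg_list();
+ else if (strcasecmp(optarg, "kex") == 0)
+ cp = kex_alg_list();
+ else if (strcasecmp(optarg, "key") == 0)
+ cp = key_alg_list();
+ if (cp == NULL)
+ fatal("Unsupported query \"%s\"", optarg);
+ printf("%s\n", cp);
+ free(cp);
+ exit(0);
+ break;
  case 'a':
  options.forward_agent = 0;
  break;
@@ -427,9 +447,8 @@ main(int ac, char **av)
  } else {
  if (options.log_level < SYSLOG_LEVEL_DEBUG3)
  options.log_level++;
- break;
  }
- /* FALLTHROUGH */
+ break;
  case 'V':
  fprintf(stderr, "%s, %s\n",
  SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
@@ -454,7 +473,7 @@ main(int ac, char **av)
  if (parse_forward(&fwd, optarg, 1, 0)) {
  stdio_forward_host = fwd.listen_host;
  stdio_forward_port = fwd.listen_port;
- xfree(fwd.connect_host);
+ free(fwd.connect_host);
  } else {
  fprintf(stderr,
  "Bad stdio forwarding specification '%s'\n",
@@ -582,7 +601,7 @@ main(int ac, char **av)
  line, "command-line", 0, &dummy, SSHCONF_USERCONF)
  != 0)
  exit(255);
- xfree(line);
+ free(line);
  break;
  case 's':
  subsystem_flag = 1;
@@ -663,18 +682,28 @@ main(int ac, char **av)
 
  /*
  * Initialize "log" output. Since we are the client all output
- * actually goes to stderr.
+ * goes to stderr unless otherwise specified by -y or -E.
  */
+ if (use_syslog && logfile != NULL)
+ fatal("Can't specify both -y and -E");
+ if (logfile != NULL) {
+ log_redirect_stderr_to(logfile);
+ free(logfile);
+ }
  log_init(argv0,
  options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
  SYSLOG_FACILITY_USER, !use_syslog);
 
+ if (debug_flag)
+ logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
+
  /*
  * Read per-user configuration file. Ignore the system wide config
  * file if the user specifies a config file on the command line.
  */
  if (config != NULL) {
- if (!read_config_file(config, host, &options, SSHCONF_USERCONF))
+ if (strcasecmp(config, "none") != 0 &&
+ !read_config_file(config, host, &options, SSHCONF_USERCONF))
  fatal("Can't open user config file %.100s: "
  "%.100s", config, strerror(errno));
  } else {
@@ -749,7 +778,7 @@ main(int ac, char **av)
  "p", portstr, "u", pw->pw_name, "L", shorthost,
  (char *)NULL);
  debug3("expanded LocalCommand: %s", options.local_command);
- xfree(cp);
+ free(cp);
  }
 
  /* force lowercase for hostkey matching */
@@ -761,24 +790,24 @@ main(int ac, char **av)
 
  if (options.proxy_command != NULL &&
  strcmp(options.proxy_command, "none") == 0) {
- xfree(options.proxy_command);
+ free(options.proxy_command);
  options.proxy_command = NULL;
  }
  if (options.control_path != NULL &&
  strcmp(options.control_path, "none") == 0) {
- xfree(options.control_path);
+ free(options.control_path);
  options.control_path = NULL;
  }
 
  if (options.control_path != NULL) {
  cp = tilde_expand_filename(options.control_path,
  original_real_uid);
- xfree(options.control_path);
+ free(options.control_path);
  options.control_path = percent_expand(cp, "h", host,
  "l", thishost, "n", host_arg, "r", options.user,
  "p", portstr, "u", pw->pw_name, "L", shorthost,
  (char *)NULL);
- xfree(cp);
+ free(cp);
  }
  if (muxclient_command != 0 && options.control_path == NULL)
  fatal("No ControlPath specified for \"-O\" command");
@@ -929,13 +958,11 @@ main(int ac, char **av)
  sensitive_data.keys[i] = NULL;
  }
  }
- xfree(sensitive_data.keys);
+ free(sensitive_data.keys);
  }
  for (i = 0; i < options.num_identity_files; i++) {
- if (options.identity_files[i]) {
- xfree(options.identity_files[i]);
- options.identity_files[i] = NULL;
- }
+ free(options.identity_files[i]);
+ options.identity_files[i] = NULL;
  if (options.identity_keys[i]) {
  key_free(options.identity_keys[i]);
  options.identity_keys[i] = NULL;
@@ -995,6 +1022,7 @@ control_persist_detach(void)
  if (devnull > STDERR_FILENO)
  close(devnull);
  }
+ daemon(1, 1);
  setproctitle("%s [mux]", options.control_path);
 }
 
@@ -1453,6 +1481,11 @@ ssh_session2(void)
 
  if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
  id = ssh_session2_open();
+ else {
+ packet_set_interactive(
+ options.control_master == SSHCTL_MASTER_NO,
+ options.ip_qos_interactive, options.ip_qos_bulk);
+ }
 
  /* If we don't expect to open a new session, then disallow it */
  if (options.control_master == SSHCTL_MASTER_NO &&
@@ -1525,7 +1558,7 @@ load_public_identity_files(void)
  xstrdup(options.pkcs11_provider); /* XXX */
  n_ids++;
  }
- xfree(keys);
+ free(keys);
  }
 #endif /* ENABLE_PKCS11 */
  if ((pw = getpwuid(original_real_uid)) == NULL)
@@ -1538,7 +1571,7 @@ load_public_identity_files(void)
  for (i = 0; i < options.num_identity_files; i++) {
  if (n_ids >= SSH_MAX_IDENTITY_FILES ||
  strcasecmp(options.identity_files[i], "none") == 0) {
- xfree(options.identity_files[i]);
+ free(options.identity_files[i]);
  continue;
  }
  cp = tilde_expand_filename(options.identity_files[i],
@@ -1546,11 +1579,11 @@ load_public_identity_files(void)
  filename = percent_expand(cp, "d", pwdir,
  "u", pwname, "l", thishost, "h", host,
  "r", options.user, (char *)NULL);
- xfree(cp);
+ free(cp);
  public = key_load_public(filename, NULL);
  debug("identity file %s type %d", filename,
  public ? public->type : -1);
- xfree(options.identity_files[i]);
+ free(options.identity_files[i]);
  identity_files[n_ids] = filename;
  identity_keys[n_ids] = public;
 
@@ -1563,14 +1596,14 @@ load_public_identity_files(void)
  debug("identity file %s type %d", cp,
  public ? public->type : -1);
  if (public == NULL) {
- xfree(cp);
+ free(cp);
  continue;
  }
  if (!key_is_cert(public)) {
  debug("%s: key %s type %s is not a certificate",
  __func__, cp, key_type(public));
  key_free(public);
- xfree(cp);
+ free(cp);
  continue;
  }
  identity_keys[n_ids] = public;
@@ -1583,9 +1616,9 @@ load_public_identity_files(void)
  memcpy(options.identity_keys, identity_keys, sizeof(identity_keys));
 
  bzero(pwname, strlen(pwname));
- xfree(pwname);
+ free(pwname);
  bzero(pwdir, strlen(pwdir));
- xfree(pwdir);
+ free(pwdir);
 }
 
 static void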
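Review bot: The `daemon(1, 1);` call added in control_persist_detach() ignores its return value, so if detaching fails the mux master carries on still attached to the invoking session with nothing logged; I would at least record it, e.g. `if (daemon(1, 1) == -1) error("%s: daemon() failed: %.100s", __func__, strerror(errno));`. The function body starts outside this hunk, so whether continuing is the intended best-effort behaviour should be confirmed against the fork logic above it. In the option switch, the new `case 'Q':` carries a `/* deprecated */` comment that appears copied from `case 'P'` directly above; -Q is introduced by this commit, so the comment should read something like `/* query supported algorithms */`. The `break;` after `exit(0);` in that arm is unreachable.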
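diff --git a/ssh_config b/ssh_config
index 2c06ba707..32343213f 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
+# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $
 
 # This is the ssh client system-wide configuration file. See
 # ssh_config(5) for more information. This file provides defaults for
@@ -47,3 +47,4 @@
 # PermitLocalCommand no
 # VisualHostKey no
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h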
diff --git a/ssh_config.0 b/ssh_config.0
index 164d11817..bd9e1ad51 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -369,9 +369,9 @@ DESCRIPTION
369 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and 369 for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and
370 ~/.ssh/id_rsa for protocol version 2. Additionally, any 370 ~/.ssh/id_rsa for protocol version 2. Additionally, any
371 identities represented by the authentication agent will be used 371 identities represented by the authentication agent will be used
372 for authentication. ssh(1) will try to load certificate 372 for authentication unless IdentitiesOnly is set. ssh(1) will try
373 information from the filename obtained by appending -cert.pub to 373 to load certificate information from the filename obtained by
374 the path of a specified IdentityFile. 374 appending -cert.pub to the path of a specified IdentityFile.
375 375
376 The file name may use the tilde syntax to refer to a user's home 376 The file name may use the tilde syntax to refer to a user's home
377 directory or one of the following escape characters: `%d' (local 377 directory or one of the following escape characters: `%d' (local
@@ -384,6 +384,18 @@ DESCRIPTION
384 of identities tried (this behaviour differs from that of other 384 of identities tried (this behaviour differs from that of other
385 configuration directives). 385 configuration directives).
386 386
387 IdentityFile may be used in conjunction with IdentitiesOnly to
388 select which identities in an agent are offered during
389 authentication.
390
391 IgnoreUnknown
392 Specifies a pattern-list of unknown options to be ignored if they
393 are encountered in configuration parsing. This may be used to
394 suppress errors if ssh_config contains options that are
395 unrecognised by ssh(1). It is recommended that IgnoreUnknown be
396 listed early in the configuration file as it will not be applied
397 to unknown options that appear before it.
398
387 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. 399 IPQoS Specifies the IPv4 type-of-service or DSCP class for connections.
388 Accepted values are ``af11'', ``af12'', ``af13'', ``af21'', 400 Accepted values are ``af11'', ``af12'', ``af13'', ``af21'',
389 ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'', 401 ``af22'', ``af23'', ``af31'', ``af32'', ``af33'', ``af41'',
@@ -552,11 +564,18 @@ DESCRIPTION
552 564
553 RekeyLimit 565 RekeyLimit
554 Specifies the maximum amount of data that may be transmitted 566 Specifies the maximum amount of data that may be transmitted
555 before the session key is renegotiated. The argument is the 567 before the session key is renegotiated, optionally followed a
556 number of bytes, with an optional suffix of `K', `M', or `G' to 568 maximum amount of time that may pass before the session key is
557 indicate Kilobytes, Megabytes, or Gigabytes, respectively. The 569 renegotiated. The first argument is specified in bytes and may
558 default is between `1G' and `4G', depending on the cipher. This 570 have a suffix of `K', `M', or `G' to indicate Kilobytes,
559 option applies to protocol version 2 only. 571 Megabytes, or Gigabytes, respectively. The default is between
572 `1G' and `4G', depending on the cipher. The optional second
573 value is specified in seconds and may use any of the units
574 documented in the TIME FORMATS section of sshd_config(5). The
575 default value for RekeyLimit is ``default none'', which means
576 that rekeying is performed after the cipher's default amount of
577 data has been sent or received and no time based rekeying is
578 done. This option applies to protocol version 2 only.
560 579
561 RemoteForward 580 RemoteForward
562 Specifies that a TCP port on the remote machine be forwarded over 581 Specifies that a TCP port on the remote machine be forwarded over
@@ -773,4 +792,4 @@ AUTHORS
773 created OpenSSH. Markus Friedl contributed the support for SSH protocol 792 created OpenSSH. Markus Friedl contributed the support for SSH protocol
774 versions 1.5 and 2.0. 793 versions 1.5 and 2.0.
775 794
776OpenBSD 5.3 January 8, 2013 OpenBSD 5.3 795OpenBSD 5.4 June 27, 2013 OpenBSD 5.4
diff --git a/ssh_config.5 b/ssh_config.5
index bd3a7127a..e72919a89 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $
37.Dd $Mdocdate: January 8 2013 $ 37.Dd $Mdocdate: June 27 2013 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -474,8 +474,7 @@ option is also enabled.
474.It Cm ForwardX11Timeout 474.It Cm ForwardX11Timeout
475Specify a timeout for untrusted X11 forwarding 475Specify a timeout for untrusted X11 forwarding
476using the format described in the 476using the format described in the
477.Sx TIME FORMATS 477TIME FORMATS section of
478section of
479.Xr sshd_config 5 . 478.Xr sshd_config 5 .
480X11 connections received by 479X11 connections received by
481.Xr ssh 1 480.Xr ssh 1
@@ -660,7 +659,9 @@ and
660.Pa ~/.ssh/id_rsa 659.Pa ~/.ssh/id_rsa
661for protocol version 2. 660for protocol version 2.
662Additionally, any identities represented by the authentication agent 661Additionally, any identities represented by the authentication agent
663will be used for authentication. 662will be used for authentication unless
663.Cm IdentitiesOnly
664is set.
664.Xr ssh 1 665.Xr ssh 1
665will try to load certificate information from the filename obtained by 666will try to load certificate information from the filename obtained by
666appending 667appending
@@ -689,6 +690,22 @@ Multiple
689.Cm IdentityFile 690.Cm IdentityFile
690directives will add to the list of identities tried (this behaviour 691directives will add to the list of identities tried (this behaviour
691differs from that of other configuration directives). 692differs from that of other configuration directives).
693.Pp
694.Cm IdentityFile
695may be used in conjunction with
696.Cm IdentitiesOnly
697to select which identities in an agent are offered during authentication.
698.It Cm IgnoreUnknown
699Specifies a pattern-list of unknown options to be ignored if they are
700encountered in configuration parsing.
701This may be used to suppress errors if
702.Nm
703contains options that are unrecognised by
704.Xr ssh 1 .
705It is recommended that
706.Cm IgnoreUnknown
707be listed early in the configuration file as it will not be applied
708to unknown options that appear before it.
692.It Cm IPQoS 709.It Cm IPQoS
693Specifies the IPv4 type-of-service or DSCP class for connections. 710Specifies the IPv4 type-of-service or DSCP class for connections.
694Accepted values are 711Accepted values are
@@ -963,8 +980,9 @@ The default is
963This option applies to protocol version 2 only. 980This option applies to protocol version 2 only.
964.It Cm RekeyLimit 981.It Cm RekeyLimit
965Specifies the maximum amount of data that may be transmitted before the 982Specifies the maximum amount of data that may be transmitted before the
966session key is renegotiated. 983session key is renegotiated, optionally followed a maximum amount of
967The argument is the number of bytes, with an optional suffix of 984time that may pass before the session key is renegotiated.
985The first argument is specified in bytes and may have a suffix of
968.Sq K , 986.Sq K ,
969.Sq M , 987.Sq M ,
970or 988or
@@ -975,6 +993,16 @@ The default is between
975and 993and
976.Sq 4G , 994.Sq 4G ,
977depending on the cipher. 995depending on the cipher.
996The optional second value is specified in seconds and may use any of the
997units documented in the
998TIME FORMATS section of
999.Xr sshd_config 5 .
1000The default value for
1001.Cm RekeyLimit
1002is
1003.Dq default none ,
1004which means that rekeying is performed after the cipher's default amount
1005of data has been sent or received and no time based rekeying is done.
978This option applies to protocol version 2 only. 1006This option applies to protocol version 2 only.
979.It Cm RemoteForward 1007.It Cm RemoteForward
980Specifies that a TCP port on the remote machine be forwarded over 1008Specifies that a TCP port on the remote machine be forwarded over
@@ -1253,9 +1281,7 @@ The default is
1253.Dq no . 1281.Dq no .
1254Note that this option applies to protocol version 2 only. 1282Note that this option applies to protocol version 2 only.
1255.Pp 1283.Pp
1256See also 1284See also VERIFYING HOST KEYS in
1257.Sx VERIFYING HOST KEYS
1258in
1259.Xr ssh 1 . 1285.Xr ssh 1 .
1260.It Cm VisualHostKey 1286.It Cm VisualHostKey
1261If this flag is set to 1287If this flag is set to
diff --git a/sshconnect.c b/sshconnect.c
index cf0711285..483eb85ac 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -112,7 +112,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
112 xasprintf(&tmp, "exec %s", proxy_command); 112 xasprintf(&tmp, "exec %s", proxy_command);
113 command_string = percent_expand(tmp, "h", host, "p", strport, 113 command_string = percent_expand(tmp, "h", host, "p", strport,
114 "r", options.user, (char *)NULL); 114 "r", options.user, (char *)NULL);
115 xfree(tmp); 115 free(tmp);
116 116
117 /* Create pipes for communicating with the proxy. */ 117 /* Create pipes for communicating with the proxy. */
118 if (pipe(pin) < 0 || pipe(pout) < 0) 118 if (pipe(pin) < 0 || pipe(pout) < 0)
@@ -166,7 +166,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
166 close(pout[1]); 166 close(pout[1]);
167 167
168 /* Free the command name. */ 168 /* Free the command name. */
169 xfree(command_string); 169 free(command_string);
170 170
171 /* Set the connection file descriptors. */ 171 /* Set the connection file descriptors. */
172 packet_set_connection(pout[0], pin[1]); 172 packet_set_connection(pout[0], pin[1]);
@@ -315,7 +315,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
315 fatal("Bogus return (%d) from select()", rc); 315 fatal("Bogus return (%d) from select()", rc);
316 } 316 }
317 317
318 xfree(fdset); 318 free(fdset);
319 319
320 done: 320 done:
321 if (result == 0 && *timeoutp > 0) { 321 if (result == 0 && *timeoutp > 0) {
@@ -534,7 +534,7 @@ ssh_exchange_identification(int timeout_ms)
534 debug("ssh_exchange_identification: %s", buf); 534 debug("ssh_exchange_identification: %s", buf);
535 } 535 }
536 server_version_string = xstrdup(buf); 536 server_version_string = xstrdup(buf);
537 xfree(fdset); 537 free(fdset);
538 538
539 /* 539 /*
540 * Check that the versions match. In future this might accept 540 * Check that the versions match. In future this might accept
@@ -610,8 +610,7 @@ confirm(const char *prompt)
610 ret = 0; 610 ret = 0;
611 if (p && strncasecmp(p, "yes", 3) == 0) 611 if (p && strncasecmp(p, "yes", 3) == 0)
612 ret = 1; 612 ret = 1;
613 if (p) 613 free(p);
614 xfree(p);
615 if (ret != -1) 614 if (ret != -1)
616 return ret; 615 return ret;
617 } 616 }
@@ -835,8 +834,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
835 ra = key_fingerprint(host_key, SSH_FP_MD5, 834 ra = key_fingerprint(host_key, SSH_FP_MD5,
836 SSH_FP_RANDOMART); 835 SSH_FP_RANDOMART);
837 logit("Host key fingerprint is %s\n%s\n", fp, ra); 836 logit("Host key fingerprint is %s\n%s\n", fp, ra);
838 xfree(ra); 837 free(ra);
839 xfree(fp); 838 free(fp);
840 } 839 }
841 break; 840 break;
842 case HOST_NEW: 841 case HOST_NEW:
@@ -896,8 +895,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
896 options.visual_host_key ? "\n" : "", 895 options.visual_host_key ? "\n" : "",
897 options.visual_host_key ? ra : "", 896 options.visual_host_key ? ra : "",
898 msg2); 897 msg2);
899 xfree(ra); 898 free(ra);
900 xfree(fp); 899 free(fp);
901 if (!confirm(msg)) 900 if (!confirm(msg))
902 goto fail; 901 goto fail;
903 } 902 }
@@ -1098,8 +1097,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
1098 } 1097 }
1099 } 1098 }
1100 1099
1101 xfree(ip); 1100 free(ip);
1102 xfree(host); 1101 free(host);
1103 if (host_hostkeys != NULL) 1102 if (host_hostkeys != NULL)
1104 free_hostkeys(host_hostkeys); 1103 free_hostkeys(host_hostkeys);
1105 if (ip_hostkeys != NULL) 1104 if (ip_hostkeys != NULL)
@@ -1121,8 +1120,8 @@ fail:
1121 } 1120 }
1122 if (raw_key != NULL) 1121 if (raw_key != NULL)
1123 key_free(raw_key); 1122 key_free(raw_key);
1124 xfree(ip); 1123 free(ip);
1125 xfree(host); 1124 free(host);
1126 if (host_hostkeys != NULL) 1125 if (host_hostkeys != NULL)
1127 free_hostkeys(host_hostkeys); 1126 free_hostkeys(host_hostkeys);
1128 if (ip_hostkeys != NULL) 1127 if (ip_hostkeys != NULL)
@@ -1139,7 +1138,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
1139 1138
1140 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); 1139 fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
1141 debug("Server host key: %s %s", key_type(host_key), fp); 1140 debug("Server host key: %s %s", key_type(host_key), fp);
1142 xfree(fp); 1141 free(fp);
1143 1142
1144 /* XXX certs are not yet supported for DNS */ 1143 /* XXX certs are not yet supported for DNS */
1145 if (!key_is_cert(host_key) && options.verify_host_key_dns && 1144 if (!key_is_cert(host_key) && options.verify_host_key_dns &&
@@ -1204,7 +1203,7 @@ ssh_login(Sensitive *sensitive, const char *orighost,
1204 ssh_kex(host, hostaddr); 1203 ssh_kex(host, hostaddr);
1205 ssh_userauth1(local_user, server_user, host, sensitive); 1204 ssh_userauth1(local_user, server_user, host, sensitive);
1206 } 1205 }
1207 xfree(local_user); 1206 free(local_user);
1208} 1207}
1209 1208
1210void 1209void
@@ -1222,7 +1221,7 @@ ssh_put_password(char *password)
1222 strlcpy(padded, password, size); 1221 strlcpy(padded, password, size);
1223 packet_put_string(padded, size); 1222 packet_put_string(padded, size);
1224 memset(padded, 0, size); 1223 memset(padded, 0, size);
1225 xfree(padded); 1224 free(padded);
1226} 1225}
1227 1226
1228/* print all known host keys for a given host, but skip keys of given type */ 1227/* print all known host keys for a given host, but skip keys of given type */
@@ -1249,8 +1248,8 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
1249 key_type(found->key), fp); 1248 key_type(found->key), fp);
1250 if (options.visual_host_key) 1249 if (options.visual_host_key)
1251 logit("%s", ra); 1250 logit("%s", ra);
1252 xfree(ra); 1251 free(ra);
1253 xfree(fp); 1252 free(fp);
1254 ret = 1; 1253 ret = 1;
1255 } 1254 }
1256 return ret; 1255 return ret;
@@ -1273,7 +1272,7 @@ warn_changed_key(Key *host_key)
1273 key_type(host_key), fp); 1272 key_type(host_key), fp);
1274 error("Please contact your system administrator."); 1273 error("Please contact your system administrator.");
1275 1274
1276 xfree(fp); 1275 free(fp);
1277} 1276}
1278 1277
1279/* 1278/*
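--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: sshconnect1.c,v 1.71 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -84,7 +84,7 @@ try_agent_authentication(void)
 
  /* Try this identity. */
  debug("Trying RSA authentication via agent with '%.100s'", comment);
- xfree(comment);
+ free(comment);
 
  /* Tell the server that we are willing to authenticate using this key. */
  packet_start(SSH_CMSG_AUTH_RSA);
@@ -231,7 +231,7 @@ try_rsa_authentication(int idx)
  */
  if (type == SSH_SMSG_FAILURE) {
  debug("Server refused our key.");
- xfree(comment);
+ free(comment);
  return 0;
  }
  /* Otherwise, the server should respond with a challenge. */
@@ -270,14 +270,14 @@ try_rsa_authentication(int idx)
  quit = 1;
  }
  memset(passphrase, 0, strlen(passphrase));
- xfree(passphrase);
+ free(passphrase);
  if (private != NULL || quit)
  break;
  debug2("bad passphrase given, try again...");
  }
  }
  /* We no longer need the comment. */
- xfree(comment);
+ free(comment);
 
  if (private == NULL) {
  if (!options.batch_mode && perm_ok)
@@ -412,7 +412,7 @@ try_challenge_response_authentication(void)
  packet_check_eom();
  snprintf(prompt, sizeof prompt, "%s%s", challenge,
  strchr(challenge, '\n') ? "" : "\nResponse: ");
- xfree(challenge);
+ free(challenge);
  if (i != 0)
  error("Permission denied, please try again.");
  if (options.cipher == SSH_CIPHER_NONE)
@@ -420,13 +420,13 @@ try_challenge_response_authentication(void)
  "Response will be transmitted in clear text.");
  response = read_passphrase(prompt, 0);
  if (strcmp(response, "") == 0) {
- xfree(response);
+ free(response);
  break;
  }
  packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
  ssh_put_password(response);
  memset(response, 0, strlen(response));
- xfree(response);
+ free(response);
  packet_send();
  packet_write_wait();
  type = packet_read();
@@ -459,7 +459,7 @@ try_password_authentication(char *prompt)
  packet_start(SSH_CMSG_AUTH_PASSWORD);
  ssh_put_password(password);
  memset(password, 0, strlen(password));
- xfree(password);
+ free(password);
  packet_send();
  packet_write_wait();
 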
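Review bot: The wipes that sit directly in front of the new `free()` calls, `memset(passphrase, 0, strlen(passphrase));` in try_rsa_authentication and the same for `response` in try_challenge_response_authentication and `password` in try_password_authentication, write to memory that is released on the very next line, so a compiler that models `free()` is allowed to drop them as dead stores and leave the secret in freed heap memory. The same memset/bzero-then-free pattern is in the sshconnect2.c section of this commit (userauth_passwd, input_userauth_passwd_changereq, jpake_password_to_secret, load_identity_file, input_userauth_info_req, and `bzero(id, sizeof(*id));` in pubkey_prepare). A wipe the optimizer must keep, for example `explicit_bzero(passphrase, strlen(passphrase));` where the platform or the project's compat code provides it, closes that gap. All of these functions start and end outside the hunks shown.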
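--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -146,10 +146,10 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
  if (*first != '\0')
  debug3("%s: prefer hostkeyalgs: %s", __func__, first);
 
- xfree(first);
- xfree(last);
- xfree(hostname);
- xfree(oavail);
+ free(first);
+ free(last);
+ free(hostname);
+ free(oavail);
  free_hostkeys(hostkeys);
 
  return ret;
@@ -233,8 +233,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  }
 #endif
 
- if (options.rekey_limit)
- packet_set_rekey_limit((u_int32_t)options.rekey_limit);
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
 
  /* start key exchange */
  kex = kex_setup(myproposal);
@@ -445,7 +446,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
  if (packet_remaining() > 0) {
  char *reply = packet_get_string(NULL);
  debug2("service_accept: %s", reply);
- xfree(reply);
+ free(reply);
  } else {
  debug2("buggy server: service_accept w/o service");
  }
@@ -492,15 +493,12 @@ userauth(Authctxt *authctxt, char *authlist)
  if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
  authctxt->method->cleanup(authctxt);
 
- if (authctxt->methoddata) {
- xfree(authctxt->methoddata);
- authctxt->methoddata = NULL;
- }
+ free(authctxt->methoddata);
+ authctxt->methoddata = NULL;
  if (authlist == NULL) {
  authlist = authctxt->authlist;
  } else {
- if (authctxt->authlist)
- xfree(authctxt->authlist);
+ free(authctxt->authlist);
  authctxt->authlist = authlist;
  }
  for (;;) {
@@ -548,10 +546,10 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
  msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
  strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
  fprintf(stderr, "%s", msg);
- xfree(msg);
+ free(msg);
  }
- xfree(raw);
- xfree(lang);
+ free(raw);
+ free(lang);
 }
 
 /* ARGSUSED */
@@ -562,16 +560,12 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
 
  if (authctxt == NULL)
  fatal("input_userauth_success: no authentication context");
- if (authctxt->authlist) {
- xfree(authctxt->authlist);
- authctxt->authlist = NULL;
- }
+ free(authctxt->authlist);
+ authctxt->authlist = NULL;
  if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
  authctxt->method->cleanup(authctxt);
- if (authctxt->methoddata) {
- xfree(authctxt->methoddata);
- authctxt->methoddata = NULL;
- }
+ free(authctxt->methoddata);
+ authctxt->methoddata = NULL;
  authctxt->success = 1; /* break out */
 }
 
@@ -602,8 +596,12 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
  partial = packet_get_char();
  packet_check_eom();
 
- if (partial != 0)
+ if (partial != 0) {
  logit("Authenticated with partial success.");
+ /* reset state */
+ pubkey_cleanup(authctxt);
+ pubkey_prepare(authctxt);
+ }
  debug("Authentications that can continue: %s", authlist);
 
  userauth(authctxt, authlist);
@@ -656,7 +654,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
  }
  fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
  debug2("input_userauth_pk_ok: fp %s", fp);
- xfree(fp);
+ free(fp);
 
  /*
  * search keys in the reverse order, because last candidate has been
@@ -672,8 +670,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 done:
  if (key != NULL)
  key_free(key);
- xfree(pkalg);
- xfree(pkblob);
+ free(pkalg);
+ free(pkblob);
 
  /* try another method if we did not send a packet */
  if (sent == 0)
@@ -823,7 +821,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
  if (oidlen <= 2 ||
  oidv[0] != SSH_GSS_OIDTYPE ||
  oidv[1] != oidlen - 2) {
- xfree(oidv);
+ free(oidv);
  debug("Badly encoded mechanism OID received");
  userauth(authctxt, NULL);
  return;
@@ -834,7 +832,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 
  packet_check_eom();
 
- xfree(oidv);
+ free(oidv);
 
  if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
  /* Start again with next method on list */
@@ -863,7 +861,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 
  status = process_gssapi_token(ctxt, &recv_tok);
 
- xfree(recv_tok.value);
+ free(recv_tok.value);
 
  if (GSS_ERROR(status)) {
  /* Start again with the next method in the list */
@@ -880,7 +878,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
  Gssctxt *gssctxt;
  gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc recv_tok;
- OM_uint32 status, ms;
+ OM_uint32 ms;
  u_int len;
 
  if (authctxt == NULL)
@@ -893,10 +891,10 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
  packet_check_eom();
 
  /* Stick it into GSSAPI and see what it says */
- status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
+ (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
  &recv_tok, &send_tok, NULL);
 
- xfree(recv_tok.value);
+ free(recv_tok.value);
  gss_release_buffer(&ms, &send_tok);
 
  /* Server will be returning a failed packet after this one */
@@ -906,20 +904,19 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 void
 input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 {
- OM_uint32 maj, min;
  char *msg;
  char *lang;
 
- maj=packet_get_int();
- min=packet_get_int();
+ /* maj */(void)packet_get_int();
+ /* min */(void)packet_get_int();
  msg=packet_get_string(NULL);
  lang=packet_get_string(NULL);
 
  packet_check_eom();
 
  debug("Server GSSAPI Error:\n%s", msg);
- xfree(msg);
- xfree(lang);
+ free(msg);
+ free(lang);
 }
 
 int
@@ -1002,7 +999,7 @@ userauth_passwd(Authctxt *authctxt)
  packet_put_char(0);
  packet_put_cstring(password);
  memset(password, 0, strlen(password));
- xfree(password);
+ free(password);
  packet_add_padding(64);
  packet_send();
 
@@ -1035,8 +1032,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
  lang = packet_get_string(NULL);
  if (strlen(info) > 0)
  logit("%s", info);
- xfree(info);
- xfree(lang);
+ free(info);
+ free(lang);
  packet_start(SSH2_MSG_USERAUTH_REQUEST);
  packet_put_cstring(authctxt->server_user);
  packet_put_cstring(authctxt->service);
@@ -1048,7 +1045,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
  password = read_passphrase(prompt, 0);
  packet_put_cstring(password);
  memset(password, 0, strlen(password));
- xfree(password);
+ free(password);
  password = NULL;
  while (password == NULL) {
  snprintf(prompt, sizeof(prompt),
@@ -1065,16 +1062,16 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
  retype = read_passphrase(prompt, 0);
  if (strcmp(password, retype) != 0) {
  memset(password, 0, strlen(password));
- xfree(password);
+ free(password);
  logit("Mismatch; try again, EOF to quit.");
  password = NULL;
  }
  memset(retype, 0, strlen(retype));
- xfree(retype);
+ free(retype);
  }
  packet_put_cstring(password);
  memset(password, 0, strlen(password));
- xfree(password);
+ free(password);
  packet_add_padding(64);
  packet_send();
 
@@ -1129,13 +1126,13 @@ jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
 
  bzero(password, strlen(password));
  bzero(crypted, strlen(crypted));
- xfree(password);
- xfree(crypted);
+ free(password);
+ free(crypted);
 
  if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
  fatal("%s: BN_bin2bn (secret)", __func__);
  bzero(secret, secret_len);
- xfree(secret);
+ free(secret);
 
  return ret;
 }
@@ -1173,8 +1170,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
  pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
  bzero(crypt_scheme, strlen(crypt_scheme));
  bzero(salt, strlen(salt));
- xfree(crypt_scheme);
- xfree(salt);
+ free(crypt_scheme);
+ free(salt);
  JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
 
  /* Calculate step 2 values */
@@ -1189,8 +1186,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
 
  bzero(x3_proof, x3_proof_len);
  bzero(x4_proof, x4_proof_len);
- xfree(x3_proof);
- xfree(x4_proof);
+ free(x3_proof);
+ free(x4_proof);
 
  JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
 
@@ -1201,7 +1198,7 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
  packet_send();
 
  bzero(x2_s_proof, x2_s_proof_len);
- xfree(x2_s_proof);
+ free(x2_s_proof);
 
  /* Expect step 2 packet from peer */
  dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
@@ -1241,7 +1238,7 @@ input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
  &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
 
  bzero(x4_s_proof, x4_s_proof_len);
- xfree(x4_s_proof);
+ free(x4_s_proof);
 
  JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
 
@@ -1323,7 +1320,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
 
  fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
  debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
- xfree(fp);
+ free(fp);
 
  if (key_to_blob(id->key, &blob, &bloblen) == 0) {
  /* we cannot handle this key */
@@ -1358,7 +1355,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
  ret = identity_sign(id, &signature, &slen,
  buffer_ptr(&b), buffer_len(&b));
  if (ret == -1) {
- xfree(blob);
+ free(blob);
  buffer_free(&b);
  return 0;
  }
@@ -1378,11 +1375,11 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
  buffer_put_cstring(&b, key_ssh_name(id->key));
  buffer_put_string(&b, blob, bloblen);
  }
- xfree(blob);
+ free(blob);
 
  /* append signature */
  buffer_put_string(&b, signature, slen);
- xfree(signature);
+ free(signature);
 
  /* skip session id and packet type */
  if (buffer_len(&b) < skip + 1)
@@ -1422,7 +1419,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
  if (!(datafellows & SSH_BUG_PKAUTH))
  packet_put_cstring(key_ssh_name(id->key));
  packet_put_string(blob, bloblen);
- xfree(blob);
+ free(blob);
  packet_send();
  return 1;
 }
@@ -1441,8 +1438,11 @@ load_identity_file(char *filename, int userprovided)
  return NULL;
  }
  private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
- if (!perm_ok)
+ if (!perm_ok) {
+ if (private != NULL)
+ key_free(private);
  return NULL;
+ }
  if (private == NULL) {
  if (options.batch_mode)
  return NULL;
@@ -1459,7 +1459,7 @@ load_identity_file(char *filename, int userprovided)
  quit = 1;
  }
  memset(passphrase, 0, strlen(passphrase));
- xfree(passphrase);
+ free(passphrase);
  if (private != NULL || quit)
  break;
  debug2("bad passphrase given, try again...");
@@ -1522,7 +1522,7 @@ pubkey_prepare(Authctxt *authctxt)
  /* If IdentitiesOnly set and key not found then don't use it */
  if (!found && options.identities_only) {
  TAILQ_REMOVE(&files, id, next);
- bzero(id, sizeof(id));
+ bzero(id, sizeof(*id));
  free(id);
  }
  }
@@ -1536,7 +1536,7 @@ pubkey_prepare(Authctxt *authctxt)
  /* agent keys from the config file are preferred */
  if (key_equal(key, id->key)) {
  key_free(key);
- xfree(comment);
+ free(comment);
  TAILQ_REMOVE(&files, id, next);
  TAILQ_INSERT_TAIL(preferred, id, next);
  id->ac = ac;
@@ -1582,9 +1582,8 @@ pubkey_cleanup(Authctxt *authctxt)
  TAILQ_REMOVE(&authctxt->keys, id, next);
  if (id->key)
  key_free(id->key);
- if (id->filename)
- xfree(id->filename);
- xfree(id);
+ free(id->filename);
+ free(id);
  }
 }
 
@@ -1682,9 +1681,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
  logit("%s", name);
  if (strlen(inst) > 0)
  logit("%s", inst);
- xfree(name);
- xfree(inst);
- xfree(lang);
+ free(name);
+ free(inst);
+ free(lang);
 
  num_prompts = packet_get_int();
  /*
@@ -1705,8 +1704,8 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
 
  packet_put_cstring(response);
  memset(response, 0, strlen(response));
- xfree(response);
- xfree(prompt);
+ free(response);
+ free(prompt);
  }
  packet_check_eom(); /* done with parsing incoming message. */
 
@@ -1826,12 +1825,12 @@ userauth_hostbased(Authctxt *authctxt)
  if (p == NULL) {
  error("userauth_hostbased: cannot get local ipaddr/name");
  key_free(private);
- xfree(blob);
+ free(blob);
  return 0;
  }
  xasprintf(&chost, "%s.", p);
  debug2("userauth_hostbased: chost %s", chost);
- xfree(p);
+ free(p);
 
  service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
  authctxt->service;
@@ -1860,9 +1859,9 @@ userauth_hostbased(Authctxt *authctxt)
  buffer_free(&b);
  if (ok != 0) {
  error("key_sign failed");
- xfree(chost);
- xfree(pkalg);
- xfree(blob);
+ free(chost);
+ free(pkalg);
+ free(blob);
  return 0;
  }
  packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -1875,10 +1874,10 @@ userauth_hostbased(Authctxt *authctxt)
  packet_put_cstring(authctxt->local_user);
  packet_put_string(signature, slen);
  memset(signature, 's', slen);
- xfree(signature);
- xfree(chost);
- xfree(pkalg);
- xfree(blob);
+ free(signature);
+ free(chost);
+ free(pkalg);
+ free(blob);
 
  packet_send();
  return 1;
@@ -1933,8 +1932,8 @@ userauth_jpake(Authctxt *authctxt)
 
  bzero(x1_proof, x1_proof_len);
  bzero(x2_proof, x2_proof_len);
- xfree(x1_proof);
- xfree(x2_proof);
+ free(x1_proof);
+ free(x2_proof);
 
  /* Expect step 1 packet from peer */
  dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
@@ -2011,8 +2010,7 @@ authmethod_get(char *authlist)
 
  if (supported == NULL || strcmp(authlist, supported) != 0) {
  debug3("start over, passed a different list %s", authlist);
- if (supported != NULL)
- xfree(supported);
+ free(supported);
  supported = xstrdup(authlist);
  preferred = options.preferred_authentications;
  debug3("preferred %s", preferred);
@@ -2033,9 +2031,10 @@ authmethod_get(char *authlist)
  authmethod_is_enabled(current)) {
  debug3("authmethod_is_enabled %s", name);
  debug("Next authentication method: %s", name);
- xfree(name);
+ free(name);
  return current;
  }
+ free(name);
  }
 }
 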
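Review bot: The `/* reset state */` comment added in input_userauth_failure does not say which state is reset or why, and the reset runs on every partial success whichever method produced it, since the only condition is `partial != 0`. pubkey_cleanup, shown further down in this file section, frees every queued identity, so the pair of calls discards and rebuilds the whole key list. I would spell that out, e.g. `/* partial success: rebuild the identity list so keys can be offered again to the next required method */`; that intent is inferred from the two calls, so confirm it before settling the wording. The body of input_userauth_failure continues outside the hunk.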
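--- a/sshd.0
+++ b/sshd.0
@@ -5,8 +5,9 @@ NAME
 
 SYNOPSIS
  sshd [-46DdeiqTt] [-b bits] [-C connection_spec]
- [-c host_certificate_file] [-f config_file] [-g login_grace_time]
- [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
+ [-c host_certificate_file] [-E log_file] [-f config_file]
+ [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
+ [-o option] [-p port] [-u len]
 
 DESCRIPTION
  sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
@@ -60,8 +61,10 @@ DESCRIPTION
  option is only intended for debugging for the server. Multiple
  -d options increase the debugging level. Maximum is 3.
 
- -e When this option is specified, sshd will send the output to the
- standard error instead of the system log.
+ -E log_file
+ Append debug logs to log_file instead of the system log.
+
+ -e Write debug logs to standard error instead of the system log.
 
  -f config_file
  Specifies the name of the configuration file. The default is
@@ -634,4 +637,4 @@ CAVEATS
  System security is not improved unless rshd, rlogind, and rexecd are
  disabled (thus completely disabling rlogin and rsh into the machine).
 
-OpenBSD 5.3 October 4, 2012 OpenBSD 5.3
+OpenBSD 5.4 June 27, 2013 OpenBSD 5.4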
diff --git a/sshd.8 b/sshd.8
index 132397839..b0c7ab6bd 100644
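--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $
-.Dd $Mdocdate: October 4 2012 $
+.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $
+.Dd $Mdocdate: June 27 2013 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -47,6 +47,7 @@
 .Op Fl b Ar bits
 .Op Fl C Ar connection_spec
 .Op Fl c Ar host_certificate_file
+.Op Fl E Ar log_file
 .Op Fl f Ar config_file
 .Op Fl g Ar login_grace_time
 .Op Fl h Ar host_key_file
@@ -146,10 +147,12 @@ Multiple
 .Fl d
 options increase the debugging level.
 Maximum is 3.
+.It Fl E Ar log_file
+Append debug logs to
+.Ar log_file
+instead of the system log.
 .It Fl e
-When this option is specified,
-.Nm
-will send the output to the standard error instead of the system log.
+Write debug logs to standard error instead of the system log.
 .It Fl f Ar config_file
 Specifies the name of the configuration file.
 The default is
@@ -564,9 +567,7 @@ is enabled.
 Specifies that in addition to public key authentication, either the canonical
 name of the remote host or its IP address must be present in the
 comma-separated list of patterns.
-See
-.Sx PATTERNS
-in
+See PATTERNS in
 .Xr ssh_config 5
 for more information on patterns.
 .Pp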
diff --git a/sshd.c b/sshd.c
index d8faaebd5..4eddeb8d8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ 1/* $OpenBSD: sshd.c,v 1.404 2013/07/19 07:37:48 markus Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -106,6 +106,7 @@
106#include "canohost.h" 106#include "canohost.h"
107#include "hostfile.h" 107#include "hostfile.h"
108#include "auth.h" 108#include "auth.h"
109#include "authfd.h"
109#include "misc.h" 110#include "misc.h"
110#include "msg.h" 111#include "msg.h"
111#include "dispatch.h" 112#include "dispatch.h"
@@ -198,6 +199,10 @@ char *server_version_string = NULL;
198/* for rekeying XXX fixme */ 199/* for rekeying XXX fixme */
199Kex *xxx_kex; 200Kex *xxx_kex;
200 201
202/* Daemon's agent connection */
203AuthenticationConnection *auth_conn = NULL;
204int have_agent = 0;
205
201/* 206/*
202 * Any really sensitive data in the application is contained in this 207 * Any really sensitive data in the application is contained in this
203 * structure. The idea is that this structure could be locked into memory so 208 * structure. The idea is that this structure could be locked into memory so
@@ -210,6 +215,7 @@ struct {
210 Key *server_key; /* ephemeral server key */ 215 Key *server_key; /* ephemeral server key */
211 Key *ssh1_host_key; /* ssh1 host key */ 216 Key *ssh1_host_key; /* ssh1 host key */
212 Key **host_keys; /* all private host keys */ 217 Key **host_keys; /* all private host keys */
218 Key **host_pubkeys; /* all public host keys */
213 Key **host_certificates; /* all public host certificates */ 219 Key **host_certificates; /* all public host certificates */
214 int have_ssh1_key; 220 int have_ssh1_key;
215 int have_ssh2_key; 221 int have_ssh2_key;
@@ -657,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
657 debug2("Network child is on pid %ld", (long)pid); 663 debug2("Network child is on pid %ld", (long)pid);
658 664
659 pmonitor->m_pid = pid; 665 pmonitor->m_pid = pid;
666 if (have_agent)
667 auth_conn = ssh_get_authentication_connection();
660 if (box != NULL) 668 if (box != NULL)
661 ssh_sandbox_parent_preauth(box, pid); 669 ssh_sandbox_parent_preauth(box, pid);
662 monitor_child_preauth(authctxt, pmonitor); 670 monitor_child_preauth(authctxt, pmonitor);
@@ -771,6 +779,8 @@ list_hostkey_types(void)
771 for (i = 0; i < options.num_host_key_files; i++) { 779 for (i = 0; i < options.num_host_key_files; i++) {
772 key = sensitive_data.host_keys[i]; 780 key = sensitive_data.host_keys[i];
773 if (key == NULL) 781 if (key == NULL)
782 key = sensitive_data.host_pubkeys[i];
783 if (key == NULL)
774 continue; 784 continue;
775 switch (key->type) { 785 switch (key->type) {
776 case KEY_RSA: 786 case KEY_RSA:
@@ -823,6 +833,8 @@ get_hostkey_by_type(int type, int need_private)
823 break; 833 break;
824 default: 834 default:
825 key = sensitive_data.host_keys[i]; 835 key = sensitive_data.host_keys[i];
836 if (key == NULL && !need_private)
837 key = sensitive_data.host_pubkeys[i];
826 break; 838 break;
827 } 839 }
828 if (key != NULL && key->type == type) 840 if (key != NULL && key->type == type)
@@ -852,6 +864,14 @@ get_hostkey_by_index(int ind)
852 return (sensitive_data.host_keys[ind]); 864 return (sensitive_data.host_keys[ind]);
853} 865}
854 866
867Key *
868get_hostkey_public_by_index(int ind)
869{
870 if (ind < 0 || ind >= options.num_host_key_files)
871 return (NULL);
872 return (sensitive_data.host_pubkeys[ind]);
873}
874
855int 875int
856get_hostkey_index(Key *key) 876get_hostkey_index(Key *key)
857{ 877{
@@ -864,6 +884,8 @@ get_hostkey_index(Key *key)
864 } else { 884 } else {
865 if (key == sensitive_data.host_keys[i]) 885 if (key == sensitive_data.host_keys[i])
866 return (i); 886 return (i);
887 if (key == sensitive_data.host_pubkeys[i])
888 return (i);
867 } 889 }
868 } 890 }
869 return (-1); 891 return (-1);
@@ -904,8 +926,9 @@ usage(void)
904 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); 926 SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
905 fprintf(stderr, 927 fprintf(stderr,
906"usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" 928"usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
907" [-f config_file] [-g login_grace_time] [-h host_key_file]\n" 929" [-E log_file] [-f config_file] [-g login_grace_time]\n"
908" [-k key_gen_time] [-o option] [-p port] [-u len]\n" 930" [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n"
931" [-u len]\n"
909 ); 932 );
910 exit(1); 933 exit(1);
911} 934}
@@ -976,7 +999,7 @@ recv_rexec_state(int fd, Buffer *conf)
976 cp = buffer_get_string(&m, &len); 999 cp = buffer_get_string(&m, &len);
977 if (conf != NULL) 1000 if (conf != NULL)
978 buffer_append(conf, cp, len + 1); 1001 buffer_append(conf, cp, len + 1);
979 xfree(cp); 1002 free(cp);
980 1003
981 if (buffer_get_int(&m)) { 1004 if (buffer_get_int(&m)) {
982 if (sensitive_data.server_key != NULL) 1005 if (sensitive_data.server_key != NULL)
@@ -1027,7 +1050,9 @@ server_accept_inetd(int *sock_in, int *sock_out)
1027 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { 1050 if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
1028 dup2(fd, STDIN_FILENO); 1051 dup2(fd, STDIN_FILENO);
1029 dup2(fd, STDOUT_FILENO); 1052 dup2(fd, STDOUT_FILENO);
1030 if (fd > STDOUT_FILENO) 1053 if (!log_stderr)
1054 dup2(fd, STDERR_FILENO);
1055 if (fd > (log_stderr ? STDERR_FILENO : STDOUT_FILENO))
1031 close(fd); 1056 close(fd);
1032 } 1057 }
1033 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); 1058 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
@@ -1138,7 +1163,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1138 if (received_sighup) 1163 if (received_sighup)
1139 sighup_restart(); 1164 sighup_restart();
1140 if (fdset != NULL) 1165 if (fdset != NULL)
1141 xfree(fdset); 1166 free(fdset);
1142 fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), 1167 fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
1143 sizeof(fd_mask)); 1168 sizeof(fd_mask));
1144 1169
@@ -1187,8 +1212,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
1187 *newsock = accept(listen_socks[i], 1212 *newsock = accept(listen_socks[i],
1188 (struct sockaddr *)&from, &fromlen); 1213 (struct sockaddr *)&from, &fromlen);
1189 if (*newsock < 0) { 1214 if (*newsock < 0) {
1190 if (errno != EINTR && errno != EAGAIN && 1215 if (errno != EINTR && errno != EWOULDBLOCK &&
1191 errno != EWOULDBLOCK) 1216 errno != ECONNABORTED && errno != EAGAIN)
1192 error("accept: %.100s", 1217 error("accept: %.100s",
1193 strerror(errno)); 1218 strerror(errno));
1194 if (errno == EMFILE || errno == ENFILE) 1219 if (errno == EMFILE || errno == ENFILE)
@@ -1339,12 +1364,14 @@ main(int ac, char **av)
1339 int sock_in = -1, sock_out = -1, newsock = -1; 1364 int sock_in = -1, sock_out = -1, newsock = -1;
1340 const char *remote_ip; 1365 const char *remote_ip;
1341 int remote_port; 1366 int remote_port;
1342 char *line; 1367 char *line, *logfile = NULL;
1343 int config_s[2] = { -1 , -1 }; 1368 int config_s[2] = { -1 , -1 };
1344 u_int n; 1369 u_int n;
1345 u_int64_t ibytes, obytes; 1370 u_int64_t ibytes, obytes;
1346 mode_t new_umask; 1371 mode_t new_umask;
1347 Key *key; 1372 Key *key;
1373 Key *pubkey;
1374 int keytype;
1348 Authctxt *authctxt; 1375 Authctxt *authctxt;
1349 struct connection_info *connection_info = get_connection_info(0, 0); 1376 struct connection_info *connection_info = get_connection_info(0, 0);
1350 1377
@@ -1377,7 +1404,7 @@ main(int ac, char **av)
1377 initialize_server_options(&options); 1404 initialize_server_options(&options);
1378 1405
1379 /* Parse command-line arguments. */ 1406 /* Parse command-line arguments. */
1380 while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) { 1407 while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeE:iqrtQRT46")) != -1) {
1381 switch (opt) { 1408 switch (opt) {
1382 case '4': 1409 case '4':
1383 options.address_family = AF_INET; 1410 options.address_family = AF_INET;
@@ -1406,6 +1433,9 @@ main(int ac, char **av)
1406 case 'D': 1433 case 'D':
1407 no_daemon_flag = 1; 1434 no_daemon_flag = 1;
1408 break; 1435 break;
1436 case 'E':
1437 logfile = xstrdup(optarg);
1438 /* FALLTHROUGH */
1409 case 'e': 1439 case 'e':
1410 log_stderr = 1; 1440 log_stderr = 1;
1411 break; 1441 break;
@@ -1484,7 +1514,7 @@ main(int ac, char **av)
1484 if (process_server_config_line(&options, line, 1514 if (process_server_config_line(&options, line,
1485 "command-line", 0, NULL, NULL) != 0) 1515 "command-line", 0, NULL, NULL) != 0)
1486 exit(1); 1516 exit(1);
1487 xfree(line); 1517 free(line);
1488 break; 1518 break;
1489 case '?': 1519 case '?':
1490 default: 1520 default:
@@ -1503,6 +1533,11 @@ main(int ac, char **av)
1503 1533
1504 OpenSSL_add_all_algorithms(); 1534 OpenSSL_add_all_algorithms();
1505 1535
1536 /* If requested, redirect the logs to the specified logfile. */
1537 if (logfile != NULL) {
1538 log_redirect_stderr_to(logfile);
1539 free(logfile);
1540 }
1506 /* 1541 /*
1507 * Force logging to stderr until we have loaded the private host 1542 * Force logging to stderr until we have loaded the private host
1508 * key (unless started from inetd) 1543 * key (unless started from inetd)
@@ -1611,27 +1646,50 @@ main(int ac, char **av)
1611 } else { 1646 } else {
1612 memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); 1647 memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
1613 privsep_pw = pwcopy(privsep_pw); 1648 privsep_pw = pwcopy(privsep_pw);
1614 xfree(privsep_pw->pw_passwd); 1649 free(privsep_pw->pw_passwd);
1615 privsep_pw->pw_passwd = xstrdup("*"); 1650 privsep_pw->pw_passwd = xstrdup("*");
1616 } 1651 }
1617 endpwent(); 1652 endpwent();
1618 1653
1619 /* load private host keys */ 1654 /* load host keys */
1620 sensitive_data.host_keys = xcalloc(options.num_host_key_files, 1655 sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1621 sizeof(Key *)); 1656 sizeof(Key *));
1622 for (i = 0; i < options.num_host_key_files; i++) 1657 sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
1658 sizeof(Key *));
1659 for (i = 0; i < options.num_host_key_files; i++) {
1623 sensitive_data.host_keys[i] = NULL; 1660 sensitive_data.host_keys[i] = NULL;
1661 sensitive_data.host_pubkeys[i] = NULL;
1662 }
1663
1664 if (options.host_key_agent) {
1665 if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME))
1666 setenv(SSH_AUTHSOCKET_ENV_NAME,
1667 options.host_key_agent, 1);
1668 have_agent = ssh_agent_present();
1669 }
1624 1670
1625 for (i = 0; i < options.num_host_key_files; i++) { 1671 for (i = 0; i < options.num_host_key_files; i++) {
1626 key = key_load_private(options.host_key_files[i], "", NULL); 1672 key = key_load_private(options.host_key_files[i], "", NULL);
1673 pubkey = key_load_public(options.host_key_files[i], NULL);
1627 sensitive_data.host_keys[i] = key; 1674 sensitive_data.host_keys[i] = key;
1628 if (key == NULL) { 1675 sensitive_data.host_pubkeys[i] = pubkey;
1676
1677 if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 &&
1678 have_agent) {
1679 debug("will rely on agent for hostkey %s",
1680 options.host_key_files[i]);
1681 keytype = pubkey->type;
1682 } else if (key != NULL) {
1683 keytype = key->type;
1684 } else {
1629 error("Could not load host key: %s", 1685 error("Could not load host key: %s",
1630 options.host_key_files[i]); 1686 options.host_key_files[i]);
1631 sensitive_data.host_keys[i] = NULL; 1687 sensitive_data.host_keys[i] = NULL;
1688 sensitive_data.host_pubkeys[i] = NULL;
1632 continue; 1689 continue;
1633 } 1690 }
1634 switch (key->type) { 1691
1692 switch (keytype) {
1635 case KEY_RSA1: 1693 case KEY_RSA1:
1636 sensitive_data.ssh1_host_key = key; 1694 sensitive_data.ssh1_host_key = key;
1637 sensitive_data.have_ssh1_key = 1; 1695 sensitive_data.have_ssh1_key = 1;
@@ -1642,8 +1700,8 @@ main(int ac, char **av)
1642 sensitive_data.have_ssh2_key = 1; 1700 sensitive_data.have_ssh2_key = 1;
1643 break; 1701 break;
1644 } 1702 }
1645 debug("private host key: #%d type %d %s", i, key->type, 1703 debug("private host key: #%d type %d %s", i, keytype,
1646 key_type(key)); 1704 key_type(key ? key : pubkey));
1647 } 1705 }
1648 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { 1706 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
1649 logit("Disabling protocol version 1. Could not load host key"); 1707 logit("Disabling protocol version 1. Could not load host key");
@@ -1813,7 +1871,8 @@ main(int ac, char **av)
1813 1871
1814 /* Chdir to the root directory so that the current disk can be 1872 /* Chdir to the root directory so that the current disk can be
1815 unmounted if desired. */ 1873 unmounted if desired. */
1816 chdir("/"); 1874 if (chdir("/") == -1)
1875 error("chdir(\"/\"): %s", strerror(errno));
1817 1876
1818 /* ignore SIGPIPE */ 1877 /* ignore SIGPIPE */
1819 signal(SIGPIPE, SIG_IGN); 1878 signal(SIGPIPE, SIG_IGN);
@@ -2069,9 +2128,11 @@ main(int ac, char **av)
2069 buffer_init(&loginmsg); 2128 buffer_init(&loginmsg);
2070 auth_debug_reset(); 2129 auth_debug_reset();
2071 2130
2072 if (use_privsep) 2131 if (use_privsep) {
2073 if (privsep_preauth(authctxt) == 1) 2132 if (privsep_preauth(authctxt) == 1)
2074 goto authenticated; 2133 goto authenticated;
2134 } else if (compat20 && have_agent)
2135 auth_conn = ssh_get_authentication_connection();
2075 2136
2076 /* perform the key exchange */ 2137 /* perform the key exchange */
2077 /* authenticate user and start session */ 2138 /* authenticate user and start session */
@@ -2358,7 +2419,7 @@ do_ssh1_kex(void)
2358 MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); 2419 MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
2359 MD5_Final(session_key + 16, &md); 2420 MD5_Final(session_key + 16, &md);
2360 memset(buf, 0, bytes); 2421 memset(buf, 0, bytes);
2361 xfree(buf); 2422 free(buf);
2362 for (i = 0; i < 16; i++) 2423 for (i = 0; i < 16; i++)
2363 session_id[i] = session_key[i] ^ session_key[i + 16]; 2424 session_id[i] = session_key[i] ^ session_key[i + 16];
2364 } 2425 }
@@ -2385,6 +2446,23 @@ do_ssh1_kex(void)
2385 packet_write_wait(); 2446 packet_write_wait();
2386} 2447}
2387 2448
2449void
2450sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
2451 u_char *data, u_int dlen)
2452{
2453 if (privkey) {
2454 if (PRIVSEP(key_sign(privkey, signature, slen, data, dlen) < 0))
2455 fatal("%s: key_sign failed", __func__);
2456 } else if (use_privsep) {
2457 if (mm_key_sign(pubkey, signature, slen, data, dlen) < 0)
2458 fatal("%s: pubkey_sign failed", __func__);
2459 } else {
2460 if (ssh_agent_sign(auth_conn, pubkey, signature, slen, data,
2461 dlen))
2462 fatal("%s: ssh_agent_sign failed", __func__);
2463 }
2464}
2465
2388/* 2466/*
2389 * SSH2 key exchange: diffie-hellman-group1-sha1 2467 * SSH2 key exchange: diffie-hellman-group1-sha1
2390 */ 2468 */
@@ -2416,6 +2494,10 @@ do_ssh2_kex(void)
2416 if (options.kex_algorithms != NULL) 2494 if (options.kex_algorithms != NULL)
2417 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2495 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2418 2496
2497 if (options.rekey_limit || options.rekey_interval)
2498 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2499 (time_t)options.rekey_interval);
2500
2419 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2501 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2420 2502
2421#ifdef GSSAPI 2503#ifdef GSSAPI
@@ -2480,6 +2562,7 @@ do_ssh2_kex(void)
2480 kex->load_host_public_key=&get_hostkey_public_by_type; 2562 kex->load_host_public_key=&get_hostkey_public_by_type;
2481 kex->load_host_private_key=&get_hostkey_private_by_type; 2563 kex->load_host_private_key=&get_hostkey_private_by_type;
2482 kex->host_key_index=&get_hostkey_index; 2564 kex->host_key_index=&get_hostkey_index;
2565 kex->sign = sshd_hostkey_sign;
2483 2566
2484 xxx_kex = kex; 2567 xxx_kex = kex;
2485 2568
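Review bot: In `sshd_hostkey_sign()` (hunk `@@ -2385,6 +2446,23 @@`) the non-privsep branch passes `auth_conn` to `ssh_agent_sign()` unchecked, and neither `auth_conn = ssh_get_authentication_connection();` assignment (in `privsep_preauth()` and in `main()`, both of which continue outside their hunks) tests the result. `have_agent` is computed once at startup by `ssh_agent_present()`, so if the agent socket has gone away by the time a connection arrives, `auth_conn` is presumably NULL and the host-key signature fails inside authfd.c (not shown here) instead of with a named error. I would guard the call site with `} else if (auth_conn == NULL) { fatal("%s: no connection to host key agent", __func__); } else {` so that an unavailable agent is logged as such. Separately, the error branch of the key-loading loop sets `sensitive_data.host_pubkeys[i] = NULL` without a `key_free(pubkey)` when only the public half was loaded, and the `debug("private host key: ...")` label is now also printed for agent-backed public keys.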
diff --git a/sshd_config b/sshd_config
index 1af2afd7a..945014124 100644
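--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -29,6 +29,9 @@
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
 
+# Ciphers and keying
+#RekeyLimit default none
+
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH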
diff --git a/sshd_config.0 b/sshd_config.0
index 2648db3d4..5f1df7b58 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -90,6 +90,13 @@ DESCRIPTION
90 example, it would not be possible to attempt password or 90 example, it would not be possible to attempt password or
91 keyboard-interactive authentication before public key. 91 keyboard-interactive authentication before public key.
92 92
93 For keyboard interactive authentication it is also possible to
94 restrict authentication to a specific device by appending a colon
95 followed by the device identifier ``bsdauth'', ``pam'', or
96 ``skey'', depending on the server configuration. For example,
97 ``keyboard-interactive:bsdauth'' would restrict keyboard
98 interactive authentication to the ``bsdauth'' device.
99
93 This option is only available for SSH protocol 2 and will yield a 100 This option is only available for SSH protocol 2 and will yield a
94 fatal error if enabled if protocol 1 is also enabled. Note that 101 fatal error if enabled if protocol 1 is also enabled. Note that
95 each authentication method listed should also be explicitly 102 each authentication method listed should also be explicitly
@@ -99,7 +106,8 @@ DESCRIPTION
99 106
100 AuthorizedKeysCommand 107 AuthorizedKeysCommand
101 Specifies a program to be used to look up the user's public keys. 108 Specifies a program to be used to look up the user's public keys.
102 The program will be invoked with a single argument of the 109 The program must be owned by root and not writable by group or
110 others. It will be invoked with a single argument of the
103 username being authenticated, and should produce on standard 111 username being authenticated, and should produce on standard
104 output zero or more lines of authorized_keys output (see 112 output zero or more lines of authorized_keys output (see
105 AUTHORIZED_KEYS in sshd(8)). If a key supplied by 113 AUTHORIZED_KEYS in sshd(8)). If a key supplied by
@@ -322,7 +330,16 @@ DESCRIPTION
322 sshd(8) will refuse to use a file if it is group/world- 330 sshd(8) will refuse to use a file if it is group/world-
323 accessible. It is possible to have multiple host key files. 331 accessible. It is possible to have multiple host key files.
324 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or 332 ``rsa1'' keys are used for version 1 and ``dsa'', ``ecdsa'' or
325 ``rsa'' are used for version 2 of the SSH protocol. 333 ``rsa'' are used for version 2 of the SSH protocol. It is also
334 possible to specify public host key files instead. In this case
335 operations on the private key will be delegated to an
336 ssh-agent(1).
337
338 HostKeyAgent
339 Identifies the UNIX-domain socket used to communicate with an
340 agent that has access to the private host keys. If
341 ``SSH_AUTH_SOCK'' is specified, the location of the socket will
342 be read from the SSH_AUTH_SOCK environment variable.
326 343
327 IgnoreRhosts 344 IgnoreRhosts
328 Specifies that .rhosts and .shosts files will not be used in 345 Specifies that .rhosts and .shosts files will not be used in
@@ -461,8 +478,9 @@ DESCRIPTION
461 KbdInteractiveAuthentication, KerberosAuthentication, 478 KbdInteractiveAuthentication, KerberosAuthentication,
462 MaxAuthTries, MaxSessions, PasswordAuthentication, 479 MaxAuthTries, MaxSessions, PasswordAuthentication,
463 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, 480 PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel,
464 PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, 481 PubkeyAuthentication, RekeyLimit, RhostsRSAAuthentication,
465 X11DisplayOffset, X11Forwarding and X11UseLocalHost. 482 RSAAuthentication, X11DisplayOffset, X11Forwarding and
483 X11UseLocalHost.
466 484
467 MaxAuthTries 485 MaxAuthTries
468 Specifies the maximum number of authentication attempts permitted 486 Specifies the maximum number of authentication attempts permitted
@@ -571,6 +589,21 @@ DESCRIPTION
571 default is ``yes''. Note that this option applies to protocol 589 default is ``yes''. Note that this option applies to protocol
572 version 2 only. 590 version 2 only.
573 591
592 RekeyLimit
593 Specifies the maximum amount of data that may be transmitted
594 before the session key is renegotiated, optionally followed a
595 maximum amount of time that may pass before the session key is
596 renegotiated. The first argument is specified in bytes and may
597 have a suffix of `K', `M', or `G' to indicate Kilobytes,
598 Megabytes, or Gigabytes, respectively. The default is between
599 `1G' and `4G', depending on the cipher. The optional second
600 value is specified in seconds and may use any of the units
601 documented in the TIME FORMATS section. The default value for
602 RekeyLimit is ``default none'', which means that rekeying is
603 performed after the cipher's default amount of data has been sent
604 or received and no time based rekeying is done. This option
605 applies to protocol version 2 only.
606
574 RevokedKeys 607 RevokedKeys
575 Specifies revoked public keys. Keys listed in this file will be 608 Specifies revoked public keys. Keys listed in this file will be
576 refused for public key authentication. Note that if this file is 609 refused for public key authentication. Note that if this file is
@@ -777,4 +810,4 @@ AUTHORS
777 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 810 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
778 for privilege separation. 811 for privilege separation.
779 812
780OpenBSD 5.3 February 6, 2013 OpenBSD 5.3 813OpenBSD 5.4 July 19, 2013 OpenBSD 5.4
diff --git a/sshd_config.5 b/sshd_config.5
index 935bb62fa..525d9c858 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
37.Dd $Mdocdate: February 6 2013 $ 37.Dd $Mdocdate: July 19 2013 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order:
117and finally 117and finally
118.Cm AllowGroups . 118.Cm AllowGroups .
119.Pp 119.Pp
120See 120See PATTERNS in
121.Sx PATTERNS
122in
123.Xr ssh_config 5 121.Xr ssh_config 5
124for more information on patterns. 122for more information on patterns.
125.It Cm AllowTcpForwarding 123.It Cm AllowTcpForwarding
@@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order:
159and finally 157and finally
160.Cm AllowGroups . 158.Cm AllowGroups .
161.Pp 159.Pp
162See 160See PATTERNS in
163.Sx PATTERNS
164in
165.Xr ssh_config 5 161.Xr ssh_config 5
166for more information on patterns. 162for more information on patterns.
167.It Cm AuthenticationMethods 163.It Cm AuthenticationMethods
@@ -180,6 +176,20 @@ Only methods that are next in one or more lists are offered at each stage,
180so for this example, it would not be possible to attempt password or 176so for this example, it would not be possible to attempt password or
181keyboard-interactive authentication before public key. 177keyboard-interactive authentication before public key.
182.Pp 178.Pp
179For keyboard interactive authentication it is also possible to
180restrict authentication to a specific device by appending a
181colon followed by the device identifier
182.Dq bsdauth ,
183.Dq pam ,
184or
185.Dq skey ,
186depending on the server configuration.
187For example,
188.Dq keyboard-interactive:bsdauth
189would restrict keyboard interactive authentication to the
190.Dq bsdauth
191device.
192.Pp
183This option is only available for SSH protocol 2 and will yield a fatal 193This option is only available for SSH protocol 2 and will yield a fatal
184error if enabled if protocol 1 is also enabled. 194error if enabled if protocol 1 is also enabled.
185Note that each authentication method listed should also be explicitly enabled 195Note that each authentication method listed should also be explicitly enabled
@@ -188,11 +198,10 @@ The default is not to require multiple authentication; successful completion
188of a single authentication method is sufficient. 198of a single authentication method is sufficient.
189.It Cm AuthorizedKeysCommand 199.It Cm AuthorizedKeysCommand
190Specifies a program to be used to look up the user's public keys. 200Specifies a program to be used to look up the user's public keys.
191The program will be invoked with a single argument of the username 201The program must be owned by root and not writable by group or others.
202It will be invoked with a single argument of the username
192being authenticated, and should produce on standard output zero or 203being authenticated, and should produce on standard output zero or
193more lines of authorized_keys output (see 204more lines of authorized_keys output (see AUTHORIZED_KEYS in
194.Sx AUTHORIZED_KEYS
195in
196.Xr sshd 8 ) . 205.Xr sshd 8 ) .
197If a key supplied by AuthorizedKeysCommand does not successfully authenticate 206If a key supplied by AuthorizedKeysCommand does not successfully authenticate
198and authorize the user then public key authentication continues using the usual 207and authorize the user then public key authentication continues using the usual
@@ -207,7 +216,7 @@ than running authorized keys commands.
207Specifies the file that contains the public keys that can be used 216Specifies the file that contains the public keys that can be used
208for user authentication. 217for user authentication.
209The format is described in the 218The format is described in the
210.Sx AUTHORIZED_KEYS FILE FORMAT 219AUTHORIZED_KEYS FILE FORMAT
211section of 220section of
212.Xr sshd 8 . 221.Xr sshd 8 .
213.Cm AuthorizedKeysFile 222.Cm AuthorizedKeysFile
@@ -231,9 +240,7 @@ When using certificates signed by a key listed in
231this file lists names, one of which must appear in the certificate for it 240this file lists names, one of which must appear in the certificate for it
232to be accepted for authentication. 241to be accepted for authentication.
233Names are listed one per line preceded by key options (as described 242Names are listed one per line preceded by key options (as described
234in 243in AUTHORIZED_KEYS FILE FORMAT in
235.Sx AUTHORIZED_KEYS FILE FORMAT
236in
237.Xr sshd 8 ) . 244.Xr sshd 8 ) .
238Empty lines and comments starting with 245Empty lines and comments starting with
239.Ql # 246.Ql #
@@ -411,9 +418,7 @@ The allow/deny directives are processed in the following order:
411and finally 418and finally
412.Cm AllowGroups . 419.Cm AllowGroups .
413.Pp 420.Pp
414See 421See PATTERNS in
415.Sx PATTERNS
416in
417.Xr ssh_config 5 422.Xr ssh_config 5
418for more information on patterns. 423for more information on patterns.
419.It Cm DenyUsers 424.It Cm DenyUsers
@@ -432,9 +437,7 @@ The allow/deny directives are processed in the following order:
432and finally 437and finally
433.Cm AllowGroups . 438.Cm AllowGroups .
434.Pp 439.Pp
435See 440See PATTERNS in
436.Sx PATTERNS
437in
438.Xr ssh_config 5 441.Xr ssh_config 5
439for more information on patterns. 442for more information on patterns.
440.It Cm ForceCommand 443.It Cm ForceCommand
@@ -571,6 +574,18 @@ keys are used for version 1 and
571or 574or
572.Dq rsa 575.Dq rsa
573are used for version 2 of the SSH protocol. 576are used for version 2 of the SSH protocol.
577It is also possible to specify public host key files instead.
578In this case operations on the private key will be delegated
579to an
580.Xr ssh-agent 1 .
581.It Cm HostKeyAgent
582Identifies the UNIX-domain socket used to communicate
583with an agent that has access to the private host keys.
584If
585.Dq SSH_AUTH_SOCK
586is specified, the location of the socket will be read from the
587.Ev SSH_AUTH_SOCK
588environment variable.
574.It Cm IgnoreRhosts 589.It Cm IgnoreRhosts
575Specifies that 590Specifies that
576.Pa .rhosts 591.Pa .rhosts
@@ -774,8 +789,7 @@ and
774.Cm Address . 789.Cm Address .
775The match patterns may consist of single entries or comma-separated 790The match patterns may consist of single entries or comma-separated
776lists and may use the wildcard and negation operators described in the 791lists and may use the wildcard and negation operators described in the
777.Sx PATTERNS 792PATTERNS section of
778section of
779.Xr ssh_config 5 . 793.Xr ssh_config 5 .
780.Pp 794.Pp
781The patterns in an 795The patterns in an
@@ -827,6 +841,7 @@ Available keywords are
827.Cm PermitRootLogin , 841.Cm PermitRootLogin ,
828.Cm PermitTunnel , 842.Cm PermitTunnel ,
829.Cm PubkeyAuthentication , 843.Cm PubkeyAuthentication ,
844.Cm RekeyLimit ,
830.Cm RhostsRSAAuthentication , 845.Cm RhostsRSAAuthentication ,
831.Cm RSAAuthentication , 846.Cm RSAAuthentication ,
832.Cm X11DisplayOffset , 847.Cm X11DisplayOffset ,
@@ -1021,6 +1036,32 @@ Specifies whether public key authentication is allowed.
1021The default is 1036The default is
1022.Dq yes . 1037.Dq yes .
1023Note that this option applies to protocol version 2 only. 1038Note that this option applies to protocol version 2 only.
1039.It Cm RekeyLimit
1040Specifies the maximum amount of data that may be transmitted before the
1041session key is renegotiated, optionally followed a maximum amount of
1042time that may pass before the session key is renegotiated.
1043The first argument is specified in bytes and may have a suffix of
1044.Sq K ,
1045.Sq M ,
1046or
1047.Sq G
1048to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1049The default is between
1050.Sq 1G
1051and
1052.Sq 4G ,
1053depending on the cipher.
1054The optional second value is specified in seconds and may use any of the
1055units documented in the
1056.Sx TIME FORMATS
1057section.
1058The default value for
1059.Cm RekeyLimit
1060is
1061.Dq default none ,
1062which means that rekeying is performed after the cipher's default amount
1063of data has been sent or received and no time based rekeying is done.
1064This option applies to protocol version 2 only.
1024.It Cm RevokedKeys 1065.It Cm RevokedKeys
1025Specifies revoked public keys. 1066Specifies revoked public keys.
1026Keys listed in this file will be refused for public key authentication. 1067Keys listed in this file will be refused for public key authentication.
@@ -1029,9 +1070,7 @@ be refused for all users.
1029Keys may be specified as a text file, listing one public key per line, or as 1070Keys may be specified as a text file, listing one public key per line, or as
1030an OpenSSH Key Revocation List (KRL) as generated by 1071an OpenSSH Key Revocation List (KRL) as generated by
1031.Xr ssh-keygen 1 . 1072.Xr ssh-keygen 1 .
1032For more information on KRLs, see the 1073For more information on KRLs, see the KEY REVOCATION LISTS section in
1033.Sx KEY REVOCATION LISTS
1034section in
1035.Xr ssh-keygen 1 . 1074.Xr ssh-keygen 1 .
1036.It Cm RhostsRSAAuthentication 1075.It Cm RhostsRSAAuthentication
1037Specifies whether rhosts or /etc/hosts.equiv authentication together 1076Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -1120,9 +1159,7 @@ listed in the certificate's principals list.
1120Note that certificates that lack a list of principals will not be permitted 1159Note that certificates that lack a list of principals will not be permitted
1121for authentication using 1160for authentication using
1122.Cm TrustedUserCAKeys . 1161.Cm TrustedUserCAKeys .
1123For more details on certificates, see the 1162For more details on certificates, see the CERTIFICATES section in
1124.Sx CERTIFICATES
1125section in
1126.Xr ssh-keygen 1 . 1163.Xr ssh-keygen 1 .
1127.It Cm UseDNS 1164.It Cm UseDNS
1128Specifies whether 1165Specifies whether
diff --git a/sshlogin.c b/sshlogin.c
index 54629f747..2688d8d7b 100644
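--- a/sshlogin.c
+++ b/sshlogin.c
@@ -97,7 +97,7 @@ store_lastlog_message(const char *user, uid_t uid)
  time_string = sys_auth_get_lastlogin_msg(user, uid);
  if (time_string != NULL) {
  buffer_append(&loginmsg, time_string, strlen(time_string));
- xfree(time_string);
+ free(time_string);
  }
 # else
  last_login_time = get_last_login_time(uid, user, hostname,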
diff --git a/sshlogin.h b/sshlogin.h
index 500d3fefd..52119a979 100644
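--- a/sshlogin.h
+++ b/sshlogin.h
@@ -15,7 +15,7 @@
 void record_login(pid_t, const char *, const char *, uid_t,
  const char *, struct sockaddr *, socklen_t);
 void record_logout(pid_t, const char *, const char *);
-time_t get_last_login_time(uid_t, const char *, char *, u_int);
+time_t get_last_login_time(uid_t, const char *, char *, size_t);
 
 #ifdef LOGIN_NEEDS_UTMPX
 void record_utmp_only(pid_t, const char *, const char *, const char *,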
diff --git a/uidswap.c b/uidswap.c
index cdd7309e3..26d17f93a 100644
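--- a/uidswap.c
+++ b/uidswap.c
@@ -90,8 +90,7 @@ temporarily_use_uid(struct passwd *pw)
  if (getgroups(saved_egroupslen, saved_egroups) < 0)
  fatal("getgroups: %.100s", strerror(errno));
  } else { /* saved_egroupslen == 0 */
- if (saved_egroups != NULL)
- xfree(saved_egroups);
+ free(saved_egroups);
  }
 
  /* set and save the user's groups */
@@ -109,8 +108,7 @@ temporarily_use_uid(struct passwd *pw)
  if (getgroups(user_groupslen, user_groups) < 0)
  fatal("getgroups: %.100s", strerror(errno));
  } else { /* user_groupslen == 0 */
- if (user_groups)
- xfree(user_groups);
+ free(user_groups);
  }
  }
  /* Set the effective uid to the given (unprivileged) uid. */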
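Review bot: After `free(saved_egroups);` in the `saved_egroupslen == 0` branch the pointer keeps its old value, and the same holds for `free(user_groups);` in the second hunk. Neither declaration is visible in the hunks, but if these are file-scope variables reused across calls to temporarily_use_uid, which the in-place `getgroups(saved_egroupslen, saved_egroups)` refill suggests, a later call would free or reallocate memory that has already been released. Resetting the pointer in each branch closes that: `free(saved_egroups); saved_egroups = NULL;` and likewise `free(user_groups); user_groups = NULL;`. The function starts and ends outside both hunks.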
diff --git a/umac.c b/umac.c
index 0567c37f9..99416a510 100644
--- a/umac.c
+++ b/umac.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */ 1/* $OpenBSD: umac.c,v 1.7 2013/07/22 05:00:17 djm Exp $ */
2/* ----------------------------------------------------------------------- 2/* -----------------------------------------------------------------------
3 * 3 *
4 * umac.c -- C Implementation UMAC Message Authentication 4 * umac.c -- C Implementation UMAC Message Authentication
@@ -132,13 +132,13 @@ typedef unsigned int UWORD; /* Register */
132/* ---------------------------------------------------------------------- */ 132/* ---------------------------------------------------------------------- */
133 133
134#if HAVE_SWAP32 134#if HAVE_SWAP32
135#define LOAD_UINT32_REVERSED(p) (swap32(*(UINT32 *)(p))) 135#define LOAD_UINT32_REVERSED(p) (swap32(*(const UINT32 *)(p)))
136#define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v)) 136#define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v))
137#else /* HAVE_SWAP32 */ 137#else /* HAVE_SWAP32 */
138 138
139static UINT32 LOAD_UINT32_REVERSED(void *ptr) 139static UINT32 LOAD_UINT32_REVERSED(const void *ptr)
140{ 140{
141 UINT32 temp = *(UINT32 *)ptr; 141 UINT32 temp = *(const UINT32 *)ptr;
142 temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 ) 142 temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 )
143 | ((temp & 0x0000FF00) << 8 ) | (temp << 24); 143 | ((temp & 0x0000FF00) << 8 ) | (temp << 24);
144 return (UINT32)temp; 144 return (UINT32)temp;
@@ -159,7 +159,7 @@ static void STORE_UINT32_REVERSED(void *ptr, UINT32 x)
159 */ 159 */
160 160
161#if (__LITTLE_ENDIAN__) 161#if (__LITTLE_ENDIAN__)
162#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr)) 162#define LOAD_UINT32_LITTLE(ptr) (*(const UINT32 *)(ptr))
163#define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x) 163#define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x)
164#else 164#else
165#define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr) 165#define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr)
@@ -184,7 +184,7 @@ typedef AES_KEY aes_int_key[1];
184#define aes_encryption(in,out,int_key) \ 184#define aes_encryption(in,out,int_key) \
185 AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key) 185 AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key)
186#define aes_key_setup(key,int_key) \ 186#define aes_key_setup(key,int_key) \
187 AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key) 187 AES_set_encrypt_key((const u_char *)(key),UMAC_KEY_LEN*8,int_key)
188 188
189/* The user-supplied UMAC key is stretched using AES in a counter 189/* The user-supplied UMAC key is stretched using AES in a counter
190 * mode to supply all random bits needed by UMAC. The kdf function takes 190 * mode to supply all random bits needed by UMAC. The kdf function takes
@@ -240,7 +240,7 @@ static void pdf_init(pdf_ctx *pc, aes_int_key prf_key)
240 aes_encryption(pc->nonce, pc->cache, pc->prf_key); 240 aes_encryption(pc->nonce, pc->cache, pc->prf_key);
241} 241}
242 242
243static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) 243static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8])
244{ 244{
245 /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes 245 /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes
246 * of the AES output. If last time around we returned the ndx-1st 246 * of the AES output. If last time around we returned the ndx-1st
@@ -254,19 +254,21 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8])
254#elif (UMAC_OUTPUT_LEN > 8) 254#elif (UMAC_OUTPUT_LEN > 8)
255#define LOW_BIT_MASK 0 255#define LOW_BIT_MASK 0
256#endif 256#endif
257 257 union {
258 UINT8 tmp_nonce_lo[4]; 258 UINT8 tmp_nonce_lo[4];
259 UINT32 align;
260 } t;
259#if LOW_BIT_MASK != 0 261#if LOW_BIT_MASK != 0
260 int ndx = nonce[7] & LOW_BIT_MASK; 262 int ndx = nonce[7] & LOW_BIT_MASK;
261#endif 263#endif
262 *(UINT32 *)tmp_nonce_lo = ((UINT32 *)nonce)[1]; 264 *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1];
263 tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ 265 t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */
264 266
265 if ( (((UINT32 *)tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || 267 if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) ||
266 (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) 268 (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) )
267 { 269 {
268 ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; 270 ((UINT32 *)pc->nonce)[0] = ((const UINT32 *)nonce)[0];
269 ((UINT32 *)pc->nonce)[1] = ((UINT32 *)tmp_nonce_lo)[0]; 271 ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0];
270 aes_encryption(pc->nonce, pc->cache, pc->prf_key); 272 aes_encryption(pc->nonce, pc->cache, pc->prf_key);
271 } 273 }
272 274
@@ -333,7 +335,7 @@ typedef struct {
333 335
334#if (UMAC_OUTPUT_LEN == 4) 336#if (UMAC_OUTPUT_LEN == 4)
335 337
336static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 338static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
337/* NH hashing primitive. Previous (partial) hash result is loaded and 339/* NH hashing primitive. Previous (partial) hash result is loaded and
338* then stored via hp pointer. The length of the data pointed at by "dp", 340* then stored via hp pointer. The length of the data pointed at by "dp",
339* "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key 341* "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key
@@ -343,7 +345,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
343 UINT64 h; 345 UINT64 h;
344 UWORD c = dlen / 32; 346 UWORD c = dlen / 32;
345 UINT32 *k = (UINT32 *)kp; 347 UINT32 *k = (UINT32 *)kp;
346 UINT32 *d = (UINT32 *)dp; 348 const UINT32 *d = (const UINT32 *)dp;
347 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 349 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
348 UINT32 k0,k1,k2,k3,k4,k5,k6,k7; 350 UINT32 k0,k1,k2,k3,k4,k5,k6,k7;
349 351
@@ -368,7 +370,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
368 370
369#elif (UMAC_OUTPUT_LEN == 8) 371#elif (UMAC_OUTPUT_LEN == 8)
370 372
371static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 373static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
372/* Same as previous nh_aux, but two streams are handled in one pass, 374/* Same as previous nh_aux, but two streams are handled in one pass,
373 * reading and writing 16 bytes of hash-state per call. 375 * reading and writing 16 bytes of hash-state per call.
374 */ 376 */
@@ -376,7 +378,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
376 UINT64 h1,h2; 378 UINT64 h1,h2;
377 UWORD c = dlen / 32; 379 UWORD c = dlen / 32;
378 UINT32 *k = (UINT32 *)kp; 380 UINT32 *k = (UINT32 *)kp;
379 UINT32 *d = (UINT32 *)dp; 381 const UINT32 *d = (const UINT32 *)dp;
380 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 382 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
381 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 383 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
382 k8,k9,k10,k11; 384 k8,k9,k10,k11;
@@ -415,7 +417,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
415 417
416#elif (UMAC_OUTPUT_LEN == 12) 418#elif (UMAC_OUTPUT_LEN == 12)
417 419
418static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 420static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
419/* Same as previous nh_aux, but two streams are handled in one pass, 421/* Same as previous nh_aux, but two streams are handled in one pass,
420 * reading and writing 24 bytes of hash-state per call. 422 * reading and writing 24 bytes of hash-state per call.
421*/ 423*/
@@ -423,7 +425,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
423 UINT64 h1,h2,h3; 425 UINT64 h1,h2,h3;
424 UWORD c = dlen / 32; 426 UWORD c = dlen / 32;
425 UINT32 *k = (UINT32 *)kp; 427 UINT32 *k = (UINT32 *)kp;
426 UINT32 *d = (UINT32 *)dp; 428 const UINT32 *d = (const UINT32 *)dp;
427 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 429 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
428 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 430 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
429 k8,k9,k10,k11,k12,k13,k14,k15; 431 k8,k9,k10,k11,k12,k13,k14,k15;
@@ -470,7 +472,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
470 472
471#elif (UMAC_OUTPUT_LEN == 16) 473#elif (UMAC_OUTPUT_LEN == 16)
472 474
473static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) 475static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
474/* Same as previous nh_aux, but two streams are handled in one pass, 476/* Same as previous nh_aux, but two streams are handled in one pass,
475 * reading and writing 24 bytes of hash-state per call. 477 * reading and writing 24 bytes of hash-state per call.
476*/ 478*/
@@ -478,7 +480,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
478 UINT64 h1,h2,h3,h4; 480 UINT64 h1,h2,h3,h4;
479 UWORD c = dlen / 32; 481 UWORD c = dlen / 32;
480 UINT32 *k = (UINT32 *)kp; 482 UINT32 *k = (UINT32 *)kp;
481 UINT32 *d = (UINT32 *)dp; 483 const UINT32 *d = (const UINT32 *)dp;
482 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 484 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
483 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 485 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
484 k8,k9,k10,k11,k12,k13,k14,k15, 486 k8,k9,k10,k11,k12,k13,k14,k15,
@@ -539,7 +541,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen)
539 541
540/* ---------------------------------------------------------------------- */ 542/* ---------------------------------------------------------------------- */
541 543
542static void nh_transform(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) 544static void nh_transform(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes)
543/* This function is a wrapper for the primitive NH hash functions. It takes 545/* This function is a wrapper for the primitive NH hash functions. It takes
544 * as argument "hc" the current hash context and a buffer which must be a 546 * as argument "hc" the current hash context and a buffer which must be a
545 * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset 547 * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset
@@ -614,7 +616,7 @@ static void nh_init(nh_ctx *hc, aes_int_key prf_key)
614 616
615/* ---------------------------------------------------------------------- */ 617/* ---------------------------------------------------------------------- */
616 618
617static void nh_update(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) 619static void nh_update(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes)
618/* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */ 620/* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */
619/* even multiple of HASH_BUF_BYTES. */ 621/* even multiple of HASH_BUF_BYTES. */
620{ 622{
@@ -709,7 +711,7 @@ static void nh_final(nh_ctx *hc, UINT8 *result)
709 711
710/* ---------------------------------------------------------------------- */ 712/* ---------------------------------------------------------------------- */
711 713
712static void nh(nh_ctx *hc, UINT8 *buf, UINT32 padded_len, 714static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len,
713 UINT32 unpadded_len, UINT8 *result) 715 UINT32 unpadded_len, UINT8 *result)
714/* All-in-one nh_update() and nh_final() equivalent. 716/* All-in-one nh_update() and nh_final() equivalent.
715 * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is 717 * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is
@@ -1047,7 +1049,7 @@ static int uhash_free(uhash_ctx_t ctx)
1047#endif 1049#endif
1048/* ---------------------------------------------------------------------- */ 1050/* ---------------------------------------------------------------------- */
1049 1051
1050static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) 1052static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len)
1051/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and 1053/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and
1052 * hash each one with NH, calling the polyhash on each NH output. 1054 * hash each one with NH, calling the polyhash on each NH output.
1053 */ 1055 */
@@ -1057,7 +1059,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1057 UINT8 *nh_result = (UINT8 *)&result_buf; 1059 UINT8 *nh_result = (UINT8 *)&result_buf;
1058 1060
1059 if (ctx->msg_len + len <= L1_KEY_LEN) { 1061 if (ctx->msg_len + len <= L1_KEY_LEN) {
1060 nh_update(&ctx->hash, (UINT8 *)input, len); 1062 nh_update(&ctx->hash, (const UINT8 *)input, len);
1061 ctx->msg_len += len; 1063 ctx->msg_len += len;
1062 } else { 1064 } else {
1063 1065
@@ -1072,7 +1074,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1072 /* bytes to complete the current nh_block. */ 1074 /* bytes to complete the current nh_block. */
1073 if (bytes_hashed) { 1075 if (bytes_hashed) {
1074 bytes_remaining = (L1_KEY_LEN - bytes_hashed); 1076 bytes_remaining = (L1_KEY_LEN - bytes_hashed);
1075 nh_update(&ctx->hash, (UINT8 *)input, bytes_remaining); 1077 nh_update(&ctx->hash, (const UINT8 *)input, bytes_remaining);
1076 nh_final(&ctx->hash, nh_result); 1078 nh_final(&ctx->hash, nh_result);
1077 ctx->msg_len += bytes_remaining; 1079 ctx->msg_len += bytes_remaining;
1078 poly_hash(ctx,(UINT32 *)nh_result); 1080 poly_hash(ctx,(UINT32 *)nh_result);
@@ -1082,7 +1084,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1082 1084
1083 /* Hash directly from input stream if enough bytes */ 1085 /* Hash directly from input stream if enough bytes */
1084 while (len >= L1_KEY_LEN) { 1086 while (len >= L1_KEY_LEN) {
1085 nh(&ctx->hash, (UINT8 *)input, L1_KEY_LEN, 1087 nh(&ctx->hash, (const UINT8 *)input, L1_KEY_LEN,
1086 L1_KEY_LEN, nh_result); 1088 L1_KEY_LEN, nh_result);
1087 ctx->msg_len += L1_KEY_LEN; 1089 ctx->msg_len += L1_KEY_LEN;
1088 len -= L1_KEY_LEN; 1090 len -= L1_KEY_LEN;
@@ -1093,7 +1095,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1093 1095
1094 /* pass remaining < L1_KEY_LEN bytes of input data to NH */ 1096 /* pass remaining < L1_KEY_LEN bytes of input data to NH */
1095 if (len) { 1097 if (len) {
1096 nh_update(&ctx->hash, (UINT8 *)input, len); 1098 nh_update(&ctx->hash, (const UINT8 *)input, len);
1097 ctx->msg_len += len; 1099 ctx->msg_len += len;
1098 } 1100 }
1099 } 1101 }
@@ -1209,14 +1211,14 @@ int umac_delete(struct umac_ctx *ctx)
1209 if (ctx) { 1211 if (ctx) {
1210 if (ALLOC_BOUNDARY) 1212 if (ALLOC_BOUNDARY)
1211 ctx = (struct umac_ctx *)ctx->free_ptr; 1213 ctx = (struct umac_ctx *)ctx->free_ptr;
1212 xfree(ctx); 1214 free(ctx);
1213 } 1215 }
1214 return (1); 1216 return (1);
1215} 1217}
1216 1218
1217/* ---------------------------------------------------------------------- */ 1219/* ---------------------------------------------------------------------- */
1218 1220
1219struct umac_ctx *umac_new(u_char key[]) 1221struct umac_ctx *umac_new(const u_char key[])
1220/* Dynamically allocate a umac_ctx struct, initialize variables, 1222/* Dynamically allocate a umac_ctx struct, initialize variables,
1221 * generate subkeys from key. Align to 16-byte boundary. 1223 * generate subkeys from key. Align to 16-byte boundary.
1222 */ 1224 */
@@ -1233,7 +1235,7 @@ struct umac_ctx *umac_new(u_char key[])
1233 ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add); 1235 ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add);
1234 } 1236 }
1235 ctx->free_ptr = octx; 1237 ctx->free_ptr = octx;
1236 aes_key_setup(key,prf_key); 1238 aes_key_setup(key, prf_key);
1237 pdf_init(&ctx->pdf, prf_key); 1239 pdf_init(&ctx->pdf, prf_key);
1238 uhash_init(&ctx->hash, prf_key); 1240 uhash_init(&ctx->hash, prf_key);
1239 } 1241 }
@@ -1243,18 +1245,18 @@ struct umac_ctx *umac_new(u_char key[])
1243 1245
1244/* ---------------------------------------------------------------------- */ 1246/* ---------------------------------------------------------------------- */
1245 1247
1246int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]) 1248int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8])
1247/* Incorporate any pending data, pad, and generate tag */ 1249/* Incorporate any pending data, pad, and generate tag */
1248{ 1250{
1249 uhash_final(&ctx->hash, (u_char *)tag); 1251 uhash_final(&ctx->hash, (u_char *)tag);
1250 pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); 1252 pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag);
1251 1253
1252 return (1); 1254 return (1);
1253} 1255}
1254 1256
1255/* ---------------------------------------------------------------------- */ 1257/* ---------------------------------------------------------------------- */
1256 1258
1257int umac_update(struct umac_ctx *ctx, u_char *input, long len) 1259int umac_update(struct umac_ctx *ctx, const u_char *input, long len)
1258/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */ 1260/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */
1259/* hash each one, calling the PDF on the hashed output whenever the hash- */ 1261/* hash each one, calling the PDF on the hashed output whenever the hash- */
1260/* output buffer is full. */ 1262/* output buffer is full. */
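Review bot: The new union in pdf_gen_xor aligns only the local `t.tmp_nonce_lo`; the caller's `nonce` is still read as `((const UINT32 *)nonce)[1]` and `((const UINT32 *)nonce)[0]`, and its type, `const UINT8 nonce[8]`, carries no 4-byte alignment guarantee, so a strict-alignment target can still fault there and the read remains type-punned. A byte copy avoids both: `memcpy(t.tmp_nonce_lo, nonce + 4, sizeof(t.tmp_nonce_lo));`, with the two comparisons against `pc->nonce` done through `memcmp` in the same way. umac_final passes its `const u_char nonce[8]` argument straight through, so the alignment would otherwise have to be promised by every caller, none of which is visible here. pdf_gen_xor's body continues past the hunk.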
diff --git a/umac.h b/umac.h
index 6795112a3..7fb770f8a 100644
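--- a/umac.h
+++ b/umac.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */
+/* $OpenBSD: umac.h,v 1.3 2013/07/22 12:20:02 djm Exp $ */
 /* -----------------------------------------------------------------------
  *
  * umac.h -- C Implementation UMAC Message Authentication
@@ -52,7 +52,7 @@
  extern "C" {
 #endif
 
-struct umac_ctx *umac_new(u_char key[]);
+struct umac_ctx *umac_new(const u_char key[]);
 /* Dynamically allocate a umac_ctx struct, initialize variables,
  * generate subkeys from key.
  */
@@ -62,10 +62,10 @@ int umac_reset(struct umac_ctx *ctx);
 /* Reset a umac_ctx to begin authenicating a new message */
 #endif
 
-int umac_update(struct umac_ctx *ctx, u_char *input, long len);
+int umac_update(struct umac_ctx *ctx, const u_char *input, long len);
 /* Incorporate len bytes pointed to by input into context ctx */
 
-int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]);
+int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]);
 /* Incorporate any pending data and the ctr value, and return tag.
  * This function returns error code if ctr < 0.
  */
@@ -117,9 +117,9 @@ int uhash(uhash_ctx_t ctx,
 #endif
 
 /* matching umac-128 API, we reuse umac_ctx, since it's opaque */
-struct umac_ctx *umac128_new(u_char key[]);
-int umac128_update(struct umac_ctx *ctx, u_char *input, long len);
-int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]);
+struct umac_ctx *umac128_new(const u_char key[]);
+int umac128_update(struct umac_ctx *ctx, const u_char *input, long len);
+int umac128_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]);
 int umac128_delete(struct umac_ctx *ctx);
 
 #ifdef __cplusplus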
diff --git a/uuencode.c b/uuencode.c
index 09d80d2fc..294c74304 100644
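--- a/uuencode.c
+++ b/uuencode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uuencode.c,v 1.26 2010/08/31 11:54:45 djm Exp $ */
+/* $OpenBSD: uuencode.c,v 1.27 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -29,6 +29,7 @@
 #include <netinet/in.h>
 #include <resolv.h>
 #include <stdio.h>
+#include <stdlib.h>
 
 #include "xmalloc.h"
 #include "uuencode.h"
@@ -67,7 +68,7 @@ uudecode(const char *src, u_char *target, size_t targsize)
  /* and remove trailing whitespace because __b64_pton needs this */
  *p = '\0';
  len = __b64_pton(encoded, target, targsize);
- xfree(encoded);
+ free(encoded);
  return len;
 }
 
@@ -90,5 +91,5 @@ dump_base64(FILE *fp, const u_char *data, u_int len)
  }
  if (i % 70 != 69)
  fprintf(fp, "\n");
- xfree(buf);
+ free(buf);
 }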
diff --git a/version.h b/version.h
index 8f64c4629..f6ec0ee3b 100644
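--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */
+/* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */
 
-#define SSH_VERSION "OpenSSH_6.2"
+#define SSH_VERSION "OpenSSH_6.3"
 
-#define SSH_PORTABLE "p2"
+#define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE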
diff --git a/xmalloc.c b/xmalloc.c
index 9985b4cc2..92f781fd0 100644
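--- a/xmalloc.c
+++ b/xmalloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: xmalloc.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -73,14 +73,6 @@ xrealloc(void *ptr, size_t nmemb, size_t size)
  return new_ptr;
 }
 
-void
-xfree(void *ptr)
-{
- if (ptr == NULL)
- fatal("xfree: NULL pointer given as argument");
- free(ptr);
-}
-
 char *
 xstrdup(const char *str)
 {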
diff --git a/xmalloc.h b/xmalloc.h
index fb217a45c..261dfd612 100644
--- a/xmalloc.h
+++ b/xmalloc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ 1/* $OpenBSD: xmalloc.h,v 1.14 2013/05/17 00:13:14 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -19,7 +19,6 @@
19void *xmalloc(size_t); 19void *xmalloc(size_t);
20void *xcalloc(size_t, size_t); 20void *xcalloc(size_t, size_t);
21void *xrealloc(void *, size_t, size_t); 21void *xrealloc(void *, size_t, size_t);
22void xfree(void *);
23char *xstrdup(const char *); 22char *xstrdup(const char *);
24int xasprintf(char **, const char *, ...) 23int xasprintf(char **, const char *, ...)
25 __attribute__((__format__ (printf, 2, 3))) 24 __attribute__((__format__ (printf, 2, 3)))