diff options
104 files changed, 3213 insertions, 528 deletions
@@ -1,3 +1,371 @@ | |||
1 | 20070817 | ||
2 | - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked | ||
3 | accounts and that's what the code looks for, so make man page and code | ||
4 | agree. Pointed out by Roumen Petrov. | ||
5 | - (dtucker) [INSTALL] Group the parts describing random options and PAM | ||
6 | implementations together which is hopefully more coherent. | ||
7 | - (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid. | ||
8 | - (dtucker) [INSTALL] Give PAM its own heading. | ||
9 | - (dtucker) [INSTALL] Link to tcpwrappers. | ||
10 | |||
11 | 20070816 | ||
12 | - (dtucker) [session.c] Call PAM cleanup functions for unauthenticated | ||
13 | connections too. Based on a patch from Sandro Wefel, with & ok djm@ | ||
14 | |||
15 | 20070815 | ||
16 | - (dtucker) OpenBSD CVS Sync | ||
17 | - markus@cvs.openbsd.org 2007/08/15 08:14:46 | ||
18 | [clientloop.c] | ||
19 | do NOT fall back to the trused x11 cookie if generation of an untrusted | ||
20 | cookie fails; from Jan Pechanec, via security-alert at sun.com; | ||
21 | ok dtucker | ||
22 | - markus@cvs.openbsd.org 2007/08/15 08:16:49 | ||
23 | [version.h] | ||
24 | openssh 4.7 | ||
25 | - stevesk@cvs.openbsd.org 2007/08/15 12:13:41 | ||
26 | [ssh_config.5] | ||
27 | tun device forwarding now honours ExitOnForwardFailure; ok markus@ | ||
28 | - (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler. | ||
29 | ok djm@ | ||
30 | - (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec | ||
31 | contrib/suse/openssh.spec] Crank version. | ||
32 | |||
33 | 20070813 | ||
34 | - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always | ||
35 | called with PAM_ESTABLISH_CRED at least once, which resolves a problem | ||
36 | with pam_dhkeys. Patch from David Leonard, ok djm@ | ||
37 | |||
38 | 20070810 | ||
39 | - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ | ||
40 | - (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From | ||
41 | Matt Kraai, ok djm@ | ||
42 | |||
43 | 20070809 | ||
44 | - (dtucker) [openbsd-compat/port-aix.c] Comment typo. | ||
45 | - (dtucker) [README.platform] Document the interaction between PermitRootLogin | ||
46 | and the AIX native login restrictions. | ||
47 | - (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't | ||
48 | used anywhere and are a potential source of warnings. | ||
49 | |||
50 | 20070808 | ||
51 | - (djm) OpenBSD CVS Sync | ||
52 | - ray@cvs.openbsd.org 2007/07/12 05:48:05 | ||
53 | [key.c] | ||
54 | Delint: remove some unreachable statements, from Bret Lambert. | ||
55 | OK markus@ and dtucker@. | ||
56 | - sobrado@cvs.openbsd.org 2007/08/06 19:16:06 | ||
57 | [scp.1 scp.c] | ||
58 | the ellipsis is not an optional argument; while here, sync the usage | ||
59 | and synopsis of commands | ||
60 | lots of good ideas by jmc@ | ||
61 | ok jmc@ | ||
62 | - djm@cvs.openbsd.org 2007/08/07 07:32:53 | ||
63 | [clientloop.c clientloop.h ssh.c] | ||
64 | bz#1232: ensure that any specified LocalCommand is executed after the | ||
65 | tunnel device is opened. Also, make failures to open a tunnel device | ||
66 | fatal when ExitOnForwardFailure is active. | ||
67 | Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt | ||
68 | |||
69 | 20070724 | ||
70 | - (tim) [openssh.xml.in] make FMRI match what package scripts use. | ||
71 | - (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call. | ||
72 | Report/patch by David.Leonard AT quest.com (and Bernhard Simon) | ||
73 | - (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5) | ||
74 | - (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}| | ||
75 | |||
76 | 20070628 | ||
77 | - (djm) bz#1325: Fix SELinux in permissive mode where it would | ||
78 | incorrectly fatal() on errors. patch from cjwatson AT debian.org; | ||
79 | ok dtucker | ||
80 | |||
81 | 20070625 | ||
82 | - (dtucker) OpenBSD CVS Sync | ||
83 | - djm@cvs.openbsd.org 2007/06/13 00:21:27 | ||
84 | [scp.c] | ||
85 | don't ftruncate() non-regular files; bz#1236 reported by wood AT | ||
86 | xmission.com; ok dtucker@ | ||
87 | - djm@cvs.openbsd.org 2007/06/14 21:43:25 | ||
88 | [ssh.c] | ||
89 | handle EINTR when waiting for mux exit status properly | ||
90 | - djm@cvs.openbsd.org 2007/06/14 22:48:05 | ||
91 | [ssh.c] | ||
92 | when waiting for the multiplex exit status, read until the master end | ||
93 | writes an entire int of data *and* closes the client_fd; fixes mux | ||
94 | regression spotted by dtucker, ok dtucker@ | ||
95 | - djm@cvs.openbsd.org 2007/06/19 02:04:43 | ||
96 | [atomicio.c] | ||
97 | if the fd passed to atomicio/atomiciov() is non blocking, then poll() to | ||
98 | avoid a spin if it is not yet ready for reading/writing; ok dtucker@ | ||
99 | - dtucker@cvs.openbsd.org 2007/06/25 08:20:03 | ||
100 | [channels.c] | ||
101 | Correct test for window updates every three packets; prevents sending | ||
102 | window updates for every single packet. ok markus@ | ||
103 | - dtucker@cvs.openbsd.org 2007/06/25 12:02:27 | ||
104 | [atomicio.c] | ||
105 | Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@ | ||
106 | - (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match | ||
107 | atomicio. | ||
108 | - (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in | ||
109 | openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h] | ||
110 | Add an implementation of poll() built on top of select(2). Code from | ||
111 | OpenNTPD with changes suggested by djm. ok djm@ | ||
112 | |||
113 | 20070614 | ||
114 | - (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the | ||
115 | USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be | ||
116 | shared with umac.c. Allows building with OpenSSL 0.9.5 again including | ||
117 | umac support. With tim@ djm@, ok djm. | ||
118 | - (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL | ||
119 | sections. Fixes builds with early OpenSSL 0.9.6 versions. | ||
120 | - (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition | ||
121 | of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the | ||
122 | subsequent <0.9.7 test. | ||
123 | |||
124 | 20070612 | ||
125 | - (dtucker) OpenBSD CVS Sync | ||
126 | - markus@cvs.openbsd.org 2007/06/11 09:14:00 | ||
127 | [channels.h] | ||
128 | increase default channel windows; ok djm | ||
129 | - djm@cvs.openbsd.org 2007/06/12 07:41:00 | ||
130 | [ssh-add.1] | ||
131 | better document ssh-add's -d option (delete identies from agent), bz#1224 | ||
132 | new text based on some provided by andrewmc-debian AT celt.dias.ie; | ||
133 | ok dtucker@ | ||
134 | - djm@cvs.openbsd.org 2007/06/12 08:20:00 | ||
135 | [ssh-gss.h gss-serv.c gss-genr.c] | ||
136 | relocate server-only GSSAPI code from libssh to server; bz #1225 | ||
137 | patch from simon AT sxw.org.uk; ok markus@ dtucker@ | ||
138 | - djm@cvs.openbsd.org 2007/06/12 08:24:20 | ||
139 | [scp.c] | ||
140 | make scp try to skip FIFOs rather than blocking when nothing is listening. | ||
141 | depends on the platform supporting sane O_NONBLOCK semantics for open | ||
142 | on FIFOs (apparently POSIX does not mandate this), which OpenBSD does. | ||
143 | bz #856; report by cjwatson AT debian.org; ok markus@ | ||
144 | - djm@cvs.openbsd.org 2007/06/12 11:11:08 | ||
145 | [ssh.c] | ||
146 | fix slave exit value when a control master goes away without passing the | ||
147 | full exit status by ensuring that the slave reads a full int. bz#1261 | ||
148 | reported by frekko AT gmail.com; ok markus@ dtucker@ | ||
149 | - djm@cvs.openbsd.org 2007/06/12 11:15:17 | ||
150 | [ssh.c ssh.1] | ||
151 | Add "-K" flag for ssh to set GSSAPIAuthentication=yes and | ||
152 | GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) | ||
153 | and is useful for hosts with /home on Kerberised NFS; bz #1312 | ||
154 | patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ | ||
155 | - djm@cvs.openbsd.org 2007/06/12 11:45:27 | ||
156 | [ssh.c] | ||
157 | improved exit message from multiplex slave sessions; bz #1262 | ||
158 | reported by alexandre.nunes AT gmail.com; ok dtucker@ | ||
159 | - dtucker@cvs.openbsd.org 2007/06/12 11:56:15 | ||
160 | [gss-genr.c] | ||
161 | Pass GSS OID to gss_display_status to provide better information in | ||
162 | error messages. Patch from Simon Wilkinson via bz 1220. ok djm@ | ||
163 | - jmc@cvs.openbsd.org 2007/06/12 13:41:03 | ||
164 | [ssh-add.1] | ||
165 | identies -> identities; | ||
166 | - jmc@cvs.openbsd.org 2007/06/12 13:43:55 | ||
167 | [ssh.1] | ||
168 | add -K to SYNOPSIS; | ||
169 | - dtucker@cvs.openbsd.org 2007/06/12 13:54:28 | ||
170 | [scp.c] | ||
171 | Encode filename with strnvis if the name contains a newline (which can't | ||
172 | be represented in the scp protocol), from bz #891. ok markus@ | ||
173 | |||
174 | 20070611 | ||
175 | - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit | ||
176 | fix; tested by dtucker@ and jochen.kirn AT gmail.com | ||
177 | - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34 | ||
178 | [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] | ||
179 | [ssh_config.5 sshd.8 sshd_config.5] | ||
180 | Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, | ||
181 | must specify umac-64@openssh.com). Provides about 20% end-to-end speedup | ||
182 | compared to hmac-md5. Represents a different approach to message | ||
183 | authentication to that of HMAC that may be beneficial if HMAC based on | ||
184 | one of its underlying hash algorithms is found to be vulnerable to a | ||
185 | new attack. http://www.ietf.org/rfc/rfc4418.txt | ||
186 | in conjunction with and OK djm@ | ||
187 | - pvalchev@cvs.openbsd.org 2007/06/08 04:40:40 | ||
188 | [ssh_config] | ||
189 | Add a "MACs" line after "Ciphers" with the default MAC algorithms, | ||
190 | to ease people who want to tweak both (eg. for performance reasons). | ||
191 | ok deraadt@ djm@ dtucker@ | ||
192 | - jmc@cvs.openbsd.org 2007/06/08 07:43:46 | ||
193 | [ssh_config.5] | ||
194 | put the MAC list into a display, like we do for ciphers, | ||
195 | since groff has trouble handling wide lines; | ||
196 | - jmc@cvs.openbsd.org 2007/06/08 07:48:09 | ||
197 | [sshd_config.5] | ||
198 | oops, here too: put the MAC list into a display, like we do for | ||
199 | ciphers, since groff has trouble with wide lines; | ||
200 | - markus@cvs.openbsd.org 2007/06/11 08:04:44 | ||
201 | [channels.c] | ||
202 | send 'window adjust' messages every tree packets and do not wait | ||
203 | until 50% of the window is consumed. ok djm dtucker | ||
204 | - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then | ||
205 | fallback to provided bit-swizzing functions | ||
206 | - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder" | ||
207 | argument to nanosleep may be NULL. Currently this never happens in OpenSSH, | ||
208 | but check anyway in case this changes or the code gets used elsewhere. | ||
209 | - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should | ||
210 | prevent warnings about redefinitions of various things in paths.h. | ||
211 | Spotted by cartmanltd at hotmail.com. | ||
212 | |||
213 | 20070605 | ||
214 | - (dtucker) OpenBSD CVS Sync | ||
215 | - djm@cvs.openbsd.org 2007/05/22 10:18:52 | ||
216 | [sshd.c] | ||
217 | zap double include; from p_nowaczyk AT o2.pl | ||
218 | (not required in -portable, Id sync only) | ||
219 | - djm@cvs.openbsd.org 2007/05/30 05:58:13 | ||
220 | [kex.c] | ||
221 | tidy: KNF, ARGSUSED and u_int | ||
222 | - jmc@cvs.openbsd.org 2007/05/31 19:20:16 | ||
223 | [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 | ||
224 | ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] | ||
225 | convert to new .Dd format; | ||
226 | (We will need to teach mdoc2man.awk to understand this too.) | ||
227 | - djm@cvs.openbsd.org 2007/05/31 23:34:29 | ||
228 | [packet.c] | ||
229 | gc unreachable code; spotted by Tavis Ormandy | ||
230 | - djm@cvs.openbsd.org 2007/06/02 09:04:58 | ||
231 | [bufbn.c] | ||
232 | memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca | ||
233 | - djm@cvs.openbsd.org 2007/06/05 06:52:37 | ||
234 | [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c] | ||
235 | Preserve MAC ctx between packets, saving 2xhash calls per-packet. | ||
236 | Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 | ||
237 | patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm | ||
238 | committing at his request) | ||
239 | - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that | ||
240 | OpenBSD's cvs now adds. | ||
241 | - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so | ||
242 | mindrot's cvs doesn't expand it on us. | ||
243 | - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs. | ||
244 | |||
245 | 20070520 | ||
246 | - (dtucker) OpenBSD CVS Sync | ||
247 | - stevesk@cvs.openbsd.org 2007/04/14 22:01:58 | ||
248 | [auth2.c] | ||
249 | remove unused macro; from Dmitry V. Levin <ldv@altlinux.org> | ||
250 | - stevesk@cvs.openbsd.org 2007/04/18 01:12:43 | ||
251 | [sftp-server.c] | ||
252 | cast "%llu" format spec to (unsigned long long); do not assume a | ||
253 | u_int64_t arg is the same as 'unsigned long long'. | ||
254 | from Dmitry V. Levin <ldv@altlinux.org> | ||
255 | ok markus@ 'Yes, that looks correct' millert@ | ||
256 | - dtucker@cvs.openbsd.org 2007/04/23 10:15:39 | ||
257 | [servconf.c] | ||
258 | Remove debug() left over from development. ok deraadt@ | ||
259 | - djm@cvs.openbsd.org 2007/05/17 07:50:31 | ||
260 | [log.c] | ||
261 | save and restore errno when logging; ok deraadt@ | ||
262 | - djm@cvs.openbsd.org 2007/05/17 07:55:29 | ||
263 | [sftp-server.c] | ||
264 | bz#1286 stop reading and processing commands when input or output buffer | ||
265 | is nearly full, otherwise sftp-server would happily try to grow the | ||
266 | input/output buffers past the maximum supported by the buffer API and | ||
267 | promptly fatal() | ||
268 | based on patch from Thue Janus Kristensen; feedback & ok dtucker@ | ||
269 | - djm@cvs.openbsd.org 2007/05/17 20:48:13 | ||
270 | [sshconnect2.c] | ||
271 | fall back to gethostname() when the outgoing connection is not | ||
272 | on a socket, such as is the case when ProxyCommand is used. | ||
273 | Gives hostbased auth an opportunity to work; bz#616, report | ||
274 | and feedback stuart AT kaloram.com; ok markus@ | ||
275 | - djm@cvs.openbsd.org 2007/05/17 20:52:13 | ||
276 | [monitor.c] | ||
277 | pass received SIGINT from monitor to postauth child so it can clean | ||
278 | up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; | ||
279 | ok markus@ | ||
280 | - jolan@cvs.openbsd.org 2007/05/17 23:53:41 | ||
281 | [sshconnect2.c] | ||
282 | djm owes me a vb and a tism cd for breaking ssh compilation | ||
283 | - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from | ||
284 | ldv at altlinux.org. | ||
285 | - (dtucker) [auth-pam.c] Return empty string if fgets fails in | ||
286 | sshpam_tty_conv. Patch from ldv at altlinux.org. | ||
287 | |||
288 | 20070509 | ||
289 | - (tim) [configure.ac] Bug #1287: Add missing test for ucred.h. | ||
290 | |||
291 | 20070429 | ||
292 | - (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h | ||
293 | for select(2) prototype. | ||
294 | - (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype. | ||
295 | - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the | ||
296 | platform's _res if it has one. Should fix problem of DNSSEC record lookups | ||
297 | on NetBSD as reported by Curt Sampson. | ||
298 | - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. | ||
299 | - (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS | ||
300 | so we don't get redefinition warnings. | ||
301 | - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. | ||
302 | - (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__ | ||
303 | __nonnull__ for versions of GCC that don't support it. | ||
304 | - (dtucker) [configure.ac defines.h] Have configure check for offsetof | ||
305 | to prevent redefinition warnings. | ||
306 | |||
307 | 20070406 | ||
308 | - (dtucker) [INSTALL] Update the systems that have PAM as standard. Link | ||
309 | to OpenPAM too. | ||
310 | - (dtucker) [INSTALL] prngd lives at sourceforge these days. | ||
311 | |||
312 | 20070326 | ||
313 | - (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c | ||
314 | openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines | ||
315 | to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@ | ||
316 | |||
317 | 20070325 | ||
318 | - (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX, | ||
319 | LIBWRAP and LIBPAM variables in Makefile with the general-purpose | ||
320 | SSHDLIBS. "I like" djm@ | ||
321 | |||
322 | 20070321 | ||
323 | - (dtucker) OpenBSD CVS Sync | ||
324 | - dtucker@cvs.openbsd.org 2007/03/09 05:20:06 | ||
325 | [servconf.c sshd.c] | ||
326 | Move C/R -> kbdint special case to after the defaults have been | ||
327 | loaded, which makes ChallengeResponse default to yes again. This | ||
328 | was broken by the Match changes and not fixed properly subsequently. | ||
329 | Found by okan at demirmen.com, ok djm@ "please do it" deraadt@ | ||
330 | - djm@cvs.openbsd.org 2007/03/19 01:01:29 | ||
331 | [sshd_config] | ||
332 | Disable the legacy SSH protocol 1 for new installations via | ||
333 | a configuration override. In the future, we will change the | ||
334 | server's default itself so users who need the legacy protocol | ||
335 | will need to turn it on explicitly | ||
336 | - dtucker@cvs.openbsd.org 2007/03/19 12:16:42 | ||
337 | [ssh-agent.c] | ||
338 | Remove the signal handler that checks if the agent's parent process | ||
339 | has gone away, instead check when the select loop returns. Record when | ||
340 | the next key will expire when scanning for expired keys. Set the select | ||
341 | timeout to whichever of these two things happens next. With djm@, with & | ||
342 | ok deraadt@ markus@ | ||
343 | - tedu@cvs.openbsd.org 2007/03/20 03:56:12 | ||
344 | [readconf.c clientloop.c] | ||
345 | remove some bogus *p tests from charles longeau | ||
346 | ok deraadt millert | ||
347 | - jmc@cvs.openbsd.org 2007/03/20 15:57:15 | ||
348 | [sshd.8] | ||
349 | - let synopsis and description agree for -f | ||
350 | - sort FILES | ||
351 | - +.Xr ssh-keyscan 1 , | ||
352 | from Igor Sobrado | ||
353 | - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use | ||
354 | getpeerucred to implement getpeereid (currently only Solaris 10 and up). | ||
355 | Patch by Jan.Pechanec at Sun. | ||
356 | - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have | ||
357 | HAVE_GETPEERUCRED too. Also from Jan Pechanec. | ||
358 | |||
359 | 20070313 | ||
360 | - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include | ||
361 | string.h to prevent warnings, from vapier at gentoo.org. | ||
362 | - (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the | ||
363 | selinux bits in -portable. | ||
364 | - (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in | ||
365 | bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h | ||
366 | in cipher-bf1.c. Patch from Juan Gallego. | ||
367 | - (dtucker) [README.platform] Info about blibpath on AIX. | ||
368 | |||
1 | 20070306 | 369 | 20070306 |
2 | - (djm) OpenBSD CVS Sync | 370 | - (djm) OpenBSD CVS Sync |
3 | - jmc@cvs.openbsd.org 2007/03/01 16:19:33 | 371 | - jmc@cvs.openbsd.org 2007/03/01 16:19:33 |
@@ -2816,4 +3184,4 @@ | |||
2816 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 3184 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
2817 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 3185 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
2818 | 3186 | ||
2819 | $Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $ | 3187 | $Id: ChangeLog,v 1.4738.2.1 2007/09/04 06:49:09 djm Exp $ |
@@ -14,17 +14,37 @@ Blowfish) do not work correctly.) | |||
14 | 14 | ||
15 | The remaining items are optional. | 15 | The remaining items are optional. |
16 | 16 | ||
17 | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system | ||
18 | supports it. PAM is standard on Redhat and Debian Linux, Solaris and | ||
19 | HP-UX 11. | ||
20 | |||
21 | NB. If you operating system supports /dev/random, you should configure | 17 | NB. If you operating system supports /dev/random, you should configure |
22 | OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of | 18 | OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of |
23 | /dev/random. If you don't you will have to rely on ssh-rand-helper, which | 19 | /dev/random, or failing that, either prngd or egd. If you don't have |
24 | is inferior to a good kernel-based solution. | 20 | any of these you will have to rely on ssh-rand-helper, which is inferior |
21 | to a good kernel-based solution or prngd. | ||
22 | |||
23 | PRNGD: | ||
24 | |||
25 | If your system lacks kernel-based random collection, the use of Lutz | ||
26 | Jaenicke's PRNGd is recommended. | ||
27 | |||
28 | http://prngd.sourceforge.net/ | ||
29 | |||
30 | EGD: | ||
31 | |||
32 | The Entropy Gathering Daemon (EGD) is supported if you have a system which | ||
33 | lacks /dev/random and don't want to use OpenSSH's internal entropy collection. | ||
34 | |||
35 | http://www.lothar.com/tech/crypto/ | ||
25 | 36 | ||
26 | PAM: | 37 | PAM: |
27 | http://www.kernel.org/pub/linux/libs/pam/ | 38 | |
39 | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your | ||
40 | system supports it. PAM is standard most Linux distributions, Solaris, | ||
41 | HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. | ||
42 | |||
43 | Information about the various PAM implementations are available: | ||
44 | |||
45 | Solaris PAM: http://www.sun.com/software/solaris/pam/ | ||
46 | Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ | ||
47 | OpenPAM: http://www.openpam.org/ | ||
28 | 48 | ||
29 | If you wish to build the GNOME passphrase requester, you will need the GNOME | 49 | If you wish to build the GNOME passphrase requester, you will need the GNOME |
30 | libraries and headers. | 50 | libraries and headers. |
@@ -37,19 +57,14 @@ passphrase requester. This is maintained separately at: | |||
37 | 57 | ||
38 | http://www.jmknoble.net/software/x11-ssh-askpass/ | 58 | http://www.jmknoble.net/software/x11-ssh-askpass/ |
39 | 59 | ||
40 | PRNGD: | 60 | TCP Wrappers: |
41 | |||
42 | If your system lacks Kernel based random collection, the use of Lutz | ||
43 | Jaenicke's PRNGd is recommended. | ||
44 | |||
45 | http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html | ||
46 | |||
47 | EGD: | ||
48 | 61 | ||
49 | The Entropy Gathering Daemon (EGD) is supported if you have a system which | 62 | If you wish to use the TCP wrappers functionality you will need at least |
50 | lacks /dev/random and don't want to use OpenSSH's internal entropy collection. | 63 | tcpd.h and libwrap.a, either in the standard include and library paths, |
64 | or in the directory specified by --with-tcp-wrappers. Version 7.6 is | ||
65 | known to work. | ||
51 | 66 | ||
52 | http://www.lothar.com/tech/crypto/ | 67 | http://ftp.porcupine.org/pub/security/index.html |
53 | 68 | ||
54 | S/Key Libraries: | 69 | S/Key Libraries: |
55 | 70 | ||
@@ -72,7 +87,7 @@ Autoconf: | |||
72 | If you modify configure.ac or configure doesn't exist (eg if you checked | 87 | If you modify configure.ac or configure doesn't exist (eg if you checked |
73 | the code out of CVS yourself) then you will need autoconf-2.61 to rebuild | 88 | the code out of CVS yourself) then you will need autoconf-2.61 to rebuild |
74 | the automatically generated files by running "autoreconf". Earlier | 89 | the automatically generated files by running "autoreconf". Earlier |
75 | version may also work but this is not guaranteed. | 90 | versions may also work but this is not guaranteed. |
76 | 91 | ||
77 | http://www.gnu.org/software/autoconf/ | 92 | http://www.gnu.org/software/autoconf/ |
78 | 93 | ||
@@ -162,7 +177,7 @@ Integration Architecture. The default for OSF1 machines is enable. | |||
162 | need the S/Key libraries and header files installed for this to work. | 177 | need the S/Key libraries and header files installed for this to work. |
163 | 178 | ||
164 | --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) | 179 | --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) |
165 | support. You will need libwrap.a and tcpd.h installed. | 180 | support. |
166 | 181 | ||
167 | --with-md5-passwords will enable the use of MD5 passwords. Enable this | 182 | --with-md5-passwords will enable the use of MD5 passwords. Enable this |
168 | if your operating system uses MD5 passwords and the system crypt() does | 183 | if your operating system uses MD5 passwords and the system crypt() does |
@@ -180,7 +195,7 @@ $DISPLAY environment variable. Some broken systems need this. | |||
180 | --with-default-path=PATH allows you to specify a default $PATH for sessions | 195 | --with-default-path=PATH allows you to specify a default $PATH for sessions |
181 | started by sshd. This replaces the standard path entirely. | 196 | started by sshd. This replaces the standard path entirely. |
182 | 197 | ||
183 | --with-pid-dir=PATH specifies the directory in which the ssh.pid file is | 198 | --with-pid-dir=PATH specifies the directory in which the sshd.pid file is |
184 | created. | 199 | created. |
185 | 200 | ||
186 | --with-xauth=PATH specifies the location of the xauth binary | 201 | --with-xauth=PATH specifies the location of the xauth binary |
@@ -251,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at | |||
251 | http://www.openssh.com/ | 266 | http://www.openssh.com/ |
252 | 267 | ||
253 | 268 | ||
254 | $Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $ | 269 | $Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $ |
@@ -205,6 +205,7 @@ OpenSSH contains no GPL code. | |||
205 | Darren Tucker | 205 | Darren Tucker |
206 | Sun Microsystems | 206 | Sun Microsystems |
207 | The SCO Group | 207 | The SCO Group |
208 | Daniel Walsh | ||
208 | 209 | ||
209 | * Redistribution and use in source and binary forms, with or without | 210 | * Redistribution and use in source and binary forms, with or without |
210 | * modification, are permitted provided that the following conditions | 211 | * modification, are permitted provided that the following conditions |
diff --git a/Makefile.in b/Makefile.in index 852fb70e4..3ac9aaf45 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.283 2006/10/23 21:44:47 tim Exp $ | 1 | # $Id: Makefile.in,v 1.285 2007/06/11 04:01:42 djm Exp $ |
2 | 2 | ||
3 | # uncomment if you run a non bourne compatable shell. Ie. csh | 3 | # uncomment if you run a non bourne compatable shell. Ie. csh |
4 | #SHELL = @SH@ | 4 | #SHELL = @SH@ |
@@ -44,11 +44,8 @@ LD=@LD@ | |||
44 | CFLAGS=@CFLAGS@ | 44 | CFLAGS=@CFLAGS@ |
45 | CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ | 45 | CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
46 | LIBS=@LIBS@ | 46 | LIBS=@LIBS@ |
47 | LIBSELINUX=@LIBSELINUX@ | ||
48 | SSHDLIBS=@SSHDLIBS@ | 47 | SSHDLIBS=@SSHDLIBS@ |
49 | LIBEDIT=@LIBEDIT@ | 48 | LIBEDIT=@LIBEDIT@ |
50 | LIBPAM=@LIBPAM@ | ||
51 | LIBWRAP=@LIBWRAP@ | ||
52 | AR=@AR@ | 49 | AR=@AR@ |
53 | AWK=@AWK@ | 50 | AWK=@AWK@ |
54 | RANLIB=@RANLIB@ | 51 | RANLIB=@RANLIB@ |
@@ -74,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | |||
74 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 71 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
75 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ | 72 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ |
76 | kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ | 73 | kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ |
77 | entropy.o scard-opensc.o gss-genr.o kexgssc.o | 74 | entropy.o scard-opensc.o gss-genr.o umac.o kexgssc.o |
78 | 75 | ||
79 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 76 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
80 | sshconnect.o sshconnect1.o sshconnect2.o | 77 | sshconnect.o sshconnect1.o sshconnect2.o |
@@ -139,7 +136,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) | |||
139 | $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 136 | $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
140 | 137 | ||
141 | sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) | 138 | sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) |
142 | $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS) | 139 | $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) |
143 | 140 | ||
144 | scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o | 141 | scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o |
145 | $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 142 | $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
@@ -1,4 +1,4 @@ | |||
1 | See http://www.openssh.com/txt/release-4.6 for the release notes. | 1 | See http://www.openssh.com/txt/release-4.7 for the release notes. |
2 | 2 | ||
3 | - A Japanese translation of this document and of the OpenSSH FAQ is | 3 | - A Japanese translation of this document and of the OpenSSH FAQ is |
4 | - available at http://www.unixuser.org/~haruyama/security/openssh/index.html | 4 | - available at http://www.unixuser.org/~haruyama/security/openssh/index.html |
@@ -62,4 +62,4 @@ References - | |||
62 | [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 | 62 | [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 |
63 | [7] http://www.openssh.com/faq.html | 63 | [7] http://www.openssh.com/faq.html |
64 | 64 | ||
65 | $Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $ | 65 | $Id: README,v 1.66 2007/08/15 09:22:20 dtucker Exp $ |
diff --git a/README.platform b/README.platform index b7dc3f91c..3d7db1494 100644 --- a/README.platform +++ b/README.platform | |||
@@ -23,6 +23,20 @@ to force the previous IPv4-only behaviour. | |||
23 | IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5 | 23 | IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5 |
24 | IPv6 known broken: 4.3.3ML11 5.1ML4 | 24 | IPv6 known broken: 4.3.3ML11 5.1ML4 |
25 | 25 | ||
26 | If you wish to use dynamic libraries that aren't in the normal system | ||
27 | locations (eg IBM's OpenSSL and zlib packages) then you will need to | ||
28 | define the environment variable blibpath before running configure, eg | ||
29 | |||
30 | blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \ | ||
31 | --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware | ||
32 | |||
33 | If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled | ||
34 | by default) then sshd checks that users are permitted via the | ||
35 | loginrestrictions() function, in particular that the user has the | ||
36 | "rlogin" attribute set. This check is not done for the root account, | ||
37 | instead the PermitRootLogin setting in sshd_config is used. | ||
38 | |||
39 | |||
26 | Cygwin | 40 | Cygwin |
27 | ------ | 41 | ------ |
28 | To build on Cygwin, OpenSSH requires the following packages: | 42 | To build on Cygwin, OpenSSH requires the following packages: |
@@ -67,4 +81,4 @@ account stacks which will prevent authentication entirely, but will still | |||
67 | return the output from pam_nologin to the client. | 81 | return the output from pam_nologin to the client. |
68 | 82 | ||
69 | 83 | ||
70 | $Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $ | 84 | $Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $ |
diff --git a/atomicio.c b/atomicio.c index f651a292c..f32ff85ba 100644 --- a/atomicio.c +++ b/atomicio.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */ | 1 | /* $OpenBSD: atomicio.c,v 1.25 2007/06/25 12:02:27 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2006 Damien Miller. All rights reserved. | 3 | * Copyright (c) 2006 Damien Miller. All rights reserved. |
4 | * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. | 4 | * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. |
@@ -32,7 +32,11 @@ | |||
32 | #include <sys/uio.h> | 32 | #include <sys/uio.h> |
33 | 33 | ||
34 | #include <errno.h> | 34 | #include <errno.h> |
35 | #ifdef HAVE_POLL_H | ||
36 | #include <poll.h> | ||
37 | #endif | ||
35 | #include <string.h> | 38 | #include <string.h> |
39 | #include <unistd.h> | ||
36 | 40 | ||
37 | #include "atomicio.h" | 41 | #include "atomicio.h" |
38 | 42 | ||
@@ -45,17 +49,24 @@ atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n) | |||
45 | char *s = _s; | 49 | char *s = _s; |
46 | size_t pos = 0; | 50 | size_t pos = 0; |
47 | ssize_t res; | 51 | ssize_t res; |
52 | struct pollfd pfd; | ||
48 | 53 | ||
54 | pfd.fd = fd; | ||
55 | pfd.events = f == read ? POLLIN : POLLOUT; | ||
49 | while (n > pos) { | 56 | while (n > pos) { |
50 | res = (f) (fd, s + pos, n - pos); | 57 | res = (f) (fd, s + pos, n - pos); |
51 | switch (res) { | 58 | switch (res) { |
52 | case -1: | 59 | case -1: |
53 | #ifdef EWOULDBLOCK | 60 | #ifdef EWOULDBLOCK |
54 | if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK) | 61 | if (errno == EINTR || errno == EWOULDBLOCK) |
55 | #else | 62 | #else |
56 | if (errno == EINTR || errno == EAGAIN) | 63 | if (errno == EINTR) |
57 | #endif | 64 | #endif |
58 | continue; | 65 | continue; |
66 | if (errno == EAGAIN) { | ||
67 | (void)poll(&pfd, 1, -1); | ||
68 | continue; | ||
69 | } | ||
59 | return 0; | 70 | return 0; |
60 | case 0: | 71 | case 0: |
61 | errno = EPIPE; | 72 | errno = EPIPE; |
@@ -77,6 +88,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd, | |||
77 | size_t pos = 0, rem; | 88 | size_t pos = 0, rem; |
78 | ssize_t res; | 89 | ssize_t res; |
79 | struct iovec iov_array[IOV_MAX], *iov = iov_array; | 90 | struct iovec iov_array[IOV_MAX], *iov = iov_array; |
91 | struct pollfd pfd; | ||
80 | 92 | ||
81 | if (iovcnt > IOV_MAX) { | 93 | if (iovcnt > IOV_MAX) { |
82 | errno = EINVAL; | 94 | errno = EINVAL; |
@@ -85,12 +97,22 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd, | |||
85 | /* Make a copy of the iov array because we may modify it below */ | 97 | /* Make a copy of the iov array because we may modify it below */ |
86 | memcpy(iov, _iov, iovcnt * sizeof(*_iov)); | 98 | memcpy(iov, _iov, iovcnt * sizeof(*_iov)); |
87 | 99 | ||
100 | pfd.fd = fd; | ||
101 | pfd.events = f == readv ? POLLIN : POLLOUT; | ||
88 | for (; iovcnt > 0 && iov[0].iov_len > 0;) { | 102 | for (; iovcnt > 0 && iov[0].iov_len > 0;) { |
89 | res = (f) (fd, iov, iovcnt); | 103 | res = (f) (fd, iov, iovcnt); |
90 | switch (res) { | 104 | switch (res) { |
91 | case -1: | 105 | case -1: |
92 | if (errno == EINTR || errno == EAGAIN) | 106 | #ifdef EWOULDBLOCK |
107 | if (errno == EINTR || errno == EWOULDBLOCK) | ||
108 | #else | ||
109 | if (errno == EINTR) | ||
110 | #endif | ||
93 | continue; | 111 | continue; |
112 | if (errno == EAGAIN) { | ||
113 | (void)poll(&pfd, 1, -1); | ||
114 | continue; | ||
115 | } | ||
94 | return 0; | 116 | return 0; |
95 | case 0: | 117 | case 0: |
96 | errno = EPIPE; | 118 | errno = EPIPE; |
diff --git a/auth-pam.c b/auth-pam.c index c08d47229..a07f1fe77 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -161,9 +161,9 @@ sshpam_sigchld_handler(int sig) | |||
161 | WTERMSIG(sshpam_thread_status) == SIGTERM) | 161 | WTERMSIG(sshpam_thread_status) == SIGTERM) |
162 | return; /* terminated by pthread_cancel */ | 162 | return; /* terminated by pthread_cancel */ |
163 | if (!WIFEXITED(sshpam_thread_status)) | 163 | if (!WIFEXITED(sshpam_thread_status)) |
164 | fatal("PAM: authentication thread exited unexpectedly"); | 164 | sigdie("PAM: authentication thread exited unexpectedly"); |
165 | if (WEXITSTATUS(sshpam_thread_status) != 0) | 165 | if (WEXITSTATUS(sshpam_thread_status) != 0) |
166 | fatal("PAM: authentication thread exited uncleanly"); | 166 | sigdie("PAM: authentication thread exited uncleanly"); |
167 | } | 167 | } |
168 | 168 | ||
169 | /* ARGSUSED */ | 169 | /* ARGSUSED */ |
@@ -686,8 +686,7 @@ sshpam_init_ctx(Authctxt *authctxt) | |||
686 | return (NULL); | 686 | return (NULL); |
687 | } | 687 | } |
688 | 688 | ||
689 | ctxt = xmalloc(sizeof *ctxt); | 689 | ctxt = xcalloc(1, sizeof *ctxt); |
690 | memset(ctxt, 0, sizeof(*ctxt)); | ||
691 | 690 | ||
692 | /* Start the authentication thread */ | 691 | /* Start the authentication thread */ |
693 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { | 692 | if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { |
@@ -985,7 +984,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, | |||
985 | break; | 984 | break; |
986 | case PAM_PROMPT_ECHO_ON: | 985 | case PAM_PROMPT_ECHO_ON: |
987 | fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); | 986 | fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); |
988 | fgets(input, sizeof input, stdin); | 987 | if (fgets(input, sizeof input, stdin) == NULL) |
988 | input[0] = '\0'; | ||
989 | if ((reply[i].resp = strdup(input)) == NULL) | 989 | if ((reply[i].resp = strdup(input)) == NULL) |
990 | goto fail; | 990 | goto fail; |
991 | reply[i].resp_retcode = PAM_SUCCESS; | 991 | reply[i].resp_retcode = PAM_SUCCESS; |
@@ -1130,9 +1130,8 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, | |||
1130 | if (n <= 0 || n > PAM_MAX_NUM_MSG) | 1130 | if (n <= 0 || n > PAM_MAX_NUM_MSG) |
1131 | return (PAM_CONV_ERR); | 1131 | return (PAM_CONV_ERR); |
1132 | 1132 | ||
1133 | if ((reply = malloc(n * sizeof(*reply))) == NULL) | 1133 | if ((reply = calloc(n, sizeof(*reply))) == NULL) |
1134 | return (PAM_CONV_ERR); | 1134 | return (PAM_CONV_ERR); |
1135 | memset(reply, 0, n * sizeof(*reply)); | ||
1136 | 1135 | ||
1137 | for (i = 0; i < n; ++i) { | 1136 | for (i = 0; i < n; ++i) { |
1138 | switch (PAM_MSG_MEMBER(msg, i, msg_style)) { | 1137 | switch (PAM_MSG_MEMBER(msg, i, msg_style)) { |
diff --git a/auth-shadow.c b/auth-shadow.c index 8b3160aee..219091677 100644 --- a/auth-shadow.c +++ b/auth-shadow.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <shadow.h> | 28 | #include <shadow.h> |
29 | #include <stdarg.h> | 29 | #include <stdarg.h> |
30 | #include <string.h> | 30 | #include <string.h> |
31 | #include <time.h> | ||
31 | 32 | ||
32 | #include "key.h" | 33 | #include "key.h" |
33 | #include "hostfile.h" | 34 | #include "hostfile.h" |
@@ -115,11 +115,11 @@ allowed_user(struct passwd * pw) | |||
115 | /* grab passwd field for locked account check */ | 115 | /* grab passwd field for locked account check */ |
116 | #ifdef USE_SHADOW | 116 | #ifdef USE_SHADOW |
117 | if (spw != NULL) | 117 | if (spw != NULL) |
118 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | 118 | #ifdef USE_LIBIAF |
119 | passwd = get_iaf_password(pw); | 119 | passwd = get_iaf_password(pw); |
120 | #else | 120 | #else |
121 | passwd = spw->sp_pwdp; | 121 | passwd = spw->sp_pwdp; |
122 | #endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ | 122 | #endif /* USE_LIBIAF */ |
123 | #else | 123 | #else |
124 | passwd = pw->pw_passwd; | 124 | passwd = pw->pw_passwd; |
125 | #endif | 125 | #endif |
@@ -141,9 +141,9 @@ allowed_user(struct passwd * pw) | |||
141 | if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) | 141 | if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) |
142 | locked = 1; | 142 | locked = 1; |
143 | #endif | 143 | #endif |
144 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | 144 | #ifdef USE_LIBIAF |
145 | free(passwd); | 145 | free(passwd); |
146 | #endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ | 146 | #endif /* USE_LIBIAF */ |
147 | if (locked) { | 147 | if (locked) { |
148 | logit("User %.100s not allowed because account is locked", | 148 | logit("User %.100s not allowed because account is locked", |
149 | pw->pw_name); | 149 | pw->pw_name); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */ | 1 | /* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -292,8 +292,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) | |||
292 | } | 292 | } |
293 | } | 293 | } |
294 | 294 | ||
295 | #define DELIM "," | ||
296 | |||
297 | static char * | 295 | static char * |
298 | authmethods_get(void) | 296 | authmethods_get(void) |
299 | { | 297 | { |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/ | 1 | /* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -201,12 +201,14 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value) | |||
201 | return (-1); | 201 | return (-1); |
202 | } | 202 | } |
203 | if (len > 8 * 1024) { | 203 | if (len > 8 * 1024) { |
204 | error("buffer_get_bignum2_ret: cannot handle BN of size %d", len); | 204 | error("buffer_get_bignum2_ret: cannot handle BN of size %d", |
205 | len); | ||
205 | xfree(bin); | 206 | xfree(bin); |
206 | return (-1); | 207 | return (-1); |
207 | } | 208 | } |
208 | if (BN_bin2bn(bin, len, value) == NULL) { | 209 | if (BN_bin2bn(bin, len, value) == NULL) { |
209 | error("buffer_get_bignum2_ret: BN_bin2bn failed"); | 210 | error("buffer_get_bignum2_ret: BN_bin2bn failed"); |
211 | xfree(bin); | ||
210 | return (-1); | 212 | return (-1); |
211 | } | 213 | } |
212 | xfree(bin); | 214 | xfree(bin); |
diff --git a/buildpkg.sh.in b/buildpkg.sh.in index 8a96b9050..22c66fbd4 100644 --- a/buildpkg.sh.in +++ b/buildpkg.sh.in | |||
@@ -49,6 +49,8 @@ PKG_REQUEST_LOCAL=../pkg-request.local | |||
49 | OPENSSHD=opensshd.init | 49 | OPENSSHD=opensshd.init |
50 | OPENSSH_MANIFEST=openssh.xml | 50 | OPENSSH_MANIFEST=openssh.xml |
51 | OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default | 51 | OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default |
52 | SMF_METHOD_DIR=/lib/svc/method/site | ||
53 | SMF_MANIFEST_DIR=/var/svc/manifest/site | ||
52 | 54 | ||
53 | PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@ | 55 | PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@ |
54 | PATH_USERADD_PROG=@PATH_USERADD_PROG@ | 56 | PATH_USERADD_PROG=@PATH_USERADD_PROG@ |
@@ -196,15 +198,17 @@ then | |||
196 | # For Solaris' SMF, /lib/svc/method/site is the preferred place | 198 | # For Solaris' SMF, /lib/svc/method/site is the preferred place |
197 | # for start/stop scripts that aren't supplied with the OS, and | 199 | # for start/stop scripts that aren't supplied with the OS, and |
198 | # similarly /var/svc/manifest/site for manifests. | 200 | # similarly /var/svc/manifest/site for manifests. |
199 | mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site | 201 | mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR} |
200 | mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site | 202 | mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR} |
201 | 203 | ||
202 | cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME} | 204 | cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME} |
203 | chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME} | 205 | chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME} |
204 | 206 | ||
205 | cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \ | 207 | cat ${OPENSSH_MANIFEST} | \ |
206 | > $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml | 208 | sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \ |
207 | chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml | 209 | -e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \ |
210 | > $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml | ||
211 | chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml | ||
208 | else | 212 | else |
209 | mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d | 213 | mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d |
210 | 214 | ||
@@ -214,19 +218,19 @@ fi | |||
214 | 218 | ||
215 | [ "${PERMIT_ROOT_LOGIN}" = no ] && \ | 219 | [ "${PERMIT_ROOT_LOGIN}" = no ] && \ |
216 | perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ | 220 | perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ |
217 | $FAKE_ROOT/${sysconfdir}/sshd_config | 221 | $FAKE_ROOT${sysconfdir}/sshd_config |
218 | [ "${X11_FORWARDING}" = yes ] && \ | 222 | [ "${X11_FORWARDING}" = yes ] && \ |
219 | perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ | 223 | perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ |
220 | $FAKE_ROOT/${sysconfdir}/sshd_config | 224 | $FAKE_ROOT${sysconfdir}/sshd_config |
221 | # fix PrintMotd | 225 | # fix PrintMotd |
222 | perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \ | 226 | perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \ |
223 | $FAKE_ROOT/${sysconfdir}/sshd_config | 227 | $FAKE_ROOT${sysconfdir}/sshd_config |
224 | 228 | ||
225 | # We don't want to overwrite config files on multiple installs | 229 | # We don't want to overwrite config files on multiple installs |
226 | mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default | 230 | mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default |
227 | mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default | 231 | mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default |
228 | [ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ] && \ | 232 | [ -f $FAKE_ROOT${sysconfdir}/ssh_prng_cmds ] && \ |
229 | mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default | 233 | mv $FAKE_ROOT${sysconfdir}/ssh_prng_cmds $FAKE_ROOT${sysconfdir}/ssh_prng_cmds.default |
230 | 234 | ||
231 | # local tweeks here | 235 | # local tweeks here |
232 | [ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES} | 236 | [ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES} |
@@ -336,7 +340,7 @@ then | |||
336 | svccfg delete -f $OPENSSH_FMRI | 340 | svccfg delete -f $OPENSSH_FMRI |
337 | fi | 341 | fi |
338 | # NOTE, The manifest disables sshd by default. | 342 | # NOTE, The manifest disables sshd by default. |
339 | svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml | 343 | svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml |
340 | else | 344 | else |
341 | if [ "\${USE_SYM_LINKS}" = yes ] | 345 | if [ "\${USE_SYM_LINKS}" = yes ] |
342 | then | 346 | then |
diff --git a/channels.c b/channels.c index 6b0fb0b71..255280e0b 100644 --- a/channels.c +++ b/channels.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */ | 1 | /* $OpenBSD: channels.c,v 1.270 2007/06/25 08:20:03 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1657,7 +1657,9 @@ channel_check_window(Channel *c) | |||
1657 | { | 1657 | { |
1658 | if (c->type == SSH_CHANNEL_OPEN && | 1658 | if (c->type == SSH_CHANNEL_OPEN && |
1659 | !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && | 1659 | !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && |
1660 | c->local_window < c->local_window_max/2 && | 1660 | ((c->local_window_max - c->local_window > |
1661 | c->local_maxpacket*3) || | ||
1662 | c->local_window < c->local_window_max/2) && | ||
1661 | c->local_consumed > 0) { | 1663 | c->local_consumed > 0) { |
1662 | packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); | 1664 | packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); |
1663 | packet_put_int(c->remote_id); | 1665 | packet_put_int(c->remote_id); |
diff --git a/channels.h b/channels.h index 2674f096e..b632a86af 100644 --- a/channels.h +++ b/channels.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: channels.h,v 1.89 2007/06/11 09:14:00 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -122,9 +122,9 @@ struct Channel { | |||
122 | 122 | ||
123 | /* default window/packet sizes for tcp/x11-fwd-channel */ | 123 | /* default window/packet sizes for tcp/x11-fwd-channel */ |
124 | #define CHAN_SES_PACKET_DEFAULT (32*1024) | 124 | #define CHAN_SES_PACKET_DEFAULT (32*1024) |
125 | #define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT) | 125 | #define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) |
126 | #define CHAN_TCP_PACKET_DEFAULT (32*1024) | 126 | #define CHAN_TCP_PACKET_DEFAULT (32*1024) |
127 | #define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT) | 127 | #define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT) |
128 | #define CHAN_X11_PACKET_DEFAULT (16*1024) | 128 | #define CHAN_X11_PACKET_DEFAULT (16*1024) |
129 | #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) | 129 | #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) |
130 | 130 | ||
diff --git a/cipher-3des1.c b/cipher-3des1.c index fc16e20d7..17a13a133 100644 --- a/cipher-3des1.c +++ b/cipher-3des1.c | |||
@@ -35,9 +35,7 @@ | |||
35 | #include "xmalloc.h" | 35 | #include "xmalloc.h" |
36 | #include "log.h" | 36 | #include "log.h" |
37 | 37 | ||
38 | #if OPENSSL_VERSION_NUMBER < 0x00906000L | 38 | #include "openbsd-compat/openssl-compat.h" |
39 | #define SSH_OLD_EVP | ||
40 | #endif | ||
41 | 39 | ||
42 | /* | 40 | /* |
43 | * This is used by SSH1: | 41 | * This is used by SSH1: |
diff --git a/cipher-bf1.c b/cipher-bf1.c index 292488c5c..e0e33b4c0 100644 --- a/cipher-bf1.c +++ b/cipher-bf1.c | |||
@@ -35,9 +35,7 @@ | |||
35 | #include "xmalloc.h" | 35 | #include "xmalloc.h" |
36 | #include "log.h" | 36 | #include "log.h" |
37 | 37 | ||
38 | #if OPENSSL_VERSION_NUMBER < 0x00906000L | 38 | #include "openbsd-compat/openssl-compat.h" |
39 | #define SSH_OLD_EVP | ||
40 | #endif | ||
41 | 39 | ||
42 | /* | 40 | /* |
43 | * SSH1 uses a variation on Blowfish, all bytes must be swapped before | 41 | * SSH1 uses a variation on Blowfish, all bytes must be swapped before |
diff --git a/cipher-ctr.c b/cipher-ctr.c index b24f3a428..3b86cc10b 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c | |||
@@ -29,13 +29,7 @@ | |||
29 | /* compatibility with old or broken OpenSSL versions */ | 29 | /* compatibility with old or broken OpenSSL versions */ |
30 | #include "openbsd-compat/openssl-compat.h" | 30 | #include "openbsd-compat/openssl-compat.h" |
31 | 31 | ||
32 | #ifdef USE_BUILTIN_RIJNDAEL | 32 | #ifndef USE_BUILTIN_RIJNDAEL |
33 | #include "rijndael.h" | ||
34 | #define AES_KEY rijndael_ctx | ||
35 | #define AES_BLOCK_SIZE 16 | ||
36 | #define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b) | ||
37 | #define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1) | ||
38 | #else | ||
39 | #include <openssl/aes.h> | 33 | #include <openssl/aes.h> |
40 | #endif | 34 | #endif |
41 | 35 | ||
diff --git a/clientloop.c b/clientloop.c index 766a4b3bf..aa8697900 100644 --- a/clientloop.c +++ b/clientloop.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -290,19 +290,29 @@ client_x11_get_proto(const char *display, const char *xauth_path, | |||
290 | generated = 1; | 290 | generated = 1; |
291 | } | 291 | } |
292 | } | 292 | } |
293 | snprintf(cmd, sizeof(cmd), | 293 | |
294 | "%s %s%s list %s 2>" _PATH_DEVNULL, | 294 | /* |
295 | xauth_path, | 295 | * When in untrusted mode, we read the cookie only if it was |
296 | generated ? "-f " : "" , | 296 | * successfully generated as an untrusted one in the step |
297 | generated ? xauthfile : "", | 297 | * above. |
298 | display); | 298 | */ |
299 | debug2("x11_get_proto: %s", cmd); | 299 | if (trusted || generated) { |
300 | f = popen(cmd, "r"); | 300 | snprintf(cmd, sizeof(cmd), |
301 | if (f && fgets(line, sizeof(line), f) && | 301 | "%s %s%s list %s 2>" _PATH_DEVNULL, |
302 | sscanf(line, "%*s %511s %511s", proto, data) == 2) | 302 | xauth_path, |
303 | got_data = 1; | 303 | generated ? "-f " : "" , |
304 | if (f) | 304 | generated ? xauthfile : "", |
305 | pclose(f); | 305 | display); |
306 | debug2("x11_get_proto: %s", cmd); | ||
307 | f = popen(cmd, "r"); | ||
308 | if (f && fgets(line, sizeof(line), f) && | ||
309 | sscanf(line, "%*s %511s %511s", proto, data) == 2) | ||
310 | got_data = 1; | ||
311 | if (f) | ||
312 | pclose(f); | ||
313 | } else | ||
314 | error("Warning: untrusted X11 forwarding setup failed: " | ||
315 | "xauth key data not generated"); | ||
306 | } | 316 | } |
307 | 317 | ||
308 | if (do_unlink) { | 318 | if (do_unlink) { |
@@ -940,7 +950,7 @@ process_cmdline(void) | |||
940 | cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); | 950 | cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); |
941 | if (s == NULL) | 951 | if (s == NULL) |
942 | goto out; | 952 | goto out; |
943 | while (*s && isspace(*s)) | 953 | while (isspace(*s)) |
944 | s++; | 954 | s++; |
945 | if (*s == '-') | 955 | if (*s == '-') |
946 | s++; /* Skip cmdline '-', if any */ | 956 | s++; /* Skip cmdline '-', if any */ |
@@ -987,9 +997,8 @@ process_cmdline(void) | |||
987 | goto out; | 997 | goto out; |
988 | } | 998 | } |
989 | 999 | ||
990 | s++; | 1000 | while (isspace(*++s)) |
991 | while (*s && isspace(*s)) | 1001 | ; |
992 | s++; | ||
993 | 1002 | ||
994 | if (delete) { | 1003 | if (delete) { |
995 | cancel_port = 0; | 1004 | cancel_port = 0; |
@@ -1781,6 +1790,50 @@ client_request_agent(const char *request_type, int rchan) | |||
1781 | return c; | 1790 | return c; |
1782 | } | 1791 | } |
1783 | 1792 | ||
1793 | int | ||
1794 | client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun) | ||
1795 | { | ||
1796 | Channel *c; | ||
1797 | int fd; | ||
1798 | |||
1799 | if (tun_mode == SSH_TUNMODE_NO) | ||
1800 | return 0; | ||
1801 | |||
1802 | if (!compat20) { | ||
1803 | error("Tunnel forwarding is not support for protocol 1"); | ||
1804 | return -1; | ||
1805 | } | ||
1806 | |||
1807 | debug("Requesting tun unit %d in mode %d", local_tun, tun_mode); | ||
1808 | |||
1809 | /* Open local tunnel device */ | ||
1810 | if ((fd = tun_open(local_tun, tun_mode)) == -1) { | ||
1811 | error("Tunnel device open failed."); | ||
1812 | return -1; | ||
1813 | } | ||
1814 | |||
1815 | c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, | ||
1816 | CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); | ||
1817 | c->datagram = 1; | ||
1818 | |||
1819 | #if defined(SSH_TUN_FILTER) | ||
1820 | if (options.tun_open == SSH_TUNMODE_POINTOPOINT) | ||
1821 | channel_register_filter(c->self, sys_tun_infilter, | ||
1822 | sys_tun_outfilter); | ||
1823 | #endif | ||
1824 | |||
1825 | packet_start(SSH2_MSG_CHANNEL_OPEN); | ||
1826 | packet_put_cstring("tun@openssh.com"); | ||
1827 | packet_put_int(c->self); | ||
1828 | packet_put_int(c->local_window_max); | ||
1829 | packet_put_int(c->local_maxpacket); | ||
1830 | packet_put_int(tun_mode); | ||
1831 | packet_put_int(remote_tun); | ||
1832 | packet_send(); | ||
1833 | |||
1834 | return 0; | ||
1835 | } | ||
1836 | |||
1784 | /* XXXX move to generic input handler */ | 1837 | /* XXXX move to generic input handler */ |
1785 | static void | 1838 | static void |
1786 | client_input_channel_open(int type, u_int32_t seq, void *ctxt) | 1839 | client_input_channel_open(int type, u_int32_t seq, void *ctxt) |
diff --git a/clientloop.h b/clientloop.h index beec62f70..c7d2233d0 100644 --- a/clientloop.h +++ b/clientloop.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.h,v 1.17 2007/08/07 07:32:53 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -44,6 +44,7 @@ void client_x11_get_proto(const char *, const char *, u_int, | |||
44 | void client_global_request_reply_fwd(int, u_int32_t, void *); | 44 | void client_global_request_reply_fwd(int, u_int32_t, void *); |
45 | void client_session2_setup(int, int, int, const char *, struct termios *, | 45 | void client_session2_setup(int, int, int, const char *, struct termios *, |
46 | int, Buffer *, char **, dispatch_fn *); | 46 | int, Buffer *, char **, dispatch_fn *); |
47 | int client_request_tun_fwd(int, int, int); | ||
47 | 48 | ||
48 | /* Multiplexing protocol version */ | 49 | /* Multiplexing protocol version */ |
49 | #define SSHMUX_VER 1 | 50 | #define SSHMUX_VER 1 |
diff --git a/config.h.in b/config.h.in index a913487e1..9577c0e5f 100644 --- a/config.h.in +++ b/config.h.in | |||
@@ -155,6 +155,9 @@ | |||
155 | /* OpenBSD's gcc has bounded */ | 155 | /* OpenBSD's gcc has bounded */ |
156 | #undef HAVE_ATTRIBUTE__BOUNDED__ | 156 | #undef HAVE_ATTRIBUTE__BOUNDED__ |
157 | 157 | ||
158 | /* Have attribute nonnull */ | ||
159 | #undef HAVE_ATTRIBUTE__NONNULL__ | ||
160 | |||
158 | /* OpenBSD's gcc has sentinel */ | 161 | /* OpenBSD's gcc has sentinel */ |
159 | #undef HAVE_ATTRIBUTE__SENTINEL__ | 162 | #undef HAVE_ATTRIBUTE__SENTINEL__ |
160 | 163 | ||
@@ -230,6 +233,14 @@ | |||
230 | don't. */ | 233 | don't. */ |
231 | #undef HAVE_DECL_LOGINSUCCESS | 234 | #undef HAVE_DECL_LOGINSUCCESS |
232 | 235 | ||
236 | /* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you | ||
237 | don't. */ | ||
238 | #undef HAVE_DECL_MAXSYMLINKS | ||
239 | |||
240 | /* Define to 1 if you have the declaration of `offsetof', and to 0 if you | ||
241 | don't. */ | ||
242 | #undef HAVE_DECL_OFFSETOF | ||
243 | |||
233 | /* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you | 244 | /* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you |
234 | don't. */ | 245 | don't. */ |
235 | #undef HAVE_DECL_O_NONBLOCK | 246 | #undef HAVE_DECL_O_NONBLOCK |
@@ -354,6 +365,9 @@ | |||
354 | /* Define to 1 if you have the `getpeereid' function. */ | 365 | /* Define to 1 if you have the `getpeereid' function. */ |
355 | #undef HAVE_GETPEEREID | 366 | #undef HAVE_GETPEEREID |
356 | 367 | ||
368 | /* Define to 1 if you have the `getpeerucred' function. */ | ||
369 | #undef HAVE_GETPEERUCRED | ||
370 | |||
357 | /* Define to 1 if you have the `getpwanam' function. */ | 371 | /* Define to 1 if you have the `getpwanam' function. */ |
358 | #undef HAVE_GETPWANAM | 372 | #undef HAVE_GETPWANAM |
359 | 373 | ||
@@ -480,9 +494,6 @@ | |||
480 | /* Define to 1 if you have the <libgen.h> header file. */ | 494 | /* Define to 1 if you have the <libgen.h> header file. */ |
481 | #undef HAVE_LIBGEN_H | 495 | #undef HAVE_LIBGEN_H |
482 | 496 | ||
483 | /* Define to 1 if you have the `iaf' library (-liaf). */ | ||
484 | #undef HAVE_LIBIAF | ||
485 | |||
486 | /* Define to 1 if you have the `nsl' library (-lnsl). */ | 497 | /* Define to 1 if you have the `nsl' library (-lnsl). */ |
487 | #undef HAVE_LIBNSL | 498 | #undef HAVE_LIBNSL |
488 | 499 | ||
@@ -619,6 +630,12 @@ | |||
619 | /* define if you have pid_t data type */ | 630 | /* define if you have pid_t data type */ |
620 | #undef HAVE_PID_T | 631 | #undef HAVE_PID_T |
621 | 632 | ||
633 | /* Define to 1 if you have the `poll' function. */ | ||
634 | #undef HAVE_POLL | ||
635 | |||
636 | /* Define to 1 if you have the <poll.h> header file. */ | ||
637 | #undef HAVE_POLL_H | ||
638 | |||
622 | /* Define to 1 if you have the `prctl' function. */ | 639 | /* Define to 1 if you have the `prctl' function. */ |
623 | #undef HAVE_PRCTL | 640 | #undef HAVE_PRCTL |
624 | 641 | ||
@@ -736,6 +753,9 @@ | |||
736 | /* Define to 1 if you have the `setvbuf' function. */ | 753 | /* Define to 1 if you have the `setvbuf' function. */ |
737 | #undef HAVE_SETVBUF | 754 | #undef HAVE_SETVBUF |
738 | 755 | ||
756 | /* Define to 1 if you have the `set_id' function. */ | ||
757 | #undef HAVE_SET_ID | ||
758 | |||
739 | /* Define to 1 if you have the `SHA256_Update' function. */ | 759 | /* Define to 1 if you have the `SHA256_Update' function. */ |
740 | #undef HAVE_SHA256_UPDATE | 760 | #undef HAVE_SHA256_UPDATE |
741 | 761 | ||
@@ -844,6 +864,9 @@ | |||
844 | /* define if you have struct timeval */ | 864 | /* define if you have struct timeval */ |
845 | #undef HAVE_STRUCT_TIMEVAL | 865 | #undef HAVE_STRUCT_TIMEVAL |
846 | 866 | ||
867 | /* Define to 1 if you have the `swap32' function. */ | ||
868 | #undef HAVE_SWAP32 | ||
869 | |||
847 | /* Define to 1 if you have the `sysconf' function. */ | 870 | /* Define to 1 if you have the `sysconf' function. */ |
848 | #undef HAVE_SYSCONF | 871 | #undef HAVE_SYSCONF |
849 | 872 | ||
@@ -958,6 +981,9 @@ | |||
958 | /* Define if you have ut_type in utmpx.h */ | 981 | /* Define if you have ut_type in utmpx.h */ |
959 | #undef HAVE_TYPE_IN_UTMPX | 982 | #undef HAVE_TYPE_IN_UTMPX |
960 | 983 | ||
984 | /* Define to 1 if you have the <ucred.h> header file. */ | ||
985 | #undef HAVE_UCRED_H | ||
986 | |||
961 | /* define if you have uintxx_t data type */ | 987 | /* define if you have uintxx_t data type */ |
962 | #undef HAVE_UINTXX_T | 988 | #undef HAVE_UINTXX_T |
963 | 989 | ||
@@ -1039,6 +1065,9 @@ | |||
1039 | /* Define to 1 if you have the `_getshort' function. */ | 1065 | /* Define to 1 if you have the `_getshort' function. */ |
1040 | #undef HAVE__GETSHORT | 1066 | #undef HAVE__GETSHORT |
1041 | 1067 | ||
1068 | /* Define if you have struct __res_state _res as an extern */ | ||
1069 | #undef HAVE__RES_EXTERN | ||
1070 | |||
1042 | /* Define to 1 if you have the `__b64_ntop' function. */ | 1071 | /* Define to 1 if you have the `__b64_ntop' function. */ |
1043 | #undef HAVE___B64_NTOP | 1072 | #undef HAVE___B64_NTOP |
1044 | 1073 | ||
@@ -1,5 +1,5 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # From configure.ac Revision: 1.372 . | 2 | # From configure.ac Revision: 1.383 . |
3 | # Guess values for system-dependent variables and create Makefiles. | 3 | # Guess values for system-dependent variables and create Makefiles. |
4 | # Generated by GNU Autoconf 2.61 for OpenSSH Portable. | 4 | # Generated by GNU Autoconf 2.61 for OpenSSH Portable. |
5 | # | 5 | # |
@@ -693,9 +693,7 @@ LOGIN_PROGRAM_FALLBACK | |||
693 | PATH_PASSWD_PROG | 693 | PATH_PASSWD_PROG |
694 | LD | 694 | LD |
695 | SSHDLIBS | 695 | SSHDLIBS |
696 | LIBWRAP | ||
697 | LIBEDIT | 696 | LIBEDIT |
698 | LIBPAM | ||
699 | INSTALL_SSH_RAND_HELPER | 697 | INSTALL_SSH_RAND_HELPER |
700 | SSH_PRIVSEP_USER | 698 | SSH_PRIVSEP_USER |
701 | PROG_LS | 699 | PROG_LS |
@@ -716,7 +714,6 @@ PROG_IPCS | |||
716 | PROG_TAIL | 714 | PROG_TAIL |
717 | INSTALL_SSH_PRNG_CMDS | 715 | INSTALL_SSH_PRNG_CMDS |
718 | OPENSC_CONFIG | 716 | OPENSC_CONFIG |
719 | LIBSELINUX | ||
720 | PRIVSEP_PATH | 717 | PRIVSEP_PATH |
721 | xauth_path | 718 | xauth_path |
722 | STRIP_OPT | 719 | STRIP_OPT |
@@ -5390,9 +5387,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
5390 | CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" | 5387 | CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" |
5391 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` | 5388 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` |
5392 | case $GCC_VER in | 5389 | case $GCC_VER in |
5393 | 1.*) ;; | 5390 | 1.*) no_attrib_nonnull=1 ;; |
5394 | 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; | 5391 | 2.8* | 2.9*) |
5395 | 2.*) ;; | 5392 | CFLAGS="$CFLAGS -Wsign-compare" |
5393 | no_attrib_nonnull=1 | ||
5394 | ;; | ||
5395 | 2.*) no_attrib_nonnull=1 ;; | ||
5396 | 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;; | 5396 | 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;; |
5397 | 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;; | 5397 | 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;; |
5398 | *) ;; | 5398 | *) ;; |
@@ -5466,6 +5466,14 @@ fi | |||
5466 | fi | 5466 | fi |
5467 | fi | 5467 | fi |
5468 | 5468 | ||
5469 | if test "x$no_attrib_nonnull" != "x1" ; then | ||
5470 | |||
5471 | cat >>confdefs.h <<\_ACEOF | ||
5472 | #define HAVE_ATTRIBUTE__NONNULL__ 1 | ||
5473 | _ACEOF | ||
5474 | |||
5475 | fi | ||
5476 | |||
5469 | 5477 | ||
5470 | # Check whether --with-rpath was given. | 5478 | # Check whether --with-rpath was given. |
5471 | if test "${with_rpath+set}" = set; then | 5479 | if test "${with_rpath+set}" = set; then |
@@ -5604,6 +5612,8 @@ fi | |||
5604 | 5612 | ||
5605 | 5613 | ||
5606 | 5614 | ||
5615 | |||
5616 | |||
5607 | for ac_header in \ | 5617 | for ac_header in \ |
5608 | bstring.h \ | 5618 | bstring.h \ |
5609 | crypt.h \ | 5619 | crypt.h \ |
@@ -5626,6 +5636,7 @@ for ac_header in \ | |||
5626 | netgroup.h \ | 5636 | netgroup.h \ |
5627 | pam/pam_appl.h \ | 5637 | pam/pam_appl.h \ |
5628 | paths.h \ | 5638 | paths.h \ |
5639 | poll.h \ | ||
5629 | pty.h \ | 5640 | pty.h \ |
5630 | readpassphrase.h \ | 5641 | readpassphrase.h \ |
5631 | rpc/types.h \ | 5642 | rpc/types.h \ |
@@ -5657,6 +5668,7 @@ for ac_header in \ | |||
5657 | time.h \ | 5668 | time.h \ |
5658 | tmpdir.h \ | 5669 | tmpdir.h \ |
5659 | ttyent.h \ | 5670 | ttyent.h \ |
5671 | ucred.h \ | ||
5660 | unistd.h \ | 5672 | unistd.h \ |
5661 | usersec.h \ | 5673 | usersec.h \ |
5662 | util.h \ | 5674 | util.h \ |
@@ -8998,6 +9010,14 @@ _ACEOF | |||
8998 | _ACEOF | 9010 | _ACEOF |
8999 | 9011 | ||
9000 | enable_etc_default_login=no # has incompatible /etc/default/login | 9012 | enable_etc_default_login=no # has incompatible /etc/default/login |
9013 | case "$host" in | ||
9014 | *-*-nto-qnx6*) | ||
9015 | cat >>confdefs.h <<\_ACEOF | ||
9016 | #define DISABLE_FD_PASSING 1 | ||
9017 | _ACEOF | ||
9018 | |||
9019 | ;; | ||
9020 | esac | ||
9001 | ;; | 9021 | ;; |
9002 | 9022 | ||
9003 | *-*-ultrix*) | 9023 | *-*-ultrix*) |
@@ -11820,8 +11840,7 @@ if test "${with_tcp_wrappers+set}" = set; then | |||
11820 | CPPFLAGS="-I${withval} ${CPPFLAGS}" | 11840 | CPPFLAGS="-I${withval} ${CPPFLAGS}" |
11821 | fi | 11841 | fi |
11822 | fi | 11842 | fi |
11823 | LIBWRAP="-lwrap" | 11843 | LIBS="-lwrap $LIBS" |
11824 | LIBS="$LIBWRAP $LIBS" | ||
11825 | { echo "$as_me:$LINENO: checking for libwrap" >&5 | 11844 | { echo "$as_me:$LINENO: checking for libwrap" >&5 |
11826 | echo $ECHO_N "checking for libwrap... $ECHO_C" >&6; } | 11845 | echo $ECHO_N "checking for libwrap... $ECHO_C" >&6; } |
11827 | cat >conftest.$ac_ext <<_ACEOF | 11846 | cat >conftest.$ac_ext <<_ACEOF |
@@ -11871,7 +11890,7 @@ cat >>confdefs.h <<\_ACEOF | |||
11871 | #define LIBWRAP 1 | 11890 | #define LIBWRAP 1 |
11872 | _ACEOF | 11891 | _ACEOF |
11873 | 11892 | ||
11874 | 11893 | SSHDLIBS="$SSHDLIBS -lwrap" | |
11875 | TCPW_MSG="yes" | 11894 | TCPW_MSG="yes" |
11876 | 11895 | ||
11877 | else | 11896 | else |
@@ -12500,6 +12519,9 @@ fi | |||
12500 | 12519 | ||
12501 | 12520 | ||
12502 | 12521 | ||
12522 | |||
12523 | |||
12524 | |||
12503 | for ac_func in \ | 12525 | for ac_func in \ |
12504 | arc4random \ | 12526 | arc4random \ |
12505 | asprintf \ | 12527 | asprintf \ |
@@ -12522,6 +12544,7 @@ for ac_func in \ | |||
12522 | getnameinfo \ | 12544 | getnameinfo \ |
12523 | getopt \ | 12545 | getopt \ |
12524 | getpeereid \ | 12546 | getpeereid \ |
12547 | getpeerucred \ | ||
12525 | _getpty \ | 12548 | _getpty \ |
12526 | getrlimit \ | 12549 | getrlimit \ |
12527 | getttyent \ | 12550 | getttyent \ |
@@ -12540,6 +12563,7 @@ for ac_func in \ | |||
12540 | ogetaddrinfo \ | 12563 | ogetaddrinfo \ |
12541 | openlog_r \ | 12564 | openlog_r \ |
12542 | openpty \ | 12565 | openpty \ |
12566 | poll \ | ||
12543 | prctl \ | 12567 | prctl \ |
12544 | pstat \ | 12568 | pstat \ |
12545 | readpassphrase \ | 12569 | readpassphrase \ |
@@ -12573,6 +12597,7 @@ for ac_func in \ | |||
12573 | strtonum \ | 12597 | strtonum \ |
12574 | strtoll \ | 12598 | strtoll \ |
12575 | strtoul \ | 12599 | strtoul \ |
12600 | swap32 \ | ||
12576 | sysconf \ | 12601 | sysconf \ |
12577 | tcgetpgrp \ | 12602 | tcgetpgrp \ |
12578 | truncate \ | 12603 | truncate \ |
@@ -13674,6 +13699,150 @@ fi | |||
13674 | 13699 | ||
13675 | 13700 | ||
13676 | 13701 | ||
13702 | { echo "$as_me:$LINENO: checking whether MAXSYMLINKS is declared" >&5 | ||
13703 | echo $ECHO_N "checking whether MAXSYMLINKS is declared... $ECHO_C" >&6; } | ||
13704 | if test "${ac_cv_have_decl_MAXSYMLINKS+set}" = set; then | ||
13705 | echo $ECHO_N "(cached) $ECHO_C" >&6 | ||
13706 | else | ||
13707 | cat >conftest.$ac_ext <<_ACEOF | ||
13708 | /* confdefs.h. */ | ||
13709 | _ACEOF | ||
13710 | cat confdefs.h >>conftest.$ac_ext | ||
13711 | cat >>conftest.$ac_ext <<_ACEOF | ||
13712 | /* end confdefs.h. */ | ||
13713 | |||
13714 | #include <sys/param.h> | ||
13715 | |||
13716 | |||
13717 | int | ||
13718 | main () | ||
13719 | { | ||
13720 | #ifndef MAXSYMLINKS | ||
13721 | (void) MAXSYMLINKS; | ||
13722 | #endif | ||
13723 | |||
13724 | ; | ||
13725 | return 0; | ||
13726 | } | ||
13727 | _ACEOF | ||
13728 | rm -f conftest.$ac_objext | ||
13729 | if { (ac_try="$ac_compile" | ||
13730 | case "(($ac_try" in | ||
13731 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
13732 | *) ac_try_echo=$ac_try;; | ||
13733 | esac | ||
13734 | eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 | ||
13735 | (eval "$ac_compile") 2>conftest.er1 | ||
13736 | ac_status=$? | ||
13737 | grep -v '^ *+' conftest.er1 >conftest.err | ||
13738 | rm -f conftest.er1 | ||
13739 | cat conftest.err >&5 | ||
13740 | echo "$as_me:$LINENO: \$? = $ac_status" >&5 | ||
13741 | (exit $ac_status); } && { | ||
13742 | test -z "$ac_c_werror_flag" || | ||
13743 | test ! -s conftest.err | ||
13744 | } && test -s conftest.$ac_objext; then | ||
13745 | ac_cv_have_decl_MAXSYMLINKS=yes | ||
13746 | else | ||
13747 | echo "$as_me: failed program was:" >&5 | ||
13748 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
13749 | |||
13750 | ac_cv_have_decl_MAXSYMLINKS=no | ||
13751 | fi | ||
13752 | |||
13753 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
13754 | fi | ||
13755 | { echo "$as_me:$LINENO: result: $ac_cv_have_decl_MAXSYMLINKS" >&5 | ||
13756 | echo "${ECHO_T}$ac_cv_have_decl_MAXSYMLINKS" >&6; } | ||
13757 | if test $ac_cv_have_decl_MAXSYMLINKS = yes; then | ||
13758 | |||
13759 | cat >>confdefs.h <<_ACEOF | ||
13760 | #define HAVE_DECL_MAXSYMLINKS 1 | ||
13761 | _ACEOF | ||
13762 | |||
13763 | |||
13764 | else | ||
13765 | cat >>confdefs.h <<_ACEOF | ||
13766 | #define HAVE_DECL_MAXSYMLINKS 0 | ||
13767 | _ACEOF | ||
13768 | |||
13769 | |||
13770 | fi | ||
13771 | |||
13772 | |||
13773 | |||
13774 | { echo "$as_me:$LINENO: checking whether offsetof is declared" >&5 | ||
13775 | echo $ECHO_N "checking whether offsetof is declared... $ECHO_C" >&6; } | ||
13776 | if test "${ac_cv_have_decl_offsetof+set}" = set; then | ||
13777 | echo $ECHO_N "(cached) $ECHO_C" >&6 | ||
13778 | else | ||
13779 | cat >conftest.$ac_ext <<_ACEOF | ||
13780 | /* confdefs.h. */ | ||
13781 | _ACEOF | ||
13782 | cat confdefs.h >>conftest.$ac_ext | ||
13783 | cat >>conftest.$ac_ext <<_ACEOF | ||
13784 | /* end confdefs.h. */ | ||
13785 | |||
13786 | #include <stddef.h> | ||
13787 | |||
13788 | |||
13789 | int | ||
13790 | main () | ||
13791 | { | ||
13792 | #ifndef offsetof | ||
13793 | (void) offsetof; | ||
13794 | #endif | ||
13795 | |||
13796 | ; | ||
13797 | return 0; | ||
13798 | } | ||
13799 | _ACEOF | ||
13800 | rm -f conftest.$ac_objext | ||
13801 | if { (ac_try="$ac_compile" | ||
13802 | case "(($ac_try" in | ||
13803 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
13804 | *) ac_try_echo=$ac_try;; | ||
13805 | esac | ||
13806 | eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 | ||
13807 | (eval "$ac_compile") 2>conftest.er1 | ||
13808 | ac_status=$? | ||
13809 | grep -v '^ *+' conftest.er1 >conftest.err | ||
13810 | rm -f conftest.er1 | ||
13811 | cat conftest.err >&5 | ||
13812 | echo "$as_me:$LINENO: \$? = $ac_status" >&5 | ||
13813 | (exit $ac_status); } && { | ||
13814 | test -z "$ac_c_werror_flag" || | ||
13815 | test ! -s conftest.err | ||
13816 | } && test -s conftest.$ac_objext; then | ||
13817 | ac_cv_have_decl_offsetof=yes | ||
13818 | else | ||
13819 | echo "$as_me: failed program was:" >&5 | ||
13820 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
13821 | |||
13822 | ac_cv_have_decl_offsetof=no | ||
13823 | fi | ||
13824 | |||
13825 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
13826 | fi | ||
13827 | { echo "$as_me:$LINENO: result: $ac_cv_have_decl_offsetof" >&5 | ||
13828 | echo "${ECHO_T}$ac_cv_have_decl_offsetof" >&6; } | ||
13829 | if test $ac_cv_have_decl_offsetof = yes; then | ||
13830 | |||
13831 | cat >>confdefs.h <<_ACEOF | ||
13832 | #define HAVE_DECL_OFFSETOF 1 | ||
13833 | _ACEOF | ||
13834 | |||
13835 | |||
13836 | else | ||
13837 | cat >>confdefs.h <<_ACEOF | ||
13838 | #define HAVE_DECL_OFFSETOF 0 | ||
13839 | _ACEOF | ||
13840 | |||
13841 | |||
13842 | fi | ||
13843 | |||
13844 | |||
13845 | |||
13677 | 13846 | ||
13678 | for ac_func in setresuid | 13847 | for ac_func in setresuid |
13679 | do | 13848 | do |
@@ -14989,7 +15158,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |||
14989 | 15158 | ||
14990 | # Check for missing getpeereid (or equiv) support | 15159 | # Check for missing getpeereid (or equiv) support |
14991 | NO_PEERCHECK="" | 15160 | NO_PEERCHECK="" |
14992 | if test "x$ac_cv_func_getpeereid" != "xyes" ; then | 15161 | if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then |
14993 | { echo "$as_me:$LINENO: checking whether system supports SO_PEERCRED getsockopt" >&5 | 15162 | { echo "$as_me:$LINENO: checking whether system supports SO_PEERCRED getsockopt" >&5 |
14994 | echo $ECHO_N "checking whether system supports SO_PEERCRED getsockopt... $ECHO_C" >&6; } | 15163 | echo $ECHO_N "checking whether system supports SO_PEERCRED getsockopt... $ECHO_C" >&6; } |
14995 | cat >conftest.$ac_ext <<_ACEOF | 15164 | cat >conftest.$ac_ext <<_ACEOF |
@@ -16430,7 +16599,7 @@ fi | |||
16430 | done | 16599 | done |
16431 | 16600 | ||
16432 | 16601 | ||
16433 | 16602 | saved_LIBS="$LIBS" | |
16434 | { echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5 | 16603 | { echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5 |
16435 | echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6; } | 16604 | echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6; } |
16436 | if test "${ac_cv_lib_iaf_ia_openinfo+set}" = set; then | 16605 | if test "${ac_cv_lib_iaf_ia_openinfo+set}" = set; then |
@@ -16493,14 +16662,106 @@ fi | |||
16493 | { echo "$as_me:$LINENO: result: $ac_cv_lib_iaf_ia_openinfo" >&5 | 16662 | { echo "$as_me:$LINENO: result: $ac_cv_lib_iaf_ia_openinfo" >&5 |
16494 | echo "${ECHO_T}$ac_cv_lib_iaf_ia_openinfo" >&6; } | 16663 | echo "${ECHO_T}$ac_cv_lib_iaf_ia_openinfo" >&6; } |
16495 | if test $ac_cv_lib_iaf_ia_openinfo = yes; then | 16664 | if test $ac_cv_lib_iaf_ia_openinfo = yes; then |
16665 | |||
16666 | LIBS="$LIBS -liaf" | ||
16667 | |||
16668 | for ac_func in set_id | ||
16669 | do | ||
16670 | as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` | ||
16671 | { echo "$as_me:$LINENO: checking for $ac_func" >&5 | ||
16672 | echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } | ||
16673 | if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then | ||
16674 | echo $ECHO_N "(cached) $ECHO_C" >&6 | ||
16675 | else | ||
16676 | cat >conftest.$ac_ext <<_ACEOF | ||
16677 | /* confdefs.h. */ | ||
16678 | _ACEOF | ||
16679 | cat confdefs.h >>conftest.$ac_ext | ||
16680 | cat >>conftest.$ac_ext <<_ACEOF | ||
16681 | /* end confdefs.h. */ | ||
16682 | /* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func. | ||
16683 | For example, HP-UX 11i <limits.h> declares gettimeofday. */ | ||
16684 | #define $ac_func innocuous_$ac_func | ||
16685 | |||
16686 | /* System header to define __stub macros and hopefully few prototypes, | ||
16687 | which can conflict with char $ac_func (); below. | ||
16688 | Prefer <limits.h> to <assert.h> if __STDC__ is defined, since | ||
16689 | <limits.h> exists even on freestanding compilers. */ | ||
16690 | |||
16691 | #ifdef __STDC__ | ||
16692 | # include <limits.h> | ||
16693 | #else | ||
16694 | # include <assert.h> | ||
16695 | #endif | ||
16696 | |||
16697 | #undef $ac_func | ||
16698 | |||
16699 | /* Override any GCC internal prototype to avoid an error. | ||
16700 | Use char because int might match the return type of a GCC | ||
16701 | builtin and then its argument prototype would still apply. */ | ||
16702 | #ifdef __cplusplus | ||
16703 | extern "C" | ||
16704 | #endif | ||
16705 | char $ac_func (); | ||
16706 | /* The GNU C library defines this for functions which it implements | ||
16707 | to always fail with ENOSYS. Some functions are actually named | ||
16708 | something starting with __ and the normal name is an alias. */ | ||
16709 | #if defined __stub_$ac_func || defined __stub___$ac_func | ||
16710 | choke me | ||
16711 | #endif | ||
16712 | |||
16713 | int | ||
16714 | main () | ||
16715 | { | ||
16716 | return $ac_func (); | ||
16717 | ; | ||
16718 | return 0; | ||
16719 | } | ||
16720 | _ACEOF | ||
16721 | rm -f conftest.$ac_objext conftest$ac_exeext | ||
16722 | if { (ac_try="$ac_link" | ||
16723 | case "(($ac_try" in | ||
16724 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
16725 | *) ac_try_echo=$ac_try;; | ||
16726 | esac | ||
16727 | eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 | ||
16728 | (eval "$ac_link") 2>conftest.er1 | ||
16729 | ac_status=$? | ||
16730 | grep -v '^ *+' conftest.er1 >conftest.err | ||
16731 | rm -f conftest.er1 | ||
16732 | cat conftest.err >&5 | ||
16733 | echo "$as_me:$LINENO: \$? = $ac_status" >&5 | ||
16734 | (exit $ac_status); } && { | ||
16735 | test -z "$ac_c_werror_flag" || | ||
16736 | test ! -s conftest.err | ||
16737 | } && test -s conftest$ac_exeext && | ||
16738 | $as_test_x conftest$ac_exeext; then | ||
16739 | eval "$as_ac_var=yes" | ||
16740 | else | ||
16741 | echo "$as_me: failed program was:" >&5 | ||
16742 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
16743 | |||
16744 | eval "$as_ac_var=no" | ||
16745 | fi | ||
16746 | |||
16747 | rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ | ||
16748 | conftest$ac_exeext conftest.$ac_ext | ||
16749 | fi | ||
16750 | ac_res=`eval echo '${'$as_ac_var'}'` | ||
16751 | { echo "$as_me:$LINENO: result: $ac_res" >&5 | ||
16752 | echo "${ECHO_T}$ac_res" >&6; } | ||
16753 | if test `eval echo '${'$as_ac_var'}'` = yes; then | ||
16496 | cat >>confdefs.h <<_ACEOF | 16754 | cat >>confdefs.h <<_ACEOF |
16497 | #define HAVE_LIBIAF 1 | 16755 | #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 |
16498 | _ACEOF | 16756 | _ACEOF |
16757 | SSHDLIBS="$SSHDLIBS -liaf" | ||
16758 | fi | ||
16759 | done | ||
16499 | 16760 | ||
16500 | LIBS="-liaf $LIBS" | ||
16501 | 16761 | ||
16502 | fi | 16762 | fi |
16503 | 16763 | ||
16764 | LIBS="$saved_LIBS" | ||
16504 | 16765 | ||
16505 | ### Configure cryptographic random number support | 16766 | ### Configure cryptographic random number support |
16506 | 16767 | ||
@@ -16926,7 +17187,7 @@ done | |||
16926 | 17187 | ||
16927 | PAM_MSG="yes" | 17188 | PAM_MSG="yes" |
16928 | 17189 | ||
16929 | LIBPAM="-lpam" | 17190 | SSHDLIBS="$SSHDLIBS -lpam" |
16930 | 17191 | ||
16931 | cat >>confdefs.h <<\_ACEOF | 17192 | cat >>confdefs.h <<\_ACEOF |
16932 | #define USE_PAM 1 | 17193 | #define USE_PAM 1 |
@@ -16939,11 +17200,10 @@ _ACEOF | |||
16939 | # libdl already in LIBS | 17200 | # libdl already in LIBS |
16940 | ;; | 17201 | ;; |
16941 | *) | 17202 | *) |
16942 | LIBPAM="$LIBPAM -ldl" | 17203 | SSHDLIBS="$SSHDLIBS -ldl" |
16943 | ;; | 17204 | ;; |
16944 | esac | 17205 | esac |
16945 | fi | 17206 | fi |
16946 | |||
16947 | fi | 17207 | fi |
16948 | 17208 | ||
16949 | 17209 | ||
@@ -25179,6 +25439,59 @@ fi | |||
25179 | fi | 25439 | fi |
25180 | 25440 | ||
25181 | 25441 | ||
25442 | { echo "$as_me:$LINENO: checking if struct __res_state _res is an extern" >&5 | ||
25443 | echo $ECHO_N "checking if struct __res_state _res is an extern... $ECHO_C" >&6; } | ||
25444 | cat >conftest.$ac_ext <<_ACEOF | ||
25445 | |||
25446 | #include <stdio.h> | ||
25447 | #if HAVE_SYS_TYPES_H | ||
25448 | # include <sys/types.h> | ||
25449 | #endif | ||
25450 | #include <netinet/in.h> | ||
25451 | #include <arpa/nameser.h> | ||
25452 | #include <resolv.h> | ||
25453 | extern struct __res_state _res; | ||
25454 | int main() { return 0; } | ||
25455 | |||
25456 | _ACEOF | ||
25457 | rm -f conftest.$ac_objext conftest$ac_exeext | ||
25458 | if { (ac_try="$ac_link" | ||
25459 | case "(($ac_try" in | ||
25460 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | ||
25461 | *) ac_try_echo=$ac_try;; | ||
25462 | esac | ||
25463 | eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 | ||
25464 | (eval "$ac_link") 2>conftest.er1 | ||
25465 | ac_status=$? | ||
25466 | grep -v '^ *+' conftest.er1 >conftest.err | ||
25467 | rm -f conftest.er1 | ||
25468 | cat conftest.err >&5 | ||
25469 | echo "$as_me:$LINENO: \$? = $ac_status" >&5 | ||
25470 | (exit $ac_status); } && { | ||
25471 | test -z "$ac_c_werror_flag" || | ||
25472 | test ! -s conftest.err | ||
25473 | } && test -s conftest$ac_exeext && | ||
25474 | $as_test_x conftest$ac_exeext; then | ||
25475 | { echo "$as_me:$LINENO: result: yes" >&5 | ||
25476 | echo "${ECHO_T}yes" >&6; } | ||
25477 | |||
25478 | cat >>confdefs.h <<\_ACEOF | ||
25479 | #define HAVE__RES_EXTERN 1 | ||
25480 | _ACEOF | ||
25481 | |||
25482 | |||
25483 | else | ||
25484 | echo "$as_me: failed program was:" >&5 | ||
25485 | sed 's/^/| /' conftest.$ac_ext >&5 | ||
25486 | |||
25487 | { echo "$as_me:$LINENO: result: no" >&5 | ||
25488 | echo "${ECHO_T}no" >&6; } | ||
25489 | |||
25490 | fi | ||
25491 | |||
25492 | rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ | ||
25493 | conftest$ac_exeext conftest.$ac_ext | ||
25494 | |||
25182 | # Check whether user wants SELinux support | 25495 | # Check whether user wants SELinux support |
25183 | SELINUX_MSG="no" | 25496 | SELINUX_MSG="no" |
25184 | LIBSELINUX="" | 25497 | LIBSELINUX="" |
@@ -25186,6 +25499,7 @@ LIBSELINUX="" | |||
25186 | # Check whether --with-selinux was given. | 25499 | # Check whether --with-selinux was given. |
25187 | if test "${with_selinux+set}" = set; then | 25500 | if test "${with_selinux+set}" = set; then |
25188 | withval=$with_selinux; if test "x$withval" != "xno" ; then | 25501 | withval=$with_selinux; if test "x$withval" != "xno" ; then |
25502 | save_LIBS="$LIBS" | ||
25189 | 25503 | ||
25190 | cat >>confdefs.h <<\_ACEOF | 25504 | cat >>confdefs.h <<\_ACEOF |
25191 | #define WITH_SELINUX 1 | 25505 | #define WITH_SELINUX 1 |
@@ -25400,8 +25714,7 @@ echo "$as_me: error: SELinux support requires libselinux library" >&2;} | |||
25400 | { (exit 1); exit 1; }; } | 25714 | { (exit 1); exit 1; }; } |
25401 | fi | 25715 | fi |
25402 | 25716 | ||
25403 | save_LIBS="$LIBS" | 25717 | SSHDLIBS="$SSHDLIBS $LIBSELINUX" |
25404 | LIBS="$LIBS $LIBSELINUX" | ||
25405 | 25718 | ||
25406 | 25719 | ||
25407 | for ac_func in getseuserbyname get_default_context_with_level | 25720 | for ac_func in getseuserbyname get_default_context_with_level |
@@ -25503,7 +25816,6 @@ done | |||
25503 | fi | 25816 | fi |
25504 | 25817 | ||
25505 | 25818 | ||
25506 | |||
25507 | # Check whether user wants Kerberos 5 support | 25819 | # Check whether user wants Kerberos 5 support |
25508 | KRB5_MSG="no" | 25820 | KRB5_MSG="no" |
25509 | 25821 | ||
@@ -28917,9 +29229,7 @@ LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim | |||
28917 | PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim | 29229 | PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim |
28918 | LD!$LD$ac_delim | 29230 | LD!$LD$ac_delim |
28919 | SSHDLIBS!$SSHDLIBS$ac_delim | 29231 | SSHDLIBS!$SSHDLIBS$ac_delim |
28920 | LIBWRAP!$LIBWRAP$ac_delim | ||
28921 | LIBEDIT!$LIBEDIT$ac_delim | 29232 | LIBEDIT!$LIBEDIT$ac_delim |
28922 | LIBPAM!$LIBPAM$ac_delim | ||
28923 | INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim | 29233 | INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim |
28924 | SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim | 29234 | SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim |
28925 | PROG_LS!$PROG_LS$ac_delim | 29235 | PROG_LS!$PROG_LS$ac_delim |
@@ -28937,6 +29247,8 @@ PROG_DF!$PROG_DF$ac_delim | |||
28937 | PROG_VMSTAT!$PROG_VMSTAT$ac_delim | 29247 | PROG_VMSTAT!$PROG_VMSTAT$ac_delim |
28938 | PROG_UPTIME!$PROG_UPTIME$ac_delim | 29248 | PROG_UPTIME!$PROG_UPTIME$ac_delim |
28939 | PROG_IPCS!$PROG_IPCS$ac_delim | 29249 | PROG_IPCS!$PROG_IPCS$ac_delim |
29250 | PROG_TAIL!$PROG_TAIL$ac_delim | ||
29251 | INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim | ||
28940 | _ACEOF | 29252 | _ACEOF |
28941 | 29253 | ||
28942 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then | 29254 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then |
@@ -28978,10 +29290,7 @@ _ACEOF | |||
28978 | ac_delim='%!_!# ' | 29290 | ac_delim='%!_!# ' |
28979 | for ac_last_try in false false false false false :; do | 29291 | for ac_last_try in false false false false false :; do |
28980 | cat >conf$$subs.sed <<_ACEOF | 29292 | cat >conf$$subs.sed <<_ACEOF |
28981 | PROG_TAIL!$PROG_TAIL$ac_delim | ||
28982 | INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim | ||
28983 | OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim | 29293 | OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim |
28984 | LIBSELINUX!$LIBSELINUX$ac_delim | ||
28985 | PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim | 29294 | PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim |
28986 | xauth_path!$xauth_path$ac_delim | 29295 | xauth_path!$xauth_path$ac_delim |
28987 | STRIP_OPT!$STRIP_OPT$ac_delim | 29296 | STRIP_OPT!$STRIP_OPT$ac_delim |
@@ -28995,7 +29304,7 @@ LIBOBJS!$LIBOBJS$ac_delim | |||
28995 | LTLIBOBJS!$LTLIBOBJS$ac_delim | 29304 | LTLIBOBJS!$LTLIBOBJS$ac_delim |
28996 | _ACEOF | 29305 | _ACEOF |
28997 | 29306 | ||
28998 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 15; then | 29307 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 12; then |
28999 | break | 29308 | break |
29000 | elif $ac_last_try; then | 29309 | elif $ac_last_try; then |
29001 | { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 | 29310 | { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 |
@@ -29487,7 +29796,10 @@ echo " Compiler: ${CC}" | |||
29487 | echo " Compiler flags: ${CFLAGS}" | 29796 | echo " Compiler flags: ${CFLAGS}" |
29488 | echo "Preprocessor flags: ${CPPFLAGS}" | 29797 | echo "Preprocessor flags: ${CPPFLAGS}" |
29489 | echo " Linker flags: ${LDFLAGS}" | 29798 | echo " Linker flags: ${LDFLAGS}" |
29490 | echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}" | 29799 | echo " Libraries: ${LIBS}" |
29800 | if test ! -z "${SSHDLIBS}"; then | ||
29801 | echo " +for sshd: ${SSHDLIBS}" | ||
29802 | fi | ||
29491 | 29803 | ||
29492 | echo "" | 29804 | echo "" |
29493 | 29805 | ||
@@ -29513,12 +29825,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then | |||
29513 | fi | 29825 | fi |
29514 | 29826 | ||
29515 | if test ! -z "$NO_PEERCHECK" ; then | 29827 | if test ! -z "$NO_PEERCHECK" ; then |
29516 | echo "WARNING: the operating system that you are using does not " | 29828 | echo "WARNING: the operating system that you are using does not" |
29517 | echo "appear to support either the getpeereid() API nor the " | 29829 | echo "appear to support getpeereid(), getpeerucred() or the" |
29518 | echo "SO_PEERCRED getsockopt() option. These facilities are used to " | 29830 | echo "SO_PEERCRED getsockopt() option. These facilities are used to" |
29519 | echo "enforce security checks to prevent unauthorised connections to " | 29831 | echo "enforce security checks to prevent unauthorised connections to" |
29520 | echo "ssh-agent. Their absence increases the risk that a malicious " | 29832 | echo "ssh-agent. Their absence increases the risk that a malicious" |
29521 | echo "user can connect to your agent. " | 29833 | echo "user can connect to your agent." |
29522 | echo "" | 29834 | echo "" |
29523 | fi | 29835 | fi |
29524 | 29836 | ||
diff --git a/configure.ac b/configure.ac index 05ccc2f7e..64ef3c67b 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $ | 1 | # $Id: configure.ac,v 1.383 2007/08/10 04:36:12 dtucker Exp $ |
2 | # | 2 | # |
3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
4 | # | 4 | # |
@@ -15,7 +15,7 @@ | |||
15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | 16 | ||
17 | AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) | 17 | AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) |
18 | AC_REVISION($Revision: 1.372 $) | 18 | AC_REVISION($Revision: 1.383 $) |
19 | AC_CONFIG_SRCDIR([ssh.c]) | 19 | AC_CONFIG_SRCDIR([ssh.c]) |
20 | 20 | ||
21 | AC_CONFIG_HEADER(config.h) | 21 | AC_CONFIG_HEADER(config.h) |
@@ -94,9 +94,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
94 | CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" | 94 | CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" |
95 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` | 95 | GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` |
96 | case $GCC_VER in | 96 | case $GCC_VER in |
97 | 1.*) ;; | 97 | 1.*) no_attrib_nonnull=1 ;; |
98 | 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; | 98 | 2.8* | 2.9*) |
99 | 2.*) ;; | 99 | CFLAGS="$CFLAGS -Wsign-compare" |
100 | no_attrib_nonnull=1 | ||
101 | ;; | ||
102 | 2.*) no_attrib_nonnull=1 ;; | ||
100 | 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;; | 103 | 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;; |
101 | 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;; | 104 | 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;; |
102 | *) ;; | 105 | *) ;; |
@@ -115,6 +118,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then | |||
115 | fi | 118 | fi |
116 | fi | 119 | fi |
117 | 120 | ||
121 | if test "x$no_attrib_nonnull" != "x1" ; then | ||
122 | AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull]) | ||
123 | fi | ||
124 | |||
118 | AC_ARG_WITH(rpath, | 125 | AC_ARG_WITH(rpath, |
119 | [ --without-rpath Disable auto-added -R linker paths], | 126 | [ --without-rpath Disable auto-added -R linker paths], |
120 | [ | 127 | [ |
@@ -198,6 +205,7 @@ AC_CHECK_HEADERS( \ | |||
198 | netgroup.h \ | 205 | netgroup.h \ |
199 | pam/pam_appl.h \ | 206 | pam/pam_appl.h \ |
200 | paths.h \ | 207 | paths.h \ |
208 | poll.h \ | ||
201 | pty.h \ | 209 | pty.h \ |
202 | readpassphrase.h \ | 210 | readpassphrase.h \ |
203 | rpc/types.h \ | 211 | rpc/types.h \ |
@@ -229,6 +237,7 @@ AC_CHECK_HEADERS( \ | |||
229 | time.h \ | 237 | time.h \ |
230 | tmpdir.h \ | 238 | tmpdir.h \ |
231 | ttyent.h \ | 239 | ttyent.h \ |
240 | ucred.h \ | ||
232 | unistd.h \ | 241 | unistd.h \ |
233 | usersec.h \ | 242 | usersec.h \ |
234 | util.h \ | 243 | util.h \ |
@@ -809,6 +818,11 @@ mips-sony-bsd|mips-sony-newsos4) | |||
809 | AC_DEFINE(DISABLE_LASTLOG) | 818 | AC_DEFINE(DISABLE_LASTLOG) |
810 | AC_DEFINE(SSHD_ACQUIRES_CTTY) | 819 | AC_DEFINE(SSHD_ACQUIRES_CTTY) |
811 | enable_etc_default_login=no # has incompatible /etc/default/login | 820 | enable_etc_default_login=no # has incompatible /etc/default/login |
821 | case "$host" in | ||
822 | *-*-nto-qnx6*) | ||
823 | AC_DEFINE(DISABLE_FD_PASSING) | ||
824 | ;; | ||
825 | esac | ||
812 | ;; | 826 | ;; |
813 | 827 | ||
814 | *-*-ultrix*) | 828 | *-*-ultrix*) |
@@ -1141,8 +1155,7 @@ AC_ARG_WITH(tcp-wrappers, | |||
1141 | CPPFLAGS="-I${withval} ${CPPFLAGS}" | 1155 | CPPFLAGS="-I${withval} ${CPPFLAGS}" |
1142 | fi | 1156 | fi |
1143 | fi | 1157 | fi |
1144 | LIBWRAP="-lwrap" | 1158 | LIBS="-lwrap $LIBS" |
1145 | LIBS="$LIBWRAP $LIBS" | ||
1146 | AC_MSG_CHECKING(for libwrap) | 1159 | AC_MSG_CHECKING(for libwrap) |
1147 | AC_TRY_LINK( | 1160 | AC_TRY_LINK( |
1148 | [ | 1161 | [ |
@@ -1158,7 +1171,7 @@ AC_ARG_WITH(tcp-wrappers, | |||
1158 | AC_DEFINE(LIBWRAP, 1, | 1171 | AC_DEFINE(LIBWRAP, 1, |
1159 | [Define if you want | 1172 | [Define if you want |
1160 | TCP Wrappers support]) | 1173 | TCP Wrappers support]) |
1161 | AC_SUBST(LIBWRAP) | 1174 | SSHDLIBS="$SSHDLIBS -lwrap" |
1162 | TCPW_MSG="yes" | 1175 | TCPW_MSG="yes" |
1163 | ], | 1176 | ], |
1164 | [ | 1177 | [ |
@@ -1273,6 +1286,7 @@ AC_CHECK_FUNCS( \ | |||
1273 | getnameinfo \ | 1286 | getnameinfo \ |
1274 | getopt \ | 1287 | getopt \ |
1275 | getpeereid \ | 1288 | getpeereid \ |
1289 | getpeerucred \ | ||
1276 | _getpty \ | 1290 | _getpty \ |
1277 | getrlimit \ | 1291 | getrlimit \ |
1278 | getttyent \ | 1292 | getttyent \ |
@@ -1291,6 +1305,7 @@ AC_CHECK_FUNCS( \ | |||
1291 | ogetaddrinfo \ | 1305 | ogetaddrinfo \ |
1292 | openlog_r \ | 1306 | openlog_r \ |
1293 | openpty \ | 1307 | openpty \ |
1308 | poll \ | ||
1294 | prctl \ | 1309 | prctl \ |
1295 | pstat \ | 1310 | pstat \ |
1296 | readpassphrase \ | 1311 | readpassphrase \ |
@@ -1324,6 +1339,7 @@ AC_CHECK_FUNCS( \ | |||
1324 | strtonum \ | 1339 | strtonum \ |
1325 | strtoll \ | 1340 | strtoll \ |
1326 | strtoul \ | 1341 | strtoul \ |
1342 | swap32 \ | ||
1327 | sysconf \ | 1343 | sysconf \ |
1328 | tcgetpgrp \ | 1344 | tcgetpgrp \ |
1329 | truncate \ | 1345 | truncate \ |
@@ -1396,6 +1412,14 @@ AC_CHECK_DECLS(writev, , , [ | |||
1396 | #include <unistd.h> | 1412 | #include <unistd.h> |
1397 | ]) | 1413 | ]) |
1398 | 1414 | ||
1415 | AC_CHECK_DECLS(MAXSYMLINKS, , , [ | ||
1416 | #include <sys/param.h> | ||
1417 | ]) | ||
1418 | |||
1419 | AC_CHECK_DECLS(offsetof, , , [ | ||
1420 | #include <stddef.h> | ||
1421 | ]) | ||
1422 | |||
1399 | AC_CHECK_FUNCS(setresuid, [ | 1423 | AC_CHECK_FUNCS(setresuid, [ |
1400 | dnl Some platorms have setresuid that isn't implemented, test for this | 1424 | dnl Some platorms have setresuid that isn't implemented, test for this |
1401 | AC_MSG_CHECKING(if setresuid seems to work) | 1425 | AC_MSG_CHECKING(if setresuid seems to work) |
@@ -1521,7 +1545,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h> | |||
1521 | 1545 | ||
1522 | # Check for missing getpeereid (or equiv) support | 1546 | # Check for missing getpeereid (or equiv) support |
1523 | NO_PEERCHECK="" | 1547 | NO_PEERCHECK="" |
1524 | if test "x$ac_cv_func_getpeereid" != "xyes" ; then | 1548 | if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then |
1525 | AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) | 1549 | AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) |
1526 | AC_TRY_COMPILE( | 1550 | AC_TRY_COMPILE( |
1527 | [#include <sys/types.h> | 1551 | [#include <sys/types.h> |
@@ -2009,7 +2033,12 @@ fi | |||
2009 | # Search for SHA256 support in libc and/or OpenSSL | 2033 | # Search for SHA256 support in libc and/or OpenSSL |
2010 | AC_CHECK_FUNCS(SHA256_Update EVP_sha256) | 2034 | AC_CHECK_FUNCS(SHA256_Update EVP_sha256) |
2011 | 2035 | ||
2012 | AC_CHECK_LIB(iaf, ia_openinfo) | 2036 | saved_LIBS="$LIBS" |
2037 | AC_CHECK_LIB(iaf, ia_openinfo, [ | ||
2038 | LIBS="$LIBS -liaf" | ||
2039 | AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"]) | ||
2040 | ]) | ||
2041 | LIBS="$saved_LIBS" | ||
2013 | 2042 | ||
2014 | ### Configure cryptographic random number support | 2043 | ### Configure cryptographic random number support |
2015 | 2044 | ||
@@ -2059,7 +2088,7 @@ AC_ARG_WITH(pam, | |||
2059 | 2088 | ||
2060 | PAM_MSG="yes" | 2089 | PAM_MSG="yes" |
2061 | 2090 | ||
2062 | LIBPAM="-lpam" | 2091 | SSHDLIBS="$SSHDLIBS -lpam" |
2063 | AC_DEFINE(USE_PAM, 1, | 2092 | AC_DEFINE(USE_PAM, 1, |
2064 | [Define if you want to enable PAM support]) | 2093 | [Define if you want to enable PAM support]) |
2065 | 2094 | ||
@@ -2069,11 +2098,10 @@ AC_ARG_WITH(pam, | |||
2069 | # libdl already in LIBS | 2098 | # libdl already in LIBS |
2070 | ;; | 2099 | ;; |
2071 | *) | 2100 | *) |
2072 | LIBPAM="$LIBPAM -ldl" | 2101 | SSHDLIBS="$SSHDLIBS -ldl" |
2073 | ;; | 2102 | ;; |
2074 | esac | 2103 | esac |
2075 | fi | 2104 | fi |
2076 | AC_SUBST(LIBPAM) | ||
2077 | fi | 2105 | fi |
2078 | ] | 2106 | ] |
2079 | ) | 2107 | ) |
@@ -3182,25 +3210,43 @@ int main() | |||
3182 | [#include <arpa/nameser.h>]) | 3210 | [#include <arpa/nameser.h>]) |
3183 | ]) | 3211 | ]) |
3184 | 3212 | ||
3213 | AC_MSG_CHECKING(if struct __res_state _res is an extern) | ||
3214 | AC_LINK_IFELSE([ | ||
3215 | #include <stdio.h> | ||
3216 | #if HAVE_SYS_TYPES_H | ||
3217 | # include <sys/types.h> | ||
3218 | #endif | ||
3219 | #include <netinet/in.h> | ||
3220 | #include <arpa/nameser.h> | ||
3221 | #include <resolv.h> | ||
3222 | extern struct __res_state _res; | ||
3223 | int main() { return 0; } | ||
3224 | ], | ||
3225 | [AC_MSG_RESULT(yes) | ||
3226 | AC_DEFINE(HAVE__RES_EXTERN, 1, | ||
3227 | [Define if you have struct __res_state _res as an extern]) | ||
3228 | ], | ||
3229 | [ AC_MSG_RESULT(no) ] | ||
3230 | ) | ||
3231 | |||
3185 | # Check whether user wants SELinux support | 3232 | # Check whether user wants SELinux support |
3186 | SELINUX_MSG="no" | 3233 | SELINUX_MSG="no" |
3187 | LIBSELINUX="" | 3234 | LIBSELINUX="" |
3188 | AC_ARG_WITH(selinux, | 3235 | AC_ARG_WITH(selinux, |
3189 | [ --with-selinux Enable SELinux support], | 3236 | [ --with-selinux Enable SELinux support], |
3190 | [ if test "x$withval" != "xno" ; then | 3237 | [ if test "x$withval" != "xno" ; then |
3238 | save_LIBS="$LIBS" | ||
3191 | AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) | 3239 | AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) |
3192 | SELINUX_MSG="yes" | 3240 | SELINUX_MSG="yes" |
3193 | AC_CHECK_HEADER([selinux/selinux.h], , | 3241 | AC_CHECK_HEADER([selinux/selinux.h], , |
3194 | AC_MSG_ERROR(SELinux support requires selinux.h header)) | 3242 | AC_MSG_ERROR(SELinux support requires selinux.h header)) |
3195 | AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], | 3243 | AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], |
3196 | AC_MSG_ERROR(SELinux support requires libselinux library)) | 3244 | AC_MSG_ERROR(SELinux support requires libselinux library)) |
3197 | save_LIBS="$LIBS" | 3245 | SSHDLIBS="$SSHDLIBS $LIBSELINUX" |
3198 | LIBS="$LIBS $LIBSELINUX" | ||
3199 | AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) | 3246 | AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) |
3200 | LIBS="$save_LIBS" | 3247 | LIBS="$save_LIBS" |
3201 | fi ] | 3248 | fi ] |
3202 | ) | 3249 | ) |
3203 | AC_SUBST(LIBSELINUX) | ||
3204 | 3250 | ||
3205 | # Check whether user wants Kerberos 5 support | 3251 | # Check whether user wants Kerberos 5 support |
3206 | KRB5_MSG="no" | 3252 | KRB5_MSG="no" |
@@ -4036,7 +4082,10 @@ echo " Compiler: ${CC}" | |||
4036 | echo " Compiler flags: ${CFLAGS}" | 4082 | echo " Compiler flags: ${CFLAGS}" |
4037 | echo "Preprocessor flags: ${CPPFLAGS}" | 4083 | echo "Preprocessor flags: ${CPPFLAGS}" |
4038 | echo " Linker flags: ${LDFLAGS}" | 4084 | echo " Linker flags: ${LDFLAGS}" |
4039 | echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}" | 4085 | echo " Libraries: ${LIBS}" |
4086 | if test ! -z "${SSHDLIBS}"; then | ||
4087 | echo " +for sshd: ${SSHDLIBS}" | ||
4088 | fi | ||
4040 | 4089 | ||
4041 | echo "" | 4090 | echo "" |
4042 | 4091 | ||
@@ -4062,12 +4111,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then | |||
4062 | fi | 4111 | fi |
4063 | 4112 | ||
4064 | if test ! -z "$NO_PEERCHECK" ; then | 4113 | if test ! -z "$NO_PEERCHECK" ; then |
4065 | echo "WARNING: the operating system that you are using does not " | 4114 | echo "WARNING: the operating system that you are using does not" |
4066 | echo "appear to support either the getpeereid() API nor the " | 4115 | echo "appear to support getpeereid(), getpeerucred() or the" |
4067 | echo "SO_PEERCRED getsockopt() option. These facilities are used to " | 4116 | echo "SO_PEERCRED getsockopt() option. These facilities are used to" |
4068 | echo "enforce security checks to prevent unauthorised connections to " | 4117 | echo "enforce security checks to prevent unauthorised connections to" |
4069 | echo "ssh-agent. Their absence increases the risk that a malicious " | 4118 | echo "ssh-agent. Their absence increases the risk that a malicious" |
4070 | echo "user can connect to your agent. " | 4119 | echo "user can connect to your agent." |
4071 | echo "" | 4120 | echo "" |
4072 | fi | 4121 | fi |
4073 | 4122 | ||
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 3d756eb7f..9cb5cb464 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec | |||
@@ -17,7 +17,7 @@ | |||
17 | #old cvs stuff. please update before use. may be deprecated. | 17 | #old cvs stuff. please update before use. may be deprecated. |
18 | %define use_stable 1 | 18 | %define use_stable 1 |
19 | %if %{use_stable} | 19 | %if %{use_stable} |
20 | %define version 4.6p1 | 20 | %define version 4.7p1 |
21 | %define cvs %{nil} | 21 | %define cvs %{nil} |
22 | %define release 1 | 22 | %define release 1 |
23 | %else | 23 | %else |
@@ -357,4 +357,4 @@ fi | |||
357 | * Mon Jan 01 1998 ... | 357 | * Mon Jan 01 1998 ... |
358 | Template Version: 1.31 | 358 | Template Version: 1.31 |
359 | 359 | ||
360 | $Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $ | 360 | $Id: openssh.spec,v 1.61 2007/08/15 09:22:20 dtucker Exp $ |
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 08515d2b0..34ec6b7e1 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
@@ -1,4 +1,4 @@ | |||
1 | %define ver 4.6p1 | 1 | %define ver 4.7p1 |
2 | %define rel 1 | 2 | %define rel 1 |
3 | 3 | ||
4 | # OpenSSH privilege separation requires a user & group ID | 4 | # OpenSSH privilege separation requires a user & group ID |
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 95b394f18..1f5230586 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec | |||
@@ -13,7 +13,7 @@ | |||
13 | 13 | ||
14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation | 14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation |
15 | Name: openssh | 15 | Name: openssh |
16 | Version: 4.6p1 | 16 | Version: 4.7p1 |
17 | URL: http://www.openssh.com/ | 17 | URL: http://www.openssh.com/ |
18 | Release: 1 | 18 | Release: 1 |
19 | Source0: openssh-%{version}.tar.gz | 19 | Source0: openssh-%{version}.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 43dc83046..a027912ca 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,48 @@ | |||
1 | openssh (1:4.7p1-1) UNRELEASED; urgency=low | ||
2 | |||
3 | * New upstream release (closes: #453367). | ||
4 | - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if | ||
5 | creation of an untrusted cookie fails; found and fixed by Jan Pechanec | ||
6 | (closes: #444738). | ||
7 | - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing | ||
8 | installations are unchanged. | ||
9 | - The SSH channel window size has been increased, and both ssh(1) | ||
10 | sshd(8) now send window updates more aggressively. These improves | ||
11 | performance on high-BDP (Bandwidth Delay Product) networks. | ||
12 | - ssh(1) and sshd(8) now preserve MAC contexts between packets, which | ||
13 | saves 2 hash calls per packet and results in 12-16% speedup for | ||
14 | arcfour256/hmac-md5. | ||
15 | - A new MAC algorithm has been added, UMAC-64 (RFC4418) as | ||
16 | "umac-64@openssh.com". UMAC-64 has been measured to be approximately | ||
17 | 20% faster than HMAC-MD5. | ||
18 | - Failure to establish a ssh(1) TunnelForward is now treated as a fatal | ||
19 | error when the ExitOnForwardFailure option is set. | ||
20 | - ssh(1) returns a sensible exit status if the control master goes away | ||
21 | without passing the full exit status. | ||
22 | - When using a ProxyCommand in ssh(1), set the outgoing hostname with | ||
23 | gethostname(2), allowing hostbased authentication to work. | ||
24 | - Make scp(1) skip FIFOs rather than hanging (closes: #246774). | ||
25 | - Encode non-printing characters in scp(1) filenames. These could cause | ||
26 | copies to be aborted with a "protocol error". | ||
27 | - Handle SIGINT in sshd(8) privilege separation child process to ensure | ||
28 | that wtmp and lastlog records are correctly updated. | ||
29 | - Report GSSAPI mechanism in errors, for libraries that support multiple | ||
30 | mechanisms. | ||
31 | - Improve documentation for ssh-add(1)'s -d option. | ||
32 | - Rearrange and tidy GSSAPI code, removing server-only code being linked | ||
33 | into the client. | ||
34 | - Delay execution of ssh(1)'s LocalCommand until after all forwardings | ||
35 | have been established. | ||
36 | - In scp(1), do not truncate non-regular files. | ||
37 | - Improve exit message from ControlMaster clients. | ||
38 | - Prevent sftp-server(8) from reading until it runs out of buffer space, | ||
39 | whereupon it would exit with a fatal error (closes: #365541). | ||
40 | - pam_end() was not being called if authentication failed | ||
41 | (closes: #405041). | ||
42 | - Manual page datestamps updated (closes: #433181). | ||
43 | |||
44 | -- Colin Watson <cjwatson@debian.org> Sun, 23 Dec 2007 12:53:46 +0000 | ||
45 | |||
1 | openssh (1:4.6p1-7) unstable; urgency=low | 46 | openssh (1:4.6p1-7) unstable; urgency=low |
2 | 47 | ||
3 | * Don't build PIE executables on m68k (closes: #451192). | 48 | * Don't build PIE executables on m68k (closes: #451192). |
@@ -25,7 +25,7 @@ | |||
25 | #ifndef _DEFINES_H | 25 | #ifndef _DEFINES_H |
26 | #define _DEFINES_H | 26 | #define _DEFINES_H |
27 | 27 | ||
28 | /* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */ | 28 | /* $Id: defines.h,v 1.143 2007/08/09 04:37:52 dtucker Exp $ */ |
29 | 29 | ||
30 | 30 | ||
31 | /* Constants */ | 31 | /* Constants */ |
@@ -68,7 +68,7 @@ enum | |||
68 | # endif | 68 | # endif |
69 | #endif | 69 | #endif |
70 | 70 | ||
71 | #ifndef MAXSYMLINKS | 71 | #if defined(HAVE_DECL_MAXSYMLINKS) && HAVE_DECL_MAXSYMLINKS == 0 |
72 | # define MAXSYMLINKS 5 | 72 | # define MAXSYMLINKS 5 |
73 | #endif | 73 | #endif |
74 | 74 | ||
@@ -321,12 +321,6 @@ struct winsize { | |||
321 | #ifndef _PATH_BSHELL | 321 | #ifndef _PATH_BSHELL |
322 | # define _PATH_BSHELL "/bin/sh" | 322 | # define _PATH_BSHELL "/bin/sh" |
323 | #endif | 323 | #endif |
324 | #ifndef _PATH_CSHELL | ||
325 | # define _PATH_CSHELL "/bin/csh" | ||
326 | #endif | ||
327 | #ifndef _PATH_SHELLS | ||
328 | # define _PATH_SHELLS "/etc/shells" | ||
329 | #endif | ||
330 | 324 | ||
331 | #ifdef USER_PATH | 325 | #ifdef USER_PATH |
332 | # ifdef _PATH_STDPATH | 326 | # ifdef _PATH_STDPATH |
@@ -449,6 +443,10 @@ struct winsize { | |||
449 | # define __bounded__(x, y, z) | 443 | # define __bounded__(x, y, z) |
450 | #endif | 444 | #endif |
451 | 445 | ||
446 | #if !defined(HAVE_ATTRIBUTE__NONNULL__) && !defined(__nonnull__) | ||
447 | # define __nonnull__(x) | ||
448 | #endif | ||
449 | |||
452 | /* *-*-nto-qnx doesn't define this macro in the system headers */ | 450 | /* *-*-nto-qnx doesn't define this macro in the system headers */ |
453 | #ifdef MISSING_HOWMANY | 451 | #ifdef MISSING_HOWMANY |
454 | # define howmany(x,y) (((x)+((y)-1))/(y)) | 452 | # define howmany(x,y) (((x)+((y)-1))/(y)) |
@@ -487,7 +485,7 @@ struct winsize { | |||
487 | (struct cmsghdr *)NULL) | 485 | (struct cmsghdr *)NULL) |
488 | #endif /* CMSG_FIRSTHDR */ | 486 | #endif /* CMSG_FIRSTHDR */ |
489 | 487 | ||
490 | #ifndef offsetof | 488 | #if defined(HAVE_DECL_OFFSETOF) && HAVE_DECL_OFFSETOF == 0 |
491 | # define offsetof(type, member) ((size_t) &((type *)0)->member) | 489 | # define offsetof(type, member) ((size_t) &((type *)0)->member) |
492 | #endif | 490 | #endif |
493 | 491 | ||
@@ -696,7 +694,8 @@ struct winsize { | |||
696 | # define CUSTOM_SYS_AUTH_PASSWD 1 | 694 | # define CUSTOM_SYS_AUTH_PASSWD 1 |
697 | #endif | 695 | #endif |
698 | 696 | ||
699 | #ifdef HAVE_LIBIAF | 697 | #if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF) |
698 | # define USE_LIBIAF | ||
700 | # define CUSTOM_SYS_AUTH_PASSWD 1 | 699 | # define CUSTOM_SYS_AUTH_PASSWD 1 |
701 | #endif | 700 | #endif |
702 | 701 | ||
@@ -35,8 +35,9 @@ | |||
35 | # include <fcntl.h> | 35 | # include <fcntl.h> |
36 | #endif | 36 | #endif |
37 | #include <stdarg.h> | 37 | #include <stdarg.h> |
38 | #include <unistd.h> | 38 | #include <string.h> |
39 | #include <signal.h> | 39 | #include <signal.h> |
40 | #include <unistd.h> | ||
40 | 41 | ||
41 | #include <openssl/rand.h> | 42 | #include <openssl/rand.h> |
42 | #include <openssl/crypto.h> | 43 | #include <openssl/crypto.h> |
diff --git a/gss-genr.c b/gss-genr.c index 42f942b58..822a08212 100644 --- a/gss-genr.c +++ b/gss-genr.c | |||
@@ -1,7 +1,7 @@ | |||
1 | /* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */ | 1 | /* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
5 | * | 5 | * |
6 | * Redistribution and use in source and binary forms, with or without | 6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions | 7 | * modification, are permitted provided that the following conditions |
diff --git a/gss-serv.c b/gss-serv.c index 841d8bb2f..e157ec515 100644 --- a/gss-serv.c +++ b/gss-serv.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. |
@@ -29,6 +29,7 @@ | |||
29 | #ifdef GSSAPI | 29 | #ifdef GSSAPI |
30 | 30 | ||
31 | #include <sys/types.h> | 31 | #include <sys/types.h> |
32 | #include <sys/param.h> | ||
32 | 33 | ||
33 | #include <stdarg.h> | 34 | #include <stdarg.h> |
34 | #include <string.h> | 35 | #include <string.h> |
@@ -68,6 +69,53 @@ ssh_gssapi_mech* supported_mechs[]= { | |||
68 | &gssapi_null_mech, | 69 | &gssapi_null_mech, |
69 | }; | 70 | }; |
70 | 71 | ||
72 | |||
73 | /* | ||
74 | * Acquire credentials for a server running on the current host. | ||
75 | * Requires that the context structure contains a valid OID | ||
76 | */ | ||
77 | |||
78 | /* Returns a GSSAPI error code */ | ||
79 | /* Privileged (called from ssh_gssapi_server_ctx) */ | ||
80 | static OM_uint32 | ||
81 | ssh_gssapi_acquire_cred(Gssctxt *ctx) | ||
82 | { | ||
83 | OM_uint32 status; | ||
84 | char lname[MAXHOSTNAMELEN]; | ||
85 | gss_OID_set oidset; | ||
86 | |||
87 | gss_create_empty_oid_set(&status, &oidset); | ||
88 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
89 | |||
90 | if (gethostname(lname, MAXHOSTNAMELEN)) { | ||
91 | gss_release_oid_set(&status, &oidset); | ||
92 | return (-1); | ||
93 | } | ||
94 | |||
95 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
96 | gss_release_oid_set(&status, &oidset); | ||
97 | return (ctx->major); | ||
98 | } | ||
99 | |||
100 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
101 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
102 | ssh_gssapi_error(ctx); | ||
103 | |||
104 | gss_release_oid_set(&status, &oidset); | ||
105 | return (ctx->major); | ||
106 | } | ||
107 | |||
108 | /* Privileged */ | ||
109 | OM_uint32 | ||
110 | ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | ||
111 | { | ||
112 | if (*ctx) | ||
113 | ssh_gssapi_delete_ctx(ctx); | ||
114 | ssh_gssapi_build_ctx(ctx); | ||
115 | ssh_gssapi_set_oid(*ctx, oid); | ||
116 | return (ssh_gssapi_acquire_cred(*ctx)); | ||
117 | } | ||
118 | |||
71 | /* Unprivileged */ | 119 | /* Unprivileged */ |
72 | char * | 120 | char * |
73 | ssh_gssapi_server_mechanisms() { | 121 | ssh_gssapi_server_mechanisms() { |
@@ -115,56 +163,6 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | |||
115 | gss_release_oid_set(&min_status, &supported); | 163 | gss_release_oid_set(&min_status, &supported); |
116 | } | 164 | } |
117 | 165 | ||
118 | OM_uint32 | ||
119 | ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | ||
120 | { | ||
121 | if (*ctx) | ||
122 | ssh_gssapi_delete_ctx(ctx); | ||
123 | ssh_gssapi_build_ctx(ctx); | ||
124 | ssh_gssapi_set_oid(*ctx, oid); | ||
125 | return (ssh_gssapi_acquire_cred(*ctx)); | ||
126 | } | ||
127 | |||
128 | /* Acquire credentials for a server running on the current host. | ||
129 | * Requires that the context structure contains a valid OID | ||
130 | */ | ||
131 | |||
132 | /* Returns a GSSAPI error code */ | ||
133 | OM_uint32 | ||
134 | ssh_gssapi_acquire_cred(Gssctxt *ctx) | ||
135 | { | ||
136 | OM_uint32 status; | ||
137 | char lname[MAXHOSTNAMELEN]; | ||
138 | gss_OID_set oidset; | ||
139 | |||
140 | if (options.gss_strict_acceptor) { | ||
141 | gss_create_empty_oid_set(&status, &oidset); | ||
142 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
143 | |||
144 | if (gethostname(lname, MAXHOSTNAMELEN)) { | ||
145 | gss_release_oid_set(&status, &oidset); | ||
146 | return (-1); | ||
147 | } | ||
148 | |||
149 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
150 | gss_release_oid_set(&status, &oidset); | ||
151 | return (ctx->major); | ||
152 | } | ||
153 | |||
154 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
155 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
156 | NULL, NULL))) | ||
157 | ssh_gssapi_error(ctx); | ||
158 | |||
159 | gss_release_oid_set(&status, &oidset); | ||
160 | return (ctx->major); | ||
161 | } else { | ||
162 | ctx->name = GSS_C_NO_NAME; | ||
163 | ctx->creds = GSS_C_NO_CREDENTIAL; | ||
164 | } | ||
165 | return GSS_S_COMPLETE; | ||
166 | } | ||
167 | |||
168 | 166 | ||
169 | /* Wrapper around accept_sec_context | 167 | /* Wrapper around accept_sec_context |
170 | * Requires that the context contains: | 168 | * Requires that the context contains: |
diff --git a/includes.h b/includes.h index 967fcc26c..9fcf1b023 100644 --- a/includes.h +++ b/includes.h | |||
@@ -49,7 +49,7 @@ | |||
49 | #ifdef HAVE_NEXT | 49 | #ifdef HAVE_NEXT |
50 | # include <libc.h> | 50 | # include <libc.h> |
51 | #endif | 51 | #endif |
52 | #ifdef HAVE_PATHS | 52 | #ifdef HAVE_PATHS_H |
53 | # include <paths.h> | 53 | # include <paths.h> |
54 | #endif | 54 | #endif |
55 | 55 | ||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */ | 1 | /* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -91,7 +91,7 @@ static char ** | |||
91 | kex_buf2prop(Buffer *raw, int *first_kex_follows) | 91 | kex_buf2prop(Buffer *raw, int *first_kex_follows) |
92 | { | 92 | { |
93 | Buffer b; | 93 | Buffer b; |
94 | int i; | 94 | u_int i; |
95 | char **proposal; | 95 | char **proposal; |
96 | 96 | ||
97 | proposal = xcalloc(PROPOSAL_MAX, sizeof(char *)); | 97 | proposal = xcalloc(PROPOSAL_MAX, sizeof(char *)); |
@@ -112,7 +112,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows) | |||
112 | *first_kex_follows = i; | 112 | *first_kex_follows = i; |
113 | debug2("kex_parse_kexinit: first_kex_follows %d ", i); | 113 | debug2("kex_parse_kexinit: first_kex_follows %d ", i); |
114 | i = buffer_get_int(&b); | 114 | i = buffer_get_int(&b); |
115 | debug2("kex_parse_kexinit: reserved %d ", i); | 115 | debug2("kex_parse_kexinit: reserved %u ", i); |
116 | buffer_free(&b); | 116 | buffer_free(&b); |
117 | return proposal; | 117 | return proposal; |
118 | } | 118 | } |
@@ -127,6 +127,7 @@ kex_prop_free(char **proposal) | |||
127 | xfree(proposal); | 127 | xfree(proposal); |
128 | } | 128 | } |
129 | 129 | ||
130 | /* ARGSUSED */ | ||
130 | static void | 131 | static void |
131 | kex_protocol_error(int type, u_int32_t seq, void *ctxt) | 132 | kex_protocol_error(int type, u_int32_t seq, void *ctxt) |
132 | { | 133 | { |
@@ -198,6 +199,7 @@ kex_send_kexinit(Kex *kex) | |||
198 | kex->flags |= KEX_INIT_SENT; | 199 | kex->flags |= KEX_INIT_SENT; |
199 | } | 200 | } |
200 | 201 | ||
202 | /* ARGSUSED */ | ||
201 | void | 203 | void |
202 | kex_input_kexinit(int type, u_int32_t seq, void *ctxt) | 204 | kex_input_kexinit(int type, u_int32_t seq, void *ctxt) |
203 | { | 205 | { |
@@ -262,7 +264,8 @@ choose_enc(Enc *enc, char *client, char *server) | |||
262 | { | 264 | { |
263 | char *name = match_list(client, server, NULL); | 265 | char *name = match_list(client, server, NULL); |
264 | if (name == NULL) | 266 | if (name == NULL) |
265 | fatal("no matching cipher found: client %s server %s", client, server); | 267 | fatal("no matching cipher found: client %s server %s", |
268 | client, server); | ||
266 | if ((enc->cipher = cipher_by_name(name)) == NULL) | 269 | if ((enc->cipher = cipher_by_name(name)) == NULL) |
267 | fatal("matching cipher is not supported: %s", name); | 270 | fatal("matching cipher is not supported: %s", name); |
268 | enc->name = name; | 271 | enc->name = name; |
@@ -278,8 +281,9 @@ choose_mac(Mac *mac, char *client, char *server) | |||
278 | { | 281 | { |
279 | char *name = match_list(client, server, NULL); | 282 | char *name = match_list(client, server, NULL); |
280 | if (name == NULL) | 283 | if (name == NULL) |
281 | fatal("no matching mac found: client %s server %s", client, server); | 284 | fatal("no matching mac found: client %s server %s", |
282 | if (mac_init(mac, name) < 0) | 285 | client, server); |
286 | if (mac_setup(mac, name) < 0) | ||
283 | fatal("unsupported mac %s", name); | 287 | fatal("unsupported mac %s", name); |
284 | /* truncate the key */ | 288 | /* truncate the key */ |
285 | if (datafellows & SSH_BUG_HMAC) | 289 | if (datafellows & SSH_BUG_HMAC) |
@@ -312,7 +316,7 @@ choose_kex(Kex *k, char *client, char *server) | |||
312 | { | 316 | { |
313 | k->name = match_list(client, server, NULL); | 317 | k->name = match_list(client, server, NULL); |
314 | if (k->name == NULL) | 318 | if (k->name == NULL) |
315 | fatal("no kex alg"); | 319 | fatal("Unable to negotiate a key exchange method"); |
316 | if (strcmp(k->name, KEX_DH1) == 0) { | 320 | if (strcmp(k->name, KEX_DH1) == 0) { |
317 | k->kex_type = KEX_DH_GRP1_SHA1; | 321 | k->kex_type = KEX_DH_GRP1_SHA1; |
318 | k->evp_md = EVP_sha1(); | 322 | k->evp_md = EVP_sha1(); |
@@ -406,7 +410,8 @@ kex_choose_conf(Kex *kex) | |||
406 | for (mode = 0; mode < MODE_MAX; mode++) { | 410 | for (mode = 0; mode < MODE_MAX; mode++) { |
407 | newkeys = xcalloc(1, sizeof(*newkeys)); | 411 | newkeys = xcalloc(1, sizeof(*newkeys)); |
408 | kex->newkeys[mode] = newkeys; | 412 | kex->newkeys[mode] = newkeys; |
409 | ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN); | 413 | ctos = (!kex->server && mode == MODE_OUT) || |
414 | (kex->server && mode == MODE_IN); | ||
410 | nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; | 415 | nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; |
411 | nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; | 416 | nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; |
412 | ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; | 417 | ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -28,6 +28,7 @@ | |||
28 | 28 | ||
29 | #include <signal.h> | 29 | #include <signal.h> |
30 | #include <openssl/evp.h> | 30 | #include <openssl/evp.h> |
31 | #include <openssl/hmac.h> | ||
31 | 32 | ||
32 | #define KEX_DH1 "diffie-hellman-group1-sha1" | 33 | #define KEX_DH1 "diffie-hellman-group1-sha1" |
33 | #define KEX_DH14 "diffie-hellman-group14-sha1" | 34 | #define KEX_DH14 "diffie-hellman-group14-sha1" |
@@ -89,10 +90,13 @@ struct Enc { | |||
89 | struct Mac { | 90 | struct Mac { |
90 | char *name; | 91 | char *name; |
91 | int enabled; | 92 | int enabled; |
92 | const EVP_MD *md; | ||
93 | u_int mac_len; | 93 | u_int mac_len; |
94 | u_char *key; | 94 | u_char *key; |
95 | u_int key_len; | 95 | u_int key_len; |
96 | int type; | ||
97 | const EVP_MD *evp_md; | ||
98 | HMAC_CTX evp_ctx; | ||
99 | struct umac_ctx *umac_ctx; | ||
96 | }; | 100 | }; |
97 | struct Comp { | 101 | struct Comp { |
98 | int type; | 102 | int type; |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */ | 1 | /* $OpenBSD: key.c,v 1.69 2007/07/12 05:48:05 ray Exp $ */ |
2 | /* | 2 | /* |
3 | * read_bignum(): | 3 | * read_bignum(): |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -170,9 +170,7 @@ key_equal(const Key *a, const Key *b) | |||
170 | BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; | 170 | BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; |
171 | default: | 171 | default: |
172 | fatal("key_equal: bad key type %d", a->type); | 172 | fatal("key_equal: bad key type %d", a->type); |
173 | break; | ||
174 | } | 173 | } |
175 | return 0; | ||
176 | } | 174 | } |
177 | 175 | ||
178 | u_char* | 176 | u_char* |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */ | 1 | /* $OpenBSD: log.c,v 1.40 2007/05/17 07:50:31 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -44,6 +44,7 @@ | |||
44 | #include <string.h> | 44 | #include <string.h> |
45 | #include <syslog.h> | 45 | #include <syslog.h> |
46 | #include <unistd.h> | 46 | #include <unistd.h> |
47 | #include <errno.h> | ||
47 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) | 48 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) |
48 | # include <vis.h> | 49 | # include <vis.h> |
49 | #endif | 50 | #endif |
@@ -315,6 +316,7 @@ do_log(LogLevel level, const char *fmt, va_list args) | |||
315 | char fmtbuf[MSGBUFSIZ]; | 316 | char fmtbuf[MSGBUFSIZ]; |
316 | char *txt = NULL; | 317 | char *txt = NULL; |
317 | int pri = LOG_INFO; | 318 | int pri = LOG_INFO; |
319 | int saved_errno = errno; | ||
318 | 320 | ||
319 | if (level > log_level) | 321 | if (level > log_level) |
320 | return; | 322 | return; |
@@ -375,4 +377,5 @@ do_log(LogLevel level, const char *fmt, va_list args) | |||
375 | closelog(); | 377 | closelog(); |
376 | #endif | 378 | #endif |
377 | } | 379 | } |
380 | errno = saved_errno; | ||
378 | } | 381 | } |
diff --git a/loginrec.c b/loginrec.c index e59127747..b41114198 100644 --- a/loginrec.c +++ b/loginrec.c | |||
@@ -161,6 +161,7 @@ | |||
161 | #include <pwd.h> | 161 | #include <pwd.h> |
162 | #include <stdarg.h> | 162 | #include <stdarg.h> |
163 | #include <string.h> | 163 | #include <string.h> |
164 | #include <time.h> | ||
164 | #include <unistd.h> | 165 | #include <unistd.h> |
165 | 166 | ||
166 | #include "xmalloc.h" | 167 | #include "xmalloc.h" |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: mac.c,v 1.14 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -42,63 +42,126 @@ | |||
42 | #include "mac.h" | 42 | #include "mac.h" |
43 | #include "misc.h" | 43 | #include "misc.h" |
44 | 44 | ||
45 | #include "umac.h" | ||
46 | |||
47 | #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ | ||
48 | #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ | ||
49 | |||
45 | struct { | 50 | struct { |
46 | char *name; | 51 | char *name; |
52 | int type; | ||
47 | const EVP_MD * (*mdfunc)(void); | 53 | const EVP_MD * (*mdfunc)(void); |
48 | int truncatebits; /* truncate digest if != 0 */ | 54 | int truncatebits; /* truncate digest if != 0 */ |
55 | int key_len; /* just for UMAC */ | ||
56 | int len; /* just for UMAC */ | ||
49 | } macs[] = { | 57 | } macs[] = { |
50 | { "hmac-sha1", EVP_sha1, 0, }, | 58 | { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, |
51 | { "hmac-sha1-96", EVP_sha1, 96 }, | 59 | { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, |
52 | { "hmac-md5", EVP_md5, 0 }, | 60 | { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, |
53 | { "hmac-md5-96", EVP_md5, 96 }, | 61 | { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, |
54 | { "hmac-ripemd160", EVP_ripemd160, 0 }, | 62 | { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, |
55 | { "hmac-ripemd160@openssh.com", EVP_ripemd160, 0 }, | 63 | { "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, |
56 | { NULL, NULL, 0 } | 64 | { "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 }, |
65 | { NULL, 0, NULL, 0, -1, -1 } | ||
57 | }; | 66 | }; |
58 | 67 | ||
68 | static void | ||
69 | mac_setup_by_id(Mac *mac, int which) | ||
70 | { | ||
71 | int evp_len; | ||
72 | mac->type = macs[which].type; | ||
73 | if (mac->type == SSH_EVP) { | ||
74 | mac->evp_md = (*macs[which].mdfunc)(); | ||
75 | if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0) | ||
76 | fatal("mac %s len %d", mac->name, evp_len); | ||
77 | mac->key_len = mac->mac_len = (u_int)evp_len; | ||
78 | } else { | ||
79 | mac->mac_len = macs[which].len / 8; | ||
80 | mac->key_len = macs[which].key_len / 8; | ||
81 | mac->umac_ctx = NULL; | ||
82 | } | ||
83 | if (macs[which].truncatebits != 0) | ||
84 | mac->mac_len = macs[which].truncatebits / 8; | ||
85 | } | ||
86 | |||
59 | int | 87 | int |
60 | mac_init(Mac *mac, char *name) | 88 | mac_setup(Mac *mac, char *name) |
61 | { | 89 | { |
62 | int i, evp_len; | 90 | int i; |
63 | 91 | ||
64 | for (i = 0; macs[i].name; i++) { | 92 | for (i = 0; macs[i].name; i++) { |
65 | if (strcmp(name, macs[i].name) == 0) { | 93 | if (strcmp(name, macs[i].name) == 0) { |
66 | if (mac != NULL) { | 94 | if (mac != NULL) |
67 | mac->md = (*macs[i].mdfunc)(); | 95 | mac_setup_by_id(mac, i); |
68 | if ((evp_len = EVP_MD_size(mac->md)) <= 0) | 96 | debug2("mac_setup: found %s", name); |
69 | fatal("mac %s len %d", name, evp_len); | ||
70 | mac->key_len = mac->mac_len = (u_int)evp_len; | ||
71 | if (macs[i].truncatebits != 0) | ||
72 | mac->mac_len = macs[i].truncatebits/8; | ||
73 | } | ||
74 | debug2("mac_init: found %s", name); | ||
75 | return (0); | 97 | return (0); |
76 | } | 98 | } |
77 | } | 99 | } |
78 | debug2("mac_init: unknown %s", name); | 100 | debug2("mac_setup: unknown %s", name); |
79 | return (-1); | 101 | return (-1); |
80 | } | 102 | } |
81 | 103 | ||
104 | int | ||
105 | mac_init(Mac *mac) | ||
106 | { | ||
107 | if (mac->key == NULL) | ||
108 | fatal("mac_init: no key"); | ||
109 | switch (mac->type) { | ||
110 | case SSH_EVP: | ||
111 | if (mac->evp_md == NULL) | ||
112 | return -1; | ||
113 | HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md); | ||
114 | return 0; | ||
115 | case SSH_UMAC: | ||
116 | mac->umac_ctx = umac_new(mac->key); | ||
117 | return 0; | ||
118 | default: | ||
119 | return -1; | ||
120 | } | ||
121 | } | ||
122 | |||
82 | u_char * | 123 | u_char * |
83 | mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) | 124 | mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) |
84 | { | 125 | { |
85 | HMAC_CTX c; | ||
86 | static u_char m[EVP_MAX_MD_SIZE]; | 126 | static u_char m[EVP_MAX_MD_SIZE]; |
87 | u_char b[4]; | 127 | u_char b[4], nonce[8]; |
88 | 128 | ||
89 | if (mac->key == NULL) | ||
90 | fatal("mac_compute: no key"); | ||
91 | if (mac->mac_len > sizeof(m)) | 129 | if (mac->mac_len > sizeof(m)) |
92 | fatal("mac_compute: mac too long"); | 130 | fatal("mac_compute: mac too long %u %lu", |
93 | HMAC_Init(&c, mac->key, mac->key_len, mac->md); | 131 | mac->mac_len, sizeof(m)); |
94 | put_u32(b, seqno); | 132 | |
95 | HMAC_Update(&c, b, sizeof(b)); | 133 | switch (mac->type) { |
96 | HMAC_Update(&c, data, datalen); | 134 | case SSH_EVP: |
97 | HMAC_Final(&c, m, NULL); | 135 | put_u32(b, seqno); |
98 | HMAC_cleanup(&c); | 136 | /* reset HMAC context */ |
137 | HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); | ||
138 | HMAC_Update(&mac->evp_ctx, b, sizeof(b)); | ||
139 | HMAC_Update(&mac->evp_ctx, data, datalen); | ||
140 | HMAC_Final(&mac->evp_ctx, m, NULL); | ||
141 | break; | ||
142 | case SSH_UMAC: | ||
143 | put_u64(nonce, seqno); | ||
144 | umac_update(mac->umac_ctx, data, datalen); | ||
145 | umac_final(mac->umac_ctx, m, nonce); | ||
146 | break; | ||
147 | default: | ||
148 | fatal("mac_compute: unknown MAC type"); | ||
149 | } | ||
99 | return (m); | 150 | return (m); |
100 | } | 151 | } |
101 | 152 | ||
153 | void | ||
154 | mac_clear(Mac *mac) | ||
155 | { | ||
156 | if (mac->type == SSH_UMAC) { | ||
157 | if (mac->umac_ctx != NULL) | ||
158 | umac_delete(mac->umac_ctx); | ||
159 | } else if (mac->evp_md != NULL) | ||
160 | HMAC_cleanup(&mac->evp_ctx); | ||
161 | mac->evp_md = NULL; | ||
162 | mac->umac_ctx = NULL; | ||
163 | } | ||
164 | |||
102 | /* XXX copied from ciphers_valid */ | 165 | /* XXX copied from ciphers_valid */ |
103 | #define MAC_SEP "," | 166 | #define MAC_SEP "," |
104 | int | 167 | int |
@@ -111,7 +174,7 @@ mac_valid(const char *names) | |||
111 | maclist = cp = xstrdup(names); | 174 | maclist = cp = xstrdup(names); |
112 | for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0'; | 175 | for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0'; |
113 | (p = strsep(&cp, MAC_SEP))) { | 176 | (p = strsep(&cp, MAC_SEP))) { |
114 | if (mac_init(NULL, p) < 0) { | 177 | if (mac_setup(NULL, p) < 0) { |
115 | debug("bad mac %s [%s]", p, names); | 178 | debug("bad mac %s [%s]", p, names); |
116 | xfree(maclist); | 179 | xfree(maclist); |
117 | return (0); | 180 | return (0); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */ | 1 | /* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -24,5 +24,7 @@ | |||
24 | */ | 24 | */ |
25 | 25 | ||
26 | int mac_valid(const char *); | 26 | int mac_valid(const char *); |
27 | int mac_init(Mac *, char *); | 27 | int mac_setup(Mac *, char *); |
28 | int mac_init(Mac *); | ||
28 | u_char *mac_compute(Mac *, u_int32_t, u_char *, int); | 29 | u_char *mac_compute(Mac *, u_int32_t, u_char *, int); |
30 | void mac_clear(Mac *); | ||
diff --git a/mdoc2man.awk b/mdoc2man.awk index d6eaf4601..9d1126769 100644 --- a/mdoc2man.awk +++ b/mdoc2man.awk | |||
@@ -1,6 +1,9 @@ | |||
1 | #!/usr/bin/awk | 1 | #!/usr/bin/awk |
2 | # | 2 | # |
3 | # $Id: mdoc2man.awk,v 1.8 2007/06/05 10:01:16 dtucker Exp $ | ||
4 | # | ||
3 | # Version history: | 5 | # Version history: |
6 | # v4+ Adapted for OpenSSH Portable (see cvs Id and history) | ||
4 | # v3, I put the program under a proper license | 7 | # v3, I put the program under a proper license |
5 | # Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo | 8 | # Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo |
6 | # v2, fixed to work on GNU awk --posix and MacOS X | 9 | # v2, fixed to work on GNU awk --posix and MacOS X |
@@ -135,6 +138,12 @@ function add(str) { | |||
135 | nospace=0 | 138 | nospace=0 |
136 | } | 139 | } |
137 | if(match(words[w],"^Dd$")) { | 140 | if(match(words[w],"^Dd$")) { |
141 | if(match(words[w+1],"^\\$Mdocdate:")) { | ||
142 | w++; | ||
143 | if(match(words[w+4],"^\\$$")) { | ||
144 | words[w+4] = "" | ||
145 | } | ||
146 | } | ||
138 | date=wtail() | 147 | date=wtail() |
139 | next | 148 | next |
140 | } else if(match(words[w],"^Dt$")) { | 149 | } else if(match(words[w],"^Dt$")) { |
@@ -157,6 +166,7 @@ function add(str) { | |||
157 | refissue="" | 166 | refissue="" |
158 | refdate="" | 167 | refdate="" |
159 | refopt="" | 168 | refopt="" |
169 | refreport="" | ||
160 | reference=1 | 170 | reference=1 |
161 | next | 171 | next |
162 | } else if(match(words[w],"^Re$")) { | 172 | } else if(match(words[w],"^Re$")) { |
@@ -168,9 +178,14 @@ function add(str) { | |||
168 | } | 178 | } |
169 | if(nrefauthors>1) | 179 | if(nrefauthors>1) |
170 | add(" and ") | 180 | add(" and ") |
171 | add(refauthors[0] ", \\fI" reftitle "\\fP") | 181 | if(nrefauthors>0) |
182 | add(refauthors[0] ", ") | ||
183 | add("\\fI" reftitle "\\fP") | ||
172 | if(length(refissue)) | 184 | if(length(refissue)) |
173 | add(", " refissue) | 185 | add(", " refissue) |
186 | if(length(refreport)) { | ||
187 | add(", " refreport) | ||
188 | } | ||
174 | if(length(refdate)) | 189 | if(length(refdate)) |
175 | add(", " refdate) | 190 | add(", " refdate) |
176 | if(length(refopt)) | 191 | if(length(refopt)) |
@@ -187,6 +202,7 @@ function add(str) { | |||
187 | if(match(words[w],"^%N$")) { refissue=wtail() } | 202 | if(match(words[w],"^%N$")) { refissue=wtail() } |
188 | if(match(words[w],"^%D$")) { refdate=wtail() } | 203 | if(match(words[w],"^%D$")) { refdate=wtail() } |
189 | if(match(words[w],"^%O$")) { refopt=wtail() } | 204 | if(match(words[w],"^%O$")) { refopt=wtail() } |
205 | if(match(words[w],"^%R$")) { refreport=wtail() } | ||
190 | } else if(match(words[w],"^Nm$")) { | 206 | } else if(match(words[w],"^Nm$")) { |
191 | if(synopsis) { | 207 | if(synopsis) { |
192 | add(".br") | 208 | add(".br") |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.91 2007/05/17 20:52:13 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -422,6 +422,7 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
422 | monitor_set_child_handler(pmonitor->m_pid); | 422 | monitor_set_child_handler(pmonitor->m_pid); |
423 | signal(SIGHUP, &monitor_child_handler); | 423 | signal(SIGHUP, &monitor_child_handler); |
424 | signal(SIGTERM, &monitor_child_handler); | 424 | signal(SIGTERM, &monitor_child_handler); |
425 | signal(SIGINT, &monitor_child_handler); | ||
425 | 426 | ||
426 | if (compat20) { | 427 | if (compat20) { |
427 | mon_dispatch = mon_dispatch_postauth20; | 428 | mon_dispatch = mon_dispatch_postauth20; |
diff --git a/monitor_wrap.c b/monitor_wrap.c index 448324b81..752af6f93 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */ | 1 | /* $OpenBSD: monitor_wrap.c,v 1.57 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -494,8 +494,8 @@ mm_newkeys_from_blob(u_char *blob, int blen) | |||
494 | 494 | ||
495 | /* Mac structure */ | 495 | /* Mac structure */ |
496 | mac->name = buffer_get_string(&b, NULL); | 496 | mac->name = buffer_get_string(&b, NULL); |
497 | if (mac->name == NULL || mac_init(mac, mac->name) == -1) | 497 | if (mac->name == NULL || mac_setup(mac, mac->name) == -1) |
498 | fatal("%s: can not init mac %s", __func__, mac->name); | 498 | fatal("%s: can not setup mac %s", __func__, mac->name); |
499 | mac->enabled = buffer_get_int(&b); | 499 | mac->enabled = buffer_get_int(&b); |
500 | mac->key = buffer_get_string(&b, &len); | 500 | mac->key = buffer_get_string(&b, &len); |
501 | if (len > mac->key_len) | 501 | if (len > mac->key_len) |
diff --git a/myproposal.h b/myproposal.h index e246e0dd9..87a9e5820 100644 --- a/myproposal.h +++ b/myproposal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.22 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -47,7 +47,7 @@ | |||
47 | "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ | 47 | "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ |
48 | "aes128-ctr,aes192-ctr,aes256-ctr" | 48 | "aes128-ctr,aes192-ctr,aes256-ctr" |
49 | #define KEX_DEFAULT_MAC \ | 49 | #define KEX_DEFAULT_MAC \ |
50 | "hmac-md5,hmac-sha1,hmac-ripemd160," \ | 50 | "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \ |
51 | "hmac-ripemd160@openssh.com," \ | 51 | "hmac-ripemd160@openssh.com," \ |
52 | "hmac-sha1-96,hmac-md5-96" | 52 | "hmac-sha1-96,hmac-md5-96" |
53 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" | 53 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" |
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 9f06605d7..b44a7851e 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $ | 1 | # $Id: Makefile.in,v 1.41 2007/06/25 12:15:13 dtucker Exp $ |
2 | 2 | ||
3 | sysconfdir=@sysconfdir@ | 3 | sysconfdir=@sysconfdir@ |
4 | piddir=@piddir@ | 4 | piddir=@piddir@ |
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ | |||
18 | 18 | ||
19 | OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o | 19 | OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o |
20 | 20 | ||
21 | COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o | 21 | COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o |
22 | 22 | ||
23 | PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o | 23 | PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o |
24 | 24 | ||
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index 1532c991c..f1bbd7dec 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $ | 2 | * $Id: bsd-cray.c,v 1.17 2007/08/15 09:17:43 dtucker Exp $ |
3 | * | 3 | * |
4 | * bsd-cray.c | 4 | * bsd-cray.c |
5 | * | 5 | * |
@@ -751,8 +751,6 @@ cray_job_termination_handler(int sig) | |||
751 | char *login = NULL; | 751 | char *login = NULL; |
752 | struct jtab jtab; | 752 | struct jtab jtab; |
753 | 753 | ||
754 | debug("received signal %d",sig); | ||
755 | |||
756 | if ((jid = waitjob(&jtab)) == -1 || | 754 | if ((jid = waitjob(&jtab)) == -1 || |
757 | (login = uid2nam(jtab.j_uid)) == NULL) | 755 | (login = uid2nam(jtab.j_uid)) == NULL) |
758 | return; | 756 | return; |
diff --git a/openbsd-compat/bsd-getpeereid.c b/openbsd-compat/bsd-getpeereid.c index bdae8b637..5f7e677e5 100644 --- a/openbsd-compat/bsd-getpeereid.c +++ b/openbsd-compat/bsd-getpeereid.c | |||
@@ -37,6 +37,28 @@ getpeereid(int s, uid_t *euid, gid_t *gid) | |||
37 | 37 | ||
38 | return (0); | 38 | return (0); |
39 | } | 39 | } |
40 | #elif defined(HAVE_GETPEERUCRED) | ||
41 | |||
42 | #ifdef HAVE_UCRED_H | ||
43 | # include <ucred.h> | ||
44 | #endif | ||
45 | |||
46 | int | ||
47 | getpeereid(int s, uid_t *euid, gid_t *gid) | ||
48 | { | ||
49 | ucred_t *ucred = NULL; | ||
50 | |||
51 | if (getpeerucred(s, &ucred) == -1) | ||
52 | return (-1); | ||
53 | if ((*euid = ucred_geteuid(ucred)) == -1) | ||
54 | return (-1); | ||
55 | if ((*gid = ucred_getrgid(ucred)) == -1) | ||
56 | return (-1); | ||
57 | |||
58 | ucred_free(ucred); | ||
59 | |||
60 | return (0); | ||
61 | } | ||
40 | #else | 62 | #else |
41 | int | 63 | int |
42 | getpeereid(int s, uid_t *euid, gid_t *gid) | 64 | getpeereid(int s, uid_t *euid, gid_t *gid) |
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 17d731bd2..55f100ac0 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c | |||
@@ -17,6 +17,7 @@ | |||
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | 19 | ||
20 | #include <sys/types.h> | ||
20 | #ifdef HAVE_SYS_SELECT_H | 21 | #ifdef HAVE_SYS_SELECT_H |
21 | # include <sys/select.h> | 22 | # include <sys/select.h> |
22 | #endif | 23 | #endif |
@@ -27,6 +28,7 @@ | |||
27 | #include <string.h> | 28 | #include <string.h> |
28 | #include <signal.h> | 29 | #include <signal.h> |
29 | #include <stdlib.h> | 30 | #include <stdlib.h> |
31 | #include <unistd.h> | ||
30 | 32 | ||
31 | #include "xmalloc.h" | 33 | #include "xmalloc.h" |
32 | 34 | ||
@@ -156,7 +158,8 @@ int nanosleep(const struct timespec *req, struct timespec *rem) | |||
156 | tremain.tv_sec = 0; | 158 | tremain.tv_sec = 0; |
157 | tremain.tv_usec = 0; | 159 | tremain.tv_usec = 0; |
158 | } | 160 | } |
159 | TIMEVAL_TO_TIMESPEC(&tremain, rem) | 161 | if (rem != NULL) |
162 | TIMEVAL_TO_TIMESPEC(&tremain, rem) | ||
160 | 163 | ||
161 | return(rc); | 164 | return(rc); |
162 | } | 165 | } |
diff --git a/openbsd-compat/bsd-poll.c b/openbsd-compat/bsd-poll.c new file mode 100644 index 000000000..836882eea --- /dev/null +++ b/openbsd-compat/bsd-poll.c | |||
@@ -0,0 +1,117 @@ | |||
1 | /* $Id: bsd-poll.c,v 1.1 2007/06/25 12:15:13 dtucker Exp $ */ | ||
2 | |||
3 | /* | ||
4 | * Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au). | ||
5 | * | ||
6 | * Permission to use, copy, modify, and distribute this software for any | ||
7 | * purpose with or without fee is hereby granted, provided that the above | ||
8 | * copyright notice and this permission notice appear in all copies. | ||
9 | * | ||
10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
17 | */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | #if !defined(HAVE_POLL) && defined(HAVE_SELECT) | ||
21 | |||
22 | #ifdef HAVE_SYS_SELECT_H | ||
23 | # include <sys/select.h> | ||
24 | #endif | ||
25 | |||
26 | #include <errno.h> | ||
27 | #include "bsd-poll.h" | ||
28 | |||
29 | /* | ||
30 | * A minimal implementation of poll(2), built on top of select(2). | ||
31 | * | ||
32 | * Only supports POLLIN and POLLOUT flags in pfd.events, and POLLIN, POLLOUT | ||
33 | * and POLLERR flags in revents. | ||
34 | * | ||
35 | * Supports pfd.fd = -1 meaning "unused" although it's not standard. | ||
36 | */ | ||
37 | |||
38 | int | ||
39 | poll(struct pollfd *fds, nfds_t nfds, int timeout) | ||
40 | { | ||
41 | nfds_t i; | ||
42 | int saved_errno, ret, fd, maxfd = 0; | ||
43 | fd_set *readfds = NULL, *writefds = NULL, *exceptfds = NULL; | ||
44 | size_t nmemb; | ||
45 | struct timeval tv, *tvp = NULL; | ||
46 | |||
47 | for (i = 0; i < nfds; i++) { | ||
48 | if (fd >= FD_SETSIZE) { | ||
49 | errno = EINVAL; | ||
50 | return -1; | ||
51 | } | ||
52 | maxfd = MAX(maxfd, fds[i].fd); | ||
53 | } | ||
54 | |||
55 | nmemb = howmany(maxfd + 1 , NFDBITS); | ||
56 | if ((readfds = calloc(nmemb, sizeof(fd_mask))) == NULL || | ||
57 | (writefds = calloc(nmemb, sizeof(fd_mask))) == NULL || | ||
58 | (exceptfds = calloc(nmemb, sizeof(fd_mask))) == NULL) { | ||
59 | saved_errno = ENOMEM; | ||
60 | ret = -1; | ||
61 | goto out; | ||
62 | } | ||
63 | |||
64 | /* populate event bit vectors for the events we're interested in */ | ||
65 | for (i = 0; i < nfds; i++) { | ||
66 | fd = fds[i].fd; | ||
67 | if (fd == -1) | ||
68 | continue; | ||
69 | if (fds[i].events & POLLIN) { | ||
70 | FD_SET(fd, readfds); | ||
71 | FD_SET(fd, exceptfds); | ||
72 | } | ||
73 | if (fds[i].events & POLLOUT) { | ||
74 | FD_SET(fd, writefds); | ||
75 | FD_SET(fd, exceptfds); | ||
76 | } | ||
77 | } | ||
78 | |||
79 | /* poll timeout is msec, select is timeval (sec + usec) */ | ||
80 | if (timeout >= 0) { | ||
81 | tv.tv_sec = timeout / 1000; | ||
82 | tv.tv_usec = (timeout % 1000) * 1000; | ||
83 | tvp = &tv; | ||
84 | } | ||
85 | |||
86 | ret = select(maxfd + 1, readfds, writefds, exceptfds, tvp); | ||
87 | saved_errno = errno; | ||
88 | |||
89 | /* scan through select results and set poll() flags */ | ||
90 | for (i = 0; i < nfds; i++) { | ||
91 | fd = fds[i].fd; | ||
92 | fds[i].revents = 0; | ||
93 | if (fd == -1) | ||
94 | continue; | ||
95 | if (FD_ISSET(fd, readfds)) { | ||
96 | fds[i].revents |= POLLIN; | ||
97 | } | ||
98 | if (FD_ISSET(fd, writefds)) { | ||
99 | fds[i].revents |= POLLOUT; | ||
100 | } | ||
101 | if (FD_ISSET(fd, exceptfds)) { | ||
102 | fds[i].revents |= POLLERR; | ||
103 | } | ||
104 | } | ||
105 | |||
106 | out: | ||
107 | if (readfds != NULL) | ||
108 | free(readfds); | ||
109 | if (writefds != NULL) | ||
110 | free(writefds); | ||
111 | if (exceptfds != NULL) | ||
112 | free(exceptfds); | ||
113 | if (ret == -1) | ||
114 | errno = saved_errno; | ||
115 | return ret; | ||
116 | } | ||
117 | #endif | ||
diff --git a/openbsd-compat/bsd-poll.h b/openbsd-compat/bsd-poll.h new file mode 100644 index 000000000..dcbb9ca40 --- /dev/null +++ b/openbsd-compat/bsd-poll.h | |||
@@ -0,0 +1,61 @@ | |||
1 | /* $OpenBSD: poll.h,v 1.11 2003/12/10 23:10:08 millert Exp $ */ | ||
2 | |||
3 | /* | ||
4 | * Copyright (c) 1996 Theo de Raadt | ||
5 | * All rights reserved. | ||
6 | * | ||
7 | * Redistribution and use in source and binary forms, with or without | ||
8 | * modification, are permitted provided that the following conditions | ||
9 | * are met: | ||
10 | * 1. Redistributions of source code must retain the above copyright | ||
11 | * notice, this list of conditions and the following disclaimer. | ||
12 | * 2. Redistributions in binary form must reproduce the above copyright | ||
13 | * notice, this list of conditions and the following disclaimer in the | ||
14 | * documentation and/or other materials provided with the distribution. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
17 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
18 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
19 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
21 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
22 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
23 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
25 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | /* OPENBSD ORIGINAL: sys/sys/poll.h */ | ||
29 | |||
30 | #if !defined(HAVE_POLL) && !defined(HAVE_POLL_H) | ||
31 | #ifndef _COMPAT_POLL_H_ | ||
32 | #define _COMPAT_POLL_H_ | ||
33 | |||
34 | typedef struct pollfd { | ||
35 | int fd; | ||
36 | short events; | ||
37 | short revents; | ||
38 | } pollfd_t; | ||
39 | |||
40 | typedef unsigned int nfds_t; | ||
41 | |||
42 | #define POLLIN 0x0001 | ||
43 | #define POLLOUT 0x0004 | ||
44 | #define POLLERR 0x0008 | ||
45 | #if 0 | ||
46 | /* the following are currently not implemented */ | ||
47 | #define POLLPRI 0x0002 | ||
48 | #define POLLHUP 0x0010 | ||
49 | #define POLLNVAL 0x0020 | ||
50 | #define POLLRDNORM 0x0040 | ||
51 | #define POLLNORM POLLRDNORM | ||
52 | #define POLLWRNORM POLLOUT | ||
53 | #define POLLRDBAND 0x0080 | ||
54 | #define POLLWRBAND 0x0100 | ||
55 | #endif | ||
56 | |||
57 | #define INFTIM (-1) /* not standard */ | ||
58 | |||
59 | int poll(struct pollfd *, nfds_t, int); | ||
60 | #endif /* !_COMPAT_POLL_H_ */ | ||
61 | #endif /* !HAVE_POLL_H */ | ||
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 07231d005..80af3f542 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c | |||
@@ -67,13 +67,9 @@ extern int h_errno; | |||
67 | #endif | 67 | #endif |
68 | #define _THREAD_PRIVATE(a,b,c) (c) | 68 | #define _THREAD_PRIVATE(a,b,c) (c) |
69 | 69 | ||
70 | /* to avoid conflicts where a platform already has _res */ | 70 | #ifndef HAVE__RES_EXTERN |
71 | #ifdef _res | ||
72 | # undef _res | ||
73 | #endif | ||
74 | #define _res _compat_res | ||
75 | |||
76 | struct __res_state _res; | 71 | struct __res_state _res; |
72 | #endif | ||
77 | 73 | ||
78 | /* Necessary functions and macros */ | 74 | /* Necessary functions and macros */ |
79 | 75 | ||
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index aac2e6cbc..6406af19d 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */ | 1 | /* $Id: openbsd-compat.h,v 1.43 2007/06/25 12:15:13 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. | 4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. |
@@ -140,6 +140,7 @@ int writev(int, struct iovec *, int); | |||
140 | /* Home grown routines */ | 140 | /* Home grown routines */ |
141 | #include "bsd-misc.h" | 141 | #include "bsd-misc.h" |
142 | #include "bsd-waitpid.h" | 142 | #include "bsd-waitpid.h" |
143 | #include "bsd-poll.h" | ||
143 | 144 | ||
144 | #ifndef HAVE_GETPEEREID | 145 | #ifndef HAVE_GETPEEREID |
145 | int getpeereid(int , uid_t *, gid_t *); | 146 | int getpeereid(int , uid_t *, gid_t *); |
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 9b5ccff5f..f1d2f19fc 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */ | 1 | /* $Id: openssl-compat.h,v 1.10 2007/06/14 13:47:31 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> | 4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> |
@@ -29,6 +29,11 @@ | |||
29 | #endif | 29 | #endif |
30 | 30 | ||
31 | #ifdef USE_BUILTIN_RIJNDAEL | 31 | #ifdef USE_BUILTIN_RIJNDAEL |
32 | # include "rijndael.h" | ||
33 | # define AES_KEY rijndael_ctx | ||
34 | # define AES_BLOCK_SIZE 16 | ||
35 | # define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b) | ||
36 | # define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1) | ||
32 | # define EVP_aes_128_cbc evp_rijndael | 37 | # define EVP_aes_128_cbc evp_rijndael |
33 | # define EVP_aes_192_cbc evp_rijndael | 38 | # define EVP_aes_192_cbc evp_rijndael |
34 | # define EVP_aes_256_cbc evp_rijndael | 39 | # define EVP_aes_256_cbc evp_rijndael |
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index b9fabf61f..94faec670 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c | |||
@@ -240,7 +240,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg) | |||
240 | 240 | ||
241 | /* | 241 | /* |
242 | * Don't perform checks for root account (PermitRootLogin controls | 242 | * Don't perform checks for root account (PermitRootLogin controls |
243 | * logins via * ssh) or if running as non-root user (since | 243 | * logins via ssh) or if running as non-root user (since |
244 | * loginrestrictions will always fail due to insufficient privilege). | 244 | * loginrestrictions will always fail due to insufficient privilege). |
245 | */ | 245 | */ |
246 | if (pw->pw_uid == 0 || geteuid() != 0) { | 246 | if (pw->pw_uid == 0 || geteuid() != 0) { |
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 7f15d06fb..485929133 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */ | 1 | /* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> | 4 | * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> |
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c index 6f3523902..ebc229a6a 100644 --- a/openbsd-compat/port-uw.c +++ b/openbsd-compat/port-uw.c | |||
@@ -79,7 +79,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password) | |||
79 | #endif /* UNIXWARE_LONG_PASSWORDS */ | 79 | #endif /* UNIXWARE_LONG_PASSWORDS */ |
80 | result = (strcmp(xcrypt(password, salt), pw_password) == 0); | 80 | result = (strcmp(xcrypt(password, salt), pw_password) == 0); |
81 | 81 | ||
82 | #if !defined(BROKEN_LIBIAF) | 82 | #ifdef USE_LIBIAF |
83 | if (authctxt->valid) | 83 | if (authctxt->valid) |
84 | free(pw_password); | 84 | free(pw_password); |
85 | #endif | 85 | #endif |
@@ -127,7 +127,7 @@ nischeck(char *namep) | |||
127 | functions that call shadow_pw() will need to free | 127 | functions that call shadow_pw() will need to free |
128 | */ | 128 | */ |
129 | 129 | ||
130 | #if !defined(BROKEN_LIBIAF) | 130 | #ifdef USE_LIBIAF |
131 | char * | 131 | char * |
132 | get_iaf_password(struct passwd *pw) | 132 | get_iaf_password(struct passwd *pw) |
133 | { | 133 | { |
@@ -144,6 +144,6 @@ get_iaf_password(struct passwd *pw) | |||
144 | else | 144 | else |
145 | fatal("ia_openinfo: Unable to open the shadow passwd file"); | 145 | fatal("ia_openinfo: Unable to open the shadow passwd file"); |
146 | } | 146 | } |
147 | #endif /* !BROKEN_LIBIAF */ | 147 | #endif /* USE_LIBIAF */ |
148 | #endif /* HAVE_LIBIAF */ | 148 | #endif /* HAVE_LIBIAF */ |
149 | 149 | ||
diff --git a/openbsd-compat/port-uw.h b/openbsd-compat/port-uw.h index 3589b2e44..263d8b5a7 100644 --- a/openbsd-compat/port-uw.h +++ b/openbsd-compat/port-uw.h | |||
@@ -24,7 +24,7 @@ | |||
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | 26 | ||
27 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | 27 | #ifdef USE_LIBIAF |
28 | char * get_iaf_password(struct passwd *pw); | 28 | char * get_iaf_password(struct passwd *pw); |
29 | #endif | 29 | #endif |
30 | 30 | ||
diff --git a/openbsd-compat/regress/closefromtest.c b/openbsd-compat/regress/closefromtest.c index feb1b567d..bb129fa16 100644 --- a/openbsd-compat/regress/closefromtest.c +++ b/openbsd-compat/regress/closefromtest.c | |||
@@ -38,7 +38,7 @@ main(void) | |||
38 | char buf[512]; | 38 | char buf[512]; |
39 | 39 | ||
40 | for (i = 0; i < NUM_OPENS; i++) | 40 | for (i = 0; i < NUM_OPENS; i++) |
41 | if ((fds[i] = open("/dev/null", "r")) == -1) | 41 | if ((fds[i] = open("/dev/null", O_RDONLY)) == -1) |
42 | exit(0); /* can't test */ | 42 | exit(0); /* can't test */ |
43 | max = i - 1; | 43 | max = i - 1; |
44 | 44 | ||
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index 14899321f..d8636bb39 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c | |||
@@ -98,7 +98,7 @@ shadow_pw(struct passwd *pw) | |||
98 | pw_password = spw->sp_pwdp; | 98 | pw_password = spw->sp_pwdp; |
99 | # endif | 99 | # endif |
100 | 100 | ||
101 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | 101 | #ifdef USE_LIBIAF |
102 | return(get_iaf_password(pw)); | 102 | return(get_iaf_password(pw)); |
103 | #endif | 103 | #endif |
104 | 104 | ||
diff --git a/openbsd-compat/xmmap.c b/openbsd-compat/xmmap.c index 0fb23269b..23efe3888 100644 --- a/openbsd-compat/xmmap.c +++ b/openbsd-compat/xmmap.c | |||
@@ -23,7 +23,7 @@ | |||
23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | */ | 24 | */ |
25 | 25 | ||
26 | /* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */ | 26 | /* $Id: xmmap.c,v 1.14 2007/06/11 02:52:24 djm Exp $ */ |
27 | 27 | ||
28 | #include "includes.h" | 28 | #include "includes.h" |
29 | 29 | ||
@@ -38,12 +38,14 @@ | |||
38 | #endif | 38 | #endif |
39 | #include <errno.h> | 39 | #include <errno.h> |
40 | #include <stdarg.h> | 40 | #include <stdarg.h> |
41 | #include <stdlib.h> | ||
41 | #include <string.h> | 42 | #include <string.h> |
42 | #include <unistd.h> | 43 | #include <unistd.h> |
43 | 44 | ||
44 | #include "log.h" | 45 | #include "log.h" |
45 | 46 | ||
46 | void *xmmap(size_t size) | 47 | void * |
48 | xmmap(size_t size) | ||
47 | { | 49 | { |
48 | #ifdef HAVE_MMAP | 50 | #ifdef HAVE_MMAP |
49 | void *address; | 51 | void *address; |
diff --git a/openssh.xml.in b/openssh.xml.in index 2fcdea0a1..8afe1d366 100644 --- a/openssh.xml.in +++ b/openssh.xml.in | |||
@@ -19,7 +19,7 @@ | |||
19 | <service_bundle type='manifest' name='OpenSSH server'> | 19 | <service_bundle type='manifest' name='OpenSSH server'> |
20 | 20 | ||
21 | <service | 21 | <service |
22 | name='site/openssh' | 22 | name='site/__SYSVINIT_NAME__' |
23 | type='service' | 23 | type='service' |
24 | version='1'> | 24 | version='1'> |
25 | 25 | ||
@@ -56,7 +56,7 @@ | |||
56 | <exec_method | 56 | <exec_method |
57 | name='start' | 57 | name='start' |
58 | type='method' | 58 | type='method' |
59 | exec='/lib/svc/method/site/__SYSVINIT_NAME__ start' | 59 | exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start' |
60 | timeout_seconds='60'> | 60 | timeout_seconds='60'> |
61 | <method_context/> | 61 | <method_context/> |
62 | </exec_method> | 62 | </exec_method> |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -632,7 +632,7 @@ set_newkeys(int mode) | |||
632 | enc = &newkeys[mode]->enc; | 632 | enc = &newkeys[mode]->enc; |
633 | mac = &newkeys[mode]->mac; | 633 | mac = &newkeys[mode]->mac; |
634 | comp = &newkeys[mode]->comp; | 634 | comp = &newkeys[mode]->comp; |
635 | memset(mac->key, 0, mac->key_len); | 635 | mac_clear(mac); |
636 | xfree(enc->name); | 636 | xfree(enc->name); |
637 | xfree(enc->iv); | 637 | xfree(enc->iv); |
638 | xfree(enc->key); | 638 | xfree(enc->key); |
@@ -647,14 +647,15 @@ set_newkeys(int mode) | |||
647 | enc = &newkeys[mode]->enc; | 647 | enc = &newkeys[mode]->enc; |
648 | mac = &newkeys[mode]->mac; | 648 | mac = &newkeys[mode]->mac; |
649 | comp = &newkeys[mode]->comp; | 649 | comp = &newkeys[mode]->comp; |
650 | if (mac->md != NULL) | 650 | if (mac_init(mac) == 0) |
651 | mac->enabled = 1; | 651 | mac->enabled = 1; |
652 | DBG(debug("cipher_init_context: %d", mode)); | 652 | DBG(debug("cipher_init_context: %d", mode)); |
653 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, | 653 | cipher_init(cc, enc->cipher, enc->key, enc->key_len, |
654 | enc->iv, enc->block_size, crypt_type); | 654 | enc->iv, enc->block_size, crypt_type); |
655 | /* Deleting the keys does not gain extra security */ | 655 | /* Deleting the keys does not gain extra security */ |
656 | /* memset(enc->iv, 0, enc->block_size); | 656 | /* memset(enc->iv, 0, enc->block_size); |
657 | memset(enc->key, 0, enc->key_len); */ | 657 | memset(enc->key, 0, enc->key_len); |
658 | memset(mac->key, 0, mac->key_len); */ | ||
658 | if ((comp->type == COMP_ZLIB || | 659 | if ((comp->type == COMP_ZLIB || |
659 | (comp->type == COMP_DELAYED && after_authentication)) && | 660 | (comp->type == COMP_DELAYED && after_authentication)) && |
660 | comp->enabled == 0) { | 661 | comp->enabled == 0) { |
@@ -1249,7 +1250,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) | |||
1249 | logit("Received disconnect from %s: %.400s", | 1250 | logit("Received disconnect from %s: %.400s", |
1250 | get_remote_ipaddr(), msg); | 1251 | get_remote_ipaddr(), msg); |
1251 | cleanup_exit(255); | 1252 | cleanup_exit(255); |
1252 | xfree(msg); | ||
1253 | break; | 1253 | break; |
1254 | default: | 1254 | default: |
1255 | if (type) | 1255 | if (type) |
diff --git a/readconf.c b/readconf.c index 39e195837..0999f28e3 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1286,7 +1286,7 @@ parse_forward(Forward *fwd, const char *fwdspec) | |||
1286 | cp = p = xstrdup(fwdspec); | 1286 | cp = p = xstrdup(fwdspec); |
1287 | 1287 | ||
1288 | /* skip leading spaces */ | 1288 | /* skip leading spaces */ |
1289 | while (*cp && isspace(*cp)) | 1289 | while (isspace(*cp)) |
1290 | cp++; | 1290 | cp++; |
1291 | 1291 | ||
1292 | for (i = 0; i < 4; ++i) | 1292 | for (i = 0; i < 4; ++i) |
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index e5fcedda7..d71324241 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh | |||
@@ -7,7 +7,9 @@ UNPRIV=nobody | |||
7 | ASOCK=${OBJ}/agent | 7 | ASOCK=${OBJ}/agent |
8 | SSH_AUTH_SOCK=/nonexistant | 8 | SSH_AUTH_SOCK=/nonexistant |
9 | 9 | ||
10 | if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 | 10 | if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 && \ |
11 | grep "#undef.*HAVE_GETPEERUCRED" ${BUILDDIR}/config.h >/dev/null && \ | ||
12 | grep "#undef.*HAVE_SO_PEERCRED" ${BUILDDIR}/config.h >/dev/null | ||
11 | then | 13 | then |
12 | echo "skipped (not supported on this platform)" | 14 | echo "skipped (not supported on this platform)" |
13 | exit 0 | 15 | exit 0 |
diff --git a/scard-opensc.c b/scard-opensc.c index 4751ea295..36dae05fd 100644 --- a/scard-opensc.c +++ b/scard-opensc.c | |||
@@ -32,6 +32,7 @@ | |||
32 | #include <openssl/x509.h> | 32 | #include <openssl/x509.h> |
33 | 33 | ||
34 | #include <stdarg.h> | 34 | #include <stdarg.h> |
35 | #include <string.h> | ||
35 | 36 | ||
36 | #include <opensc/opensc.h> | 37 | #include <opensc/opensc.h> |
37 | #include <opensc/pkcs15.h> | 38 | #include <opensc/pkcs15.h> |
@@ -6,7 +6,7 @@ NAME | |||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] | 7 | scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file] |
8 | [-l limit] [-o ssh_option] [-P port] [-S program] | 8 | [-l limit] [-o ssh_option] [-P port] [-S program] |
9 | [[user@]host1:]file1 [...] [[user@]host2:]file2 | 9 | [[user@]host1:]file1 ... [[user@]host2:]file2 |
10 | 10 | ||
11 | DESCRIPTION | 11 | DESCRIPTION |
12 | scp copies files between hosts on a network. It uses ssh(1) for data | 12 | scp copies files between hosts on a network. It uses ssh(1) for data |
@@ -141,4 +141,4 @@ AUTHORS | |||
141 | Timo Rinne <tri@iki.fi> | 141 | Timo Rinne <tri@iki.fi> |
142 | Tatu Ylonen <ylo@cs.hut.fi> | 142 | Tatu Ylonen <ylo@cs.hut.fi> |
143 | 143 | ||
144 | OpenBSD 4.1 September 25, 1999 3 | 144 | OpenBSD 4.2 August 8, 2007 3 |
@@ -9,9 +9,9 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sun May 7 00:14:37 1995 ylo | 10 | .\" Created: Sun May 7 00:14:37 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $ | 12 | .\" $OpenBSD: scp.1,v 1.42 2007/08/06 19:16:06 sobrado Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd $Mdocdate: August 8 2007 $ |
15 | .Dt SCP 1 | 15 | .Dt SCP 1 |
16 | .Os | 16 | .Os |
17 | .Sh NAME | 17 | .Sh NAME |
@@ -34,7 +34,7 @@ | |||
34 | .Ar host1 No : | 34 | .Ar host1 No : |
35 | .Oc Ns Ar file1 | 35 | .Oc Ns Ar file1 |
36 | .Sm on | 36 | .Sm on |
37 | .Op Ar ... | 37 | .Ar ... |
38 | .Sm off | 38 | .Sm off |
39 | .Oo | 39 | .Oo |
40 | .Op Ar user No @ | 40 | .Op Ar user No @ |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */ | 1 | /* $OpenBSD: scp.c,v 1.160 2007/08/06 19:16:06 sobrado Exp $ */ |
2 | /* | 2 | /* |
3 | * scp - secure remote copy. This is basically patched BSD rcp which | 3 | * scp - secure remote copy. This is basically patched BSD rcp which |
4 | * uses ssh to do the data transfer (instead of using rcmd). | 4 | * uses ssh to do the data transfer (instead of using rcmd). |
@@ -96,6 +96,9 @@ | |||
96 | #include <string.h> | 96 | #include <string.h> |
97 | #include <time.h> | 97 | #include <time.h> |
98 | #include <unistd.h> | 98 | #include <unistd.h> |
99 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) | ||
100 | #include <vis.h> | ||
101 | #endif | ||
99 | 102 | ||
100 | #include "xmalloc.h" | 103 | #include "xmalloc.h" |
101 | #include "atomicio.h" | 104 | #include "atomicio.h" |
@@ -582,7 +585,7 @@ source(int argc, char **argv) | |||
582 | off_t i, amt, statbytes; | 585 | off_t i, amt, statbytes; |
583 | size_t result; | 586 | size_t result; |
584 | int fd = -1, haderr, indx; | 587 | int fd = -1, haderr, indx; |
585 | char *last, *name, buf[2048]; | 588 | char *last, *name, buf[2048], encname[MAXPATHLEN]; |
586 | int len; | 589 | int len; |
587 | 590 | ||
588 | for (indx = 0; indx < argc; ++indx) { | 591 | for (indx = 0; indx < argc; ++indx) { |
@@ -591,17 +594,17 @@ source(int argc, char **argv) | |||
591 | len = strlen(name); | 594 | len = strlen(name); |
592 | while (len > 1 && name[len-1] == '/') | 595 | while (len > 1 && name[len-1] == '/') |
593 | name[--len] = '\0'; | 596 | name[--len] = '\0'; |
597 | if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0) | ||
598 | goto syserr; | ||
594 | if (strchr(name, '\n') != NULL) { | 599 | if (strchr(name, '\n') != NULL) { |
595 | run_err("%s: skipping, filename contains a newline", | 600 | strnvis(encname, name, sizeof(encname), VIS_NL); |
596 | name); | 601 | name = encname; |
597 | goto next; | ||
598 | } | 602 | } |
599 | if ((fd = open(name, O_RDONLY, 0)) < 0) | ||
600 | goto syserr; | ||
601 | if (fstat(fd, &stb) < 0) { | 603 | if (fstat(fd, &stb) < 0) { |
602 | syserr: run_err("%s: %s", name, strerror(errno)); | 604 | syserr: run_err("%s: %s", name, strerror(errno)); |
603 | goto next; | 605 | goto next; |
604 | } | 606 | } |
607 | unset_nonblock(fd); | ||
605 | switch (stb.st_mode & S_IFMT) { | 608 | switch (stb.st_mode & S_IFMT) { |
606 | case S_IFREG: | 609 | case S_IFREG: |
607 | break; | 610 | break; |
@@ -1021,7 +1024,8 @@ bad: run_err("%s: %s", np, strerror(errno)); | |||
1021 | wrerr = YES; | 1024 | wrerr = YES; |
1022 | wrerrno = errno; | 1025 | wrerrno = errno; |
1023 | } | 1026 | } |
1024 | if (wrerr == NO && ftruncate(ofd, size) != 0) { | 1027 | if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) && |
1028 | ftruncate(ofd, size) != 0) { | ||
1025 | run_err("%s: truncate: %s", np, strerror(errno)); | 1029 | run_err("%s: truncate: %s", np, strerror(errno)); |
1026 | wrerr = DISPLAYED; | 1030 | wrerr = DISPLAYED; |
1027 | } | 1031 | } |
@@ -1116,7 +1120,7 @@ usage(void) | |||
1116 | (void) fprintf(stderr, | 1120 | (void) fprintf(stderr, |
1117 | "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n" | 1121 | "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n" |
1118 | " [-l limit] [-o ssh_option] [-P port] [-S program]\n" | 1122 | " [-l limit] [-o ssh_option] [-P port] [-S program]\n" |
1119 | " [[user@]host1:]file1 [...] [[user@]host2:]file2\n"); | 1123 | " [[user@]host1:]file1 ... [[user@]host2:]file2\n"); |
1120 | exit(1); | 1124 | exit(1); |
1121 | } | 1125 | } |
1122 | 1126 | ||
diff --git a/servconf.c b/servconf.c index 04b1a597e..14a9dde3d 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -608,7 +608,6 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, | |||
608 | debug("connection from %.100s matched 'Host " | 608 | debug("connection from %.100s matched 'Host " |
609 | "%.100s' at line %d", host, arg, line); | 609 | "%.100s' at line %d", host, arg, line); |
610 | } else if (strcasecmp(attrib, "address") == 0) { | 610 | } else if (strcasecmp(attrib, "address") == 0) { |
611 | debug("address '%s' arg '%s'", address, arg); | ||
612 | if (!address) { | 611 | if (!address) { |
613 | result = 0; | 612 | result = 0; |
614 | continue; | 613 | continue; |
@@ -1310,7 +1310,7 @@ do_setusercontext(struct passwd *pw) | |||
1310 | # ifdef USE_PAM | 1310 | # ifdef USE_PAM |
1311 | if (options.use_pam) { | 1311 | if (options.use_pam) { |
1312 | do_pam_session(); | 1312 | do_pam_session(); |
1313 | do_pam_setcred(0); | 1313 | do_pam_setcred(use_privsep); |
1314 | } | 1314 | } |
1315 | # endif /* USE_PAM */ | 1315 | # endif /* USE_PAM */ |
1316 | if (setusercontext(lc, pw, pw->pw_uid, | 1316 | if (setusercontext(lc, pw, pw->pw_uid, |
@@ -1352,7 +1352,7 @@ do_setusercontext(struct passwd *pw) | |||
1352 | */ | 1352 | */ |
1353 | if (options.use_pam) { | 1353 | if (options.use_pam) { |
1354 | do_pam_session(); | 1354 | do_pam_session(); |
1355 | do_pam_setcred(0); | 1355 | do_pam_setcred(use_privsep); |
1356 | } | 1356 | } |
1357 | # endif /* USE_PAM */ | 1357 | # endif /* USE_PAM */ |
1358 | # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) | 1358 | # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) |
@@ -1361,11 +1361,11 @@ do_setusercontext(struct passwd *pw) | |||
1361 | # ifdef _AIX | 1361 | # ifdef _AIX |
1362 | aix_usrinfo(pw); | 1362 | aix_usrinfo(pw); |
1363 | # endif /* _AIX */ | 1363 | # endif /* _AIX */ |
1364 | #if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) | 1364 | #ifdef USE_LIBIAF |
1365 | if (set_id(pw->pw_name) != 0) { | 1365 | if (set_id(pw->pw_name) != 0) { |
1366 | exit(1); | 1366 | exit(1); |
1367 | } | 1367 | } |
1368 | #endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ | 1368 | #endif /* USE_LIBIAF */ |
1369 | /* Permanently switch to the desired uid. */ | 1369 | /* Permanently switch to the desired uid. */ |
1370 | permanently_set_uid(pw); | 1370 | permanently_set_uid(pw); |
1371 | #endif | 1371 | #endif |
@@ -2478,8 +2478,19 @@ do_cleanup(Authctxt *authctxt) | |||
2478 | return; | 2478 | return; |
2479 | called = 1; | 2479 | called = 1; |
2480 | 2480 | ||
2481 | if (authctxt == NULL || !authctxt->authenticated) | 2481 | if (authctxt == NULL) |
2482 | return; | 2482 | return; |
2483 | |||
2484 | #ifdef USE_PAM | ||
2485 | if (options.use_pam) { | ||
2486 | sshpam_cleanup(); | ||
2487 | sshpam_thread_cleanup(); | ||
2488 | } | ||
2489 | #endif | ||
2490 | |||
2491 | if (!authctxt->authenticated) | ||
2492 | return; | ||
2493 | |||
2483 | #ifdef KRB5 | 2494 | #ifdef KRB5 |
2484 | if (options.kerberos_ticket_cleanup && | 2495 | if (options.kerberos_ticket_cleanup && |
2485 | authctxt->krb5_ctx) | 2496 | authctxt->krb5_ctx) |
@@ -2491,13 +2502,6 @@ do_cleanup(Authctxt *authctxt) | |||
2491 | ssh_gssapi_cleanup_creds(); | 2502 | ssh_gssapi_cleanup_creds(); |
2492 | #endif | 2503 | #endif |
2493 | 2504 | ||
2494 | #ifdef USE_PAM | ||
2495 | if (options.use_pam) { | ||
2496 | sshpam_cleanup(); | ||
2497 | sshpam_thread_cleanup(); | ||
2498 | } | ||
2499 | #endif | ||
2500 | |||
2501 | /* remove agent socket */ | 2505 | /* remove agent socket */ |
2502 | auth_sock_cleanup_proc(authctxt->pw); | 2506 | auth_sock_cleanup_proc(authctxt->pw); |
2503 | 2507 | ||
diff --git a/sftp-server.0 b/sftp-server.0 index a5caf8229..0837fff9b 100644 --- a/sftp-server.0 +++ b/sftp-server.0 | |||
@@ -43,4 +43,4 @@ HISTORY | |||
43 | AUTHORS | 43 | AUTHORS |
44 | Markus Friedl <markus@openbsd.org> | 44 | Markus Friedl <markus@openbsd.org> |
45 | 45 | ||
46 | OpenBSD 4.1 August 30, 2000 1 | 46 | OpenBSD 4.2 June 5, 2007 1 |
diff --git a/sftp-server.8 b/sftp-server.8 index 195507e39..41c0f7664 100644 --- a/sftp-server.8 +++ b/sftp-server.8 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $ | 1 | .\" $OpenBSD: sftp-server.8,v 1.12 2007/05/31 19:20:16 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | .\" Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | .\" | 4 | .\" |
@@ -22,7 +22,7 @@ | |||
22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | .\" | 24 | .\" |
25 | .Dd August 30, 2000 | 25 | .Dd $Mdocdate: June 5 2007 $ |
26 | .Dt SFTP-SERVER 8 | 26 | .Dt SFTP-SERVER 8 |
27 | .Os | 27 | .Os |
28 | .Sh NAME | 28 | .Sh NAME |
diff --git a/sftp-server.c b/sftp-server.c index 64777beff..76edebc5a 100644 --- a/sftp-server.c +++ b/sftp-server.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */ | 1 | /* $OpenBSD: sftp-server.c,v 1.73 2007/05/17 07:55:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -319,7 +319,8 @@ handle_log_close(int handle, char *emsg) | |||
319 | logit("%s%sclose \"%s\" bytes read %llu written %llu", | 319 | logit("%s%sclose \"%s\" bytes read %llu written %llu", |
320 | emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ", | 320 | emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ", |
321 | handle_to_name(handle), | 321 | handle_to_name(handle), |
322 | handle_bytes_read(handle), handle_bytes_write(handle)); | 322 | (unsigned long long)handle_bytes_read(handle), |
323 | (unsigned long long)handle_bytes_write(handle)); | ||
323 | } else { | 324 | } else { |
324 | logit("%s%sclosedir \"%s\"", | 325 | logit("%s%sclosedir \"%s\"", |
325 | emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ", | 326 | emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ", |
@@ -702,7 +703,8 @@ process_setstat(void) | |||
702 | a = get_attrib(); | 703 | a = get_attrib(); |
703 | debug("request %u: setstat name \"%s\"", id, name); | 704 | debug("request %u: setstat name \"%s\"", id, name); |
704 | if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { | 705 | if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { |
705 | logit("set \"%s\" size %llu", name, a->size); | 706 | logit("set \"%s\" size %llu", |
707 | name, (unsigned long long)a->size); | ||
706 | ret = truncate(name, a->size); | 708 | ret = truncate(name, a->size); |
707 | if (ret == -1) | 709 | if (ret == -1) |
708 | status = errno_to_portable(errno); | 710 | status = errno_to_portable(errno); |
@@ -754,7 +756,8 @@ process_fsetstat(void) | |||
754 | char *name = handle_to_name(handle); | 756 | char *name = handle_to_name(handle); |
755 | 757 | ||
756 | if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { | 758 | if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { |
757 | logit("set \"%s\" size %llu", name, a->size); | 759 | logit("set \"%s\" size %llu", |
760 | name, (unsigned long long)a->size); | ||
758 | ret = ftruncate(fd, a->size); | 761 | ret = ftruncate(fd, a->size); |
759 | if (ret == -1) | 762 | if (ret == -1) |
760 | status = errno_to_portable(errno); | 763 | status = errno_to_portable(errno); |
@@ -1211,7 +1214,7 @@ main(int argc, char **argv) | |||
1211 | int in, out, max, ch, skipargs = 0, log_stderr = 0; | 1214 | int in, out, max, ch, skipargs = 0, log_stderr = 0; |
1212 | ssize_t len, olen, set_size; | 1215 | ssize_t len, olen, set_size; |
1213 | SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; | 1216 | SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; |
1214 | char *cp; | 1217 | char *cp, buf[4*4096]; |
1215 | 1218 | ||
1216 | extern char *optarg; | 1219 | extern char *optarg; |
1217 | extern char *__progname; | 1220 | extern char *__progname; |
@@ -1295,7 +1298,15 @@ main(int argc, char **argv) | |||
1295 | memset(rset, 0, set_size); | 1298 | memset(rset, 0, set_size); |
1296 | memset(wset, 0, set_size); | 1299 | memset(wset, 0, set_size); |
1297 | 1300 | ||
1298 | FD_SET(in, rset); | 1301 | /* |
1302 | * Ensure that we can read a full buffer and handle | ||
1303 | * the worst-case length packet it can generate, | ||
1304 | * otherwise apply backpressure by stopping reads. | ||
1305 | */ | ||
1306 | if (buffer_check_alloc(&iqueue, sizeof(buf)) && | ||
1307 | buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH)) | ||
1308 | FD_SET(in, rset); | ||
1309 | |||
1299 | olen = buffer_len(&oqueue); | 1310 | olen = buffer_len(&oqueue); |
1300 | if (olen > 0) | 1311 | if (olen > 0) |
1301 | FD_SET(out, wset); | 1312 | FD_SET(out, wset); |
@@ -1309,7 +1320,6 @@ main(int argc, char **argv) | |||
1309 | 1320 | ||
1310 | /* copy stdin to iqueue */ | 1321 | /* copy stdin to iqueue */ |
1311 | if (FD_ISSET(in, rset)) { | 1322 | if (FD_ISSET(in, rset)) { |
1312 | char buf[4*4096]; | ||
1313 | len = read(in, buf, sizeof buf); | 1323 | len = read(in, buf, sizeof buf); |
1314 | if (len == 0) { | 1324 | if (len == 0) { |
1315 | debug("read eof"); | 1325 | debug("read eof"); |
@@ -1331,7 +1341,13 @@ main(int argc, char **argv) | |||
1331 | buffer_consume(&oqueue, len); | 1341 | buffer_consume(&oqueue, len); |
1332 | } | 1342 | } |
1333 | } | 1343 | } |
1334 | /* process requests from client */ | 1344 | |
1335 | process(); | 1345 | /* |
1346 | * Process requests from client if we can fit the results | ||
1347 | * into the output buffer, otherwise stop processing input | ||
1348 | * and let the output queue drain. | ||
1349 | */ | ||
1350 | if (buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH)) | ||
1351 | process(); | ||
1336 | } | 1352 | } |
1337 | } | 1353 | } |
@@ -263,4 +263,4 @@ SEE ALSO | |||
263 | T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- | 263 | T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- |
264 | filexfer-00.txt, January 2001, work in progress material. | 264 | filexfer-00.txt, January 2001, work in progress material. |
265 | 265 | ||
266 | OpenBSD 4.1 February 4, 2001 4 | 266 | OpenBSD 4.2 June 5, 2007 4 |
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $ | 1 | .\" $OpenBSD: sftp.1,v 1.64 2007/05/31 19:20:16 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2001 Damien Miller. All rights reserved. | 3 | .\" Copyright (c) 2001 Damien Miller. All rights reserved. |
4 | .\" | 4 | .\" |
@@ -22,7 +22,7 @@ | |||
22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | .\" | 24 | .\" |
25 | .Dd February 4, 2001 | 25 | .Dd $Mdocdate: June 5 2007 $ |
26 | .Dt SFTP 1 | 26 | .Dt SFTP 1 |
27 | .Os | 27 | .Os |
28 | .Sh NAME | 28 | .Sh NAME |
@@ -30,8 +30,12 @@ DESCRIPTION | |||
30 | 30 | ||
31 | -D Deletes all identities from the agent. | 31 | -D Deletes all identities from the agent. |
32 | 32 | ||
33 | -d Instead of adding the identity, removes the identity from the | 33 | -d Instead of adding identities, removes identities from the agent. |
34 | agent. | 34 | If ssh-add has been run without arguments, the keys for the de- |
35 | fault identities will be removed. Otherwise, the argument list | ||
36 | will be interpreted as a list of paths to public key files and | ||
37 | matching keys will be removed from the agent. If no public key | ||
38 | is found at a given path, ssh-add will append .pub and retry. | ||
35 | 39 | ||
36 | -e reader | 40 | -e reader |
37 | Remove key in smartcard reader. | 41 | Remove key in smartcard reader. |
@@ -99,4 +103,4 @@ AUTHORS | |||
99 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 103 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
100 | versions 1.5 and 2.0. | 104 | versions 1.5 and 2.0. |
101 | 105 | ||
102 | OpenBSD 4.1 September 25, 1999 2 | 106 | OpenBSD 4.2 June 12, 2007 2 |
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $ | 1 | .\" $OpenBSD: ssh-add.1,v 1.46 2007/06/12 13:41:03 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -37,7 +37,7 @@ | |||
37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
39 | .\" | 39 | .\" |
40 | .Dd September 25, 1999 | 40 | .Dd $Mdocdate: June 12 2007 $ |
41 | .Dt SSH-ADD 1 | 41 | .Dt SSH-ADD 1 |
42 | .Os | 42 | .Os |
43 | .Sh NAME | 43 | .Sh NAME |
@@ -89,7 +89,18 @@ program, rather than text entered into the requester. | |||
89 | .It Fl D | 89 | .It Fl D |
90 | Deletes all identities from the agent. | 90 | Deletes all identities from the agent. |
91 | .It Fl d | 91 | .It Fl d |
92 | Instead of adding the identity, removes the identity from the agent. | 92 | Instead of adding identities, removes identities from the agent. |
93 | If | ||
94 | .Nm | ||
95 | has been run without arguments, the keys for the default identities will | ||
96 | be removed. | ||
97 | Otherwise, the argument list will be interpreted as a list of paths to | ||
98 | public key files and matching keys will be removed from the agent. | ||
99 | If no public key is found at a given path, | ||
100 | .Nm | ||
101 | will append | ||
102 | .Pa .pub | ||
103 | and retry. | ||
93 | .It Fl e Ar reader | 104 | .It Fl e Ar reader |
94 | Remove key in smartcard | 105 | Remove key in smartcard |
95 | .Ar reader . | 106 | .Ar reader . |
diff --git a/ssh-agent.0 b/ssh-agent.0 index f3f52b67d..823456a26 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 | |||
@@ -114,4 +114,4 @@ AUTHORS | |||
114 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 114 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
115 | versions 1.5 and 2.0. | 115 | versions 1.5 and 2.0. |
116 | 116 | ||
117 | OpenBSD 4.1 September 25, 1999 2 | 117 | OpenBSD 4.2 June 5, 2007 2 |
diff --git a/ssh-agent.1 b/ssh-agent.1 index f1b877790..1b5a5bb2a 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $ | 1 | .\" $OpenBSD: ssh-agent.1,v 1.45 2007/05/31 19:20:16 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .Dd September 25, 1999 | 37 | .Dd $Mdocdate: June 5 2007 $ |
38 | .Dt SSH-AGENT 1 | 38 | .Dt SSH-AGENT 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
diff --git a/ssh-agent.c b/ssh-agent.c index a3a867c33..c3d5e5a75 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.155 2007/03/19 12:16:42 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -120,6 +120,7 @@ int max_fd = 0; | |||
120 | 120 | ||
121 | /* pid of shell == parent of agent */ | 121 | /* pid of shell == parent of agent */ |
122 | pid_t parent_pid = -1; | 122 | pid_t parent_pid = -1; |
123 | u_int parent_alive_interval = 0; | ||
123 | 124 | ||
124 | /* pathname and directory for AUTH_SOCKET */ | 125 | /* pathname and directory for AUTH_SOCKET */ |
125 | char socket_name[MAXPATHLEN]; | 126 | char socket_name[MAXPATHLEN]; |
@@ -421,10 +422,11 @@ process_remove_all_identities(SocketEntry *e, int version) | |||
421 | buffer_put_char(&e->output, SSH_AGENT_SUCCESS); | 422 | buffer_put_char(&e->output, SSH_AGENT_SUCCESS); |
422 | } | 423 | } |
423 | 424 | ||
424 | static void | 425 | /* removes expired keys and returns number of seconds until the next expiry */ |
426 | static u_int | ||
425 | reaper(void) | 427 | reaper(void) |
426 | { | 428 | { |
427 | u_int now = time(NULL); | 429 | u_int deadline = 0, now = time(NULL); |
428 | Identity *id, *nxt; | 430 | Identity *id, *nxt; |
429 | int version; | 431 | int version; |
430 | Idtab *tab; | 432 | Idtab *tab; |
@@ -433,14 +435,22 @@ reaper(void) | |||
433 | tab = idtab_lookup(version); | 435 | tab = idtab_lookup(version); |
434 | for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) { | 436 | for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) { |
435 | nxt = TAILQ_NEXT(id, next); | 437 | nxt = TAILQ_NEXT(id, next); |
436 | if (id->death != 0 && now >= id->death) { | 438 | if (id->death == 0) |
439 | continue; | ||
440 | if (now >= id->death) { | ||
437 | debug("expiring key '%s'", id->comment); | 441 | debug("expiring key '%s'", id->comment); |
438 | TAILQ_REMOVE(&tab->idlist, id, next); | 442 | TAILQ_REMOVE(&tab->idlist, id, next); |
439 | free_identity(id); | 443 | free_identity(id); |
440 | tab->nentries--; | 444 | tab->nentries--; |
441 | } | 445 | } else |
446 | deadline = (deadline == 0) ? id->death : | ||
447 | MIN(deadline, id->death); | ||
442 | } | 448 | } |
443 | } | 449 | } |
450 | if (deadline == 0 || deadline <= now) | ||
451 | return 0; | ||
452 | else | ||
453 | return (deadline - now); | ||
444 | } | 454 | } |
445 | 455 | ||
446 | static void | 456 | static void |
@@ -826,10 +836,12 @@ new_socket(sock_type type, int fd) | |||
826 | } | 836 | } |
827 | 837 | ||
828 | static int | 838 | static int |
829 | prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp) | 839 | prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, |
840 | struct timeval **tvpp) | ||
830 | { | 841 | { |
831 | u_int i, sz; | 842 | u_int i, sz, deadline; |
832 | int n = 0; | 843 | int n = 0; |
844 | static struct timeval tv; | ||
833 | 845 | ||
834 | for (i = 0; i < sockets_alloc; i++) { | 846 | for (i = 0; i < sockets_alloc; i++) { |
835 | switch (sockets[i].type) { | 847 | switch (sockets[i].type) { |
@@ -873,6 +885,17 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp) | |||
873 | break; | 885 | break; |
874 | } | 886 | } |
875 | } | 887 | } |
888 | deadline = reaper(); | ||
889 | if (parent_alive_interval != 0) | ||
890 | deadline = (deadline == 0) ? parent_alive_interval : | ||
891 | MIN(deadline, parent_alive_interval); | ||
892 | if (deadline == 0) { | ||
893 | *tvpp = NULL; | ||
894 | } else { | ||
895 | tv.tv_sec = deadline; | ||
896 | tv.tv_usec = 0; | ||
897 | *tvpp = &tv; | ||
898 | } | ||
876 | return (1); | 899 | return (1); |
877 | } | 900 | } |
878 | 901 | ||
@@ -980,19 +1003,14 @@ cleanup_handler(int sig) | |||
980 | _exit(2); | 1003 | _exit(2); |
981 | } | 1004 | } |
982 | 1005 | ||
983 | /*ARGSUSED*/ | ||
984 | static void | 1006 | static void |
985 | check_parent_exists(int sig) | 1007 | check_parent_exists(void) |
986 | { | 1008 | { |
987 | int save_errno = errno; | ||
988 | |||
989 | if (parent_pid != -1 && kill(parent_pid, 0) < 0) { | 1009 | if (parent_pid != -1 && kill(parent_pid, 0) < 0) { |
990 | /* printf("Parent has died - Authentication agent exiting.\n"); */ | 1010 | /* printf("Parent has died - Authentication agent exiting.\n"); */ |
991 | cleanup_handler(sig); /* safe */ | 1011 | cleanup_socket(); |
1012 | _exit(2); | ||
992 | } | 1013 | } |
993 | mysignal(SIGALRM, check_parent_exists); | ||
994 | alarm(10); | ||
995 | errno = save_errno; | ||
996 | } | 1014 | } |
997 | 1015 | ||
998 | static void | 1016 | static void |
@@ -1027,7 +1045,7 @@ main(int ac, char **av) | |||
1027 | extern char *optarg; | 1045 | extern char *optarg; |
1028 | pid_t pid; | 1046 | pid_t pid; |
1029 | char pidstrbuf[1 + 3 * sizeof pid]; | 1047 | char pidstrbuf[1 + 3 * sizeof pid]; |
1030 | struct timeval tv; | 1048 | struct timeval *tvp = NULL; |
1031 | 1049 | ||
1032 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 1050 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
1033 | sanitise_stdfd(); | 1051 | sanitise_stdfd(); |
@@ -1228,10 +1246,8 @@ main(int ac, char **av) | |||
1228 | 1246 | ||
1229 | skip: | 1247 | skip: |
1230 | new_socket(AUTH_SOCKET, sock); | 1248 | new_socket(AUTH_SOCKET, sock); |
1231 | if (ac > 0) { | 1249 | if (ac > 0) |
1232 | mysignal(SIGALRM, check_parent_exists); | 1250 | parent_alive_interval = 10; |
1233 | alarm(10); | ||
1234 | } | ||
1235 | idtab_init(); | 1251 | idtab_init(); |
1236 | if (!d_flag) | 1252 | if (!d_flag) |
1237 | signal(SIGINT, SIG_IGN); | 1253 | signal(SIGINT, SIG_IGN); |
@@ -1241,12 +1257,12 @@ skip: | |||
1241 | nalloc = 0; | 1257 | nalloc = 0; |
1242 | 1258 | ||
1243 | while (1) { | 1259 | while (1) { |
1244 | tv.tv_sec = 10; | 1260 | prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp); |
1245 | tv.tv_usec = 0; | 1261 | result = select(max_fd + 1, readsetp, writesetp, NULL, tvp); |
1246 | prepare_select(&readsetp, &writesetp, &max_fd, &nalloc); | ||
1247 | result = select(max_fd + 1, readsetp, writesetp, NULL, &tv); | ||
1248 | saved_errno = errno; | 1262 | saved_errno = errno; |
1249 | reaper(); /* remove expired keys */ | 1263 | if (parent_alive_interval != 0) |
1264 | check_parent_exists(); | ||
1265 | (void) reaper(); /* remove expired keys */ | ||
1250 | if (result < 0) { | 1266 | if (result < 0) { |
1251 | if (saved_errno == EINTR) | 1267 | if (saved_errno == EINTR) |
1252 | continue; | 1268 | continue; |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */ | 1 | /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 3 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
4 | * | 4 | * |
@@ -117,7 +117,6 @@ void ssh_gssapi_supported_oids(gss_OID_set *); | |||
117 | ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *); | 117 | ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *); |
118 | 118 | ||
119 | OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); | 119 | OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); |
120 | OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *); | ||
121 | OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, | 120 | OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, |
122 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 121 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
123 | OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *, | 122 | OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *, |
@@ -128,7 +127,6 @@ char *ssh_gssapi_last_error(Gssctxt *, OM_uint32 *, OM_uint32 *); | |||
128 | void ssh_gssapi_build_ctx(Gssctxt **); | 127 | void ssh_gssapi_build_ctx(Gssctxt **); |
129 | void ssh_gssapi_delete_ctx(Gssctxt **); | 128 | void ssh_gssapi_delete_ctx(Gssctxt **); |
130 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 129 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
131 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | ||
132 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 130 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
133 | int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); | 131 | int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); |
134 | 132 | ||
@@ -138,6 +136,7 @@ char *ssh_gssapi_client_mechanisms(const char *host); | |||
138 | char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *); | 136 | char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *); |
139 | gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); | 137 | gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); |
140 | int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *); | 138 | int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *); |
139 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | ||
141 | int ssh_gssapi_userok(char *name); | 140 | int ssh_gssapi_userok(char *name); |
142 | OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); | 141 | OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); |
143 | void ssh_gssapi_do_child(char ***, u_int *); | 142 | void ssh_gssapi_do_child(char ***, u_int *); |
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index fe169d81c..2f8ee264e 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -284,4 +284,4 @@ AUTHORS | |||
284 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 284 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
285 | versions 1.5 and 2.0. | 285 | versions 1.5 and 2.0. |
286 | 286 | ||
287 | OpenBSD 4.1 September 25, 1999 5 | 287 | OpenBSD 4.2 June 5, 2007 5 |
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 5a8c8c471..4e629de74 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.75 2007/05/31 19:20:16 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -37,7 +37,7 @@ | |||
37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
39 | .\" | 39 | .\" |
40 | .Dd September 25, 1999 | 40 | .Dd $Mdocdate: June 5 2007 $ |
41 | .Dt SSH-KEYGEN 1 | 41 | .Dt SSH-KEYGEN 1 |
42 | .Os | 42 | .Os |
43 | .Sh NAME | 43 | .Sh NAME |
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index f655abd47..64d23c436 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 | |||
@@ -104,4 +104,4 @@ BUGS | |||
104 | This is because it opens a connection to the ssh port, reads the public | 104 | This is because it opens a connection to the ssh port, reads the public |
105 | key, and drops the connection as soon as it gets the key. | 105 | key, and drops the connection as soon as it gets the key. |
106 | 106 | ||
107 | OpenBSD 4.1 January 1, 1996 2 | 107 | OpenBSD 4.2 June 5, 2007 2 |
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index a3656fc77..005e57a2b 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $ | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.23 2007/05/31 19:20:16 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | 3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. |
4 | .\" | 4 | .\" |
@@ -6,7 +6,7 @@ | |||
6 | .\" permitted provided that due credit is given to the author and the | 6 | .\" permitted provided that due credit is given to the author and the |
7 | .\" OpenBSD project by leaving this copyright notice intact. | 7 | .\" OpenBSD project by leaving this copyright notice intact. |
8 | .\" | 8 | .\" |
9 | .Dd January 1, 1996 | 9 | .Dd $Mdocdate: June 5 2007 $ |
10 | .Dt SSH-KEYSCAN 1 | 10 | .Dt SSH-KEYSCAN 1 |
11 | .Os | 11 | .Os |
12 | .Sh NAME | 12 | .Sh NAME |
diff --git a/ssh-keysign.0 b/ssh-keysign.0 index d509f5ef0..32d3c6a7a 100644 --- a/ssh-keysign.0 +++ b/ssh-keysign.0 | |||
@@ -39,4 +39,4 @@ HISTORY | |||
39 | AUTHORS | 39 | AUTHORS |
40 | Markus Friedl <markus@openbsd.org> | 40 | Markus Friedl <markus@openbsd.org> |
41 | 41 | ||
42 | OpenBSD 4.1 May 24, 2002 1 | 42 | OpenBSD 4.2 June 5, 2007 1 |
diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 4cdcb7a43..814bcb66e 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2002 Markus Friedl. All rights reserved. | 3 | .\" Copyright (c) 2002 Markus Friedl. All rights reserved. |
4 | .\" | 4 | .\" |
@@ -22,7 +22,7 @@ | |||
22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 22 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | .\" | 24 | .\" |
25 | .Dd May 24, 2002 | 25 | .Dd $Mdocdate: June 5 2007 $ |
26 | .Dt SSH-KEYSIGN 8 | 26 | .Dt SSH-KEYSIGN 8 |
27 | .Os | 27 | .Os |
28 | .Sh NAME | 28 | .Sh NAME |
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0 index 429582b78..131e0bf3a 100644 --- a/ssh-rand-helper.0 +++ b/ssh-rand-helper.0 | |||
@@ -48,4 +48,4 @@ AUTHORS | |||
48 | SEE ALSO | 48 | SEE ALSO |
49 | ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) | 49 | ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) |
50 | 50 | ||
51 | OpenBSD 4.1 April 14, 2002 1 | 51 | OpenBSD 4.2 April 14, 2002 1 |
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index 8520c3a62..8b1c4b4f4 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c | |||
@@ -32,6 +32,7 @@ | |||
32 | 32 | ||
33 | #include <stdarg.h> | 33 | #include <stdarg.h> |
34 | #include <stddef.h> | 34 | #include <stddef.h> |
35 | #include <string.h> | ||
35 | 36 | ||
36 | #include <netinet/in.h> | 37 | #include <netinet/in.h> |
37 | #include <arpa/inet.h> | 38 | #include <arpa/inet.h> |
@@ -4,7 +4,7 @@ NAME | |||
4 | ssh - OpenSSH SSH client (remote login program) | 4 | ssh - OpenSSH SSH client (remote login program) |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] | 7 | ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] |
8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] | 8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] |
9 | [-i identity_file] [-L [bind_address:]port:host:hostport] | 9 | [-i identity_file] [-L [bind_address:]port:host:hostport] |
10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | 10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] |
@@ -147,6 +147,9 @@ DESCRIPTION | |||
147 | multiple -i options (and multiple identities specified in config- | 147 | multiple -i options (and multiple identities specified in config- |
148 | uration files). | 148 | uration files). |
149 | 149 | ||
150 | -K Enables GSSAPI-based authentication and forwarding (delegation) | ||
151 | of GSSAPI credentials to the server. | ||
152 | |||
150 | -k Disables forwarding (delegation) of GSSAPI credentials to the | 153 | -k Disables forwarding (delegation) of GSSAPI credentials to the |
151 | server. | 154 | server. |
152 | 155 | ||
@@ -371,8 +374,8 @@ AUTHENTICATION | |||
371 | protocols support similar authentication methods, but protocol 2 is pre- | 374 | protocols support similar authentication methods, but protocol 2 is pre- |
372 | ferred since it provides additional mechanisms for confidentiality (the | 375 | ferred since it provides additional mechanisms for confidentiality (the |
373 | traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and | 376 | traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and |
374 | integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a | 377 | integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1 |
375 | strong mechanism for ensuring the integrity of the connection. | 378 | lacks a strong mechanism for ensuring the integrity of the connection. |
376 | 379 | ||
377 | The methods available for authentication are: GSSAPI-based authentica- | 380 | The methods available for authentication are: GSSAPI-based authentica- |
378 | tion, host-based authentication, public key authentication, challenge-re- | 381 | tion, host-based authentication, public key authentication, challenge-re- |
@@ -829,4 +832,4 @@ AUTHORS | |||
829 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 832 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
830 | versions 1.5 and 2.0. | 833 | versions 1.5 and 2.0. |
831 | 834 | ||
832 | OpenBSD 4.1 September 25, 1999 13 | 835 | OpenBSD 4.2 June 12, 2007 13 |
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd $Mdocdate: June 12 2007 $ |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -316,7 +316,8 @@ It is possible to have multiple | |||
316 | options (and multiple identities specified in | 316 | options (and multiple identities specified in |
317 | configuration files). | 317 | configuration files). |
318 | .It Fl K | 318 | .It Fl K |
319 | Enables forwarding (delegation) of GSSAPI credentials to the server. | 319 | Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI |
320 | credentials to the server. | ||
320 | .It Fl k | 321 | .It Fl k |
321 | Disables forwarding (delegation) of GSSAPI credentials to the server. | 322 | Disables forwarding (delegation) of GSSAPI credentials to the server. |
322 | .It Fl L Xo | 323 | .It Fl L Xo |
@@ -681,7 +682,7 @@ Both protocols support similar authentication methods, | |||
681 | but protocol 2 is preferred since | 682 | but protocol 2 is preferred since |
682 | it provides additional mechanisms for confidentiality | 683 | it provides additional mechanisms for confidentiality |
683 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) | 684 | (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) |
684 | and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). | 685 | and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). |
685 | Protocol 1 lacks a strong mechanism for ensuring the | 686 | Protocol 1 lacks a strong mechanism for ensuring the |
686 | integrity of the connection. | 687 | integrity of the connection. |
687 | .Pp | 688 | .Pp |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */ | 1 | /* $OpenBSD: ssh.c,v 1.301 2007/08/07 07:32:53 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -327,6 +327,7 @@ main(int ac, char **av) | |||
327 | options.gss_deleg_creds = 0; | 327 | options.gss_deleg_creds = 0; |
328 | break; | 328 | break; |
329 | case 'K': | 329 | case 'K': |
330 | options.gss_authentication = 1; | ||
330 | options.gss_deleg_creds = 1; | 331 | options.gss_deleg_creds = 1; |
331 | break; | 332 | break; |
332 | case 'i': | 333 | case 'i': |
@@ -861,6 +862,17 @@ ssh_init_forwarding(void) | |||
861 | "forwarding."); | 862 | "forwarding."); |
862 | } | 863 | } |
863 | } | 864 | } |
865 | |||
866 | /* Initiate tunnel forwarding. */ | ||
867 | if (options.tun_open != SSH_TUNMODE_NO) { | ||
868 | if (client_request_tun_fwd(options.tun_open, | ||
869 | options.tun_local, options.tun_remote) == -1) { | ||
870 | if (options.exit_on_forward_failure) | ||
871 | fatal("Could not request tunnel forwarding."); | ||
872 | else | ||
873 | error("Could not request tunnel forwarding."); | ||
874 | } | ||
875 | } | ||
864 | } | 876 | } |
865 | 877 | ||
866 | static void | 878 | static void |
@@ -1123,33 +1135,6 @@ ssh_session2_setup(int id, void *arg) | |||
1123 | packet_send(); | 1135 | packet_send(); |
1124 | } | 1136 | } |
1125 | 1137 | ||
1126 | if (options.tun_open != SSH_TUNMODE_NO) { | ||
1127 | Channel *c; | ||
1128 | int fd; | ||
1129 | |||
1130 | debug("Requesting tun."); | ||
1131 | if ((fd = tun_open(options.tun_local, | ||
1132 | options.tun_open)) >= 0) { | ||
1133 | c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, | ||
1134 | CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, | ||
1135 | 0, "tun", 1); | ||
1136 | c->datagram = 1; | ||
1137 | #if defined(SSH_TUN_FILTER) | ||
1138 | if (options.tun_open == SSH_TUNMODE_POINTOPOINT) | ||
1139 | channel_register_filter(c->self, sys_tun_infilter, | ||
1140 | sys_tun_outfilter); | ||
1141 | #endif | ||
1142 | packet_start(SSH2_MSG_CHANNEL_OPEN); | ||
1143 | packet_put_cstring("tun@openssh.com"); | ||
1144 | packet_put_int(c->self); | ||
1145 | packet_put_int(c->local_window_max); | ||
1146 | packet_put_int(c->local_maxpacket); | ||
1147 | packet_put_int(options.tun_open); | ||
1148 | packet_put_int(options.tun_remote); | ||
1149 | packet_send(); | ||
1150 | } | ||
1151 | } | ||
1152 | |||
1153 | client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), | 1138 | client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), |
1154 | NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply); | 1139 | NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply); |
1155 | 1140 | ||
@@ -1209,7 +1194,6 @@ ssh_session2(void) | |||
1209 | 1194 | ||
1210 | /* XXX should be pre-session */ | 1195 | /* XXX should be pre-session */ |
1211 | ssh_init_forwarding(); | 1196 | ssh_init_forwarding(); |
1212 | ssh_control_listener(); | ||
1213 | 1197 | ||
1214 | if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) | 1198 | if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) |
1215 | id = ssh_session2_open(); | 1199 | id = ssh_session2_open(); |
@@ -1219,6 +1203,9 @@ ssh_session2(void) | |||
1219 | options.permit_local_command) | 1203 | options.permit_local_command) |
1220 | ssh_local_cmd(options.local_command); | 1204 | ssh_local_cmd(options.local_command); |
1221 | 1205 | ||
1206 | /* Start listening for multiplex clients */ | ||
1207 | ssh_control_listener(); | ||
1208 | |||
1222 | /* If requested, let ssh continue in the background. */ | 1209 | /* If requested, let ssh continue in the background. */ |
1223 | if (fork_after_authentication_flag) | 1210 | if (fork_after_authentication_flag) |
1224 | if (daemon(1, 1) < 0) | 1211 | if (daemon(1, 1) < 0) |
@@ -1315,7 +1302,7 @@ static void | |||
1315 | control_client(const char *path) | 1302 | control_client(const char *path) |
1316 | { | 1303 | { |
1317 | struct sockaddr_un addr; | 1304 | struct sockaddr_un addr; |
1318 | int i, r, fd, sock, exitval, num_env, addr_len; | 1305 | int i, r, fd, sock, exitval[2], num_env, addr_len; |
1319 | Buffer m; | 1306 | Buffer m; |
1320 | char *term; | 1307 | char *term; |
1321 | extern char **environ; | 1308 | extern char **environ; |
@@ -1464,29 +1451,44 @@ control_client(const char *path) | |||
1464 | if (tty_flag) | 1451 | if (tty_flag) |
1465 | enter_raw_mode(); | 1452 | enter_raw_mode(); |
1466 | 1453 | ||
1467 | /* Stick around until the controlee closes the client_fd */ | 1454 | /* |
1468 | exitval = 0; | 1455 | * Stick around until the controlee closes the client_fd. |
1469 | for (;!control_client_terminate;) { | 1456 | * Before it does, it is expected to write this process' exit |
1470 | r = read(sock, &exitval, sizeof(exitval)); | 1457 | * value (one int). This process must read the value and wait for |
1458 | * the closure of the client_fd; if this one closes early, the | ||
1459 | * multiplex master will terminate early too (possibly losing data). | ||
1460 | */ | ||
1461 | exitval[0] = 0; | ||
1462 | for (i = 0; !control_client_terminate && i < (int)sizeof(exitval);) { | ||
1463 | r = read(sock, (char *)exitval + i, sizeof(exitval) - i); | ||
1471 | if (r == 0) { | 1464 | if (r == 0) { |
1472 | debug2("Received EOF from master"); | 1465 | debug2("Received EOF from master"); |
1473 | break; | 1466 | break; |
1474 | } | 1467 | } |
1475 | if (r > 0) | 1468 | if (r == -1) { |
1476 | debug2("Received exit status from master %d", exitval); | 1469 | if (errno == EINTR) |
1477 | if (r == -1 && errno != EINTR) | 1470 | continue; |
1478 | fatal("%s: read %s", __func__, strerror(errno)); | 1471 | fatal("%s: read %s", __func__, strerror(errno)); |
1472 | } | ||
1473 | i += r; | ||
1479 | } | 1474 | } |
1480 | 1475 | ||
1481 | if (control_client_terminate) | ||
1482 | debug2("Exiting on signal %d", control_client_terminate); | ||
1483 | |||
1484 | close(sock); | 1476 | close(sock); |
1485 | |||
1486 | leave_raw_mode(); | 1477 | leave_raw_mode(); |
1478 | if (i > (int)sizeof(int)) | ||
1479 | fatal("%s: master returned too much data (%d > %lu)", | ||
1480 | __func__, i, sizeof(int)); | ||
1481 | if (control_client_terminate) { | ||
1482 | debug2("Exiting on signal %d", control_client_terminate); | ||
1483 | exitval[0] = 255; | ||
1484 | } else if (i < (int)sizeof(int)) { | ||
1485 | debug2("Control master terminated unexpectedly"); | ||
1486 | exitval[0] = 255; | ||
1487 | } else | ||
1488 | debug2("Received exit status from master %d", exitval[0]); | ||
1487 | 1489 | ||
1488 | if (tty_flag && options.log_level > SYSLOG_LEVEL_QUIET) | 1490 | if (tty_flag && options.log_level > SYSLOG_LEVEL_QUIET) |
1489 | fprintf(stderr, "Connection to master closed.\r\n"); | 1491 | fprintf(stderr, "Shared connection to %s closed.\r\n", host); |
1490 | 1492 | ||
1491 | exit(exitval); | 1493 | exit(exitval[0]); |
1492 | } | 1494 | } |
diff --git a/ssh_config b/ssh_config index 12bdb2b22..122f6331e 100644 --- a/ssh_config +++ b/ssh_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $ | 1 | # $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $ |
2 | 2 | ||
3 | # This is the ssh client system-wide configuration file. See | 3 | # This is the ssh client system-wide configuration file. See |
4 | # ssh_config(5) for more information. This file provides defaults for | 4 | # ssh_config(5) for more information. This file provides defaults for |
@@ -41,6 +41,7 @@ Host * | |||
41 | # Protocol 2,1 | 41 | # Protocol 2,1 |
42 | # Cipher 3des | 42 | # Cipher 3des |
43 | # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc | 43 | # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc |
44 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | ||
44 | # EscapeChar ~ | 45 | # EscapeChar ~ |
45 | # Tunnel no | 46 | # Tunnel no |
46 | # TunnelDevice any:any | 47 | # TunnelDevice any:any |
diff --git a/ssh_config.0 b/ssh_config.0 index 2ca4ee31b..381c1ba0a 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -200,9 +200,9 @@ DESCRIPTION | |||
200 | 200 | ||
201 | ExitOnForwardFailure | 201 | ExitOnForwardFailure |
202 | Specifies whether ssh(1) should terminate the connection if it | 202 | Specifies whether ssh(1) should terminate the connection if it |
203 | cannot set up all requested dynamic, local, and remote port for- | 203 | cannot set up all requested dynamic, tunnel, local, and remote |
204 | wardings. The argument must be ``yes'' or ``no''. The default | 204 | port forwardings. The argument must be ``yes'' or ``no''. The |
205 | is ``no''. | 205 | default is ``no''. |
206 | 206 | ||
207 | ForwardAgent | 207 | ForwardAgent |
208 | Specifies whether the connection to the authentication agent (if | 208 | Specifies whether the connection to the authentication agent (if |
@@ -365,8 +365,10 @@ DESCRIPTION | |||
365 | MACs Specifies the MAC (message authentication code) algorithms in or- | 365 | MACs Specifies the MAC (message authentication code) algorithms in or- |
366 | der of preference. The MAC algorithm is used in protocol version | 366 | der of preference. The MAC algorithm is used in protocol version |
367 | 2 for data integrity protection. Multiple algorithms must be | 367 | 2 for data integrity protection. Multiple algorithms must be |
368 | comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac- | 368 | comma-separated. The default is: |
369 | ripemd160,hmac-sha1-96,hmac-md5-96''. | 369 | |
370 | hmac-md5,hmac-sha1,umac-64@openssh.com, | ||
371 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | ||
370 | 372 | ||
371 | NoHostAuthenticationForLocalhost | 373 | NoHostAuthenticationForLocalhost |
372 | This option can be used if the home directory is shared across | 374 | This option can be used if the home directory is shared across |
@@ -642,4 +644,4 @@ AUTHORS | |||
642 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 644 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
643 | versions 1.5 and 2.0. | 645 | versions 1.5 and 2.0. |
644 | 646 | ||
645 | OpenBSD 4.1 September 25, 1999 10 | 647 | OpenBSD 4.2 August 15, 2007 10 |
diff --git a/ssh_config.5 b/ssh_config.5 index 532bb191a..585a36878 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.102 2007/08/15 12:13:41 stevesk Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd $Mdocdate: August 15 2007 $ |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -393,7 +393,7 @@ data). | |||
393 | Specifies whether | 393 | Specifies whether |
394 | .Xr ssh 1 | 394 | .Xr ssh 1 |
395 | should terminate the connection if it cannot set up all requested | 395 | should terminate the connection if it cannot set up all requested |
396 | dynamic, local, and remote port forwardings. | 396 | dynamic, tunnel, local, and remote port forwardings. |
397 | The argument must be | 397 | The argument must be |
398 | .Dq yes | 398 | .Dq yes |
399 | or | 399 | or |
@@ -668,7 +668,10 @@ The MAC algorithm is used in protocol version 2 | |||
668 | for data integrity protection. | 668 | for data integrity protection. |
669 | Multiple algorithms must be comma-separated. | 669 | Multiple algorithms must be comma-separated. |
670 | The default is: | 670 | The default is: |
671 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | 671 | .Bd -literal -offset indent |
672 | hmac-md5,hmac-sha1,umac-64@openssh.com, | ||
673 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | ||
674 | .Ed | ||
672 | .It Cm NoHostAuthenticationForLocalhost | 675 | .It Cm NoHostAuthenticationForLocalhost |
673 | This option can be used if the home directory is shared across machines. | 676 | This option can be used if the home directory is shared across machines. |
674 | In this case localhost will refer to a different machine on each of | 677 | In this case localhost will refer to a different machine on each of |
diff --git a/sshconnect2.c b/sshconnect2.c index 63e9369b1..72d328692 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -31,6 +31,7 @@ | |||
31 | #include <sys/stat.h> | 31 | #include <sys/stat.h> |
32 | 32 | ||
33 | #include <errno.h> | 33 | #include <errno.h> |
34 | #include <netdb.h> | ||
34 | #include <pwd.h> | 35 | #include <pwd.h> |
35 | #include <signal.h> | 36 | #include <signal.h> |
36 | #include <stdarg.h> | 37 | #include <stdarg.h> |
@@ -173,11 +174,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
173 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 174 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
174 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 175 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
175 | #ifdef GSSAPI | 176 | #ifdef GSSAPI |
176 | if (options.gss_keyex) { | 177 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; |
177 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | 178 | kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; |
178 | kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; | 179 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; |
179 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; | ||
180 | } | ||
181 | #endif | 180 | #endif |
182 | kex->client_version_string=client_version_string; | 181 | kex->client_version_string=client_version_string; |
183 | kex->server_version_string=server_version_string; | 182 | kex->server_version_string=server_version_string; |
@@ -687,7 +686,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | |||
687 | Authctxt *authctxt = ctxt; | 686 | Authctxt *authctxt = ctxt; |
688 | Gssctxt *gssctxt; | 687 | Gssctxt *gssctxt; |
689 | u_int oidlen; | 688 | u_int oidlen; |
690 | u_char *oidv, *oidv_free; | 689 | u_char *oidv; |
691 | 690 | ||
692 | if (authctxt == NULL) | 691 | if (authctxt == NULL) |
693 | fatal("input_gssapi_response: no authentication context"); | 692 | fatal("input_gssapi_response: no authentication context"); |
@@ -1433,7 +1432,7 @@ userauth_hostbased(Authctxt *authctxt) | |||
1433 | Sensitive *sensitive = authctxt->sensitive; | 1432 | Sensitive *sensitive = authctxt->sensitive; |
1434 | Buffer b; | 1433 | Buffer b; |
1435 | u_char *signature, *blob; | 1434 | u_char *signature, *blob; |
1436 | char *chost, *pkalg, *p; | 1435 | char *chost, *pkalg, *p, myname[NI_MAXHOST]; |
1437 | const char *service; | 1436 | const char *service; |
1438 | u_int blen, slen; | 1437 | u_int blen, slen; |
1439 | int ok, i, len, found = 0; | 1438 | int ok, i, len, found = 0; |
@@ -1457,7 +1456,16 @@ userauth_hostbased(Authctxt *authctxt) | |||
1457 | return 0; | 1456 | return 0; |
1458 | } | 1457 | } |
1459 | /* figure out a name for the client host */ | 1458 | /* figure out a name for the client host */ |
1460 | p = get_local_name(packet_get_connection_in()); | 1459 | p = NULL; |
1460 | if (packet_connection_is_on_socket()) | ||
1461 | p = get_local_name(packet_get_connection_in()); | ||
1462 | if (p == NULL) { | ||
1463 | if (gethostname(myname, sizeof(myname)) == -1) { | ||
1464 | verbose("userauth_hostbased: gethostname: %s", | ||
1465 | strerror(errno)); | ||
1466 | } else | ||
1467 | p = xstrdup(myname); | ||
1468 | } | ||
1461 | if (p == NULL) { | 1469 | if (p == NULL) { |
1462 | error("userauth_hostbased: cannot get local ipaddr/name"); | 1470 | error("userauth_hostbased: cannot get local ipaddr/name"); |
1463 | key_free(private); | 1471 | key_free(private); |
@@ -9,8 +9,8 @@ SYNOPSIS | |||
9 | 9 | ||
10 | DESCRIPTION | 10 | DESCRIPTION |
11 | sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these | 11 | sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these |
12 | programs replace rlogin and rsh, and provide secure encrypted communica- | 12 | programs replace rlogin(1) and rsh(1), and provide secure encrypted com- |
13 | tions between two untrusted hosts over an insecure network. | 13 | munications between two untrusted hosts over an insecure network. |
14 | 14 | ||
15 | sshd listens for connections from clients. It is normally started at | 15 | sshd listens for connections from clients. It is normally started at |
16 | boot from /etc/rc. It forks a new daemon for each incoming connection. | 16 | boot from /etc/rc. It forks a new daemon for each incoming connection. |
@@ -45,7 +45,7 @@ DESCRIPTION | |||
45 | -e When this option is specified, sshd will send the output to the | 45 | -e When this option is specified, sshd will send the output to the |
46 | standard error instead of the system log. | 46 | standard error instead of the system log. |
47 | 47 | ||
48 | -f configuration_file | 48 | -f config_file |
49 | Specifies the name of the configuration file. The default is | 49 | Specifies the name of the configuration file. The default is |
50 | /etc/ssh/sshd_config. sshd refuses to start if there is no con- | 50 | /etc/ssh/sshd_config. sshd refuses to start if there is no con- |
51 | figuration file. | 51 | figuration file. |
@@ -143,7 +143,8 @@ AUTHENTICATION | |||
143 | AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The | 143 | AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The |
144 | client selects the encryption algorithm to use from those offered by the | 144 | client selects the encryption algorithm to use from those offered by the |
145 | server. Additionally, session integrity is provided through a crypto- | 145 | server. Additionally, session integrity is provided through a crypto- |
146 | graphic message authentication code (hmac-sha1 or hmac-md5). | 146 | graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or |
147 | hmac-ripemd160). | ||
147 | 148 | ||
148 | Finally, the server and the client enter an authentication dialog. The | 149 | Finally, the server and the client enter an authentication dialog. The |
149 | client tries to authenticate itself using host-based authentication, pub- | 150 | client tries to authenticate itself using host-based authentication, pub- |
@@ -156,10 +157,10 @@ AUTHENTICATION | |||
156 | tion of a locked account is system dependant. Some platforms have their | 157 | tion of a locked account is system dependant. Some platforms have their |
157 | own account database (eg AIX) and some modify the passwd field ( `*LK*' | 158 | own account database (eg AIX) and some modify the passwd field ( `*LK*' |
158 | on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a | 159 | on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a |
159 | leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is | 160 | leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes). If |
160 | a requirement to disable password authentication for the account while | 161 | there is a requirement to disable password authentication for the account |
161 | allowing still public-key, then the passwd field should be set to some- | 162 | while allowing still public-key, then the passwd field should be set to |
162 | thing other than these values (eg `NP' or `*NP*' ). | 163 | something other than these values (eg `NP' or `*NP*' ). |
163 | 164 | ||
164 | If the client successfully authenticates itself, a dialog for preparing | 165 | If the client successfully authenticates itself, a dialog for preparing |
165 | the session is entered. At this time the client may request things like | 166 | the session is entered. At this time the client may request things like |
@@ -477,13 +478,6 @@ FILES | |||
477 | lows host-based authentication without permitting login with | 478 | lows host-based authentication without permitting login with |
478 | rlogin/rsh. | 479 | rlogin/rsh. |
479 | 480 | ||
480 | /etc/ssh/ssh_known_hosts | ||
481 | Systemwide list of known host keys. This file should be prepared | ||
482 | by the system administrator to contain the public host keys of | ||
483 | all machines in the organization. The format of this file is de- | ||
484 | scribed above. This file should be writable only by root/the | ||
485 | owner and should be world-readable. | ||
486 | |||
487 | /etc/ssh/ssh_host_key | 481 | /etc/ssh/ssh_host_key |
488 | /etc/ssh/ssh_host_dsa_key | 482 | /etc/ssh/ssh_host_dsa_key |
489 | /etc/ssh/ssh_host_rsa_key | 483 | /etc/ssh/ssh_host_rsa_key |
@@ -502,6 +496,13 @@ FILES | |||
502 | convenience of the user so their contents can be copied to known | 496 | convenience of the user so their contents can be copied to known |
503 | hosts files. These files are created using ssh-keygen(1). | 497 | hosts files. These files are created using ssh-keygen(1). |
504 | 498 | ||
499 | /etc/ssh/ssh_known_hosts | ||
500 | Systemwide list of known host keys. This file should be prepared | ||
501 | by the system administrator to contain the public host keys of | ||
502 | all machines in the organization. The format of this file is de- | ||
503 | scribed above. This file should be writable only by root/the | ||
504 | owner and should be world-readable. | ||
505 | |||
505 | /etc/ssh/sshd_config | 506 | /etc/ssh/sshd_config |
506 | Contains configuration data for sshd. The file format and con- | 507 | Contains configuration data for sshd. The file format and con- |
507 | figuration options are described in sshd_config(5). | 508 | figuration options are described in sshd_config(5). |
@@ -526,8 +527,8 @@ FILES | |||
526 | 527 | ||
527 | SEE ALSO | 528 | SEE ALSO |
528 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 529 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
529 | chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5), | 530 | ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5), |
530 | inetd(8), sftp-server(8) | 531 | sshd_config(5), inetd(8), sftp-server(8) |
531 | 532 | ||
532 | AUTHORS | 533 | AUTHORS |
533 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 534 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
@@ -541,4 +542,4 @@ CAVEATS | |||
541 | System security is not improved unless rshd, rlogind, and rexecd are dis- | 542 | System security is not improved unless rshd, rlogind, and rexecd are dis- |
542 | abled (thus completely disabling rlogin and rsh into the machine). | 543 | abled (thus completely disabling rlogin and rsh into the machine). |
543 | 544 | ||
544 | OpenBSD 4.1 September 25, 1999 9 | 545 | OpenBSD 4.2 August 16, 2007 9 |
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd $Mdocdate: August 16 2007 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -58,8 +58,11 @@ | |||
58 | .Nm | 58 | .Nm |
59 | (OpenSSH Daemon) is the daemon program for | 59 | (OpenSSH Daemon) is the daemon program for |
60 | .Xr ssh 1 . | 60 | .Xr ssh 1 . |
61 | Together these programs replace rlogin and rsh, and | 61 | Together these programs replace |
62 | provide secure encrypted communications between two untrusted hosts | 62 | .Xr rlogin 1 |
63 | and | ||
64 | .Xr rsh 1 , | ||
65 | and provide secure encrypted communications between two untrusted hosts | ||
63 | over an insecure network. | 66 | over an insecure network. |
64 | .Pp | 67 | .Pp |
65 | .Nm | 68 | .Nm |
@@ -117,7 +120,7 @@ Maximum is 3. | |||
117 | When this option is specified, | 120 | When this option is specified, |
118 | .Nm | 121 | .Nm |
119 | will send the output to the standard error instead of the system log. | 122 | will send the output to the standard error instead of the system log. |
120 | .It Fl f Ar configuration_file | 123 | .It Fl f Ar config_file |
121 | Specifies the name of the configuration file. | 124 | Specifies the name of the configuration file. |
122 | The default is | 125 | The default is |
123 | .Pa /etc/ssh/sshd_config . | 126 | .Pa /etc/ssh/sshd_config . |
@@ -276,7 +279,7 @@ The client selects the encryption algorithm | |||
276 | to use from those offered by the server. | 279 | to use from those offered by the server. |
277 | Additionally, session integrity is provided | 280 | Additionally, session integrity is provided |
278 | through a cryptographic message authentication code | 281 | through a cryptographic message authentication code |
279 | (hmac-sha1 or hmac-md5). | 282 | (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160). |
280 | .Pp | 283 | .Pp |
281 | Finally, the server and the client enter an authentication dialog. | 284 | Finally, the server and the client enter an authentication dialog. |
282 | The client tries to authenticate itself using | 285 | The client tries to authenticate itself using |
@@ -302,8 +305,9 @@ on Tru64, | |||
302 | a leading | 305 | a leading |
303 | .Ql \&*LOCKED\&* | 306 | .Ql \&*LOCKED\&* |
304 | on FreeBSD and a leading | 307 | on FreeBSD and a leading |
305 | .Ql \&!! | 308 | .Ql \&! |
306 | on Linux). If there is a requirement to disable password authentication | 309 | on most Linuxes). |
310 | If there is a requirement to disable password authentication | ||
307 | for the account while allowing still public-key, then the passwd field | 311 | for the account while allowing still public-key, then the passwd field |
308 | should be set to something other than these values (eg | 312 | should be set to something other than these values (eg |
309 | .Ql NP | 313 | .Ql NP |
@@ -761,15 +765,6 @@ This file is used in exactly the same way as | |||
761 | but allows host-based authentication without permitting login with | 765 | but allows host-based authentication without permitting login with |
762 | rlogin/rsh. | 766 | rlogin/rsh. |
763 | .Pp | 767 | .Pp |
764 | .It /etc/ssh/ssh_known_hosts | ||
765 | Systemwide list of known host keys. | ||
766 | This file should be prepared by the | ||
767 | system administrator to contain the public host keys of all machines in the | ||
768 | organization. | ||
769 | The format of this file is described above. | ||
770 | This file should be writable only by root/the owner and | ||
771 | should be world-readable. | ||
772 | .Pp | ||
773 | .It /etc/ssh/ssh_host_key | 768 | .It /etc/ssh/ssh_host_key |
774 | .It /etc/ssh/ssh_host_dsa_key | 769 | .It /etc/ssh/ssh_host_dsa_key |
775 | .It /etc/ssh/ssh_host_rsa_key | 770 | .It /etc/ssh/ssh_host_rsa_key |
@@ -793,6 +788,15 @@ the user so their contents can be copied to known hosts files. | |||
793 | These files are created using | 788 | These files are created using |
794 | .Xr ssh-keygen 1 . | 789 | .Xr ssh-keygen 1 . |
795 | .Pp | 790 | .Pp |
791 | .It /etc/ssh/ssh_known_hosts | ||
792 | Systemwide list of known host keys. | ||
793 | This file should be prepared by the | ||
794 | system administrator to contain the public host keys of all machines in the | ||
795 | organization. | ||
796 | The format of this file is described above. | ||
797 | This file should be writable only by root/the owner and | ||
798 | should be world-readable. | ||
799 | .Pp | ||
796 | .It /etc/ssh/sshd_config | 800 | .It /etc/ssh/sshd_config |
797 | Contains configuration data for | 801 | Contains configuration data for |
798 | .Nm sshd . | 802 | .Nm sshd . |
@@ -829,6 +833,7 @@ The content of this file is not sensitive; it can be world-readable. | |||
829 | .Xr ssh-add 1 , | 833 | .Xr ssh-add 1 , |
830 | .Xr ssh-agent 1 , | 834 | .Xr ssh-agent 1 , |
831 | .Xr ssh-keygen 1 , | 835 | .Xr ssh-keygen 1 , |
836 | .Xr ssh-keyscan 1 , | ||
832 | .Xr chroot 2 , | 837 | .Xr chroot 2 , |
833 | .Xr hosts_access 5 , | 838 | .Xr hosts_access 5 , |
834 | .Xr login.conf 5 , | 839 | .Xr login.conf 5 , |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
diff --git a/sshd_config b/sshd_config index 68c8752c0..aa1e4abdf 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ | 1 | # $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $ |
2 | 2 | ||
3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
@@ -11,11 +11,15 @@ | |||
11 | # default value. | 11 | # default value. |
12 | 12 | ||
13 | #Port 22 | 13 | #Port 22 |
14 | #Protocol 2,1 | ||
15 | #AddressFamily any | 14 | #AddressFamily any |
16 | #ListenAddress 0.0.0.0 | 15 | #ListenAddress 0.0.0.0 |
17 | #ListenAddress :: | 16 | #ListenAddress :: |
18 | 17 | ||
18 | # Disable legacy (protocol version 1) support in the server for new | ||
19 | # installations. In future the default will change to require explicit | ||
20 | # activation of protocol 1 | ||
21 | Protocol 2 | ||
22 | |||
19 | # HostKey for protocol version 1 | 23 | # HostKey for protocol version 1 |
20 | #HostKey /etc/ssh/ssh_host_key | 24 | #HostKey /etc/ssh/ssh_host_key |
21 | # HostKeys for protocol version 2 | 25 | # HostKeys for protocol version 2 |
diff --git a/sshd_config.0 b/sshd_config.0 index c9a09a4ff..0b340ad20 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -282,8 +282,10 @@ DESCRIPTION | |||
282 | MACs Specifies the available MAC (message authentication code) algo- | 282 | MACs Specifies the available MAC (message authentication code) algo- |
283 | rithms. The MAC algorithm is used in protocol version 2 for data | 283 | rithms. The MAC algorithm is used in protocol version 2 for data |
284 | integrity protection. Multiple algorithms must be comma-separat- | 284 | integrity protection. Multiple algorithms must be comma-separat- |
285 | ed. The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- | 285 | ed. The default is: |
286 | sha1-96,hmac-md5-96''. | 286 | |
287 | hmac-md5,hmac-sha1,umac-64@openssh.com, | ||
288 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | ||
287 | 289 | ||
288 | Match Introduces a conditional block. If all of the criteria on the | 290 | Match Introduces a conditional block. If all of the criteria on the |
289 | Match line are satisfied, the keywords on the following lines | 291 | Match line are satisfied, the keywords on the following lines |
@@ -570,4 +572,4 @@ AUTHORS | |||
570 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 572 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
571 | for privilege separation. | 573 | for privilege separation. |
572 | 574 | ||
573 | OpenBSD 4.1 September 25, 1999 9 | 575 | OpenBSD 4.2 June 11, 2007 9 |
diff --git a/sshd_config.5 b/sshd_config.5 index b66cabbba..54b757b7f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd $Mdocdate: June 11 2007 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -512,7 +512,10 @@ The MAC algorithm is used in protocol version 2 | |||
512 | for data integrity protection. | 512 | for data integrity protection. |
513 | Multiple algorithms must be comma-separated. | 513 | Multiple algorithms must be comma-separated. |
514 | The default is: | 514 | The default is: |
515 | .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . | 515 | .Bd -literal -offset indent |
516 | hmac-md5,hmac-sha1,umac-64@openssh.com, | ||
517 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | ||
518 | .Ed | ||
516 | .It Cm Match | 519 | .It Cm Match |
517 | Introduces a conditional block. | 520 | Introduces a conditional block. |
518 | If all of the criteria on the | 521 | If all of the criteria on the |
@@ -0,0 +1,1272 @@ | |||
1 | /* $OpenBSD: umac.c,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */ | ||
2 | /* ----------------------------------------------------------------------- | ||
3 | * | ||
4 | * umac.c -- C Implementation UMAC Message Authentication | ||
5 | * | ||
6 | * Version 0.93b of rfc4418.txt -- 2006 July 18 | ||
7 | * | ||
8 | * For a full description of UMAC message authentication see the UMAC | ||
9 | * world-wide-web page at http://www.cs.ucdavis.edu/~rogaway/umac | ||
10 | * Please report bugs and suggestions to the UMAC webpage. | ||
11 | * | ||
12 | * Copyright (c) 1999-2006 Ted Krovetz | ||
13 | * | ||
14 | * Permission to use, copy, modify, and distribute this software and | ||
15 | * its documentation for any purpose and with or without fee, is hereby | ||
16 | * granted provided that the above copyright notice appears in all copies | ||
17 | * and in supporting documentation, and that the name of the copyright | ||
18 | * holder not be used in advertising or publicity pertaining to | ||
19 | * distribution of the software without specific, written prior permission. | ||
20 | * | ||
21 | * Comments should be directed to Ted Krovetz (tdk@acm.org) | ||
22 | * | ||
23 | * ---------------------------------------------------------------------- */ | ||
24 | |||
25 | /* ////////////////////// IMPORTANT NOTES ///////////////////////////////// | ||
26 | * | ||
27 | * 1) This version does not work properly on messages larger than 16MB | ||
28 | * | ||
29 | * 2) If you set the switch to use SSE2, then all data must be 16-byte | ||
30 | * aligned | ||
31 | * | ||
32 | * 3) When calling the function umac(), it is assumed that msg is in | ||
33 | * a writable buffer of length divisible by 32 bytes. The message itself | ||
34 | * does not have to fill the entire buffer, but bytes beyond msg may be | ||
35 | * zeroed. | ||
36 | * | ||
37 | * 4) Three free AES implementations are supported by this implementation of | ||
38 | * UMAC. Paulo Barreto's version is in the public domain and can be found | ||
39 | * at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ (search for | ||
40 | * "Barreto"). The only two files needed are rijndael-alg-fst.c and | ||
41 | * rijndael-alg-fst.h. Brian Gladman's version is distributed with the GNU | ||
42 | * Public lisence at http://fp.gladman.plus.com/AES/index.htm. It | ||
43 | * includes a fast IA-32 assembly version. The OpenSSL crypo library is | ||
44 | * the third. | ||
45 | * | ||
46 | * 5) With FORCE_C_ONLY flags set to 0, incorrect results are sometimes | ||
47 | * produced under gcc with optimizations set -O3 or higher. Dunno why. | ||
48 | * | ||
49 | /////////////////////////////////////////////////////////////////////// */ | ||
50 | |||
51 | /* ---------------------------------------------------------------------- */ | ||
52 | /* --- User Switches ---------------------------------------------------- */ | ||
53 | /* ---------------------------------------------------------------------- */ | ||
54 | |||
55 | #define UMAC_OUTPUT_LEN 8 /* Alowable: 4, 8, 12, 16 */ | ||
56 | /* #define FORCE_C_ONLY 1 ANSI C and 64-bit integers req'd */ | ||
57 | /* #define AES_IMPLEMENTAION 1 1 = OpenSSL, 2 = Barreto, 3 = Gladman */ | ||
58 | /* #define SSE2 0 Is SSE2 is available? */ | ||
59 | /* #define RUN_TESTS 0 Run basic correctness/speed tests */ | ||
60 | /* #define UMAC_AE_SUPPORT 0 Enable auhthenticated encrytion */ | ||
61 | |||
62 | /* ---------------------------------------------------------------------- */ | ||
63 | /* -- Global Includes --------------------------------------------------- */ | ||
64 | /* ---------------------------------------------------------------------- */ | ||
65 | |||
66 | #include "includes.h" | ||
67 | #include <sys/types.h> | ||
68 | |||
69 | #include "umac.h" | ||
70 | #include <string.h> | ||
71 | #include <stdlib.h> | ||
72 | #include <stddef.h> | ||
73 | |||
74 | /* ---------------------------------------------------------------------- */ | ||
75 | /* --- Primitive Data Types --- */ | ||
76 | /* ---------------------------------------------------------------------- */ | ||
77 | |||
78 | /* The following assumptions may need change on your system */ | ||
79 | typedef u_int8_t UINT8; /* 1 byte */ | ||
80 | typedef u_int16_t UINT16; /* 2 byte */ | ||
81 | typedef u_int32_t UINT32; /* 4 byte */ | ||
82 | typedef u_int64_t UINT64; /* 8 bytes */ | ||
83 | typedef unsigned int UWORD; /* Register */ | ||
84 | |||
85 | /* ---------------------------------------------------------------------- */ | ||
86 | /* --- Constants -------------------------------------------------------- */ | ||
87 | /* ---------------------------------------------------------------------- */ | ||
88 | |||
89 | #define UMAC_KEY_LEN 16 /* UMAC takes 16 bytes of external key */ | ||
90 | |||
91 | /* Message "words" are read from memory in an endian-specific manner. */ | ||
92 | /* For this implementation to behave correctly, __LITTLE_ENDIAN__ must */ | ||
93 | /* be set true if the host computer is little-endian. */ | ||
94 | |||
95 | #if BYTE_ORDER == LITTLE_ENDIAN | ||
96 | #define __LITTLE_ENDIAN__ 1 | ||
97 | #else | ||
98 | #define __LITTLE_ENDIAN__ 0 | ||
99 | #endif | ||
100 | |||
101 | /* ---------------------------------------------------------------------- */ | ||
102 | /* ---------------------------------------------------------------------- */ | ||
103 | /* ----- Architecture Specific ------------------------------------------ */ | ||
104 | /* ---------------------------------------------------------------------- */ | ||
105 | /* ---------------------------------------------------------------------- */ | ||
106 | |||
107 | |||
108 | /* ---------------------------------------------------------------------- */ | ||
109 | /* ---------------------------------------------------------------------- */ | ||
110 | /* ----- Primitive Routines --------------------------------------------- */ | ||
111 | /* ---------------------------------------------------------------------- */ | ||
112 | /* ---------------------------------------------------------------------- */ | ||
113 | |||
114 | |||
115 | /* ---------------------------------------------------------------------- */ | ||
116 | /* --- 32-bit by 32-bit to 64-bit Multiplication ------------------------ */ | ||
117 | /* ---------------------------------------------------------------------- */ | ||
118 | |||
119 | #define MUL64(a,b) ((UINT64)((UINT64)(UINT32)(a) * (UINT64)(UINT32)(b))) | ||
120 | |||
121 | /* ---------------------------------------------------------------------- */ | ||
122 | /* --- Endian Conversion --- Forcing assembly on some platforms */ | ||
123 | /* ---------------------------------------------------------------------- */ | ||
124 | |||
125 | #if HAVE_SWAP32 | ||
126 | #define LOAD_UINT32_REVERSED(p) (swap32(*(UINT32 *)(p))) | ||
127 | #define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v)) | ||
128 | #else /* HAVE_SWAP32 */ | ||
129 | |||
130 | static UINT32 LOAD_UINT32_REVERSED(void *ptr) | ||
131 | { | ||
132 | UINT32 temp = *(UINT32 *)ptr; | ||
133 | temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 ) | ||
134 | | ((temp & 0x0000FF00) << 8 ) | (temp << 24); | ||
135 | return (UINT32)temp; | ||
136 | } | ||
137 | |||
138 | static void STORE_UINT32_REVERSED(void *ptr, UINT32 x) | ||
139 | { | ||
140 | UINT32 i = (UINT32)x; | ||
141 | *(UINT32 *)ptr = (i >> 24) | ((i & 0x00FF0000) >> 8 ) | ||
142 | | ((i & 0x0000FF00) << 8 ) | (i << 24); | ||
143 | } | ||
144 | #endif /* HAVE_SWAP32 */ | ||
145 | |||
146 | /* The following definitions use the above reversal-primitives to do the right | ||
147 | * thing on endian specific load and stores. | ||
148 | */ | ||
149 | |||
150 | #if (__LITTLE_ENDIAN__) | ||
151 | #define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr)) | ||
152 | #define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x) | ||
153 | #else | ||
154 | #define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr) | ||
155 | #define STORE_UINT32_BIG(ptr,x) (*(UINT32 *)(ptr) = (UINT32)(x)) | ||
156 | #endif | ||
157 | |||
158 | /* ---------------------------------------------------------------------- */ | ||
159 | /* ---------------------------------------------------------------------- */ | ||
160 | /* ----- Begin KDF & PDF Section ---------------------------------------- */ | ||
161 | /* ---------------------------------------------------------------------- */ | ||
162 | /* ---------------------------------------------------------------------- */ | ||
163 | |||
164 | /* UMAC uses AES with 16 byte block and key lengths */ | ||
165 | #define AES_BLOCK_LEN 16 | ||
166 | |||
167 | /* OpenSSL's AES */ | ||
168 | #include "openbsd-compat/openssl-compat.h" | ||
169 | #ifndef USE_BUILTIN_RIJNDAEL | ||
170 | # include <openssl/aes.h> | ||
171 | #endif | ||
172 | typedef AES_KEY aes_int_key[1]; | ||
173 | #define aes_encryption(in,out,int_key) \ | ||
174 | AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key) | ||
175 | #define aes_key_setup(key,int_key) \ | ||
176 | AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key) | ||
177 | |||
178 | /* The user-supplied UMAC key is stretched using AES in a counter | ||
179 | * mode to supply all random bits needed by UMAC. The kdf function takes | ||
180 | * an AES internal key representation 'key' and writes a stream of | ||
181 | * 'nbytes' bytes to the memory pointed at by 'buffer_ptr'. Each distinct | ||
182 | * 'ndx' causes a distinct byte stream. | ||
183 | */ | ||
184 | static void kdf(void *buffer_ptr, aes_int_key key, UINT8 ndx, int nbytes) | ||
185 | { | ||
186 | UINT8 in_buf[AES_BLOCK_LEN] = {0}; | ||
187 | UINT8 out_buf[AES_BLOCK_LEN]; | ||
188 | UINT8 *dst_buf = (UINT8 *)buffer_ptr; | ||
189 | int i; | ||
190 | |||
191 | /* Setup the initial value */ | ||
192 | in_buf[AES_BLOCK_LEN-9] = ndx; | ||
193 | in_buf[AES_BLOCK_LEN-1] = i = 1; | ||
194 | |||
195 | while (nbytes >= AES_BLOCK_LEN) { | ||
196 | aes_encryption(in_buf, out_buf, key); | ||
197 | memcpy(dst_buf,out_buf,AES_BLOCK_LEN); | ||
198 | in_buf[AES_BLOCK_LEN-1] = ++i; | ||
199 | nbytes -= AES_BLOCK_LEN; | ||
200 | dst_buf += AES_BLOCK_LEN; | ||
201 | } | ||
202 | if (nbytes) { | ||
203 | aes_encryption(in_buf, out_buf, key); | ||
204 | memcpy(dst_buf,out_buf,nbytes); | ||
205 | } | ||
206 | } | ||
207 | |||
208 | /* The final UHASH result is XOR'd with the output of a pseudorandom | ||
209 | * function. Here, we use AES to generate random output and | ||
210 | * xor the appropriate bytes depending on the last bits of nonce. | ||
211 | * This scheme is optimized for sequential, increasing big-endian nonces. | ||
212 | */ | ||
213 | |||
214 | typedef struct { | ||
215 | UINT8 cache[AES_BLOCK_LEN]; /* Previous AES output is saved */ | ||
216 | UINT8 nonce[AES_BLOCK_LEN]; /* The AES input making above cache */ | ||
217 | aes_int_key prf_key; /* Expanded AES key for PDF */ | ||
218 | } pdf_ctx; | ||
219 | |||
220 | static void pdf_init(pdf_ctx *pc, aes_int_key prf_key) | ||
221 | { | ||
222 | UINT8 buf[UMAC_KEY_LEN]; | ||
223 | |||
224 | kdf(buf, prf_key, 0, UMAC_KEY_LEN); | ||
225 | aes_key_setup(buf, pc->prf_key); | ||
226 | |||
227 | /* Initialize pdf and cache */ | ||
228 | memset(pc->nonce, 0, sizeof(pc->nonce)); | ||
229 | aes_encryption(pc->nonce, pc->cache, pc->prf_key); | ||
230 | } | ||
231 | |||
232 | static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) | ||
233 | { | ||
234 | /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes | ||
235 | * of the AES output. If last time around we returned the ndx-1st | ||
236 | * element, then we may have the result in the cache already. | ||
237 | */ | ||
238 | |||
239 | #if (UMAC_OUTPUT_LEN == 4) | ||
240 | #define LOW_BIT_MASK 3 | ||
241 | #elif (UMAC_OUTPUT_LEN == 8) | ||
242 | #define LOW_BIT_MASK 1 | ||
243 | #elif (UMAC_OUTPUT_LEN > 8) | ||
244 | #define LOW_BIT_MASK 0 | ||
245 | #endif | ||
246 | |||
247 | UINT8 tmp_nonce_lo[4]; | ||
248 | #if LOW_BIT_MASK != 0 | ||
249 | int ndx = nonce[7] & LOW_BIT_MASK; | ||
250 | #endif | ||
251 | *(UINT32 *)tmp_nonce_lo = ((UINT32 *)nonce)[1]; | ||
252 | tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ | ||
253 | |||
254 | if ( (((UINT32 *)tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || | ||
255 | (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) | ||
256 | { | ||
257 | ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; | ||
258 | ((UINT32 *)pc->nonce)[1] = ((UINT32 *)tmp_nonce_lo)[0]; | ||
259 | aes_encryption(pc->nonce, pc->cache, pc->prf_key); | ||
260 | } | ||
261 | |||
262 | #if (UMAC_OUTPUT_LEN == 4) | ||
263 | *((UINT32 *)buf) ^= ((UINT32 *)pc->cache)[ndx]; | ||
264 | #elif (UMAC_OUTPUT_LEN == 8) | ||
265 | *((UINT64 *)buf) ^= ((UINT64 *)pc->cache)[ndx]; | ||
266 | #elif (UMAC_OUTPUT_LEN == 12) | ||
267 | ((UINT64 *)buf)[0] ^= ((UINT64 *)pc->cache)[0]; | ||
268 | ((UINT32 *)buf)[2] ^= ((UINT32 *)pc->cache)[2]; | ||
269 | #elif (UMAC_OUTPUT_LEN == 16) | ||
270 | ((UINT64 *)buf)[0] ^= ((UINT64 *)pc->cache)[0]; | ||
271 | ((UINT64 *)buf)[1] ^= ((UINT64 *)pc->cache)[1]; | ||
272 | #endif | ||
273 | } | ||
274 | |||
275 | /* ---------------------------------------------------------------------- */ | ||
276 | /* ---------------------------------------------------------------------- */ | ||
277 | /* ----- Begin NH Hash Section ------------------------------------------ */ | ||
278 | /* ---------------------------------------------------------------------- */ | ||
279 | /* ---------------------------------------------------------------------- */ | ||
280 | |||
281 | /* The NH-based hash functions used in UMAC are described in the UMAC paper | ||
282 | * and specification, both of which can be found at the UMAC website. | ||
283 | * The interface to this implementation has two | ||
284 | * versions, one expects the entire message being hashed to be passed | ||
285 | * in a single buffer and returns the hash result immediately. The second | ||
286 | * allows the message to be passed in a sequence of buffers. In the | ||
287 | * muliple-buffer interface, the client calls the routine nh_update() as | ||
288 | * many times as necessary. When there is no more data to be fed to the | ||
289 | * hash, the client calls nh_final() which calculates the hash output. | ||
290 | * Before beginning another hash calculation the nh_reset() routine | ||
291 | * must be called. The single-buffer routine, nh(), is equivalent to | ||
292 | * the sequence of calls nh_update() and nh_final(); however it is | ||
293 | * optimized and should be prefered whenever the multiple-buffer interface | ||
294 | * is not necessary. When using either interface, it is the client's | ||
295 | * responsability to pass no more than L1_KEY_LEN bytes per hash result. | ||
296 | * | ||
297 | * The routine nh_init() initializes the nh_ctx data structure and | ||
298 | * must be called once, before any other PDF routine. | ||
299 | */ | ||
300 | |||
301 | /* The "nh_aux" routines do the actual NH hashing work. They | ||
302 | * expect buffers to be multiples of L1_PAD_BOUNDARY. These routines | ||
303 | * produce output for all STREAMS NH iterations in one call, | ||
304 | * allowing the parallel implementation of the streams. | ||
305 | */ | ||
306 | |||
307 | #define STREAMS (UMAC_OUTPUT_LEN / 4) /* Number of times hash is applied */ | ||
308 | #define L1_KEY_LEN 1024 /* Internal key bytes */ | ||
309 | #define L1_KEY_SHIFT 16 /* Toeplitz key shift between streams */ | ||
310 | #define L1_PAD_BOUNDARY 32 /* pad message to boundary multiple */ | ||
311 | #define ALLOC_BOUNDARY 16 /* Keep buffers aligned to this */ | ||
312 | #define HASH_BUF_BYTES 64 /* nh_aux_hb buffer multiple */ | ||
313 | |||
314 | typedef struct { | ||
315 | UINT8 nh_key [L1_KEY_LEN + L1_KEY_SHIFT * (STREAMS - 1)]; /* NH Key */ | ||
316 | UINT8 data [HASH_BUF_BYTES]; /* Incomming data buffer */ | ||
317 | int next_data_empty; /* Bookeeping variable for data buffer. */ | ||
318 | int bytes_hashed; /* Bytes (out of L1_KEY_LEN) incorperated. */ | ||
319 | UINT64 state[STREAMS]; /* on-line state */ | ||
320 | } nh_ctx; | ||
321 | |||
322 | |||
323 | #if (UMAC_OUTPUT_LEN == 4) | ||
324 | |||
325 | static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) | ||
326 | /* NH hashing primitive. Previous (partial) hash result is loaded and | ||
327 | * then stored via hp pointer. The length of the data pointed at by "dp", | ||
328 | * "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key | ||
329 | * is expected to be endian compensated in memory at key setup. | ||
330 | */ | ||
331 | { | ||
332 | UINT64 h; | ||
333 | UWORD c = dlen / 32; | ||
334 | UINT32 *k = (UINT32 *)kp; | ||
335 | UINT32 *d = (UINT32 *)dp; | ||
336 | UINT32 d0,d1,d2,d3,d4,d5,d6,d7; | ||
337 | UINT32 k0,k1,k2,k3,k4,k5,k6,k7; | ||
338 | |||
339 | h = *((UINT64 *)hp); | ||
340 | do { | ||
341 | d0 = LOAD_UINT32_LITTLE(d+0); d1 = LOAD_UINT32_LITTLE(d+1); | ||
342 | d2 = LOAD_UINT32_LITTLE(d+2); d3 = LOAD_UINT32_LITTLE(d+3); | ||
343 | d4 = LOAD_UINT32_LITTLE(d+4); d5 = LOAD_UINT32_LITTLE(d+5); | ||
344 | d6 = LOAD_UINT32_LITTLE(d+6); d7 = LOAD_UINT32_LITTLE(d+7); | ||
345 | k0 = *(k+0); k1 = *(k+1); k2 = *(k+2); k3 = *(k+3); | ||
346 | k4 = *(k+4); k5 = *(k+5); k6 = *(k+6); k7 = *(k+7); | ||
347 | h += MUL64((k0 + d0), (k4 + d4)); | ||
348 | h += MUL64((k1 + d1), (k5 + d5)); | ||
349 | h += MUL64((k2 + d2), (k6 + d6)); | ||
350 | h += MUL64((k3 + d3), (k7 + d7)); | ||
351 | |||
352 | d += 8; | ||
353 | k += 8; | ||
354 | } while (--c); | ||
355 | *((UINT64 *)hp) = h; | ||
356 | } | ||
357 | |||
358 | #elif (UMAC_OUTPUT_LEN == 8) | ||
359 | |||
360 | static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) | ||
361 | /* Same as previous nh_aux, but two streams are handled in one pass, | ||
362 | * reading and writing 16 bytes of hash-state per call. | ||
363 | */ | ||
364 | { | ||
365 | UINT64 h1,h2; | ||
366 | UWORD c = dlen / 32; | ||
367 | UINT32 *k = (UINT32 *)kp; | ||
368 | UINT32 *d = (UINT32 *)dp; | ||
369 | UINT32 d0,d1,d2,d3,d4,d5,d6,d7; | ||
370 | UINT32 k0,k1,k2,k3,k4,k5,k6,k7, | ||
371 | k8,k9,k10,k11; | ||
372 | |||
373 | h1 = *((UINT64 *)hp); | ||
374 | h2 = *((UINT64 *)hp + 1); | ||
375 | k0 = *(k+0); k1 = *(k+1); k2 = *(k+2); k3 = *(k+3); | ||
376 | do { | ||
377 | d0 = LOAD_UINT32_LITTLE(d+0); d1 = LOAD_UINT32_LITTLE(d+1); | ||
378 | d2 = LOAD_UINT32_LITTLE(d+2); d3 = LOAD_UINT32_LITTLE(d+3); | ||
379 | d4 = LOAD_UINT32_LITTLE(d+4); d5 = LOAD_UINT32_LITTLE(d+5); | ||
380 | d6 = LOAD_UINT32_LITTLE(d+6); d7 = LOAD_UINT32_LITTLE(d+7); | ||
381 | k4 = *(k+4); k5 = *(k+5); k6 = *(k+6); k7 = *(k+7); | ||
382 | k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11); | ||
383 | |||
384 | h1 += MUL64((k0 + d0), (k4 + d4)); | ||
385 | h2 += MUL64((k4 + d0), (k8 + d4)); | ||
386 | |||
387 | h1 += MUL64((k1 + d1), (k5 + d5)); | ||
388 | h2 += MUL64((k5 + d1), (k9 + d5)); | ||
389 | |||
390 | h1 += MUL64((k2 + d2), (k6 + d6)); | ||
391 | h2 += MUL64((k6 + d2), (k10 + d6)); | ||
392 | |||
393 | h1 += MUL64((k3 + d3), (k7 + d7)); | ||
394 | h2 += MUL64((k7 + d3), (k11 + d7)); | ||
395 | |||
396 | k0 = k8; k1 = k9; k2 = k10; k3 = k11; | ||
397 | |||
398 | d += 8; | ||
399 | k += 8; | ||
400 | } while (--c); | ||
401 | ((UINT64 *)hp)[0] = h1; | ||
402 | ((UINT64 *)hp)[1] = h2; | ||
403 | } | ||
404 | |||
405 | #elif (UMAC_OUTPUT_LEN == 12) | ||
406 | |||
407 | static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) | ||
408 | /* Same as previous nh_aux, but two streams are handled in one pass, | ||
409 | * reading and writing 24 bytes of hash-state per call. | ||
410 | */ | ||
411 | { | ||
412 | UINT64 h1,h2,h3; | ||
413 | UWORD c = dlen / 32; | ||
414 | UINT32 *k = (UINT32 *)kp; | ||
415 | UINT32 *d = (UINT32 *)dp; | ||
416 | UINT32 d0,d1,d2,d3,d4,d5,d6,d7; | ||
417 | UINT32 k0,k1,k2,k3,k4,k5,k6,k7, | ||
418 | k8,k9,k10,k11,k12,k13,k14,k15; | ||
419 | |||
420 | h1 = *((UINT64 *)hp); | ||
421 | h2 = *((UINT64 *)hp + 1); | ||
422 | h3 = *((UINT64 *)hp + 2); | ||
423 | k0 = *(k+0); k1 = *(k+1); k2 = *(k+2); k3 = *(k+3); | ||
424 | k4 = *(k+4); k5 = *(k+5); k6 = *(k+6); k7 = *(k+7); | ||
425 | do { | ||
426 | d0 = LOAD_UINT32_LITTLE(d+0); d1 = LOAD_UINT32_LITTLE(d+1); | ||
427 | d2 = LOAD_UINT32_LITTLE(d+2); d3 = LOAD_UINT32_LITTLE(d+3); | ||
428 | d4 = LOAD_UINT32_LITTLE(d+4); d5 = LOAD_UINT32_LITTLE(d+5); | ||
429 | d6 = LOAD_UINT32_LITTLE(d+6); d7 = LOAD_UINT32_LITTLE(d+7); | ||
430 | k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11); | ||
431 | k12 = *(k+12); k13 = *(k+13); k14 = *(k+14); k15 = *(k+15); | ||
432 | |||
433 | h1 += MUL64((k0 + d0), (k4 + d4)); | ||
434 | h2 += MUL64((k4 + d0), (k8 + d4)); | ||
435 | h3 += MUL64((k8 + d0), (k12 + d4)); | ||
436 | |||
437 | h1 += MUL64((k1 + d1), (k5 + d5)); | ||
438 | h2 += MUL64((k5 + d1), (k9 + d5)); | ||
439 | h3 += MUL64((k9 + d1), (k13 + d5)); | ||
440 | |||
441 | h1 += MUL64((k2 + d2), (k6 + d6)); | ||
442 | h2 += MUL64((k6 + d2), (k10 + d6)); | ||
443 | h3 += MUL64((k10 + d2), (k14 + d6)); | ||
444 | |||
445 | h1 += MUL64((k3 + d3), (k7 + d7)); | ||
446 | h2 += MUL64((k7 + d3), (k11 + d7)); | ||
447 | h3 += MUL64((k11 + d3), (k15 + d7)); | ||
448 | |||
449 | k0 = k8; k1 = k9; k2 = k10; k3 = k11; | ||
450 | k4 = k12; k5 = k13; k6 = k14; k7 = k15; | ||
451 | |||
452 | d += 8; | ||
453 | k += 8; | ||
454 | } while (--c); | ||
455 | ((UINT64 *)hp)[0] = h1; | ||
456 | ((UINT64 *)hp)[1] = h2; | ||
457 | ((UINT64 *)hp)[2] = h3; | ||
458 | } | ||
459 | |||
460 | #elif (UMAC_OUTPUT_LEN == 16) | ||
461 | |||
462 | static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) | ||
463 | /* Same as previous nh_aux, but two streams are handled in one pass, | ||
464 | * reading and writing 24 bytes of hash-state per call. | ||
465 | */ | ||
466 | { | ||
467 | UINT64 h1,h2,h3,h4; | ||
468 | UWORD c = dlen / 32; | ||
469 | UINT32 *k = (UINT32 *)kp; | ||
470 | UINT32 *d = (UINT32 *)dp; | ||
471 | UINT32 d0,d1,d2,d3,d4,d5,d6,d7; | ||
472 | UINT32 k0,k1,k2,k3,k4,k5,k6,k7, | ||
473 | k8,k9,k10,k11,k12,k13,k14,k15, | ||
474 | k16,k17,k18,k19; | ||
475 | |||
476 | h1 = *((UINT64 *)hp); | ||
477 | h2 = *((UINT64 *)hp + 1); | ||
478 | h3 = *((UINT64 *)hp + 2); | ||
479 | h4 = *((UINT64 *)hp + 3); | ||
480 | k0 = *(k+0); k1 = *(k+1); k2 = *(k+2); k3 = *(k+3); | ||
481 | k4 = *(k+4); k5 = *(k+5); k6 = *(k+6); k7 = *(k+7); | ||
482 | do { | ||
483 | d0 = LOAD_UINT32_LITTLE(d+0); d1 = LOAD_UINT32_LITTLE(d+1); | ||
484 | d2 = LOAD_UINT32_LITTLE(d+2); d3 = LOAD_UINT32_LITTLE(d+3); | ||
485 | d4 = LOAD_UINT32_LITTLE(d+4); d5 = LOAD_UINT32_LITTLE(d+5); | ||
486 | d6 = LOAD_UINT32_LITTLE(d+6); d7 = LOAD_UINT32_LITTLE(d+7); | ||
487 | k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11); | ||
488 | k12 = *(k+12); k13 = *(k+13); k14 = *(k+14); k15 = *(k+15); | ||
489 | k16 = *(k+16); k17 = *(k+17); k18 = *(k+18); k19 = *(k+19); | ||
490 | |||
491 | h1 += MUL64((k0 + d0), (k4 + d4)); | ||
492 | h2 += MUL64((k4 + d0), (k8 + d4)); | ||
493 | h3 += MUL64((k8 + d0), (k12 + d4)); | ||
494 | h4 += MUL64((k12 + d0), (k16 + d4)); | ||
495 | |||
496 | h1 += MUL64((k1 + d1), (k5 + d5)); | ||
497 | h2 += MUL64((k5 + d1), (k9 + d5)); | ||
498 | h3 += MUL64((k9 + d1), (k13 + d5)); | ||
499 | h4 += MUL64((k13 + d1), (k17 + d5)); | ||
500 | |||
501 | h1 += MUL64((k2 + d2), (k6 + d6)); | ||
502 | h2 += MUL64((k6 + d2), (k10 + d6)); | ||
503 | h3 += MUL64((k10 + d2), (k14 + d6)); | ||
504 | h4 += MUL64((k14 + d2), (k18 + d6)); | ||
505 | |||
506 | h1 += MUL64((k3 + d3), (k7 + d7)); | ||
507 | h2 += MUL64((k7 + d3), (k11 + d7)); | ||
508 | h3 += MUL64((k11 + d3), (k15 + d7)); | ||
509 | h4 += MUL64((k15 + d3), (k19 + d7)); | ||
510 | |||
511 | k0 = k8; k1 = k9; k2 = k10; k3 = k11; | ||
512 | k4 = k12; k5 = k13; k6 = k14; k7 = k15; | ||
513 | k8 = k16; k9 = k17; k10 = k18; k11 = k19; | ||
514 | |||
515 | d += 8; | ||
516 | k += 8; | ||
517 | } while (--c); | ||
518 | ((UINT64 *)hp)[0] = h1; | ||
519 | ((UINT64 *)hp)[1] = h2; | ||
520 | ((UINT64 *)hp)[2] = h3; | ||
521 | ((UINT64 *)hp)[3] = h4; | ||
522 | } | ||
523 | |||
524 | /* ---------------------------------------------------------------------- */ | ||
525 | #endif /* UMAC_OUTPUT_LENGTH */ | ||
526 | /* ---------------------------------------------------------------------- */ | ||
527 | |||
528 | |||
529 | /* ---------------------------------------------------------------------- */ | ||
530 | |||
531 | static void nh_transform(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) | ||
532 | /* This function is a wrapper for the primitive NH hash functions. It takes | ||
533 | * as argument "hc" the current hash context and a buffer which must be a | ||
534 | * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset | ||
535 | * appropriately according to how much message has been hashed already. | ||
536 | */ | ||
537 | { | ||
538 | UINT8 *key; | ||
539 | |||
540 | key = hc->nh_key + hc->bytes_hashed; | ||
541 | nh_aux(key, buf, hc->state, nbytes); | ||
542 | } | ||
543 | |||
544 | /* ---------------------------------------------------------------------- */ | ||
545 | |||
546 | static void endian_convert(void *buf, UWORD bpw, UINT32 num_bytes) | ||
547 | /* We endian convert the keys on little-endian computers to */ | ||
548 | /* compensate for the lack of big-endian memory reads during hashing. */ | ||
549 | { | ||
550 | UWORD iters = num_bytes / bpw; | ||
551 | if (bpw == 4) { | ||
552 | UINT32 *p = (UINT32 *)buf; | ||
553 | do { | ||
554 | *p = LOAD_UINT32_REVERSED(p); | ||
555 | p++; | ||
556 | } while (--iters); | ||
557 | } else if (bpw == 8) { | ||
558 | UINT32 *p = (UINT32 *)buf; | ||
559 | UINT32 t; | ||
560 | do { | ||
561 | t = LOAD_UINT32_REVERSED(p+1); | ||
562 | p[1] = LOAD_UINT32_REVERSED(p); | ||
563 | p[0] = t; | ||
564 | p += 2; | ||
565 | } while (--iters); | ||
566 | } | ||
567 | } | ||
568 | #if (__LITTLE_ENDIAN__) | ||
569 | #define endian_convert_if_le(x,y,z) endian_convert((x),(y),(z)) | ||
570 | #else | ||
571 | #define endian_convert_if_le(x,y,z) do{}while(0) /* Do nothing */ | ||
572 | #endif | ||
573 | |||
574 | /* ---------------------------------------------------------------------- */ | ||
575 | |||
576 | static void nh_reset(nh_ctx *hc) | ||
577 | /* Reset nh_ctx to ready for hashing of new data */ | ||
578 | { | ||
579 | hc->bytes_hashed = 0; | ||
580 | hc->next_data_empty = 0; | ||
581 | hc->state[0] = 0; | ||
582 | #if (UMAC_OUTPUT_LEN >= 8) | ||
583 | hc->state[1] = 0; | ||
584 | #endif | ||
585 | #if (UMAC_OUTPUT_LEN >= 12) | ||
586 | hc->state[2] = 0; | ||
587 | #endif | ||
588 | #if (UMAC_OUTPUT_LEN == 16) | ||
589 | hc->state[3] = 0; | ||
590 | #endif | ||
591 | |||
592 | } | ||
593 | |||
594 | /* ---------------------------------------------------------------------- */ | ||
595 | |||
596 | static void nh_init(nh_ctx *hc, aes_int_key prf_key) | ||
597 | /* Generate nh_key, endian convert and reset to be ready for hashing. */ | ||
598 | { | ||
599 | kdf(hc->nh_key, prf_key, 1, sizeof(hc->nh_key)); | ||
600 | endian_convert_if_le(hc->nh_key, 4, sizeof(hc->nh_key)); | ||
601 | nh_reset(hc); | ||
602 | } | ||
603 | |||
604 | /* ---------------------------------------------------------------------- */ | ||
605 | |||
606 | static void nh_update(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) | ||
607 | /* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */ | ||
608 | /* even multiple of HASH_BUF_BYTES. */ | ||
609 | { | ||
610 | UINT32 i,j; | ||
611 | |||
612 | j = hc->next_data_empty; | ||
613 | if ((j + nbytes) >= HASH_BUF_BYTES) { | ||
614 | if (j) { | ||
615 | i = HASH_BUF_BYTES - j; | ||
616 | memcpy(hc->data+j, buf, i); | ||
617 | nh_transform(hc,hc->data,HASH_BUF_BYTES); | ||
618 | nbytes -= i; | ||
619 | buf += i; | ||
620 | hc->bytes_hashed += HASH_BUF_BYTES; | ||
621 | } | ||
622 | if (nbytes >= HASH_BUF_BYTES) { | ||
623 | i = nbytes & ~(HASH_BUF_BYTES - 1); | ||
624 | nh_transform(hc, buf, i); | ||
625 | nbytes -= i; | ||
626 | buf += i; | ||
627 | hc->bytes_hashed += i; | ||
628 | } | ||
629 | j = 0; | ||
630 | } | ||
631 | memcpy(hc->data + j, buf, nbytes); | ||
632 | hc->next_data_empty = j + nbytes; | ||
633 | } | ||
634 | |||
635 | /* ---------------------------------------------------------------------- */ | ||
636 | |||
637 | static void zero_pad(UINT8 *p, int nbytes) | ||
638 | { | ||
639 | /* Write "nbytes" of zeroes, beginning at "p" */ | ||
640 | if (nbytes >= (int)sizeof(UWORD)) { | ||
641 | while ((ptrdiff_t)p % sizeof(UWORD)) { | ||
642 | *p = 0; | ||
643 | nbytes--; | ||
644 | p++; | ||
645 | } | ||
646 | while (nbytes >= (int)sizeof(UWORD)) { | ||
647 | *(UWORD *)p = 0; | ||
648 | nbytes -= sizeof(UWORD); | ||
649 | p += sizeof(UWORD); | ||
650 | } | ||
651 | } | ||
652 | while (nbytes) { | ||
653 | *p = 0; | ||
654 | nbytes--; | ||
655 | p++; | ||
656 | } | ||
657 | } | ||
658 | |||
659 | /* ---------------------------------------------------------------------- */ | ||
660 | |||
661 | static void nh_final(nh_ctx *hc, UINT8 *result) | ||
662 | /* After passing some number of data buffers to nh_update() for integration | ||
663 | * into an NH context, nh_final is called to produce a hash result. If any | ||
664 | * bytes are in the buffer hc->data, incorporate them into the | ||
665 | * NH context. Finally, add into the NH accumulation "state" the total number | ||
666 | * of bits hashed. The resulting numbers are written to the buffer "result". | ||
667 | * If nh_update was never called, L1_PAD_BOUNDARY zeroes are incorporated. | ||
668 | */ | ||
669 | { | ||
670 | int nh_len, nbits; | ||
671 | |||
672 | if (hc->next_data_empty != 0) { | ||
673 | nh_len = ((hc->next_data_empty + (L1_PAD_BOUNDARY - 1)) & | ||
674 | ~(L1_PAD_BOUNDARY - 1)); | ||
675 | zero_pad(hc->data + hc->next_data_empty, | ||
676 | nh_len - hc->next_data_empty); | ||
677 | nh_transform(hc, hc->data, nh_len); | ||
678 | hc->bytes_hashed += hc->next_data_empty; | ||
679 | } else if (hc->bytes_hashed == 0) { | ||
680 | nh_len = L1_PAD_BOUNDARY; | ||
681 | zero_pad(hc->data, L1_PAD_BOUNDARY); | ||
682 | nh_transform(hc, hc->data, nh_len); | ||
683 | } | ||
684 | |||
685 | nbits = (hc->bytes_hashed << 3); | ||
686 | ((UINT64 *)result)[0] = ((UINT64 *)hc->state)[0] + nbits; | ||
687 | #if (UMAC_OUTPUT_LEN >= 8) | ||
688 | ((UINT64 *)result)[1] = ((UINT64 *)hc->state)[1] + nbits; | ||
689 | #endif | ||
690 | #if (UMAC_OUTPUT_LEN >= 12) | ||
691 | ((UINT64 *)result)[2] = ((UINT64 *)hc->state)[2] + nbits; | ||
692 | #endif | ||
693 | #if (UMAC_OUTPUT_LEN == 16) | ||
694 | ((UINT64 *)result)[3] = ((UINT64 *)hc->state)[3] + nbits; | ||
695 | #endif | ||
696 | nh_reset(hc); | ||
697 | } | ||
698 | |||
699 | /* ---------------------------------------------------------------------- */ | ||
700 | |||
701 | static void nh(nh_ctx *hc, UINT8 *buf, UINT32 padded_len, | ||
702 | UINT32 unpadded_len, UINT8 *result) | ||
703 | /* All-in-one nh_update() and nh_final() equivalent. | ||
704 | * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is | ||
705 | * well aligned | ||
706 | */ | ||
707 | { | ||
708 | UINT32 nbits; | ||
709 | |||
710 | /* Initialize the hash state */ | ||
711 | nbits = (unpadded_len << 3); | ||
712 | |||
713 | ((UINT64 *)result)[0] = nbits; | ||
714 | #if (UMAC_OUTPUT_LEN >= 8) | ||
715 | ((UINT64 *)result)[1] = nbits; | ||
716 | #endif | ||
717 | #if (UMAC_OUTPUT_LEN >= 12) | ||
718 | ((UINT64 *)result)[2] = nbits; | ||
719 | #endif | ||
720 | #if (UMAC_OUTPUT_LEN == 16) | ||
721 | ((UINT64 *)result)[3] = nbits; | ||
722 | #endif | ||
723 | |||
724 | nh_aux(hc->nh_key, buf, result, padded_len); | ||
725 | } | ||
726 | |||
727 | /* ---------------------------------------------------------------------- */ | ||
728 | /* ---------------------------------------------------------------------- */ | ||
729 | /* ----- Begin UHASH Section -------------------------------------------- */ | ||
730 | /* ---------------------------------------------------------------------- */ | ||
731 | /* ---------------------------------------------------------------------- */ | ||
732 | |||
733 | /* UHASH is a multi-layered algorithm. Data presented to UHASH is first | ||
734 | * hashed by NH. The NH output is then hashed by a polynomial-hash layer | ||
735 | * unless the initial data to be hashed is short. After the polynomial- | ||
736 | * layer, an inner-product hash is used to produce the final UHASH output. | ||
737 | * | ||
738 | * UHASH provides two interfaces, one all-at-once and another where data | ||
739 | * buffers are presented sequentially. In the sequential interface, the | ||
740 | * UHASH client calls the routine uhash_update() as many times as necessary. | ||
741 | * When there is no more data to be fed to UHASH, the client calls | ||
742 | * uhash_final() which | ||
743 | * calculates the UHASH output. Before beginning another UHASH calculation | ||
744 | * the uhash_reset() routine must be called. The all-at-once UHASH routine, | ||
745 | * uhash(), is equivalent to the sequence of calls uhash_update() and | ||
746 | * uhash_final(); however it is optimized and should be | ||
747 | * used whenever the sequential interface is not necessary. | ||
748 | * | ||
749 | * The routine uhash_init() initializes the uhash_ctx data structure and | ||
750 | * must be called once, before any other UHASH routine. | ||
751 | */ | ||
752 | |||
753 | /* ---------------------------------------------------------------------- */ | ||
754 | /* ----- Constants and uhash_ctx ---------------------------------------- */ | ||
755 | /* ---------------------------------------------------------------------- */ | ||
756 | |||
757 | /* ---------------------------------------------------------------------- */ | ||
758 | /* ----- Poly hash and Inner-Product hash Constants --------------------- */ | ||
759 | /* ---------------------------------------------------------------------- */ | ||
760 | |||
761 | /* Primes and masks */ | ||
762 | #define p36 ((UINT64)0x0000000FFFFFFFFBull) /* 2^36 - 5 */ | ||
763 | #define p64 ((UINT64)0xFFFFFFFFFFFFFFC5ull) /* 2^64 - 59 */ | ||
764 | #define m36 ((UINT64)0x0000000FFFFFFFFFull) /* The low 36 of 64 bits */ | ||
765 | |||
766 | |||
767 | /* ---------------------------------------------------------------------- */ | ||
768 | |||
769 | typedef struct uhash_ctx { | ||
770 | nh_ctx hash; /* Hash context for L1 NH hash */ | ||
771 | UINT64 poly_key_8[STREAMS]; /* p64 poly keys */ | ||
772 | UINT64 poly_accum[STREAMS]; /* poly hash result */ | ||
773 | UINT64 ip_keys[STREAMS*4]; /* Inner-product keys */ | ||
774 | UINT32 ip_trans[STREAMS]; /* Inner-product translation */ | ||
775 | UINT32 msg_len; /* Total length of data passed */ | ||
776 | /* to uhash */ | ||
777 | } uhash_ctx; | ||
778 | typedef struct uhash_ctx *uhash_ctx_t; | ||
779 | |||
780 | /* ---------------------------------------------------------------------- */ | ||
781 | |||
782 | |||
783 | /* The polynomial hashes use Horner's rule to evaluate a polynomial one | ||
784 | * word at a time. As described in the specification, poly32 and poly64 | ||
785 | * require keys from special domains. The following implementations exploit | ||
786 | * the special domains to avoid overflow. The results are not guaranteed to | ||
787 | * be within Z_p32 and Z_p64, but the Inner-Product hash implementation | ||
788 | * patches any errant values. | ||
789 | */ | ||
790 | |||
791 | static UINT64 poly64(UINT64 cur, UINT64 key, UINT64 data) | ||
792 | { | ||
793 | UINT32 key_hi = (UINT32)(key >> 32), | ||
794 | key_lo = (UINT32)key, | ||
795 | cur_hi = (UINT32)(cur >> 32), | ||
796 | cur_lo = (UINT32)cur, | ||
797 | x_lo, | ||
798 | x_hi; | ||
799 | UINT64 X,T,res; | ||
800 | |||
801 | X = MUL64(key_hi, cur_lo) + MUL64(cur_hi, key_lo); | ||
802 | x_lo = (UINT32)X; | ||
803 | x_hi = (UINT32)(X >> 32); | ||
804 | |||
805 | res = (MUL64(key_hi, cur_hi) + x_hi) * 59 + MUL64(key_lo, cur_lo); | ||
806 | |||
807 | T = ((UINT64)x_lo << 32); | ||
808 | res += T; | ||
809 | if (res < T) | ||
810 | res += 59; | ||
811 | |||
812 | res += data; | ||
813 | if (res < data) | ||
814 | res += 59; | ||
815 | |||
816 | return res; | ||
817 | } | ||
818 | |||
819 | |||
820 | /* Although UMAC is specified to use a ramped polynomial hash scheme, this | ||
821 | * implementation does not handle all ramp levels. Because we don't handle | ||
822 | * the ramp up to p128 modulus in this implementation, we are limited to | ||
823 | * 2^14 poly_hash() invocations per stream (for a total capacity of 2^24 | ||
824 | * bytes input to UMAC per tag, ie. 16MB). | ||
825 | */ | ||
826 | static void poly_hash(uhash_ctx_t hc, UINT32 data_in[]) | ||
827 | { | ||
828 | int i; | ||
829 | UINT64 *data=(UINT64*)data_in; | ||
830 | |||
831 | for (i = 0; i < STREAMS; i++) { | ||
832 | if ((UINT32)(data[i] >> 32) == 0xfffffffful) { | ||
833 | hc->poly_accum[i] = poly64(hc->poly_accum[i], | ||
834 | hc->poly_key_8[i], p64 - 1); | ||
835 | hc->poly_accum[i] = poly64(hc->poly_accum[i], | ||
836 | hc->poly_key_8[i], (data[i] - 59)); | ||
837 | } else { | ||
838 | hc->poly_accum[i] = poly64(hc->poly_accum[i], | ||
839 | hc->poly_key_8[i], data[i]); | ||
840 | } | ||
841 | } | ||
842 | } | ||
843 | |||
844 | |||
845 | /* ---------------------------------------------------------------------- */ | ||
846 | |||
847 | |||
848 | /* The final step in UHASH is an inner-product hash. The poly hash | ||
849 | * produces a result not neccesarily WORD_LEN bytes long. The inner- | ||
850 | * product hash breaks the polyhash output into 16-bit chunks and | ||
851 | * multiplies each with a 36 bit key. | ||
852 | */ | ||
853 | |||
854 | static UINT64 ip_aux(UINT64 t, UINT64 *ipkp, UINT64 data) | ||
855 | { | ||
856 | t = t + ipkp[0] * (UINT64)(UINT16)(data >> 48); | ||
857 | t = t + ipkp[1] * (UINT64)(UINT16)(data >> 32); | ||
858 | t = t + ipkp[2] * (UINT64)(UINT16)(data >> 16); | ||
859 | t = t + ipkp[3] * (UINT64)(UINT16)(data); | ||
860 | |||
861 | return t; | ||
862 | } | ||
863 | |||
864 | static UINT32 ip_reduce_p36(UINT64 t) | ||
865 | { | ||
866 | /* Divisionless modular reduction */ | ||
867 | UINT64 ret; | ||
868 | |||
869 | ret = (t & m36) + 5 * (t >> 36); | ||
870 | if (ret >= p36) | ||
871 | ret -= p36; | ||
872 | |||
873 | /* return least significant 32 bits */ | ||
874 | return (UINT32)(ret); | ||
875 | } | ||
876 | |||
877 | |||
878 | /* If the data being hashed by UHASH is no longer than L1_KEY_LEN, then | ||
879 | * the polyhash stage is skipped and ip_short is applied directly to the | ||
880 | * NH output. | ||
881 | */ | ||
882 | static void ip_short(uhash_ctx_t ahc, UINT8 *nh_res, u_char *res) | ||
883 | { | ||
884 | UINT64 t; | ||
885 | UINT64 *nhp = (UINT64 *)nh_res; | ||
886 | |||
887 | t = ip_aux(0,ahc->ip_keys, nhp[0]); | ||
888 | STORE_UINT32_BIG((UINT32 *)res+0, ip_reduce_p36(t) ^ ahc->ip_trans[0]); | ||
889 | #if (UMAC_OUTPUT_LEN >= 8) | ||
890 | t = ip_aux(0,ahc->ip_keys+4, nhp[1]); | ||
891 | STORE_UINT32_BIG((UINT32 *)res+1, ip_reduce_p36(t) ^ ahc->ip_trans[1]); | ||
892 | #endif | ||
893 | #if (UMAC_OUTPUT_LEN >= 12) | ||
894 | t = ip_aux(0,ahc->ip_keys+8, nhp[2]); | ||
895 | STORE_UINT32_BIG((UINT32 *)res+2, ip_reduce_p36(t) ^ ahc->ip_trans[2]); | ||
896 | #endif | ||
897 | #if (UMAC_OUTPUT_LEN == 16) | ||
898 | t = ip_aux(0,ahc->ip_keys+12, nhp[3]); | ||
899 | STORE_UINT32_BIG((UINT32 *)res+3, ip_reduce_p36(t) ^ ahc->ip_trans[3]); | ||
900 | #endif | ||
901 | } | ||
902 | |||
903 | /* If the data being hashed by UHASH is longer than L1_KEY_LEN, then | ||
904 | * the polyhash stage is not skipped and ip_long is applied to the | ||
905 | * polyhash output. | ||
906 | */ | ||
907 | static void ip_long(uhash_ctx_t ahc, u_char *res) | ||
908 | { | ||
909 | int i; | ||
910 | UINT64 t; | ||
911 | |||
912 | for (i = 0; i < STREAMS; i++) { | ||
913 | /* fix polyhash output not in Z_p64 */ | ||
914 | if (ahc->poly_accum[i] >= p64) | ||
915 | ahc->poly_accum[i] -= p64; | ||
916 | t = ip_aux(0,ahc->ip_keys+(i*4), ahc->poly_accum[i]); | ||
917 | STORE_UINT32_BIG((UINT32 *)res+i, | ||
918 | ip_reduce_p36(t) ^ ahc->ip_trans[i]); | ||
919 | } | ||
920 | } | ||
921 | |||
922 | |||
923 | /* ---------------------------------------------------------------------- */ | ||
924 | |||
925 | /* ---------------------------------------------------------------------- */ | ||
926 | |||
927 | /* Reset uhash context for next hash session */ | ||
928 | static int uhash_reset(uhash_ctx_t pc) | ||
929 | { | ||
930 | nh_reset(&pc->hash); | ||
931 | pc->msg_len = 0; | ||
932 | pc->poly_accum[0] = 1; | ||
933 | #if (UMAC_OUTPUT_LEN >= 8) | ||
934 | pc->poly_accum[1] = 1; | ||
935 | #endif | ||
936 | #if (UMAC_OUTPUT_LEN >= 12) | ||
937 | pc->poly_accum[2] = 1; | ||
938 | #endif | ||
939 | #if (UMAC_OUTPUT_LEN == 16) | ||
940 | pc->poly_accum[3] = 1; | ||
941 | #endif | ||
942 | return 1; | ||
943 | } | ||
944 | |||
945 | /* ---------------------------------------------------------------------- */ | ||
946 | |||
947 | /* Given a pointer to the internal key needed by kdf() and a uhash context, | ||
948 | * initialize the NH context and generate keys needed for poly and inner- | ||
949 | * product hashing. All keys are endian adjusted in memory so that native | ||
950 | * loads cause correct keys to be in registers during calculation. | ||
951 | */ | ||
952 | static void uhash_init(uhash_ctx_t ahc, aes_int_key prf_key) | ||
953 | { | ||
954 | int i; | ||
955 | UINT8 buf[(8*STREAMS+4)*sizeof(UINT64)]; | ||
956 | |||
957 | /* Zero the entire uhash context */ | ||
958 | memset(ahc, 0, sizeof(uhash_ctx)); | ||
959 | |||
960 | /* Initialize the L1 hash */ | ||
961 | nh_init(&ahc->hash, prf_key); | ||
962 | |||
963 | /* Setup L2 hash variables */ | ||
964 | kdf(buf, prf_key, 2, sizeof(buf)); /* Fill buffer with index 1 key */ | ||
965 | for (i = 0; i < STREAMS; i++) { | ||
966 | /* Fill keys from the buffer, skipping bytes in the buffer not | ||
967 | * used by this implementation. Endian reverse the keys if on a | ||
968 | * little-endian computer. | ||
969 | */ | ||
970 | memcpy(ahc->poly_key_8+i, buf+24*i, 8); | ||
971 | endian_convert_if_le(ahc->poly_key_8+i, 8, 8); | ||
972 | /* Mask the 64-bit keys to their special domain */ | ||
973 | ahc->poly_key_8[i] &= ((UINT64)0x01ffffffu << 32) + 0x01ffffffu; | ||
974 | ahc->poly_accum[i] = 1; /* Our polyhash prepends a non-zero word */ | ||
975 | } | ||
976 | |||
977 | /* Setup L3-1 hash variables */ | ||
978 | kdf(buf, prf_key, 3, sizeof(buf)); /* Fill buffer with index 2 key */ | ||
979 | for (i = 0; i < STREAMS; i++) | ||
980 | memcpy(ahc->ip_keys+4*i, buf+(8*i+4)*sizeof(UINT64), | ||
981 | 4*sizeof(UINT64)); | ||
982 | endian_convert_if_le(ahc->ip_keys, sizeof(UINT64), | ||
983 | sizeof(ahc->ip_keys)); | ||
984 | for (i = 0; i < STREAMS*4; i++) | ||
985 | ahc->ip_keys[i] %= p36; /* Bring into Z_p36 */ | ||
986 | |||
987 | /* Setup L3-2 hash variables */ | ||
988 | /* Fill buffer with index 4 key */ | ||
989 | kdf(ahc->ip_trans, prf_key, 4, STREAMS * sizeof(UINT32)); | ||
990 | endian_convert_if_le(ahc->ip_trans, sizeof(UINT32), | ||
991 | STREAMS * sizeof(UINT32)); | ||
992 | } | ||
993 | |||
994 | /* ---------------------------------------------------------------------- */ | ||
995 | |||
996 | #if 0 | ||
997 | static uhash_ctx_t uhash_alloc(u_char key[]) | ||
998 | { | ||
999 | /* Allocate memory and force to a 16-byte boundary. */ | ||
1000 | uhash_ctx_t ctx; | ||
1001 | u_char bytes_to_add; | ||
1002 | aes_int_key prf_key; | ||
1003 | |||
1004 | ctx = (uhash_ctx_t)malloc(sizeof(uhash_ctx)+ALLOC_BOUNDARY); | ||
1005 | if (ctx) { | ||
1006 | if (ALLOC_BOUNDARY) { | ||
1007 | bytes_to_add = ALLOC_BOUNDARY - | ||
1008 | ((ptrdiff_t)ctx & (ALLOC_BOUNDARY -1)); | ||
1009 | ctx = (uhash_ctx_t)((u_char *)ctx + bytes_to_add); | ||
1010 | *((u_char *)ctx - 1) = bytes_to_add; | ||
1011 | } | ||
1012 | aes_key_setup(key,prf_key); | ||
1013 | uhash_init(ctx, prf_key); | ||
1014 | } | ||
1015 | return (ctx); | ||
1016 | } | ||
1017 | #endif | ||
1018 | |||
1019 | /* ---------------------------------------------------------------------- */ | ||
1020 | |||
1021 | #if 0 | ||
1022 | static int uhash_free(uhash_ctx_t ctx) | ||
1023 | { | ||
1024 | /* Free memory allocated by uhash_alloc */ | ||
1025 | u_char bytes_to_sub; | ||
1026 | |||
1027 | if (ctx) { | ||
1028 | if (ALLOC_BOUNDARY) { | ||
1029 | bytes_to_sub = *((u_char *)ctx - 1); | ||
1030 | ctx = (uhash_ctx_t)((u_char *)ctx - bytes_to_sub); | ||
1031 | } | ||
1032 | free(ctx); | ||
1033 | } | ||
1034 | return (1); | ||
1035 | } | ||
1036 | #endif | ||
1037 | /* ---------------------------------------------------------------------- */ | ||
1038 | |||
1039 | static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) | ||
1040 | /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and | ||
1041 | * hash each one with NH, calling the polyhash on each NH output. | ||
1042 | */ | ||
1043 | { | ||
1044 | UWORD bytes_hashed, bytes_remaining; | ||
1045 | UINT8 nh_result[STREAMS*sizeof(UINT64)]; | ||
1046 | |||
1047 | if (ctx->msg_len + len <= L1_KEY_LEN) { | ||
1048 | nh_update(&ctx->hash, (UINT8 *)input, len); | ||
1049 | ctx->msg_len += len; | ||
1050 | } else { | ||
1051 | |||
1052 | bytes_hashed = ctx->msg_len % L1_KEY_LEN; | ||
1053 | if (ctx->msg_len == L1_KEY_LEN) | ||
1054 | bytes_hashed = L1_KEY_LEN; | ||
1055 | |||
1056 | if (bytes_hashed + len >= L1_KEY_LEN) { | ||
1057 | |||
1058 | /* If some bytes have been passed to the hash function */ | ||
1059 | /* then we want to pass at most (L1_KEY_LEN - bytes_hashed) */ | ||
1060 | /* bytes to complete the current nh_block. */ | ||
1061 | if (bytes_hashed) { | ||
1062 | bytes_remaining = (L1_KEY_LEN - bytes_hashed); | ||
1063 | nh_update(&ctx->hash, (UINT8 *)input, bytes_remaining); | ||
1064 | nh_final(&ctx->hash, nh_result); | ||
1065 | ctx->msg_len += bytes_remaining; | ||
1066 | poly_hash(ctx,(UINT32 *)nh_result); | ||
1067 | len -= bytes_remaining; | ||
1068 | input += bytes_remaining; | ||
1069 | } | ||
1070 | |||
1071 | /* Hash directly from input stream if enough bytes */ | ||
1072 | while (len >= L1_KEY_LEN) { | ||
1073 | nh(&ctx->hash, (UINT8 *)input, L1_KEY_LEN, | ||
1074 | L1_KEY_LEN, nh_result); | ||
1075 | ctx->msg_len += L1_KEY_LEN; | ||
1076 | len -= L1_KEY_LEN; | ||
1077 | input += L1_KEY_LEN; | ||
1078 | poly_hash(ctx,(UINT32 *)nh_result); | ||
1079 | } | ||
1080 | } | ||
1081 | |||
1082 | /* pass remaining < L1_KEY_LEN bytes of input data to NH */ | ||
1083 | if (len) { | ||
1084 | nh_update(&ctx->hash, (UINT8 *)input, len); | ||
1085 | ctx->msg_len += len; | ||
1086 | } | ||
1087 | } | ||
1088 | |||
1089 | return (1); | ||
1090 | } | ||
1091 | |||
1092 | /* ---------------------------------------------------------------------- */ | ||
1093 | |||
1094 | static int uhash_final(uhash_ctx_t ctx, u_char *res) | ||
1095 | /* Incorporate any pending data, pad, and generate tag */ | ||
1096 | { | ||
1097 | UINT8 nh_result[STREAMS*sizeof(UINT64)]; | ||
1098 | |||
1099 | if (ctx->msg_len > L1_KEY_LEN) { | ||
1100 | if (ctx->msg_len % L1_KEY_LEN) { | ||
1101 | nh_final(&ctx->hash, nh_result); | ||
1102 | poly_hash(ctx,(UINT32 *)nh_result); | ||
1103 | } | ||
1104 | ip_long(ctx, res); | ||
1105 | } else { | ||
1106 | nh_final(&ctx->hash, nh_result); | ||
1107 | ip_short(ctx,nh_result, res); | ||
1108 | } | ||
1109 | uhash_reset(ctx); | ||
1110 | return (1); | ||
1111 | } | ||
1112 | |||
1113 | /* ---------------------------------------------------------------------- */ | ||
1114 | |||
1115 | #if 0 | ||
1116 | static int uhash(uhash_ctx_t ahc, u_char *msg, long len, u_char *res) | ||
1117 | /* assumes that msg is in a writable buffer of length divisible by */ | ||
1118 | /* L1_PAD_BOUNDARY. Bytes beyond msg[len] may be zeroed. */ | ||
1119 | { | ||
1120 | UINT8 nh_result[STREAMS*sizeof(UINT64)]; | ||
1121 | UINT32 nh_len; | ||
1122 | int extra_zeroes_needed; | ||
1123 | |||
1124 | /* If the message to be hashed is no longer than L1_HASH_LEN, we skip | ||
1125 | * the polyhash. | ||
1126 | */ | ||
1127 | if (len <= L1_KEY_LEN) { | ||
1128 | if (len == 0) /* If zero length messages will not */ | ||
1129 | nh_len = L1_PAD_BOUNDARY; /* be seen, comment out this case */ | ||
1130 | else | ||
1131 | nh_len = ((len + (L1_PAD_BOUNDARY - 1)) & ~(L1_PAD_BOUNDARY - 1)); | ||
1132 | extra_zeroes_needed = nh_len - len; | ||
1133 | zero_pad((UINT8 *)msg + len, extra_zeroes_needed); | ||
1134 | nh(&ahc->hash, (UINT8 *)msg, nh_len, len, nh_result); | ||
1135 | ip_short(ahc,nh_result, res); | ||
1136 | } else { | ||
1137 | /* Otherwise, we hash each L1_KEY_LEN chunk with NH, passing the NH | ||
1138 | * output to poly_hash(). | ||
1139 | */ | ||
1140 | do { | ||
1141 | nh(&ahc->hash, (UINT8 *)msg, L1_KEY_LEN, L1_KEY_LEN, nh_result); | ||
1142 | poly_hash(ahc,(UINT32 *)nh_result); | ||
1143 | len -= L1_KEY_LEN; | ||
1144 | msg += L1_KEY_LEN; | ||
1145 | } while (len >= L1_KEY_LEN); | ||
1146 | if (len) { | ||
1147 | nh_len = ((len + (L1_PAD_BOUNDARY - 1)) & ~(L1_PAD_BOUNDARY - 1)); | ||
1148 | extra_zeroes_needed = nh_len - len; | ||
1149 | zero_pad((UINT8 *)msg + len, extra_zeroes_needed); | ||
1150 | nh(&ahc->hash, (UINT8 *)msg, nh_len, len, nh_result); | ||
1151 | poly_hash(ahc,(UINT32 *)nh_result); | ||
1152 | } | ||
1153 | |||
1154 | ip_long(ahc, res); | ||
1155 | } | ||
1156 | |||
1157 | uhash_reset(ahc); | ||
1158 | return 1; | ||
1159 | } | ||
1160 | #endif | ||
1161 | |||
1162 | /* ---------------------------------------------------------------------- */ | ||
1163 | /* ---------------------------------------------------------------------- */ | ||
1164 | /* ----- Begin UMAC Section --------------------------------------------- */ | ||
1165 | /* ---------------------------------------------------------------------- */ | ||
1166 | /* ---------------------------------------------------------------------- */ | ||
1167 | |||
1168 | /* The UMAC interface has two interfaces, an all-at-once interface where | ||
1169 | * the entire message to be authenticated is passed to UMAC in one buffer, | ||
1170 | * and a sequential interface where the message is presented a little at a | ||
1171 | * time. The all-at-once is more optimaized than the sequential version and | ||
1172 | * should be preferred when the sequential interface is not required. | ||
1173 | */ | ||
1174 | struct umac_ctx { | ||
1175 | uhash_ctx hash; /* Hash function for message compression */ | ||
1176 | pdf_ctx pdf; /* PDF for hashed output */ | ||
1177 | void *free_ptr; /* Address to free this struct via */ | ||
1178 | } umac_ctx; | ||
1179 | |||
1180 | /* ---------------------------------------------------------------------- */ | ||
1181 | |||
1182 | #if 0 | ||
1183 | int umac_reset(struct umac_ctx *ctx) | ||
1184 | /* Reset the hash function to begin a new authentication. */ | ||
1185 | { | ||
1186 | uhash_reset(&ctx->hash); | ||
1187 | return (1); | ||
1188 | } | ||
1189 | #endif | ||
1190 | |||
1191 | /* ---------------------------------------------------------------------- */ | ||
1192 | |||
1193 | int umac_delete(struct umac_ctx *ctx) | ||
1194 | /* Deallocate the ctx structure */ | ||
1195 | { | ||
1196 | if (ctx) { | ||
1197 | if (ALLOC_BOUNDARY) | ||
1198 | ctx = (struct umac_ctx *)ctx->free_ptr; | ||
1199 | free(ctx); | ||
1200 | } | ||
1201 | return (1); | ||
1202 | } | ||
1203 | |||
1204 | /* ---------------------------------------------------------------------- */ | ||
1205 | |||
1206 | struct umac_ctx *umac_new(u_char key[]) | ||
1207 | /* Dynamically allocate a umac_ctx struct, initialize variables, | ||
1208 | * generate subkeys from key. Align to 16-byte boundary. | ||
1209 | */ | ||
1210 | { | ||
1211 | struct umac_ctx *ctx, *octx; | ||
1212 | size_t bytes_to_add; | ||
1213 | aes_int_key prf_key; | ||
1214 | |||
1215 | octx = ctx = malloc(sizeof(*ctx) + ALLOC_BOUNDARY); | ||
1216 | if (ctx) { | ||
1217 | if (ALLOC_BOUNDARY) { | ||
1218 | bytes_to_add = ALLOC_BOUNDARY - | ||
1219 | ((ptrdiff_t)ctx & (ALLOC_BOUNDARY - 1)); | ||
1220 | ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add); | ||
1221 | } | ||
1222 | ctx->free_ptr = octx; | ||
1223 | aes_key_setup(key,prf_key); | ||
1224 | pdf_init(&ctx->pdf, prf_key); | ||
1225 | uhash_init(&ctx->hash, prf_key); | ||
1226 | } | ||
1227 | |||
1228 | return (ctx); | ||
1229 | } | ||
1230 | |||
1231 | /* ---------------------------------------------------------------------- */ | ||
1232 | |||
1233 | int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]) | ||
1234 | /* Incorporate any pending data, pad, and generate tag */ | ||
1235 | { | ||
1236 | uhash_final(&ctx->hash, (u_char *)tag); | ||
1237 | pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); | ||
1238 | |||
1239 | return (1); | ||
1240 | } | ||
1241 | |||
1242 | /* ---------------------------------------------------------------------- */ | ||
1243 | |||
1244 | int umac_update(struct umac_ctx *ctx, u_char *input, long len) | ||
1245 | /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */ | ||
1246 | /* hash each one, calling the PDF on the hashed output whenever the hash- */ | ||
1247 | /* output buffer is full. */ | ||
1248 | { | ||
1249 | uhash_update(&ctx->hash, input, len); | ||
1250 | return (1); | ||
1251 | } | ||
1252 | |||
1253 | /* ---------------------------------------------------------------------- */ | ||
1254 | |||
1255 | #if 0 | ||
1256 | int umac(struct umac_ctx *ctx, u_char *input, | ||
1257 | long len, u_char tag[], | ||
1258 | u_char nonce[8]) | ||
1259 | /* All-in-one version simply calls umac_update() and umac_final(). */ | ||
1260 | { | ||
1261 | uhash(&ctx->hash, input, len, (u_char *)tag); | ||
1262 | pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); | ||
1263 | |||
1264 | return (1); | ||
1265 | } | ||
1266 | #endif | ||
1267 | |||
1268 | /* ---------------------------------------------------------------------- */ | ||
1269 | /* ---------------------------------------------------------------------- */ | ||
1270 | /* ----- End UMAC Section ----------------------------------------------- */ | ||
1271 | /* ---------------------------------------------------------------------- */ | ||
1272 | /* ---------------------------------------------------------------------- */ | ||
@@ -0,0 +1,123 @@ | |||
1 | /* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */ | ||
2 | /* ----------------------------------------------------------------------- | ||
3 | * | ||
4 | * umac.h -- C Implementation UMAC Message Authentication | ||
5 | * | ||
6 | * Version 0.93a of rfc4418.txt -- 2006 July 14 | ||
7 | * | ||
8 | * For a full description of UMAC message authentication see the UMAC | ||
9 | * world-wide-web page at http://www.cs.ucdavis.edu/~rogaway/umac | ||
10 | * Please report bugs and suggestions to the UMAC webpage. | ||
11 | * | ||
12 | * Copyright (c) 1999-2004 Ted Krovetz | ||
13 | * | ||
14 | * Permission to use, copy, modify, and distribute this software and | ||
15 | * its documentation for any purpose and with or without fee, is hereby | ||
16 | * granted provided that the above copyright notice appears in all copies | ||
17 | * and in supporting documentation, and that the name of the copyright | ||
18 | * holder not be used in advertising or publicity pertaining to | ||
19 | * distribution of the software without specific, written prior permission. | ||
20 | * | ||
21 | * Comments should be directed to Ted Krovetz (tdk@acm.org) | ||
22 | * | ||
23 | * ---------------------------------------------------------------------- */ | ||
24 | |||
25 | /* ////////////////////// IMPORTANT NOTES ///////////////////////////////// | ||
26 | * | ||
27 | * 1) This version does not work properly on messages larger than 16MB | ||
28 | * | ||
29 | * 2) If you set the switch to use SSE2, then all data must be 16-byte | ||
30 | * aligned | ||
31 | * | ||
32 | * 3) When calling the function umac(), it is assumed that msg is in | ||
33 | * a writable buffer of length divisible by 32 bytes. The message itself | ||
34 | * does not have to fill the entire buffer, but bytes beyond msg may be | ||
35 | * zeroed. | ||
36 | * | ||
37 | * 4) Two free AES implementations are supported by this implementation of | ||
38 | * UMAC. Paulo Barreto's version is in the public domain and can be found | ||
39 | * at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ (search for | ||
40 | * "Barreto"). The only two files needed are rijndael-alg-fst.c and | ||
41 | * rijndael-alg-fst.h. | ||
42 | * Brian Gladman's version is distributed with GNU Public lisence | ||
43 | * and can be found at http://fp.gladman.plus.com/AES/index.htm. It | ||
44 | * includes a fast IA-32 assembly version. | ||
45 | * | ||
46 | /////////////////////////////////////////////////////////////////////// */ | ||
47 | #ifndef HEADER_UMAC_H | ||
48 | #define HEADER_UMAC_H | ||
49 | |||
50 | |||
51 | #ifdef __cplusplus | ||
52 | extern "C" { | ||
53 | #endif | ||
54 | |||
55 | struct umac_ctx *umac_new(u_char key[]); | ||
56 | /* Dynamically allocate a umac_ctx struct, initialize variables, | ||
57 | * generate subkeys from key. | ||
58 | */ | ||
59 | |||
60 | #if 0 | ||
61 | int umac_reset(struct umac_ctx *ctx); | ||
62 | /* Reset a umac_ctx to begin authenicating a new message */ | ||
63 | #endif | ||
64 | |||
65 | int umac_update(struct umac_ctx *ctx, u_char *input, long len); | ||
66 | /* Incorporate len bytes pointed to by input into context ctx */ | ||
67 | |||
68 | int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); | ||
69 | /* Incorporate any pending data and the ctr value, and return tag. | ||
70 | * This function returns error code if ctr < 0. | ||
71 | */ | ||
72 | |||
73 | int umac_delete(struct umac_ctx *ctx); | ||
74 | /* Deallocate the context structure */ | ||
75 | |||
76 | #if 0 | ||
77 | int umac(struct umac_ctx *ctx, u_char *input, | ||
78 | long len, u_char tag[], | ||
79 | u_char nonce[8]); | ||
80 | /* All-in-one implementation of the functions Reset, Update and Final */ | ||
81 | #endif | ||
82 | |||
83 | /* uhash.h */ | ||
84 | |||
85 | |||
86 | #if 0 | ||
87 | typedef struct uhash_ctx *uhash_ctx_t; | ||
88 | /* The uhash_ctx structure is defined by the implementation of the */ | ||
89 | /* UHASH functions. */ | ||
90 | |||
91 | uhash_ctx_t uhash_alloc(u_char key[16]); | ||
92 | /* Dynamically allocate a uhash_ctx struct and generate subkeys using */ | ||
93 | /* the kdf and kdf_key passed in. If kdf_key_len is 0 then RC6 is */ | ||
94 | /* used to generate key with a fixed key. If kdf_key_len > 0 but kdf */ | ||
95 | /* is NULL then the first 16 bytes pointed at by kdf_key is used as a */ | ||
96 | /* key for an RC6 based KDF. */ | ||
97 | |||
98 | int uhash_free(uhash_ctx_t ctx); | ||
99 | |||
100 | int uhash_set_params(uhash_ctx_t ctx, | ||
101 | void *params); | ||
102 | |||
103 | int uhash_reset(uhash_ctx_t ctx); | ||
104 | |||
105 | int uhash_update(uhash_ctx_t ctx, | ||
106 | u_char *input, | ||
107 | long len); | ||
108 | |||
109 | int uhash_final(uhash_ctx_t ctx, | ||
110 | u_char ouput[]); | ||
111 | |||
112 | int uhash(uhash_ctx_t ctx, | ||
113 | u_char *input, | ||
114 | long len, | ||
115 | u_char output[]); | ||
116 | |||
117 | #endif | ||
118 | |||
119 | #ifdef __cplusplus | ||
120 | } | ||
121 | #endif | ||
122 | |||
123 | #endif /* HEADER_UMAC_H */ | ||
@@ -1,6 +1,6 @@ | |||
1 | /* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */ | 1 | /* $OpenBSD: version.h,v 1.50 2007/08/15 08:16:49 markus Exp $ */ |
2 | 2 | ||
3 | #define SSH_VERSION "OpenSSH_4.6" | 3 | #define SSH_VERSION "OpenSSH_4.7" |
4 | 4 | ||
5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p1" |
6 | #ifndef SSH_EXTRAVERSION | 6 | #ifndef SSH_EXTRAVERSION |