13 files changed, 70 insertions, 115 deletions

diff --git a/CREDITS b/CREDITS
index 0c8668473..8d7b8a484 100644
--- a/CREDITS
+++ b/CREDITS
@@ -5,7 +5,7 @@ Theo de Raadt, and Dug Song - Creators of OpenSSH
 
 Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
 Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
+Andre Lucas <andre@ae-35.com> - new login code, many fixes
 Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
 Andrew McGill <andrewm@datrix.co.za> - SCO fixes
 Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
@@ -91,5 +91,5 @@ Apologies to anyone I have missed.
 
 Damien Miller <djm@mindrot.org>
 
-$Id: CREDITS,v 1.67 2002/07/28 20:31:19 stevesk Exp $
+$Id: CREDITS,v 1.67.6.1 2003/04/29 09:12:07 djm Exp $
 
diff --git a/ChangeLog b/ChangeLog
index 3959098e9..6ccc4d4ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,56 +1,9 @@
-20030428
- - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit 
-   hacked code.
-
-20030427
- - (bal) Bug #541: return; was dropped by mistake.  Reported by 
-   furrier@iglou.com
- - (bal) Since we don't support platforms lacking u_int_64.  We may
-   as well clean out some of those evil #ifdefs
- - (bal) auth1.c minor resync while looking at the code.
- - (bal) auth2.c same changed as above.
-
-20030409
- - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report 
-   from matth@eecs.berkeley.edu
- - (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/04/02 09:48:07
-     [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
-     [readconf.h serverloop.c sshconnect2.c]
-     reapply rekeying chage, tested by henning@, ok djm@
-   - markus@cvs.openbsd.org 2003/04/02 14:36:26
-     [ssh-keysign.c]
-     potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
-   - itojun@cvs.openbsd.org 2003/04/03 07:25:27
-     [progressmeter.c]
-     $OpenBSD$
-   - itojun@cvs.openbsd.org 2003/04/03 10:17:35
-     [progressmeter.c]
-     remove $OpenBSD$, as other *.c does not have it.
-   - markus@cvs.openbsd.org 2003/04/07 08:29:57
-     [monitor_wrap.c]
-     typo: get correct counters; introduced during rekeying change.
-   - millert@cvs.openbsd.org 2003/04/07 21:58:05
-     [progressmeter.c]
-     The UCB copyright here is incorrect.  This code did not originate
-     at UCB, it was written by Luke Mewburn.  Updated the copyright at
-     the author's request.  markus@ OK
-   - itojun@cvs.openbsd.org 2003/04/08 20:21:29
-     [*.c *.h]
-     rename log() into logit() to avoid name conflict.  markus ok, from
-     netbsd
-     - (djm) XXX - Performed locally using:
-       "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
-   - hin@cvs.openbsd.org 2003/04/09 08:23:52
-     [servconf.c]
-     Don't include <krb.h> when compiling with Kerberos 5 support
-   - (djm) Fix up missing include for packet.c
-   - (djm) Fix missed log => logit occurance (reference by function pointer)
-
-20030402
- - (bal) if IP_TOS is not found or broken don't try to compile in
-   packet_set_tos() function call.  bug #527
+20030429
+ - (djm) Add back radix.o (used by AFS support), after it went missing from
+   Makefile many moons ago
+ - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
+ - (djm) Fix blibpath specification for AIX/gcc
+ - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
 
 20030401
  - (djm) OpenBSD CVS Sync
@@ -1349,4 +1302,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2663 2003/04/28 23:30:43 mouring Exp $
+$Id: ChangeLog,v 1.2648.2.1 2003/04/29 09:12:07 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index 6702eb96e..39bbf344d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.228 2003/03/21 00:34:34 mouring Exp $
+# $Id: Makefile.in,v 1.228.2.1 2003/04/29 09:12:08 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -62,7 +62,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
         cipher.o compat.o compress.o crc32.o deattack.o fatal.o \
-        hostfile.o log.o match.o mpaux.o nchan.o packet.o readpass.o \
+        hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \
         rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
         key.o dispatch.o kex.o mac.o uuencode.o misc.o \
         rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
diff --git a/auth-pam.c b/auth-pam.c
index b29444e89..cb57ba110 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -38,7 +38,7 @@ extern char *__progname;
 
 extern int use_privsep;
 
-RCSID("$Id: auth-pam.c,v 1.56 2003/04/09 10:59:48 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.55.4.1 2003/04/29 09:12:08 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
         "Warning: Your password has expired, please change it now."
@@ -182,7 +182,7 @@ void do_pam_cleanup_proc(void *context)
         if (__pamh && session_opened) {
                 pam_retval = pam_close_session(__pamh, 0);
                 if (pam_retval != PAM_SUCCESS)
-                        logit("Cannot close PAM session[%d]: %.200s",
+                        log("Cannot close PAM session[%d]: %.200s",
                             pam_retval, PAM_STRERROR(__pamh, pam_retval));
         }
 
@@ -196,12 +196,12 @@ void do_pam_cleanup_proc(void *context)
         if (__pamh) {
                 pam_retval = pam_end(__pamh, pam_retval);
                 if (pam_retval != PAM_SUCCESS)
-                        logit("Cannot release PAM authentication[%d]: %.200s",
+                        log("Cannot release PAM authentication[%d]: %.200s",
                             pam_retval, PAM_STRERROR(__pamh, pam_retval));
         }
 }
 
-/* Attempt password authentation using PAM */
+/* Attempt password authentication using PAM */
 int auth_pam_password(Authctxt *authctxt, const char *password)
 {
         extern ServerOptions options;
@@ -215,13 +215,13 @@ int auth_pam_password(Authctxt *authctxt, const char *password)
         pamstate = INITIAL_LOGIN;
         pam_retval = do_pam_authenticate(
             options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
-        if (pam_retval == PAM_SUCCESS) {
-                debug("PAM Password authentication accepted for "
-                    "user \"%.100s\"", pw->pw_name);
+        if (pam_retval == PAM_SUCCESS && pw) {
+                debug("PAM password authentication accepted for "
+                    "%.100s", pw->pw_name);
                 return 1;
         } else {
-                debug("PAM Password authentication for \"%.100s\" "
-                    "failed[%d]: %s", pw->pw_name, pam_retval, 
+                debug("PAM password authentication failed for "
+                    "%.100s: %s", pw ? pw->pw_name : "an illegal user",
                     PAM_STRERROR(__pamh, pam_retval));
                 return 0;
         }
@@ -261,7 +261,7 @@ int do_pam_account(char *username, char *remote_user)
                         break;
 #endif
                 default:
-                        logit("PAM rejected by account configuration[%d]: "
+                        log("PAM rejected by account configuration[%d]: "
                             "%.200s", pam_retval, PAM_STRERROR(__pamh, 
                             pam_retval));
                         return(0);
diff --git a/auth-passwd.c b/auth-passwd.c
index 9901d4842..62ea3a52d 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -93,6 +93,7 @@ int
 auth_password(Authctxt *authctxt, const char *password)
 {
         struct passwd * pw = authctxt->pw;
+        int ok = authctxt->valid;
 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
         char *encrypted_password;
         char *pw_password;
@@ -115,19 +116,23 @@ auth_password(Authctxt *authctxt, const char *password)
 
         /* deny if no user. */
         if (pw == NULL)
-                return 0;
+                ok = 0;
 #ifndef HAVE_CYGWIN
-       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-                return 0;
+        if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+                ok = 0;
 #endif
         if (*password == '\0' && options.permit_empty_passwd == 0)
-                return 0;
+                ok = 0;
 
 #if defined(USE_PAM)
-        return auth_pam_password(authctxt, password);
+        return auth_pam_password(authctxt, password) && ok;
 #elif defined(HAVE_OSF_SIA)
+        if (!ok)
+                return 0;
         return auth_sia_password(authctxt, password);
 #else
+        if (!ok)
+                return 0;
 # ifdef KRB5
         if (options.kerberos_authentication == 1) {
                 int ret = auth_krb5_password(authctxt, password);
diff --git a/auth2-none.c b/auth2-none.c
index c07b2dd81..692a2961f 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -100,7 +100,7 @@ userauth_none(Authctxt *authctxt)
         if (check_nt_auth(1, authctxt->pw) == 0)
                 return(0);
 #endif
-        return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
+        return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
 }
 
 Authmethod method_none = {
diff --git a/auth2-passwd.c b/auth2-passwd.c
index a8f15161a..5026969f8 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -44,14 +44,14 @@ userauth_passwd(Authctxt *authctxt)
         u_int len;
         change = packet_get_char();
         if (change)
-                logit("password change not supported");
+                log("password change not supported");
         password = packet_get_string(&len);
         packet_check_eom();
-        if (authctxt->valid &&
+        if (PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid
 #ifdef HAVE_CYGWIN
-            check_nt_auth(1, authctxt->pw) &&
+            && check_nt_auth(1, authctxt->pw)
 #endif
-            PRIVSEP(auth_password(authctxt, password)) == 1)
+            )
                 authenticated = 1;
         memset(password, 0, len);
         xfree(password);
diff --git a/configure.ac b/configure.ac
index 47fef0cbe..e5a8d6f05 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $
+# $Id: configure.ac,v 1.113.2.1 2003/04/29 09:12:08 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -57,20 +57,24 @@ case "$host" in
         AFS_LIBS="-lld"
         CPPFLAGS="$CPPFLAGS -I/usr/local/include"
         LDFLAGS="$LDFLAGS -L/usr/local/lib"
-        if (test "$LD" != "gcc" && test -z "$blibpath"); then
-                AC_MSG_CHECKING([if linkage editor ($LD) accepts -blibpath])
-                saved_LDFLAGS="$LDFLAGS"
-                LDFLAGS="$LDFLAGS -blibpath:/usr/lib:/lib:/usr/local/lib"
-                AC_TRY_LINK([],
-                        [],
-                        [
-                                AC_MSG_RESULT(yes)
-                                blibpath="/usr/lib:/lib:/usr/local/lib"
-                        ],
-                        [ AC_MSG_RESULT(no) ]
-                )
-                LDFLAGS="$saved_LDFLAGS"
+        AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) 
+        if (test -z "$blibpath"); then
+                blibpath="/usr/lib:/lib:/usr/local/lib"
+        fi
+        saved_LDFLAGS="$LDFLAGS"
+        for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
+                if (test -z "$blibflags"); then
+                        LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
+                        AC_TRY_LINK([], [], [blibflags=$tryflags])
+                fi
+        done
+        if (test -z "$blibflags"); then
+                AC_MSG_RESULT(not found)
+                AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
+        else
+                AC_MSG_RESULT($blibflags)
         fi
+        LDFLAGS="$saved_LDFLAGS"
         AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
                 [AC_CHECK_LIB(s,authenticate,
                         [ AC_DEFINE(WITH_AIXAUTHENTICATE)
@@ -618,6 +622,7 @@ AC_CHECK_FUNCS(\
 )
 
 AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
 
 dnl Make sure strsep prototype is defined before defining HAVE_STRSEP
 AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
@@ -2473,8 +2478,8 @@ fi
 
 
 if test ! -z "$blibpath" ; then
-        LDFLAGS="$LDFLAGS -blibpath:$blibpath"
-        AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
+        LDFLAGS="$LDFLAGS $blibflags$blibpath"
+        AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
 fi
 
 dnl remove pam and dl because they are in $LIBPAM
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 142d30d88..f7fbe15e5 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       3.6.1p1
+  %define version       3.6.1p2
   %define cvs           %{nil}
   %define release       2
 %else
@@ -364,4 +364,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.42 2003/04/01 11:46:53 djm Exp $
+$Id: openssh.spec,v 1.42.2.1 2003/04/29 09:12:08 djm Exp $
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 11d86a83c..e7c3bb121 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,5 +1,5 @@
-%define ver 3.6.1p1
-%define rel 2
+%define ver 3.6.1p2
+%define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid    74
@@ -87,7 +87,7 @@ PreReq: initscripts >= 5.00
 %else
 PreReq: initscripts >= 5.20
 %endif
-BuildPreReq: perl, openssl-devel, tcp_wrappers
+BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
 BuildPreReq: /bin/login
 %if ! %{build6x}
 BuildPreReq: glibc-devel, pam
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 194dbb7d1..707c3a221 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.6.1p1
+Version: 3.6.1p2
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
diff --git a/monitor.c b/monitor.c
index 46db0e9b0..bce9e684c 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.37 2003/04/02 09:48:07 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -606,7 +606,7 @@ mm_answer_authpassword(int socket, Buffer *m)
         passwd = buffer_get_string(m, &plen);
         /* Only authenticate if the context is valid */
         authenticated = options.password_authentication &&
-            authctxt->valid && auth_password(authctxt, passwd);
+            auth_password(authctxt, passwd) && authctxt->valid;
         memset(passwd, 0, strlen(passwd));
         xfree(passwd);
 
@@ -870,7 +870,7 @@ monitor_valid_userblob(u_char *data, u_int datalen)
                 fail++;
         p = buffer_get_string(&b, NULL);
         if (strcmp(authctxt->user, p) != 0) {
-                logit("wrong user name passed to monitor: expected %s != %.100s",
+                log("wrong user name passed to monitor: expected %s != %.100s",
                     authctxt->user, p);
                 fail++;
         }
@@ -918,7 +918,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
                 fail++;
         p = buffer_get_string(&b, NULL);
         if (strcmp(authctxt->user, p) != 0) {
-                logit("wrong user name passed to monitor: expected %s != %.100s",
+                log("wrong user name passed to monitor: expected %s != %.100s",
                     authctxt->user, p);
                 fail++;
         }
@@ -1497,8 +1497,6 @@ mm_get_keystate(struct monitor *pmonitor)
         Buffer m;
         u_char *blob, *p;
         u_int bloblen, plen;
-        u_int32_t seqnr, packets;
-        u_int64_t blocks;
 
         debug3("%s: Waiting for new keys", __func__);
 
@@ -1528,14 +1526,8 @@ mm_get_keystate(struct monitor *pmonitor)
         xfree(blob);
 
         /* Now get sequence numbers for the packets */
-        seqnr = buffer_get_int(&m);
-        blocks = buffer_get_int64(&m);
-        packets = buffer_get_int(&m);
-        packet_set_state(MODE_OUT, seqnr, blocks, packets);
-        seqnr = buffer_get_int(&m);
-        blocks = buffer_get_int64(&m);
-        packets = buffer_get_int(&m);
-        packet_set_state(MODE_IN, seqnr, blocks, packets);
+        packet_set_seqnr(MODE_OUT, buffer_get_int(&m));
+        packet_set_seqnr(MODE_IN, buffer_get_int(&m));
 
  skip:
         /* Get the key context */
diff --git a/version.h b/version.h
index 75a2b2554..3b2a35d91 100644
--- a/version.h
+++ b/version.h
@@ -1,3 +1,3 @@
 /* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
 
-#define SSH_VERSION    "OpenSSH_3.6.1p1"
+#define SSH_VERSION    "OpenSSH_3.6.1p2"