Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c58
1 files changed, 24 insertions, 34 deletions
diff --git a/sshd.c b/sshd.c
index 038fb2a56..101c31671 100644
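--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.388 2011/09/30 21:22:49 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -423,10 +423,12 @@ sshd_exchange_identification(int sock_in, int sock_out)
  major = PROTOCOL_MAJOR_1;
  minor = PROTOCOL_MINOR_1;
  }
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ major, minor,
  options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
- newline);
- server_version_string = xstrdup(buf);
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
 
  /* Send our protocol version identification. */
  if (roaming_atomicio(vwrite, sock_out, server_version_string,
@@ -631,14 +633,14 @@ privsep_preauth(Authctxt *authctxt)
 {
  int status;
  pid_t pid;
- void *box = NULL;
+ struct ssh_sandbox *box = NULL;
 
  /* Set up unprivileged child process to deal with network data */
  pmonitor = monitor_init();
  /* Store a pointer to the kex for later rekeying */
  pmonitor->m_pkex = &xxx_kex;
 
- if (use_privsep == PRIVSEP_SANDBOX)
+ if (use_privsep == PRIVSEP_ON)
  box = ssh_sandbox_init();
  pid = fork();
  if (pid == -1) {
@@ -646,9 +648,9 @@ privsep_preauth(Authctxt *authctxt)
  } else if (pid != 0) {
  debug2("Network child is on pid %ld", (long)pid);
 
+ pmonitor->m_pid = pid;
  if (box != NULL)
  ssh_sandbox_parent_preauth(box, pid);
- pmonitor->m_pid = pid;
  monitor_child_preauth(authctxt, pmonitor);
 
  /* Sync memory */
@@ -1179,7 +1181,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
  if (*newsock < 0) {
  if (errno != EINTR && errno != EAGAIN &&
  errno != EWOULDBLOCK)
- error("accept: %.100s", strerror(errno));
+ error("accept: %.100s",
+ strerror(errno));
+ if (errno == EMFILE || errno == ENFILE)
+ usleep(100 * 1000);
  continue;
  }
  if (unset_nonblock(*newsock) == -1) {
@@ -1325,14 +1330,14 @@ main(int ac, char **av)
  int opt, i, j, on = 1;
  int sock_in = -1, sock_out = -1, newsock = -1;
  const char *remote_ip;
- char *test_user = NULL, *test_host = NULL, *test_addr = NULL;
  int remote_port;
- char *line, *p, *cp;
+ char *line;
  int config_s[2] = { -1 , -1 };
  u_int64_t ibytes, obytes;
  mode_t new_umask;
  Key *key;
  Authctxt *authctxt;
+ struct connection_info *connection_info = get_connection_info(0, 0);
 
 #ifdef HAVE_SECUREWARE
  (void)set_auth_parameters(ac, av);
@@ -1454,20 +1459,9 @@ main(int ac, char **av)
  test_flag = 2;
  break;
  case 'C':
- cp = optarg;
- while ((p = strsep(&cp, ",")) && *p != '\0') {
- if (strncmp(p, "addr=", 5) == 0)
- test_addr = xstrdup(p + 5);
- else if (strncmp(p, "host=", 5) == 0)
- test_host = xstrdup(p + 5);
- else if (strncmp(p, "user=", 5) == 0)
- test_user = xstrdup(p + 5);
- else {
- fprintf(stderr, "Invalid test "
- "mode specification %s\n", p);
- exit(1);
- }
- }
+ if (parse_server_match_testspec(connection_info,
+ optarg) == -1)
+ exit(1);
  break;
  case 'u':
  utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL);
@@ -1479,7 +1473,7 @@ main(int ac, char **av)
  case 'o':
  line = xstrdup(optarg);
  if (process_server_config_line(&options, line,
- "command-line", 0, NULL, NULL, NULL, NULL) != 0)
+ "command-line", 0, NULL, NULL) != 0)
  exit(1);
  xfree(line);
  break;
@@ -1535,13 +1529,10 @@ main(int ac, char **av)
  * the parameters we need. If we're not doing an extended test,
  * do not silently ignore connection test params.
  */
- if (test_flag >= 2 &&
- (test_user != NULL || test_host != NULL || test_addr != NULL)
- && (test_user == NULL || test_host == NULL || test_addr == NULL))
+ if (test_flag >= 2 && server_match_spec_complete(connection_info) == 0)
  fatal("user, host and addr are all required when testing "
  "Match configs");
- if (test_flag < 2 && (test_user != NULL || test_host != NULL ||
- test_addr != NULL))
+ if (test_flag < 2 && server_match_spec_complete(connection_info) >= 0)
  fatal("Config test connection parameter (-C) provided without "
  "test mode (-T)");
 
@@ -1553,7 +1544,7 @@ main(int ac, char **av)
  load_server_config(config_file_name, &cfg);
 
  parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
- &cfg, NULL, NULL, NULL);
+ &cfg, NULL);
 
  seed_rng();
 
@@ -1723,9 +1714,8 @@ main(int ac, char **av)
  }
 
  if (test_flag > 1) {
- if (test_user != NULL && test_addr != NULL && test_host != NULL)
- parse_server_match_config(&options, test_user,
- test_host, test_addr);
+ if (server_match_spec_complete(connection_info) == 1)
+ parse_server_match_config(&options, connection_info);
  dump_config(&options);
  }
 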
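Review bot: In the server_accept_loop hunk the new `if (errno == EMFILE || errno == ENFILE)` test reads errno after `error()` and `strerror()` have already run, so the back-off only triggers if the logging path leaves errno untouched, which is not visible from this hunk. If errno is overwritten there, descriptor exhaustion leaves the accept loop retrying and logging at full speed, which is the condition the sleep is meant to damp. Capturing the value once right after the failed accept, `int saved_errno = errno;`, and testing `saved_errno` in both conditions removes that dependency. A one-line comment above `usleep(100 * 1000);` saying that the delay is a back-off for file-descriptor exhaustion would also help the next reader. The loop body starts and ends outside the hunk.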