From 1910478c2d2c3d0e1edacaeff21ed388d70759e9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Apr 2013 11:13:08 +1100 Subject: - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 [readconf.c ssh.c readconf.h sshconnect2.c] Keep track of which IndentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. ok markus@ --- ChangeLog | 8 ++++++++ readconf.c | 55 ++++++++++++++++++++++++++++++------------------------- readconf.h | 4 +++- ssh.c | 9 ++------- sshconnect2.c | 4 ++-- 5 files changed, 45 insertions(+), 35 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9668465b5..abcc11ad4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20130404 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 + [readconf.c ssh.c readconf.h sshconnect2.c] + Keep track of which IndentityFile options were manually supplied and which + were default options, and don't warn if the latter are missing. + ok markus@ + 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h to avoid conflicting definitions of __int64, adding the required bits. diff --git a/readconf.c b/readconf.c index 097bb0515..6f978f828 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.194 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: readconf.c,v 1.195 2013/02/17 23:16:57 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -326,6 +326,26 @@ clear_forwardings(Options *options) options->tun_open = SSH_TUNMODE_NO; } +void +add_identity_file(Options *options, const char *dir, const char *filename, + int userprovided) +{ + char *path; + + if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES) + fatal("Too many identity files specified (max %d)", + SSH_MAX_IDENTITY_FILES); + + if (dir == NULL) /* no dir, filename is absolute */ + path = xstrdup(filename); + else + (void)xasprintf(&path, "%.100s%.100s", dir, filename); + + options->identity_file_userprovided[options->num_identity_files] = + userprovided; + options->identity_files[options->num_identity_files++] = path; +} + /* * Returns the number of the token pointed to by cp or oBadOption. */ @@ -586,9 +606,7 @@ parse_yesnoask: if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - charptr = &options->identity_files[*intptr]; - *charptr = xstrdup(arg); - *intptr = *intptr + 1; + add_identity_file(options, NULL, arg, 1); } break; @@ -1280,30 +1298,17 @@ fill_default_options(Options * options) options->protocol = SSH_PROTO_2; if (options->num_identity_files == 0) { if (options->protocol & SSH_PROTO_1) { - len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_IDENTITY, 0); } if (options->protocol & SSH_PROTO_2) { - len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA); - - len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_RSA, 0); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_DSA, 0); #ifdef OPENSSL_HAS_ECC - len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1; - options->identity_files[options->num_identity_files] = - xmalloc(len); - snprintf(options->identity_files[options->num_identity_files++], - len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA); + add_identity_file(options, "~/", + _PATH_SSH_CLIENT_ID_ECDSA, 0); #endif } } diff --git a/readconf.h b/readconf.h index be30ee0e1..35f596626 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.91 2011/09/23 07:45:05 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.92 2013/02/17 23:16:57 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -96,6 +96,7 @@ typedef struct { int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; + int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; Key *identity_keys[SSH_MAX_IDENTITY_FILES]; /* Local TCP/IP forward requests. */ @@ -158,5 +159,6 @@ process_config_line(Options *, const char *, char *, const char *, int, int *); void add_local_forward(Options *, const Forward *); void add_remote_forward(Options *, const Forward *); +void add_identity_file(Options *, const char *, const char *, int); #endif /* READCONF_H */ diff --git a/ssh.c b/ssh.c index 3f61eb028..8a7aea09f 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.370 2012/07/06 01:47:38 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.371 2013/02/17 23:16:57 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -405,12 +405,7 @@ main(int ac, char **av) strerror(errno)); break; } - if (options.num_identity_files >= - SSH_MAX_IDENTITY_FILES) - fatal("Too many identity files specified " - "(max %d)", SSH_MAX_IDENTITY_FILES); - options.identity_files[options.num_identity_files++] = - xstrdup(optarg); + add_identity_file(&options, NULL, optarg, 1); break; case 'I': #ifdef ENABLE_PKCS11 diff --git a/sshconnect2.c b/sshconnect2.c index d6af0b940..58015c0d3 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1384,7 +1384,7 @@ pubkey_prepare(Authctxt *authctxt) id = xcalloc(1, sizeof(*id)); id->key = key; id->filename = xstrdup(options.identity_files[i]); - id->userprovided = 1; + id->userprovided = options.identity_file_userprovided[i]; TAILQ_INSERT_TAIL(&files, id, next); } /* Prefer PKCS11 keys that are explicitly listed */ -- cgit v1.2.3 From f3c38142435622d056582e851579d8647a233c7f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Apr 2013 11:16:52 +1100 Subject: - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 [krl.c] Remove bogus include. ok djm (id sync only) --- ChangeLog | 3 +++ krl.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index abcc11ad4..b961c6ce7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ Keep track of which IndentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. ok markus@ + - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 + [krl.c] + Remove bogus include. ok djm 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/krl.c b/krl.c index 5a6bd14aa..0d9bb5411 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.9 2013/01/27 10:06:12 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */ #include "includes.h" -- cgit v1.2.3 From aefa3682431f59cf1ad9a0f624114b135135aa44 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Apr 2013 11:18:35 +1100 Subject: - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 [ssh.c readconf.c readconf.h] Don't complain if IdentityFiles specified in system-wide configs are missing. ok djm, deraadt --- ChangeLog | 4 ++++ readconf.c | 13 +++++++------ readconf.h | 8 ++++++-- ssh.c | 10 ++++++---- 4 files changed, 23 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index b961c6ce7..259d798e1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ - dtucker@cvs.openbsd.org 2013/02/19 02:12:47 [krl.c] Remove bogus include. ok djm + - dtucker@cvs.openbsd.org 2013/02/22 04:45:09 + [ssh.c readconf.c readconf.h] + Don't complain if IdentityFiles specified in system-wide configs are + missing. ok djm, deraadt. 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/readconf.c b/readconf.c index 6f978f828..36265e431 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.195 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -373,7 +373,7 @@ parse_token(const char *cp, const char *filename, int linenum) int process_config_line(Options *options, const char *host, char *line, const char *filename, int linenum, - int *activep) + int *activep, int userconfig) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; @@ -606,7 +606,7 @@ parse_yesnoask: if (*intptr >= SSH_MAX_IDENTITY_FILES) fatal("%.200s line %d: Too many identity files specified (max %d).", filename, linenum, SSH_MAX_IDENTITY_FILES); - add_identity_file(options, NULL, arg, 1); + add_identity_file(options, NULL, arg, userconfig); } break; @@ -1093,7 +1093,7 @@ parse_int: int read_config_file(const char *filename, const char *host, Options *options, - int checkperm) + int flags) { FILE *f; char line[1024]; @@ -1103,7 +1103,7 @@ read_config_file(const char *filename, const char *host, Options *options, if ((f = fopen(filename, "r")) == NULL) return 0; - if (checkperm) { + if (flags & SSHCONF_CHECKPERM) { struct stat sb; if (fstat(fileno(f), &sb) == -1) @@ -1124,7 +1124,8 @@ read_config_file(const char *filename, const char *host, Options *options, while (fgets(line, sizeof(line), f)) { /* Update line number counter. */ linenum++; - if (process_config_line(options, host, line, filename, linenum, &active) != 0) + if (process_config_line(options, host, line, filename, linenum, + &active, flags & SSHCONF_USERCONF) != 0) bad_options++; } fclose(f); diff --git a/readconf.h b/readconf.h index 35f596626..841648906 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.92 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -149,13 +149,17 @@ typedef struct { #define REQUEST_TTY_YES 2 #define REQUEST_TTY_FORCE 3 +#define SSHCONF_CHECKPERM 1 /* check permissions on config file */ +#define SSHCONF_USERCONF 2 /* user provided config file not system */ + void initialize_options(Options *); void fill_default_options(Options *); int read_config_file(const char *, const char *, Options *, int); int parse_forward(Forward *, const char *, int, int); int -process_config_line(Options *, const char *, char *, const char *, int, int *); +process_config_line(Options *, const char *, char *, const char *, int, int *, + int); void add_local_forward(Options *, const Forward *); void add_remote_forward(Options *, const Forward *); diff --git a/ssh.c b/ssh.c index 8a7aea09f..5d3f492f0 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.371 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.372 2013/02/22 04:45:09 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -579,7 +579,8 @@ main(int ac, char **av) dummy = 1; line = xstrdup(optarg); if (process_config_line(&options, host ? host : "", - line, "command-line", 0, &dummy) != 0) + line, "command-line", 0, &dummy, SSHCONF_USERCONF) + != 0) exit(255); xfree(line); break; @@ -673,14 +674,15 @@ main(int ac, char **av) * file if the user specifies a config file on the command line. */ if (config != NULL) { - if (!read_config_file(config, host, &options, 0)) + if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); } else { r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_USER_CONFFILE); if (r > 0 && (size_t)r < sizeof(buf)) - (void)read_config_file(buf, host, &options, 1); + (void)read_config_file(buf, host, &options, + SSHCONF_CHECKPERM|SSHCONF_USERCONF); /* Read systemwide configuration file after user config. */ (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, -- cgit v1.2.3 From 5d1d9541a7c83963cd887b6b36e25b46463a05d4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Apr 2013 11:20:00 +1100 Subject: - markus@cvs.openbsd.org 2013/02/22 19:13:56 [sshconnect.c] support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ --- ChangeLog | 3 +++ sshconnect.c | 9 ++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 259d798e1..f53fa055b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ [ssh.c readconf.c readconf.h] Don't complain if IdentityFiles specified in system-wide configs are missing. ok djm, deraadt. + - markus@cvs.openbsd.org 2013/02/22 19:13:56 + [sshconnect.c] + support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/sshconnect.c b/sshconnect.c index 07800a65f..cf0711285 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.236 2012/09/14 16:51:34 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -89,6 +89,13 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) pid_t pid; char *shell, strport[NI_MAXSERV]; + if (!strcmp(proxy_command, "-")) { + packet_set_connection(STDIN_FILENO, STDOUT_FILENO); + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); + return 0; + } + if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; -- cgit v1.2.3 From 15fd19c4c9943cf02bc6f462d52c86ee6a8f422e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 5 Apr 2013 11:22:26 +1100 Subject: - djm@cvs.openbsd.org 2013/02/22 22:09:01 [ssh.c] Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier version) --- ChangeLog | 4 ++++ ssh.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f53fa055b..d7180176e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - markus@cvs.openbsd.org 2013/02/22 19:13:56 [sshconnect.c] support ProxyCommand=- (stdin/out already point to the proxy); ok djm@ + - djm@cvs.openbsd.org 2013/02/22 22:09:01 + [ssh.c] + Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier + version) 20130401 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h diff --git a/ssh.c b/ssh.c index 5d3f492f0..5ec89f2cc 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.372 2013/02/22 04:45:09 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1536,7 +1536,8 @@ load_public_identity_files(void) fatal("load_public_identity_files: gethostname: %s", strerror(errno)); for (i = 0; i < options.num_identity_files; i++) { - if (n_ids >= SSH_MAX_IDENTITY_FILES) { + if (n_ids >= SSH_MAX_IDENTITY_FILES || + strcasecmp(options.identity_files[i], "none") == 0) { xfree(options.identity_files[i]); continue; } -- cgit v1.2.3 From bc68f2451b836e6a3fa65df8774a8b1f10049ded Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Apr 2013 11:26:25 +1000 Subject: - (djm) [config.guess config.sub] Update to last versions before they switch to GPL3. ok dtucker@ --- ChangeLog | 4 + config.guess | 262 ++++++++++++++++++++++++++++++++--------------------------- config.sub | 190 +++++++++++++++++++++++++++---------------- 3 files changed, 270 insertions(+), 186 deletions(-) diff --git a/ChangeLog b/ChangeLog index d7180176e..c9f466d1f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130418 + - (djm) [config.guess config.sub] Update to last versions before they switch + to GPL3. ok dtucker@ + 20130404 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/02/17 23:16:57 diff --git a/config.guess b/config.guess index 78553c4ea..b94cde8ef 100755 --- a/config.guess +++ b/config.guess @@ -2,9 +2,9 @@ # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012, 2013 Free Software Foundation, Inc. -timestamp='2011-01-23' +timestamp='2012-12-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -17,9 +17,7 @@ timestamp='2011-01-23' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -57,8 +55,8 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, +2012, 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in fi ;; *) - os=netbsd + os=netbsd ;; esac # The OS release @@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} @@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on @@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in echo s390-ibm-zvmoe exit ;; *:OS400:*:*) - echo powerpc-ibm-os400 + echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; - arm:riscos:*:*|arm:RISCOS:*:*) + arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) @@ -398,23 +400,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} - exit ;; + exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} - exit ;; + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} - exit ;; + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} - exit ;; + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; @@ -484,8 +486,8 @@ EOF echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ @@ -498,7 +500,7 @@ EOF else echo i586-dg-dgux${UNAME_RELEASE} fi - exit ;; + exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; @@ -598,52 +600,52 @@ EOF 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` - sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 - 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 - esac ;; - esac + esac ;; + esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + sed 's/^ //' << EOF >$dummy.c - #define _HPUX_SOURCE - #include - #include + #define _HPUX_SOURCE + #include + #include - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa @@ -734,22 +736,22 @@ EOF exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd - exit ;; + exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi - exit ;; + exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd - exit ;; + exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd - exit ;; + exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd - exit ;; + exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; @@ -773,14 +775,14 @@ EOF exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` - echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} @@ -792,30 +794,35 @@ EOF echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) - case ${UNAME_MACHINE} in - pc98) - echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; + *:MINGW64*:*) + echo ${UNAME_MACHINE}-pc-mingw64 + exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; + i*:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; i*:windows32*:*) - # uname -m includes "-pc" on this system. - echo ${UNAME_MACHINE}-mingw32 + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; @@ -861,6 +868,13 @@ EOF i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; @@ -870,7 +884,7 @@ EOF EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; - esac + esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} @@ -882,20 +896,29 @@ EOF then echo ${UNAME_MACHINE}-unknown-linux-gnu else - echo ${UNAME_MACHINE}-unknown-linux-gnueabi + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo ${UNAME_MACHINE}-unknown-linux-gnueabi + else + echo ${UNAME_MACHINE}-unknown-linux-gnueabihf + fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; cris:Linux:*:*) - echo cris-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; crisv32:Linux:*:*) - echo crisv32-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; frv:Linux:*:*) - echo frv-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:Linux:*:*) LIBC=gnu @@ -937,7 +960,7 @@ EOF test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) - echo or32-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; padre:Linux:*:*) echo sparc-unknown-linux-gnu @@ -963,7 +986,7 @@ EOF echo ${UNAME_MACHINE}-ibm-linux exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu @@ -972,16 +995,16 @@ EOF echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-tilera-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-gnu exit ;; x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -990,11 +1013,11 @@ EOF echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. + # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) @@ -1026,7 +1049,7 @@ EOF fi exit ;; i*86:*:5:[678]*) - # UnixWare 7.x, OpenUNIX and OpenServer 6. + # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; @@ -1054,13 +1077,13 @@ EOF exit ;; pc:*:*:*) # Left here for compatibility: - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i586. + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp - exit ;; + exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; @@ -1095,8 +1118,8 @@ EOF /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4; exit; } ;; + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ @@ -1139,10 +1162,10 @@ EOF echo ns32k-sni-sysv fi exit ;; - PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm @@ -1168,11 +1191,11 @@ EOF exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv${UNAME_RELEASE} else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv${UNAME_RELEASE} fi - exit ;; + exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; @@ -1185,6 +1208,9 @@ EOF BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; + x86_64:Haiku:*:*) + echo x86_64-unknown-haiku + exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; @@ -1240,7 +1266,7 @@ EOF NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; - NSE-?:NONSTOP_KERNEL:*:*) + NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) @@ -1285,13 +1311,13 @@ EOF echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) - UNAME_MACHINE=`(uname -p) 2>/dev/null` + UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; @@ -1309,11 +1335,11 @@ EOF i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; esac -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - eval $set_cc_for_build cat >$dummy.c < printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 - "4" + "4" #else - "" + "" #endif - ); exit (0); + ); exit (0); #endif #endif diff --git a/config.sub b/config.sub index 2d8169626..eee8dccb0 100755 --- a/config.sub +++ b/config.sub @@ -2,9 +2,9 @@ # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012, 2013 Free Software Foundation, Inc. -timestamp='2011-01-01' +timestamp='2012-12-23' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -21,9 +21,7 @@ timestamp='2011-01-01' # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -76,8 +74,8 @@ version="\ GNU config.sub ($timestamp) Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, +2012, 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -125,13 +123,17 @@ esac maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ + linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; + android-linux) + os=-linux-android + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown + ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] @@ -154,12 +156,12 @@ case $os in -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze) + -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; - -bluegene*) - os=-cnk + -bluegene*) + os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= @@ -175,10 +177,10 @@ case $os in os=-chorusos basic_machine=$1 ;; - -chorusrdb) - os=-chorusrdb + -chorusrdb) + os=-chorusrdb basic_machine=$1 - ;; + ;; -hiux*) os=-hiuxwe2 ;; @@ -223,6 +225,12 @@ case $os in -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; + -lynx*178) + os=-lynxos178 + ;; + -lynx*5) + os=-lynxos5 + ;; -lynx*) os=-lynxos ;; @@ -247,20 +255,27 @@ case $basic_machine in # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ + | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ - | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ + | arc \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ + | be32 | be64 \ | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ + | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | mcore | mep | metag \ + | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ @@ -286,22 +301,23 @@ case $basic_machine in | nds32 | nds32le | nds32be \ | nios | nios2 \ | ns16k | ns32k \ + | open8 \ | or32 \ | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ - | rx \ + | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu | strongarm \ - | tahoe | thumb | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ + | spu \ + | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ - | v850 | v850e \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ - | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ + | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; @@ -314,8 +330,7 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | picochip) - # Motorola 68HC11/12. + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -325,6 +340,21 @@ case $basic_machine in basic_machine=mt-unknown ;; + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; + xscaleeb) + basic_machine=armeb-unknown + ;; + + xscaleel) + basic_machine=armel-unknown + ;; + # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. @@ -339,11 +369,13 @@ case $basic_machine in # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ + | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | clipper-* | craynv-* | cydra-* \ @@ -352,12 +384,15 @@ case $basic_machine in | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ @@ -382,24 +417,26 @@ case $basic_machine in | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ + | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ - | romp-* | rs6000-* | rx-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ - | tahoe-* | thumb-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile-* | tilegx-* \ + | tile*-* \ | tron-* \ | ubicom32-* \ - | v850-* | v850e-* | vax-* \ + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) @@ -424,7 +461,7 @@ case $basic_machine in basic_machine=a29k-amd os=-udi ;; - abacus) + abacus) basic_machine=abacus-unknown ;; adobe68k) @@ -507,7 +544,7 @@ case $basic_machine in basic_machine=c90-cray os=-unicos ;; - cegcc) + cegcc) basic_machine=arm-unknown os=-cegcc ;; @@ -697,7 +734,6 @@ case $basic_machine in i370-ibm* | ibm*) basic_machine=i370-ibm ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 @@ -755,9 +791,13 @@ case $basic_machine in basic_machine=ns32k-utek os=-sysv ;; - microblaze) + microblaze*) basic_machine=microblaze-xilinx ;; + mingw64) + basic_machine=x86_64-pc + os=-mingw64 + ;; mingw32) basic_machine=i386-pc os=-mingw32 @@ -794,10 +834,18 @@ case $basic_machine in ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; + msys) + basic_machine=i386-pc + os=-msys + ;; mvs) basic_machine=i370-ibm os=-mvs ;; + nacl) + basic_machine=le32-unknown + os=-nacl + ;; ncr3000) basic_machine=i486-ncr os=-sysv4 @@ -862,10 +910,10 @@ case $basic_machine in np1) basic_machine=np1-gould ;; - neo-tandem) + neo-tandem) basic_machine=neo-tandem ;; - nse-tandem) + nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) @@ -950,9 +998,10 @@ case $basic_machine in ;; power) basic_machine=power-ibm ;; - ppc) basic_machine=powerpc-unknown + ppc | ppcbe) basic_machine=powerpc-unknown ;; - ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ppc-* | ppcbe-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown @@ -977,7 +1026,11 @@ case $basic_machine in basic_machine=i586-unknown os=-pw32 ;; - rdos) + rdos | rdos64) + basic_machine=x86_64-pc + os=-rdos + ;; + rdos32) basic_machine=i386-pc os=-rdos ;; @@ -1046,6 +1099,9 @@ case $basic_machine in basic_machine=i860-stratus os=-sysv4 ;; + strongarm-* | thumb-*) + basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; sun2) basic_machine=m68000-sun ;; @@ -1102,13 +1158,8 @@ case $basic_machine in basic_machine=t90-cray os=-unicos ;; - # This must be matched before tile*. - tilegx*) - basic_machine=tilegx-unknown - os=-linux-gnu - ;; tile*) - basic_machine=tile-unknown + basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) @@ -1178,6 +1229,9 @@ case $basic_machine in xps | xps100) basic_machine=xps100-honeywell ;; + xscale-* | xscalee[bl]-*) + basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` + ;; ymp) basic_machine=ymp-cray os=-unicos @@ -1275,11 +1329,11 @@ esac if [ x"$os" != x"" ] then case $os in - # First match some system type aliases - # that might get confused with valid system types. + # First match some system type aliases + # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. - -auroraux) - os=-auroraux + -auroraux) + os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` @@ -1309,15 +1363,15 @@ case $os in | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-uclibc* \ + | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ @@ -1364,7 +1418,7 @@ case $os in -opened*) os=-openedition ;; - -os400*) + -os400*) os=-os400 ;; -wince*) @@ -1413,7 +1467,7 @@ case $os in -sinix*) os=-sysv4 ;; - -tpf*) + -tpf*) os=-tpf ;; -triton*) @@ -1458,8 +1512,8 @@ case $os in -dicos*) os=-dicos ;; - -nacl*) - ;; + -nacl*) + ;; -none) ;; *) @@ -1482,10 +1536,10 @@ else # system, and we'll never get to this point. case $basic_machine in - score-*) + score-*) os=-elf ;; - spu-*) + spu-*) os=-elf ;; *-acorn) @@ -1497,8 +1551,11 @@ case $basic_machine in arm*-semi) os=-aout ;; - c4x-* | tic4x-*) - os=-coff + c4x-* | tic4x-*) + os=-coff + ;; + hexagon-*) + os=-elf ;; tic54x-*) os=-coff @@ -1527,14 +1584,11 @@ case $basic_machine in ;; m68000-sun) os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 ;; m68*-cisco) os=-aout ;; - mep-*) + mep-*) os=-elf ;; mips*-cisco) @@ -1561,7 +1615,7 @@ case $basic_machine in *-ibm) os=-aix ;; - *-knuth) + *-knuth) os=-mmixware ;; *-wec) -- cgit v1.2.3 From ce1c9574fcfaf753a062276867335c1e237f725c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 18 Apr 2013 21:36:19 +1000 Subject: - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from unused argument warnings (in particular, -fno-builtin-memset) from clang. --- ChangeLog | 2 ++ configure.ac | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c9f466d1f..cfd95e449 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch to GPL3. ok dtucker@ + - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from + unused argument warnings (in particular, -fno-builtin-memset) from clang. 20130404 - (dtucker) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 5db4b623b..9777d597f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.519 2013/03/22 01:49:15 dtucker Exp $ +# $Id: configure.ac,v 1.520 2013/04/18 11:36:20 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.519 $) +AC_REVISION($Revision: 1.520 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -137,6 +137,7 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` -- cgit v1.2.3 From 6332da2ae88db623d7da8070dd807efa26d9dfe8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 14:25:52 +1000 Subject: - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support platforms, such as Android, that lack struct passwd.pw_gecos. Report and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ --- ChangeLog | 5 +++++ auth.c | 4 +++- configure.ac | 54 +++++++++++------------------------------------------- misc.c | 8 +++++--- monitor.c | 4 +++- monitor_wrap.c | 4 +++- 6 files changed, 30 insertions(+), 49 deletions(-) diff --git a/ChangeLog b/ChangeLog index cfd95e449..3fd81aa35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130423 + - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support + platforms, such as Android, that lack struct passwd.pw_gecos. Report + and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ + 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch to GPL3. ok dtucker@ diff --git a/auth.c b/auth.c index 6128fa460..666c493dc 100644 --- a/auth.c +++ b/auth.c @@ -721,10 +721,12 @@ fakepw(void) fake.pw_name = "NOUSER"; fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS fake.pw_gecos = "NOUSER"; +#endif fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS fake.pw_class = ""; #endif fake.pw_dir = "/nonexist"; diff --git a/configure.ac b/configure.ac index 9777d597f..c30d547d9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.520 2013/04/18 11:36:20 dtucker Exp $ +# $Id: configure.ac,v 1.521 2013/04/23 04:25:53 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.520 $) +AC_REVISION($Revision: 1.521 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3303,9 +3303,16 @@ OSSH_CHECK_HEADER_FOR_FIELD([ut_time], [utmpx.h], [HAVE_TIME_IN_UTMPX]) OSSH_CHECK_HEADER_FOR_FIELD([ut_tv], [utmpx.h], [HAVE_TV_IN_UTMPX]) AC_CHECK_MEMBERS([struct stat.st_blksize]) +AC_CHECK_MEMBERS([struct passwd.pw_gecos, struct passwd.pw_class, +struct passwd.pw_change, struct passwd.pw_expire], +[], [], [[ +#include +#include +]]) + AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [state], [Define if we don't have struct __res_state in resolv.h])], -[ +[[ #include #if HAVE_SYS_TYPES_H # include @@ -3313,7 +3320,7 @@ AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE([__res_state], [sta #include #include #include -]) +]]) AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], ac_cv_have_ss_family_in_struct_ss, [ @@ -3343,45 +3350,6 @@ if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then [Fields in struct sockaddr_storage]) fi -AC_CACHE_CHECK([for pw_class field in struct passwd], - ac_cv_have_pw_class_in_struct_passwd, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], - [[ struct passwd p; p.pw_class = 0; ]])], - [ ac_cv_have_pw_class_in_struct_passwd="yes" ], - [ ac_cv_have_pw_class_in_struct_passwd="no" - ]) -]) -if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then - AC_DEFINE([HAVE_PW_CLASS_IN_PASSWD], [1], - [Define if your password has a pw_class field]) -fi - -AC_CACHE_CHECK([for pw_expire field in struct passwd], - ac_cv_have_pw_expire_in_struct_passwd, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], - [[ struct passwd p; p.pw_expire = 0; ]])], - [ ac_cv_have_pw_expire_in_struct_passwd="yes" ], - [ ac_cv_have_pw_expire_in_struct_passwd="no" - ]) -]) -if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then - AC_DEFINE([HAVE_PW_EXPIRE_IN_PASSWD], [1], - [Define if your password has a pw_expire field]) -fi - -AC_CACHE_CHECK([for pw_change field in struct passwd], - ac_cv_have_pw_change_in_struct_passwd, [ - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include ]], - [[ struct passwd p; p.pw_change = 0; ]])], - [ ac_cv_have_pw_change_in_struct_passwd="yes" ], - [ ac_cv_have_pw_change_in_struct_passwd="no" - ]) -]) -if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then - AC_DEFINE([HAVE_PW_CHANGE_IN_PASSWD], [1], - [Define if your password has a pw_change field]) -fi - dnl make sure we're using the real structure members and not defines AC_CACHE_CHECK([for msg_accrights field in struct msghdr], ac_cv_have_accrights_in_msghdr, [ diff --git a/misc.c b/misc.c index a7a23dcc6..9e287433a 100644 --- a/misc.c +++ b/misc.c @@ -206,16 +206,18 @@ pwcopy(struct passwd *pw) copy->pw_name = xstrdup(pw->pw_name); copy->pw_passwd = xstrdup(pw->pw_passwd); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS copy->pw_gecos = xstrdup(pw->pw_gecos); +#endif copy->pw_uid = pw->pw_uid; copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_EXPIRE_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE copy->pw_expire = pw->pw_expire; #endif -#ifdef HAVE_PW_CHANGE_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE copy->pw_change = pw->pw_change; #endif -#ifdef HAVE_PW_CLASS_IN_PASSWD +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS copy->pw_class = xstrdup(pw->pw_class); #endif copy->pw_dir = xstrdup(pw->pw_dir); diff --git a/monitor.c b/monitor.c index 8006b833c..6560740b6 100644 --- a/monitor.c +++ b/monitor.c @@ -778,8 +778,10 @@ mm_answer_pwnamallow(int sock, Buffer *m) buffer_put_string(m, pwent, sizeof(struct passwd)); buffer_put_cstring(m, pwent->pw_name); buffer_put_cstring(m, "*"); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS buffer_put_cstring(m, pwent->pw_gecos); -#ifdef HAVE_PW_CLASS_IN_PASSWD +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS buffer_put_cstring(m, pwent->pw_class); #endif buffer_put_cstring(m, pwent->pw_dir); diff --git a/monitor_wrap.c b/monitor_wrap.c index ea654a73f..3304f5bf2 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -259,8 +259,10 @@ mm_getpwnamallow(const char *username) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS pw->pw_gecos = buffer_get_string(&m, NULL); -#ifdef HAVE_PW_CLASS_IN_PASSWD +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS pw->pw_class = buffer_get_string(&m, NULL); #endif pw->pw_dir = buffer_get_string(&m, NULL); -- cgit v1.2.3 From 62e9c4f9b6027620f9091a2f43328e057bdb33f1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:15:49 +1000 Subject: - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2013/03/05 20:16:09 [sshconnect2.c] reset pubkey order on partial success; ok djm@ --- ChangeLog | 4 ++++ sshconnect2.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fd81aa35..3f80a25c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support platforms, such as Android, that lack struct passwd.pw_gecos. Report and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@ + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/03/05 20:16:09 + [sshconnect2.c] + reset pubkey order on partial success; ok djm@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/sshconnect2.c b/sshconnect2.c index 58015c0d3..1a6a5850d 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.193 2013/03/05 20:16:09 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -540,8 +540,12 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt) partial = packet_get_char(); packet_check_eom(); - if (partial != 0) + if (partial != 0) { logit("Authenticated with partial success."); + /* reset state */ + pubkey_cleanup(authctxt); + pubkey_prepare(authctxt); + } debug("Authentications that can continue: %s", authlist); userauth(authctxt, authlist); -- cgit v1.2.3 From 998cc56b65682d490c9bbf5977dceb1aa84a0233 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:16:43 +1000 Subject: - djm@cvs.openbsd.org 2013/03/06 23:35:23 [session.c] fatal() when ChrootDirectory specified by running without root privileges; ok markus@ --- ChangeLog | 4 ++++ session.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f80a25c1..dbe5d8eae 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - markus@cvs.openbsd.org 2013/03/05 20:16:09 [sshconnect2.c] reset pubkey order on partial success; ok djm@ + - djm@cvs.openbsd.org 2013/03/06 23:35:23 + [session.c] + fatal() when ChrootDirectory specified by running without root privileges; + ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/session.c b/session.c index 19eaa20c3..3064ea227 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: session.c,v 1.262 2013/03/06 23:35:23 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1529,7 +1529,9 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif - } + } else if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) + fatal("server lacks privileges to chroot to ChrootDirectory"); if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); -- cgit v1.2.3 From 5cbec4c25954b184e43bf3d3ac09e65eb474f5f9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:17:12 +1000 Subject: - djm@cvs.openbsd.org 2013/03/06 23:36:53 [readconf.c] g/c unused variable (-Wunused) --- ChangeLog | 3 +++ readconf.c | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index dbe5d8eae..687f0e1f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ [session.c] fatal() when ChrootDirectory specified by running without root privileges; ok markus@ + - djm@cvs.openbsd.org 2013/03/06 23:36:53 + [readconf.c] + g/c unused variable (-Wunused) 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/readconf.c b/readconf.c index 36265e431..6e708e02e 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.197 2013/03/06 23:36:53 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1232,8 +1232,6 @@ initialize_options(Options * options) void fill_default_options(Options * options) { - int len; - if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) -- cgit v1.2.3 From 4ce189d9108c62090a0dd5dea973d175328440db Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:17:52 +1000 Subject: - djm@cvs.openbsd.org 2013/03/07 00:19:59 [auth2-pubkey.c monitor.c] reconstruct the original username that was sent by the client, which may have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@ --- ChangeLog | 6 ++++++ auth2-pubkey.c | 10 +++++++--- monitor.c | 30 +++++++++++++++++++----------- 3 files changed, 32 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 687f0e1f1..38f6fa8c3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,12 @@ - djm@cvs.openbsd.org 2013/03/06 23:36:53 [readconf.c] g/c unused variable (-Wunused) + - djm@cvs.openbsd.org 2013/03/07 00:19:59 + [auth2-pubkey.c monitor.c] + reconstruct the original username that was sent by the client, which may + have included a style (e.g. "root:skey") when checking public key + signatures. Fixes public key and hostbased auth when the client specified + a style; ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 3ff6faa8b..c28bef7a2 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.35 2013/03/07 00:19:59 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt) { Buffer b; Key *key = NULL; - char *pkalg; + char *pkalg, *userstyle; u_char *pkblob, *sig; u_int alen, blen, slen; int have_sig, pktype; @@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); - buffer_put_cstring(&b, authctxt->user); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + buffer_put_cstring(&b, userstyle); + free(userstyle); buffer_put_cstring(&b, datafellows & SSH_BUG_PKSERVICE ? "ssh-userauth" : diff --git a/monitor.c b/monitor.c index 6560740b6..34d7e1805 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.121 2013/03/07 00:19:59 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1237,7 +1237,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; - char *p; + char *p, *userstyle; u_int len; int fail = 0; @@ -1262,19 +1262,23 @@ monitor_valid_userblob(u_char *data, u_int datalen) } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); - if (strcmp(authctxt->user, p) != 0) { + p = buffer_get_cstring(&b, NULL); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + if (strcmp(userstyle, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); + userstyle, p); fail++; } + xfree(userstyle); xfree(p); buffer_skip_string(&b); if (datafellows & SSH_BUG_PKAUTH) { if (!buffer_get_char(&b)) fail++; } else { - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); if (strcmp("publickey", p) != 0) fail++; xfree(p); @@ -1294,7 +1298,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, char *chost) { Buffer b; - char *p; + char *p, *userstyle; u_int len; int fail = 0; @@ -1310,15 +1314,19 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); - if (strcmp(authctxt->user, p) != 0) { + p = buffer_get_cstring(&b, NULL); + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); + if (strcmp(userstyle, p) != 0) { logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); + userstyle, p); fail++; } + free(userstyle); xfree(p); buffer_skip_string(&b); /* service */ - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); if (strcmp(p, "hostbased") != 0) fail++; xfree(p); -- cgit v1.2.3 From 91a55f28f35431f9000b95815c343b5a18fda712 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:18:10 +1000 Subject: - markus@cvs.openbsd.org 2013/03/07 19:27:25 [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5] add submethod support to AuthenticationMethods; ok and freedback djm@ --- ChangeLog | 3 +++ auth.h | 5 ++-- auth2-chall.c | 12 ++++++---- auth2.c | 76 ++++++++++++++++++++++++++++++++++++++++++----------------- monitor.c | 11 +++++---- sshd_config.5 | 18 ++++++++++++-- 6 files changed, 91 insertions(+), 34 deletions(-) diff --git a/ChangeLog b/ChangeLog index 38f6fa8c3..7be6f7bfe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ have included a style (e.g. "root:skey") when checking public key signatures. Fixes public key and hostbased auth when the client specified a style; ok markus@ + - markus@cvs.openbsd.org 2013/03/07 19:27:25 + [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5] + add submethod support to AuthenticationMethods; ok and freedback djm@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/auth.h b/auth.h index c6fe84722..7ff59f1ba 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.73 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -157,8 +157,9 @@ void userauth_send_banner(const char *); char *auth2_read_banner(void); int auth2_methods_valid(const char *, int); -int auth2_update_methods_lists(Authctxt *, const char *); +int auth2_update_methods_lists(Authctxt *, const char *, const char *); int auth2_setup_methods_lists(Authctxt *); +int auth2_method_allowed(Authctxt *, const char *, const char *); void privsep_challenge_enable(void); diff --git a/auth2-chall.c b/auth2-chall.c index 6505d4009..ed1acdd3b 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.37 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -155,7 +155,7 @@ kbdint_free(KbdintAuthctxt *kbdintctxt) } /* get next device */ static int -kbdint_next_device(KbdintAuthctxt *kbdintctxt) +kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) { size_t len; char *t; @@ -169,9 +169,13 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt) if (len == 0) break; - for (i = 0; devices[i]; i++) + for (i = 0; devices[i]; i++) { + if (!auth2_method_allowed(authctxt, + "keyboard-interactive", devices[i]->name)) + continue; if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) kbdintctxt->device = devices[i]; + } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; xfree(t); @@ -221,7 +225,7 @@ auth2_challenge_start(Authctxt *authctxt) debug2("auth2_challenge_start: devices %s", kbdintctxt->devices ? kbdintctxt->devices : ""); - if (kbdint_next_device(kbdintctxt) == 0) { + if (kbdint_next_device(authctxt, kbdintctxt) == 0) { auth2_challenge_stop(authctxt); return 0; } diff --git a/auth2.c b/auth2.c index e367a1045..e44482164 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.127 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -98,8 +98,12 @@ static void input_userauth_request(int, u_int32_t, void *); /* helper */ static Authmethod *authmethod_lookup(Authctxt *, const char *); static char *authmethods_get(Authctxt *authctxt); -static int method_allowed(Authctxt *, const char *); -static int list_starts_with(const char *, const char *); + +#define MATCH_NONE 0 /* method or submethod mismatch */ +#define MATCH_METHOD 1 /* method matches (no submethod specified) */ +#define MATCH_BOTH 2 /* method and submethod match */ +#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */ +static int list_starts_with(const char *, const char *, const char *); char * auth2_read_banner(void) @@ -316,7 +320,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, } if (authenticated && options.num_auth_methods != 0) { - if (!auth2_update_methods_lists(authctxt, method)) { + if (!auth2_update_methods_lists(authctxt, method, submethod)) { authenticated = 0; partial = 1; } @@ -387,8 +391,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, * methods list. Returns 1 if allowed, or no methods lists configured. * 0 otherwise. */ -static int -method_allowed(Authctxt *authctxt, const char *method) +int +auth2_method_allowed(Authctxt *authctxt, const char *method, + const char *submethod) { u_int i; @@ -399,7 +404,8 @@ method_allowed(Authctxt *authctxt, const char *method) if (options.num_auth_methods == 0) return 1; for (i = 0; i < authctxt->num_auth_methods; i++) { - if (list_starts_with(authctxt->auth_methods[i], method)) + if (list_starts_with(authctxt->auth_methods[i], method, + submethod) != MATCH_NONE) return 1; } return 0; @@ -419,7 +425,8 @@ authmethods_get(Authctxt *authctxt) if (authmethods[i]->enabled == NULL || *(authmethods[i]->enabled) == 0) continue; - if (!method_allowed(authctxt, authmethods[i]->name)) + if (!auth2_method_allowed(authctxt, authmethods[i]->name, + NULL)) continue; if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); @@ -442,7 +449,8 @@ authmethod_lookup(Authctxt *authctxt, const char *name) if (authmethods[i]->enabled != NULL && *(authmethods[i]->enabled) != 0 && strcmp(name, authmethods[i]->name) == 0 && - method_allowed(authctxt, authmethods[i]->name)) + auth2_method_allowed(authctxt, + authmethods[i]->name, NULL)) return authmethods[i]; debug2("Unrecognized authentication method name: %s", name ? name : "NULL"); @@ -457,7 +465,7 @@ authmethod_lookup(Authctxt *authctxt, const char *name) int auth2_methods_valid(const char *_methods, int need_enable) { - char *methods, *omethods, *method; + char *methods, *omethods, *method, *p; u_int i, found; int ret = -1; @@ -468,6 +476,8 @@ auth2_methods_valid(const char *_methods, int need_enable) omethods = methods = xstrdup(_methods); while ((method = strsep(&methods, ",")) != NULL) { for (found = i = 0; !found && authmethods[i] != NULL; i++) { + if ((p = strchr(method, ':')) != NULL) + *p = '\0'; if (strcmp(method, authmethods[i]->name) != 0) continue; if (need_enable) { @@ -533,15 +543,30 @@ auth2_setup_methods_lists(Authctxt *authctxt) } static int -list_starts_with(const char *methods, const char *method) +list_starts_with(const char *methods, const char *method, + const char *submethod) { size_t l = strlen(method); + int match; + const char *p; if (strncmp(methods, method, l) != 0) - return 0; - if (methods[l] != ',' && methods[l] != '\0') - return 0; - return 1; + return MATCH_NONE; + p = methods + l; + match = MATCH_METHOD; + if (*p == ':') { + if (!submethod) + return MATCH_PARTIAL; + l = strlen(submethod); + p += 1; + if (strncmp(submethod, p, l)) + return MATCH_NONE; + p += l; + match = MATCH_BOTH; + } + if (*p != ',' && *p != '\0') + return MATCH_NONE; + return match; } /* @@ -550,14 +575,21 @@ list_starts_with(const char *methods, const char *method) * if it did. */ static int -remove_method(char **methods, const char *method) +remove_method(char **methods, const char *method, const char *submethod) { - char *omethods = *methods; + char *omethods = *methods, *p; size_t l = strlen(method); + int match; - if (!list_starts_with(omethods, method)) + match = list_starts_with(omethods, method, submethod); + if (match != MATCH_METHOD && match != MATCH_BOTH) return 0; - *methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0)); + p = omethods + l; + if (submethod && match == MATCH_BOTH) + p += 1 + strlen(submethod); /* include colon */ + if (*p == ',') + p++; + *methods = xstrdup(p); free(omethods); return 1; } @@ -569,13 +601,15 @@ remove_method(char **methods, const char *method) * Returns 1 if the method completed any authentication list or 0 otherwise. */ int -auth2_update_methods_lists(Authctxt *authctxt, const char *method) +auth2_update_methods_lists(Authctxt *authctxt, const char *method, + const char *submethod) { u_int i, found = 0; debug3("%s: updating methods list after \"%s\"", __func__, method); for (i = 0; i < authctxt->num_auth_methods; i++) { - if (!remove_method(&(authctxt->auth_methods[i]), method)) + if (!remove_method(&(authctxt->auth_methods[i]), method, + submethod)) continue; found = 1; if (*authctxt->auth_methods[i] == '\0') { diff --git a/monitor.c b/monitor.c index 34d7e1805..c0471a176 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.121 2013/03/07 00:19:59 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.122 2013/03/07 19:27:25 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -392,7 +392,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) "with SSH protocol 1"); if (authenticated && !auth2_update_methods_lists(authctxt, - auth_method)) { + auth_method, auth_submethod)) { debug3("%s: method %s: partial", __func__, auth_method); authenticated = 0; @@ -949,9 +949,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) debug3("%s: sending authenticated: %d", __func__, authok); mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); - if (compat20) - auth_method = "keyboard-interactive"; /* XXX auth_submethod */ - else + if (compat20) { + auth_method = "keyboard-interactive"; + auth_submethod = "bsdauth"; + } else auth_method = "bsdauth"; return (authok != 0); diff --git a/sshd_config.5 b/sshd_config.5 index cfa480697..4fe3c55b6 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.156 2013/02/06 00:20:42 dtucker Exp $ -.Dd $Mdocdate: February 6 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.157 2013/03/07 19:27:25 markus Exp $ +.Dd $Mdocdate: March 7 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -180,6 +180,20 @@ Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. .Pp +For keyboard interactive authentication it is also possible to +restrict authentication to a specific device by appending a +colon followed by the device identifier +.Dq bsdauth , +.Dq pam , +or +.Dq skey , +depending on the server configuration. +For example, +.Dq keyboard-interactive:bsdauth +would restrict keyboard interactive authentication to the +.Dq bsdauth +device. +.Pp This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled -- cgit v1.2.3 From 508b6c3d3b95c8ec078fd4801368597ab29b2db9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:18:28 +1000 Subject: - djm@cvs.openbsd.org 2013/03/08 06:32:58 [ssh.c] allow "ssh -f none ..." ok markus@ --- ChangeLog | 3 +++ ssh.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7be6f7bfe..2a7c70a36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ - markus@cvs.openbsd.org 2013/03/07 19:27:25 [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5] add submethod support to AuthenticationMethods; ok and freedback djm@ + - djm@cvs.openbsd.org 2013/03/08 06:32:58 + [ssh.c] + allow "ssh -f none ..." ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/ssh.c b/ssh.c index 5ec89f2cc..b50fca38f 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.373 2013/02/22 22:09:01 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.374 2013/03/08 06:32:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -674,7 +674,8 @@ main(int ac, char **av) * file if the user specifies a config file on the command line. */ if (config != NULL) { - if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) + if (strcasecmp(config, "none") != 0 && + !read_config_file(config, host, &options, SSHCONF_USERCONF)) fatal("Can't open user config file %.100s: " "%.100s", config, strerror(errno)); } else { -- cgit v1.2.3 From d677ad14ff7efedf21745ee1694058350e758e18 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:18:51 +1000 Subject: - djm@cvs.openbsd.org 2013/04/05 00:14:00 [auth2-gss.c krl.c sshconnect2.c] hush some {unused, printf type} warnings --- ChangeLog | 3 +++ auth2-gss.c | 5 +---- krl.c | 17 +++++++++++------ sshconnect2.c | 11 +++++------ 4 files changed, 20 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2a7c70a36..eb45674c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,9 @@ - djm@cvs.openbsd.org 2013/03/08 06:32:58 [ssh.c] allow "ssh -f none ..." ok markus@ + - djm@cvs.openbsd.org 2013/04/05 00:14:00 + [auth2-gss.c krl.c sshconnect2.c] + hush some {unused, printf type} warnings 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/auth2-gss.c b/auth2-gss.c index 93d576bfb..de1bd0644 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.19 2013/04/05 00:14:00 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -229,14 +229,11 @@ static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) { Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; int authenticated; if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) fatal("No authentication or GSSAPI context"); - gssctxt = authctxt->methoddata; - /* * We don't need to check the status, because we're only enabled in * the dispatcher once the exchange is complete diff --git a/krl.c b/krl.c index 0d9bb5411..7ac6261cb 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */ +/* $OpenBSD: krl.c,v 1.11 2013/04/05 00:14:00 djm Exp $ */ #include "includes.h" @@ -502,8 +502,11 @@ choose_next_state(int current_state, u_int64_t contig, int final, } debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" "list %llu range %llu bitmap %llu new bitmap %llu, " - "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final, - cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state, + "selected 0x%02x%s", __func__, (long long unsigned)contig, + (long long unsigned)last_gap, (long long unsigned)next_gap, final, + (long long unsigned)cost_list, (long long unsigned)cost_range, + (long long unsigned)cost_bitmap, + (long long unsigned)cost_bitmap_restart, new_state, *force_new_section ? " restart" : ""); return new_state; } @@ -539,7 +542,8 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) rs != NULL; rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { debug3("%s: serial %llu:%llu state 0x%02x", __func__, - rs->lo, rs->hi, state); + (long long unsigned)rs->lo, (long long unsigned)rs->hi, + state); /* Check contiguous length and gap to next section (if any) */ nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); @@ -928,8 +932,9 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, } format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); - debug("KRL version %llu generated at %s%s%s", krl->krl_version, - timestamp, *krl->comment ? ": " : "", krl->comment); + debug("KRL version %llu generated at %s%s%s", + (long long unsigned)krl->krl_version, timestamp, + *krl->comment ? ": " : "", krl->comment); /* * 1st pass: verify signatures, if any. This is done to avoid diff --git a/sshconnect2.c b/sshconnect2.c index 1a6a5850d..c811c3652 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.193 2013/03/05 20:16:09 markus Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.194 2013/04/05 00:14:00 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -810,7 +810,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) Gssctxt *gssctxt; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; - OM_uint32 status, ms; + OM_uint32 ms; u_int len; if (authctxt == NULL) @@ -823,7 +823,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) packet_check_eom(); /* Stick it into GSSAPI and see what it says */ - status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, &recv_tok, &send_tok, NULL); xfree(recv_tok.value); @@ -836,12 +836,11 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) void input_gssapi_error(int type, u_int32_t plen, void *ctxt) { - OM_uint32 maj, min; char *msg; char *lang; - maj=packet_get_int(); - min=packet_get_int(); + /* maj */(void)packet_get_int(); + /* min */(void)packet_get_int(); msg=packet_get_string(NULL); lang=packet_get_string(NULL); -- cgit v1.2.3 From 9f12b5dcd5f7772e633fb2786c63bfcbea1f1aea Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:19:11 +1000 Subject: - djm@cvs.openbsd.org 2013/04/05 00:31:49 [pathnames.h] use the existing _PATH_SSH_USER_RC define to construct the other pathnames; bz#2077, ok dtucker@ (no binary change) --- ChangeLog | 4 ++++ pathnames.h | 22 +++++++++++----------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index eb45674c4..c28e00beb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,10 @@ - djm@cvs.openbsd.org 2013/04/05 00:14:00 [auth2-gss.c krl.c sshconnect2.c] hush some {unused, printf type} warnings + - djm@cvs.openbsd.org 2013/04/05 00:31:49 + [pathnames.h] + use the existing _PATH_SSH_USER_RC define to construct the other + pathnames; bz#2077, ok dtucker@ (no binary change) 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/pathnames.h b/pathnames.h index c3d9abff5..5027fbaed 100644 --- a/pathnames.h +++ b/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */ +/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */ /* * Author: Tatu Ylonen @@ -65,18 +65,18 @@ * readable by anyone except the user him/herself, though this does not * contain anything particularly secret. */ -#define _PATH_SSH_USER_HOSTFILE "~/.ssh/known_hosts" +#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts" /* backward compat for protocol 2 */ -#define _PATH_SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2" +#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2" /* * Name of the default file containing client-side authentication key. This * file should only be readable by the user him/herself. */ -#define _PATH_SSH_CLIENT_IDENTITY ".ssh/identity" -#define _PATH_SSH_CLIENT_ID_DSA ".ssh/id_dsa" -#define _PATH_SSH_CLIENT_ID_ECDSA ".ssh/id_ecdsa" -#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa" +#define _PATH_SSH_CLIENT_IDENTITY _PATH_SSH_USER_DIR "/identity" +#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa" +#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa" +#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa" /* * Configuration file in user's home directory. This file need not be @@ -84,7 +84,7 @@ * particularly secret. If the user's home directory resides on an NFS * volume where root is mapped to nobody, this may need to be world-readable. */ -#define _PATH_SSH_USER_CONFFILE ".ssh/config" +#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config" /* * File containing a list of those rsa keys that permit logging in as this @@ -94,10 +94,10 @@ * may need to be world-readable. (This file is read by the daemon which is * running as root.) */ -#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys" +#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys" /* backward compat for protocol v2 */ -#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" +#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2" /* * Per-user and system-wide ssh "rc" files. These files are executed with @@ -105,7 +105,7 @@ * passed "proto cookie" as arguments if X11 forwarding with spoofing is in * use. xauth will be run if neither of these exists. */ -#define _PATH_SSH_USER_RC ".ssh/rc" +#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc" #define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc" /* -- cgit v1.2.3 From 172859cff7df9fd8a29a1f0a4de568f644bbda50 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:19:27 +1000 Subject: - djm@cvs.openbsd.org 2013/04/05 00:58:51 [mux.c] cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too (in addition to ones already in OPEN); bz#2079, ok dtucker@ --- ChangeLog | 4 ++++ mux.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c28e00beb..0bd623b1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,10 @@ [pathnames.h] use the existing _PATH_SSH_USER_RC define to construct the other pathnames; bz#2077, ok dtucker@ (no binary change) + - djm@cvs.openbsd.org 2013/04/05 00:58:51 + [mux.c] + cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too + (in addition to ones already in OPEN); bz#2079, ok dtucker@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/mux.c b/mux.c index 1ae0e0915..9f458c4cf 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.39 2013/04/05 00:58:51 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -219,7 +219,8 @@ mux_master_control_cleanup_cb(int cid, void *unused) __func__, c->self, c->remote_id); c->remote_id = -1; sc->ctl_chan = -1; - if (sc->type != SSH_CHANNEL_OPEN) { + if (sc->type != SSH_CHANNEL_OPEN && + sc->type != SSH_CHANNEL_OPENING) { debug2("%s: channel %d: not open", __func__, sc->self); chan_mark_dead(sc); } else { -- cgit v1.2.3 From 37f1c08473b1ef2a188ee178ce2e11e841f88563 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:20:43 +1000 Subject: - markus@cvs.openbsd.org 2013/04/06 16:07:00 [channels.c sshd.c] handle ECONNABORTED for accept(); ok deraadt some time ago... --- ChangeLog | 3 +++ channels.c | 14 ++++++++++---- sshd.c | 6 +++--- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0bd623b1b..47c7ce01c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,9 @@ [mux.c] cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too (in addition to ones already in OPEN); bz#2079, ok dtucker@ + - markus@cvs.openbsd.org 2013/04/06 16:07:00 + [channels.c sshd.c] + handle ECONNABORTED for accept(); ok deraadt some time ago... 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/channels.c b/channels.c index 9cf85a38d..12db962de 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.320 2013/04/06 16:07:00 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1324,7 +1324,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) { Channel *nc; struct sockaddr_storage addr; - int newsock; + int newsock, oerrno; socklen_t addrlen; char buf[16384], *remote_ipaddr; int remote_port; @@ -1334,12 +1334,16 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (c->single_connection) { + oerrno = errno; debug2("single_connection: closing X11 listener."); channel_close_fd(&c->sock); chan_mark_dead(c); + errno = oerrno; } if (newsock < 0) { - error("accept: %.100s", strerror(errno)); + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED) + error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) c->notbefore = time(NULL) + 1; return; @@ -1484,7 +1488,9 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) addrlen = sizeof(addr); newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); if (newsock < 0) { - error("accept: %.100s", strerror(errno)); + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED) + error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) c->notbefore = time(NULL) + 1; return; diff --git a/sshd.c b/sshd.c index 3e9d17640..5fb2897fa 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.397 2013/02/11 21:21:58 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.398 2013/04/06 16:07:00 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1183,8 +1183,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) *newsock = accept(listen_socks[i], (struct sockaddr *)&from, &fromlen); if (*newsock < 0) { - if (errno != EINTR && errno != EAGAIN && - errno != EWOULDBLOCK) + if (errno != EINTR && errno != EWOULDBLOCK && + errno != ECONNABORTED && errno != EAGAIN) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) -- cgit v1.2.3 From 03d4d7e60b16f913c75382e32e136ddfa8d6485f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:21:06 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 02:10:33 [log.c log.h ssh.1 ssh.c sshd.8 sshd.c] Add -E option to ssh and sshd to append debugging logs to a specified file instead of stderr or syslog. ok markus@, man page help jmc@ --- ChangeLog | 4 ++++ log.c | 20 ++++++++++++++++++-- log.h | 3 ++- ssh.1 | 9 +++++++-- ssh.c | 28 ++++++++++++++++++++-------- sshd.8 | 9 +++++++-- sshd.c | 19 ++++++++++++++----- 7 files changed, 72 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index 47c7ce01c..51077256d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,10 @@ - markus@cvs.openbsd.org 2013/04/06 16:07:00 [channels.c sshd.c] handle ECONNABORTED for accept(); ok deraadt some time ago... + - dtucker@cvs.openbsd.org 2013/04/07 02:10:33 + [log.c log.h ssh.1 ssh.c sshd.8 sshd.c] + Add -E option to ssh and sshd to append debugging logs to a specified file + instead of stderr or syslog. ok markus@, man page help jmc@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/log.c b/log.c index d69154a67..81497a442 100644 --- a/log.c +++ b/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.44 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -38,6 +38,7 @@ #include +#include #include #include #include @@ -54,6 +55,7 @@ static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; +static int log_stderr_fd = STDERR_FILENO; static int log_facility = LOG_AUTH; static char *argv0; static log_handler_fn *log_handler; @@ -344,6 +346,20 @@ log_is_on_stderr(void) return log_on_stderr; } +/* redirect what would usually get written to stderr to specified file */ +void +log_redirect_stderr_to(const char *logfile) +{ + int fd; + + if ((fd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0600)) == -1) { + fprintf(stderr, "Couldn't open logfile %s: %s\n", logfile, + strerror(errno)); + exit(1); + } + log_stderr_fd = fd; +} + #define MSGBUFSIZ 1024 void @@ -429,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args) log_handler = tmp_handler; } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(STDERR_FILENO, msgbuf, strlen(msgbuf)); + write(log_stderr_fd, msgbuf, strlen(msgbuf)); } else { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); diff --git a/log.h b/log.h index e3e328b06..ae7df25d3 100644 --- a/log.h +++ b/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */ +/* $OpenBSD: log.h,v 1.20 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -51,6 +51,7 @@ typedef void (log_handler_fn)(LogLevel, const char *, void *); void log_init(char *, LogLevel, SyslogFacility, int); void log_change_level(LogLevel); int log_is_on_stderr(void); +void log_redirect_stderr_to(const char *); SyslogFacility log_facility_number(char *); const char * log_facility_name(SyslogFacility); diff --git a/ssh.1 b/ssh.1 index a5576edb6..d77494b83 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: ssh.1,v 1.331 2013/04/07 02:10:33 dtucker Exp $ +.Dd $Mdocdate: April 7 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -47,6 +47,7 @@ .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port +.Op Fl E Ar log_file .Op Fl e Ar escape_char .Op Fl F Ar configfile .Op Fl I Ar pkcs11 @@ -217,6 +218,10 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. +.It Fl E Ar log_file +Append debug logs to +.Ar log_file +instead of standard error. .It Fl e Ar escape_char Sets the escape character for sessions with a pty (default: .Ql ~ ) . diff --git a/ssh.c b/ssh.c index b50fca38f..cd56f8a74 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.374 2013/03/08 06:32:58 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.375 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -197,8 +197,8 @@ usage(void) { fprintf(stderr, "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" -" [-I pkcs11] [-i identity_file]\n" +" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" +" [-F configfile] [-I pkcs11] [-i identity_file]\n" " [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" @@ -238,7 +238,7 @@ int main(int ac, char **av) { int i, r, opt, exit_status, use_syslog; - char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg; + char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; struct stat st; struct passwd *pw; @@ -322,11 +322,12 @@ main(int ac, char **av) /* Parse command-line arguments. */ host = NULL; use_syslog = 0; + logfile = NULL; argv0 = av[0]; again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" - "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { + "ACD:E:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -356,6 +357,9 @@ main(int ac, char **av) case 'y': use_syslog = 1; break; + case 'E': + logfile = xstrdup(optarg); + break; case 'Y': options.forward_x11 = 1; options.forward_x11_trusted = 1; @@ -427,9 +431,8 @@ main(int ac, char **av) } else { if (options.log_level < SYSLOG_LEVEL_DEBUG3) options.log_level++; - break; } - /* FALLTHROUGH */ + break; case 'V': fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); @@ -663,12 +666,21 @@ main(int ac, char **av) /* * Initialize "log" output. Since we are the client all output - * actually goes to stderr. + * goes to stderr unless otherwise specified by -y or -E. */ + if (use_syslog && logfile != NULL) + fatal("Can't specify both -y and -E"); + if (logfile != NULL) { + log_redirect_stderr_to(logfile); + xfree(logfile); + } log_init(argv0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, SYSLOG_FACILITY_USER, !use_syslog); + if (debug_flag) + logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + /* * Read per-user configuration file. Ignore the system wide config * file if the user specifies a config file on the command line. diff --git a/sshd.8 b/sshd.8 index 132397839..3ce0da6a3 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $ -.Dd $Mdocdate: October 4 2012 $ +.\" $OpenBSD: sshd.8,v 1.268 2013/04/07 02:10:33 dtucker Exp $ +.Dd $Mdocdate: April 7 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -47,6 +47,7 @@ .Op Fl b Ar bits .Op Fl C Ar connection_spec .Op Fl c Ar host_certificate_file +.Op Fl E Ar log_file .Op Fl f Ar config_file .Op Fl g Ar login_grace_time .Op Fl h Ar host_key_file @@ -146,6 +147,10 @@ Multiple .Fl d options increase the debugging level. Maximum is 3. +.It Fl E Ar log_file +Append debug logs to +.Ar log_file +instead of the system log. .It Fl e When this option is specified, .Nm diff --git a/sshd.c b/sshd.c index 5fb2897fa..a0f5c0d26 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.398 2013/04/06 16:07:00 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.399 2013/04/07 02:10:33 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -900,8 +900,9 @@ usage(void) SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" -" [-f config_file] [-g login_grace_time] [-h host_key_file]\n" -" [-k key_gen_time] [-o option] [-p port] [-u len]\n" +" [-E log_file] [-f config_file] [-g login_grace_time]\n" +" [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n" +" [-u len]\n" ); exit(1); } @@ -1335,7 +1336,7 @@ main(int ac, char **av) int sock_in = -1, sock_out = -1, newsock = -1; const char *remote_ip; int remote_port; - char *line; + char *line, *logfile = NULL; int config_s[2] = { -1 , -1 }; u_int n; u_int64_t ibytes, obytes; @@ -1373,7 +1374,7 @@ main(int ac, char **av) initialize_server_options(&options); /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) { + while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeE:iqrtQRT46")) != -1) { switch (opt) { case '4': options.address_family = AF_INET; @@ -1402,6 +1403,9 @@ main(int ac, char **av) case 'D': no_daemon_flag = 1; break; + case 'E': + logfile = xstrdup(optarg); + /* FALLTHROUGH */ case 'e': log_stderr = 1; break; @@ -1499,6 +1503,11 @@ main(int ac, char **av) OpenSSL_add_all_algorithms(); + /* If requested, redirect the logs to the specified logfile. */ + if (logfile != NULL) { + log_redirect_stderr_to(logfile); + xfree(logfile); + } /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -- cgit v1.2.3 From 6901032b05291fc5d2bd4067fc47904de3506fda Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:21:24 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 09:40:27 [sshd.8] clarify -e text. suggested by & ok jmc@ --- ChangeLog | 3 +++ sshd.8 | 6 ++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 51077256d..84a6ae38a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ [log.c log.h ssh.1 ssh.c sshd.8 sshd.c] Add -E option to ssh and sshd to append debugging logs to a specified file instead of stderr or syslog. ok markus@, man page help jmc@ + - dtucker@cvs.openbsd.org 2013/04/07 09:40:27 + [sshd.8] + clarify -e text. suggested by & ok jmc@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/sshd.8 b/sshd.8 index 3ce0da6a3..03b77b04e 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.268 2013/04/07 02:10:33 dtucker Exp $ +.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $ .Dd $Mdocdate: April 7 2013 $ .Dt SSHD 8 .Os @@ -152,9 +152,7 @@ Append debug logs to .Ar log_file instead of the system log. .It Fl e -When this option is specified, -.Nm -will send the output to the standard error instead of the system log. +Write debug logs to standard error instead of the system log. .It Fl f Ar config_file Specifies the name of the configuration file. The default is -- cgit v1.2.3 From d5edefd27a30768cc7a4817302e964b6cb2f9be7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:21:39 +1000 Subject: - djm@cvs.openbsd.org 2013/04/11 02:27:50 [packet.c] quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@ --- ChangeLog | 4 ++++ packet.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 84a6ae38a..545a524b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,10 @@ - dtucker@cvs.openbsd.org 2013/04/07 09:40:27 [sshd.8] clarify -e text. suggested by & ok jmc@ + - djm@cvs.openbsd.org 2013/04/11 02:27:50 + [packet.c] + quiet disconnect notifications on the server from error() back to logit() + if it is a normal client closure; bz#2057 ok+feedback dtucker@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/packet.c b/packet.c index 9326ddea6..3e835d360 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1460,7 +1460,11 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) case SSH2_MSG_DISCONNECT: reason = packet_get_int(); msg = packet_get_string(NULL); - error("Received disconnect from %s: %u: %.400s", + /* Ignore normal client exit notifications */ + do_log2(active_state->server_side && + reason == SSH2_DISCONNECT_BY_APPLICATION ? + SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, + "Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); xfree(msg); cleanup_exit(255); -- cgit v1.2.3 From f1a02aea35504e8bef2ed9eef6f9ddeab12bacb3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:22:13 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/17 09:04:09 [session.c] revert rev 1.262; it fails because uid is already set here. ok djm@ --- ChangeLog | 3 +++ session.c | 6 ++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 545a524b5..5b8c44bf1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,9 @@ [packet.c] quiet disconnect notifications on the server from error() back to logit() if it is a normal client closure; bz#2057 ok+feedback dtucker@ + - dtucker@cvs.openbsd.org 2013/04/17 09:04:09 + [session.c] + revert rev 1.262; it fails because uid is already set here. ok djm@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/session.c b/session.c index 3064ea227..f5c777086 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.262 2013/03/06 23:35:23 djm Exp $ */ +/* $OpenBSD: session.c,v 1.263 2013/04/17 09:04:09 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1529,9 +1529,7 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif - } else if (options.chroot_directory != NULL && - strcasecmp(options.chroot_directory, "none") != 0) - fatal("server lacks privileges to chroot to ChrootDirectory"); + } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); -- cgit v1.2.3 From 9303e6527bb5ca7630c765f28624702c212bfd6c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:22:40 +1000 Subject: - djm@cvs.openbsd.org 2013/04/18 02:16:07 [sftp.c] make "sftp -q" do what it says on the sticker: hush everything but errors; --- ChangeLog | 3 +++ sftp.c | 34 ++++++++++++++++++++++++---------- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5b8c44bf1..b7a189221 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,9 @@ - dtucker@cvs.openbsd.org 2013/04/17 09:04:09 [session.c] revert rev 1.262; it fails because uid is already set here. ok djm@ + - djm@cvs.openbsd.org 2013/04/18 02:16:07 + [sftp.c] + make "sftp -q" do what it says on the sticker: hush everything but errors; 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/sftp.c b/sftp.c index 342ae7efc..24396ef3c 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.142 2013/02/08 00:41:12 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.143 2013/04/18 02:16:07 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -76,6 +76,9 @@ int batchmode = 0; /* PID of ssh transport process */ static pid_t sshpid = -1; +/* Suppress diagnositic messages */ +int quiet = 0; + /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; @@ -565,7 +568,8 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } xfree(tmp); - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); + if (!quiet) + printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, pflag || global_pflag, 1) == -1) @@ -650,7 +654,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } xfree(tmp); - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); + if (!quiet) + printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { if (upload_dir(conn, g.gl_pathv[i], abs_dst, pflag || global_pflag, 1) == -1) @@ -1335,7 +1340,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, path1 = make_absolute(path1, *pwd); remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i] && !interrupted; i++) { - printf("Removing %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Removing %s\n", g.gl_pathv[i]); err = do_rm(conn, g.gl_pathv[i]); if (err != 0 && err_abort) break; @@ -1431,7 +1437,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, a.perm = n_arg; remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i] && !interrupted; i++) { - printf("Changing mode on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing mode on %s\n", g.gl_pathv[i]); err = do_setstat(conn, g.gl_pathv[i], &a); if (err != 0 && err_abort) break; @@ -1460,10 +1467,14 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, } aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; if (cmdnum == I_CHOWN) { - printf("Changing owner on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing owner on %s\n", + g.gl_pathv[i]); aa->uid = n_arg; } else { - printf("Changing group on %s\n", g.gl_pathv[i]); + if (!quiet) + printf("Changing group on %s\n", + g.gl_pathv[i]); aa->gid = n_arg; } err = do_setstat(conn, g.gl_pathv[i], aa); @@ -1922,7 +1933,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) dir = make_absolute(dir, remote_path); if (remote_is_dir(conn, dir) && file2 == NULL) { - printf("Changing to: %s\n", dir); + if (!quiet) + printf("Changing to: %s\n", dir); snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); if (parse_dispatch_command(conn, cmd, &remote_path, 1) != 0) { @@ -2143,6 +2155,8 @@ main(int argc, char **argv) addargs(&args, "%s", optarg); break; case 'q': + ll = SYSLOG_LEVEL_ERROR; + quiet = 1; showprogress = 0; addargs(&args, "-%c", ch); break; @@ -2178,7 +2192,7 @@ main(int argc, char **argv) (infile = fopen(optarg, "r")) == NULL) fatal("%s (%s).", strerror(errno), optarg); showprogress = 0; - batchmode = 1; + quiet = batchmode = 1; addargs(&args, "-obatchmode yes"); break; case 'p': @@ -2275,7 +2289,7 @@ main(int argc, char **argv) if (conn == NULL) fatal("Couldn't initialise connection to server"); - if (!batchmode) { + if (!quiet) { if (sftp_direct == NULL) fprintf(stderr, "Connected to %s.\n", host); else -- cgit v1.2.3 From 467b00c38ba244f9966466e57a89d003f3afb159 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:23:07 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:00:10 [sshd_config.5] document the requirment that the AuthorizedKeysCommand be owned by root; ok dtucker@ markus@ --- ChangeLog | 5 +++++ sshd_config.5 | 7 ++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b7a189221..666596b55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -56,6 +56,11 @@ - djm@cvs.openbsd.org 2013/04/18 02:16:07 [sftp.c] make "sftp -q" do what it says on the sticker: hush everything but errors; + ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:00:10 + [sshd_config.5] + document the requirment that the AuthorizedKeysCommand be owned by root; + ok dtucker@ markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/sshd_config.5 b/sshd_config.5 index 4fe3c55b6..590fb4088 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.157 2013/03/07 19:27:25 markus Exp $ -.Dd $Mdocdate: March 7 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $ +.Dd $Mdocdate: April 19 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -202,7 +202,8 @@ The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. -The program will be invoked with a single argument of the username +The program must be owned by root and not writable by group or others. +It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see .Sx AUTHORIZED_KEYS -- cgit v1.2.3 From 0d6771b4648889ae5bc4235f9e3fc6cd82b710bd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:23:24 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:01:00 [ssh-keygen.c] fix some memory leaks; bz#2088 ok dtucker@ --- ChangeLog | 3 +++ ssh-keygen.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 666596b55..e64d8a43b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,9 @@ [sshd_config.5] document the requirment that the AuthorizedKeysCommand be owned by root; ok dtucker@ markus@ + - djm@cvs.openbsd.org 2013/04/19 01:01:00 + [ssh-keygen.c] + fix some memory leaks; bz#2088 ok dtucker@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/ssh-keygen.c b/ssh-keygen.c index d1a205e18..8acbcc493 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.225 2013/02/10 23:32:10 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.226 2013/04/19 01:01:00 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2038,6 +2038,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, } if (strcmp(path, "-") != 0) fclose(krl_spec); + free(path); } static void @@ -2090,6 +2091,8 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) close(fd); buffer_free(&kbuf); ssh_krl_free(krl); + if (ca != NULL) + key_free(ca); } static void -- cgit v1.2.3 From a56086b9903b62c1c4fdedf01b68338fe4dc90e4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:24:18 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:03:01 [session.c] reintroduce 1.262 without the connection-killing bug: fatal() when ChrootDirectory specified by running without root privileges; ok markus@ --- ChangeLog | 5 +++++ session.c | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e64d8a43b..0966a11bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -64,6 +64,11 @@ - djm@cvs.openbsd.org 2013/04/19 01:01:00 [ssh-keygen.c] fix some memory leaks; bz#2088 ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:03:01 + [session.c] + reintroduce 1.262 without the connection-killing bug: + fatal() when ChrootDirectory specified by running without root privileges; + ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/session.c b/session.c index f5c777086..4c4461ded 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.263 2013/04/17 09:04:09 dtucker Exp $ */ +/* $OpenBSD: session.c,v 1.264 2013/04/19 01:03:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1513,6 +1513,9 @@ do_setusercontext(struct passwd *pw) safely_chroot(chroot_path, pw->pw_uid); free(tmp); free(chroot_path); + /* Make sure we don't attempt to chroot again */ + free(options.chroot_directory); + options.chroot_directory = NULL; } #ifdef HAVE_LOGIN_CAP @@ -1529,6 +1532,9 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif + } else if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + fatal("server lacks privileges to chroot to ChrootDirectory"); } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) -- cgit v1.2.3 From ea11119eee3c5e2429b1f5f8688b25b028fa991a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 19:24:32 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:06:50 [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@ --- ChangeLog | 6 ++ authfile.c | 6 +- cipher.c | 55 ++++++++++----- cipher.h | 13 ++-- kex.c | 86 +++++++++++++++-------- kex.h | 16 ++--- kexecdh.c | 20 +----- kexecdhc.c | 7 +- kexecdhs.c | 7 +- key.c | 230 +++++++++++++++++++++++++++---------------------------------- key.h | 7 +- mac.c | 62 +++++++++++------ mac.h | 3 +- packet.c | 6 +- ssh.1 | 21 +++++- ssh.c | 20 +++++- 16 files changed, 314 insertions(+), 251 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0966a11bb..3d2950e8c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,12 @@ reintroduce 1.262 without the connection-killing bug: fatal() when ChrootDirectory specified by running without root privileges; ok markus@ + - djm@cvs.openbsd.org 2013/04/19 01:06:50 + [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] + [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] + add the ability to query supported ciphers, MACs, key type and KEX + algorithms to ssh. Includes some refactoring of KEX and key type handling + to be table-driven; ok markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/authfile.c b/authfile.c index 3544d170b..91812bf87 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.96 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -89,7 +89,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase, u_char buf[100], *cp; int i, cipher_num; CipherContext ciphercontext; - Cipher *cipher; + const Cipher *cipher; u_int32_t rnd; /* @@ -421,7 +421,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) Buffer decrypted; u_char *cp; CipherContext ciphercontext; - Cipher *cipher; + const Cipher *cipher; Key *prv = NULL; Buffer copy; diff --git a/cipher.c b/cipher.c index 9ca1d0065..5e3652135 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.88 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -65,7 +65,9 @@ struct Cipher { u_int discard_len; u_int cbc_mode; const EVP_CIPHER *(*evptype)(void); -} ciphers[] = { +}; + +static const struct Cipher ciphers[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, @@ -98,6 +100,27 @@ struct Cipher { /*--*/ +/* Returns a comma-separated list of supported ciphers. */ +char * +cipher_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const Cipher *c; + + for (c = ciphers; c->name != NULL; c++) { + if (c->number != SSH_CIPHER_SSH2) + continue; + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(c->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, c->name, nlen + 1); + rlen += nlen; + } + return ret; +} + u_int cipher_blocksize(const Cipher *c) { @@ -146,20 +169,20 @@ cipher_mask_ssh1(int client) return mask; } -Cipher * +const Cipher * cipher_by_name(const char *name) { - Cipher *c; + const Cipher *c; for (c = ciphers; c->name != NULL; c++) if (strcmp(c->name, name) == 0) return c; return NULL; } -Cipher * +const Cipher * cipher_by_number(int id) { - Cipher *c; + const Cipher *c; for (c = ciphers; c->name != NULL; c++) if (c->number == id) return c; @@ -170,7 +193,7 @@ cipher_by_number(int id) int ciphers_valid(const char *names) { - Cipher *c; + const Cipher *c; char *cipher_list, *cp; char *p; @@ -201,7 +224,7 @@ ciphers_valid(const char *names) int cipher_number(const char *name) { - Cipher *c; + const Cipher *c; if (name == NULL) return -1; for (c = ciphers; c->name != NULL; c++) @@ -213,12 +236,12 @@ cipher_number(const char *name) char * cipher_name(int id) { - Cipher *c = cipher_by_number(id); + const Cipher *c = cipher_by_number(id); return (c==NULL) ? "" : c->name; } void -cipher_init(CipherContext *cc, Cipher *cipher, +cipher_init(CipherContext *cc, const Cipher *cipher, const u_char *key, u_int keylen, const u_char *iv, u_int ivlen, int do_encrypt) { @@ -364,7 +387,7 @@ cipher_cleanup(CipherContext *cc) */ void -cipher_set_key_string(CipherContext *cc, Cipher *cipher, +cipher_set_key_string(CipherContext *cc, const Cipher *cipher, const char *passphrase, int do_encrypt) { MD5_CTX md; @@ -389,7 +412,7 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher, int cipher_get_keyiv_len(const CipherContext *cc) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int ivlen; if (c->number == SSH_CIPHER_3DES) @@ -402,7 +425,7 @@ cipher_get_keyiv_len(const CipherContext *cc) void cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int evplen; switch (c->number) { @@ -438,7 +461,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) void cipher_set_keyiv(CipherContext *cc, u_char *iv) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int evplen = 0; switch (c->number) { @@ -471,7 +494,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) int cipher_get_keycontext(const CipherContext *cc, u_char *dat) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int plen = 0; if (c->evptype == EVP_rc4) { @@ -486,7 +509,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat) void cipher_set_keycontext(CipherContext *cc, u_char *dat) { - Cipher *c = cc->cipher; + const Cipher *c = cc->cipher; int plen; if (c->evptype == EVP_rc4) { diff --git a/cipher.h b/cipher.h index 8cb57c3e5..b878d50f4 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen @@ -66,21 +66,22 @@ struct CipherContext { int plaintext; int encrypt; EVP_CIPHER_CTX evp; - Cipher *cipher; + const Cipher *cipher; }; u_int cipher_mask_ssh1(int); -Cipher *cipher_by_name(const char *); -Cipher *cipher_by_number(int); +const Cipher *cipher_by_name(const char *); +const Cipher *cipher_by_number(int); int cipher_number(const char *); char *cipher_name(int); int ciphers_valid(const char *); -void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, +char *cipher_alg_list(void); +void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int, const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int, u_int); void cipher_cleanup(CipherContext *); -void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); +void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_authlen(const Cipher *); diff --git a/kex.c b/kex.c index 57a79dd9e..65a227bc1 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: kex.c,v 1.89 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -62,6 +62,55 @@ extern const EVP_MD *evp_ssh_sha256(void); static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); +struct kexalg { + char *name; + int type; + int ec_nid; + const EVP_MD *(*mdfunc)(void); +}; +static const struct kexalg kexalgs[] = { + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 }, + { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 }, + { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 }, +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 }, + { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, + { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, + { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, +#endif + { NULL, -1, -1, NULL}, +}; + +char * +kex_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct kexalg *k; + + for (k = kexalgs; k->name != NULL; k++) { + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(k->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, k->name, nlen + 1); + rlen += nlen; + } + return ret; +} + +static const struct kexalg * +kex_alg_by_name(const char *name) +{ + const struct kexalg *k; + + for (k = kexalgs; k->name != NULL; k++) { + if (strcmp(k->name, name) == 0) + return k; + } + return NULL; +} + /* Validate KEX method name list */ int kex_names_valid(const char *names) @@ -73,13 +122,7 @@ kex_names_valid(const char *names) s = cp = xstrdup(names); for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { - if (strcmp(p, KEX_DHGEX_SHA256) != 0 && - strcmp(p, KEX_DHGEX_SHA1) != 0 && - strcmp(p, KEX_DH14) != 0 && - strcmp(p, KEX_DH1) != 0 && - (strncmp(p, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 || - kex_ecdh_name_to_nid(p) == -1)) { + if (kex_alg_by_name(p) == NULL) { error("Unsupported KEX algorithm \"%.100s\"", p); xfree(s); return 0; @@ -348,29 +391,16 @@ choose_comp(Comp *comp, char *client, char *server) static void choose_kex(Kex *k, char *client, char *server) { + const struct kexalg *kexalg; + k->name = match_list(client, server, NULL); if (k->name == NULL) fatal("Unable to negotiate a key exchange method"); - if (strcmp(k->name, KEX_DH1) == 0) { - k->kex_type = KEX_DH_GRP1_SHA1; - k->evp_md = EVP_sha1(); - } else if (strcmp(k->name, KEX_DH14) == 0) { - k->kex_type = KEX_DH_GRP14_SHA1; - k->evp_md = EVP_sha1(); - } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) { - k->kex_type = KEX_DH_GEX_SHA1; - k->evp_md = EVP_sha1(); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { - k->kex_type = KEX_DH_GEX_SHA256; - k->evp_md = evp_ssh_sha256(); - } else if (strncmp(k->name, KEX_ECDH_SHA2_STEM, - sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) { - k->kex_type = KEX_ECDH_SHA2; - k->evp_md = kex_ecdh_name_to_evpmd(k->name); -#endif - } else - fatal("bad kex alg %s", k->name); + if ((kexalg = kex_alg_by_name(k->name)) == NULL) + fatal("unsupported kex alg %s", k->name); + k->kex_type = kexalg->type; + k->evp_md = kexalg->mdfunc(); + k->ec_nid = kexalg->ec_nid; } static void diff --git a/kex.h b/kex.h index 46731fa45..680264af2 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.55 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -40,8 +40,9 @@ #define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" #define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256" #define KEX_RESUME "resume@appgate.com" -/* The following represents the family of ECDH methods */ -#define KEX_ECDH_SHA2_STEM "ecdh-sha2-" +#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256" +#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384" +#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" #define COMP_NONE 0 #define COMP_ZLIB 1 @@ -86,7 +87,7 @@ typedef struct Newkeys Newkeys; struct Enc { char *name; - Cipher *cipher; + const Cipher *cipher; int enabled; u_int key_len; u_int iv_len; @@ -131,6 +132,7 @@ struct Kex { sig_atomic_t done; int flags; const EVP_MD *evp_md; + int ec_nid; char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); @@ -141,6 +143,7 @@ struct Kex { }; int kex_names_valid(const char *); +char *kex_alg_list(void); Kex *kex_setup(char *[PROPOSAL_MAX]); void kex_finish(Kex *); @@ -170,11 +173,6 @@ void kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int, char *, int, u_char *, int, const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char **, u_int *); -int kex_ecdh_name_to_nid(const char *); -const EVP_MD *kex_ecdh_name_to_evpmd(const char *); -#else -# define kex_ecdh_name_to_nid(x) (-1) -# define kex_ecdh_name_to_evpmd(x) (NULL) #endif void diff --git a/kexecdh.c b/kexecdh.c index f13f69d3b..c948fe20a 100644 --- a/kexecdh.c +++ b/kexecdh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdh.c,v 1.4 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -45,24 +45,6 @@ #include "kex.h" #include "log.h" -int -kex_ecdh_name_to_nid(const char *kexname) -{ - if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1) - fatal("%s: kexname too short \"%s\"", __func__, kexname); - return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1); -} - -const EVP_MD * -kex_ecdh_name_to_evpmd(const char *kexname) -{ - int nid = kex_ecdh_name_to_nid(kexname); - - if (nid == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname); - return key_ec_nid_to_evpmd(nid); -} - void kex_ecdh_hash( const EVP_MD *evp_md, diff --git a/kexecdhc.c b/kexecdhc.c index 115d4bf83..04239a471 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -57,11 +57,8 @@ kexecdh_client(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; - int curve_nid; - if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); - if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) + if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(client_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); diff --git a/kexecdhs.c b/kexecdhs.c index 8c515dfa6..6519abbef 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -59,11 +59,8 @@ kexecdh_server(Kex *kex) u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; u_int klen, slen, sbloblen, hashlen; - int curve_nid; - if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1) - fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name); - if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL) + if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", __func__); if (EC_KEY_generate_key(server_key) != 1) fatal("%s: EC_KEY_generate_key failed", __func__); diff --git a/key.c b/key.c index 4cc5c5d35..471cd1fcc 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: key.c,v 1.101 2013/04/19 01:06:50 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -891,36 +891,6 @@ key_write(const Key *key, FILE *f) return success; } -const char * -key_type(const Key *k) -{ - switch (k->type) { - case KEY_RSA1: - return "RSA1"; - case KEY_RSA: - return "RSA"; - case KEY_DSA: - return "DSA"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - return "ECDSA"; -#endif - case KEY_RSA_CERT_V00: - return "RSA-CERT-V00"; - case KEY_DSA_CERT_V00: - return "DSA-CERT-V00"; - case KEY_RSA_CERT: - return "RSA-CERT"; - case KEY_DSA_CERT: - return "DSA-CERT"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA_CERT: - return "ECDSA-CERT"; -#endif - } - return "unknown"; -} - const char * key_cert_type(const Key *k) { @@ -934,48 +904,59 @@ key_cert_type(const Key *k) } } +struct keytype { + char *name; + char *shortname; + int type; + int nid; + int cert; +}; +static const struct keytype keytypes[] = { + { NULL, "RSA1", KEY_RSA1, 0, 0 }, + { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, + { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, +#ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, + { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, + { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, +#endif /* OPENSSL_HAS_ECC */ + { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, + { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, +#ifdef OPENSSL_HAS_ECC + { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, + { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_secp384r1, 1 }, + { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", + KEY_ECDSA_CERT, NID_secp521r1, 1 }, +#endif /* OPENSSL_HAS_ECC */ + { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", + KEY_RSA_CERT_V00, 0, 1 }, + { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", + KEY_DSA_CERT_V00, 0, 1 }, + { NULL, NULL, -1, -1, 0 } +}; + +const char * +key_type(const Key *k) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == k->type) + return kt->shortname; + } + return "unknown"; +} + static const char * key_ssh_name_from_type_nid(int type, int nid) { - switch (type) { - case KEY_RSA: - return "ssh-rsa"; - case KEY_DSA: - return "ssh-dss"; - case KEY_RSA_CERT_V00: - return "ssh-rsa-cert-v00@openssh.com"; - case KEY_DSA_CERT_V00: - return "ssh-dss-cert-v00@openssh.com"; - case KEY_RSA_CERT: - return "ssh-rsa-cert-v01@openssh.com"; - case KEY_DSA_CERT: - return "ssh-dss-cert-v01@openssh.com"; -#ifdef OPENSSL_HAS_ECC - case KEY_ECDSA: - switch (nid) { - case NID_X9_62_prime256v1: - return "ecdsa-sha2-nistp256"; - case NID_secp384r1: - return "ecdsa-sha2-nistp384"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521"; - default: - break; - } - break; - case KEY_ECDSA_CERT: - switch (nid) { - case NID_X9_62_prime256v1: - return "ecdsa-sha2-nistp256-cert-v01@openssh.com"; - case NID_secp384r1: - return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; - case NID_secp521r1: - return "ecdsa-sha2-nistp521-cert-v01@openssh.com"; - default: - break; - } - break; -#endif /* OPENSSL_HAS_ECC */ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) + return kt->name; } return "ssh-unknown"; } @@ -993,6 +974,56 @@ key_ssh_name_plain(const Key *k) k->ecdsa_nid); } +int +key_type_from_name(char *name) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + /* Only allow shortname matches for plain key types */ + if ((kt->name != NULL && strcmp(name, kt->name) == 0) || + (!kt->cert && strcasecmp(kt->shortname, name) == 0)) + return kt->type; + } + debug2("key_type_from_name: unknown key type '%s'", name); + return KEY_UNSPEC; +} + +int +key_ecdsa_nid_from_name(const char *name) +{ + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) + continue; + if (kt->name != NULL && strcmp(name, kt->name) == 0) + return kt->nid; + } + debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); + return -1; +} + +char * +key_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { + if (kt->name == NULL) + continue; + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(kt->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, kt->name, nlen + 1); + rlen += nlen; + } + return ret; +} + u_int key_size(const Key *k) { @@ -1247,65 +1278,6 @@ key_from_private(const Key *k) return n; } -int -key_type_from_name(char *name) -{ - if (strcmp(name, "rsa1") == 0) { - return KEY_RSA1; - } else if (strcmp(name, "rsa") == 0) { - return KEY_RSA; - } else if (strcmp(name, "dsa") == 0) { - return KEY_DSA; - } else if (strcmp(name, "ssh-rsa") == 0) { - return KEY_RSA; - } else if (strcmp(name, "ssh-dss") == 0) { - return KEY_DSA; -#ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa") == 0 || - strcmp(name, "ecdsa-sha2-nistp256") == 0 || - strcmp(name, "ecdsa-sha2-nistp384") == 0 || - strcmp(name, "ecdsa-sha2-nistp521") == 0) { - return KEY_ECDSA; -#endif - } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { - return KEY_RSA_CERT_V00; - } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { - return KEY_DSA_CERT_V00; - } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) { - return KEY_RSA_CERT; - } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { - return KEY_DSA_CERT; -#ifdef OPENSSL_HAS_ECC - } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { - return KEY_ECDSA_CERT; -#endif - } - - debug2("key_type_from_name: unknown key type '%s'", name); - return KEY_UNSPEC; -} - -int -key_ecdsa_nid_from_name(const char *name) -{ -#ifdef OPENSSL_HAS_ECC - if (strcmp(name, "ecdsa-sha2-nistp256") == 0 || - strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) - return NID_X9_62_prime256v1; - if (strcmp(name, "ecdsa-sha2-nistp384") == 0 || - strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0) - return NID_secp384r1; - if (strcmp(name, "ecdsa-sha2-nistp521") == 0 || - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) - return NID_secp521r1; -#endif /* OPENSSL_HAS_ECC */ - - debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); - return -1; -} - int key_names_valid2(const char *names) { diff --git a/key.h b/key.h index ebdf45677..f2e058e9e 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */ +/* $OpenBSD: key.h,v 1.36 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -118,15 +118,16 @@ int key_cert_is_legacy(const Key *); int key_ecdsa_nid_from_name(const char *); int key_curve_name_to_nid(const char *); -const char * key_curve_nid_to_name(int); +const char *key_curve_nid_to_name(int); u_int key_curve_nid_to_bits(int); int key_ecdsa_bits_to_nid(int); #ifdef OPENSSL_HAS_ECC int key_ecdsa_key_to_nid(EC_KEY *); -const EVP_MD * key_ec_nid_to_evpmd(int nid); +const EVP_MD *key_ec_nid_to_evpmd(int nid); int key_ec_validate_public(const EC_GROUP *, const EC_POINT *); int key_ec_validate_private(const EC_KEY *); #endif +char *key_alg_list(void); Key *key_from_blob(const u_char *, u_int); int key_to_blob(const Key *, u_char **, u_int *); diff --git a/mac.c b/mac.c index 3f2dc6f2a..da68803f5 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */ +/* $OpenBSD: mac.c,v 1.22 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -50,7 +50,7 @@ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ #define SSH_UMAC128 3 -struct { +struct macalg { char *name; int type; const EVP_MD * (*mdfunc)(void); @@ -58,7 +58,9 @@ struct { int key_len; /* just for UMAC */ int len; /* just for UMAC */ int etm; /* Encrypt-then-MAC */ -} macs[] = { +}; + +static const struct macalg macs[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, @@ -89,38 +91,58 @@ struct { { NULL, 0, NULL, 0, 0, 0, 0 } }; +/* Returns a comma-separated list of supported MACs. */ +char * +mac_alg_list(void) +{ + char *ret = NULL; + size_t nlen, rlen = 0; + const struct macalg *m; + + for (m = macs; m->name != NULL; m++) { + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(m->name); + ret = xrealloc(ret, 1, rlen + nlen + 2); + memcpy(ret + rlen, m->name, nlen + 1); + rlen += nlen; + } + return ret; +} + static void -mac_setup_by_id(Mac *mac, int which) +mac_setup_by_alg(Mac *mac, const struct macalg *macalg) { int evp_len; - mac->type = macs[which].type; + + mac->type = macalg->type; if (mac->type == SSH_EVP) { - mac->evp_md = (*macs[which].mdfunc)(); + mac->evp_md = macalg->mdfunc(); if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0) fatal("mac %s len %d", mac->name, evp_len); mac->key_len = mac->mac_len = (u_int)evp_len; } else { - mac->mac_len = macs[which].len / 8; - mac->key_len = macs[which].key_len / 8; + mac->mac_len = macalg->len / 8; + mac->key_len = macalg->key_len / 8; mac->umac_ctx = NULL; } - if (macs[which].truncatebits != 0) - mac->mac_len = macs[which].truncatebits / 8; - mac->etm = macs[which].etm; + if (macalg->truncatebits != 0) + mac->mac_len = macalg->truncatebits / 8; + mac->etm = macalg->etm; } int mac_setup(Mac *mac, char *name) { - int i; - - for (i = 0; macs[i].name; i++) { - if (strcmp(name, macs[i].name) == 0) { - if (mac != NULL) - mac_setup_by_id(mac, i); - debug2("mac_setup: found %s", name); - return (0); - } + const struct macalg *m; + + for (m = macs; m->name != NULL; m++) { + if (strcmp(name, m->name) != 0) + continue; + if (mac != NULL) + mac_setup_by_alg(mac, m); + debug2("mac_setup: found %s", name); + return (0); } debug2("mac_setup: unknown %s", name); return (-1); diff --git a/mac.h b/mac.h index 39f564dd3..260798ab3 100644 --- a/mac.h +++ b/mac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */ +/* $OpenBSD: mac.h,v 1.7 2013/04/19 01:06:50 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -24,6 +24,7 @@ */ int mac_valid(const char *); +char *mac_alg_list(void); int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); diff --git a/packet.c b/packet.c index 3e835d360..3c97383ec 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.183 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -215,7 +215,7 @@ alloc_session_state(void) void packet_set_connection(int fd_in, int fd_out) { - Cipher *none = cipher_by_name("none"); + const Cipher *none = cipher_by_name("none"); if (none == NULL) fatal("packet_set_connection: cannot load cipher 'none'"); @@ -545,7 +545,7 @@ packet_start_compression(int level) void packet_set_encryption_key(const u_char *key, u_int keylen, int number) { - Cipher *cipher = cipher_by_number(number); + const Cipher *cipher = cipher_by_number(number); if (cipher == NULL) fatal("packet_set_encryption_key: unknown cipher number %d", number); diff --git a/ssh.1 b/ssh.1 index d77494b83..dc7af4864 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.331 2013/04/07 02:10:33 dtucker Exp $ -.Dd $Mdocdate: April 7 2013 $ +.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $ +.Dd $Mdocdate: April 19 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -65,6 +65,8 @@ .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Ek +.Nm +.Fl Q Ar protocol_feature .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for @@ -487,6 +489,21 @@ For full details of the options listed below, and their possible values, see Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. +.It Fl Q Ar protocol_feature +Queries +.Nm +for the algorithms supported for the specified version 2 +.Ar protocol_feature . +The queriable features are: +.Dq cipher +(supported symmetric ciphers), +.Dq MAC +(supported message integrity codes), +.Dq KEX +(key exchange algorithms), +.Dq key +(key types). +Protocol features are treated case-insensitively. .It Fl q Quiet mode. Causes most warning and diagnostic messages to be suppressed. diff --git a/ssh.c b/ssh.c index cd56f8a74..b077dc828 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.375 2013/04/07 02:10:33 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.376 2013/04/19 01:06:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -327,7 +327,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" - "ACD:E:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { + "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -389,6 +389,22 @@ main(int ac, char **av) case 'P': /* deprecated */ options.use_privileged_port = 0; break; + case 'Q': /* deprecated */ + cp = NULL; + if (strcasecmp(optarg, "cipher") == 0) + cp = cipher_alg_list(); + else if (strcasecmp(optarg, "mac") == 0) + cp = mac_alg_list(); + else if (strcasecmp(optarg, "kex") == 0) + cp = kex_alg_list(); + else if (strcasecmp(optarg, "key") == 0) + cp = key_alg_list(); + if (cp == NULL) + fatal("Unsupported query \"%s\"", optarg); + printf("%s\n", cp); + free(cp); + exit(0); + break; case 'a': options.forward_agent = 0; break; -- cgit v1.2.3 From 34bd20a1e53b63ceb01f06c1654d9112e6784b0a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 19:25:00 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 11:10:18 [ssh.c] add -Q to usage; reminded by jmc@ --- ChangeLog | 3 +++ ssh.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3d2950e8c..3c2050fdd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -75,6 +75,9 @@ add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@ + - djm@cvs.openbsd.org 2013/04/19 11:10:18 + [ssh.c] + add -Q to usage; reminded by jmc@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/ssh.c b/ssh.c index b077dc828..534e7c6cf 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.376 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.377 2013/04/19 11:10:18 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -199,7 +199,7 @@ usage(void) "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" " [-F configfile] [-I pkcs11] [-i identity_file]\n" -" [-L [bind_address:]port:host:hostport]\n" +" [-L [bind_address:]port:host:hostport] [-Q protocol_feature]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" " [-W host:port] [-w local_tun[:remote_tun]]\n" -- cgit v1.2.3 From f8b894e31dc3530c7eb6d0a378848260d54f74c4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 19:25:29 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 12:07:08 [kex.c] remove duplicated list entry pointed out by naddy@ --- ChangeLog | 3 +++ kex.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3c2050fdd..6d7d1d225 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,6 +78,9 @@ - djm@cvs.openbsd.org 2013/04/19 11:10:18 [ssh.c] add -Q to usage; reminded by jmc@ + - djm@cvs.openbsd.org 2013/04/19 12:07:08 + [kex.c] + remove duplicated list entry pointed out by naddy@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/kex.c b/kex.c index 65a227bc1..f6e683bde 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.89 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.90 2013/04/19 12:07:08 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * -- cgit v1.2.3 From bc02f163f6e882d390abfb925b47b41e13ae523b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 19:25:49 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/22 01:17:18 [mux.c] typo in debug output: evitval->exitval --- ChangeLog | 3 +++ mux.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6d7d1d225..9865d41b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -81,6 +81,9 @@ - djm@cvs.openbsd.org 2013/04/19 12:07:08 [kex.c] remove duplicated list entry pointed out by naddy@ + - dtucker@cvs.openbsd.org 2013/04/22 01:17:18 + [mux.c] + typo in debug output: evitval->exitval 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/mux.c b/mux.c index 9f458c4cf..a6bcbbaca 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.39 2013/04/05 00:58:51 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.40 2013/04/22 01:17:18 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -1101,7 +1101,7 @@ mux_exit_message(Channel *c, int exitval) Buffer m; Channel *mux_chan; - debug3("%s: channel %d: exit message, evitval %d", __func__, c->self, + debug3("%s: channel %d: exit message, exitval %d", __func__, c->self, exitval); if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) -- cgit v1.2.3 From abbc7a7c02e45787d023f50a30f62d7a3e14fe9e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 13:54:23 +1000 Subject: - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler supports it. Mentioned by Colin Watson in bz#2100, ok djm. --- ChangeLog | 4 ++++ configure.ac | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9865d41b2..dbc9679bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130510 + - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler + supports it. Mentioned by Colin Watson in bz#2100, ok djm. + 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support platforms, such as Android, that lack struct passwd.pw_gecos. Report diff --git a/configure.ac b/configure.ac index c30d547d9..93c50e085 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.521 2013/04/23 04:25:53 djm Exp $ +# $Id: configure.ac,v 1.522 2013/05/10 03:54:23 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.521 $) +AC_REVISION($Revision: 1.522 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -134,6 +134,7 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare]) OSSH_CHECK_CFLAG_COMPILE([-Wformat-security]) + OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) -- cgit v1.2.3 From 35b2fe99bee4f332d1c1efa49107cdb3c67da07a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 15:35:26 +1000 Subject: - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to getopt.c. Preprocessed source is identical other than line numbers. --- ChangeLog | 2 ++ openbsd-compat/getopt.c | 58 ++++++++++++++++++++++++++++--------------------- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index dbc9679bb..bbc799737 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler supports it. Mentioned by Colin Watson in bz#2100, ok djm. + - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to + getopt.c. Preprocessed source is identical other than line numbers. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c index 5450e43d9..e5e80af06 100644 --- a/openbsd-compat/getopt.c +++ b/openbsd-compat/getopt.c @@ -32,6 +32,14 @@ #include "includes.h" #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) +/* some defines to make it easier to keep the code in sync with upstream */ +/* #define getopt BSDgetopt is in defines.h */ +#define opterr BSDopterr +#define optind BSDoptind +#define optopt BSDoptopt +#define optreset BSDoptreset +#define optarg BSDoptarg + #if defined(LIBC_SCCS) && !defined(lint) static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $"; #endif /* LIBC_SCCS and not lint */ @@ -40,11 +48,11 @@ static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $ #include #include -int BSDopterr = 1, /* if error message should be printed */ - BSDoptind = 1, /* index into parent argv vector */ - BSDoptopt, /* character checked for validity */ - BSDoptreset; /* reset getopt */ -char *BSDoptarg; /* argument associated with option */ +int opterr = 1, /* if error message should be printed */ + optind = 1, /* index into parent argv vector */ + optopt, /* character checked for validity */ + optreset; /* reset getopt */ +char *optarg; /* argument associated with option */ #define BADCH (int)'?' #define BADARG (int)':' @@ -55,7 +63,7 @@ char *BSDoptarg; /* argument associated with option */ * Parse argc/argv argument vector. */ int -BSDgetopt(nargc, nargv, ostr) +getopt(nargc, nargv, ostr) int nargc; char * const *nargv; const char *ostr; @@ -67,57 +75,57 @@ BSDgetopt(nargc, nargv, ostr) if (ostr == NULL) return (-1); - if (BSDoptreset || !*place) { /* update scanning pointer */ - BSDoptreset = 0; - if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { + if (optreset || !*place) { /* update scanning pointer */ + optreset = 0; + if (optind >= nargc || *(place = nargv[optind]) != '-') { place = EMSG; return (-1); } if (place[1] && *++place == '-') { /* found "--" */ - ++BSDoptind; + ++optind; place = EMSG; return (-1); } } /* option letter okay? */ - if ((BSDoptopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, BSDoptopt))) { + if ((optopt = (int)*place++) == (int)':' || + !(oli = strchr(ostr, optopt))) { /* * if the user didn't specify '-' as an option, * assume it means -1. */ - if (BSDoptopt == (int)'-') + if (optopt == (int)'-') return (-1); if (!*place) - ++BSDoptind; - if (BSDopterr && *ostr != ':') + ++optind; + if (opterr && *ostr != ':') (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, BSDoptopt); + "%s: illegal option -- %c\n", __progname, optopt); return (BADCH); } if (*++oli != ':') { /* don't need argument */ - BSDoptarg = NULL; + optarg = NULL; if (!*place) - ++BSDoptind; + ++optind; } else { /* need an argument */ if (*place) /* no white space */ - BSDoptarg = place; - else if (nargc <= ++BSDoptind) { /* no arg */ + optarg = place; + else if (nargc <= ++optind) { /* no arg */ place = EMSG; if (*ostr == ':') return (BADARG); - if (BSDopterr) + if (opterr) (void)fprintf(stderr, "%s: option requires an argument -- %c\n", - __progname, BSDoptopt); + __progname, optopt); return (BADCH); } else /* white space */ - BSDoptarg = nargv[BSDoptind]; + optarg = nargv[optind]; place = EMSG; - ++BSDoptind; + ++optind; } - return (BSDoptopt); /* dump back option letter */ + return (optopt); /* dump back option letter */ } #endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ -- cgit v1.2.3 From 39332020078aa8fd4fc28e00b336438dc64b0f5a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 15:38:11 +1000 Subject: - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No portability changes yet. --- ChangeLog | 2 + openbsd-compat/getopt_long.c | 511 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 513 insertions(+) create mode 100644 openbsd-compat/getopt_long.c diff --git a/ChangeLog b/ChangeLog index bbc799737..71c3ea61d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ supports it. Mentioned by Colin Watson in bz#2100, ok djm. - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to getopt.c. Preprocessed source is identical other than line numbers. + - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No + portability changes yet. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c new file mode 100644 index 000000000..e149fe0ac --- /dev/null +++ b/openbsd-compat/getopt_long.c @@ -0,0 +1,511 @@ +/* $OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $ */ +/* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */ + +/* + * Copyright (c) 2002 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ +/*- + * Copyright (c) 2000 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Dieter Baron and Thomas Klausner. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include + +int opterr = 1; /* if error message should be printed */ +int optind = 1; /* index into parent argv vector */ +int optopt = '?'; /* character checked for validity */ +int optreset; /* reset getopt */ +char *optarg; /* argument associated with option */ + +#define PRINT_ERROR ((opterr) && (*options != ':')) + +#define FLAG_PERMUTE 0x01 /* permute non-options to the end of argv */ +#define FLAG_ALLARGS 0x02 /* treat non-options as args to option "-1" */ +#define FLAG_LONGONLY 0x04 /* operate as getopt_long_only */ + +/* return values */ +#define BADCH (int)'?' +#define BADARG ((*options == ':') ? (int)':' : (int)'?') +#define INORDER (int)1 + +#define EMSG "" + +static int getopt_internal(int, char * const *, const char *, + const struct option *, int *, int); +static int parse_long_options(char * const *, const char *, + const struct option *, int *, int); +static int gcd(int, int); +static void permute_args(int, int, int, char * const *); + +static char *place = EMSG; /* option letter processing */ + +/* XXX: set optreset to 1 rather than these two */ +static int nonopt_start = -1; /* first non option argument (for permute) */ +static int nonopt_end = -1; /* first option after non options (for permute) */ + +/* Error messages */ +static const char recargchar[] = "option requires an argument -- %c"; +static const char recargstring[] = "option requires an argument -- %s"; +static const char ambig[] = "ambiguous option -- %.*s"; +static const char noarg[] = "option doesn't take an argument -- %.*s"; +static const char illoptchar[] = "unknown option -- %c"; +static const char illoptstring[] = "unknown option -- %s"; + +/* + * Compute the greatest common divisor of a and b. + */ +static int +gcd(int a, int b) +{ + int c; + + c = a % b; + while (c != 0) { + a = b; + b = c; + c = a % b; + } + + return (b); +} + +/* + * Exchange the block from nonopt_start to nonopt_end with the block + * from nonopt_end to opt_end (keeping the same order of arguments + * in each block). + */ +static void +permute_args(int panonopt_start, int panonopt_end, int opt_end, + char * const *nargv) +{ + int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos; + char *swap; + + /* + * compute lengths of blocks and number and size of cycles + */ + nnonopts = panonopt_end - panonopt_start; + nopts = opt_end - panonopt_end; + ncycle = gcd(nnonopts, nopts); + cyclelen = (opt_end - panonopt_start) / ncycle; + + for (i = 0; i < ncycle; i++) { + cstart = panonopt_end+i; + pos = cstart; + for (j = 0; j < cyclelen; j++) { + if (pos >= panonopt_end) + pos -= nnonopts; + else + pos += nopts; + swap = nargv[pos]; + /* LINTED const cast */ + ((char **) nargv)[pos] = nargv[cstart]; + /* LINTED const cast */ + ((char **)nargv)[cstart] = swap; + } + } +} + +/* + * parse_long_options -- + * Parse long options in argc/argv argument vector. + * Returns -1 if short_too is set and the option does not match long_options. + */ +static int +parse_long_options(char * const *nargv, const char *options, + const struct option *long_options, int *idx, int short_too) +{ + char *current_argv, *has_equal; + size_t current_argv_len; + int i, match; + + current_argv = place; + match = -1; + + optind++; + + if ((has_equal = strchr(current_argv, '=')) != NULL) { + /* argument found (--option=arg) */ + current_argv_len = has_equal - current_argv; + has_equal++; + } else + current_argv_len = strlen(current_argv); + + for (i = 0; long_options[i].name; i++) { + /* find matching long option */ + if (strncmp(current_argv, long_options[i].name, + current_argv_len)) + continue; + + if (strlen(long_options[i].name) == current_argv_len) { + /* exact match */ + match = i; + break; + } + /* + * If this is a known short option, don't allow + * a partial match of a single character. + */ + if (short_too && current_argv_len == 1) + continue; + + if (match == -1) /* partial match */ + match = i; + else { + /* ambiguous abbreviation */ + if (PRINT_ERROR) + warnx(ambig, (int)current_argv_len, + current_argv); + optopt = 0; + return (BADCH); + } + } + if (match != -1) { /* option found */ + if (long_options[match].has_arg == no_argument + && has_equal) { + if (PRINT_ERROR) + warnx(noarg, (int)current_argv_len, + current_argv); + /* + * XXX: GNU sets optopt to val regardless of flag + */ + if (long_options[match].flag == NULL) + optopt = long_options[match].val; + else + optopt = 0; + return (BADARG); + } + if (long_options[match].has_arg == required_argument || + long_options[match].has_arg == optional_argument) { + if (has_equal) + optarg = has_equal; + else if (long_options[match].has_arg == + required_argument) { + /* + * optional argument doesn't use next nargv + */ + optarg = nargv[optind++]; + } + } + if ((long_options[match].has_arg == required_argument) + && (optarg == NULL)) { + /* + * Missing argument; leading ':' indicates no error + * should be generated. + */ + if (PRINT_ERROR) + warnx(recargstring, + current_argv); + /* + * XXX: GNU sets optopt to val regardless of flag + */ + if (long_options[match].flag == NULL) + optopt = long_options[match].val; + else + optopt = 0; + --optind; + return (BADARG); + } + } else { /* unknown option */ + if (short_too) { + --optind; + return (-1); + } + if (PRINT_ERROR) + warnx(illoptstring, current_argv); + optopt = 0; + return (BADCH); + } + if (idx) + *idx = match; + if (long_options[match].flag) { + *long_options[match].flag = long_options[match].val; + return (0); + } else + return (long_options[match].val); +} + +/* + * getopt_internal -- + * Parse argc/argv argument vector. Called by user level routines. + */ +static int +getopt_internal(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx, int flags) +{ + char *oli; /* option letter list index */ + int optchar, short_too; + static int posixly_correct = -1; + + if (options == NULL) + return (-1); + + /* + * XXX Some GNU programs (like cvs) set optind to 0 instead of + * XXX using optreset. Work around this braindamage. + */ + if (optind == 0) + optind = optreset = 1; + + /* + * Disable GNU extensions if POSIXLY_CORRECT is set or options + * string begins with a '+'. + */ + if (posixly_correct == -1 || optreset) + posixly_correct = (getenv("POSIXLY_CORRECT") != NULL); + if (*options == '-') + flags |= FLAG_ALLARGS; + else if (posixly_correct || *options == '+') + flags &= ~FLAG_PERMUTE; + if (*options == '+' || *options == '-') + options++; + + optarg = NULL; + if (optreset) + nonopt_start = nonopt_end = -1; +start: + if (optreset || !*place) { /* update scanning pointer */ + optreset = 0; + if (optind >= nargc) { /* end of argument vector */ + place = EMSG; + if (nonopt_end != -1) { + /* do permutation, if we have to */ + permute_args(nonopt_start, nonopt_end, + optind, nargv); + optind -= nonopt_end - nonopt_start; + } + else if (nonopt_start != -1) { + /* + * If we skipped non-options, set optind + * to the first of them. + */ + optind = nonopt_start; + } + nonopt_start = nonopt_end = -1; + return (-1); + } + if (*(place = nargv[optind]) != '-' || + (place[1] == '\0' && strchr(options, '-') == NULL)) { + place = EMSG; /* found non-option */ + if (flags & FLAG_ALLARGS) { + /* + * GNU extension: + * return non-option as argument to option 1 + */ + optarg = nargv[optind++]; + return (INORDER); + } + if (!(flags & FLAG_PERMUTE)) { + /* + * If no permutation wanted, stop parsing + * at first non-option. + */ + return (-1); + } + /* do permutation */ + if (nonopt_start == -1) + nonopt_start = optind; + else if (nonopt_end != -1) { + permute_args(nonopt_start, nonopt_end, + optind, nargv); + nonopt_start = optind - + (nonopt_end - nonopt_start); + nonopt_end = -1; + } + optind++; + /* process next argument */ + goto start; + } + if (nonopt_start != -1 && nonopt_end == -1) + nonopt_end = optind; + + /* + * If we have "-" do nothing, if "--" we are done. + */ + if (place[1] != '\0' && *++place == '-' && place[1] == '\0') { + optind++; + place = EMSG; + /* + * We found an option (--), so if we skipped + * non-options, we have to permute. + */ + if (nonopt_end != -1) { + permute_args(nonopt_start, nonopt_end, + optind, nargv); + optind -= nonopt_end - nonopt_start; + } + nonopt_start = nonopt_end = -1; + return (-1); + } + } + + /* + * Check long options if: + * 1) we were passed some + * 2) the arg is not just "-" + * 3) either the arg starts with -- we are getopt_long_only() + */ + if (long_options != NULL && place != nargv[optind] && + (*place == '-' || (flags & FLAG_LONGONLY))) { + short_too = 0; + if (*place == '-') + place++; /* --foo long option */ + else if (*place != ':' && strchr(options, *place) != NULL) + short_too = 1; /* could be short option too */ + + optchar = parse_long_options(nargv, options, long_options, + idx, short_too); + if (optchar != -1) { + place = EMSG; + return (optchar); + } + } + + if ((optchar = (int)*place++) == (int)':' || + (optchar == (int)'-' && *place != '\0') || + (oli = strchr(options, optchar)) == NULL) { + /* + * If the user specified "-" and '-' isn't listed in + * options, return -1 (non-option) as per POSIX. + * Otherwise, it is an unknown option character (or ':'). + */ + if (optchar == (int)'-' && *place == '\0') + return (-1); + if (!*place) + ++optind; + if (PRINT_ERROR) + warnx(illoptchar, optchar); + optopt = optchar; + return (BADCH); + } + if (long_options != NULL && optchar == 'W' && oli[1] == ';') { + /* -W long-option */ + if (*place) /* no space */ + /* NOTHING */; + else if (++optind >= nargc) { /* no arg */ + place = EMSG; + if (PRINT_ERROR) + warnx(recargchar, optchar); + optopt = optchar; + return (BADARG); + } else /* white space */ + place = nargv[optind]; + optchar = parse_long_options(nargv, options, long_options, + idx, 0); + place = EMSG; + return (optchar); + } + if (*++oli != ':') { /* doesn't take argument */ + if (!*place) + ++optind; + } else { /* takes (optional) argument */ + optarg = NULL; + if (*place) /* no white space */ + optarg = place; + else if (oli[1] != ':') { /* arg not optional */ + if (++optind >= nargc) { /* no arg */ + place = EMSG; + if (PRINT_ERROR) + warnx(recargchar, optchar); + optopt = optchar; + return (BADARG); + } else + optarg = nargv[optind]; + } + place = EMSG; + ++optind; + } + /* dump back option letter */ + return (optchar); +} + +/* + * getopt -- + * Parse argc/argv argument vector. + * + * [eventually this will replace the BSD getopt] + */ +int +getopt(int nargc, char * const *nargv, const char *options) +{ + + /* + * We don't pass FLAG_PERMUTE to getopt_internal() since + * the BSD getopt(3) (unlike GNU) has never done this. + * + * Furthermore, since many privileged programs call getopt() + * before dropping privileges it makes sense to keep things + * as simple (and bug-free) as possible. + */ + return (getopt_internal(nargc, nargv, options, NULL, NULL, 0)); +} + +/* + * getopt_long -- + * Parse argc/argv argument vector. + */ +int +getopt_long(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx) +{ + + return (getopt_internal(nargc, nargv, options, long_options, idx, + FLAG_PERMUTE)); +} + +/* + * getopt_long_only -- + * Parse argc/argv argument vector. + */ +int +getopt_long_only(int nargc, char * const *nargv, const char *options, + const struct option *long_options, int *idx) +{ + + return (getopt_internal(nargc, nargv, options, long_options, idx, + FLAG_PERMUTE|FLAG_LONGONLY)); +} -- cgit v1.2.3 From ccfdfceacb7e23d1479ed4cc91976c5ac6e23c56 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 16:28:55 +1000 Subject: - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add portability code to getopt_long.c and switch over Makefile and the ugly hack in modpipe.c. Fixes bz#1448. --- ChangeLog | 4 ++ openbsd-compat/Makefile.in | 4 +- openbsd-compat/getopt.c | 131 ------------------------------------------- openbsd-compat/getopt_long.c | 19 +++++++ regress/modpipe.c | 2 +- 5 files changed, 26 insertions(+), 134 deletions(-) delete mode 100644 openbsd-compat/getopt.c diff --git a/ChangeLog b/ChangeLog index 71c3ea61d..e0604abe1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ getopt.c. Preprocessed source is identical other than line numbers. - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No portability changes yet. + - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c + openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add + portability code to getopt_long.c and switch over Makefile and the ugly + hack in modpipe.c. Fixes bz#1448. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index e1c3651e8..365cf006d 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.50 2013/02/15 01:13:02 dtucker Exp $ +# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -16,7 +16,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o +OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c deleted file mode 100644 index e5e80af06..000000000 --- a/openbsd-compat/getopt.c +++ /dev/null @@ -1,131 +0,0 @@ -/* - * Copyright (c) 1987, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ - -#include "includes.h" -#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) - -/* some defines to make it easier to keep the code in sync with upstream */ -/* #define getopt BSDgetopt is in defines.h */ -#define opterr BSDopterr -#define optind BSDoptind -#define optopt BSDoptopt -#define optreset BSDoptreset -#define optarg BSDoptarg - -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include - -int opterr = 1, /* if error message should be printed */ - optind = 1, /* index into parent argv vector */ - optopt, /* character checked for validity */ - optreset; /* reset getopt */ -char *optarg; /* argument associated with option */ - -#define BADCH (int)'?' -#define BADARG (int)':' -#define EMSG "" - -/* - * getopt -- - * Parse argc/argv argument vector. - */ -int -getopt(nargc, nargv, ostr) - int nargc; - char * const *nargv; - const char *ostr; -{ - extern char *__progname; - static char *place = EMSG; /* option letter processing */ - char *oli; /* option letter list index */ - - if (ostr == NULL) - return (-1); - - if (optreset || !*place) { /* update scanning pointer */ - optreset = 0; - if (optind >= nargc || *(place = nargv[optind]) != '-') { - place = EMSG; - return (-1); - } - if (place[1] && *++place == '-') { /* found "--" */ - ++optind; - place = EMSG; - return (-1); - } - } /* option letter okay? */ - if ((optopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, optopt))) { - /* - * if the user didn't specify '-' as an option, - * assume it means -1. - */ - if (optopt == (int)'-') - return (-1); - if (!*place) - ++optind; - if (opterr && *ostr != ':') - (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, optopt); - return (BADCH); - } - if (*++oli != ':') { /* don't need argument */ - optarg = NULL; - if (!*place) - ++optind; - } - else { /* need an argument */ - if (*place) /* no white space */ - optarg = place; - else if (nargc <= ++optind) { /* no arg */ - place = EMSG; - if (*ostr == ':') - return (BADARG); - if (opterr) - (void)fprintf(stderr, - "%s: option requires an argument -- %c\n", - __progname, optopt); - return (BADCH); - } - else /* white space */ - optarg = nargv[optind]; - place = EMSG; - ++optind; - } - return (optopt); /* dump back option letter */ -} - -#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c index e149fe0ac..6b36d0672 100644 --- a/openbsd-compat/getopt_long.c +++ b/openbsd-compat/getopt_long.c @@ -49,7 +49,22 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt_long.c */ +#include "includes.h" + +#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) +#include "log.h" + +/* + * Some defines to make it easier to keep the code in sync with upstream. + * getopt opterr optind optopt optreset optarg are all in defines.h which is + * pulled in by includes.h. + */ +#define warnx logit + +#if 0 #include +#endif #include #include #include @@ -484,6 +499,7 @@ getopt(int nargc, char * const *nargv, const char *options) return (getopt_internal(nargc, nargv, options, NULL, NULL, 0)); } +#if 0 /* * getopt_long -- * Parse argc/argv argument vector. @@ -509,3 +525,6 @@ getopt_long_only(int nargc, char * const *nargv, const char *options, return (getopt_internal(nargc, nargv, options, long_options, idx, FLAG_PERMUTE|FLAG_LONGONLY)); } +#endif + +#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ diff --git a/regress/modpipe.c b/regress/modpipe.c index 9629aa80b..3322d1a70 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -25,7 +25,7 @@ #include #include #include -#include "openbsd-compat/getopt.c" +#include "openbsd-compat/getopt_long.c" static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); -- cgit v1.2.3 From 0abfb559e3f79d1f217773510d7626c3722aa3c1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 18:08:49 +1000 Subject: - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb in to use it when we're using our own getopt. --- ChangeLog | 3 ++ openbsd-compat/getopt.h | 78 +++++++++++++++++++++++++++++++++++++++++ openbsd-compat/getopt_long.c | 6 ++-- openbsd-compat/openbsd-compat.h | 3 +- 4 files changed, 87 insertions(+), 3 deletions(-) create mode 100644 openbsd-compat/getopt.h diff --git a/ChangeLog b/ChangeLog index e0604abe1..650400f83 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add portability code to getopt_long.c and switch over Makefile and the ugly hack in modpipe.c. Fixes bz#1448. + - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c + openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb + in to use it when we're using our own getopt. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/openbsd-compat/getopt.h b/openbsd-compat/getopt.h new file mode 100644 index 000000000..0311b078b --- /dev/null +++ b/openbsd-compat/getopt.h @@ -0,0 +1,78 @@ +/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */ +/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */ + +/*- + * Copyright (c) 2000 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Dieter Baron and Thomas Klausner. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _GETOPT_H_ +#define _GETOPT_H_ + +#include + +/* + * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions + */ +#define no_argument 0 +#define required_argument 1 +#define optional_argument 2 + +struct option { + /* name of long option */ + const char *name; + /* + * one of no_argument, required_argument, and optional_argument: + * whether option takes an argument + */ + int has_arg; + /* if not NULL, set *flag to val when option found */ + int *flag; + /* if flag not NULL, value to set *flag to; else return value */ + int val; +}; + +__BEGIN_DECLS +int getopt_long(int, char * const *, const char *, + const struct option *, int *); +int getopt_long_only(int, char * const *, const char *, + const struct option *, int *); +#ifndef _GETOPT_DEFINED_ +#define _GETOPT_DEFINED_ +int getopt(int, char * const *, const char *); +int getsubopt(char **, char * const *, char **); + +extern char *optarg; /* getopt(3) external variables */ +extern int opterr; +extern int optind; +extern int optopt; +extern int optreset; +extern char *suboptarg; /* getsubopt(3) external variable */ +#endif +__END_DECLS + +#endif /* !_GETOPT_H_ */ diff --git a/openbsd-compat/getopt_long.c b/openbsd-compat/getopt_long.c index 6b36d0672..e28947430 100644 --- a/openbsd-compat/getopt_long.c +++ b/openbsd-compat/getopt_long.c @@ -53,7 +53,6 @@ #include "includes.h" #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) -#include "log.h" /* * Some defines to make it easier to keep the code in sync with upstream. @@ -64,11 +63,14 @@ #if 0 #include +#include #endif #include -#include #include #include +#include + +#include "log.h" int opterr = 1; /* if error message should be printed */ int optind = 1; /* index into parent argv vector */ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index a8c579f49..94d172aaa 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.56 2013/05/10 08:08:49 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -139,6 +139,7 @@ int getgrouplist(const char *, gid_t, gid_t *, int *); #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) int BSDgetopt(int argc, char * const *argv, const char *opts); +#include "openbsd-compat/getopt.h" #endif #if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0 -- cgit v1.2.3 From a75d247a18a5099c60226395354eb252c097ac86 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 18:11:55 +1000 Subject: - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the underlying libraries support them. --- ChangeLog | 2 ++ kex.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 650400f83..d03a43527 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,8 @@ - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb in to use it when we're using our own getopt. + - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the + underlying libraries support them. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/kex.c b/kex.c index f6e683bde..6b43a6dee 100644 --- a/kex.c +++ b/kex.c @@ -72,8 +72,10 @@ static const struct kexalg kexalgs[] = { { KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 }, { KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 }, { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 }, -#if OPENSSL_VERSION_NUMBER >= 0x00907000L +#ifdef HAVE_EVP_SHA256 { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 }, +#endif +#ifdef OPENSSL_HAS_ECC { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 }, { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, -- cgit v1.2.3 From c54e3e0741a27119b3badd8ff92b1988b7e9bd50 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 10 May 2013 18:53:14 +1000 Subject: - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so we don't get a warning on compilers that *don't* support it. Add -Wno-unknown-warning-option. Move both to the start of the list for maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9. --- ChangeLog | 4 ++++ configure.ac | 9 ++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index d03a43527..94a23fb1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ in to use it when we're using our own getopt. - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the underlying libraries support them. + - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so + we don't get a warning on compilers that *don't* support it. Add + -Wno-unknown-warning-option. Move both to the start of the list for + maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9. 20130423 - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support diff --git a/configure.ac b/configure.ac index 93c50e085..6bcbef638 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.522 2013/05/10 03:54:23 dtucker Exp $ +# $Id: configure.ac,v 1.523 2013/05/10 08:53:14 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.522 $) +AC_REVISION($Revision: 1.523 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -129,6 +129,10 @@ AC_ARG_WITH([stackprotect], if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror], + [-Qunused-arguments]) + OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror], + [-Wno-unknown-warning-option]) OSSH_CHECK_CFLAG_COMPILE([-Wall]) OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith]) OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized]) @@ -138,7 +142,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign]) OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) - OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` -- cgit v1.2.3 From 6aa3eacc5e5f39702b6dd5b27970d9fd97bc2383 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 16 May 2013 11:10:17 +1000 Subject: - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be executed if mktemp failed; bz#2105 ok dtucker@ --- ChangeLog | 4 ++++ contrib/ssh-copy-id | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 94a23fb1c..97eccf9b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130516 + - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be + executed if mktemp failed; bz#2105 ok dtucker@ + 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler supports it. Mentioned by Colin Watson in bz#2100, ok djm. diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index af18a1929..9f2817b6b 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -165,6 +165,9 @@ done eval set -- "$SAVEARGS" +if [ $# == 0 ] ; then + usage +fi if [ $# != 1 ] ; then printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2 usage @@ -196,7 +199,11 @@ populate_new_ids() { umask 0177 local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) - trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT + if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then + echo "mktemp failed" 1>&2 + exit 1 + fi + trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2 NEW_IDS=$( eval $GET_ID | { -- cgit v1.2.3 From 2ca51bf140ef2c2409fd220778529dc17c11d8fa Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:22:46 +1000 Subject: - tedu@cvs.openbsd.org 2013/04/23 17:49:45 [misc.c] use xasprintf instead of a series of strlcats and strdup. ok djm --- ChangeLog | 4 ++++ misc.c | 21 ++++++++++----------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 97eccf9b5..4864be92f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be executed if mktemp failed; bz#2105 ok dtucker@ + - (dtucker) OpenBSD CVS Sync + - tedu@cvs.openbsd.org 2013/04/23 17:49:45 + [misc.c] + use xasprintf instead of a series of strlcats and strdup. ok djm 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/misc.c b/misc.c index 9e287433a..ee5711d19 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.87 2013/04/23 17:49:45 tedu Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -517,8 +517,8 @@ freeargs(arglist *args) char * tilde_expand_filename(const char *filename, uid_t uid) { - const char *path; - char user[128], ret[MAXPATHLEN]; + const char *path, *sep; + char user[128], *ret; struct passwd *pw; u_int len, slash; @@ -538,22 +538,21 @@ tilde_expand_filename(const char *filename, uid_t uid) } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ fatal("tilde_expand_filename: No such uid %ld", (long)uid); - if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret)) - fatal("tilde_expand_filename: Path too long"); - /* Make sure directory has a trailing '/' */ len = strlen(pw->pw_dir); - if ((len == 0 || pw->pw_dir[len - 1] != '/') && - strlcat(ret, "/", sizeof(ret)) >= sizeof(ret)) - fatal("tilde_expand_filename: Path too long"); + if ((len == 0 || pw->pw_dir[len - 1] != '/')) + sep = "/"; + else + sep = ""; /* Skip leading '/' from specified path */ if (path != NULL) filename = path + 1; - if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret)) + + if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= MAXPATHLEN) fatal("tilde_expand_filename: Path too long"); - return (xstrdup(ret)); + return (ret); } /* -- cgit v1.2.3 From 026d9db3fbe311b5a7e98d62472cb666aa559648 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:23:52 +1000 Subject: - tedu@cvs.openbsd.org 2013/04/24 16:01:46 [misc.c] remove extra parens noticed by nicm --- ChangeLog | 3 +++ misc.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4864be92f..413adfec0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ - tedu@cvs.openbsd.org 2013/04/23 17:49:45 [misc.c] use xasprintf instead of a series of strlcats and strdup. ok djm + - tedu@cvs.openbsd.org 2013/04/24 16:01:46 + [misc.c] + remove extra parens noticed by nicm 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/misc.c b/misc.c index ee5711d19..77f4a37a1 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.87 2013/04/23 17:49:45 tedu Exp $ */ +/* $OpenBSD: misc.c,v 1.88 2013/04/24 16:01:46 tedu Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -540,7 +540,7 @@ tilde_expand_filename(const char *filename, uid_t uid) /* Make sure directory has a trailing '/' */ len = strlen(pw->pw_dir); - if ((len == 0 || pw->pw_dir[len - 1] != '/')) + if (len == 0 || pw->pw_dir[len - 1] != '/') sep = "/"; else sep = ""; -- cgit v1.2.3 From 5d8b702d95c0dfc338726fecfbb709695afd1377 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:24:23 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 [sftp-server.8] Reference the version of the sftp draft we actually implement. ok djm@ --- ChangeLog | 3 +++ sftp-server.8 | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 413adfec0..f322ebb6e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ - tedu@cvs.openbsd.org 2013/04/24 16:01:46 [misc.c] remove extra parens noticed by nicm + - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 + [sftp-server.8] + Reference the version of the sftp draft we actually implement. ok djm@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/sftp-server.8 b/sftp-server.8 index 2fd3df20c..d35af6840 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.21 2013/01/04 19:26:38 jmc Exp $ +.\" $OpenBSD: sftp-server.8,v 1.22 2013/05/06 07:35:12 dtucker Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 4 2013 $ +.Dd $Mdocdate: May 6 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -124,8 +124,8 @@ establish a logging socket inside the chroot directory. .%A T. Ylonen .%A S. Lehtinen .%T "SSH File Transfer Protocol" -.%N draft-ietf-secsh-filexfer-00.txt -.%D January 2001 +.%N draft-ietf-secsh-filexfer-02.txt +.%D October 2001 .%O work in progress material .Re .Sh HISTORY -- cgit v1.2.3 From 54da6be320495604ddf65d10ac4cc8cf7849c533 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:25:04 +1000 Subject: - djm@cvs.openbsd.org 2013/05/10 03:40:07 [sshconnect2.c] fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from --- ChangeLog | 3 +++ sshconnect2.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f322ebb6e..5baca853d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ - dtucker@cvs.openbsd.org 2013/05/06 07:35:12 [sftp-server.8] Reference the version of the sftp draft we actually implement. ok djm@ + - djm@cvs.openbsd.org 2013/05/10 03:40:07 + [sshconnect2.c] + fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/sshconnect2.c b/sshconnect2.c index c811c3652..c01efe38c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.194 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.195 2013/05/10 03:40:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1409,7 +1409,7 @@ pubkey_prepare(Authctxt *authctxt) /* If IdentitiesOnly set and key not found then don't use it */ if (!found && options.identities_only) { TAILQ_REMOVE(&files, id, next); - bzero(id, sizeof(id)); + bzero(id, sizeof(*id)); free(id); } } -- cgit v1.2.3 From 7e831edbf7a1b0b9aeeb08328b9fceafaad1bf22 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:25:40 +1000 Subject: add missing attribution --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 5baca853d..375e4d879 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,7 @@ - djm@cvs.openbsd.org 2013/05/10 03:40:07 [sshconnect2.c] fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from + Colin Watson 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler -- cgit v1.2.3 From caf00109346e4ab6bb495b0e22bc5b1e7ee22f26 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:26:18 +1000 Subject: - djm@cvs.openbsd.org 2013/05/10 04:08:01 [key.c] memleak in cert_free(), wasn't actually freeing the struct; bz#2096 from shm AT digitalsun.pl --- ChangeLog | 4 ++++ key.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 375e4d879..506faa40d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ [sshconnect2.c] fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from Colin Watson + - djm@cvs.openbsd.org 2013/05/10 04:08:01 + [key.c] + memleak in cert_free(), wasn't actually freeing the struct; + bz#2096 from shm AT digitalsun.pl 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/key.c b/key.c index 471cd1fcc..b8c60cb2c 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.101 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: key.c,v 1.102 2013/05/10 04:08:01 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -195,6 +195,7 @@ cert_free(struct KeyCert *cert) xfree(cert->principals); if (cert->signature_key != NULL) key_free(cert->signature_key); + xfree(cert); } void -- cgit v1.2.3 From 64c6fceecd27e1739040b42de8f3759454260b39 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:27:14 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 [ssh-pkcs11-helper.c] remove unused extern optarg. ok markus@ --- ChangeLog | 3 +++ ssh-pkcs11-helper.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 506faa40d..7f4249222 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ [key.c] memleak in cert_free(), wasn't actually freeing the struct; bz#2096 from shm AT digitalsun.pl + - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 + [ssh-pkcs11-helper.c] + remove unused extern optarg. ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index fcb5defc0..5c09f1221 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.4 2012/07/02 12:13:26 dtucker Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.5 2013/05/10 10:13:50 dtucker Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -274,7 +274,6 @@ main(int argc, char **argv) LogLevel log_level = SYSLOG_LEVEL_ERROR; char buf[4*4096]; - extern char *optarg; extern char *__progname; TAILQ_INIT(&pkcs11_keylist); -- cgit v1.2.3 From c53c2af173cf67fd1c26f98e7900299b1b65b6ec Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:28:16 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 02:00:34 [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c ssh_config.5 packet.h] Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm --- ChangeLog | 6 +++++ clientloop.c | 23 ++++++++++++----- packet.c | 33 +++++++++++++++++++++--- packet.h | 5 ++-- readconf.c | 80 ++++++++++++++++++++++++++++++++++++----------------------- readconf.h | 3 ++- ssh_config | 3 ++- ssh_config.5 | 20 ++++++++++++--- sshconnect2.c | 7 +++--- 9 files changed, 129 insertions(+), 51 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f4249222..85a5edcce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,12 @@ - dtucker@cvs.openbsd.org 2013/05/10 10:13:50 [ssh-pkcs11-helper.c] remove unused extern optarg. ok markus@ + - dtucker@cvs.openbsd.org 2013/05/16 02:00:34 + [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c + ssh_config.5 packet.h] + Add an optional second argument to RekeyLimit in the client to allow + rekeying based on elapsed time in addition to amount of traffic. + with djm@ jmc@, ok djm 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/clientloop.c b/clientloop.c index c1d1d4472..f1b108fcd 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.249 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -583,7 +583,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; - time_t minwait_secs = 0; + time_t minwait_secs = 0, server_alive_time = 0, now = time(NULL); int ret; /* Add any selections by the channel mechanism. */ @@ -632,12 +632,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, */ timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ - if (options.server_alive_interval > 0 && compat20) + if (options.server_alive_interval > 0 && compat20) { timeout_secs = options.server_alive_interval; + server_alive_time = now + options.server_alive_interval; + } + if (options.rekey_interval > 0 && compat20 && !rekeying) + timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout()); set_control_persist_exit_time(); if (control_persist_exit_time > 0) { timeout_secs = MIN(timeout_secs, - control_persist_exit_time - time(NULL)); + control_persist_exit_time - now); if (timeout_secs < 0) timeout_secs = 0; } @@ -669,8 +673,15 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } else if (ret == 0) - server_alive_check(); + } else if (ret == 0) { + /* + * Timeout. Could have been either keepalive or rekeying. + * Keepalive we check here, rekeying is checked in clientloop. + */ + if (server_alive_time != 0 && server_alive_time <= time(NULL)) + server_alive_check(); + } + } static void diff --git a/packet.c b/packet.c index 3c97383ec..dd9d26f5d 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.183 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.184 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -58,6 +58,7 @@ #include #include #include +#include #include "xmalloc.h" #include "buffer.h" @@ -165,9 +166,14 @@ struct session_state { Newkeys *newkeys[MODE_MAX]; struct packet_state p_read, p_send; + /* Volume-based rekeying */ u_int64_t max_blocks_in, max_blocks_out; u_int32_t rekey_limit; + /* Time-based rekeying */ + time_t rekey_interval; /* how often in seconds */ + time_t rekey_time; /* time of last rekeying */ + /* Session key for protocol v1 */ u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; u_int ssh1_keylen; @@ -1009,6 +1015,7 @@ packet_send2(void) /* after a NEWKEYS message we can send the complete queue */ if (type == SSH2_MSG_NEWKEYS) { active_state->rekeying = 0; + active_state->rekey_time = time(NULL); while ((p = TAILQ_FIRST(&active_state->outgoing))) { type = p->type; debug("dequeue packet: %u", type); @@ -1933,13 +1940,33 @@ packet_need_rekeying(void) (active_state->max_blocks_out && (active_state->p_send.blocks > active_state->max_blocks_out)) || (active_state->max_blocks_in && - (active_state->p_read.blocks > active_state->max_blocks_in)); + (active_state->p_read.blocks > active_state->max_blocks_in)) || + (active_state->rekey_interval != 0 && active_state->rekey_time + + active_state->rekey_interval <= time(NULL)); } void -packet_set_rekey_limit(u_int32_t bytes) +packet_set_rekey_limits(u_int32_t bytes, time_t seconds) { + debug3("rekey after %lld bytes, %d seconds", (long long)bytes, + (int)seconds); active_state->rekey_limit = bytes; + active_state->rekey_interval = seconds; + /* + * We set the time here so that in post-auth privsep slave we count + * from the completion of the authentication. + */ + active_state->rekey_time = time(NULL); +} + +time_t +packet_get_rekey_timeout(void) +{ + time_t seconds; + + seconds = active_state->rekey_time + active_state->rekey_interval - + time(NULL); + return (seconds < 0 ? 0 : seconds); } void diff --git a/packet.h b/packet.h index 09ba07951..bc548f2b1 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */ +/* $OpenBSD: packet.h,v 1.58 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -115,7 +115,8 @@ do { \ } while (0) int packet_need_rekeying(void); -void packet_set_rekey_limit(u_int32_t); +void packet_set_rekey_limits(u_int32_t, time_t); +time_t packet_get_rekey_timeout(void); void packet_backup_state(void); void packet_restore_state(void); diff --git a/readconf.c b/readconf.c index 6e708e02e..d8898a029 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.197 2013/03/06 23:36:53 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.198 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -562,39 +562,54 @@ parse_yesnoask: case oRekeyLimit: arg = strdelim(&s); if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", filename, linenum); - if (arg[0] < '0' || arg[0] > '9') - fatal("%.200s line %d: Bad number.", filename, linenum); - orig = val64 = strtoll(arg, &endofnumber, 10); - if (arg == endofnumber) - fatal("%.200s line %d: Bad number.", filename, linenum); - switch (toupper(*endofnumber)) { - case '\0': - scale = 1; - break; - case 'K': - scale = 1<<10; - break; - case 'M': - scale = 1<<20; - break; - case 'G': - scale = 1<<30; - break; - default: - fatal("%.200s line %d: Invalid RekeyLimit suffix", - filename, linenum); + fatal("%.200s line %d: Missing argument.", filename, + linenum); + if (strcmp(arg, "default") == 0) { + val64 = 0; + } else { + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, + linenum); + orig = val64 = strtoll(arg, &endofnumber, 10); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, + linenum); + switch (toupper(*endofnumber)) { + case '\0': + scale = 1; + break; + case 'K': + scale = 1<<10; + break; + case 'M': + scale = 1<<20; + break; + case 'G': + scale = 1<<30; + break; + default: + fatal("%.200s line %d: Invalid RekeyLimit " + "suffix", filename, linenum); + } + val64 *= scale; + /* detect integer wrap and too-large limits */ + if ((val64 / scale) != orig || val64 > UINT_MAX) + fatal("%.200s line %d: RekeyLimit too large", + filename, linenum); + if (val64 != 0 && val64 < 16) + fatal("%.200s line %d: RekeyLimit too small", + filename, linenum); } - val64 *= scale; - /* detect integer wrap and too-large limits */ - if ((val64 / scale) != orig || val64 > UINT_MAX) - fatal("%.200s line %d: RekeyLimit too large", - filename, linenum); - if (val64 < 16) - fatal("%.200s line %d: RekeyLimit too small", - filename, linenum); if (*activep && options->rekey_limit == -1) options->rekey_limit = (u_int32_t)val64; + if (s != NULL) { /* optional rekey interval present */ + if (strcmp(s, "none") == 0) { + (void)strdelim(&s); /* discard */ + break; + } + intptr = &options->rekey_interval; + goto parse_time; + } break; case oIdentityFile: @@ -1202,6 +1217,7 @@ initialize_options(Options * options) options->no_host_authentication_for_localhost = - 1; options->identities_only = - 1; options->rekey_limit = - 1; + options->rekey_interval = -1; options->verify_host_key_dns = -1; options->server_alive_interval = -1; options->server_alive_count_max = -1; @@ -1337,6 +1353,8 @@ fill_default_options(Options * options) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; if (options->server_alive_interval == -1) diff --git a/readconf.h b/readconf.h index 841648906..e20573090 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.94 2013/05/16 02:00:34 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -110,6 +110,7 @@ typedef struct { int enable_ssh_keysign; int64_t rekey_limit; + int rekey_interval; int no_host_authentication_for_localhost; int identities_only; int server_alive_interval; diff --git a/ssh_config b/ssh_config index 18936740f..bb4081936 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ +# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -45,3 +45,4 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h diff --git a/ssh_config.5 b/ssh_config.5 index 269529c00..97897e00e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ -.Dd $Mdocdate: January 8 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.162 2013/05/16 02:00:34 dtucker Exp $ +.Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -931,8 +931,9 @@ The default is This option applies to protocol version 2 only. .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted before the -session key is renegotiated. -The argument is the number of bytes, with an optional suffix of +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of .Sq K , .Sq M , or @@ -943,6 +944,17 @@ The default is between and .Sq 4G , depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over diff --git a/sshconnect2.c b/sshconnect2.c index c01efe38c..7b83c591b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.195 2013/05/10 03:40:07 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.196 2013/05/16 02:00:34 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -197,8 +197,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - if (options.rekey_limit) - packet_set_rekey_limit((u_int32_t)options.rekey_limit); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); /* start key exchange */ kex = kex_setup(myproposal); -- cgit v1.2.3 From 5f96f3b4bee11ae2b9b32ff9b881c3693e210f96 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:29:28 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page. --- ChangeLog | 5 ++++ monitor.c | 6 ++++- packet.c | 4 ++-- servconf.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---- servconf.h | 5 +++- serverloop.c | 14 +++++++---- sshd.c | 6 ++++- sshd_config | 5 +++- sshd_config.5 | 32 +++++++++++++++++++++++-- 9 files changed, 135 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 85a5edcce..186c43247 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,11 @@ Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm + - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 + [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config + sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing + rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man + page. 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/monitor.c b/monitor.c index c0471a176..372c9d044 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.122 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.123 2013/05/16 04:09:13 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1810,6 +1810,10 @@ monitor_apply_keystate(struct monitor *pmonitor) if (options.compression) mm_init_compression(pmonitor->m_zlib); + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); + /* Network I/O buffers */ /* XXX inefficient for large buffers, need: buffer_init_from_string */ buffer_clear(packet_get_input()); diff --git a/packet.c b/packet.c index dd9d26f5d..a64bbae3c 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.184 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: packet.c,v 1.185 2013/05/16 04:09:13 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1966,7 +1966,7 @@ packet_get_rekey_timeout(void) seconds = active_state->rekey_time + active_state->rekey_interval - time(NULL); - return (seconds < 0 ? 0 : seconds); + return (seconds <= 0 ? 1 : seconds); } void diff --git a/servconf.c b/servconf.c index b2a60fd6c..4e3026b83 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -20,6 +20,7 @@ #include #include +#include #include #include #include @@ -110,6 +111,8 @@ initialize_server_options(ServerOptions *options) options->permit_user_env = -1; options->use_login = -1; options->compression = -1; + options->rekey_limit = -1; + options->rekey_interval = -1; options->allow_tcp_forwarding = -1; options->allow_agent_forwarding = -1; options->num_allow_users = 0; @@ -249,6 +252,10 @@ fill_default_server_options(ServerOptions *options) options->use_login = 0; if (options->compression == -1) options->compression = COMP_DELAYED; + if (options->rekey_limit == -1) + options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) @@ -320,7 +327,7 @@ typedef enum { sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -422,6 +429,7 @@ static struct { { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, { "uselogin", sUseLogin, SSHCFG_GLOBAL }, { "compression", sCompression, SSHCFG_GLOBAL }, + { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, @@ -800,14 +808,14 @@ process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, struct connection_info *connectinfo) { - char *cp, **charptr, *arg, *p; - int cmdline = 0, *intptr, value, value2, n; + char *cp, **charptr, *arg, *p, *endofnumber; + int cmdline = 0, *intptr, value, value2, n, port, scale; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; ServerOpCodes opcode; - int port; u_int i, flags = 0; size_t len; + long long orig, val64; const struct multistate *multistate_ptr; cp = line; @@ -1118,6 +1126,59 @@ process_server_config_line(ServerOptions *options, char *line, multistate_ptr = multistate_compression; goto parse_multistate; + case sRekeyLimit: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, + linenum); + if (strcmp(arg, "default") == 0) { + val64 = 0; + } else { + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, + linenum); + orig = val64 = strtoll(arg, &endofnumber, 10); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, + linenum); + switch (toupper(*endofnumber)) { + case '\0': + scale = 1; + break; + case 'K': + scale = 1<<10; + break; + case 'M': + scale = 1<<20; + break; + case 'G': + scale = 1<<30; + break; + default: + fatal("%.200s line %d: Invalid RekeyLimit " + "suffix", filename, linenum); + } + val64 *= scale; + /* detect integer wrap and too-large limits */ + if ((val64 / scale) != orig || val64 > UINT_MAX) + fatal("%.200s line %d: RekeyLimit too large", + filename, linenum); + if (val64 != 0 && val64 < 16) + fatal("%.200s line %d: RekeyLimit too small", + filename, linenum); + } + if (*activep && options->rekey_limit == -1) + options->rekey_limit = (u_int32_t)val64; + if (cp != NULL) { /* optional rekey interval present */ + if (strcmp(cp, "none") == 0) { + (void)strdelim(&cp); /* discard */ + break; + } + intptr = &options->rekey_interval; + goto parse_time; + } + break; + case sGatewayPorts: intptr = &options->gateway_ports; multistate_ptr = multistate_gatewayports; @@ -1718,6 +1779,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); + M_CP_INTOPT(rekey_limit); + M_CP_INTOPT(rekey_interval); /* See comment in servconf.h */ COPY_MATCH_STRING_OPTS(); @@ -2006,5 +2069,7 @@ dump_config(ServerOptions *o) printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); printf("%s\n", iptos2str(o->ip_qos_bulk)); + printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); + channel_print_adm_permitted_opens(); } diff --git a/servconf.h b/servconf.h index 870c70982..fc051bd4b 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.108 2013/05/16 04:09:14 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -176,6 +176,9 @@ typedef struct { char *authorized_keys_command; char *authorized_keys_command_user; + int64_t rekey_limit; + int rekey_interval; + char *version_addendum; /* Appended to SSH banner */ u_int num_auth_methods; diff --git a/serverloop.c b/serverloop.c index e224bd08a..595899f61 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.165 2013/05/16 04:09:14 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -277,7 +277,7 @@ client_alive_check(void) */ static void wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, - u_int *nallocp, u_int max_time_milliseconds) + u_int *nallocp, u_int64_t max_time_milliseconds) { struct timeval tv, *tvp; int ret; @@ -563,7 +563,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) int wait_status; /* Status returned by wait(). */ pid_t wait_pid; /* pid returned by wait(). */ int waiting_termination = 0; /* Have displayed waiting close message. */ - u_int max_time_milliseconds; + u_int64_t max_time_milliseconds; u_int previous_stdout_buffer_bytes; u_int stdout_buffer_bytes; int type; @@ -826,6 +826,7 @@ server_loop2(Authctxt *authctxt) { fd_set *readset = NULL, *writeset = NULL; int rekeying = 0, max_fd, nalloc = 0; + u_int64_t rekey_timeout_ms = 0; debug("Entering interactive session for SSH2."); @@ -854,8 +855,13 @@ server_loop2(Authctxt *authctxt) if (!rekeying && packet_not_very_much_data_to_write()) channel_output_poll(); + if (options.rekey_interval > 0 && compat20 && !rekeying) + rekey_timeout_ms = packet_get_rekey_timeout() * 1000; + else + rekey_timeout_ms = 0; + wait_until_can_do_something(&readset, &writeset, &max_fd, - &nalloc, 0); + &nalloc, rekey_timeout_ms); if (received_sigterm) { logit("Exiting on signal %d", (int)received_sigterm); diff --git a/sshd.c b/sshd.c index a0f5c0d26..9a8e7b8ba 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.399 2013/04/07 02:10:33 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.400 2013/05/16 04:09:14 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2364,6 +2364,10 @@ do_ssh2_kex(void) if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); /* start key exchange */ diff --git a/sshd_config b/sshd_config index 9cd2fddce..b786361d1 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $ +# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -29,6 +29,9 @@ #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH diff --git a/sshd_config.5 b/sshd_config.5 index 590fb4088..9e0b3a5c0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $ -.Dd $Mdocdate: April 19 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $ +.Dd $Mdocdate: May 16 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -814,6 +814,7 @@ Available keywords are .Cm PermitRootLogin , .Cm PermitTunnel , .Cm PubkeyAuthentication , +.Cm RekeyLimit , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , @@ -1008,6 +1009,33 @@ Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted before the +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of +.Sq K , +.Sq M , +or +.Sq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Sq 1G +and +.Sq 4G , +depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. +This option applies to protocol version 2 only. .It Cm RevokedKeys Specifies revoked public keys. Keys listed in this file will be refused for public key authentication. -- cgit v1.2.3 From 0763698f71efef8b3f8460c5700758359219eb7c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:30:03 +1000 Subject: - djm@cvs.openbsd.org 2013/05/16 04:27:50 [ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@ --- ChangeLog | 4 ++++ readconf.c | 35 ++++++++++++++++++++++++++--------- readconf.h | 4 +++- ssh_config.5 | 13 ++++++++++++- 4 files changed, 45 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 186c43247..ae0f84777 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page. + - djm@cvs.openbsd.org 2013/05/16 04:27:50 + [ssh_config.5 readconf.h readconf.c] + add the ability to ignore specific unrecognised ssh_config options; + bz#866; ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/readconf.c b/readconf.c index d8898a029..51b23a3b8 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.198 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.199 2013/05/16 04:27:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -134,8 +134,8 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, - oDeprecated, oUnsupported + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; /* Textual representations of the tokens. */ @@ -246,6 +246,7 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } }; @@ -351,14 +352,17 @@ add_identity_file(Options *options, const char *dir, const char *filename, */ static OpCodes -parse_token(const char *cp, const char *filename, int linenum) +parse_token(const char *cp, const char *filename, int linenum, + const char *ignored_unknown) { - u_int i; + int i; for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + if (strcmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - + if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown, + strlen(ignored_unknown), 1) == 1) + return oIgnoredUnknownOption; error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); return oBadOption; @@ -377,7 +381,7 @@ process_config_line(Options *options, const char *host, { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; - u_int *uintptr, max_entries = 0; + u_int i, *uintptr, max_entries = 0; int negated, opcode, *intptr, value, value2, scale; LogLevel *log_level_ptr; long long orig, val64; @@ -400,14 +404,22 @@ process_config_line(Options *options, const char *host, keyword = strdelim(&s); if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') return 0; + /* Match lowercase keyword */ + for (i = 0; i < strlen(keyword); i++) + keyword[i] = tolower(keyword[i]); - opcode = parse_token(keyword, filename, linenum); + opcode = parse_token(keyword, filename, linenum, + options->ignored_unknown); switch (opcode) { case oBadOption: /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oIgnoredUnknownOption: + debug("%s line %d: Ignored unknown option \"%s\"", + filename, linenum, keyword); + return 0; case oConnectTimeout: intptr = &options->connection_timeout; parse_time: @@ -1077,6 +1089,10 @@ parse_int: *intptr = value; break; + case oIgnoreUnknown: + charptr = &options->ignored_unknown; + goto parse_string; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1238,6 +1254,7 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->ignored_unknown = NULL; } /* diff --git a/readconf.h b/readconf.h index e20573090..23fc500da 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.94 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */ /* * Author: Tatu Ylonen @@ -137,6 +137,8 @@ typedef struct { int use_roaming; int request_tty; + + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; #define SSHCTL_MASTER_NO 0 diff --git a/ssh_config.5 b/ssh_config.5 index 97897e00e..955afe351 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.162 2013/05/16 02:00:34 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.163 2013/05/16 04:27:50 djm Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -597,6 +597,17 @@ The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 -- cgit v1.2.3 From 63e0df2b936770baadc8844617b99e5174b476d0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:30:31 +1000 Subject: - jmc@cvs.openbsd.org 2013/05/16 06:28:45 [ssh_config.5] put IgnoreUnknown in the right place; --- ChangeLog | 3 +++ ssh_config.5 | 24 ++++++++++++------------ 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae0f84777..2eaa2a857 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@ + - jmc@cvs.openbsd.org 2013/05/16 06:28:45 + [ssh_config.5] + put IgnoreUnknown in the right place; 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/ssh_config.5 b/ssh_config.5 index 955afe351..003ed68ff 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.163 2013/05/16 04:27:50 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.164 2013/05/16 06:28:45 jmc Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -597,17 +597,6 @@ The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). -.It Cm IgnoreUnknown -Specifies a pattern-list of unknown options to be ignored if they are -encountered in configuration parsing. -This may be used to suppress errors if -.Nm -contains options that are unrecognised by -.Xr ssh 1 . -It is recommended that -.Cm IgnoreUnknown -be listed early in the configuration file as it will not be applied -to unknown options that appear before it. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 @@ -668,6 +657,17 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. Accepted values are -- cgit v1.2.3 From 64d22946d664dad8165f1fae9e78b53831ed728d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:31:29 +1000 Subject: - jmc@cvs.openbsd.org 2013/05/16 06:30:06 [sshd_config.5] oops! avoid Xr to self; --- ChangeLog | 3 +++ sshd_config.5 | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2eaa2a857..e5cc7d5e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - jmc@cvs.openbsd.org 2013/05/16 06:28:45 [ssh_config.5] put IgnoreUnknown in the right place; + - jmc@cvs.openbsd.org 2013/05/16 06:30:06 + [sshd_config.5] + oops! avoid Xr to self; 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/sshd_config.5 b/sshd_config.5 index 9e0b3a5c0..18b1d81a0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSHD_CONFIG 5 .Os @@ -1027,8 +1027,7 @@ depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the .Sx TIME FORMATS -section of -.Xr sshd_config 5 . +section. The default value for .Cm RekeyLimit is -- cgit v1.2.3 From dbee308253931f8c1aeebf781d7e7730ff6a0dc1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:32:29 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 09:08:41 [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c] Fix some "unused result" warnings found via clang and -portable. ok markus@ --- ChangeLog | 4 ++++ log.c | 4 ++-- schnorr.c | 12 +++++++----- scp.c | 4 ++-- serverloop.c | 4 ++-- sftp.c | 4 ++-- sshd.c | 5 +++-- 7 files changed, 22 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index e5cc7d5e7..cc59a47d0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,10 @@ - jmc@cvs.openbsd.org 2013/05/16 06:30:06 [sshd_config.5] oops! avoid Xr to self; + - dtucker@cvs.openbsd.org 2013/05/16 09:08:41 + [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c] + Fix some "unused result" warnings found via clang and -portable. + ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/log.c b/log.c index 81497a442..32e1d2e45 100644 --- a/log.c +++ b/log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: log.c,v 1.44 2013/04/07 02:10:33 dtucker Exp $ */ +/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -445,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args) log_handler = tmp_handler; } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(log_stderr_fd, msgbuf, strlen(msgbuf)); + (void)write(log_stderr_fd, msgbuf, strlen(msgbuf)); } else { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); diff --git a/schnorr.c b/schnorr.c index 4d54d6881..05c2e7758 100644 --- a/schnorr.c +++ b/schnorr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.c,v 1.5 2010/12/03 23:49:26 djm Exp $ */ +/* $OpenBSD: schnorr.c,v 1.6 2013/05/16 09:08:41 dtucker Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -488,12 +488,13 @@ debug3_bn(const BIGNUM *n, const char *fmt, ...) { char *out, *h; va_list args; + int ret; out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); + ret = vasprintf(&out, fmt, args); va_end(args); - if (out == NULL) + if (ret == -1 || out == NULL) fatal("%s: vasprintf failed", __func__); if (n == NULL) @@ -513,12 +514,13 @@ debug3_buf(const u_char *buf, u_int len, const char *fmt, ...) char *out, h[65]; u_int i, j; va_list args; + int ret; out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); + ret = vasprintf(&out, fmt, args); va_end(args); - if (out == NULL) + if (ret == -1 || out == NULL) fatal("%s: vasprintf failed", __func__); debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : ""); diff --git a/scp.c b/scp.c index 645d7403b..ae3d38802 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.172 2013/05/16 09:08:41 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -1325,7 +1325,7 @@ void lostconn(int signo) { if (!iamremote) - write(STDERR_FILENO, "lost connection\n", 16); + (void)write(STDERR_FILENO, "lost connection\n", 16); if (signo) _exit(1); else diff --git a/serverloop.c b/serverloop.c index 595899f61..a61d4ad32 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.165 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.166 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -148,7 +148,7 @@ static void notify_parent(void) { if (notify_pipe[1] != -1) - write(notify_pipe[1], "", 1); + (void)write(notify_pipe[1], "", 1); } static void notify_prepare(fd_set *readset) diff --git a/sftp.c b/sftp.c index 24396ef3c..12c4958d9 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.143 2013/04/18 02:16:07 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.144 2013/05/16 09:08:41 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -218,7 +218,7 @@ cmd_interrupt(int signo) const char msg[] = "\rInterrupt \n"; int olderrno = errno; - write(STDERR_FILENO, msg, sizeof(msg) - 1); + (void)write(STDERR_FILENO, msg, sizeof(msg) - 1); interrupted = 1; errno = olderrno; } diff --git a/sshd.c b/sshd.c index 9a8e7b8ba..df9d0d61e 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.400 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.401 2013/05/16 09:08:41 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1815,7 +1815,8 @@ main(int ac, char **av) /* Chdir to the root directory so that the current disk can be unmounted if desired. */ - chdir("/"); + if (chdir("/") == -1) + error("chdir(\"/\"): %s", strerror(errno)); /* ignore SIGPIPE */ signal(SIGPIPE, SIG_IGN); -- cgit v1.2.3 From b7ee8521448100e5b268111ff90feb017e657e44 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:33:10 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 [readconf.c servconf.c] switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ --- ChangeLog | 3 +++ readconf.c | 35 +++++++---------------------------- servconf.c | 35 +++++++---------------------------- 3 files changed, 17 insertions(+), 56 deletions(-) diff --git a/ChangeLog b/ChangeLog index cc59a47d0..845a6a28d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,9 @@ [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c] Fix some "unused result" warnings found via clang and -portable. ok markus@ + - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 + [readconf.c servconf.c] + switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/readconf.c b/readconf.c index 51b23a3b8..dccf3ba16 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.199 2013/05/16 04:27:50 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.200 2013/05/16 09:12:31 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -30,6 +30,7 @@ #include #include #include +#include #include "xmalloc.h" #include "ssh.h" @@ -579,33 +580,11 @@ parse_yesnoask: if (strcmp(arg, "default") == 0) { val64 = 0; } else { - if (arg[0] < '0' || arg[0] > '9') - fatal("%.200s line %d: Bad number.", filename, - linenum); - orig = val64 = strtoll(arg, &endofnumber, 10); - if (arg == endofnumber) - fatal("%.200s line %d: Bad number.", filename, - linenum); - switch (toupper(*endofnumber)) { - case '\0': - scale = 1; - break; - case 'K': - scale = 1<<10; - break; - case 'M': - scale = 1<<20; - break; - case 'G': - scale = 1<<30; - break; - default: - fatal("%.200s line %d: Invalid RekeyLimit " - "suffix", filename, linenum); - } - val64 *= scale; - /* detect integer wrap and too-large limits */ - if ((val64 / scale) != orig || val64 > UINT_MAX) + if (scan_scaled(arg, &val64) == -1) + fatal("%.200s line %d: Bad number '%s': %s", + filename, linenum, arg, strerror(errno)); + /* check for too-large or too-small limits */ + if (val64 > UINT_MAX) fatal("%.200s line %d: RekeyLimit too large", filename, linenum); if (val64 != 0 && val64 < 16) diff --git a/servconf.c b/servconf.c index 4e3026b83..145239342 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.236 2013/05/16 09:12:31 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -30,6 +30,7 @@ #include #include #include +#include #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -1134,33 +1135,11 @@ process_server_config_line(ServerOptions *options, char *line, if (strcmp(arg, "default") == 0) { val64 = 0; } else { - if (arg[0] < '0' || arg[0] > '9') - fatal("%.200s line %d: Bad number.", filename, - linenum); - orig = val64 = strtoll(arg, &endofnumber, 10); - if (arg == endofnumber) - fatal("%.200s line %d: Bad number.", filename, - linenum); - switch (toupper(*endofnumber)) { - case '\0': - scale = 1; - break; - case 'K': - scale = 1<<10; - break; - case 'M': - scale = 1<<20; - break; - case 'G': - scale = 1<<30; - break; - default: - fatal("%.200s line %d: Invalid RekeyLimit " - "suffix", filename, linenum); - } - val64 *= scale; - /* detect integer wrap and too-large limits */ - if ((val64 / scale) != orig || val64 > UINT_MAX) + if (scan_scaled(arg, &val64) == -1) + fatal("%.200s line %d: Bad number '%s': %s", + filename, linenum, arg, strerror(errno)); + /* check for too-large or too-small limits */ + if (val64 > UINT_MAX) fatal("%.200s line %d: RekeyLimit too large", filename, linenum); if (val64 != 0 && val64 < 16) -- cgit v1.2.3 From e194ba4111ffd47cd1f4c8be1ddc8a4cb673d005 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:47:31 +1000 Subject: - (dtucker) [configure.ac readconf.c servconf.c openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. --- ChangeLog | 2 ++ configure.ac | 7 ++++--- openbsd-compat/openbsd-compat.h | 6 +++++- readconf.c | 2 ++ servconf.c | 2 ++ 5 files changed, 15 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 845a6a28d..1779aa748 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,8 @@ - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 [readconf.c servconf.c] switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ + - (dtucker) [configure.ac readconf.c servconf.c + openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/configure.ac b/configure.ac index 6bcbef638..7d8adfcbc 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.523 2013/05/10 08:53:14 dtucker Exp $ +# $Id: configure.ac,v 1.524 2013/05/16 10:47:32 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.523 $) +AC_REVISION($Revision: 1.524 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1175,12 +1175,13 @@ AC_CHECK_FUNCS([utimes], dnl Checks for libutil functions AC_CHECK_HEADERS([bsd/libutil.h libutil.h]) AC_SEARCH_LIBS([fmt_scaled], [util bsd]) +AC_SEARCH_LIBS([scan_scaled], [util bsd]) AC_SEARCH_LIBS([login], [util bsd]) AC_SEARCH_LIBS([logout], [util bsd]) AC_SEARCH_LIBS([logwtmp], [util bsd]) AC_SEARCH_LIBS([openpty], [util bsd]) AC_SEARCH_LIBS([updwtmp], [util bsd]) -AC_CHECK_FUNCS([fmt_scaled login logout openpty updwtmp logwtmp]) +AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) AC_FUNC_STRFTIME diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 94d172aaa..3dbf1f244 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.56 2013/05/10 08:08:49 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.57 2013/05/16 10:47:32 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -111,6 +111,10 @@ char *dirname(const char *path); int fmt_scaled(long long number, char *result); #endif +#ifndef HAVE_SCAN_SCALED +int scan_scaled(char *, long long *); +#endif + #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) char *inet_ntoa(struct in_addr in); #endif diff --git a/readconf.c b/readconf.c index dccf3ba16..cbc1981ab 100644 --- a/readconf.c +++ b/readconf.c @@ -30,7 +30,9 @@ #include #include #include +#ifdef HAVE_UTIL_H #include +#endif #include "xmalloc.h" #include "ssh.h" diff --git a/servconf.c b/servconf.c index 145239342..b2123c6c7 100644 --- a/servconf.c +++ b/servconf.c @@ -30,7 +30,9 @@ #include #include #include +#ifdef HAVE_UTIL_H #include +#endif #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -- cgit v1.2.3 From 9113d0c2381202412c912a20c8083ab7d6824ec9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:48:14 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 [servconf.c readconf.c] remove now-unused variables --- ChangeLog | 3 +++ readconf.c | 6 +++--- servconf.c | 6 +++--- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1779aa748..c1fb0e4fc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 09:12:31 [readconf.c servconf.c] switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@ + - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 + [servconf.c readconf.c] + remove now-unused variables - (dtucker) [configure.ac readconf.c servconf.c openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. diff --git a/readconf.c b/readconf.c index cbc1981ab..30c1e83bd 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.200 2013/05/16 09:12:31 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.201 2013/05/16 10:43:34 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -385,9 +385,9 @@ process_config_line(Options *options, const char *host, char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; u_int i, *uintptr, max_entries = 0; - int negated, opcode, *intptr, value, value2, scale; + int negated, opcode, *intptr, value, value2; LogLevel *log_level_ptr; - long long orig, val64; + long long val64; size_t len; Forward fwd; diff --git a/servconf.c b/servconf.c index b2123c6c7..d77694476 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.236 2013/05/16 09:12:31 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.237 2013/05/16 10:43:34 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -812,13 +812,13 @@ process_server_config_line(ServerOptions *options, char *line, struct connection_info *connectinfo) { char *cp, **charptr, *arg, *p, *endofnumber; - int cmdline = 0, *intptr, value, value2, n, port, scale; + int cmdline = 0, *intptr, value, value2, n, port; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; ServerOpCodes opcode; u_int i, flags = 0; size_t len; - long long orig, val64; + long long val64; const struct multistate *multistate_ptr; cp = line; -- cgit v1.2.3 From 09c0f0325b2f538de9a1073e03b8ef26dece4c16 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:48:57 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 10:44:06 [servconf.c] remove another now-unused variable --- ChangeLog | 3 +++ servconf.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c1fb0e4fc..dc9d7f63c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 10:43:34 [servconf.c readconf.c] remove now-unused variables + - dtucker@cvs.openbsd.org 2013/05/16 10:44:06 + [servconf.c] + remove another now-unused variable - (dtucker) [configure.ac readconf.c servconf.c openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled. diff --git a/servconf.c b/servconf.c index d77694476..90f6d4653 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.237 2013/05/16 10:43:34 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.238 2013/05/16 10:44:06 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -811,7 +811,7 @@ process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, struct connection_info *connectinfo) { - char *cp, **charptr, *arg, *p, *endofnumber; + char *cp, **charptr, *arg, *p; int cmdline = 0, *intptr, value, value2, n, port; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; -- cgit v1.2.3 From 712de4d1100963b11bc618472f95ce36bf7e2ae3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:07:12 +1000 Subject: - djm@cvs.openbsd.org 2013/03/07 00:20:34 [regress/proxy-connect.sh] repeat test with a style appended to the username --- ChangeLog | 6 ++++++ regress/proxy-connect.sh | 10 +++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index dc9d7f63c..98b742825 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ + 20130517 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/03/07 00:20:34 + [regress/proxy-connect.sh] + repeat test with a style appended to the username + 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be executed if mktemp failed; bz#2105 ok dtucker@ diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh index 6a36b2513..76e602dd6 100644 --- a/regress/proxy-connect.sh +++ b/regress/proxy-connect.sh @@ -1,8 +1,9 @@ -# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $ +# $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $ # Placed in the Public Domain. tid="proxy connect" +verbose "plain username" for p in 1 2; do ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true if [ $? -ne 0 ]; then @@ -16,3 +17,10 @@ for p in 1 2; do fail "bad SSH_CONNECTION" fi done + +verbose "username with style" +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ + fail "ssh proxyconnect protocol $p failed" +done + -- cgit v1.2.3 From 7c8b1e72331293b4707dc6f7f68a69e975a3fa70 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:10:20 +1000 Subject: - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 [test-exec.sh] Only regenerate host keys if they don't exist or if ssh-keygen has changed since they were. Reduces test runtime by 5-30% depending on machine speed. --- ChangeLog | 5 +++++ regress/test-exec.sh | 10 ++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 98b742825..95586e871 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - djm@cvs.openbsd.org 2013/03/07 00:20:34 [regress/proxy-connect.sh] repeat test with a style appended to the username + - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 + [test-exec.sh] + Only regenerate host keys if they don't exist or if ssh-keygen has changed + since they were. Reduces test runtime by 5-30% depending on machine + speed. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/test-exec.sh b/regress/test-exec.sh index aa4e6e5c0..29dac3de9 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.37 2010/02/24 06:21:56 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.38 2013/03/23 11:09:43 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -309,9 +309,11 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER trace "generate keys" for t in rsa rsa1; do # generate user key - rm -f $OBJ/$t - ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\ - fail "ssh-keygen for $t failed" + if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then + rm -f $OBJ/$t + ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ + fail "ssh-keygen for $t failed" + fi # known hosts file for client ( -- cgit v1.2.3 From 75129025a2d504b630d1718fef0da002f5662f63 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:19:10 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/06 06:00:22 [regress/rekey.sh regress/test-exec.sh regress/integrity.sh regress/multiplex.sh Makefile regress/cfgmatch.sh] Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added. --- ChangeLog | 8 +++++++- regress/Makefile | 6 +++--- regress/cfgmatch.sh | 4 ++-- regress/integrity.sh | 4 ++-- regress/multiplex.sh | 14 +++++++------- regress/rekey.sh | 6 +++--- regress/test-exec.sh | 33 ++++++++++++++++++++++++--------- 7 files changed, 48 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index 95586e871..14450ac65 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,10 +4,16 @@ [regress/proxy-connect.sh] repeat test with a style appended to the username - dtucker@cvs.openbsd.org 2013/03/23 11:09:43 - [test-exec.sh] + [regress/test-exec.sh] Only regenerate host keys if they don't exist or if ssh-keygen has changed since they were. Reduces test runtime by 5-30% depending on machine speed. + - dtucker@cvs.openbsd.org 2013/04/06 06:00:22 + [regress/rekey.sh regress/test-exec.sh regress/integrity.sh + regress/multiplex.sh Makefile regress/cfgmatch.sh] + Split the regress log into 3 parts: the debug output from ssh, the debug + log from sshd and the output from the client command (ssh, scp or sftp). + Somewhat functional now, will become more useful when ssh/sshd -E is added. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index 6ef5d9cce..b99bd3e83 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $ +# $OpenBSD: Makefile,v 1.63 2013/04/06 06:00:22 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -82,8 +82,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ - sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* - + sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ + ssh.log sshd.log regress.log # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 0603fab64..02755d9d0 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.7 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -15,7 +15,7 @@ start_client() rm -f $pidfile ${SSH} -q -$p $fwd "$@" somehost \ exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ - >>$TEST_SSH_LOGFILE 2>&1 & + >>$TEST_REGRESS_LOGFILE 2>&1 & client_pid=$! # Wait for remote end n=0 diff --git a/regress/integrity.sh b/regress/integrity.sh index 4d46926d5..1bd330a18 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $ +# $OpenBSD: integrity.sh,v 1.8 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -22,7 +22,7 @@ config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" # sshd-command for proxy (see test-exec.sh) -cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" +cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" jot() { awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 1e6cc7606..6491837a4 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.18 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -55,13 +55,13 @@ cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}" rm -f ${COPY} trace "sftp transfer over multiplexed connection and check result" echo "get ${DATA} ${COPY}" | \ - ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_SSH_LOGFILE 2>&1 + ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1 test -f ${COPY} || fail "sftp: failed copy ${DATA}" cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" rm -f ${COPY} trace "scp transfer over multiplexed connection and check result" -${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_SSH_LOGFILE 2>&1 +${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1 test -f ${COPY} || fail "scp: failed copy ${DATA}" cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" @@ -87,11 +87,11 @@ for s in 0 1 4 5 44; do done verbose "test $tid: cmd check" -${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \ +${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "check command failed" verbose "test $tid: cmd exit" -${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \ +${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "send exit command failed" # Wait for master to exit @@ -107,9 +107,9 @@ wait_for_mux_master_ready # start a long-running command then immediately request a stop ${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ - >>$TEST_SSH_LOGFILE 2>&1 & + >>$TEST_REGRESS_LOGFILE 2>&1 & SLEEP_PID=$! -${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \ +${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "send stop command failed" # wait until both long-running command and master have exited. diff --git a/regress/rekey.sh b/regress/rekey.sh index 3c5f266fc..b23cfca70 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,11 +1,11 @@ -# $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $ +# $OpenBSD: rekey.sh,v 1.2 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" DATA=${OBJ}/data COPY=${OBJ}/copy -LOG=${OBJ}/log +LOG=${TEST_SSH_LOGFILE} rm -f ${COPY} ${LOG} ${DATA} touch ${DATA} @@ -29,4 +29,4 @@ for s in 16 1k 128k 256k; do fail "no rekeying occured" fi done -rm -f ${COPY} ${LOG} ${DATA} +rm -f ${COPY} ${DATA} diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 29dac3de9..b02172c03 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.38 2013/03/23 11:09:43 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.39 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -136,9 +136,24 @@ case "$SSHD" in *) SSHD=`which sshd` ;; esac +# Logfiles. +# SSH_LOGFILE should be the debug output of ssh(1) only +# SSHD_LOGFILE should be the debug output of sshd(8) only +# REGRESS_LOGFILE is the output of the test itself stdout and stderr if [ "x$TEST_SSH_LOGFILE" = "x" ]; then - TEST_SSH_LOGFILE=/dev/null + TEST_SSH_LOGFILE=$OBJ/ssh.log fi +if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then + TEST_SSHD_LOGFILE=$OBJ/sshd.log +fi +if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then + TEST_REGRESS_LOGFILE=$OBJ/regress.log +fi + +# truncate logfiles +>$TEST_SSH_LOGFILE +>$TEST_SSHD_LOGFILE +>$TEST_REGRESS_LOGFILE # Some data for test copies DATA=$OBJ/testdata @@ -201,7 +216,7 @@ cleanup () trace () { - echo "trace: $@" >>$TEST_SSH_LOGFILE + echo "trace: $@" >>$TEST_REGRESS_LOGFILE if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then echo "$@" fi @@ -209,7 +224,7 @@ trace () verbose () { - echo "verbose: $@" >>$TEST_SSH_LOGFILE + echo "verbose: $@" >>$TEST_REGRESS_LOGFILE if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then echo "$@" fi @@ -223,14 +238,14 @@ warn () fail () { - echo "FAIL: $@" >>$TEST_SSH_LOGFILE + echo "FAIL: $@" >>$TEST_REGRESS_LOGFILE RESULT=1 echo "$@" } fatal () { - echo "FATAL: $@" >>$TEST_SSH_LOGFILE + echo "FATAL: $@" >>$TEST_REGRESS_LOGFILE echon "FATAL: " fail "$@" cleanup @@ -372,7 +387,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy - echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy REGRESS_INTEROP_PUTTY=yes fi @@ -380,7 +395,7 @@ fi # create a proxy version of the client config ( cat $OBJ/ssh_config - echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy + echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy ) > $OBJ/ssh_proxy # check proxy config @@ -390,7 +405,7 @@ start_sshd () { # start sshd $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" - $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSH_LOGFILE 2>&1 + $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSHD_LOGFILE 2>&1 trace "wait for sshd" i=0; -- cgit v1.2.3 From dfea3bcdd7c980c2335402464b7dd8d8721e426d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:31:39 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 [regress/Makefile regress/rekey.sh regress/integrity.sh regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and save the output from any failing tests. If a test fails the debug output from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. --- ChangeLog | 7 +++++++ regress/Makefile | 5 +++-- regress/forwarding.sh | 6 +++--- regress/integrity.sh | 11 ++++++----- regress/rekey.sh | 5 ++--- regress/sshd-log-wrapper.sh | 4 ++-- regress/test-exec.sh | 44 ++++++++++++++++++++++++++++++++++++-------- 7 files changed, 59 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 14450ac65..bb6787cf4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,13 @@ Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added. + - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 + [regress/Makefile regress/rekey.sh regress/integrity.sh + regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] + use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and + save the output from any failing tests. If a test fails the debug output + from ssh and sshd for the failing tests (and only the failing tests) should + be available in failed-ssh{,d}.log. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index b99bd3e83..4ac5b4d42 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.63 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: Makefile,v 1.64 2013/04/07 02:16:03 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -83,7 +83,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ - ssh.log sshd.log regress.log + ssh.log failed-ssh.log sshd.log failed-sshd.log \ + regress.log failed-regress.log ssh-log-wrapper.sh # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/forwarding.sh b/regress/forwarding.sh index f9c367beb..6a7003070 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $ +# $OpenBSD: forwarding.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -75,7 +75,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>>$TEST_SSH_LOGFILE && \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ fail "local forwarding not cleared" fi sleep 10 @@ -88,7 +88,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>>$TEST_SSH_LOGFILE && \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ fail "remote forwarding not cleared" fi sleep 10 diff --git a/regress/integrity.sh b/regress/integrity.sh index 1bd330a18..3950b7d1f 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.8 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -47,14 +47,15 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ - 999.999.999.999 'printf "%4096s" " "' 2>&1` + verbose "test $tid: $m @$off $output" + ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" fi ecnt=`expr $ecnt + 1` - output=`echo $output | tr -s '\r\n' '.'` - verbose "test $tid: $m @$off $output" + output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \ + tr -s '\r\n' '.') case "$output" in Bad?packet*) elen=`expr $elen + 1`; skip=3;; Corrupted?MAC* | Decryption?integrity?check?failed*) diff --git a/regress/rekey.sh b/regress/rekey.sh index b23cfca70..d2542ecd4 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.2 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -16,8 +16,7 @@ for s in 16 1k 128k 256k; do rm -f ${COPY} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \ - 2> ${LOG} + -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh failed" fi diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh index c7a5ef3a6..a9386be4d 100644 --- a/regress/sshd-log-wrapper.sh +++ b/regress/sshd-log-wrapper.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $ +# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. # # simple wrapper for sshd proxy mode to catch stderr output @@ -10,4 +10,4 @@ log=$2 shift shift -exec $sshd $@ -e 2>>$log +exec $sshd -E$log $@ diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b02172c03..f797ab68d 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.39 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.40 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -159,6 +159,15 @@ fi DATA=$OBJ/testdata cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA +# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." +# because sftp and scp don't handle spaces in arguments. +SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh +echo "#!/bin/sh" > $SSHLOGWRAP +echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP + +chmod a+rx $OBJ/ssh-log-wrapper.sh +SSH="$SSHLOGWRAP" + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP @@ -214,9 +223,26 @@ cleanup () fi } +start_debug_log () +{ + echo "trace: $@" >$TEST_REGRESS_LOGFILE + echo "trace: $@" >$TEST_SSH_LOGFILE + echo "trace: $@" >$TEST_SSHD_LOGFILE +} + +save_debug_log () +{ + echo $@ >>$TEST_REGRESS_LOGFILE + echo $@ >>$TEST_SSH_LOGFILE + echo $@ >>$TEST_SSHD_LOGFILE + (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log + (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log + (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log +} + trace () { - echo "trace: $@" >>$TEST_REGRESS_LOGFILE + start_debug_log $@ if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then echo "$@" fi @@ -224,7 +250,7 @@ trace () verbose () { - echo "verbose: $@" >>$TEST_REGRESS_LOGFILE + start_debug_log $@ if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then echo "$@" fi @@ -238,15 +264,16 @@ warn () fail () { - echo "FAIL: $@" >>$TEST_REGRESS_LOGFILE + save_debug_log "FAIL: $@" RESULT=1 echo "$@" + } fatal () { - echo "FATAL: $@" >>$TEST_REGRESS_LOGFILE - echon "FATAL: " + save_debug_log "FATAL: $@" + echo -n "FATAL: " fail "$@" cleanup exit $RESULT @@ -278,7 +305,7 @@ cat << EOF > $OBJ/sshd_config #ListenAddress ::1 PidFile $PIDFILE AuthorizedKeysFile $OBJ/authorized_keys_%u - LogLevel VERBOSE + LogLevel DEBUG3 AcceptEnv _XXX_TEST_* AcceptEnv _XXX_TEST Subsystem sftp $SFTPSERVER @@ -312,6 +339,7 @@ Host * PasswordAuthentication no BatchMode yes StrictHostKeyChecking yes + LogLevel DEBUG3 EOF if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then @@ -405,7 +433,7 @@ start_sshd () { # start sshd $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" - $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSHD_LOGFILE 2>&1 + $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE trace "wait for sshd" i=0; -- cgit v1.2.3 From f3568fc62b73b50a0a3c8447e4a00f4892cab25e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:35:26 +1000 Subject: - djm@cvs.openbsd.org 2013/04/18 02:46:12 [Makefile regress/sftp-chroot.sh] test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ --- ChangeLog | 3 +++ regress/Makefile | 6 +++++- regress/sftp-chroot.sh | 26 ++++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 regress/sftp-chroot.sh diff --git a/ChangeLog b/ChangeLog index bb6787cf4..aec54e436 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ save the output from any failing tests. If a test fails the debug output from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. + - djm@cvs.openbsd.org 2013/04/18 02:46:12 + [Makefile regress/sftp-chroot.sh] + test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index 4ac5b4d42..b19c7ae22 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.64 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -8,6 +8,7 @@ interop interop-tests: t-exec-interop clean: for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done + test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN} rm -rf $(OBJ).putty distclean: clean @@ -38,6 +39,7 @@ LTESTS= connect \ key-options \ scp \ sftp \ + sftp-chroot \ sftp-cmds \ sftp-badcmds \ sftp-batch \ @@ -86,6 +88,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ regress.log failed-regress.log ssh-log-wrapper.sh +SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} + # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh new file mode 100644 index 000000000..8c07979b4 --- /dev/null +++ b/regress/sftp-chroot.sh @@ -0,0 +1,26 @@ +# $OpenBSD: sftp-chroot.sh,v 1.1 2013/04/18 02:46:12 djm Exp $ +# Placed in the Public Domain. + +tid="sftp in chroot" + +COPY=${OBJ}/copy +CHROOT=/var/run +FILENAME=testdata_${USER} +PRIVDATA=${CHROOT}/${FILENAME} + +if [ -z "$SUDO" ]; then + fatal "need SUDO to create file in /var/run, test won't work without" +fi + +$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ + fatal "create $PRIVDATA failed" + +start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /" + +verbose "test $tid: get" +rm -f ${COPY} +${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \ + fatal "Fetch ${FILENAME} failed" +cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ" + +$SUDO rm $PRIVDATA -- cgit v1.2.3 From 40aaff7e4bcb05b05e3d24938b6d34885be817da Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:36:20 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 [multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate --- ChangeLog | 5 ++++- regress/multiplex.sh | 20 ++++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index aec54e436..3b50d2e55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,8 +22,11 @@ from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. - djm@cvs.openbsd.org 2013/04/18 02:46:12 - [Makefile regress/sftp-chroot.sh] + [regress/Makefile regress/sftp-chroot.sh] test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ + - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 + [multiplex.sh] + Write mux master logs to regress.log instead of ssh.log to keep separate 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 6491837a4..619fec9b9 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.18 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.19 2013/04/22 07:23:08 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -25,10 +25,16 @@ wait_for_mux_master_ready() start_sshd -trace "start master, fork to background" -${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & -MASTER_PID=$! -wait_for_mux_master_ready +start_mux_master() +{ + trace "start master, fork to background" + ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \ + -E $TEST_REGRESS_LOGFILE 2>&1 & + MASTER_PID=$! + wait_for_mux_master_ready +} + +start_mux_master verbose "test $tid: envpass" trace "env passing over multiplexed connection" @@ -101,9 +107,7 @@ kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" # Restart master and test -O stop command with master using -N verbose "test $tid: cmd stop" trace "restart master, fork to background" -${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & -MASTER_PID=$! -wait_for_mux_master_ready +start_mux_master # start a long-running command then immediately request a stop ${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \ -- cgit v1.2.3 From a4df65b9fc68a555a7d8781700475fb03ed6e694 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:37:31 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/22 07:28:53 [multiplex.sh] Add tests for -Oforward and -Ocancel for local and remote forwards --- ChangeLog | 2 +- regress/multiplex.sh | 23 ++++++++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3b50d2e55..46f2d5e8b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,7 +25,7 @@ [regress/Makefile regress/sftp-chroot.sh] test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@ - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 - [multiplex.sh] + [regress/multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate 20130516 diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 619fec9b9..8389b3840 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.19 2013/04/22 07:23:08 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.20 2013/04/22 07:28:53 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -12,6 +12,7 @@ fi DATA=/bin/ls${EXEEXT} COPY=$OBJ/ls.copy +P=3301 # test port wait_for_mux_master_ready() { @@ -96,6 +97,26 @@ verbose "test $tid: cmd check" ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "check command failed" +verbose "test $tid: cmd forward local" +${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \ + || fail "request local forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + || fail "connect to local forward port failed" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \ + || fail "cancel local forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + && fail "local forward port still listening" + +verbose "test $tid: cmd forward remote" +${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \ + || fail "request remote forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + || fail "connect to remote forwarded port failed" +${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \ + || fail "cancel remote forward failed" +${SSH} -F $OBJ/ssh_config -p$P otherhost true \ + && fail "remote forward port still listening" + verbose "test $tid: cmd exit" ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \ || fail "send exit command failed" -- cgit v1.2.3 From 5e95173715d516e6014485e2b6def1fb3db84036 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:41:33 +1000 Subject: - djm@cvs.openbsd.org 2013/05/10 03:46:14 [modpipe.c] sync some portability changes from portable OpenSSH (id sync only) --- ChangeLog | 3 +++ regress/modpipe.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 46f2d5e8b..5df073c92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,9 @@ - dtucker@cvs.openbsd.org 2013/04/22 07:23:08 [regress/multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate + - djm@cvs.openbsd.org 2013/05/10 03:46:14 + [modpipe.c] + sync some portability changes from portable OpenSSH (id sync only) 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/modpipe.c b/regress/modpipe.c index 3322d1a70..85747cf7d 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ +/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */ #include "includes.h" -- cgit v1.2.3 From a8a62fcc46c19997797846197a6256ed9a777a47 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:42:34 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 [rekey.sh] Add test for time-based rekeying --- ChangeLog | 3 +++ regress/rekey.sh | 23 +++++++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5df073c92..41a628fa8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ - djm@cvs.openbsd.org 2013/05/10 03:46:14 [modpipe.c] sync some portability changes from portable OpenSSH (id sync only) + - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 + [rekey.sh] + Add test for time-based rekeying 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index d2542ecd4..24d6c9652 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.4 2013/05/16 02:10:35 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -13,7 +13,7 @@ dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do trace "rekeylimit ${s}" - rm -f ${COPY} + rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" @@ -28,4 +28,23 @@ for s in 16 1k 128k 256k; do fail "no rekeying occured" fi done + +for s in 5 10 15 ; do + trace "rekeylimit default ${s}" + rm -f ${COPY} ${LOG} + cat $DATA | \ + ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 5" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + rm -f ${COPY} ${DATA} -- cgit v1.2.3 From c31c8729c15f83fba14ef9da0d66bda6215ff69a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:43:33 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 [regress/rekey.sh] test rekeying when there's no data being transferred --- ChangeLog | 7 +++++-- regress/rekey.sh | 26 +++++++++++++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 41a628fa8..b44002024 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,11 +28,14 @@ [regress/multiplex.sh] Write mux master logs to regress.log instead of ssh.log to keep separate - djm@cvs.openbsd.org 2013/05/10 03:46:14 - [modpipe.c] + [regress/modpipe.c] sync some portability changes from portable OpenSSH (id sync only) - dtucker@cvs.openbsd.org 2013/05/16 02:10:35 - [rekey.sh] + [regress/rekey.sh] Add test for time-based rekeying + - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 + [regress/rekey.sh] + test rekeying when there's no data being transferred 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index 24d6c9652..3576a2a01 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.4 2013/05/16 02:10:35 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.5 2013/05/16 03:33:30 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -12,7 +12,7 @@ touch ${DATA} dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do - trace "rekeylimit ${s}" + verbose "rekeylimit ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ @@ -29,12 +29,12 @@ for s in 16 1k 128k 256k; do fi done -for s in 5 10 15 ; do - trace "rekeylimit default ${s}" +for s in 5 10; do + verbose "rekeylimit default ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ - $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 5" + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" if [ $? -ne 0 ]; then fail "ssh failed" fi @@ -47,4 +47,20 @@ for s in 5 10 15 ; do fi done +for s in 5 10; do + verbose "rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + rm -f ${COPY} ${DATA} -- cgit v1.2.3 From 14490fe7b0f45b1b19f8a3dc10eb3d214f27f5bd Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:44:20 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 [regress/rekey.sh] add server-side rekey test --- ChangeLog | 3 +++ regress/rekey.sh | 24 ++++++++++++++++++++---- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index b44002024..cff12dd94 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 03:33:30 [regress/rekey.sh] test rekeying when there's no data being transferred + - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 + [regress/rekey.sh] + add server-side rekey test 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index 3576a2a01..736da9f92 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.5 2013/05/16 03:33:30 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.6 2013/05/16 04:26:10 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -12,7 +12,7 @@ touch ${DATA} dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do - verbose "rekeylimit ${s}" + verbose "client rekeylimit ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ @@ -30,7 +30,7 @@ for s in 16 1k 128k 256k; do done for s in 5 10; do - verbose "rekeylimit default ${s}" + verbose "client rekeylimit default ${s}" rm -f ${COPY} ${LOG} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ @@ -48,7 +48,7 @@ for s in 5 10; do done for s in 5 10; do - verbose "rekeylimit default ${s} no data" + verbose "client rekeylimit default ${s} no data" rm -f ${COPY} ${LOG} ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ $OBJ/ssh_proxy somehost "sleep $s;sleep 3" @@ -63,4 +63,20 @@ for s in 5 10; do fi done +echo "rekeylimit default 5" >>$OBJ/sshd_proxy +for s in 5 10; do + verbose "server rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + rm -f ${COPY} ${DATA} -- cgit v1.2.3 From 982b0cbc4c2b5ea14725f4b339393cdf343dd0fe Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:45:12 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 [regress/rekey.sh] add tests for RekeyLimit parsing --- ChangeLog | 3 +++ regress/rekey.sh | 35 +++++++++++++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index cff12dd94..aabd6acd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,9 @@ - dtucker@cvs.openbsd.org 2013/05/16 04:26:10 [regress/rekey.sh] add server-side rekey test + - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 + [regress/rekey.sh] + add tests for RekeyLimit parsing 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/rekey.sh b/regress/rekey.sh index 736da9f92..cefdea534 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,7 +1,7 @@ -# $OpenBSD: rekey.sh,v 1.6 2013/05/16 04:26:10 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.7 2013/05/16 05:48:31 dtucker Exp $ # Placed in the Public Domain. -tid="rekey during transfer data" +tid="rekey" DATA=${OBJ}/data COPY=${OBJ}/copy @@ -79,4 +79,35 @@ for s in 5 10; do fi done +verbose "rekeylimit parsing" +for size in 16 1k 1K 1m 1M 1g 1G; do + for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do + case $size in + 16) bytes=16 ;; + 1k|1K) bytes=1024 ;; + 1m|1M) bytes=1048576 ;; + 1g|1G) bytes=1073741824 ;; + esac + case $time in + 1) seconds=1 ;; + 1m|1M) seconds=60 ;; + 1h|1H) seconds=3600 ;; + 1d|1D) seconds=86400 ;; + 1w|1W) seconds=604800 ;; + esac + + b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $2}'` + s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $3}'` + + if [ "$bytes" != "$b" ]; then + fatal "rekeylimit size: expected $bytes got $b" + fi + if [ "$seconds" != "$s" ]; then + fatal "rekeylimit time: expected $time got $s" + fi + done +done + rm -f ${COPY} ${DATA} -- cgit v1.2.3 From 6e1e60c3c2e16c32bb7ca0876caaa6182a4e4b2c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 11:23:41 +1000 Subject: - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. --- ChangeLog | 2 ++ regress/bsd.regress.mk | 79 -------------------------------------------------- 2 files changed, 2 insertions(+), 79 deletions(-) delete mode 100644 regress/bsd.regress.mk diff --git a/ChangeLog b/ChangeLog index aabd6acd0..61601f6ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,8 @@ - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 [regress/rekey.sh] add tests for RekeyLimit parsing + - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it + in portable and it's long gone in openbsd. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/bsd.regress.mk b/regress/bsd.regress.mk deleted file mode 100644 index 9b8011a01..000000000 --- a/regress/bsd.regress.mk +++ /dev/null @@ -1,79 +0,0 @@ -# $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $ -# No man pages for regression tests. -NOMAN= - -# No installation. -install: - -# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG -.if defined(REGRESSTARGETS) && !defined(PROG) -NOPROG= -.endif - -.include - -.MAIN: all -all: regress - -# XXX - Need full path to REGRESSLOG, otherwise there will be much pain. - -REGRESSLOG?=/dev/null -REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///} - -.if defined(PROG) && !empty(PROG) -run-regress-${PROG}: ${PROG} - ./${PROG} -.endif - -.if !defined(REGRESSTARGETS) -REGRESSTARGETS=run-regress-${PROG} -. if defined(REGRESSSKIP) -REGRESSSKIPTARGETS=run-regress-${PROG} -. endif -.endif - -REGRESSSKIPSLOW?=no - -#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS) - -.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS) -REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS} -.endif - -.if defined(REGRESSROOTTARGETS) -ROOTUSER!=id -g -SUDO?= -. if (${ROOTUSER} != 0) && empty(SUDO) -REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS} -. endif -.endif - -REGRESSSKIPTARGETS?= - -regress: -.for RT in ${REGRESSTARGETS} -. if ${REGRESSSKIPTARGETS:M${RT}} - @echo -n "SKIP " >> ${REGRESSLOG} -. else -# XXX - we need a better method to see if a test fails due to timeout or just -# normal failure. -. if !defined(REGRESSMAXTIME) - @if cd ${.CURDIR} && ${MAKE} ${RT}; then \ - echo -n "SUCCESS " >> ${REGRESSLOG} ; \ - else \ - echo -n "FAIL " >> ${REGRESSLOG} ; \ - echo FAILED ; \ - fi -. else - @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \ - echo -n "SUCCESS " >> ${REGRESSLOG} ; \ - else \ - echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \ - echo FAILED ; \ - fi -. endif -. endif - @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG} -.endfor - -.PHONY: regress -- cgit v1.2.3 From 91af05c5167fe0aa5bd41d2e4a83757d9f627c18 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 13:16:59 +1000 Subject: - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange methods. When the openssl version doesn't support ECDH then next one on the list is DH group exchange, but that causes a bit more traffic which can mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for. --- ChangeLog | 5 +++++ regress/integrity.sh | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/ChangeLog b/ChangeLog index 61601f6ba..2f6572779 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,11 @@ add tests for RekeyLimit parsing - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. + - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange + methods. When the openssl version doesn't support ECDH then next one on + the list is DH group exchange, but that causes a bit more traffic which can + mean that the tests flip bits in the initial exchange rather than the MACed + traffic and we get different errors to what the tests look for. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/integrity.sh b/regress/integrity.sh index 3950b7d1f..2621a0025 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -21,6 +21,11 @@ config_defined HAVE_EVP_SHA256 && config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" +# avoid DH group exchange as the extra traffic makes it harder to get the +# offset into the stream right. +echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ + >> $OBJ/ssh_proxy + # sshd-command for proxy (see test-exec.sh) cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" -- cgit v1.2.3 From 56347efe796a0506e846621ae65562b978e45f1d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 13:28:36 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 00:37:40 [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh regress/ssh-com.sh] replace 'echo -n' with 'printf' since it's more portable also remove "echon" hack. --- ChangeLog | 7 +++++++ regress/agent.sh | 4 ++-- regress/cert-hostkey.sh | 48 ++++++++++++++++++++++++------------------------ regress/cert-userkey.sh | 10 +++++----- regress/cfgmatch.sh | 6 +++--- regress/cipher-speed.sh | 2 +- regress/forcecommand.sh | 8 ++++---- regress/keytype.sh | 4 ++-- regress/proto-version.sh | 4 ++-- regress/ssh-com.sh | 4 ++-- regress/test-exec.sh | 18 +++--------------- 11 files changed, 55 insertions(+), 60 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2f6572779..da5495f59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,13 @@ - dtucker@cvs.openbsd.org 2013/05/16 05:48:31 [regress/rekey.sh] add tests for RekeyLimit parsing + - dtucker@cvs.openbsd.org 2013/05/17 00:37:40 + [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh + regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh + regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh + regress/ssh-com.sh] + replace 'echo -n' with 'printf' since it's more portable + also remove "echon" hack. - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/agent.sh b/regress/agent.sh index 094cf694b..be7d91334 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.7 2007/11/25 15:35:09 jmc Exp $ +# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -19,7 +19,7 @@ else fail "ssh-add -l did not fail with exit code 1" fi trace "overwrite authorized keys" - echon > $OBJ/authorized_keys_$USER + printf '' > $OBJ/authorized_keys_$USER for t in rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 6216abd87..35cd39293 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -18,8 +18,8 @@ HOSTS='localhost-with-alias,127.0.0.1,::1' ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ fail "ssh-keygen of host_ca_key failed" ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert @@ -66,25 +66,25 @@ done # Revoked certificates with key present ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_rsa.pub if test "x$TEST_SSH_ECC" = "xyes"; then - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_ecdsa.pub fi - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_dsa.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_rsa_v00.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_dsa_v00.pub ) > $OBJ/known_hosts-cert for privsep in yes no ; do @@ -108,11 +108,11 @@ done # Revoked CA ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub - echon '@revoked ' - echon "* " + printf '@revoked ' + printf "* " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do @@ -132,8 +132,8 @@ done # Create a CA key and add it to known hosts ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert @@ -200,7 +200,7 @@ for v in v01 v00 ; do -n $HOSTS $OBJ/cert_host_key_${ktype} || fail "couldn't sign cert_host_key_${ktype}" ( - echon "$HOSTS " + printf "$HOSTS " cat $OBJ/cert_host_key_${ktype}.pub ) > $OBJ/known_hosts-cert ( @@ -220,8 +220,8 @@ done # Wrong certificate ( - echon '@cert-authority ' - echon "$HOSTS " + printf '@cert-authority ' + printf "$HOSTS " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for v in v01 v00 ; do diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 3bba9f8f2..6018b38f4 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -126,7 +126,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do # Wrong principals list verbose "$tid: ${_prefix} wrong principals key option" ( - echon 'cert-authority,principals="gregorsamsa" ' + printf 'cert-authority,principals="gregorsamsa" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER ${SSH} -2i $OBJ/cert_user_key_${ktype} \ @@ -138,7 +138,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do # Correct principals list verbose "$tid: ${_prefix} correct principals key option" ( - echon 'cert-authority,principals="mekmitasdigoat" ' + printf 'cert-authority,principals="mekmitasdigoat" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER ${SSH} -2i $OBJ/cert_user_key_${ktype} \ @@ -154,7 +154,7 @@ basic_tests() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echon 'cert-authority ' + printf 'cert-authority ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else @@ -264,7 +264,7 @@ test_one() { if test "x$auth" = "xauthorized_keys" ; then # Add CA to authorized_keys ( - echon "cert-authority${auth_opt} " + printf "cert-authority${auth_opt} " cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER else diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 02755d9d0..df4acfe0c 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.7 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -75,9 +75,9 @@ for p in 1 2; do done # Retry previous with key option, should also be denied. -echon 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER +printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER -echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER +printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do trace "match permitopen proxy w/key opts proto $p" diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 65e5f35ec..07daebe62 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $ +# $OpenBSD: cipher-speed.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index 99e51a60f..ba21c0eb1 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh @@ -5,9 +5,9 @@ tid="forced command" cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -echon 'command="true" ' >$OBJ/authorized_keys_$USER +printf 'command="true" ' >$OBJ/authorized_keys_$USER cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER -echon 'command="true" ' >>$OBJ/authorized_keys_$USER +printf 'command="true" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do @@ -16,9 +16,9 @@ for p in 1 2; do fail "forced command in key proto $p" done -echon 'command="false" ' >$OBJ/authorized_keys_$USER +printf 'command="false" ' >$OBJ/authorized_keys_$USER cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER -echon 'command="false" ' >>$OBJ/authorized_keys_$USER +printf 'command="false" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy diff --git a/regress/keytype.sh b/regress/keytype.sh index cb40c6864..59586bf0d 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.1 2010/09/02 16:12:55 markus Exp $ +# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -40,7 +40,7 @@ for ut in $ktypes; do echo IdentityFile $OBJ/key.$ut ) > $OBJ/ssh_proxy ( - echon 'localhost-with-alias,127.0.0.1,::1 ' + printf 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/key.$ht.pub ) > $OBJ/known_hosts cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER diff --git a/regress/proto-version.sh b/regress/proto-version.sh index 1651a69e1..b876dd7ec 100644 --- a/regress/proto-version.sh +++ b/regress/proto-version.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="sshd version with different protocol combinations" @@ -8,7 +8,7 @@ check_version () { version=$1 expect=$2 - banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) proto=199 diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh index 7bcd85b65..6c5cfe888 100644 --- a/regress/ssh-com.sh +++ b/regress/ssh-com.sh @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $ +# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="connect to ssh.com server" @@ -70,7 +70,7 @@ done # convert and append DSA hostkey ( - echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + printf 'ssh2-localhost-with-alias,127.0.0.1,::1 ' ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub ) >> $OBJ/known_hosts diff --git a/regress/test-exec.sh b/regress/test-exec.sh index f797ab68d..0680eaa94 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.40 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.41 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -172,18 +172,6 @@ SSH="$SSHLOGWRAP" export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP -# helper -echon() -{ - if [ "x`echo -n`" = "x" ]; then - echo -n "$@" - elif [ "x`echo '\c'`" = "x" ]; then - echo "$@\c" - else - fatal "Don't know how to echo without newline." - fi -} - have_prog() { saved_IFS="$IFS" @@ -273,7 +261,7 @@ fail () fatal () { save_debug_log "FATAL: $@" - echo -n "FATAL: " + printf "FATAL: " fail "$@" cleanup exit $RESULT @@ -360,7 +348,7 @@ for t in rsa rsa1; do # known hosts file for client ( - echon 'localhost-with-alias,127.0.0.1,::1 ' + printf 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts -- cgit v1.2.3 From a40d97ff46831c9081a6a4472036689360847fb1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 14:44:53 +1000 Subject: sync missing ID --- regress/forcecommand.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index ba21c0eb1..44d2b7ffd 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $ +# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ # Placed in the Public Domain. tid="forced command" -- cgit v1.2.3 From b8b96b0aa634d440feba4331c80ae4de9dda2081 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 14:46:20 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 01:16:09 [regress/agent-timeout.sh] Pull back some portability changes from -portable: - TIMEOUT is a read-only variable in some shells - not all greps have -q so redirect to /dev/null instead. (ID sync only) --- ChangeLog | 6 ++++++ regress/agent-timeout.sh | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index da5495f59..db23b2e2a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,12 @@ regress/ssh-com.sh] replace 'echo -n' with 'printf' since it's more portable also remove "echon" hack. + - dtucker@cvs.openbsd.org 2013/05/17 01:16:09 + [regress/agent-timeout.sh] + Pull back some portability changes from -portable: + - TIMEOUT is a read-only variable in some shells + - not all greps have -q so redirect to /dev/null instead. + (ID sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh index 3a40e7af8..68826594e 100644 --- a/regress/agent-timeout.sh +++ b/regress/agent-timeout.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $ +# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $ # Placed in the Public Domain. tid="agent timeout test" -- cgit v1.2.3 From 34035be27b7ddd84706fe95c39d37cba7d5c9572 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 14:47:51 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 [regress/integrity.sh] don't print output from ssh before getting it (it's available in ssh.log) --- ChangeLog | 3 +++ regress/integrity.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index db23b2e2a..a12bf335c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,9 @@ - TIMEOUT is a read-only variable in some shells - not all greps have -q so redirect to /dev/null instead. (ID sync only) + - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 + [regress/integrity.sh] + don't print output from ssh before getting it (it's available in ssh.log) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/integrity.sh b/regress/integrity.sh index 2621a0025..982eced21 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -52,7 +52,7 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - verbose "test $tid: $m @$off $output" + verbose "test $tid: $m @$off" ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then -- cgit v1.2.3 From 59d928d3b47e8298f4a8b4b3fb37fb8c8ce1b098 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 15:32:29 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 04:29:14 [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh regress/multiplex.sh] Move the setting of DATA and COPY into test-exec.sh --- ChangeLog | 10 ++++++++++ regress/cipher-speed.sh | 2 +- regress/conch-ciphers.sh | 5 +---- regress/dynamic-forward.sh | 4 +--- regress/forwarding.sh | 9 ++++----- regress/multiplex.sh | 4 +--- regress/putty-ciphers.sh | 5 +---- regress/putty-kex.sh | 5 +---- regress/putty-transfer.sh | 5 +---- regress/reexec.sh | 8 +++----- regress/rekey.sh | 8 ++------ regress/scp.sh | 4 +--- regress/sftp-badcmds.sh | 4 +--- regress/sftp-batch.sh | 4 +--- regress/sftp-chroot.sh | 4 +--- regress/sftp-cmds.sh | 4 +--- regress/sftp.sh | 5 +---- regress/ssh-com-client.sh | 6 +----- regress/ssh-com-sftp.sh | 4 +--- regress/stderr-after-eof.sh | 6 +----- regress/stderr-data.sh | 6 +----- regress/test-exec.sh | 15 ++++++++++----- regress/transfer.sh | 5 +---- 23 files changed, 47 insertions(+), 85 deletions(-) diff --git a/ChangeLog b/ChangeLog index a12bf335c..a0dd182f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,16 @@ - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 [regress/integrity.sh] don't print output from ssh before getting it (it's available in ssh.log) + - dtucker@cvs.openbsd.org 2013/05/17 04:29:14 + [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh + regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh + regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh + regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh + regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh + regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh + regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh + regress/multiplex.sh] + Move the setting of DATA and COPY into test-exec.sh - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 07daebe62..489d9f5fa 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh index 5b65cd993..199d863a0 100644 --- a/regress/conch-ciphers.sh +++ b/regress/conch-ciphers.sh @@ -1,11 +1,8 @@ -# $OpenBSD: conch-ciphers.sh,v 1.2 2008/06/30 10:43:03 djm Exp $ +# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="conch ciphers" -DATA=/bin/ls -COPY=${OBJ}/copy - if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then echo "conch interop tests not enabled" exit 0 diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index d1ab8059b..42fa8acdc 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,12 +1,10 @@ -# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" FWDPORT=`expr $PORT + 1` -DATA=/bin/ls${EXEEXT} - if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then proxycmd="nc -x 127.0.0.1:$FWDPORT -X" elif have_prog connect; then diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 6a7003070..2ba140fee 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,8 +1,7 @@ -# $OpenBSD: forwarding.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: forwarding.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" -DATA=/bin/ls${EXEEXT} start_sshd @@ -26,9 +25,9 @@ for p in 1 2; do trace "transfer over forwarded channels and check result" ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ - somehost cat $DATA > $OBJ/ls.copy - test -f $OBJ/ls.copy || fail "failed copy $DATA" - cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy of ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" sleep 10 done diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 8389b3840..3e697e691 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.20 2013/04/22 07:28:53 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ @@ -10,8 +10,6 @@ if config_defined DISABLE_FD_PASSING ; then exit 0 fi -DATA=/bin/ls${EXEEXT} -COPY=$OBJ/ls.copy P=3301 # test port wait_for_mux_master_ready() diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh index 928ea60d2..724a98cc1 100644 --- a/regress/putty-ciphers.sh +++ b/regress/putty-ciphers.sh @@ -1,11 +1,8 @@ -# $OpenBSD: putty-ciphers.sh,v 1.3 2008/11/10 02:06:35 djm Exp $ +# $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="putty ciphers" -DATA=/bin/ls -COPY=${OBJ}/copy - if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then echo "putty interop tests not enabled" exit 0 diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh index 293885a8a..1844d6599 100644 --- a/regress/putty-kex.sh +++ b/regress/putty-kex.sh @@ -1,11 +1,8 @@ -# $OpenBSD: putty-kex.sh,v 1.2 2008/06/30 10:31:11 djm Exp $ +# $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="putty KEX" -DATA=/bin/ls -COPY=${OBJ}/copy - if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then echo "putty interop tests not enabled" exit 0 diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh index 9e1e1550a..aec0e04ee 100644 --- a/regress/putty-transfer.sh +++ b/regress/putty-transfer.sh @@ -1,11 +1,8 @@ -# $OpenBSD: putty-transfer.sh,v 1.2 2008/06/30 10:31:11 djm Exp $ +# $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="putty transfer data" -DATA=/bin/ls -COPY=${OBJ}/copy - if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then echo "putty interop tests not enabled" exit 0 diff --git a/regress/reexec.sh b/regress/reexec.sh index 9464eb699..5fff62a66 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -1,12 +1,10 @@ -# $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $ +# $OpenBSD: reexec.sh,v 1.6 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="reexec tests" -DATA=/bin/ls${EXEEXT} -COPY=${OBJ}/copy -SSHD_ORIG=$SSHD${EXEEXT} -SSHD_COPY=$OBJ/sshd${EXEEXT} +SSHD_ORIG=$SSHD +SSHD_COPY=$OBJ/sshd # Start a sshd and then delete it start_sshd_copy () diff --git a/regress/rekey.sh b/regress/rekey.sh index cefdea534..8eb7efaf9 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,15 +1,11 @@ -# $OpenBSD: rekey.sh,v 1.7 2013/05/16 05:48:31 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="rekey" -DATA=${OBJ}/data -COPY=${OBJ}/copy LOG=${TEST_SSH_LOGFILE} -rm -f ${COPY} ${LOG} ${DATA} -touch ${DATA} -dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 +rm -f ${LOG} for s in 16 1k 128k 256k; do verbose "client rekeylimit ${s}" diff --git a/regress/scp.sh b/regress/scp.sh index c5d412dd9..ba5ba887d 100644 --- a/regress/scp.sh +++ b/regress/scp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $ +# $OpenBSD: scp.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="scp" @@ -12,8 +12,6 @@ else DIFFOPT="-r" fi -DATA=/bin/ls${EXEEXT} -COPY=${OBJ}/copy COPY2=${OBJ}/copy2 DIR=${COPY}.dd DIR2=${COPY}.dd2 diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh index 08009f26b..3dbeb58ca 100644 --- a/regress/sftp-badcmds.sh +++ b/regress/sftp-badcmds.sh @@ -1,12 +1,10 @@ -# $OpenBSD: sftp-badcmds.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ +# $OpenBSD: sftp-badcmds.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="sftp invalid commands" -DATA=/bin/ls${EXEEXT} DATA2=/bin/sh${EXEEXT} NONEXIST=/NONEXIST.$$ -COPY=${OBJ}/copy GLOBFILES=`(cd /bin;echo l*)` rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh index a51ef0782..41011549b 100644 --- a/regress/sftp-batch.sh +++ b/regress/sftp-batch.sh @@ -1,10 +1,8 @@ -# $OpenBSD: sftp-batch.sh,v 1.4 2009/08/13 01:11:55 djm Exp $ +# $OpenBSD: sftp-batch.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="sftp batchfile" -DATA=/bin/ls${EXEEXT} -COPY=${OBJ}/copy BATCH=${OBJ}/sftp.bb rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index 8c07979b4..98a364ebf 100644 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh @@ -1,9 +1,8 @@ -# $OpenBSD: sftp-chroot.sh,v 1.1 2013/04/18 02:46:12 djm Exp $ +# $OpenBSD: sftp-chroot.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="sftp in chroot" -COPY=${OBJ}/copy CHROOT=/var/run FILENAME=testdata_${USER} PRIVDATA=${CHROOT}/${FILENAME} @@ -18,7 +17,6 @@ $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /" verbose "test $tid: get" -rm -f ${COPY} ${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \ fatal "Fetch ${FILENAME} failed" cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ" diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index 2e0300e16..ba5ef066d 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-cmds.sh,v 1.12 2012/06/01 00:52:52 djm Exp $ +# $OpenBSD: sftp-cmds.sh,v 1.13 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. # XXX - TODO: @@ -7,8 +7,6 @@ tid="sftp commands" -DATA=/bin/ls${EXEEXT} -COPY=${OBJ}/copy # test that these files are readable! for i in `(cd /bin;echo l*)` do diff --git a/regress/sftp.sh b/regress/sftp.sh index f84fa6f4e..5f823ee23 100644 --- a/regress/sftp.sh +++ b/regress/sftp.sh @@ -1,11 +1,8 @@ -# $OpenBSD: sftp.sh,v 1.3 2009/08/13 01:11:55 djm Exp $ +# $OpenBSD: sftp.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="basic sftp put/get" -DATA=/bin/ls${EXEEXT} -COPY=${OBJ}/copy - SFTPCMDFILE=${OBJ}/batch cat >$SFTPCMDFILE <$SFTPCMDFILE <$TEST_SSHD_LOGFILE >$TEST_REGRESS_LOGFILE -# Some data for test copies -DATA=$OBJ/testdata -cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA - # Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." # because sftp and scp don't handle spaces in arguments. SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh @@ -168,6 +164,15 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP chmod a+rx $OBJ/ssh-log-wrapper.sh SSH="$SSHLOGWRAP" +# Some test data. We make a copy because some tests will overwrite it. +# The tests may assume that $DATA exists and is writable and $COPY does +# not exist. +DATA=$OBJ/data +cat $SSHD $SSHD $SSHD $SSHD >${DATA} +chmod u+w ${DATA} +COPY=$OBJ/copy +rm -f ${COPY} + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP diff --git a/regress/transfer.sh b/regress/transfer.sh index 13ea367d5..1ae3ef5bf 100644 --- a/regress/transfer.sh +++ b/regress/transfer.sh @@ -1,11 +1,8 @@ -# $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $ +# $OpenBSD: transfer.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. tid="transfer data" -DATA=/bin/ls${EXEEXT} -COPY=${OBJ}/copy - for p in 1 2; do verbose "$tid: proto $p" rm -f ${COPY} -- cgit v1.2.3 From 8654dd2d737800d09e7730b3dfc2a54411f4cf90 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 16:03:48 +1000 Subject: - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. --- ChangeLog | 1 + openbsd-compat/getopt.h | 4 ---- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index a0dd182f8..a64ea46a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -75,6 +75,7 @@ the list is DH group exchange, but that causes a bit more traffic which can mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for. + - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/openbsd-compat/getopt.h b/openbsd-compat/getopt.h index 0311b078b..8eb12447e 100644 --- a/openbsd-compat/getopt.h +++ b/openbsd-compat/getopt.h @@ -33,8 +33,6 @@ #ifndef _GETOPT_H_ #define _GETOPT_H_ -#include - /* * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions */ @@ -56,7 +54,6 @@ struct option { int val; }; -__BEGIN_DECLS int getopt_long(int, char * const *, const char *, const struct option *, int *); int getopt_long_only(int, char * const *, const char *, @@ -73,6 +70,5 @@ extern int optopt; extern int optreset; extern char *suboptarg; /* getsubopt(3) external variable */ #endif -__END_DECLS #endif /* !_GETOPT_H_ */ -- cgit v1.2.3 From 7f193236594e8328ad133ea05eded31f837b45b5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 19:02:28 +1000 Subject: - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. --- ChangeLog | 1 + regress/cfgmatch.sh | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index a64ea46a7..e3e3b6577 100644 --- a/ChangeLog +++ b/ChangeLog @@ -76,6 +76,7 @@ mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for. - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. + - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index df4acfe0c..e5907354b 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -40,15 +40,15 @@ stop_client() } cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy -echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config -echo "Match user $USER" >>$OBJ/sshd_proxy -echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy echo "Match Address 127.0.0.1" >>$OBJ/sshd_config echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config +grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy +echo "Match user $USER" >>$OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy -- cgit v1.2.3 From 96457a54d05dea81f34ecb4e059d2f8b98382b85 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 19:03:38 +1000 Subject: - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. --- ChangeLog | 1 + regress/agent-getpeereid.sh | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e3e3b6577..b02acb2d9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -77,6 +77,7 @@ traffic and we get different errors to what the tests look for. - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. + - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index faf654c04..1726c2b9d 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -18,7 +18,6 @@ if [ -z "$SUDO" ]; then exit 0 fi - trace "start agent" eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null r=$? -- cgit v1.2.3 From 5f1a89a3b67264f4aa83e057cd4f74fd60b9ffa4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 19:17:58 +1000 Subject: - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] Move the jot helper function to portable-specific part of test-exec.sh. --- ChangeLog | 2 ++ regress/integrity.sh | 4 ---- regress/krl.sh | 4 ---- regress/test-exec.sh | 6 ++++++ 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index b02acb2d9..620a635f6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,6 +78,8 @@ - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. + - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] + Move the jot helper function to portable-specific part of test-exec.sh. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/integrity.sh b/regress/integrity.sh index 982eced21..1d17fe10a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -29,10 +29,6 @@ echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ # sshd-command for proxy (see test-exec.sh) cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" -jot() { - awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" -} - for m in $macs; do trace "test $tid: mac $m" elen=0 diff --git a/regress/krl.sh b/regress/krl.sh index 62a239c38..de9cc8764 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -39,10 +39,6 @@ serial: 799 serial: 599-701 EOF -jot() { - awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" -} - # A specification that revokes some certificated by key ID. touch $OBJ/revoked-keyid for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 599b8d9ba..910ed4f70 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -177,6 +177,7 @@ rm -f ${COPY} export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP +# Portable specific functions have_prog() { saved_IFS="$IFS" @@ -192,6 +193,11 @@ have_prog() return 1 } +jot() { + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" +} +# End of portable specific functions + cleanup () { if [ -f $PIDFILE ]; then -- cgit v1.2.3 From 6f66981ed3c6bb83b937959f329323975e356c33 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 19:28:51 +1000 Subject: - (dtucker) [regress/test-exec.sh] Move the portable-specific functions together and add a couple of missing lines from openbsd. --- ChangeLog | 2 ++ regress/test-exec.sh | 24 +++++++++++++----------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 620a635f6..f998c301c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -80,6 +80,8 @@ - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] Move the jot helper function to portable-specific part of test-exec.sh. + - (dtucker) [regress/test-exec.sh] Move the portable-specific functions + together and add a couple of missing lines from openbsd. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 910ed4f70..69e5042ba 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -196,8 +196,20 @@ have_prog() jot() { awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" } + +# Check whether preprocessor symbols are defined in config.h. +config_defined () +{ + str=$1 + while test "x$2" != "x" ; do + str="$str|$2" + shift + done + egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1 +} # End of portable specific functions +# helper cleanup () { if [ -f $PIDFILE ]; then @@ -278,17 +290,6 @@ fatal () exit $RESULT } -# Check whether preprocessor symbols are defined in config.h. -config_defined () -{ - str=$1 - while test "x$2" != "x" ; do - str="$str|$2" - shift - done - egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1 -} - RESULT=0 PIDFILE=$OBJ/pidfile @@ -336,6 +337,7 @@ Host * ChallengeResponseAuthentication no HostbasedAuthentication no PasswordAuthentication no + RhostsRSAAuthentication no BatchMode yes StrictHostKeyChecking yes LogLevel DEBUG3 -- cgit v1.2.3 From f8d5b3451726530a864b172c556c311370c244e1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 19:53:25 +1000 Subject: - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 helper function to the portable part of test-exec.sh. --- ChangeLog | 2 ++ regress/stderr-after-eof.sh | 14 +------------- regress/test-exec.sh | 14 ++++++++++++++ 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index f998c301c..ec9ab1229 100644 --- a/ChangeLog +++ b/ChangeLog @@ -82,6 +82,8 @@ Move the jot helper function to portable-specific part of test-exec.sh. - (dtucker) [regress/test-exec.sh] Move the portable-specific functions together and add a couple of missing lines from openbsd. + - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 + helper function to the portable part of test-exec.sh. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh index 9072db282..218ac6b68 100644 --- a/regress/stderr-after-eof.sh +++ b/regress/stderr-after-eof.sh @@ -3,23 +3,11 @@ tid="stderr data after eof" -if have_prog md5sum; then - CHECKSUM=md5sum -elif have_prog openssl; then - CHECKSUM="openssl md5" -elif have_prog cksum; then - CHECKSUM=cksum -elif have_prog sum; then - CHECKSUM=sum -else - fatal "No checksum program available, aborting $tid test" -fi - # setup data rm -f ${DATA} ${COPY} cp /dev/null ${DATA} for i in 1 2 3 4 5 6; do - (date;echo $i) | $CHECKSUM >> ${DATA} + (date;echo $i) | md5 >> ${DATA} done ${SSH} -2 -F $OBJ/ssh_proxy otherhost \ diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 69e5042ba..d336e6193 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -207,6 +207,20 @@ config_defined () done egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1 } + +md5 () { + if have_prog md5sum; then + md5sum + elif have_prog openssl; then + openssl md5 + elif have_prog cksum; then + cksum + elif have_prog sum; then + sum + else + wc -c + fi +} # End of portable specific functions # helper -- cgit v1.2.3 From 9cc8ff7b63f175661c8807006f6d2649d56ac402 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:01:52 +1000 Subject: - (dtucker) [regress/runtests.sh] Remove obsolete test driver script. --- ChangeLog | 1 + regress/runtests.sh | 13 ------------- 2 files changed, 1 insertion(+), 13 deletions(-) delete mode 100755 regress/runtests.sh diff --git a/ChangeLog b/ChangeLog index ec9ab1229..26a183cba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -84,6 +84,7 @@ together and add a couple of missing lines from openbsd. - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 helper function to the portable part of test-exec.sh. + - (dtucker) [regress/runtests.sh] Remove obsolete test driver script. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/runtests.sh b/regress/runtests.sh deleted file mode 100755 index 9808eb8a7..000000000 --- a/regress/runtests.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -TEST_SSH_SSH=../ssh -TEST_SSH_SSHD=../sshd -TEST_SSH_SSHAGENT=../ssh-agent -TEST_SSH_SSHADD=../ssh-add -TEST_SSH_SSHKEYGEN=../ssh-keygen -TEST_SSH_SSHKEYSCAN=../ssh-keyscan -TEST_SSH_SFTP=../sftp -TEST_SSH_SFTPSERVER=../sftp-server - -pmake - -- cgit v1.2.3 From 044f32f4c6fd342f9f5949bb0ca77624c0db4494 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:12:57 +1000 Subject: - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by rev 1.6 which calls wait. --- ChangeLog | 2 ++ regress/cfgmatch.sh | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 26a183cba..f4be9bc9c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -85,6 +85,8 @@ - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5 helper function to the portable part of test-exec.sh. - (dtucker) [regress/runtests.sh] Remove obsolete test driver script. + - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by + rev 1.6 which calls wait. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index e5907354b..80cf22930 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -34,7 +34,6 @@ stop_client() pid=`cat $pidfile` if [ ! -z "$pid" ]; then kill $pid - sleep 1 fi wait } -- cgit v1.2.3 From dd669173f93ea8c8397e0af758eaf13ab4f1c591 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:39:57 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:16:26 [regress/try-ciphers.sh] use expr for math to keep diffs vs portable down (id sync only) --- ChangeLog | 4 ++++ regress/try-ciphers.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f4be9bc9c..72df13609 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,6 +68,10 @@ regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh regress/multiplex.sh] Move the setting of DATA and COPY into test-exec.sh + - dtucker@cvs.openbsd.org 2013/05/17 10:16:26 + [regress/try-ciphers.sh] + use expr for math to keep diffs vs portable down + (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 084a1457a..e17c9f5e9 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $ +# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $ # Placed in the Public Domain. tid="try ciphers" -- cgit v1.2.3 From 05b5e518c9969d63471f2ccfd85b1de6e724d30b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:41:07 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:23:52 [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh] Use SUDO when cat'ing pid files and running the sshd log wrapper so that it works with a restrictive umask and the pid files are not world readable. Changes from -portable. (id sync only) --- ChangeLog | 5 +++++ regress/login-timeout.sh | 2 +- regress/reexec.sh | 2 +- regress/test-exec.sh | 2 +- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 72df13609..bf1c3b953 100644 --- a/ChangeLog +++ b/ChangeLog @@ -72,6 +72,11 @@ [regress/try-ciphers.sh] use expr for math to keep diffs vs portable down (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:23:52 + [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh] + Use SUDO when cat'ing pid files and running the sshd log wrapper so that + it works with a restrictive umask and the pid files are not world readable. + Changes from -portable. (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index 55fbb324d..d73923b9c 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh @@ -1,4 +1,4 @@ -# $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $ +# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $ # Placed in the Public Domain. tid="connect after login grace timeout" diff --git a/regress/reexec.sh b/regress/reexec.sh index 5fff62a66..433573f06 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reexec.sh,v 1.6 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: reexec.sh,v 1.7 2013/05/17 10:23:52 dtucker Exp $ # Placed in the Public Domain. tid="reexec tests" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index d336e6193..c9a9b64ee 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.42 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.43 2013/05/17 10:23:52 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.3 From 1466bd25a8d1ff7ae455a795d2d7d52dc17d2938 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:42:05 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:24:48 [localcommand.sh] use backticks for portability. (id sync only) --- ChangeLog | 3 +++ regress/localcommand.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index bf1c3b953..fc5c7005c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -77,6 +77,9 @@ Use SUDO when cat'ing pid files and running the sshd log wrapper so that it works with a restrictive umask and the pid files are not world readable. Changes from -portable. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:24:48 + [localcommand.sh] + use backticks for portability. (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/localcommand.sh b/regress/localcommand.sh index feade7a9d..8a9b56971 100644 --- a/regress/localcommand.sh +++ b/regress/localcommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: localcommand.sh,v 1.1 2007/10/29 06:57:13 dtucker Exp $ +# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $ # Placed in the Public Domain. tid="localcommand" -- cgit v1.2.3 From 438f60eb9a5f7cd40bb242cfec865e4fde71b07c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:43:13 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 [regress/sftp-badcmds.sh] remove unused BATCH variable. (id sync only) --- ChangeLog | 5 ++++- regress/sftp-badcmds.sh | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fc5c7005c..a582dfc8f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,8 +78,11 @@ it works with a restrictive umask and the pid files are not world readable. Changes from -portable. (id sync only) - dtucker@cvs.openbsd.org 2013/05/17 10:24:48 - [localcommand.sh] + [regress/localcommand.sh] use backticks for portability. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 + [regress/sftp-badcmds.sh] + remove unused BATCH variable. (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh index 3dbeb58ca..7f85c4f22 100644 --- a/regress/sftp-badcmds.sh +++ b/regress/sftp-badcmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-badcmds.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $ # Placed in the Public Domain. tid="sftp invalid commands" -- cgit v1.2.3 From 98989eb95eef0aefed7e9fb4e65c2f625be946f6 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:44:09 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 [regress/sftp.sh] only compare copied data if sftp succeeds. from portable (id sync only) --- ChangeLog | 3 +++ regress/sftp.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a582dfc8f..d3e5253d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -83,6 +83,9 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:26:26 [regress/sftp-badcmds.sh] remove unused BATCH variable. (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 + [regress/sftp.sh] + only compare copied data if sftp succeeds. from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/sftp.sh b/regress/sftp.sh index 5f823ee23..b8e9f7527 100644 --- a/regress/sftp.sh +++ b/regress/sftp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $ # Placed in the Public Domain. tid="basic sftp put/get" -- cgit v1.2.3 From 00478d30cb4bcc18dc1ced8144d16b03cdf790f6 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:45:06 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:30:07 [regress/test-exec.sh] wait a bit longer for startup and use case for absolute path. from portable (id sync only) --- ChangeLog | 4 ++++ regress/test-exec.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d3e5253d1..cbf96d642 100644 --- a/ChangeLog +++ b/ChangeLog @@ -86,6 +86,10 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:28:11 [regress/sftp.sh] only compare copied data if sftp succeeds. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:30:07 + [regress/test-exec.sh] + wait a bit longer for startup and use case for absolute path. + from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/test-exec.sh b/regress/test-exec.sh index c9a9b64ee..2eab32341 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.43 2013/05/17 10:23:52 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.44 2013/05/17 10:30:07 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.3 From 62ee222e6f3f5ee288434f58b5136ae3d56f5164 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:46:00 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 [regress/agent-getpeereid.sh] don't redirect stdout from sudo. from portable (id sync only) --- ChangeLog | 3 +++ regress/agent-getpeereid.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cbf96d642..a2ac83ddb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -90,6 +90,9 @@ [regress/test-exec.sh] wait a bit longer for startup and use case for absolute path. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 + [regress/agent-getpeereid.sh] + don't redirect stdout from sudo. from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 1726c2b9d..d5ae2d6e2 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.4 2007/11/25 15:35:09 jmc Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" -- cgit v1.2.3 From 0a404b0ed79ba45ccaf7ed5528a8f5004c3698cb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:47:29 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 [regress/portnum.sh] use a more portable negated if structure. from portable (id sync only) --- ChangeLog | 3 +++ regress/portnum.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a2ac83ddb..edc92e63a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -93,6 +93,9 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:33:09 [regress/agent-getpeereid.sh] don't redirect stdout from sudo. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 + [regress/portnum.sh] + use a more portable negated if structure. from portable (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/portnum.sh b/regress/portnum.sh index 1de0680fe..c56b869a3 100644 --- a/regress/portnum.sh +++ b/regress/portnum.sh @@ -1,4 +1,4 @@ -# $OpenBSD: portnum.sh,v 1.1 2009/08/13 00:57:17 djm Exp $ +# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $ # Placed in the Public Domain. tid="port number parsing" -- cgit v1.2.3 From 9b42d327380e5cd04efde6fb70e1535fecedf0d7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 20:48:59 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 10:35:43 [regress/scp.sh] use a file extention that's not special on some platforms. from portable (id sync only) --- ChangeLog | 4 ++++ regress/scp.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index edc92e63a..50054ef01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -96,6 +96,10 @@ - dtucker@cvs.openbsd.org 2013/05/17 10:34:30 [regress/portnum.sh] use a more portable negated if structure. from portable (id sync only) + - dtucker@cvs.openbsd.org 2013/05/17 10:35:43 + [regress/scp.sh] + use a file extention that's not special on some platforms. from portable + (id sync only) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/scp.sh b/regress/scp.sh index ba5ba887d..29c5b35d4 100644 --- a/regress/scp.sh +++ b/regress/scp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: scp.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: scp.sh,v 1.9 2013/05/17 10:35:43 dtucker Exp $ # Placed in the Public Domain. tid="scp" -- cgit v1.2.3 From efdf5342143a887013a1daae583167dadf6752a7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 30 May 2013 08:29:08 +1000 Subject: - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null implementation of endgrent for platforms that don't have it (eg Android). Loosely based on a patch from Nathan Osman, ok djm --- ChangeLog | 4 ++++ configure.ac | 5 +++-- openbsd-compat/bsd-misc.h | 6 +++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 50054ef01..ef4dc7050 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ + 20130529 + - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null + implementation of endgrent for platforms that don't have it (eg Android). + Loosely based on a patch from Nathan Osman, ok djm 20130517 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/03/07 00:20:34 diff --git a/configure.ac b/configure.ac index 7d8adfcbc..13c055849 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.524 2013/05/16 10:47:32 dtucker Exp $ +# $Id: configure.ac,v 1.525 2013/05/29 22:29:09 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.524 $) +AC_REVISION($Revision: 1.525 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1531,6 +1531,7 @@ AC_CHECK_FUNCS([ \ clock \ closefrom \ dirfd \ + endgrent \ fchmod \ fchown \ freeaddrinfo \ diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index 430066376..9ebd83c3a 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */ +/* $Id: bsd-misc.h,v 1.24 2013/05/29 22:29:09 dtucker Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -110,4 +110,8 @@ int isblank(int); pid_t getpgid(pid_t); #endif +#ifndef HAVE_ENDGRENT +# define endgrent() {} +#endif + #endif /* _BSD_MISC_H */ -- cgit v1.2.3 From c0c3373216801797053e123b5f62d35bf41b3611 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 06:28:03 +1000 Subject: - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to using openssl's DES_crpyt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman. --- ChangeLog | 8 +++++++- configure.ac | 5 +++-- openbsd-compat/xcrypt.c | 7 ++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index ef4dc7050..58efd7b1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,13 @@ - 20130529 +20130601 + - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to + using openssl's DES_crpyt function on platorms that don't have a native + one, eg Android. Based on a patch from Nathan Osman. + +20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null implementation of endgrent for platforms that don't have it (eg Android). Loosely based on a patch from Nathan Osman, ok djm + 20130517 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/03/07 00:20:34 diff --git a/configure.ac b/configure.ac index 13c055849..c70c504f9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.525 2013/05/29 22:29:09 dtucker Exp $ +# $Id: configure.ac,v 1.526 2013/06/01 20:28:04 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.525 $) +AC_REVISION($Revision: 1.526 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2388,6 +2388,7 @@ fi if test "x$check_for_libcrypt_later" = "x1"; then AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) fi +AC_CHECK_FUNCS([crypt DES_crypt]) # Search for SHA256 support in libc and/or OpenSSL AC_CHECK_FUNCS([SHA256_Update EVP_sha256], [TEST_SSH_SHA256=yes], diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index 6291e2884..c8aea461d 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c @@ -55,7 +55,12 @@ # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) # include "md5crypt.h" -# endif +# endif + +# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) +# include +# define crypt DES_crypt +# endif char * xcrypt(const char *password, const char *salt) -- cgit v1.2.3 From c7aad0058c957afeb26a3f703e8cb0eddeb62365 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:18:47 +1000 Subject: - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS rather than trying to enumerate the plaforms that don't have them. Based on a patch from Nathan Osman, with help from tim@. --- ChangeLog | 3 +++ configure.ac | 39 +++++++++++++++++++++++++++++++++------ defines.h | 24 +++++++++++------------- 3 files changed, 47 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index 58efd7b1c..3fe13dfad 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to using openssl's DES_crpyt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman. + - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS + rather than trying to enumerate the plaforms that don't have them. + Based on a patch from Nathan Osman, with help from tim@. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/configure.ac b/configure.ac index c70c504f9..d35a19bcc 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.526 2013/06/01 20:28:04 dtucker Exp $ +# $Id: configure.ac,v 1.527 2013/06/01 21:18:48 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.526 $) +AC_REVISION($Revision: 1.527 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -979,9 +979,6 @@ mips-sony-bsd|mips-sony-newsos4) *-*-nto-qnx*) AC_DEFINE([USE_PIPES]) AC_DEFINE([NO_X11_UNIX_SOCKETS]) - AC_DEFINE([MISSING_NFDBITS], [1], [Define on *nto-qnx systems]) - AC_DEFINE([MISSING_HOWMANY], [1], [Define on *nto-qnx systems]) - AC_DEFINE([MISSING_FD_MASK], [1], [Define on *nto-qnx systems]) AC_DEFINE([DISABLE_LASTLOG]) AC_DEFINE([SSHD_ACQUIRES_CTTY]) AC_DEFINE([BROKEN_SHADOW_EXPIRE], [1], [QNX shadow support is broken]) @@ -1002,7 +999,6 @@ mips-sony-bsd|mips-sony-newsos4) *-*-lynxos) CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" - AC_DEFINE([MISSING_HOWMANY]) AC_DEFINE([BROKEN_SETVBUF], [1], [LynxOS has broken setvbuf() implementation]) ;; esac @@ -1703,6 +1699,37 @@ AC_CHECK_DECLS([offsetof], , , [ #include ]) +# extra bits for select(2) +AC_CHECK_DECLS([howmany, NFDBITS], [], [], [[ +#include +#include +#ifdef HAVE_SYS_SYSMACROS_H +#include +#endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + ]]) +AC_CHECK_TYPES([fd_mask], [], [], [[ +#include +#include +#ifdef HAVE_SYS_SELECT_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif + ]]) + AC_CHECK_FUNCS([setresuid], [ dnl Some platorms have setresuid that isn't implemented, test for this AC_MSG_CHECKING([if setresuid seems to work]) diff --git a/defines.h b/defines.h index 64515c2ff..d5ce52f32 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */ +/* $Id: defines.h,v 1.172 2013/06/01 21:18:48 dtucker Exp $ */ /* Constants */ @@ -171,11 +171,6 @@ enum # define MAP_FAILED ((void *)-1) #endif -/* *-*-nto-qnx doesn't define this constant in the system headers */ -#ifdef MISSING_NFDBITS -# define NFDBITS (8 * sizeof(unsigned long)) -#endif - /* SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but including rpc/rpc.h breaks Solaris 6 @@ -355,11 +350,19 @@ struct winsize { }; #endif -/* *-*-nto-qnx does not define this type in the system headers */ -#ifdef MISSING_FD_MASK +/* bits needed for select that may not be in the system headers */ +#ifndef HAVE_FD_MASK typedef unsigned long int fd_mask; #endif +#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0 +# define NFDBITS (8 * sizeof(unsigned long)) +#endif + +#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0 +# define howmany(x,y) (((x)+((y)-1))/(y)) +#endif + /* Paths */ #ifndef _PATH_BSHELL @@ -484,11 +487,6 @@ struct winsize { # define __nonnull__(x) #endif -/* *-*-nto-qnx doesn't define this macro in the system headers */ -#ifdef MISSING_HOWMANY -# define howmany(x,y) (((x)+((y)-1))/(y)) -#endif - #ifndef OSSH_ALIGNBYTES #define OSSH_ALIGNBYTES (sizeof(int) - 1) #endif -- cgit v1.2.3 From a627d42e51ffa71e014d7b2d2c07118122fd3ec3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:31:17 +1000 Subject: - djm@cvs.openbsd.org 2013/05/17 00:13:13 [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@ --- ChangeLog | 17 ++++++ addrmatch.c | 6 +-- auth-chall.c | 12 ++--- auth-options.c | 60 +++++++++++----------- auth-rsa.c | 6 +-- auth.c | 16 +++--- auth1.c | 14 +++-- auth2-chall.c | 27 +++++----- auth2-gss.c | 17 +++--- auth2-hostbased.c | 14 ++--- auth2-jpake.c | 24 ++++----- auth2-kbdint.c | 6 +-- auth2-passwd.c | 6 +-- auth2-pubkey.c | 26 +++++----- auth2.c | 17 +++--- authfd.c | 10 ++-- authfile.c | 10 ++-- bufaux.c | 6 +-- bufbn.c | 18 +++---- bufec.c | 6 +-- buffer.c | 4 +- canohost.c | 10 ++-- channels.c | 98 +++++++++++++++-------------------- cipher-3des1.c | 6 +-- cipher.c | 10 ++-- clientloop.c | 55 +++++++++----------- compat.c | 6 +-- dns.c | 10 ++-- groupaccess.c | 5 +- gss-genr.c | 16 +++--- hostfile.c | 16 +++--- jpake.c | 8 +-- kex.c | 18 +++---- kexdhc.c | 8 +-- kexdhs.c | 8 +-- kexecdhc.c | 8 +-- kexecdhs.c | 8 +-- kexgexc.c | 8 +-- kexgexs.c | 8 +-- key.c | 57 +++++++++------------ mac.c | 6 +-- match.c | 15 +++--- misc.c | 12 ++--- moduli.c | 10 ++-- monitor.c | 125 ++++++++++++++++++++++---------------------- monitor_mm.c | 13 ++--- monitor_wrap.c | 30 +++++------ mux.c | 122 +++++++++++++++++++------------------------ packet.c | 30 +++++------ readconf.c | 30 +++++------ readpass.c | 4 +- roaming_client.c | 9 ++-- rsa.c | 10 ++-- schnorr.c | 8 +-- scp.c | 22 ++++---- servconf.c | 9 ++-- serverloop.c | 32 +++++------- session.c | 92 ++++++++++++++------------------- sftp-client.c | 54 +++++++++---------- sftp-common.c | 6 +-- sftp-glob.c | 6 +-- sftp-server.c | 58 ++++++++++----------- sftp.c | 92 ++++++++++++++++----------------- ssh-add.c | 20 ++++---- ssh-agent.c | 63 ++++++++++------------- ssh-dss.c | 10 ++-- ssh-ecdsa.c | 10 ++-- ssh-keygen.c | 104 ++++++++++++++++++------------------- ssh-keyscan.c | 16 +++--- ssh-keysign.c | 20 ++++---- ssh-pkcs11-client.c | 10 ++-- ssh-pkcs11-helper.c | 23 ++++----- ssh-pkcs11.c | 27 +++++----- ssh-rsa.c | 23 ++++----- ssh.c | 44 ++++++++-------- sshconnect.c | 41 ++++++++------- sshconnect1.c | 18 +++---- sshconnect2.c | 145 ++++++++++++++++++++++++---------------------------- sshd.c | 12 ++--- umac.c | 4 +- uuencode.c | 7 +-- xmalloc.c | 10 +--- xmalloc.h | 3 +- 83 files changed, 987 insertions(+), 1103 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3fe13dfad..1de8ff835 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,23 @@ - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS rather than trying to enumerate the plaforms that don't have them. Based on a patch from Nathan Osman, with help from tim@. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/05/17 00:13:13 + [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c + ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c + gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c + auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c + servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c + auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c + sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c + kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c + kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c + monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c + ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c + sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c + ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c + dns.c packet.c readpass.c authfd.c moduli.c] + bye, bye xfree(); ok markus@ 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/addrmatch.c b/addrmatch.c index 388603cae..fb6de92e7 100644 --- a/addrmatch.c +++ b/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller @@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list) goto foundit; } } - xfree(o); + free(o); return ret; } @@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list) continue; } } - xfree(o); + free(o); return ret; } diff --git a/auth-chall.c b/auth-chall.c index 919b1eaa4..bfc51eae6 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt) fatal("get_challenge: numprompts < 1"); challenge = xstrdup(prompts[0]); for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); + free(prompts[i]); + free(prompts); + free(name); + free(echo_on); + free(info); return (challenge); } diff --git a/auth-options.c b/auth-options.c index 23d0423e1..a8d738ace 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.58 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -72,15 +72,15 @@ auth_clear_options(void) while (custom_environment) { struct envstring *ce = custom_environment; custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + free(ce->s); + free(ce); } if (forced_command) { - xfree(forced_command); + free(forced_command); forced_command = NULL; } if (authorized_principals) { - xfree(authorized_principals); + free(authorized_principals); authorized_principals = NULL; } forced_tun_device = -1; @@ -149,7 +149,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); if (forced_command != NULL) - xfree(forced_command); + free(forced_command); forced_command = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -167,7 +167,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(forced_command); + free(forced_command); forced_command = NULL; goto bad_option; } @@ -180,7 +180,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) if (strncasecmp(opts, cp, strlen(cp)) == 0) { opts += strlen(cp); if (authorized_principals != NULL) - xfree(authorized_principals); + free(authorized_principals); authorized_principals = xmalloc(strlen(opts) + 1); i = 0; while (*opts) { @@ -198,7 +198,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(authorized_principals); + free(authorized_principals); authorized_principals = NULL; goto bad_option; } @@ -232,7 +232,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(s); + free(s); goto bad_option; } s[i] = '\0'; @@ -269,7 +269,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } patterns[i] = '\0'; @@ -277,7 +277,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) switch (match_host_and_ip(remote_host, remote_ip, patterns)) { case 1: - xfree(patterns); + free(patterns); /* Host name matches. */ goto next_option; case -1: @@ -287,7 +287,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) "invalid criteria", file, linenum); /* FALLTHROUGH */ case 0: - xfree(patterns); + free(patterns); logit("Authentication tried for %.100s with " "correct key but not from a permitted " "host (host=%.200s, ip=%.200s).", @@ -323,7 +323,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing " "end quote", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } patterns[i] = '\0'; @@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) auth_debug_add("%.100s, line %lu: " "Bad permitopen specification", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } host = cleanhostname(host); @@ -346,12 +346,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) "<%.100s>", file, linenum, p ? p : ""); auth_debug_add("%.100s, line %lu: " "Bad permitopen port", file, linenum); - xfree(patterns); + free(patterns); goto bad_option; } if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) channel_add_permitted_opens(host, port); - xfree(patterns); + free(patterns); goto next_option; } cp = "tunnel=\""; @@ -370,13 +370,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) file, linenum); auth_debug_add("%.100s, line %lu: missing end quote", file, linenum); - xfree(tun); + free(tun); forced_tun_device = -1; goto bad_option; } tun[i] = '\0'; forced_tun_device = a2tun(tun, NULL); - xfree(tun); + free(tun); if (forced_tun_device == SSH_TUNID_ERR) { debug("%.100s, line %lu: invalid tun device", file, linenum); @@ -484,7 +484,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if (*cert_forced_command != NULL) { error("Certificate has multiple " "force-command options"); - xfree(command); + free(command); goto out; } *cert_forced_command = command; @@ -500,7 +500,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if ((*cert_source_address_done)++) { error("Certificate has multiple " "source-address options"); - xfree(allowed); + free(allowed); goto out; } remote_ip = get_remote_ipaddr(); @@ -508,7 +508,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, allowed)) { case 1: /* accepted */ - xfree(allowed); + free(allowed); break; case 0: /* no match */ @@ -521,12 +521,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, "is not permitted to use this " "certificate for login.", remote_ip); - xfree(allowed); + free(allowed); goto out; case -1: error("Certificate source-address " "contents invalid"); - xfree(allowed); + free(allowed); goto out; } found = 1; @@ -548,8 +548,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, goto out; } buffer_clear(&data); - xfree(name); - xfree(data_blob); + free(name); + free(data_blob); name = data_blob = NULL; } /* successfully parsed all options */ @@ -559,13 +559,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, if (ret != 0 && cert_forced_command != NULL && *cert_forced_command != NULL) { - xfree(*cert_forced_command); + free(*cert_forced_command); *cert_forced_command = NULL; } if (name != NULL) - xfree(name); + free(name); if (data_blob != NULL) - xfree(data_blob); + free(data_blob); buffer_free(&data); buffer_free(&c); return ret; @@ -627,7 +627,7 @@ auth_cert_options(Key *k, struct passwd *pw) /* CA-specified forced command supersedes key option */ if (cert_forced_command != NULL) { if (forced_command != NULL) - xfree(forced_command); + free(forced_command); forced_command = cert_forced_command; } return 0; diff --git a/auth-rsa.c b/auth-rsa.c index 2c8a7cb35..748eaae09 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.82 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -281,7 +281,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) file = expand_authorized_keys( options.authorized_keys_files[i], pw); allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey); - xfree(file); + free(file); } restore_uid(); @@ -331,7 +331,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(key), fp); - xfree(fp); + free(fp); key_free(key); packet_send_debug("RSA authentication accepted."); diff --git a/auth.c b/auth.c index 666c493dc..ac126e6f3 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.102 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -165,17 +165,17 @@ allowed_user(struct passwd * pw) if (stat(shell, &st) != 0) { logit("User %.100s not allowed because shell %.100s " "does not exist", pw->pw_name, shell); - xfree(shell); + free(shell); return 0; } if (S_ISREG(st.st_mode) == 0 || (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { logit("User %.100s not allowed because shell %.100s " "is not executable", pw->pw_name, shell); - xfree(shell); + free(shell); return 0; } - xfree(shell); + free(shell); } if (options.num_deny_users > 0 || options.num_allow_users > 0 || @@ -355,7 +355,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw) i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); if (i < 0 || (size_t)i >= sizeof(ret)) fatal("expand_authorized_keys: path too long"); - xfree(file); + free(file); return (xstrdup(ret)); } @@ -397,7 +397,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, load_hostkeys(hostkeys, host, user_hostfile); restore_uid(); } - xfree(user_hostfile); + free(user_hostfile); } host_status = check_key_in_hostkeys(hostkeys, key, &found); if (host_status == HOST_REVOKED) @@ -666,7 +666,7 @@ auth_key_is_revoked(Key *key) key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); - xfree(key_fp); + free(key_fp); return 1; } fatal("key_in_file returned junk"); @@ -697,7 +697,7 @@ auth_debug_send(void) while (buffer_len(&auth_debug)) { msg = buffer_get_string(&auth_debug, NULL); packet_send_debug("%s", msg); - xfree(msg); + free(msg); } } diff --git a/auth1.c b/auth1.c index 6eea8d81e..238b3c9c3 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.78 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -130,7 +130,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) authenticated = PRIVSEP(auth_password(authctxt, password)); memset(password, 0, dlen); - xfree(password); + free(password); return (authenticated); } @@ -204,7 +204,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) debug("sending challenge '%s'", challenge); packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); packet_put_cstring(challenge); - xfree(challenge); + free(challenge); packet_send(); packet_write_wait(); @@ -223,7 +223,7 @@ auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) packet_check_eom(); authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); - xfree(response); + free(response); return (authenticated); } @@ -356,10 +356,8 @@ do_authloop(Authctxt *authctxt) auth_log(authctxt, authenticated, 0, get_authname(type), NULL, info); - if (client_user != NULL) { - xfree(client_user); - client_user = NULL; - } + free(client_user); + client_user = NULL; if (authenticated) return; diff --git a/auth2-chall.c b/auth2-chall.c index ed1acdd3b..98f3093ce 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.37 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.38 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -147,11 +147,9 @@ kbdint_free(KbdintAuthctxt *kbdintctxt) { if (kbdintctxt->device) kbdint_reset_device(kbdintctxt); - if (kbdintctxt->devices) { - xfree(kbdintctxt->devices); - kbdintctxt->devices = NULL; - } - xfree(kbdintctxt); + free(kbdintctxt->devices); + bzero(kbdintctxt, sizeof(*kbdintctxt)); + free(kbdintctxt); } /* get next device */ static int @@ -178,7 +176,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; - xfree(t); + free(t); debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? kbdintctxt->devices : ""); } while (kbdintctxt->devices && !kbdintctxt->device); @@ -272,11 +270,11 @@ send_userauth_info_request(Authctxt *authctxt) packet_write_wait(); for (i = 0; i < kbdintctxt->nreq; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(echo_on); - xfree(name); - xfree(instr); + free(prompts[i]); + free(prompts); + free(echo_on); + free(name); + free(instr); return 1; } @@ -315,10 +313,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) for (i = 0; i < nresp; i++) { memset(response[i], 'r', strlen(response[i])); - xfree(response[i]); + free(response[i]); } - if (response) - xfree(response); + free(response); switch (res) { case 0: diff --git a/auth2-gss.c b/auth2-gss.c index de1bd0644..638d8f88e 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.19 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -81,8 +81,7 @@ userauth_gssapi(Authctxt *authctxt) do { mechs--; - if (doid) - xfree(doid); + free(doid); present = 0; doid = packet_get_string(&len); @@ -101,7 +100,7 @@ userauth_gssapi(Authctxt *authctxt) gss_release_oid_set(&ms, &supported); if (!present) { - xfree(doid); + free(doid); authctxt->server_caused_failure = 1; return (0); } @@ -109,7 +108,7 @@ userauth_gssapi(Authctxt *authctxt) if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); - xfree(doid); + free(doid); authctxt->server_caused_failure = 1; return (0); } @@ -122,7 +121,7 @@ userauth_gssapi(Authctxt *authctxt) packet_put_string(doid, len); packet_send(); - xfree(doid); + free(doid); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); @@ -153,7 +152,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok, &flags)); - xfree(recv_tok.value); + free(recv_tok.value); if (GSS_ERROR(maj_status)) { if (send_tok.length != 0) { @@ -208,7 +207,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, &send_tok, NULL)); - xfree(recv_tok.value); + free(recv_tok.value); /* We can't return anything to the client, even if we wanted to */ dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); @@ -281,7 +280,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) logit("GSSAPI MIC check failed"); buffer_free(&b); - xfree(mic.value); + free(mic.value); authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); diff --git a/auth2-hostbased.c b/auth2-hostbased.c index cdf442f97..e6d05e261 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -128,11 +128,11 @@ done: debug2("userauth_hostbased: authenticated %d", authenticated); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); - xfree(cuser); - xfree(chost); - xfree(sig); + free(pkalg); + free(pkblob); + free(cuser); + free(chost); + free(sig); return authenticated; } @@ -207,7 +207,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, verbose("Accepted %s public key %s from %s@%s", key_type(key), fp, cuser, lookup); } - xfree(fp); + free(fp); } return (host_status == HOST_OK); diff --git a/auth2-jpake.c b/auth2-jpake.c index ed0eba47b..78a6b8817 100644 --- a/auth2-jpake.c +++ b/auth2-jpake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */ +/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -179,7 +179,7 @@ derive_rawsalt(const char *username, u_char *rawsalt, u_int len) __func__, len, digest_len); memcpy(rawsalt, digest, len); bzero(digest, digest_len); - xfree(digest); + free(digest); } /* ASCII an integer [0, 64) for inclusion in a password/salt */ @@ -258,7 +258,7 @@ fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme) makesalt(22, authctxt->user)); *scheme = xstrdup("bcrypt"); } - xfree(style); + free(style); debug3("%s: fake %s salt for user %s: %s", __func__, *scheme, authctxt->user, *salt); } @@ -361,7 +361,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s, JPAKE_DEBUG_BN((*s, "%s: s = ", __func__)); #endif bzero(secret, secret_len); - xfree(secret); + free(secret); } /* @@ -403,12 +403,12 @@ auth2_jpake_start(Authctxt *authctxt) bzero(hash_scheme, strlen(hash_scheme)); bzero(salt, strlen(salt)); - xfree(hash_scheme); - xfree(salt); + free(hash_scheme); + free(salt); bzero(x3_proof, x3_proof_len); bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); + free(x3_proof); + free(x4_proof); /* Expect step 1 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, @@ -455,8 +455,8 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt) bzero(x1_proof, x1_proof_len); bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); + free(x1_proof); + free(x2_proof); if (!use_privsep) JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); @@ -469,7 +469,7 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt) packet_write_wait(); bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); + free(x4_s_proof); /* Expect step 2 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, @@ -510,7 +510,7 @@ input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt) &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len)); bzero(x2_s_proof, x2_s_proof_len); - xfree(x2_s_proof); + free(x2_s_proof); if (!use_privsep) JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); diff --git a/auth2-kbdint.c b/auth2-kbdint.c index fae67da6e..c39bdc62d 100644 --- a/auth2-kbdint.c +++ b/auth2-kbdint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -56,8 +56,8 @@ userauth_kbdint(Authctxt *authctxt) if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); - xfree(devs); - xfree(lang); + free(devs); + free(lang); return authenticated; } diff --git a/auth2-passwd.c b/auth2-passwd.c index 5f1f3635f..21bc5047d 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-passwd.c,v 1.10 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -60,7 +60,7 @@ userauth_passwd(Authctxt *authctxt) /* discard new password from packet */ newpass = packet_get_string(&newlen); memset(newpass, 0, newlen); - xfree(newpass); + free(newpass); } packet_check_eom(); @@ -69,7 +69,7 @@ userauth_passwd(Authctxt *authctxt) else if (PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; memset(password, 0, len); - xfree(password); + free(password); return authenticated; } diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c28bef7a2..4c326df7a 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.35 2013/03/07 00:19:59 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -154,7 +154,7 @@ userauth_pubkey(Authctxt *authctxt) buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); - xfree(sig); + free(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); @@ -182,8 +182,8 @@ done: debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); return authenticated; } @@ -200,7 +200,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert) principal_list, NULL)) != NULL) { debug3("matched principal from key options \"%.100s\"", result); - xfree(result); + free(result); return 1; } } @@ -336,7 +336,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) reason = "Certificate does not contain an " "authorized principal"; fail_reason: - xfree(fp); + free(fp); error("%s", reason); auth_debug_add("%s", reason); continue; @@ -346,13 +346,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) &reason) != 0) goto fail_reason; if (auth_cert_options(key, pw) != 0) { - xfree(fp); + free(fp); continue; } verbose("Accepted certificate ID \"%s\" " "signed by %s CA %s via %s", key->cert->key_id, key_type(found), fp, file); - xfree(fp); + free(fp); found_key = 1; break; } else if (key_equal(found, key)) { @@ -367,7 +367,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); - xfree(fp); + free(fp); break; } } @@ -425,10 +425,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) ret = 1; out: - if (principals_file != NULL) - xfree(principals_file); - if (ca_fp != NULL) - xfree(ca_fp); + free(principals_file); + free(ca_fp); return ret; } @@ -633,7 +631,7 @@ user_key_allowed(struct passwd *pw, Key *key) options.authorized_keys_files[i], pw); success = user_key_allowed2(pw, key, file); - xfree(file); + free(file); } return success; diff --git a/auth2.c b/auth2.c index e44482164..5f136ce09 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.127 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: auth2.c,v 1.128 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -130,7 +130,7 @@ auth2_read_banner(void) close(fd); if (n != len) { - xfree(banner); + free(banner); return (NULL); } banner[n] = '\0'; @@ -166,8 +166,7 @@ userauth_banner(void) userauth_send_banner(banner); done: - if (banner) - xfree(banner); + free(banner); } /* @@ -212,7 +211,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt) debug("bad service request %s", service); packet_disconnect("bad service request %s", service); } - xfree(service); + free(service); } /*ARGSUSED*/ @@ -292,9 +291,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } userauth_finish(authctxt, authenticated, method, NULL); - xfree(service); - xfree(user); - xfree(method); + free(service); + free(user); + free(method); } void @@ -382,7 +381,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, packet_put_char(partial); packet_send(); packet_write_wait(); - xfree(methods); + free(methods); } } diff --git a/authfd.c b/authfd.c index f037e838b..775786bee 100644 --- a/authfd.c +++ b/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */ +/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -224,7 +224,7 @@ ssh_close_authentication_connection(AuthenticationConnection *auth) { buffer_free(&auth->identities); close(auth->fd); - xfree(auth); + free(auth); } /* Lock/unlock agent */ @@ -343,7 +343,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio blob = buffer_get_string(&auth->identities, &blen); *comment = buffer_get_string(&auth->identities, NULL); key = key_from_blob(blob, blen); - xfree(blob); + free(blob); break; default: return NULL; @@ -436,7 +436,7 @@ ssh_agent_sign(AuthenticationConnection *auth, buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, data, datalen); buffer_put_int(&msg, flags); - xfree(blob); + free(blob); if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); @@ -612,7 +612,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); - xfree(blob); + free(blob); } else { buffer_free(&msg); return 0; diff --git a/authfile.c b/authfile.c index 91812bf87..63ae16bbd 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.96 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.97 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -509,8 +509,8 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp) return prv; fail: - if (commentp) - xfree(*commentp); + if (commentp != NULL) + free(*commentp); key_free(prv); return NULL; } @@ -832,10 +832,10 @@ key_load_cert(const char *filename) pub = key_new(KEY_UNSPEC); xasprintf(&file, "%s-cert.pub", filename); if (key_try_load_public(pub, file, NULL) == 1) { - xfree(file); + free(file); return pub; } - xfree(file); + free(file); key_free(pub); return NULL; } diff --git a/bufaux.c b/bufaux.c index 00208ca27..ec8853f8b 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.50 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -181,7 +181,7 @@ buffer_get_string_ret(Buffer *buffer, u_int *length_ptr) /* Get the string. */ if (buffer_get_ret(buffer, value, len) == -1) { error("buffer_get_string_ret: buffer_get failed"); - xfree(value); + free(value); return (NULL); } /* Append a null character to make processing easier. */ @@ -216,7 +216,7 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr) error("buffer_get_cstring_ret: string contains \\0"); else { bzero(ret, length); - xfree(ret); + free(ret); return NULL; } } diff --git a/bufbn.c b/bufbn.c index 251cd0951..1fbfbbcc9 100644 --- a/bufbn.c +++ b/bufbn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/ +/* $OpenBSD: bufbn.c,v 1.7 2013/05/17 00:13:13 djm Exp $*/ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -69,7 +69,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) if (oi != bin_size) { error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d", oi, bin_size); - xfree(buf); + free(buf); return (-1); } @@ -80,7 +80,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) buffer_append(buffer, buf, oi); memset(buf, 0, bin_size); - xfree(buf); + free(buf); return (0); } @@ -167,13 +167,13 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) if (oi < 0 || (u_int)oi != bytes - 1) { error("buffer_put_bignum2_ret: BN_bn2bin() failed: " "oi %d != bin_size %d", oi, bytes); - xfree(buf); + free(buf); return (-1); } hasnohigh = (buf[1] & 0x80) ? 0 : 1; buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); memset(buf, 0, bytes); - xfree(buf); + free(buf); return (0); } @@ -197,21 +197,21 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value) if (len > 0 && (bin[0] & 0x80)) { error("buffer_get_bignum2_ret: negative numbers not supported"); - xfree(bin); + free(bin); return (-1); } if (len > 8 * 1024) { error("buffer_get_bignum2_ret: cannot handle BN of size %d", len); - xfree(bin); + free(bin); return (-1); } if (BN_bin2bn(bin, len, value) == NULL) { error("buffer_get_bignum2_ret: BN_bin2bn failed"); - xfree(bin); + free(bin); return (-1); } - xfree(bin); + free(bin); return (0); } diff --git a/bufec.c b/bufec.c index 3dcb49477..6c0048978 100644 --- a/bufec.c +++ b/bufec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufec.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: bufec.c,v 1.2 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2010 Damien Miller * @@ -78,7 +78,7 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve, out: if (buf != NULL) { bzero(buf, len); - xfree(buf); + free(buf); } BN_CTX_free(bnctx); return ret; @@ -131,7 +131,7 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve, out: BN_CTX_free(bnctx); bzero(buf, len); - xfree(buf); + free(buf); return ret; } diff --git a/buffer.c b/buffer.c index ae9700344..007e7f94e 100644 --- a/buffer.c +++ b/buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.c,v 1.32 2010/02/09 03:56:28 djm Exp $ */ +/* $OpenBSD: buffer.c,v 1.33 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -50,7 +50,7 @@ buffer_free(Buffer *buffer) if (buffer->alloc > 0) { memset(buffer->buf, 0, buffer->alloc); buffer->alloc = 0; - xfree(buffer->buf); + free(buffer->buf); } } diff --git a/canohost.c b/canohost.c index dabd8a31a..69e8e6f6d 100644 --- a/canohost.c +++ b/canohost.c @@ -1,4 +1,4 @@ -/* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */ +/* $OpenBSD: canohost.c,v 1.67 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -41,7 +41,7 @@ static int cached_port = -1; /* * Return the canonical name of the host at the other end of the socket. The - * caller should free the returned string with xfree. + * caller should free the returned string. */ static char * @@ -323,10 +323,8 @@ get_local_name(int fd) void clear_cached_addr(void) { - if (canonical_host_ip != NULL) { - xfree(canonical_host_ip); - canonical_host_ip = NULL; - } + free(canonical_host_ip); + canonical_host_ip = NULL; cached_port = -1; } diff --git a/channels.c b/channels.c index 12db962de..6031394cc 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.320 2013/04/06 16:07:00 markus Exp $ */ +/* $OpenBSD: channels.c,v 1.321 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -401,7 +401,7 @@ channel_free(Channel *c) s = channel_open_message(); debug3("channel %d: status: %s", c->self, s); - xfree(s); + free(s); if (c->sock != -1) shutdown(c->sock, SHUT_RDWR); @@ -409,29 +409,23 @@ channel_free(Channel *c) buffer_free(&c->input); buffer_free(&c->output); buffer_free(&c->extended); - if (c->remote_name) { - xfree(c->remote_name); - c->remote_name = NULL; - } - if (c->path) { - xfree(c->path); - c->path = NULL; - } - if (c->listening_addr) { - xfree(c->listening_addr); - c->listening_addr = NULL; - } + free(c->remote_name); + c->remote_name = NULL; + free(c->path); + c->path = NULL; + free(c->listening_addr); + c->listening_addr = NULL; while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { if (cc->abandon_cb != NULL) cc->abandon_cb(c, cc->ctx); TAILQ_REMOVE(&c->status_confirms, cc, entry); bzero(cc, sizeof(*cc)); - xfree(cc); + free(cc); } if (c->filter_cleanup != NULL && c->filter_ctx != NULL) c->filter_cleanup(c->self, c->filter_ctx); channels[c->self] = NULL; - xfree(c); + free(c); } void @@ -1080,10 +1074,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) strlcpy(username, p, sizeof(username)); buffer_consume(&c->input, len); - if (c->path != NULL) { - xfree(c->path); - c->path = NULL; - } + free(c->path); + c->path = NULL; if (need == 1) { /* SOCKS4: one string */ host = inet_ntoa(s4_req.dest_addr); c->path = xstrdup(host); @@ -1216,10 +1208,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) buffer_get(&c->input, (char *)&dest_addr, addrlen); buffer_get(&c->input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; - if (c->path != NULL) { - xfree(c->path); - c->path = NULL; - } + free(c->path); + c->path = NULL; if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { if (addrlen >= NI_MAXHOST) { error("channel %d: dynamic request: socks5 hostname " @@ -1379,7 +1369,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) packet_put_cstring(buf); packet_send(); } - xfree(remote_ipaddr); + free(remote_ipaddr); } } @@ -1393,7 +1383,7 @@ port_open_helper(Channel *c, char *rtype) if (remote_port == -1) { /* Fake addr/port to appease peers that validate it (Tectia) */ - xfree(remote_ipaddr); + free(remote_ipaddr); remote_ipaddr = xstrdup("127.0.0.1"); remote_port = 65535; } @@ -1406,7 +1396,7 @@ port_open_helper(Channel *c, char *rtype) rtype, c->listening_port, c->path, c->host_port, remote_ipaddr, remote_port); - xfree(c->remote_name); + free(c->remote_name); c->remote_name = xstrdup(buf); if (compat20) { @@ -1438,7 +1428,7 @@ port_open_helper(Channel *c, char *rtype) packet_put_cstring(c->remote_name); packet_send(); } - xfree(remote_ipaddr); + free(remote_ipaddr); } static void @@ -1691,7 +1681,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) if (c->datagram) { /* ignore truncated writes, datagrams might get lost */ len = write(c->wfd, buf, dlen); - xfree(data); + free(data); if (len < 0 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) return 1; @@ -2225,7 +2215,7 @@ channel_output_poll(void) debug("channel %d: datagram " "too big for channel", c->self); - xfree(data); + free(data); continue; } packet_start(SSH2_MSG_CHANNEL_DATA); @@ -2233,7 +2223,7 @@ channel_output_poll(void) packet_put_string(data, dlen); packet_send(); c->remote_window -= dlen + 4; - xfree(data); + free(data); } continue; } @@ -2405,13 +2395,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt) if (data_len > c->local_window) { logit("channel %d: rcvd too much extended_data %d, win %d", c->self, data_len, c->local_window); - xfree(data); + free(data); return; } debug2("channel %d: rcvd ext data %d", c->self, data_len); c->local_window -= data_len; buffer_append(&c->extended, data, data_len); - xfree(data); + free(data); } /* ARGSUSED */ @@ -2577,10 +2567,8 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt) } logit("channel %d: open failed: %s%s%s", id, reason2txt(reason), msg ? ": ": "", msg ? msg : ""); - if (msg != NULL) - xfree(msg); - if (lang != NULL) - xfree(lang); + free(msg); + free(lang); if (c->open_confirm) { debug2("callback start"); c->open_confirm(c->self, 0, c->open_confirm_ctx); @@ -2638,8 +2626,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt) packet_check_eom(); c = channel_connect_to(host, host_port, "connected socket", originator_string); - xfree(originator_string); - xfree(host); + free(originator_string); + free(host); if (c == NULL) { packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); @@ -2674,7 +2662,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) cc->cb(type, c, cc->ctx); TAILQ_REMOVE(&c->status_confirms, cc, entry); bzero(cc, sizeof(*cc)); - xfree(cc); + free(cc); } /* -- tcp forwarding */ @@ -3054,7 +3042,7 @@ channel_request_rforward_cancel(const char *host, u_short port) permitted_opens[i].listen_port = 0; permitted_opens[i].port_to_connect = 0; - xfree(permitted_opens[i].host_to_connect); + free(permitted_opens[i].host_to_connect); permitted_opens[i].host_to_connect = NULL; return 0; @@ -3095,7 +3083,7 @@ channel_input_port_forward_request(int is_root, int gateway_ports) host_port, gateway_ports); /* Free the argument string. */ - xfree(hostname); + free(hostname); return (success ? 0 : -1); } @@ -3150,7 +3138,7 @@ channel_update_permitted_opens(int idx, int newport) } else { permitted_opens[idx].listen_port = 0; permitted_opens[idx].port_to_connect = 0; - xfree(permitted_opens[idx].host_to_connect); + free(permitted_opens[idx].host_to_connect); permitted_opens[idx].host_to_connect = NULL; } } @@ -3183,12 +3171,9 @@ channel_clear_permitted_opens(void) int i; for (i = 0; i < num_permitted_opens; i++) - if (permitted_opens[i].host_to_connect != NULL) - xfree(permitted_opens[i].host_to_connect); - if (num_permitted_opens > 0) { - xfree(permitted_opens); - permitted_opens = NULL; - } + free(permitted_opens[i].host_to_connect); + free(permitted_opens); + permitted_opens = NULL; num_permitted_opens = 0; } @@ -3198,12 +3183,9 @@ channel_clear_adm_permitted_opens(void) int i; for (i = 0; i < num_adm_permitted_opens; i++) - if (permitted_adm_opens[i].host_to_connect != NULL) - xfree(permitted_adm_opens[i].host_to_connect); - if (num_adm_permitted_opens > 0) { - xfree(permitted_adm_opens); - permitted_adm_opens = NULL; - } + free(permitted_adm_opens[i].host_to_connect); + free(permitted_adm_opens); + permitted_adm_opens = NULL; num_adm_permitted_opens = 0; } @@ -3297,7 +3279,7 @@ connect_next(struct channel_connect *cctx) static void channel_connect_ctx_free(struct channel_connect *cctx) { - xfree(cctx->host); + free(cctx->host); if (cctx->aitop) freeaddrinfo(cctx->aitop); bzero(cctx, sizeof(*cctx)); @@ -3692,7 +3674,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt) c->remote_id = remote_id; c->force_drain = 1; } - xfree(remote_host); + free(remote_host); if (c == NULL) { /* Send refusal to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); @@ -3800,7 +3782,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, packet_put_int(screen_number); packet_send(); packet_write_wait(); - xfree(new_data); + free(new_data); } diff --git a/cipher-3des1.c b/cipher-3des1.c index b7aa588cd..c8a70244b 100644 --- a/cipher-3des1.c +++ b/cipher-3des1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher-3des1.c,v 1.7 2010/10/01 23:05:32 djm Exp $ */ +/* $OpenBSD: cipher-3des1.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. * @@ -94,7 +94,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); return (0); } @@ -135,7 +135,7 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) EVP_CIPHER_CTX_cleanup(&c->k2); EVP_CIPHER_CTX_cleanup(&c->k3); memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/cipher.c b/cipher.c index 5e3652135..a2cbe2bea 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.88 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -205,14 +205,14 @@ ciphers_valid(const char *names) c = cipher_by_name(p); if (c == NULL || c->number != SSH_CIPHER_SSH2) { debug("bad cipher %s [%s]", p, names); - xfree(cipher_list); + free(cipher_list); return 0; } else { debug3("cipher ok: %s [%s]", p, names); } } debug3("ciphers ok: [%s]", names); - xfree(cipher_list); + free(cipher_list); return 1; } @@ -314,8 +314,8 @@ cipher_init(CipherContext *cc, const Cipher *cipher, cipher->discard_len) == 0) fatal("evp_crypt: EVP_Cipher failed during discard"); memset(discard, 0, cipher->discard_len); - xfree(junk); - xfree(discard); + free(junk); + free(discard); } } diff --git a/clientloop.c b/clientloop.c index f1b108fcd..22138560b 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.249 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.250 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -393,10 +393,8 @@ client_x11_get_proto(const char *display, const char *xauth_path, unlink(xauthfile); rmdir(xauthdir); } - if (xauthdir) - xfree(xauthdir); - if (xauthfile) - xfree(xauthfile); + free(xauthdir); + free(xauthfile); /* * If we didn't get authentication data, just make up some @@ -552,7 +550,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) if (--gc->ref_count <= 0) { TAILQ_REMOVE(&global_confirms, gc, entry); bzero(gc, sizeof(*gc)); - xfree(gc); + free(gc); } packet_set_alive_timeouts(0); @@ -826,13 +824,13 @@ client_status_confirm(int type, Channel *c, void *ctx) chan_write_failed(c); } } - xfree(cr); + free(cr); } static void client_abandon_status_confirm(Channel *c, void *ctx) { - xfree(ctx); + free(ctx); } void @@ -999,12 +997,9 @@ process_cmdline(void) out: signal(SIGINT, handler); enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - if (cmd) - xfree(cmd); - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(cmd); + free(fwd.listen_host); + free(fwd.connect_host); } /* reasons to suppress output of an escape command in help output */ @@ -1261,7 +1256,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, buffer_append(berr, string, strlen(string)); s = channel_open_message(); buffer_append(berr, s, strlen(s)); - xfree(s); + free(s); continue; case 'C': @@ -1450,7 +1445,7 @@ client_new_escape_filter_ctx(int escape_char) void client_filter_cleanup(int cid, void *ctx) { - xfree(ctx); + free(ctx); } int @@ -1661,10 +1656,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) } } } - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* Terminate the session. */ @@ -1766,7 +1759,7 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt) packet_check_eom(); buffer_append(&stdout_buffer, data, data_len); memset(data, 0, data_len); - xfree(data); + free(data); } static void client_input_stderr_data(int type, u_int32_t seq, void *ctxt) @@ -1776,7 +1769,7 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt) packet_check_eom(); buffer_append(&stderr_buffer, data, data_len); memset(data, 0, data_len); - xfree(data); + free(data); } static void client_input_exit_status(int type, u_int32_t seq, void *ctxt) @@ -1856,8 +1849,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan) c = channel_connect_by_listen_address(listen_port, "forwarded-tcpip", originator_address); - xfree(originator_address); - xfree(listen_address); + free(originator_address); + free(listen_address); return c; } @@ -1891,7 +1884,7 @@ client_request_x11(const char *request_type, int rchan) /* XXX check permission */ debug("client_request_x11: request from %s %d", originator, originator_port); - xfree(originator); + free(originator); sock = x11_connect_display(); if (sock < 0) return NULL; @@ -2018,7 +2011,7 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt) } packet_send(); } - xfree(ctype); + free(ctype); } static void client_input_channel_req(int type, u_int32_t seq, void *ctxt) @@ -2064,7 +2057,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt) packet_put_int(c->remote_id); packet_send(); } - xfree(rtype); + free(rtype); } static void client_input_global_request(int type, u_int32_t seq, void *ctxt) @@ -2083,7 +2076,7 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt) packet_send(); packet_write_wait(); } - xfree(rtype); + free(rtype); } void @@ -2133,7 +2126,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, /* Split */ name = xstrdup(env[i]); if ((val = strchr(name, '=')) == NULL) { - xfree(name); + free(name); continue; } *val++ = '\0'; @@ -2147,7 +2140,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, } if (!matched) { debug3("Ignored env %s", name); - xfree(name); + free(name); continue; } @@ -2156,7 +2149,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, packet_put_cstring(name); packet_put_cstring(val); packet_send(); - xfree(name); + free(name); } } diff --git a/compat.c b/compat.c index f680f4fe3..ac353a706 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -204,7 +204,7 @@ proto_spec(const char *spec) break; } } - xfree(s); + free(s); return ret; } @@ -230,7 +230,7 @@ compat_cipher_proposal(char *cipher_prop) buffer_append(&b, "\0", 1); fix_ciphers = xstrdup(buffer_ptr(&b)); buffer_free(&b); - xfree(orig_prop); + free(orig_prop); debug2("Original cipher proposal: %s", cipher_prop); debug2("Compat cipher proposal: %s", fix_ciphers); if (!*fix_ciphers) diff --git a/dns.c b/dns.c index 9e3084ba5..630b97ae8 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -261,7 +261,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (hostkey_digest_type != dnskey_digest_type) { hostkey_digest_type = dnskey_digest_type; - xfree(hostkey_digest); + free(hostkey_digest); /* Initialize host key parameters */ if (!dns_read_key(&hostkey_algorithm, @@ -281,10 +281,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, hostkey_digest_len) == 0) *flags |= DNS_VERIFY_MATCH; } - xfree(dnskey_digest); + free(dnskey_digest); } - xfree(hostkey_digest); /* from key_fingerprint_raw() */ + free(hostkey_digest); /* from key_fingerprint_raw() */ freerrset(fingerprints); if (*flags & DNS_VERIFY_FOUND) @@ -327,7 +327,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) for (i = 0; i < rdata_digest_len; i++) fprintf(f, "%02x", rdata_digest[i]); fprintf(f, "\n"); - xfree(rdata_digest); /* from key_fingerprint_raw() */ + free(rdata_digest); /* from key_fingerprint_raw() */ success = 1; } } diff --git a/groupaccess.c b/groupaccess.c index 2381aeb15..020deace7 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "xmalloc.h" @@ -122,7 +123,7 @@ ga_free(void) if (ngroups > 0) { for (i = 0; i < ngroups; i++) - xfree(groups_byname[i]); + free(groups_byname[i]); ngroups = 0; xfree(groups_byname); } diff --git a/gss-genr.c b/gss-genr.c index 842f38582..bf164a77b 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -59,8 +59,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) { if (ctx->oid != GSS_C_NO_OID) { - xfree(ctx->oid->elements); - xfree(ctx->oid); + free(ctx->oid->elements); + free(ctx->oid); } ctx->oid = xmalloc(sizeof(gss_OID_desc)); ctx->oid->length = len; @@ -83,7 +83,7 @@ ssh_gssapi_error(Gssctxt *ctxt) s = ssh_gssapi_last_error(ctxt, NULL, NULL); debug("%s", s); - xfree(s); + free(s); } char * @@ -164,8 +164,8 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) if ((*ctx)->name != GSS_C_NO_NAME) gss_release_name(&ms, &(*ctx)->name); if ((*ctx)->oid != GSS_C_NO_OID) { - xfree((*ctx)->oid->elements); - xfree((*ctx)->oid); + free((*ctx)->oid->elements); + free((*ctx)->oid); (*ctx)->oid = GSS_C_NO_OID; } if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) @@ -175,7 +175,7 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL) gss_release_cred(&ms, &(*ctx)->client_creds); - xfree(*ctx); + free(*ctx); *ctx = NULL; } @@ -222,7 +222,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) ssh_gssapi_error(ctx); - xfree(gssbuf.value); + free(gssbuf.value); return (ctx->major); } diff --git a/hostfile.c b/hostfile.c index b6f924b23..69d0d289e 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.50 2010/12/04 13:31:37 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -96,7 +96,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len) b64salt[b64len] = '\0'; ret = __b64_pton(b64salt, salt, salt_len); - xfree(b64salt); + free(b64salt); if (ret == -1) { debug2("extract_salt: salt decode error"); return (-1); @@ -327,16 +327,14 @@ free_hostkeys(struct hostkeys *hostkeys) u_int i; for (i = 0; i < hostkeys->num_entries; i++) { - xfree(hostkeys->entries[i].host); - xfree(hostkeys->entries[i].file); + free(hostkeys->entries[i].host); + free(hostkeys->entries[i].file); key_free(hostkeys->entries[i].key); bzero(hostkeys->entries + i, sizeof(*hostkeys->entries)); } - if (hostkeys->entries != NULL) - xfree(hostkeys->entries); - hostkeys->entries = NULL; - hostkeys->num_entries = 0; - xfree(hostkeys); + free(hostkeys->entries); + bzero(hostkeys, sizeof(*hostkeys)); + free(hostkeys); } static int diff --git a/jpake.c b/jpake.c index b010dafaa..3dd87916a 100644 --- a/jpake.c +++ b/jpake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */ +/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -106,7 +106,7 @@ jpake_free(struct jpake_ctx *pctx) do { \ if ((v) != NULL) { \ bzero((v), (l)); \ - xfree(v); \ + free(v); \ (v) = NULL; \ (l) = 0; \ } \ @@ -134,7 +134,7 @@ jpake_free(struct jpake_ctx *pctx) #undef JPAKE_BUF_CLEAR_FREE bzero(pctx, sizeof(*pctx)); - xfree(pctx); + free(pctx); } /* dump entire jpake_ctx. NB. includes private values! */ @@ -445,7 +445,7 @@ jpake_check_confirm(const BIGNUM *k, expected_confirm_hash_len) == 0) success = 1; bzero(expected_confirm_hash, expected_confirm_hash_len); - xfree(expected_confirm_hash); + free(expected_confirm_hash); debug3("%s: success = %d", __func__, success); return success; } diff --git a/kex.c b/kex.c index 6b43a6dee..54bd1a438 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.90 2013/04/19 12:07:08 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -126,12 +126,12 @@ kex_names_valid(const char *names) (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { error("Unsupported KEX algorithm \"%.100s\"", p); - xfree(s); + free(s); return 0; } } debug3("kex names ok: [%s]", names); - xfree(s); + free(s); return 1; } @@ -191,8 +191,8 @@ kex_prop_free(char **proposal) u_int i; for (i = 0; i < PROPOSAL_MAX; i++) - xfree(proposal[i]); - xfree(proposal); + free(proposal[i]); + free(proposal); } /* ARGSUSED */ @@ -229,7 +229,7 @@ kex_finish(Kex *kex) buffer_clear(&kex->peer); /* buffer_clear(&kex->my); */ kex->flags &= ~KEX_INIT_SENT; - xfree(kex->name); + free(kex->name); kex->name = NULL; } @@ -286,7 +286,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) for (i = 0; i < KEX_COOKIE_LEN; i++) packet_get_char(); for (i = 0; i < PROPOSAL_MAX; i++) - xfree(packet_get_string(NULL)); + free(packet_get_string(NULL)); /* * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported * KEX method has the server move first, but a server might be using @@ -414,7 +414,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server) k->hostkey_type = key_type_from_name(hostkeyalg); if (k->hostkey_type == KEY_UNSPEC) fatal("bad hostkey alg '%s'", hostkeyalg); - xfree(hostkeyalg); + free(hostkeyalg); } static int @@ -468,7 +468,7 @@ kex_choose_conf(Kex *kex) roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL); if (roaming) { kex->roaming = 1; - xfree(roaming); + free(roaming); } } diff --git a/kexdhc.c b/kexdhc.c index 76ceb5dd8..ccd137cac 100644 --- a/kexdhc.c +++ b/kexdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexdhc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -125,7 +125,7 @@ kexdh_client(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexdh_client: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); /* calc and verify H */ kex_dh_hash( @@ -139,14 +139,14 @@ kexdh_client(Kex *kex) shared_secret, &hash, &hashlen ); - xfree(server_host_key_blob); + free(server_host_key_blob); BN_clear_free(dh_server_pub); DH_free(dh); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { diff --git a/kexdhs.c b/kexdhs.c index f56e88764..15128632c 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -118,7 +118,7 @@ kexdh_server(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexdh_server: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -157,8 +157,8 @@ kexdh_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free DH */ DH_free(dh); diff --git a/kexecdhc.c b/kexecdhc.c index 04239a471..6193836c7 100644 --- a/kexecdhc.c +++ b/kexecdhc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhc.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kexecdhc.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -120,7 +120,7 @@ kexecdh_client(Kex *kex) if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); /* calc and verify H */ kex_ecdh_hash( @@ -136,14 +136,14 @@ kexecdh_client(Kex *kex) shared_secret, &hash, &hashlen ); - xfree(server_host_key_blob); + free(server_host_key_blob); EC_POINT_clear_free(server_public); EC_KEY_free(client_key); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { diff --git a/kexecdhs.c b/kexecdhs.c index 6519abbef..c42dcf448 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.3 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -112,7 +112,7 @@ kexecdh_server(Kex *kex) if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) fatal("%s: BN_bin2bn failed", __func__); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); /* calc H */ key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -152,8 +152,8 @@ kexecdh_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free server key */ EC_KEY_free(server_key); diff --git a/kexgexc.c b/kexgexc.c index 79552d709..5a3be2005 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -163,7 +163,7 @@ kexgex_client(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexgex_client: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); if (datafellows & SSH_OLD_DHGEX) min = max = -1; @@ -186,13 +186,13 @@ kexgex_client(Kex *kex) /* have keys, free DH */ DH_free(dh); - xfree(server_host_key_blob); + free(server_host_key_blob); BN_clear_free(dh_server_pub); if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); - xfree(signature); + free(signature); /* save session id */ if (kex->session_id == NULL) { diff --git a/kexgexs.c b/kexgexs.c index a5e3df7bc..a543dda82 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.14 2010/11/10 01:33:07 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -155,7 +155,7 @@ kexgex_server(Kex *kex) if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) fatal("kexgex_server: BN_bin2bn failed"); memset(kbuf, 0, klen); - xfree(kbuf); + free(kbuf); key_to_blob(server_host_public, &server_host_key_blob, &sbloblen); @@ -201,8 +201,8 @@ kexgex_server(Kex *kex) packet_put_string(signature, slen); packet_send(); - xfree(signature); - xfree(server_host_key_blob); + free(signature); + free(server_host_key_blob); /* have keys, free DH */ DH_free(dh); diff --git a/key.c b/key.c index b8c60cb2c..8183ec90e 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.102 2013/05/10 04:08:01 djm Exp $ */ +/* $OpenBSD: key.c,v 1.103 2013/05/17 00:13:13 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -187,15 +187,13 @@ cert_free(struct KeyCert *cert) buffer_free(&cert->certblob); buffer_free(&cert->critical); buffer_free(&cert->extensions); - if (cert->key_id != NULL) - xfree(cert->key_id); + free(cert->key_id); for (i = 0; i < cert->nprincipals; i++) - xfree(cert->principals[i]); - if (cert->principals != NULL) - xfree(cert->principals); + free(cert->principals[i]); + free(cert->principals); if (cert->signature_key != NULL) key_free(cert->signature_key); - xfree(cert); + free(cert); } void @@ -239,7 +237,7 @@ key_free(Key *k) k->cert = NULL; } - xfree(k); + free(k); } static int @@ -389,7 +387,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, EVP_DigestUpdate(&ctx, blob, len); EVP_DigestFinal(&ctx, retval, dgst_raw_length); memset(blob, 0, len); - xfree(blob); + free(blob); } else { fatal("key_fingerprint_raw: blob is null"); } @@ -596,7 +594,7 @@ key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) break; } memset(dgst_raw, 0, dgst_raw_len); - xfree(dgst_raw); + free(dgst_raw); return retval; } @@ -741,11 +739,11 @@ key_read(Key *ret, char **cpp) n = uudecode(cp, blob, len); if (n < 0) { error("key_read: uudecode %s failed", cp); - xfree(blob); + free(blob); return -1; } k = key_from_blob(blob, (u_int)n); - xfree(blob); + free(blob); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); return -1; @@ -886,8 +884,8 @@ key_write(const Key *key, FILE *f) fprintf(f, "%s %s", key_ssh_name(key), uu); success = 1; } - xfree(blob); - xfree(uu); + free(blob); + free(uu); return success; } @@ -1292,12 +1290,12 @@ key_names_valid2(const char *names) switch (key_type_from_name(p)) { case KEY_RSA1: case KEY_UNSPEC: - xfree(s); + free(s); return 0; } } debug3("key names ok: [%s]", names); - xfree(s); + free(s); return 1; } @@ -1419,16 +1417,11 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) out: buffer_free(&tmp); - if (principals != NULL) - xfree(principals); - if (critical != NULL) - xfree(critical); - if (exts != NULL) - xfree(exts); - if (sig_key != NULL) - xfree(sig_key); - if (sig != NULL) - xfree(sig); + free(principals); + free(critical); + free(exts); + free(sig_key); + free(sig); return ret; } @@ -1548,10 +1541,8 @@ key_from_blob(const u_char *blob, u_int blen) if (key != NULL && rlen != 0) error("key_from_blob: remaining bytes in key blob %d", rlen); out: - if (ktype != NULL) - xfree(ktype); - if (curve != NULL) - xfree(curve); + free(ktype); + free(curve); #ifdef OPENSSL_HAS_ECC if (q != NULL) EC_POINT_free(q); @@ -1901,7 +1892,7 @@ key_certify(Key *k, Key *ca) default: error("%s: key has incorrect type %s", __func__, key_type(k)); buffer_clear(&k->cert->certblob); - xfree(ca_blob); + free(ca_blob); return -1; } @@ -1937,7 +1928,7 @@ key_certify(Key *k, Key *ca) buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ buffer_put_string(&k->cert->certblob, ca_blob, ca_len); - xfree(ca_blob); + free(ca_blob); /* Sign the whole mess */ if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), @@ -1948,7 +1939,7 @@ key_certify(Key *k, Key *ca) } /* Append signature and we are done */ buffer_put_string(&k->cert->certblob, sig_blob, sig_len); - xfree(sig_blob); + free(sig_blob); return 0; } diff --git a/mac.c b/mac.c index da68803f5..907e19781 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.22 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: mac.c,v 1.23 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -235,13 +235,13 @@ mac_valid(const char *names) (p = strsep(&cp, MAC_SEP))) { if (mac_setup(NULL, p) < 0) { debug("bad mac %s [%s]", p, names); - xfree(maclist); + free(maclist); return (0); } else { debug3("mac ok: %s [%s]", p, names); } } debug3("macs ok: [%s]", names); - xfree(maclist); + free(maclist); return (1); } diff --git a/match.c b/match.c index 238947778..7be7d2c5c 100644 --- a/match.c +++ b/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ +/* $OpenBSD: match.c,v 1.28 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -40,6 +40,7 @@ #include #include +#include #include #include "xmalloc.h" @@ -226,14 +227,14 @@ match_user(const char *user, const char *host, const char *ipaddr, if ((ret = match_pattern(user, pat)) == 1) ret = match_host_and_ip(host, ipaddr, p); - xfree(pat); + free(pat); return ret; } /* * Returns first item from client-list that is also supported by server-list, - * caller must xfree() returned string. + * caller must free the returned string. */ #define MAX_PROP 40 #define SEP "," @@ -264,15 +265,15 @@ match_list(const char *client, const char *server, u_int *next) if (next != NULL) *next = (cp == NULL) ? strlen(c) : (u_int)(cp - c); - xfree(c); - xfree(s); + free(c); + free(s); return ret; } } } if (next != NULL) *next = strlen(c); - xfree(c); - xfree(s); + free(c); + free(s); return NULL; } diff --git a/misc.c b/misc.c index 77f4a37a1..4aa5fdc8b 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.88 2013/04/24 16:01:46 tedu Exp $ */ +/* $OpenBSD: misc.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -253,13 +253,13 @@ a2tun(const char *s, int *remote) *remote = SSH_TUNID_ANY; sp = xstrdup(s); if ((ep = strchr(sp, ':')) == NULL) { - xfree(sp); + free(sp); return (a2tun(s, NULL)); } ep[0] = '\0'; ep++; *remote = a2tun(ep, NULL); tun = a2tun(sp, NULL); - xfree(sp); + free(sp); return (*remote == SSH_TUNID_ERR ? *remote : tun); } @@ -492,7 +492,7 @@ replacearg(arglist *args, u_int which, char *fmt, ...) if (which >= args->num) fatal("replacearg: tried to replace invalid arg %d >= %d", which, args->num); - xfree(args->list[which]); + free(args->list[which]); args->list[which] = cp; } @@ -503,8 +503,8 @@ freeargs(arglist *args) if (args->list != NULL) { for (i = 0; i < args->num; i++) - xfree(args->list[i]); - xfree(args->list); + free(args->list[i]); + free(args->list); args->nalloc = args->num = 0; args->list = NULL; } diff --git a/moduli.c b/moduli.c index 5267bb9ab..294ff8fde 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */ +/* $OpenBSD: moduli.c,v 1.27 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -433,9 +433,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) time(&time_stop); - xfree(LargeSieve); - xfree(SmallSieve); - xfree(TinySieve); + free(LargeSieve); + free(SmallSieve); + free(TinySieve); logit("%.24s Found %u candidates", ctime(&time_stop), r); @@ -709,7 +709,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, } time(&time_stop); - xfree(lp); + free(lp); BN_free(p); BN_free(q); BN_CTX_free(ctx); diff --git a/monitor.c b/monitor.c index 372c9d044..132f60df9 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.123 2013/05/16 04:09:13 dtucker Exp $ */ +/* $OpenBSD: monitor.c,v 1.124 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -551,7 +551,7 @@ monitor_read_log(struct monitor *pmonitor) do_log2(level, "%s [preauth]", msg); buffer_free(&logmsg); - xfree(msg); + free(msg); return 0; } @@ -642,12 +642,9 @@ static void monitor_reset_key_state(void) { /* reset state */ - if (key_blob != NULL) - xfree(key_blob); - if (hostbased_cuser != NULL) - xfree(hostbased_cuser); - if (hostbased_chost != NULL) - xfree(hostbased_chost); + free(key_blob); + free(hostbased_cuser); + free(hostbased_chost); key_blob = NULL; key_bloblen = 0; key_blobtype = MM_NOKEY; @@ -728,8 +725,8 @@ mm_answer_sign(int sock, Buffer *m) buffer_clear(m); buffer_put_string(m, signature, siglen); - xfree(p); - xfree(signature); + free(p); + free(signature); mm_request_send(sock, MONITOR_ANS_SIGN, m); @@ -760,7 +757,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) authctxt->user = xstrdup(username); setproctitle("%s [priv]", pwent ? username : "unknown"); - xfree(username); + free(username); buffer_clear(m); @@ -840,9 +837,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m) banner = auth2_read_banner(); buffer_put_cstring(m, banner != NULL ? banner : ""); mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m); - - if (banner != NULL) - xfree(banner); + free(banner); return (0); } @@ -858,7 +853,7 @@ mm_answer_authserv(int sock, Buffer *m) __func__, authctxt->service, authctxt->style); if (strlen(authctxt->style) == 0) { - xfree(authctxt->style); + free(authctxt->style); authctxt->style = NULL; } @@ -878,7 +873,7 @@ mm_answer_authpassword(int sock, Buffer *m) authenticated = options.password_authentication && auth_password(authctxt, passwd); memset(passwd, 0, strlen(passwd)); - xfree(passwd); + free(passwd); buffer_clear(m); buffer_put_int(m, authenticated); @@ -918,10 +913,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m) mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m); if (success) { - xfree(name); - xfree(infotxt); - xfree(prompts); - xfree(echo_on); + free(name); + free(infotxt); + free(prompts); + free(echo_on); } return (0); @@ -941,7 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) auth_userresponse(authctxt->as, response, 0); authctxt->as = NULL; debug3("%s: <%s> = <%d>", __func__, response, authok); - xfree(response); + free(response); buffer_clear(m); buffer_put_int(m, authok); @@ -1214,9 +1209,9 @@ mm_answer_keyallowed(int sock, Buffer *m) /* Log failed attempt */ auth_log(authctxt, 0, 0, auth_method, NULL, compat20 ? " ssh2" : ""); - xfree(blob); - xfree(cuser); - xfree(chost); + free(blob); + free(cuser); + free(chost); } debug3("%s: key %p is %s", @@ -1259,7 +1254,7 @@ monitor_valid_userblob(u_char *data, u_int datalen) (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - xfree(p); + free(p); } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; @@ -1272,8 +1267,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) userstyle, p); fail++; } - xfree(userstyle); - xfree(p); + free(userstyle); + free(p); buffer_skip_string(&b); if (datafellows & SSH_BUG_PKAUTH) { if (!buffer_get_char(&b)) @@ -1282,7 +1277,7 @@ monitor_valid_userblob(u_char *data, u_int datalen) p = buffer_get_cstring(&b, NULL); if (strcmp("publickey", p) != 0) fail++; - xfree(p); + free(p); if (!buffer_get_char(&b)) fail++; buffer_skip_string(&b); @@ -1311,7 +1306,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, (len != session_id2_len) || (timingsafe_bcmp(p, session_id2, session_id2_len) != 0)) fail++; - xfree(p); + free(p); if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; @@ -1325,12 +1320,12 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, fail++; } free(userstyle); - xfree(p); + free(p); buffer_skip_string(&b); /* service */ p = buffer_get_cstring(&b, NULL); if (strcmp(p, "hostbased") != 0) fail++; - xfree(p); + free(p); buffer_skip_string(&b); /* pkalg */ buffer_skip_string(&b); /* pkblob */ @@ -1340,13 +1335,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, p[len - 1] = '\0'; if (strcmp(p, chost) != 0) fail++; - xfree(p); + free(p); /* verify client user */ p = buffer_get_string(&b, NULL); if (strcmp(p, cuser) != 0) fail++; - xfree(p); + free(p); if (buffer_len(&b) != 0) fail++; @@ -1395,9 +1390,9 @@ mm_answer_keyverify(int sock, Buffer *m) __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); - xfree(blob); - xfree(signature); - xfree(data); + free(blob); + free(signature); + free(data); auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; @@ -1525,7 +1520,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m) if ((s = session_by_tty(tty)) != NULL) mm_session_close(s); buffer_clear(m); - xfree(tty); + free(tty); return (0); } @@ -1657,7 +1652,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m) monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); - xfree(blob); + free(blob); key_free(key); return (0); } @@ -1689,9 +1684,9 @@ mm_answer_rsa_response(int sock, Buffer *m) fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); - xfree(blob); + free(blob); key_free(key); - xfree(response); + free(response); auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa"; @@ -1785,20 +1780,20 @@ monitor_apply_keystate(struct monitor *pmonitor) packet_set_protocol_flags(child_state.ssh1protoflags); packet_set_encryption_key(child_state.ssh1key, child_state.ssh1keylen, child_state.ssh1cipher); - xfree(child_state.ssh1key); + free(child_state.ssh1key); } /* for rc4 and other stateful ciphers */ packet_set_keycontext(MODE_OUT, child_state.keyout); - xfree(child_state.keyout); + free(child_state.keyout); packet_set_keycontext(MODE_IN, child_state.keyin); - xfree(child_state.keyin); + free(child_state.keyin); if (!compat20) { packet_set_iv(MODE_OUT, child_state.ivout); - xfree(child_state.ivout); + free(child_state.ivout); packet_set_iv(MODE_IN, child_state.ivin); - xfree(child_state.ivin); + free(child_state.ivin); } memcpy(&incoming_stream, &child_state.incoming, @@ -1819,13 +1814,13 @@ monitor_apply_keystate(struct monitor *pmonitor) buffer_clear(packet_get_input()); buffer_append(packet_get_input(), child_state.input, child_state.ilen); memset(child_state.input, 0, child_state.ilen); - xfree(child_state.input); + free(child_state.input); buffer_clear(packet_get_output()); buffer_append(packet_get_output(), child_state.output, child_state.olen); memset(child_state.output, 0, child_state.olen); - xfree(child_state.output); + free(child_state.output); /* Roaming */ if (compat20) @@ -1857,11 +1852,11 @@ mm_get_kex(Buffer *m) blob = buffer_get_string(m, &bloblen); buffer_init(&kex->my); buffer_append(&kex->my, blob, bloblen); - xfree(blob); + free(blob); blob = buffer_get_string(m, &bloblen); buffer_init(&kex->peer); buffer_append(&kex->peer, blob, bloblen); - xfree(blob); + free(blob); kex->done = 1; kex->flags = buffer_get_int(m); kex->client_version_string = buffer_get_string(m, NULL); @@ -1904,12 +1899,12 @@ mm_get_keystate(struct monitor *pmonitor) blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); - xfree(blob); + free(blob); debug3("%s: Waiting for second key", __func__); blob = buffer_get_string(&m, &bloblen); current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); - xfree(blob); + free(blob); /* Now get sequence numbers for the packets */ seqnr = buffer_get_int(&m); @@ -1934,13 +1929,13 @@ mm_get_keystate(struct monitor *pmonitor) if (plen != sizeof(child_state.outgoing)) fatal("%s: bad request size", __func__); memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); - xfree(p); + free(p); p = buffer_get_string(&m, &plen); if (plen != sizeof(child_state.incoming)) fatal("%s: bad request size", __func__); memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); - xfree(p); + free(p); /* Network I/O buffers */ debug3("%s: Getting Network I/O buffers", __func__); @@ -2062,7 +2057,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) major = ssh_gssapi_server_ctx(&gsscontext, &goid); - xfree(goid.elements); + free(goid.elements); buffer_clear(m); buffer_put_int(m, major); @@ -2087,7 +2082,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); - xfree(in.value); + free(in.value); buffer_clear(m); buffer_put_int(m, major); @@ -2119,8 +2114,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); - xfree(gssbuf.value); - xfree(mic.value); + free(gssbuf.value); + free(mic.value); buffer_clear(m); buffer_put_int(m, ret); @@ -2190,8 +2185,8 @@ mm_answer_jpake_step1(int sock, Buffer *m) bzero(x3_proof, x3_proof_len); bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); + free(x3_proof); + free(x4_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0); @@ -2220,8 +2215,8 @@ mm_answer_jpake_get_pwdata(int sock, Buffer *m) bzero(hash_scheme, strlen(hash_scheme)); bzero(salt, strlen(salt)); - xfree(hash_scheme); - xfree(salt); + free(hash_scheme); + free(salt); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1); @@ -2260,8 +2255,8 @@ mm_answer_jpake_step2(int sock, Buffer *m) bzero(x1_proof, x1_proof_len); bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); + free(x1_proof); + free(x2_proof); buffer_clear(m); @@ -2272,7 +2267,7 @@ mm_answer_jpake_step2(int sock, Buffer *m) mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); + free(x4_s_proof); monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); @@ -2340,7 +2335,7 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m) JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); bzero(peer_confirm_hash, peer_confirm_hash_len); - xfree(peer_confirm_hash); + free(peer_confirm_hash); buffer_clear(m); buffer_put_int(m, authenticated); diff --git a/monitor_mm.c b/monitor_mm.c index faf9f3dcb..ee7bad4b4 100644 --- a/monitor_mm.c +++ b/monitor_mm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */ +/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -35,6 +35,7 @@ #include #include +#include #include #include "xmalloc.h" @@ -124,7 +125,7 @@ mm_freelist(struct mm_master *mmalloc, struct mmtree *head) next = RB_NEXT(mmtree, head, mms); RB_REMOVE(mmtree, head, mms); if (mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mmalloc, mms); } @@ -147,7 +148,7 @@ mm_destroy(struct mm_master *mm) __func__); #endif if (mm->mmalloc == NULL) - xfree(mm); + free(mm); else mm_free(mm->mmalloc, mm); } @@ -198,7 +199,7 @@ mm_malloc(struct mm_master *mm, size_t size) if (mms->size == 0) { RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } @@ -254,7 +255,7 @@ mm_free(struct mm_master *mm, void *address) prev->size += mms->size; RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } else @@ -278,7 +279,7 @@ mm_free(struct mm_master *mm, void *address) RB_REMOVE(mmtree, &mm->rb_free, mms); if (mm->mmalloc == NULL) - xfree(mms); + free(mms); else mm_free(mm->mmalloc, mms); } diff --git a/monitor_wrap.c b/monitor_wrap.c index 3304f5bf2..b1870fcba 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.76 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -288,7 +288,7 @@ out: #undef M_CP_STRARRAYOPT copy_set_server_options(&options, newopts, 1); - xfree(newopts); + free(newopts); buffer_free(&m); @@ -314,7 +314,7 @@ mm_auth2_read_banner(void) /* treat empty banner as missing banner */ if (strlen(banner) == 0) { - xfree(banner); + free(banner); banner = NULL; } return (banner); @@ -407,7 +407,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) buffer_put_cstring(&m, user ? user : ""); buffer_put_cstring(&m, host ? host : ""); buffer_put_string(&m, blob, len); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); @@ -450,7 +450,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); @@ -619,7 +619,7 @@ mm_send_keystate(struct monitor *monitor) keylen = packet_get_encryption_key(key); buffer_put_string(&m, key, keylen); memset(key, 0, keylen); - xfree(key); + free(key); ivlen = packet_get_keyiv_len(MODE_OUT); packet_get_keyiv(MODE_OUT, iv, ivlen); @@ -642,13 +642,13 @@ mm_send_keystate(struct monitor *monitor) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); - xfree(blob); + free(blob); if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); - xfree(blob); + free(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); buffer_put_int(&m, seqnr); @@ -668,13 +668,13 @@ mm_send_keystate(struct monitor *monitor) p = xmalloc(plen+1); packet_get_keycontext(MODE_OUT, p); buffer_put_string(&m, p, plen); - xfree(p); + free(p); plen = packet_get_keycontext(MODE_IN, NULL); p = xmalloc(plen+1); packet_get_keycontext(MODE_IN, p); buffer_put_string(&m, p, plen); - xfree(p); + free(p); /* Compression state */ debug3("%s: Sending compression state", __func__); @@ -736,10 +736,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) buffer_free(&m); strlcpy(namebuf, p, namebuflen); /* Possible truncation */ - xfree(p); + free(p); buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); + free(msg); if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 || (*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1) @@ -1109,7 +1109,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) if ((key = key_from_blob(blob, blen)) == NULL) fatal("%s: key_from_blob failed", __func__); *rkey = key; - xfree(blob); + free(blob); } buffer_free(&m); @@ -1136,7 +1136,7 @@ mm_auth_rsa_generate_challenge(Key *key) buffer_init(&m); buffer_put_string(&m, blob, blen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m); @@ -1165,7 +1165,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) buffer_init(&m); buffer_put_string(&m, blob, blen); buffer_put_string(&m, response, 16); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m); diff --git a/mux.c b/mux.c index a6bcbbaca..6c55db981 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.40 2013/04/22 01:17:18 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.41 2013/05/17 00:13:13 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -287,13 +287,12 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) char *value = buffer_get_string_ret(m, NULL); if (name == NULL || value == NULL) { - if (name != NULL) - xfree(name); + free(name); goto malf; } debug2("Unrecognised slave extension \"%s\"", name); - xfree(name); - xfree(value); + free(name); + free(value); } state->hello_rcvd = 1; return 0; @@ -324,21 +323,17 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) (cctx->term = buffer_get_string_ret(m, &len)) == NULL || (cmd = buffer_get_string_ret(m, &len)) == NULL) { malf: - if (cmd != NULL) - xfree(cmd); - if (reserved != NULL) - xfree(reserved); + free(cmd); + free(reserved); for (j = 0; j < env_len; j++) - xfree(cctx->env[j]); - if (env_len > 0) - xfree(cctx->env); - if (cctx->term != NULL) - xfree(cctx->term); - xfree(cctx); + free(cctx->env[j]); + free(cctx->env); + free(cctx->term); + free(cctx); error("%s: malformed message", __func__); return -1; } - xfree(reserved); + free(reserved); reserved = NULL; while (buffer_len(m) > 0) { @@ -346,7 +341,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) if ((cp = buffer_get_string_ret(m, &len)) == NULL) goto malf; if (!env_permitted(cp)) { - xfree(cp); + free(cp); continue; } cctx->env = xrealloc(cctx->env, env_len + 2, @@ -367,7 +362,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_init(&cctx->cmd); buffer_append(&cctx->cmd, cmd, strlen(cmd)); - xfree(cmd); + free(cmd); cmd = NULL; /* Gather fds from client */ @@ -378,12 +373,11 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) for (j = 0; j < i; j++) close(new_fd[j]); for (j = 0; j < env_len; j++) - xfree(cctx->env[j]); - if (env_len > 0) - xfree(cctx->env); - xfree(cctx->term); + free(cctx->env[j]); + free(cctx->env); + free(cctx->term); buffer_free(&cctx->cmd); - xfree(cctx); + free(cctx); /* prepare reply */ buffer_put_int(r, MUX_S_FAILURE); @@ -408,14 +402,14 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) close(new_fd[0]); close(new_fd[1]); close(new_fd[2]); - xfree(cctx->term); + free(cctx->term); if (env_len != 0) { for (i = 0; i < env_len; i++) - xfree(cctx->env[i]); - xfree(cctx->env); + free(cctx->env[i]); + free(cctx->env); } buffer_free(&cctx->cmd); - xfree(cctx); + free(cctx); return 0; } @@ -620,7 +614,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) buffer_put_int(&out, MUX_S_FAILURE); buffer_put_int(&out, fctx->rid); buffer_put_cstring(&out, failmsg); - xfree(failmsg); + free(failmsg); out: buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); buffer_free(&out); @@ -649,11 +643,11 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) } if (*fwd.listen_host == '\0') { - xfree(fwd.listen_host); + free(fwd.listen_host); fwd.listen_host = NULL; } if (*fwd.connect_host == '\0') { - xfree(fwd.connect_host); + free(fwd.connect_host); fwd.connect_host = NULL; } @@ -664,10 +658,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) ftype != MUX_FWD_DYNAMIC) { logit("%s: invalid forwarding type %u", __func__, ftype); invalid: - if (fwd.listen_host) - xfree(fwd.listen_host); - if (fwd.connect_host) - xfree(fwd.connect_host); + free(fwd.listen_host); + free(fwd.connect_host); buffer_put_int(r, MUX_S_FAILURE); buffer_put_int(r, rid); buffer_put_cstring(r, "Invalid forwarding request"); @@ -769,13 +761,10 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_int(r, MUX_S_OK); buffer_put_int(r, rid); out: - if (fwd_desc != NULL) - xfree(fwd_desc); + free(fwd_desc); if (freefwd) { - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(fwd.listen_host); + free(fwd.connect_host); } return ret; } @@ -801,11 +790,11 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) } if (*fwd.listen_host == '\0') { - xfree(fwd.listen_host); + free(fwd.listen_host); fwd.listen_host = NULL; } if (*fwd.connect_host == '\0') { - xfree(fwd.connect_host); + free(fwd.connect_host); fwd.connect_host = NULL; } @@ -862,10 +851,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_int(r, MUX_S_OK); buffer_put_int(r, rid); - if (found_fwd->listen_host != NULL) - xfree(found_fwd->listen_host); - if (found_fwd->connect_host != NULL) - xfree(found_fwd->connect_host); + free(found_fwd->listen_host); + free(found_fwd->connect_host); found_fwd->listen_host = found_fwd->connect_host = NULL; found_fwd->listen_port = found_fwd->connect_port = 0; } else { @@ -874,12 +861,9 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) buffer_put_cstring(r, error_reason); } out: - if (fwd_desc != NULL) - xfree(fwd_desc); - if (fwd.listen_host != NULL) - xfree(fwd.listen_host); - if (fwd.connect_host != NULL) - xfree(fwd.connect_host); + free(fwd_desc); + free(fwd.listen_host); + free(fwd.connect_host); return ret; } @@ -896,14 +880,12 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || (chost = buffer_get_string_ret(m, NULL)) == NULL || buffer_get_int_ret(&cport, m) != 0) { - if (reserved != NULL) - xfree(reserved); - if (chost != NULL) - xfree(chost); + free(reserved); + free(chost); error("%s: malformed message", __func__); return -1; } - xfree(reserved); + free(reserved); debug2("%s: channel %d: request stdio fwd to %s:%u", __func__, c->self, chost, cport); @@ -915,7 +897,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) __func__, i); for (j = 0; j < i; j++) close(new_fd[j]); - xfree(chost); + free(chost); /* prepare reply */ buffer_put_int(r, MUX_S_FAILURE); @@ -939,7 +921,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) cleanup: close(new_fd[0]); close(new_fd[1]); - xfree(chost); + free(chost); return 0; } @@ -1001,7 +983,7 @@ process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r) if (mux_listener_channel != NULL) { channel_free(mux_listener_channel); client_stop_mux(); - xfree(options.control_path); + free(options.control_path); options.control_path = NULL; mux_listener_channel = NULL; muxserver_sock = -1; @@ -1198,8 +1180,8 @@ muxserver_listen(void) close(muxserver_sock); muxserver_sock = -1; } - xfree(orig_control_path); - xfree(options.control_path); + free(orig_control_path); + free(options.control_path); options.control_path = NULL; options.control_master = SSHCTL_MASTER_NO; return; @@ -1224,7 +1206,7 @@ muxserver_listen(void) goto disable_mux_master; } unlink(options.control_path); - xfree(options.control_path); + free(options.control_path); options.control_path = orig_control_path; set_nonblock(muxserver_sock); @@ -1309,13 +1291,13 @@ mux_session_confirm(int id, int success, void *arg) cc->mux_pause = 0; /* start processing messages again */ c->open_confirm_ctx = NULL; buffer_free(&cctx->cmd); - xfree(cctx->term); + free(cctx->term); if (cctx->env != NULL) { for (i = 0; cctx->env[i] != NULL; i++) - xfree(cctx->env[i]); - xfree(cctx->env); + free(cctx->env[i]); + free(cctx->env); } - xfree(cctx); + free(cctx); } /* ** Multiplexing client support */ @@ -1499,8 +1481,8 @@ mux_client_hello_exchange(int fd) char *value = buffer_get_string(&m, NULL); debug2("Unrecognised master extension \"%s\"", name); - xfree(name); - xfree(value); + free(name); + free(value); } buffer_free(&m); return 0; @@ -1609,7 +1591,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd) fwd_desc = format_forward(ftype, fwd); debug("Requesting %s %s", cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); - xfree(fwd_desc); + free(fwd_desc); buffer_init(&m); buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD); diff --git a/packet.c b/packet.c index a64bbae3c..84ebd81d5 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.185 2013/05/16 04:09:13 dtucker Exp $ */ +/* $OpenBSD: packet.c,v 1.186 2013/05/17 00:13:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -766,13 +766,13 @@ set_newkeys(int mode) memset(enc->iv, 0, enc->iv_len); memset(enc->key, 0, enc->key_len); memset(mac->key, 0, mac->key_len); - xfree(enc->name); - xfree(enc->iv); - xfree(enc->key); - xfree(mac->name); - xfree(mac->key); - xfree(comp->name); - xfree(active_state->newkeys[mode]); + free(enc->name); + free(enc->iv); + free(enc->key); + free(mac->name); + free(mac->key); + free(comp->name); + free(active_state->newkeys[mode]); } active_state->newkeys[mode] = kex_get_newkeys(mode); if (active_state->newkeys[mode] == NULL) @@ -1023,7 +1023,7 @@ packet_send2(void) memcpy(&active_state->outgoing_packet, &p->payload, sizeof(Buffer)); TAILQ_REMOVE(&active_state->outgoing, p, next); - xfree(p); + free(p); packet_send2_wrapped(); } } @@ -1073,7 +1073,7 @@ packet_read_seqnr(u_int32_t *seqnr_p) packet_check_eom(); /* If we got a packet, return it. */ if (type != SSH_MSG_NONE) { - xfree(setp); + free(setp); return type; } /* @@ -1460,9 +1460,9 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) packet_get_char(); msg = packet_get_string(NULL); debug("Remote: %.900s", msg); - xfree(msg); + free(msg); msg = packet_get_string(NULL); - xfree(msg); + free(msg); break; case SSH2_MSG_DISCONNECT: reason = packet_get_int(); @@ -1473,7 +1473,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, "Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); - xfree(msg); + free(msg); cleanup_exit(255); break; case SSH2_MSG_UNIMPLEMENTED: @@ -1492,7 +1492,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) case SSH_MSG_DEBUG: msg = packet_get_string(NULL); debug("Remote: %.900s", msg); - xfree(msg); + free(msg); break; case SSH_MSG_DISCONNECT: msg = packet_get_string(NULL); @@ -1780,7 +1780,7 @@ packet_write_wait(void) } packet_write_poll(); } - xfree(setp); + free(setp); } /* Returns true if there is buffered data to write to the connection. */ diff --git a/readconf.c b/readconf.c index 30c1e83bd..45cf910fe 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.201 2013/05/16 10:43:34 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.202 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -308,22 +308,20 @@ clear_forwardings(Options *options) int i; for (i = 0; i < options->num_local_forwards; i++) { - if (options->local_forwards[i].listen_host != NULL) - xfree(options->local_forwards[i].listen_host); - xfree(options->local_forwards[i].connect_host); + free(options->local_forwards[i].listen_host); + free(options->local_forwards[i].connect_host); } if (options->num_local_forwards > 0) { - xfree(options->local_forwards); + free(options->local_forwards); options->local_forwards = NULL; } options->num_local_forwards = 0; for (i = 0; i < options->num_remote_forwards; i++) { - if (options->remote_forwards[i].listen_host != NULL) - xfree(options->remote_forwards[i].listen_host); - xfree(options->remote_forwards[i].connect_host); + free(options->remote_forwards[i].listen_host); + free(options->remote_forwards[i].connect_host); } if (options->num_remote_forwards > 0) { - xfree(options->remote_forwards); + free(options->remote_forwards); options->remote_forwards = NULL; } options->num_remote_forwards = 0; @@ -1456,7 +1454,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) i = 0; /* failure */ } - xfree(p); + free(p); if (dynamicfwd) { if (!(i == 1 || i == 2)) @@ -1482,13 +1480,9 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd) return (i); fail_free: - if (fwd->connect_host != NULL) { - xfree(fwd->connect_host); - fwd->connect_host = NULL; - } - if (fwd->listen_host != NULL) { - xfree(fwd->listen_host); - fwd->listen_host = NULL; - } + free(fwd->connect_host); + fwd->connect_host = NULL; + free(fwd->listen_host); + fwd->listen_host = NULL; return (0); } diff --git a/readpass.c b/readpass.c index 599c8ef9a..e37d31158 100644 --- a/readpass.c +++ b/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.48 2010/12/15 00:49:27 djm Exp $ */ +/* $OpenBSD: readpass.c,v 1.49 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -186,7 +186,7 @@ ask_permission(const char *fmt, ...) if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0) allowed = 1; - xfree(p); + free(p); } return (allowed); diff --git a/roaming_client.c b/roaming_client.c index 48009d781..81c496827 100644 --- a/roaming_client.c +++ b/roaming_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: roaming_client.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -187,10 +187,10 @@ roaming_resume(void) debug("server doesn't allow resume"); goto fail; } - xfree(str); + free(str); for (i = 1; i < PROPOSAL_MAX; i++) { /* kex algorithm taken care of so start with i=1 and not 0 */ - xfree(packet_get_string(&len)); + free(packet_get_string(&len)); } i = packet_get_char(); /* first_kex_packet_follows */ if (i && (c = strchr(kexlist, ','))) @@ -226,8 +226,7 @@ roaming_resume(void) return 0; fail: - if (kexlist) - xfree(kexlist); + free(kexlist); if (packet_get_connection_in() == packet_get_connection_out()) close(packet_get_connection_in()); else { diff --git a/rsa.c b/rsa.c index bec1d190b..a9ee6b0ed 100644 --- a/rsa.c +++ b/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: rsa.c,v 1.30 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -96,8 +96,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) memset(outbuf, 0, olen); memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); + free(outbuf); + free(inbuf); } int @@ -122,8 +122,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) } memset(outbuf, 0, olen); memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); + free(outbuf); + free(inbuf); return len; } diff --git a/schnorr.c b/schnorr.c index 05c2e7758..9549dcf0e 100644 --- a/schnorr.c +++ b/schnorr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: schnorr.c,v 1.6 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: schnorr.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2008 Damien Miller. All rights reserved. * @@ -102,7 +102,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g, out: buffer_free(&b); bzero(digest, digest_len); - xfree(digest); + free(digest); digest_len = 0; if (success == 0) return h; @@ -573,7 +573,7 @@ modp_group_free(struct modp_group *grp) if (grp->q != NULL) BN_clear_free(grp->q); bzero(grp, sizeof(*grp)); - xfree(grp); + free(grp); } /* main() function for self-test */ @@ -608,7 +608,7 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q, if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4, sig, siglen) != 0) fatal("%s: verify should have failed (bit error)", __func__); - xfree(sig); + free(sig); BN_free(g_x); BN_CTX_free(bn_ctx); } diff --git a/scp.c b/scp.c index ae3d38802..32e9d00b2 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.172 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -578,7 +578,7 @@ toremote(char *targ, int argc, char **argv) } if (tuser != NULL && !okname(tuser)) { - xfree(arg); + free(arg); return; } @@ -605,13 +605,13 @@ toremote(char *targ, int argc, char **argv) *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) exit(1); - (void) xfree(bp); + free(bp); host = cleanhostname(thost); xasprintf(&bp, "%s -t %s%s", cmd, *targ == '-' ? "-- " : "", targ); if (do_cmd2(host, tuser, bp, remin, remout) < 0) exit(1); - (void) xfree(bp); + free(bp); (void) close(remin); (void) close(remout); remin = remout = -1; @@ -662,12 +662,12 @@ toremote(char *targ, int argc, char **argv) exit(1); if (response() < 0) exit(1); - (void) xfree(bp); + free(bp); } source(1, argv + i); } } - xfree(arg); + free(arg); } void @@ -711,11 +711,11 @@ tolocal(int argc, char **argv) xasprintf(&bp, "%s -f %s%s", cmd, *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) { - (void) xfree(bp); + free(bp); ++errs; continue; } - xfree(bp); + free(bp); sink(1, argv + argc - 1); (void) close(remin); remin = remout = -1; @@ -1023,8 +1023,7 @@ sink(int argc, char **argv) need = strlen(targ) + strlen(cp) + 250; if (need > cursize) { - if (namebuf) - xfree(namebuf); + free(namebuf); namebuf = xmalloc(need); cursize = need; } @@ -1063,8 +1062,7 @@ sink(int argc, char **argv) } if (mod_flag) (void) chmod(vect[0], mode); - if (vect[0]) - xfree(vect[0]); + free(vect[0]); continue; } omode = mode; diff --git a/servconf.c b/servconf.c index 90f6d4653..36b8efecf 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.238 2013/05/16 10:44:06 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.239 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -520,7 +520,7 @@ derelativise_path(const char *path) if (getcwd(cwd, sizeof(cwd)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); xasprintf(&ret, "%s/%s", cwd, expanded); - xfree(expanded); + free(expanded); return ret; } @@ -1713,8 +1713,7 @@ int server_match_spec_complete(struct connection_info *ci) } while (0) #define M_CP_STROPT(n) do {\ if (src->n != NULL) { \ - if (dst->n != NULL) \ - xfree(dst->n); \ + free(dst->n); \ dst->n = src->n; \ } \ } while(0) @@ -1798,7 +1797,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, linenum++, &active, connectinfo) != 0) bad_options++; } - xfree(obuf); + free(obuf); if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); diff --git a/serverloop.c b/serverloop.c index a61d4ad32..7c250b22f 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.166 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.167 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -694,7 +694,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) /* Display list of open channels. */ cp = channel_open_message(); buffer_append(&stderr_buffer, cp, strlen(cp)); - xfree(cp); + free(cp); } } max_fd = MAX(connection_in, connection_out); @@ -722,10 +722,8 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) /* Process output to the client and to program stdin. */ process_output(writeset); } - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* Cleanup and termination code. */ @@ -885,10 +883,8 @@ server_loop2(Authctxt *authctxt) } collect_children(); - if (readset) - xfree(readset); - if (writeset) - xfree(writeset); + free(readset); + free(writeset); /* free all channels, no more reads and writes */ channel_free_all(); @@ -923,7 +919,7 @@ server_input_stdin_data(int type, u_int32_t seq, void *ctxt) packet_check_eom(); buffer_append(&stdin_buffer, data, data_len); memset(data, 0, data_len); - xfree(data); + free(data); } static void @@ -980,8 +976,8 @@ server_request_direct_tcpip(void) originator, originator_port, target, target_port); } - xfree(originator); - xfree(target); + free(originator); + free(target); return c; } @@ -1110,7 +1106,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt) } packet_send(); } - xfree(ctype); + free(ctype); } static void @@ -1155,7 +1151,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) listen_address, listen_port, &allocated_listen_port, options.gateway_ports); } - xfree(listen_address); + free(listen_address); } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { char *cancel_address; u_short cancel_port; @@ -1167,7 +1163,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) success = channel_cancel_rport_listener(cancel_address, cancel_port); - xfree(cancel_address); + free(cancel_address); } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { no_more_sessions = 1; success = 1; @@ -1180,7 +1176,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) packet_send(); packet_write_wait(); } - xfree(rtype); + free(rtype); } static void @@ -1212,7 +1208,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt) packet_put_int(c->remote_id); packet_send(); } - xfree(rtype); + free(rtype); } static void diff --git a/session.c b/session.c index 4c4461ded..f47cc1788 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.264 2013/04/19 01:03:01 djm Exp $ */ +/* $OpenBSD: session.c,v 1.265 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -199,7 +199,7 @@ auth_input_request_forwarding(struct passwd * pw) packet_send_debug("Agent forwarding disabled: " "mkdtemp() failed: %.100s", strerror(errno)); restore_uid(); - xfree(auth_sock_dir); + free(auth_sock_dir); auth_sock_dir = NULL; goto authsock_err; } @@ -244,11 +244,10 @@ auth_input_request_forwarding(struct passwd * pw) return 1; authsock_err: - if (auth_sock_name != NULL) - xfree(auth_sock_name); + free(auth_sock_name); if (auth_sock_dir != NULL) { rmdir(auth_sock_dir); - xfree(auth_sock_dir); + free(auth_sock_dir); } if (sock != -1) close(sock); @@ -364,8 +363,8 @@ do_authenticated1(Authctxt *authctxt) packet_check_eom(); success = session_setup_x11fwd(s); if (!success) { - xfree(s->auth_proto); - xfree(s->auth_data); + free(s->auth_proto); + free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } @@ -412,7 +411,7 @@ do_authenticated1(Authctxt *authctxt) if (do_exec(s, command) != 0) packet_disconnect( "command execution failed"); - xfree(command); + free(command); } else { if (do_exec(s, NULL) != 0) packet_disconnect( @@ -977,7 +976,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, break; if (env[i]) { /* Reuse the slot. */ - xfree(env[i]); + free(env[i]); } else { /* New variable. Expand if necessary. */ envsize = *envsizep; @@ -1219,8 +1218,8 @@ do_setup_env(Session *s, const char *shell) child_set_env(&env, &envsize, str, str + i + 1); } custom_environment = ce->next; - xfree(ce->s); - xfree(ce); + free(ce->s); + free(ce); } } @@ -1232,7 +1231,7 @@ do_setup_env(Session *s, const char *shell) laddr = get_local_ipaddr(packet_get_connection_in()); snprintf(buf, sizeof buf, "%.50s %d %.50s %d", get_remote_ipaddr(), get_remote_port(), laddr, get_local_port()); - xfree(laddr); + free(laddr); child_set_env(&env, &envsize, "SSH_CONNECTION", buf); if (s->ttyfd != -1) @@ -1403,7 +1402,7 @@ do_nologin(struct passwd *pw) #endif if (stat(nl, &sb) == -1) { if (nl != def_nl) - xfree(nl); + free(nl); return; } @@ -2054,7 +2053,7 @@ session_pty_req(Session *s) s->ypixel = packet_get_int(); if (strcmp(s->term, "") == 0) { - xfree(s->term); + free(s->term); s->term = NULL; } @@ -2062,8 +2061,7 @@ session_pty_req(Session *s) debug("Allocating pty."); if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) { - if (s->term) - xfree(s->term); + free(s->term); s->term = NULL; s->ptyfd = -1; s->ttyfd = -1; @@ -2124,7 +2122,7 @@ session_subsystem_req(Session *s) logit("subsystem request for %.100s failed, subsystem not found", subsys); - xfree(subsys); + free(subsys); return success; } @@ -2146,8 +2144,8 @@ session_x11_req(Session *s) success = session_setup_x11fwd(s); if (!success) { - xfree(s->auth_proto); - xfree(s->auth_data); + free(s->auth_proto); + free(s->auth_data); s->auth_proto = NULL; s->auth_data = NULL; } @@ -2169,7 +2167,7 @@ session_exec_req(Session *s) char *command = packet_get_string(&len); packet_check_eom(); success = do_exec(s, command) == 0; - xfree(command); + free(command); return success; } @@ -2215,8 +2213,8 @@ session_env_req(Session *s) debug2("Ignoring env request %s: disallowed name", name); fail: - xfree(name); - xfree(val); + free(name); + free(val); return (0); } @@ -2398,24 +2396,16 @@ session_close_single_x11(int id, void *arg) if (s->x11_chanids[i] != id) session_close_x11(s->x11_chanids[i]); } - xfree(s->x11_chanids); + free(s->x11_chanids); s->x11_chanids = NULL; - if (s->display) { - xfree(s->display); - s->display = NULL; - } - if (s->auth_proto) { - xfree(s->auth_proto); - s->auth_proto = NULL; - } - if (s->auth_data) { - xfree(s->auth_data); - s->auth_data = NULL; - } - if (s->auth_display) { - xfree(s->auth_display); - s->auth_display = NULL; - } + free(s->display); + s->display = NULL; + free(s->auth_proto); + s->auth_proto = NULL; + free(s->auth_data); + s->auth_data = NULL; + free(s->auth_display); + s->auth_display = NULL; } static void @@ -2477,24 +2467,18 @@ session_close(Session *s) debug("session_close: session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) session_pty_cleanup(s); - if (s->term) - xfree(s->term); - if (s->display) - xfree(s->display); - if (s->x11_chanids) - xfree(s->x11_chanids); - if (s->auth_display) - xfree(s->auth_display); - if (s->auth_data) - xfree(s->auth_data); - if (s->auth_proto) - xfree(s->auth_proto); + free(s->term); + free(s->display); + free(s->x11_chanids); + free(s->auth_display); + free(s->auth_data); + free(s->auth_proto); if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { - xfree(s->env[i].name); - xfree(s->env[i].val); + free(s->env[i].name); + free(s->env[i].val); } - xfree(s->env); + free(s->env); } session_proctitle(s); session_unused(s->self); diff --git a/sftp-client.c b/sftp-client.c index 85f2bd444..038e1c347 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.97 2012/07/02 12:13:26 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.98 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -394,8 +394,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, } else { debug2("Unrecognised server extension \"%s\"", name); } - xfree(name); - xfree(value); + free(name); + free(value); } buffer_free(&msg); @@ -509,7 +509,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, error("Couldn't read directory: %s", fx2txt(status)); do_close(conn, handle, handle_len); - xfree(handle); + free(handle); buffer_free(&msg); return(status); } @@ -552,14 +552,14 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag, (*dir)[++ents] = NULL; } next: - xfree(filename); - xfree(longname); + free(filename); + free(longname); } } buffer_free(&msg); do_close(conn, handle, handle_len); - xfree(handle); + free(handle); /* Don't return partial matches on interrupt */ if (interrupted && dir != NULL && *dir != NULL) { @@ -582,11 +582,11 @@ void free_sftp_dirents(SFTP_DIRENT **s) int i; for (i = 0; s[i]; i++) { - xfree(s[i]->filename); - xfree(s[i]->longname); - xfree(s[i]); + free(s[i]->filename); + free(s[i]->longname); + free(s[i]); } - xfree(s); + free(s); } int @@ -760,7 +760,7 @@ do_realpath(struct sftp_conn *conn, char *path) debug3("SSH_FXP_REALPATH %s -> %s size %lu", path, filename, (unsigned long)a->size); - xfree(longname); + free(longname); buffer_free(&msg); @@ -907,7 +907,7 @@ do_readlink(struct sftp_conn *conn, char *path) debug3("SSH_FXP_READLINK %s -> %s", path, filename); - xfree(longname); + free(longname); buffer_free(&msg); @@ -1057,7 +1057,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, local_path, strerror(errno)); do_close(conn, handle, handle_len); buffer_free(&msg); - xfree(handle); + free(handle); return(-1); } @@ -1121,7 +1121,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, read_error = 1; max_req = 0; TAILQ_REMOVE(&requests, req, tq); - xfree(req); + free(req); num_req--; break; case SSH2_FXP_DATA: @@ -1140,11 +1140,11 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, max_req = 0; } progress_counter += len; - xfree(data); + free(data); if (len == req->len) { TAILQ_REMOVE(&requests, req, tq); - xfree(req); + free(req); num_req--; } else { /* Resend the request for the missing data */ @@ -1220,7 +1220,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, } close(local_fd); buffer_free(&msg); - xfree(handle); + free(handle); return(status); } @@ -1292,8 +1292,8 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, } else logit("%s: not a regular file\n", new_src); - xfree(new_dst); - xfree(new_src); + free(new_dst); + free(new_src); } if (pflag) { @@ -1329,7 +1329,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst, ret = download_dir_internal(conn, src_canon, dst, dirattrib, pflag, printflag, 0); - xfree(src_canon); + free(src_canon); return ret; } @@ -1481,7 +1481,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, debug3("In write loop, ack for %u %u bytes at %lld", ack->id, ack->len, (long long)ack->offset); ++ackid; - xfree(ack); + free(ack); } offset += len; if (offset < 0) @@ -1491,7 +1491,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (showprogress) stop_progress_meter(); - xfree(data); + free(data); if (status != SSH2_FX_OK) { error("Couldn't write to remote file \"%s\": %s", @@ -1511,7 +1511,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, if (do_close(conn, handle, handle_len) != SSH2_FX_OK) status = -1; - xfree(handle); + free(handle); return status; } @@ -1597,8 +1597,8 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, } } else logit("%s: not a regular file\n", filename); - xfree(new_dst); - xfree(new_src); + free(new_dst); + free(new_src); } do_setstat(conn, dst, &a); @@ -1620,7 +1620,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int printflag, } ret = upload_dir_internal(conn, src, dst_canon, pflag, printflag, 0); - xfree(dst_canon); + free(dst_canon); return ret; } diff --git a/sftp-common.c b/sftp-common.c index a042875c6..413efc209 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.23 2010/01/15 09:24:23 markus Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -128,8 +128,8 @@ decode_attrib(Buffer *b) type = buffer_get_string(b, NULL); data = buffer_get_string(b, NULL); debug3("Got file attribute \"%s\"", type); - xfree(type); - xfree(data); + free(type); + free(data); } } return &a; diff --git a/sftp-glob.c b/sftp-glob.c index 06bf157ca..79b7bdb2f 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */ +/* $OpenBSD: sftp-glob.c,v 1.24 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -51,7 +51,7 @@ fudge_opendir(const char *path) r = xmalloc(sizeof(*r)); if (do_readdir(cur.conn, (char *)path, &r->dir)) { - xfree(r); + free(r); return(NULL); } @@ -103,7 +103,7 @@ static void fudge_closedir(struct SFTP_OPENDIR *od) { free_sftp_dirents(od->dir); - xfree(od); + free(od); } static int diff --git a/sftp-server.c b/sftp-server.c index cce074a56..285f21aaf 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.96 2013/01/04 19:26:38 jmc Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.97 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -319,11 +319,11 @@ handle_close(int handle) if (handle_is_ok(handle, HANDLE_FILE)) { ret = close(handles[handle].fd); - xfree(handles[handle].name); + free(handles[handle].name); handle_unused(handle); } else if (handle_is_ok(handle, HANDLE_DIR)) { ret = closedir(handles[handle].dirp); - xfree(handles[handle].name); + free(handles[handle].name); handle_unused(handle); } else { errno = ENOENT; @@ -367,7 +367,7 @@ get_handle(void) handle = get_string(&hlen); if (hlen < 256) val = handle_from_string(handle, hlen); - xfree(handle); + free(handle); return val; } @@ -450,7 +450,7 @@ send_handle(u_int32_t id, int handle) handle_to_string(handle, &string, &hlen); debug("request %u: sent handle handle %d", id, handle); send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen); - xfree(string); + free(string); } static void @@ -578,7 +578,7 @@ process_open(void) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(name); + free(name); } static void @@ -679,7 +679,7 @@ process_write(void) } } send_status(id, status); - xfree(data); + free(data); } static void @@ -705,7 +705,7 @@ process_do_stat(int do_lstat) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(name); + free(name); } static void @@ -807,7 +807,7 @@ process_setstat(void) status = errno_to_portable(errno); } send_status(id, status); - xfree(name); + free(name); } static void @@ -904,7 +904,7 @@ process_opendir(void) } if (status != SSH2_FX_OK) send_status(id, status); - xfree(path); + free(path); } static void @@ -953,13 +953,13 @@ process_readdir(void) if (count > 0) { send_names(id, count, stats); for (i = 0; i < count; i++) { - xfree(stats[i].name); - xfree(stats[i].long_name); + free(stats[i].name); + free(stats[i].long_name); } } else { send_status(id, SSH2_FX_EOF); } - xfree(stats); + free(stats); } } @@ -982,7 +982,7 @@ process_remove(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(name); + free(name); } static void @@ -1007,7 +1007,7 @@ process_mkdir(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(name); + free(name); } static void @@ -1028,7 +1028,7 @@ process_rmdir(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(name); + free(name); } static void @@ -1041,7 +1041,7 @@ process_realpath(void) id = get_int(); path = get_string(NULL); if (path[0] == '\0') { - xfree(path); + free(path); path = xstrdup("."); } debug3("request %u: realpath", id); @@ -1054,7 +1054,7 @@ process_realpath(void) s.name = s.long_name = resolvedname; send_names(id, 1, &s); } - xfree(path); + free(path); } static void @@ -1115,8 +1115,8 @@ process_rename(void) status = SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1141,7 +1141,7 @@ process_readlink(void) s.name = s.long_name = buf; send_names(id, 1, &s); } - xfree(path); + free(path); } static void @@ -1164,8 +1164,8 @@ process_symlink(void) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1185,8 +1185,8 @@ process_extended_posix_rename(u_int32_t id) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1203,7 +1203,7 @@ process_extended_statvfs(u_int32_t id) send_status(id, errno_to_portable(errno)); else send_statvfs(id, &st); - xfree(path); + free(path); } static void @@ -1242,8 +1242,8 @@ process_extended_hardlink(u_int32_t id) status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; } send_status(id, status); - xfree(oldpath); - xfree(newpath); + free(oldpath); + free(newpath); } static void @@ -1264,7 +1264,7 @@ process_extended(void) process_extended_hardlink(id); else send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ - xfree(request); + free(request); } /* stolen from ssh-agent */ diff --git a/sftp.c b/sftp.c index 12c4958d9..a723fa643 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.144 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.145 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -309,7 +309,7 @@ local_do_ls(const char *args) /* XXX: quoting - rip quoting code from ftp? */ snprintf(buf, len, _PATH_LS " %s", args); local_do_shell(buf); - xfree(buf); + free(buf); } } @@ -340,7 +340,7 @@ make_absolute(char *p, char *pwd) /* Derelativise */ if (p && p[0] != '/') { abs_str = path_append(pwd, p); - xfree(p); + free(p); return(abs_str); } else return(p); @@ -550,7 +550,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); - xfree(tmp); + free(tmp); err = -1; goto out; } @@ -566,7 +566,7 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } else { abs_dst = xstrdup(filename); } - xfree(tmp); + free(tmp); if (!quiet) printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); @@ -579,12 +579,12 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, pflag || global_pflag) == -1) err = -1; } - xfree(abs_dst); + free(abs_dst); abs_dst = NULL; } out: - xfree(abs_src); + free(abs_src); globfree(&g); return(err); } @@ -636,7 +636,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); - xfree(tmp); + free(tmp); err = -1; goto out; } @@ -652,7 +652,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } else { abs_dst = make_absolute(xstrdup(filename), pwd); } - xfree(tmp); + free(tmp); if (!quiet) printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); @@ -668,10 +668,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, } out: - if (abs_dst) - xfree(abs_dst); - if (tmp_dst) - xfree(tmp_dst); + free(abs_dst); + free(tmp_dst); globfree(&g); return(err); } @@ -719,7 +717,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) /* Add any subpath that also needs to be counted */ tmp = path_strip(path, strip_path); m += strlen(tmp); - xfree(tmp); + free(tmp); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) width = ws.ws_col; @@ -745,7 +743,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) tmp = path_append(path, d[n]->filename); fname = path_strip(tmp, strip_path); - xfree(tmp); + free(tmp); if (lflag & LS_LONG_VIEW) { if (lflag & (LS_NUMERIC_VIEW|LS_SI_UNITS)) { @@ -757,7 +755,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) lname = ls_file(fname, &sb, 1, (lflag & LS_SI_UNITS)); printf("%s\n", lname); - xfree(lname); + free(lname); } else printf("%s\n", d[n]->longname); } else { @@ -769,7 +767,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) c++; } - xfree(fname); + free(fname); } if (!(lflag & LS_LONG_VIEW) && (c != 1)) @@ -839,7 +837,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, lname = ls_file(fname, g.gl_statv[i], 1, (lflag & LS_SI_UNITS)); printf("%s\n", lname); - xfree(lname); + free(lname); } else { printf("%-*s", colspace, fname); if (c >= columns) { @@ -848,7 +846,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, } else c++; } - xfree(fname); + free(fname); } if (!(lflag & LS_LONG_VIEW) && (c != 1)) @@ -1365,24 +1363,24 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, break; } if ((aa = do_stat(conn, tmp, 0)) == NULL) { - xfree(tmp); + free(tmp); err = 1; break; } if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { error("Can't change directory: Can't check target"); - xfree(tmp); + free(tmp); err = 1; break; } if (!S_ISDIR(aa->perm)) { error("Can't change directory: \"%s\" is not " "a directory", tmp); - xfree(tmp); + free(tmp); err = 1; break; } - xfree(*pwd); + free(*pwd); *pwd = tmp; break; case I_LS: @@ -1515,10 +1513,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, if (g.gl_pathc) globfree(&g); - if (path1) - xfree(path1); - if (path2) - xfree(path2); + free(path1); + free(path2); /* If an unignored error occurs in batch mode we should abort. */ if (err_abort && err != 0) @@ -1628,8 +1624,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, complete_display(list, 0); for (y = 0; list[y] != NULL; y++) - xfree(list[y]); - xfree(list); + free(list[y]); + free(list); return count; } @@ -1642,7 +1638,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, list[count] = NULL; if (count == 0) { - xfree(list); + free(list); return 0; } @@ -1652,8 +1648,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, complete_display(list, 0); for (y = 0; list[y]; y++) - xfree(list[y]); - xfree(list); + free(list[y]); + free(list); if (tmp != NULL) { tmplen = strlen(tmp); @@ -1674,7 +1670,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (y > 0 && el_insertstr(el, argterm) == -1) fatal("el_insertstr failed."); } - xfree(tmp); + free(tmp); } return count; @@ -1738,7 +1734,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (tmp[tmplen] == '/') pwdlen = tmplen + 1; /* track last seen '/' */ } - xfree(tmp); + free(tmp); if (g.gl_matchc == 0) goto out; @@ -1753,7 +1749,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc); tmp = path_strip(tmp2, isabs ? NULL : remote_path); - xfree(tmp2); + free(tmp2); if (tmp == NULL) goto out; @@ -1815,7 +1811,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (i > 0 && el_insertstr(el, ins) == -1) fatal("el_insertstr failed."); } - xfree(tmp); + free(tmp); out: globfree(&g); @@ -1841,7 +1837,7 @@ complete(EditLine *el, int ch) memcpy(line, lf->buffer, cursor); line[cursor] = '\0'; argv = makeargv(line, &carg, 1, "e, &terminated); - xfree(line); + free(line); /* Get all the arguments on the line */ len = lf->lastchar - lf->buffer; @@ -1853,7 +1849,7 @@ complete(EditLine *el, int ch) /* Ensure cursor is at EOL or a argument boundary */ if (line[cursor] != ' ' && line[cursor] != '\0' && line[cursor] != '\n') { - xfree(line); + free(line); return ret; } @@ -1881,7 +1877,7 @@ complete(EditLine *el, int ch) ret = CC_REDISPLAY; } - xfree(line); + free(line); return ret; } #endif /* USE_LIBEDIT */ @@ -1938,9 +1934,9 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); if (parse_dispatch_command(conn, cmd, &remote_path, 1) != 0) { - xfree(dir); - xfree(remote_path); - xfree(conn); + free(dir); + free(remote_path); + free(conn); return (-1); } } else { @@ -1953,12 +1949,12 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) err = parse_dispatch_command(conn, cmd, &remote_path, 1); - xfree(dir); - xfree(remote_path); - xfree(conn); + free(dir); + free(remote_path); + free(conn); return (err); } - xfree(dir); + free(dir); } setlinebuf(stdout); @@ -2016,8 +2012,8 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) if (err != 0) break; } - xfree(remote_path); - xfree(conn); + free(remote_path); + free(conn); #ifdef USE_LIBEDIT if (el != NULL) diff --git a/ssh-add.c b/ssh-add.c index 008084704..5e8166f66 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.106 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -90,7 +90,7 @@ clear_pass(void) { if (pass) { memset(pass, 0, strlen(pass)); - xfree(pass); + free(pass); pass = NULL; } } @@ -215,7 +215,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) pass = read_passphrase(msg, RP_ALLOW_STDIN); if (strcmp(pass, "") == 0) { clear_pass(); - xfree(comment); + free(comment); buffer_free(&keyblob); return -1; } @@ -282,8 +282,8 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) fprintf(stderr, "The user must confirm each use of the key\n"); out: if (certpath != NULL) - xfree(certpath); - xfree(comment); + free(certpath); + free(comment); key_free(private); return ret; @@ -308,7 +308,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) add ? "add" : "remove", id); ret = -1; } - xfree(pin); + free(pin); return ret; } @@ -330,14 +330,14 @@ list_identities(AuthenticationConnection *ac, int do_fp) SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); - xfree(fp); + free(fp); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); } key_free(key); - xfree(comment); + free(comment); } } if (!had_identities) { @@ -363,7 +363,7 @@ lock_agent(AuthenticationConnection *ac, int lock) passok = 0; } memset(p2, 0, strlen(p2)); - xfree(p2); + free(p2); } if (passok && ssh_lock_agent(ac, lock, p1)) { fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un"); @@ -371,7 +371,7 @@ lock_agent(AuthenticationConnection *ac, int lock) } else fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un"); memset(p1, 0, strlen(p1)); - xfree(p1); + free(p1); return (ret); } diff --git a/ssh-agent.c b/ssh-agent.c index b9498e6ef..3f94851eb 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.172 2011/06/03 01:37:40 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -172,10 +172,9 @@ static void free_identity(Identity *id) { key_free(id->key); - if (id->provider != NULL) - xfree(id->provider); - xfree(id->comment); - xfree(id); + free(id->provider); + free(id->comment); + free(id); } /* return matching private key for given public key */ @@ -203,7 +202,7 @@ confirm_key(Identity *id) if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", id->comment, p)) ret = 0; - xfree(p); + free(p); return (ret); } @@ -230,7 +229,7 @@ process_request_identities(SocketEntry *e, int version) u_int blen; key_to_blob(id->key, &blob, &blen); buffer_put_string(&msg, blob, blen); - xfree(blob); + free(blob); } buffer_put_cstring(&msg, id->comment); } @@ -348,10 +347,9 @@ process_sign_request2(SocketEntry *e) buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg)); buffer_free(&msg); - xfree(data); - xfree(blob); - if (signature != NULL) - xfree(signature); + free(data); + free(blob); + free(signature); datafellows = odatafellows; } @@ -378,7 +376,7 @@ process_remove_identity(SocketEntry *e, int version) case 2: blob = buffer_get_string(&e->request, &blen); key = key_from_blob(blob, blen); - xfree(blob); + free(blob); break; } if (key != NULL) { @@ -509,7 +507,7 @@ process_add_identity(SocketEntry *e, int version) cert = buffer_get_string(&e->request, &len); if ((k = key_from_blob(cert, len)) == NULL) fatal("Certificate parse failed"); - xfree(cert); + free(cert); key_add_private(k); buffer_get_bignum2(&e->request, k->dsa->priv_key); break; @@ -520,7 +518,7 @@ process_add_identity(SocketEntry *e, int version) curve = buffer_get_string(&e->request, NULL); if (k->ecdsa_nid != key_curve_name_to_nid(curve)) fatal("%s: curve names mismatch", __func__); - xfree(curve); + free(curve); k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); if (k->ecdsa == NULL) fatal("%s: EC_KEY_new_by_curve_name failed", @@ -551,7 +549,7 @@ process_add_identity(SocketEntry *e, int version) cert = buffer_get_string(&e->request, &len); if ((k = key_from_blob(cert, len)) == NULL) fatal("Certificate parse failed"); - xfree(cert); + free(cert); key_add_private(k); if ((exponent = BN_new()) == NULL) fatal("%s: BN_new failed", __func__); @@ -583,7 +581,7 @@ process_add_identity(SocketEntry *e, int version) cert = buffer_get_string(&e->request, &len); if ((k = key_from_blob(cert, len)) == NULL) fatal("Certificate parse failed"); - xfree(cert); + free(cert); key_add_private(k); buffer_get_bignum2(&e->request, k->rsa->d); buffer_get_bignum2(&e->request, k->rsa->iqmp); @@ -591,11 +589,11 @@ process_add_identity(SocketEntry *e, int version) buffer_get_bignum2(&e->request, k->rsa->q); break; default: - xfree(type_name); + free(type_name); buffer_clear(&e->request); goto send; } - xfree(type_name); + free(type_name); break; } /* enable blinding */ @@ -613,7 +611,7 @@ process_add_identity(SocketEntry *e, int version) } comment = buffer_get_string(&e->request, NULL); if (k == NULL) { - xfree(comment); + free(comment); goto send; } while (buffer_len(&e->request)) { @@ -627,7 +625,7 @@ process_add_identity(SocketEntry *e, int version) default: error("process_add_identity: " "Unknown constraint type %d", type); - xfree(comment); + free(comment); key_free(k); goto send; } @@ -643,7 +641,7 @@ process_add_identity(SocketEntry *e, int version) tab->nentries++; } else { key_free(k); - xfree(id->comment); + free(id->comment); } id->comment = comment; id->death = death; @@ -665,7 +663,7 @@ process_lock_agent(SocketEntry *e, int lock) if (locked && !lock && strcmp(passwd, lock_passwd) == 0) { locked = 0; memset(lock_passwd, 0, strlen(lock_passwd)); - xfree(lock_passwd); + free(lock_passwd); lock_passwd = NULL; success = 1; } else if (!locked && lock) { @@ -674,7 +672,7 @@ process_lock_agent(SocketEntry *e, int lock) success = 1; } memset(passwd, 0, strlen(passwd)); - xfree(passwd); + free(passwd); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, @@ -747,12 +745,9 @@ process_add_smartcard_key(SocketEntry *e) keys[i] = NULL; } send: - if (pin) - xfree(pin); - if (provider) - xfree(provider); - if (keys) - xfree(keys); + free(pin); + free(provider); + free(keys); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -768,7 +763,7 @@ process_remove_smartcard_key(SocketEntry *e) provider = buffer_get_string(&e->request, NULL); pin = buffer_get_string(&e->request, NULL); - xfree(pin); + free(pin); for (version = 1; version < 3; version++) { tab = idtab_lookup(version); @@ -786,7 +781,7 @@ process_remove_smartcard_key(SocketEntry *e) else error("process_remove_smartcard_key:" " pkcs11_del_provider failed"); - xfree(provider); + free(provider); buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); @@ -951,10 +946,8 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); if (*fdrp == NULL || sz > *nallocp) { - if (*fdrp) - xfree(*fdrp); - if (*fdwp) - xfree(*fdwp); + free(*fdrp); + free(*fdwp); *fdrp = xmalloc(sz); *fdwp = xmalloc(sz); *nallocp = sz; diff --git a/ssh-dss.c b/ssh-dss.c index ede5e21e5..322ec9fd8 100644 --- a/ssh-dss.c +++ b/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.27 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -137,17 +137,17 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp("ssh-dss", ktype) != 0) { error("ssh_dss_verify: cannot handle type %s", ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("ssh_dss_verify: " "remaining bytes in signature %d", rlen); - xfree(sigblob); + free(sigblob); return -1; } } @@ -169,7 +169,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, /* clean up */ memset(sigblob, 0, len); - xfree(sigblob); + free(sigblob); /* sha1 the data */ EVP_DigestInit(&md, evp_md); diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 085468ee7..766338941 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */ +/* $OpenBSD: ssh-ecdsa.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -119,16 +119,16 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp(key_ssh_name_plain(key), ktype) != 0) { error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("%s: remaining bytes in signature %d", __func__, rlen); - xfree(sigblob); + free(sigblob); return -1; } @@ -149,7 +149,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, /* clean up */ memset(sigblob, 0, len); - xfree(sigblob); + free(sigblob); /* hash the data */ EVP_DigestInit(&md, evp_md); diff --git a/ssh-keygen.c b/ssh-keygen.c index 8acbcc493..f24387475 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.226 2013/04/19 01:01:00 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.227 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -252,7 +252,7 @@ load_identity(char *filename) RP_ALLOW_STDIN); prv = key_load_private(filename, pass, NULL); memset(pass, 0, strlen(pass)); - xfree(pass); + free(pass); } return prv; } @@ -288,7 +288,7 @@ do_convert_to_ssh2(struct passwd *pw, Key *k) dump_base64(stdout, blob, len); fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); key_free(k); - xfree(blob); + free(blob); exit(0); } @@ -415,12 +415,12 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) debug("ignore (%d %d %d %d)", i1, i2, i3, i4); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); - xfree(cipher); + free(cipher); buffer_free(&b); - xfree(type); + free(type); return NULL; } - xfree(cipher); + free(cipher); if (strstr(type, "dsa")) { ktype = KEY_DSA; @@ -428,11 +428,11 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) ktype = KEY_RSA; } else { buffer_free(&b); - xfree(type); + free(type); return NULL; } key = key_new_private(ktype); - xfree(type); + free(type); switch (key->type) { case KEY_DSA: @@ -475,7 +475,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) /* try the key */ key_sign(key, &sig, &slen, data, sizeof(data)); key_verify(key, sig, slen, data, sizeof(data)); - xfree(sig); + free(sig); return key; } @@ -746,15 +746,15 @@ do_download(struct passwd *pw) fp, key_type(keys[i])); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { key_write(keys[i], stdout); fprintf(stdout, "\n"); } key_free(keys[i]); } - xfree(keys); + free(keys); pkcs11_terminate(); exit(0); #else @@ -791,13 +791,13 @@ do_fingerprint(struct passwd *pw) if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); key_free(public); - xfree(comment); - xfree(ra); - xfree(fp); + free(comment); + free(ra); + free(fp); exit(0); } if (comment) { - xfree(comment); + free(comment); comment = NULL; } @@ -856,8 +856,8 @@ do_fingerprint(struct passwd *pw) comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); key_free(public); invalid = 0; } @@ -980,8 +980,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) fatal("hash_host failed"); @@ -1007,7 +1007,7 @@ do_known_hosts(struct passwd *pw, const char *name) if (strlcpy(identity_file, cp, sizeof(identity_file)) >= sizeof(identity_file)) fatal("Specified known hosts path too long"); - xfree(cp); + free(cp); have_identity = 1; } if ((in = fopen(identity_file, "r")) == NULL) @@ -1238,7 +1238,7 @@ do_change_passphrase(struct passwd *pw) private = key_load_private(identity_file, old_passphrase, &comment); memset(old_passphrase, 0, strlen(old_passphrase)); - xfree(old_passphrase); + free(old_passphrase); if (private == NULL) { printf("Bad passphrase.\n"); exit(1); @@ -1261,30 +1261,30 @@ do_change_passphrase(struct passwd *pw) if (strcmp(passphrase1, passphrase2) != 0) { memset(passphrase1, 0, strlen(passphrase1)); memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase1); - xfree(passphrase2); + free(passphrase1); + free(passphrase2); printf("Pass phrases do not match. Try again.\n"); exit(1); } /* Destroy the other copy. */ memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase2); + free(passphrase2); } /* Save the file using the new passphrase. */ if (!key_save_private(private, identity_file, passphrase1, comment)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); key_free(private); - xfree(comment); + free(comment); exit(1); } /* Destroy the passphrase and the copy of the key in memory. */ memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); key_free(private); /* Destroys contents */ - xfree(comment); + free(comment); printf("Your identification has been saved with the new passphrase.\n"); exit(0); @@ -1312,11 +1312,11 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname) if (public != NULL) { export_dns_rr(hname, public, stdout, print_generic); key_free(public); - xfree(comment); + free(comment); return 1; } if (comment) - xfree(comment); + free(comment); printf("failed to read v2 public key from %s.\n", fname); exit(1); @@ -1354,7 +1354,7 @@ do_change_comment(struct passwd *pw) private = key_load_private(identity_file, passphrase, &comment); if (private == NULL) { memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); printf("Bad passphrase.\n"); exit(1); } @@ -1385,13 +1385,13 @@ do_change_comment(struct passwd *pw) if (!key_save_private(private, identity_file, passphrase, new_comment)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); key_free(private); - xfree(comment); + free(comment); exit(1); } memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); public = key_from_private(private); key_free(private); @@ -1412,7 +1412,7 @@ do_change_comment(struct passwd *pw) fprintf(f, " %s\n", new_comment); fclose(f); - xfree(comment); + free(comment); printf("The comment in your key file has been changed.\n"); exit(0); @@ -1529,7 +1529,7 @@ load_pkcs11_key(char *path) } key_free(keys[i]); } - xfree(keys); + free(keys); key_free(public); return private; #else @@ -1573,7 +1573,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) fatal("No PKCS#11 key matching %s found", ca_key_path); } else if ((ca = load_identity(tmp)) == NULL) fatal("Couldn't load CA key \"%s\"", tmp); - xfree(tmp); + free(tmp); for (i = 0; i < argc; i++) { /* Split list of principals */ @@ -1586,7 +1586,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if (*(plist[n] = xstrdup(cp)) == '\0') fatal("Empty principal name"); } - xfree(otmp); + free(otmp); } tmp = tilde_expand_filename(argv[i], pw->pw_uid); @@ -1624,7 +1624,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0) *cp = '\0'; xasprintf(&out, "%s-cert.pub", tmp); - xfree(tmp); + free(tmp); if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) fatal("Could not open \"%s\" for writing: %s", out, @@ -1647,7 +1647,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) } key_free(public); - xfree(out); + free(out); } pkcs11_terminate(); exit(0); @@ -1744,7 +1744,7 @@ parse_cert_times(char *timespec) if (cert_valid_to <= cert_valid_from) fatal("Empty certificate validity interval"); - xfree(from); + free(from); } static void @@ -1822,13 +1822,13 @@ show_options(const Buffer *optbuf, int v00, int in_critical) strcmp(name, "source-address") == 0)) { data = buffer_get_string(&option, NULL); printf(" %s\n", data); - xfree(data); + free(data); } else { printf(" UNKNOWN OPTION (len %u)\n", buffer_len(&option)); buffer_clear(&option); } - xfree(name); + free(name); if (buffer_len(&option) != 0) fatal("Option corrupt: extra data at end"); } @@ -2064,7 +2064,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); if ((ca = key_load_public(tmp, NULL)) == NULL) fatal("Cannot load CA public key %s", tmp); - xfree(tmp); + free(tmp); } if (updating) @@ -2602,14 +2602,14 @@ passphrase_again: */ memset(passphrase1, 0, strlen(passphrase1)); memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase1); - xfree(passphrase2); + free(passphrase1); + free(passphrase2); printf("Passphrases do not match. Try again.\n"); goto passphrase_again; } /* Clear the other copy of the passphrase. */ memset(passphrase2, 0, strlen(passphrase2)); - xfree(passphrase2); + free(passphrase2); } if (identity_comment) { @@ -2623,12 +2623,12 @@ passphrase_again: if (!key_save_private(private, identity_file, passphrase1, comment)) { printf("Saving the key failed: %s.\n", identity_file); memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); exit(1); } /* Clear the passphrase. */ memset(passphrase1, 0, strlen(passphrase1)); - xfree(passphrase1); + free(passphrase1); /* Clear the private key and the random number generator. */ key_free(private); @@ -2663,8 +2663,8 @@ passphrase_again: printf("%s %s\n", fp, comment); printf("The key's randomart image is:\n"); printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } key_free(public); diff --git a/ssh-keyscan.c b/ssh-keyscan.c index c9de130f4..8b807c10a 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.86 2012/04/11 13:34:17 djm Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.87 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -263,7 +263,7 @@ keygrab_ssh2(con *c) exit(1); } nonfatal_fatal = 0; - xfree(c->c_kex); + free(c->c_kex); c->c_kex = NULL; packet_close(); @@ -329,7 +329,7 @@ conalloc(char *iname, char *oname, int keytype) do { name = xstrsep(&namelist, ","); if (!name) { - xfree(namebase); + free(namebase); return (-1); } } while ((s = tcpconnect(name)) < 0); @@ -363,10 +363,10 @@ confree(int s) if (s >= maxfd || fdcon[s].c_status == CS_UNUSED) fatal("confree: attempt to free bad fdno %d", s); close(s); - xfree(fdcon[s].c_namebase); - xfree(fdcon[s].c_output_name); + free(fdcon[s].c_namebase); + free(fdcon[s].c_output_name); if (fdcon[s].c_status == CS_KEYS) - xfree(fdcon[s].c_data); + free(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; fdcon[s].c_keytype = 0; TAILQ_REMOVE(&tq, &fdcon[s], c_link); @@ -553,8 +553,8 @@ conloop(void) } else if (FD_ISSET(i, r)) conread(i); } - xfree(r); - xfree(e); + free(r); + free(e); c = TAILQ_FIRST(&tq); while (c && (c->c_tv.tv_sec < now.tv_sec || diff --git a/ssh-keysign.c b/ssh-keysign.c index 1deb7e141..9a6653c7c 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.36 2011/02/16 00:31:14 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.37 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -78,7 +78,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, p = buffer_get_string(&b, &len); if (len != 20 && len != 32) fail++; - xfree(p); + free(p); if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; @@ -90,13 +90,13 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, p = buffer_get_string(&b, NULL); if (strcmp("ssh-connection", p) != 0) fail++; - xfree(p); + free(p); /* method */ p = buffer_get_string(&b, NULL); if (strcmp("hostbased", p) != 0) fail++; - xfree(p); + free(p); /* pubkey */ pkalg = buffer_get_string(&b, NULL); @@ -109,8 +109,8 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, fail++; else if (key->type != pktype) fail++; - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); /* client host name, handle trailing dot */ p = buffer_get_string(&b, &len); @@ -121,14 +121,14 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, fail++; else if (strncasecmp(host, p, len - 1) != 0) fail++; - xfree(p); + free(p); /* local user */ p = buffer_get_string(&b, NULL); if (strcmp(pw->pw_name, p) != 0) fail++; - xfree(p); + free(p); /* end of message */ if (buffer_len(&b) != 0) @@ -233,7 +233,7 @@ main(int argc, char **argv) data = buffer_get_string(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); - xfree(host); + free(host); found = 0; for (i = 0; i < NUM_KEYTYPES; i++) { @@ -248,7 +248,7 @@ main(int argc, char **argv) if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) fatal("key_sign failed"); - xfree(data); + free(data); /* send reply */ buffer_clear(&b); diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 82b11daf5..6c9f9d2c1 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */ +/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -121,7 +121,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, from, flen); buffer_put_int(&msg, 0); - xfree(blob); + free(blob); send_msg(&msg); buffer_clear(&msg); @@ -131,7 +131,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, memcpy(to, signature, slen); ret = slen; } - xfree(signature); + free(signature); } buffer_free(&msg); return (ret); @@ -205,11 +205,11 @@ pkcs11_add_provider(char *name, char *pin, Key ***keysp) *keysp = xcalloc(nkeys, sizeof(Key *)); for (i = 0; i < nkeys; i++) { blob = buffer_get_string(&msg, &blen); - xfree(buffer_get_string(&msg, NULL)); + free(buffer_get_string(&msg, NULL)); k = key_from_blob(blob, blen); wrap_key(k->rsa); (*keysp)[i] = k; - xfree(blob); + free(blob); } } else { nkeys = -1; diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 5c09f1221..39b2e7c56 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.5 2013/05/10 10:13:50 dtucker Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.6 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -79,7 +79,7 @@ del_keys_by_name(char *name) nxt = TAILQ_NEXT(ki, next); if (!strcmp(ki->providername, name)) { TAILQ_REMOVE(&pkcs11_keylist, ki, next); - xfree(ki->providername); + free(ki->providername); key_free(ki->key); free(ki); } @@ -130,15 +130,15 @@ process_add(void) key_to_blob(keys[i], &blob, &blen); buffer_put_string(&msg, blob, blen); buffer_put_cstring(&msg, name); - xfree(blob); + free(blob); add_key(keys[i], name); } - xfree(keys); + free(keys); } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } - xfree(pin); - xfree(name); + free(pin); + free(name); send_msg(&msg); buffer_free(&msg); } @@ -157,8 +157,8 @@ process_del(void) buffer_put_char(&msg, SSH_AGENT_SUCCESS); else buffer_put_char(&msg, SSH_AGENT_FAILURE); - xfree(pin); - xfree(name); + free(pin); + free(name); send_msg(&msg); buffer_free(&msg); } @@ -195,10 +195,9 @@ process_sign(void) } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } - xfree(data); - xfree(blob); - if (signature != NULL) - xfree(signature); + free(data); + free(blob); + free(signature); send_msg(&msg); buffer_free(&msg); } diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 1f4c1c8e4..a17326baa 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -120,9 +120,9 @@ pkcs11_provider_unref(struct pkcs11_provider *p) if (--p->refcount <= 0) { if (p->valid) error("pkcs11_provider_unref: %p still valid", p); - xfree(p->slotlist); - xfree(p->slotinfo); - xfree(p); + free(p->slotlist); + free(p->slotinfo); + free(p); } } @@ -180,9 +180,8 @@ pkcs11_rsa_finish(RSA *rsa) rv = k11->orig_finish(rsa); if (k11->provider) pkcs11_provider_unref(k11->provider); - if (k11->keyid) - xfree(k11->keyid); - xfree(k11); + free(k11->keyid); + free(k11); } return (rv); } @@ -266,11 +265,11 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, return (-1); /* bail out */ if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) != CKR_OK) { - xfree(pin); + free(pin); error("C_Login failed: %lu", rv); return (-1); } - xfree(pin); + free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid; @@ -470,7 +469,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, } } for (i = 0; i < 3; i++) - xfree(attribs[i].pValue); + free(attribs[i].pValue); } if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK) error("C_FindObjectsFinal failed: %lu", rv); @@ -579,11 +578,9 @@ fail: if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK) error("C_Finalize failed: %lu", rv); if (p) { - if (p->slotlist) - xfree(p->slotlist); - if (p->slotinfo) - xfree(p->slotinfo); - xfree(p); + free(p->slotlist); + free(p->slotinfo); + free(p); } if (handle) dlclose(handle); diff --git a/ssh-rsa.c b/ssh-rsa.c index c6355fa09..30f96abc2 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */ +/* $OpenBSD: ssh-rsa.c,v 1.46 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000, 2003 Markus Friedl * @@ -72,7 +72,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, error("ssh_rsa_sign: RSA_sign failed: %s", ERR_error_string(ecode, NULL)); - xfree(sig); + free(sig); return -1; } if (len < slen) { @@ -82,7 +82,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, memset(sig, 0, diff); } else if (len > slen) { error("ssh_rsa_sign: slen %u slen2 %u", slen, len); - xfree(sig); + free(sig); return -1; } /* encode signature */ @@ -98,7 +98,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, } buffer_free(&b); memset(sig, 's', slen); - xfree(sig); + free(sig); return 0; } @@ -131,23 +131,23 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, if (strcmp("ssh-rsa", ktype) != 0) { error("ssh_rsa_verify: cannot handle type %s", ktype); buffer_free(&b); - xfree(ktype); + free(ktype); return -1; } - xfree(ktype); + free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("ssh_rsa_verify: remaining bytes in signature %d", rlen); - xfree(sigblob); + free(sigblob); return -1; } /* RSA_verify expects a signature of RSA_size */ modlen = RSA_size(key->rsa); if (len > modlen) { error("ssh_rsa_verify: len %u > modlen %u", len, modlen); - xfree(sigblob); + free(sigblob); return -1; } else if (len < modlen) { u_int diff = modlen - len; @@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); - xfree(sigblob); + free(sigblob); return -1; } EVP_DigestInit(&md, evp_md); @@ -171,7 +171,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); memset(digest, 'd', sizeof(digest)); memset(sigblob, 's', len); - xfree(sigblob); + free(sigblob); debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); return ret; } @@ -262,7 +262,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen, } ret = 1; done: - if (decrypted) - xfree(decrypted); + free(decrypted); return ret; } diff --git a/ssh.c b/ssh.c index 534e7c6cf..0e96c9219 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.377 2013/04/19 11:10:18 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.378 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -226,7 +226,7 @@ tilde_expand_paths(char **paths, u_int num_paths) for (i = 0; i < num_paths; i++) { cp = tilde_expand_filename(paths[i], original_real_uid); - xfree(paths[i]); + free(paths[i]); paths[i] = cp; } } @@ -473,7 +473,7 @@ main(int ac, char **av) if (parse_forward(&fwd, optarg, 1, 0)) { stdio_forward_host = fwd.listen_host; stdio_forward_port = fwd.listen_port; - xfree(fwd.connect_host); + free(fwd.connect_host); } else { fprintf(stderr, "Bad stdio forwarding specification '%s'\n", @@ -601,7 +601,7 @@ main(int ac, char **av) line, "command-line", 0, &dummy, SSHCONF_USERCONF) != 0) exit(255); - xfree(line); + free(line); break; case 's': subsystem_flag = 1; @@ -688,7 +688,7 @@ main(int ac, char **av) fatal("Can't specify both -y and -E"); if (logfile != NULL) { log_redirect_stderr_to(logfile); - xfree(logfile); + free(logfile); } log_init(argv0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, @@ -778,7 +778,7 @@ main(int ac, char **av) "p", portstr, "u", pw->pw_name, "L", shorthost, (char *)NULL); debug3("expanded LocalCommand: %s", options.local_command); - xfree(cp); + free(cp); } /* force lowercase for hostkey matching */ @@ -790,24 +790,24 @@ main(int ac, char **av) if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) { - xfree(options.proxy_command); + free(options.proxy_command); options.proxy_command = NULL; } if (options.control_path != NULL && strcmp(options.control_path, "none") == 0) { - xfree(options.control_path); + free(options.control_path); options.control_path = NULL; } if (options.control_path != NULL) { cp = tilde_expand_filename(options.control_path, original_real_uid); - xfree(options.control_path); + free(options.control_path); options.control_path = percent_expand(cp, "h", host, "l", thishost, "n", host_arg, "r", options.user, "p", portstr, "u", pw->pw_name, "L", shorthost, (char *)NULL); - xfree(cp); + free(cp); } if (muxclient_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); @@ -958,13 +958,11 @@ main(int ac, char **av) sensitive_data.keys[i] = NULL; } } - xfree(sensitive_data.keys); + free(sensitive_data.keys); } for (i = 0; i < options.num_identity_files; i++) { - if (options.identity_files[i]) { - xfree(options.identity_files[i]); - options.identity_files[i] = NULL; - } + free(options.identity_files[i]); + options.identity_files[i] = NULL; if (options.identity_keys[i]) { key_free(options.identity_keys[i]); options.identity_keys[i] = NULL; @@ -1554,7 +1552,7 @@ load_public_identity_files(void) xstrdup(options.pkcs11_provider); /* XXX */ n_ids++; } - xfree(keys); + free(keys); } #endif /* ENABLE_PKCS11 */ if ((pw = getpwuid(original_real_uid)) == NULL) @@ -1567,7 +1565,7 @@ load_public_identity_files(void) for (i = 0; i < options.num_identity_files; i++) { if (n_ids >= SSH_MAX_IDENTITY_FILES || strcasecmp(options.identity_files[i], "none") == 0) { - xfree(options.identity_files[i]); + free(options.identity_files[i]); continue; } cp = tilde_expand_filename(options.identity_files[i], @@ -1575,11 +1573,11 @@ load_public_identity_files(void) filename = percent_expand(cp, "d", pwdir, "u", pwname, "l", thishost, "h", host, "r", options.user, (char *)NULL); - xfree(cp); + free(cp); public = key_load_public(filename, NULL); debug("identity file %s type %d", filename, public ? public->type : -1); - xfree(options.identity_files[i]); + free(options.identity_files[i]); identity_files[n_ids] = filename; identity_keys[n_ids] = public; @@ -1592,14 +1590,14 @@ load_public_identity_files(void) debug("identity file %s type %d", cp, public ? public->type : -1); if (public == NULL) { - xfree(cp); + free(cp); continue; } if (!key_is_cert(public)) { debug("%s: key %s type %s is not a certificate", __func__, cp, key_type(public)); key_free(public); - xfree(cp); + free(cp); continue; } identity_keys[n_ids] = public; @@ -1612,9 +1610,9 @@ load_public_identity_files(void) memcpy(options.identity_keys, identity_keys, sizeof(identity_keys)); bzero(pwname, strlen(pwname)); - xfree(pwname); + free(pwname); bzero(pwdir, strlen(pwdir)); - xfree(pwdir); + free(pwdir); } static void diff --git a/sshconnect.c b/sshconnect.c index cf0711285..483eb85ac 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.237 2013/02/22 19:13:56 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -112,7 +112,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) xasprintf(&tmp, "exec %s", proxy_command); command_string = percent_expand(tmp, "h", host, "p", strport, "r", options.user, (char *)NULL); - xfree(tmp); + free(tmp); /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) @@ -166,7 +166,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) close(pout[1]); /* Free the command name. */ - xfree(command_string); + free(command_string); /* Set the connection file descriptors. */ packet_set_connection(pout[0], pin[1]); @@ -315,7 +315,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, fatal("Bogus return (%d) from select()", rc); } - xfree(fdset); + free(fdset); done: if (result == 0 && *timeoutp > 0) { @@ -534,7 +534,7 @@ ssh_exchange_identification(int timeout_ms) debug("ssh_exchange_identification: %s", buf); } server_version_string = xstrdup(buf); - xfree(fdset); + free(fdset); /* * Check that the versions match. In future this might accept @@ -610,8 +610,7 @@ confirm(const char *prompt) ret = 0; if (p && strncasecmp(p, "yes", 3) == 0) ret = 1; - if (p) - xfree(p); + free(p); if (ret != -1) return ret; } @@ -835,8 +834,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, ra = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_RANDOMART); logit("Host key fingerprint is %s\n%s\n", fp, ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } break; case HOST_NEW: @@ -896,8 +895,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, options.visual_host_key ? "\n" : "", options.visual_host_key ? ra : "", msg2); - xfree(ra); - xfree(fp); + free(ra); + free(fp); if (!confirm(msg)) goto fail; } @@ -1098,8 +1097,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, } } - xfree(ip); - xfree(host); + free(ip); + free(host); if (host_hostkeys != NULL) free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) @@ -1121,8 +1120,8 @@ fail: } if (raw_key != NULL) key_free(raw_key); - xfree(ip); - xfree(host); + free(ip); + free(host); if (host_hostkeys != NULL) free_hostkeys(host_hostkeys); if (ip_hostkeys != NULL) @@ -1139,7 +1138,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); debug("Server host key: %s %s", key_type(host_key), fp); - xfree(fp); + free(fp); /* XXX certs are not yet supported for DNS */ if (!key_is_cert(host_key) && options.verify_host_key_dns && @@ -1204,7 +1203,7 @@ ssh_login(Sensitive *sensitive, const char *orighost, ssh_kex(host, hostaddr); ssh_userauth1(local_user, server_user, host, sensitive); } - xfree(local_user); + free(local_user); } void @@ -1222,7 +1221,7 @@ ssh_put_password(char *password) strlcpy(padded, password, size); packet_put_string(padded, size); memset(padded, 0, size); - xfree(padded); + free(padded); } /* print all known host keys for a given host, but skip keys of given type */ @@ -1249,8 +1248,8 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) key_type(found->key), fp); if (options.visual_host_key) logit("%s", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); ret = 1; } return ret; @@ -1273,7 +1272,7 @@ warn_changed_key(Key *host_key) key_type(host_key), fp); error("Please contact your system administrator."); - xfree(fp); + free(fp); } /* diff --git a/sshconnect1.c b/sshconnect1.c index fd07bbf74..d285e23c0 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.71 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -84,7 +84,7 @@ try_agent_authentication(void) /* Try this identity. */ debug("Trying RSA authentication via agent with '%.100s'", comment); - xfree(comment); + free(comment); /* Tell the server that we are willing to authenticate using this key. */ packet_start(SSH_CMSG_AUTH_RSA); @@ -231,7 +231,7 @@ try_rsa_authentication(int idx) */ if (type == SSH_SMSG_FAILURE) { debug("Server refused our key."); - xfree(comment); + free(comment); return 0; } /* Otherwise, the server should respond with a challenge. */ @@ -270,14 +270,14 @@ try_rsa_authentication(int idx) quit = 1; } memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); } } /* We no longer need the comment. */ - xfree(comment); + free(comment); if (private == NULL) { if (!options.batch_mode && perm_ok) @@ -412,7 +412,7 @@ try_challenge_response_authentication(void) packet_check_eom(); snprintf(prompt, sizeof prompt, "%s%s", challenge, strchr(challenge, '\n') ? "" : "\nResponse: "); - xfree(challenge); + free(challenge); if (i != 0) error("Permission denied, please try again."); if (options.cipher == SSH_CIPHER_NONE) @@ -420,13 +420,13 @@ try_challenge_response_authentication(void) "Response will be transmitted in clear text."); response = read_passphrase(prompt, 0); if (strcmp(response, "") == 0) { - xfree(response); + free(response); break; } packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); ssh_put_password(response); memset(response, 0, strlen(response)); - xfree(response); + free(response); packet_send(); packet_write_wait(); type = packet_read(); @@ -459,7 +459,7 @@ try_password_authentication(char *prompt) packet_start(SSH_CMSG_AUTH_PASSWORD); ssh_put_password(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); packet_send(); packet_write_wait(); diff --git a/sshconnect2.c b/sshconnect2.c index 7b83c591b..19ed3459f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.196 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.197 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -146,10 +146,10 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) if (*first != '\0') debug3("%s: prefer hostkeyalgs: %s", __func__, first); - xfree(first); - xfree(last); - xfree(hostname); - xfree(oavail); + free(first); + free(last); + free(hostname); + free(oavail); free_hostkeys(hostkeys); return ret; @@ -384,7 +384,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, if (packet_remaining() > 0) { char *reply = packet_get_string(NULL); debug2("service_accept: %s", reply); - xfree(reply); + free(reply); } else { debug2("buggy server: service_accept w/o service"); } @@ -431,15 +431,12 @@ userauth(Authctxt *authctxt, char *authlist) if (authctxt->method != NULL && authctxt->method->cleanup != NULL) authctxt->method->cleanup(authctxt); - if (authctxt->methoddata) { - xfree(authctxt->methoddata); - authctxt->methoddata = NULL; - } + free(authctxt->methoddata); + authctxt->methoddata = NULL; if (authlist == NULL) { authlist = authctxt->authlist; } else { - if (authctxt->authlist) - xfree(authctxt->authlist); + free(authctxt->authlist); authctxt->authlist = authlist; } for (;;) { @@ -487,10 +484,10 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt) msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH); fprintf(stderr, "%s", msg); - xfree(msg); + free(msg); } - xfree(raw); - xfree(lang); + free(raw); + free(lang); } /* ARGSUSED */ @@ -501,16 +498,12 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt) if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); - if (authctxt->authlist) { - xfree(authctxt->authlist); - authctxt->authlist = NULL; - } + free(authctxt->authlist); + authctxt->authlist = NULL; if (authctxt->method != NULL && authctxt->method->cleanup != NULL) authctxt->method->cleanup(authctxt); - if (authctxt->methoddata) { - xfree(authctxt->methoddata); - authctxt->methoddata = NULL; - } + free(authctxt->methoddata); + authctxt->methoddata = NULL; authctxt->success = 1; /* break out */ } @@ -599,7 +592,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) } fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); debug2("input_userauth_pk_ok: fp %s", fp); - xfree(fp); + free(fp); /* * search keys in the reverse order, because last candidate has been @@ -615,8 +608,8 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) done: if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); /* try another method if we did not send a packet */ if (sent == 0) @@ -754,7 +747,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) if (oidlen <= 2 || oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen - 2) { - xfree(oidv); + free(oidv); debug("Badly encoded mechanism OID received"); userauth(authctxt, NULL); return; @@ -765,7 +758,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) packet_check_eom(); - xfree(oidv); + free(oidv); if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) { /* Start again with next method on list */ @@ -794,7 +787,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) status = process_gssapi_token(ctxt, &recv_tok); - xfree(recv_tok.value); + free(recv_tok.value); if (GSS_ERROR(status)) { /* Start again with the next method in the list */ @@ -827,7 +820,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) (void)ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, &recv_tok, &send_tok, NULL); - xfree(recv_tok.value); + free(recv_tok.value); gss_release_buffer(&ms, &send_tok); /* Server will be returning a failed packet after this one */ @@ -848,8 +841,8 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) packet_check_eom(); debug("Server GSSAPI Error:\n%s", msg); - xfree(msg); - xfree(lang); + free(msg); + free(lang); } #endif /* GSSAPI */ @@ -890,7 +883,7 @@ userauth_passwd(Authctxt *authctxt) packet_put_char(0); packet_put_cstring(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); packet_add_padding(64); packet_send(); @@ -923,8 +916,8 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) lang = packet_get_string(NULL); if (strlen(info) > 0) logit("%s", info); - xfree(info); - xfree(lang); + free(info); + free(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); @@ -936,7 +929,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) password = read_passphrase(prompt, 0); packet_put_cstring(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); password = NULL; while (password == NULL) { snprintf(prompt, sizeof(prompt), @@ -953,16 +946,16 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) retype = read_passphrase(prompt, 0); if (strcmp(password, retype) != 0) { memset(password, 0, strlen(password)); - xfree(password); + free(password); logit("Mismatch; try again, EOF to quit."); password = NULL; } memset(retype, 0, strlen(retype)); - xfree(retype); + free(retype); } packet_put_cstring(password); memset(password, 0, strlen(password)); - xfree(password); + free(password); packet_add_padding(64); packet_send(); @@ -1017,13 +1010,13 @@ jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme, bzero(password, strlen(password)); bzero(crypted, strlen(crypted)); - xfree(password); - xfree(crypted); + free(password); + free(crypted); if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL) fatal("%s: BN_bin2bn (secret)", __func__); bzero(secret, secret_len); - xfree(secret); + free(secret); return ret; } @@ -1061,8 +1054,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt); bzero(crypt_scheme, strlen(crypt_scheme)); bzero(salt, strlen(salt)); - xfree(crypt_scheme); - xfree(salt); + free(crypt_scheme); + free(salt); JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__)); /* Calculate step 2 values */ @@ -1077,8 +1070,8 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) bzero(x3_proof, x3_proof_len); bzero(x4_proof, x4_proof_len); - xfree(x3_proof); - xfree(x4_proof); + free(x3_proof); + free(x4_proof); JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__)); @@ -1089,7 +1082,7 @@ input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt) packet_send(); bzero(x2_s_proof, x2_s_proof_len); - xfree(x2_s_proof); + free(x2_s_proof); /* Expect step 2 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, @@ -1129,7 +1122,7 @@ input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt) &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len); bzero(x4_s_proof, x4_s_proof_len); - xfree(x4_s_proof); + free(x4_s_proof); JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); @@ -1211,7 +1204,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); - xfree(fp); + free(fp); if (key_to_blob(id->key, &blob, &bloblen) == 0) { /* we cannot handle this key */ @@ -1246,7 +1239,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) ret = identity_sign(id, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { - xfree(blob); + free(blob); buffer_free(&b); return 0; } @@ -1266,11 +1259,11 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) buffer_put_cstring(&b, key_ssh_name(id->key)); buffer_put_string(&b, blob, bloblen); } - xfree(blob); + free(blob); /* append signature */ buffer_put_string(&b, signature, slen); - xfree(signature); + free(signature); /* skip session id and packet type */ if (buffer_len(&b) < skip + 1) @@ -1310,7 +1303,7 @@ send_pubkey_test(Authctxt *authctxt, Identity *id) if (!(datafellows & SSH_BUG_PKAUTH)) packet_put_cstring(key_ssh_name(id->key)); packet_put_string(blob, bloblen); - xfree(blob); + free(blob); packet_send(); return 1; } @@ -1347,7 +1340,7 @@ load_identity_file(char *filename, int userprovided) quit = 1; } memset(passphrase, 0, strlen(passphrase)); - xfree(passphrase); + free(passphrase); if (private != NULL || quit) break; debug2("bad passphrase given, try again..."); @@ -1424,7 +1417,7 @@ pubkey_prepare(Authctxt *authctxt) /* agent keys from the config file are preferred */ if (key_equal(key, id->key)) { key_free(key); - xfree(comment); + free(comment); TAILQ_REMOVE(&files, id, next); TAILQ_INSERT_TAIL(preferred, id, next); id->ac = ac; @@ -1470,9 +1463,8 @@ pubkey_cleanup(Authctxt *authctxt) TAILQ_REMOVE(&authctxt->keys, id, next); if (id->key) key_free(id->key); - if (id->filename) - xfree(id->filename); - xfree(id); + free(id->filename); + free(id); } } @@ -1570,9 +1562,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt) logit("%s", name); if (strlen(inst) > 0) logit("%s", inst); - xfree(name); - xfree(inst); - xfree(lang); + free(name); + free(inst); + free(lang); num_prompts = packet_get_int(); /* @@ -1593,8 +1585,8 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt) packet_put_cstring(response); memset(response, 0, strlen(response)); - xfree(response); - xfree(prompt); + free(response); + free(prompt); } packet_check_eom(); /* done with parsing incoming message. */ @@ -1714,12 +1706,12 @@ userauth_hostbased(Authctxt *authctxt) if (p == NULL) { error("userauth_hostbased: cannot get local ipaddr/name"); key_free(private); - xfree(blob); + free(blob); return 0; } xasprintf(&chost, "%s.", p); debug2("userauth_hostbased: chost %s", chost); - xfree(p); + free(p); service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; @@ -1748,9 +1740,9 @@ userauth_hostbased(Authctxt *authctxt) buffer_free(&b); if (ok != 0) { error("key_sign failed"); - xfree(chost); - xfree(pkalg); - xfree(blob); + free(chost); + free(pkalg); + free(blob); return 0; } packet_start(SSH2_MSG_USERAUTH_REQUEST); @@ -1763,10 +1755,10 @@ userauth_hostbased(Authctxt *authctxt) packet_put_cstring(authctxt->local_user); packet_put_string(signature, slen); memset(signature, 's', slen); - xfree(signature); - xfree(chost); - xfree(pkalg); - xfree(blob); + free(signature); + free(chost); + free(pkalg); + free(blob); packet_send(); return 1; @@ -1821,8 +1813,8 @@ userauth_jpake(Authctxt *authctxt) bzero(x1_proof, x1_proof_len); bzero(x2_proof, x2_proof_len); - xfree(x1_proof); - xfree(x2_proof); + free(x1_proof); + free(x2_proof); /* Expect step 1 packet from peer */ dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, @@ -1899,8 +1891,7 @@ authmethod_get(char *authlist) if (supported == NULL || strcmp(authlist, supported) != 0) { debug3("start over, passed a different list %s", authlist); - if (supported != NULL) - xfree(supported); + free(supported); supported = xstrdup(authlist); preferred = options.preferred_authentications; debug3("preferred %s", preferred); @@ -1921,7 +1912,7 @@ authmethod_get(char *authlist) authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); debug("Next authentication method: %s", name); - xfree(name); + free(name); return current; } } diff --git a/sshd.c b/sshd.c index df9d0d61e..069e95ff9 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.401 2013/05/16 09:08:41 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.402 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -973,7 +973,7 @@ recv_rexec_state(int fd, Buffer *conf) cp = buffer_get_string(&m, &len); if (conf != NULL) buffer_append(conf, cp, len + 1); - xfree(cp); + free(cp); if (buffer_get_int(&m)) { if (sensitive_data.server_key != NULL) @@ -1135,7 +1135,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) if (received_sighup) sighup_restart(); if (fdset != NULL) - xfree(fdset); + free(fdset); fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); @@ -1484,7 +1484,7 @@ main(int ac, char **av) if (process_server_config_line(&options, line, "command-line", 0, NULL, NULL) != 0) exit(1); - xfree(line); + free(line); break; case '?': default: @@ -1506,7 +1506,7 @@ main(int ac, char **av) /* If requested, redirect the logs to the specified logfile. */ if (logfile != NULL) { log_redirect_stderr_to(logfile); - xfree(logfile); + free(logfile); } /* * Force logging to stderr until we have loaded the private host @@ -2307,7 +2307,7 @@ do_ssh1_kex(void) MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); MD5_Final(session_key + 16, &md); memset(buf, 0, bytes); - xfree(buf); + free(buf); for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; } diff --git a/umac.c b/umac.c index 0567c37f9..fb66b8097 100644 --- a/umac.c +++ b/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -1209,7 +1209,7 @@ int umac_delete(struct umac_ctx *ctx) if (ctx) { if (ALLOC_BOUNDARY) ctx = (struct umac_ctx *)ctx->free_ptr; - xfree(ctx); + free(ctx); } return (1); } diff --git a/uuencode.c b/uuencode.c index 09d80d2fc..294c74304 100644 --- a/uuencode.c +++ b/uuencode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.c,v 1.26 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: uuencode.c,v 1.27 2013/05/17 00:13:14 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -29,6 +29,7 @@ #include #include #include +#include #include "xmalloc.h" #include "uuencode.h" @@ -67,7 +68,7 @@ uudecode(const char *src, u_char *target, size_t targsize) /* and remove trailing whitespace because __b64_pton needs this */ *p = '\0'; len = __b64_pton(encoded, target, targsize); - xfree(encoded); + free(encoded); return len; } @@ -90,5 +91,5 @@ dump_base64(FILE *fp, const u_char *data, u_int len) } if (i % 70 != 69) fprintf(fp, "\n"); - xfree(buf); + free(buf); } diff --git a/xmalloc.c b/xmalloc.c index 9985b4cc2..92f781fd0 100644 --- a/xmalloc.c +++ b/xmalloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: xmalloc.c,v 1.28 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -73,14 +73,6 @@ xrealloc(void *ptr, size_t nmemb, size_t size) return new_ptr; } -void -xfree(void *ptr) -{ - if (ptr == NULL) - fatal("xfree: NULL pointer given as argument"); - free(ptr); -} - char * xstrdup(const char *str) { diff --git a/xmalloc.h b/xmalloc.h index fb217a45c..261dfd612 100644 --- a/xmalloc.h +++ b/xmalloc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: xmalloc.h,v 1.14 2013/05/17 00:13:14 djm Exp $ */ /* * Author: Tatu Ylonen @@ -19,7 +19,6 @@ void *xmalloc(size_t); void *xcalloc(size_t, size_t); void *xrealloc(void *, size_t, size_t); -void xfree(void *); char *xstrdup(const char *); int xasprintf(char **, const char *, ...) __attribute__((__format__ (printf, 2, 3))) -- cgit v1.2.3 From 74836ae0fabcc1a76b9d9eacd1629c88a054b2d0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:32:00 +1000 Subject: - djm@cvs.openbsd.org 2013/05/19 02:38:28 [auth2-pubkey.c] fix failure to recognise cert-authority keys if a key of a different type appeared in authorized_keys before it; ok markus@ --- ChangeLog | 4 ++++ auth2-pubkey.c | 39 +++++++++++++++++++++++++++++++-------- 2 files changed, 35 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1de8ff835..c08e210be 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,10 @@ ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@ + - djm@cvs.openbsd.org 2013/05/19 02:38:28 + [auth2-pubkey.c] + fix failure to recognise cert-authority keys if a key of a different type + appeared in authorized_keys before it; ok markus@ 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 4c326df7a..45306f839 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.36 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -147,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + pubkey_auth_info(authctxt, key); + /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && @@ -187,6 +189,26 @@ done: return authenticated; } +void +pubkey_auth_info(Authctxt *authctxt, const Key *key) +{ + char *fp; + + if (key_is_cert(key)) { + fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); + auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s", + key_type(key), key->cert->key_id, + (unsigned long long)key->cert->serial, + key_type(key->cert->signature_key), fp); + free(fp); + } else { + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + auth_info(authctxt, "%s %s", key_type(key), fp); + free(fp); + } +} + static int match_principals_option(const char *principal_list, struct KeyCert *cert) { @@ -280,11 +302,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) char *fp; found_key = 0; - found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); + found = NULL; while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp, *key_options = NULL; - + if (found != NULL) + key_free(found); + found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); auth_clear_options(); /* Skip leading whitespace, empty and comment lines. */ @@ -362,16 +386,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) if (key_is_cert_authority) continue; found_key = 1; - debug("matching key found: file %s, line %lu", - file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(found), fp); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(found), fp); free(fp); break; } } - key_free(found); + if (found != NULL) + key_free(found); if (!found_key) debug2("key not found"); return found_key; -- cgit v1.2.3 From 0acca3797d53d958d240c69a5f222f2aa8444858 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:41:51 +1000 Subject: - djm@cvs.openbsd.org 2013/05/19 02:42:42 [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@ --- ChangeLog | 9 +++++++++ auth-rsa.c | 16 ++++++++-------- auth.c | 30 ++++++++++++++++++++++++++---- auth.h | 10 +++++++--- auth1.c | 35 ++++++++++++++++------------------- auth2.c | 4 ++-- key.c | 4 ++-- key.h | 4 ++-- monitor.c | 9 ++++----- 9 files changed, 76 insertions(+), 45 deletions(-) diff --git a/ChangeLog b/ChangeLog index c08e210be..d772486f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,15 @@ [auth2-pubkey.c] fix failure to recognise cert-authority keys if a key of a different type appeared in authorized_keys before it; ok markus@ + - djm@cvs.openbsd.org 2013/05/19 02:42:42 + [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] + Standardise logging of supplemental information during userauth. Keys + and ruser is now logged in the auth success/failure message alongside + the local username, remote host/port and protocol in use. Certificates + contents and CA are logged too. + Pushing all logging onto a single line simplifies log analysis as it is + no longer necessary to relate information scattered across multiple log + entries. "I like it" markus@ 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/auth-rsa.c b/auth-rsa.c index 748eaae09..92f0ad75c 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.82 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -164,7 +164,7 @@ static int rsa_key_allowed_in_file(struct passwd *pw, char *file, const BIGNUM *client_n, Key **rkey) { - char line[SSH_MAX_PUBKEY_BYTES]; + char *fp, line[SSH_MAX_PUBKEY_BYTES]; int allowed = 0; u_int bits; FILE *f; @@ -232,6 +232,11 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(key), fp); + free(fp); + /* Never accept a revoked key */ if (auth_key_is_revoked(key)) break; @@ -298,7 +303,6 @@ int auth_rsa(Authctxt *authctxt, BIGNUM *client_n) { Key *key; - char *fp; struct passwd *pw = authctxt->pw; /* no user given */ @@ -328,11 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) * options; this will be reset if the options cause the * authentication to be rejected. */ - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(key), fp); - free(fp); - key_free(key); + pubkey_auth_info(authctxt, key); packet_send_debug("RSA authentication accepted."); return (1); diff --git a/auth.c b/auth.c index ac126e6f3..9a36f1dac 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.102 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -72,6 +72,7 @@ #include "authfile.h" #include "monitor_wrap.h" #include "krl.h" +#include "compat.h" /* import */ extern ServerOptions options; @@ -251,9 +252,26 @@ allowed_user(struct passwd * pw) return 1; } +void +auth_info(Authctxt *authctxt, const char *fmt, ...) +{ + va_list ap; + int i; + + free(authctxt->info); + authctxt->info = NULL; + + va_start(ap, fmt); + i = vasprintf(&authctxt->info, fmt, ap); + va_end(ap); + + if (i < 0 || authctxt->info == NULL) + fatal("vasprintf failed"); +} + void auth_log(Authctxt *authctxt, int authenticated, int partial, - const char *method, const char *submethod, const char *info) + const char *method, const char *submethod) { void (*authlog) (const char *fmt,...) = verbose; char *authmsg; @@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, else authmsg = authenticated ? "Accepted" : "Failed"; - authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", + authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", authmsg, method, submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, @@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, authctxt->user, get_remote_ipaddr(), get_remote_port(), - info); + compat20 ? "ssh2" : "ssh1", + authctxt->info != NULL ? ": " : "", + authctxt->info != NULL ? authctxt->info : ""); + free(authctxt->info); + authctxt->info = NULL; #ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && !authctxt->postponed && diff --git a/auth.h b/auth.h index 7ff59f1ba..a406e1393 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.73 2013/03/07 19:27:25 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -60,6 +60,7 @@ struct Authctxt { struct passwd *pw; /* set if 'valid' */ char *style; void *kbdintctxt; + char *info; /* Extra info for next auth_log */ void *jpake_ctx; #ifdef BSD_AUTH auth_session_t *as; @@ -121,6 +122,7 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); +void pubkey_auth_info(Authctxt *, const Key *); struct stat; int auth_secure_path(const char *, struct stat *, const char *, uid_t, @@ -148,8 +150,10 @@ void disable_forwarding(void); void do_authentication(Authctxt *); void do_authentication2(Authctxt *); -void auth_log(Authctxt *, int, int, const char *, const char *, - const char *); +void auth_info(Authctxt *authctxt, const char *, ...) + __attribute__((__format__ (printf, 2, 3))) + __attribute__((__nonnull__ (2))); +void auth_log(Authctxt *, int, int, const char *, const char *); void userauth_finish(Authctxt *, int, const char *, const char *); int auth_root_allowed(const char *); diff --git a/auth1.c b/auth1.c index 238b3c9c3..3518fb1c6 100644 --- a/auth1.c +++ b/auth1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth1.c,v 1.78 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -45,11 +45,11 @@ extern ServerOptions options; extern Buffer loginmsg; -static int auth1_process_password(Authctxt *, char *, size_t); -static int auth1_process_rsa(Authctxt *, char *, size_t); -static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t); -static int auth1_process_tis_challenge(Authctxt *, char *, size_t); -static int auth1_process_tis_response(Authctxt *, char *, size_t); +static int auth1_process_password(Authctxt *); +static int auth1_process_rsa(Authctxt *); +static int auth1_process_rhosts_rsa(Authctxt *); +static int auth1_process_tis_challenge(Authctxt *); +static int auth1_process_tis_response(Authctxt *); static char *client_user = NULL; /* Used to fill in remote user for PAM */ @@ -57,7 +57,7 @@ struct AuthMethod1 { int type; char *name; int *enabled; - int (*method)(Authctxt *, char *, size_t); ++ int (*method)(Authctxt *); }; const struct AuthMethod1 auth1_methods[] = { @@ -112,7 +112,7 @@ get_authname(int type) /*ARGSUSED*/ static int -auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_password(Authctxt *authctxt) { int authenticated = 0; char *password; @@ -137,7 +137,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_rsa(Authctxt *authctxt) { int authenticated = 0; BIGNUM *n; @@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_rhosts_rsa(Authctxt *authctxt) { int keybits, authenticated = 0; u_int bits; @@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) client_host_key); key_free(client_host_key); - snprintf(info, infolen, " ruser %.100s", client_user); + auth_info(authctxt, "ruser %.100s", client_user); return (authenticated); } /*ARGSUSED*/ static int -auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_tis_challenge(Authctxt *authctxt) { char *challenge; @@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) /*ARGSUSED*/ static int -auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) +auth1_process_tis_response(Authctxt *authctxt) { int authenticated = 0; char *response; @@ -236,7 +236,6 @@ static void do_authloop(Authctxt *authctxt) { int authenticated = 0; - char info[1024]; int prev = 0, type = 0; const struct AuthMethod1 *meth; @@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt) #endif { auth_log(authctxt, 1, 0, "without authentication", - NULL, ""); + NULL); return; } } @@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt) /* default to fail */ authenticated = 0; - info[0] = '\0'; /* Get a packet from the client. */ prev = type; @@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt) goto skip; } - authenticated = meth->method(authctxt, info, sizeof(info)); + authenticated = meth->method(authctxt); if (authenticated == -1) continue; /* "postponed" */ @@ -353,8 +351,7 @@ do_authloop(Authctxt *authctxt) skip: /* Log before sending the reply */ - auth_log(authctxt, authenticated, 0, get_authname(type), - NULL, info); + auth_log(authctxt, authenticated, 0, get_authname(type), NULL); free(client_user); client_user = NULL; diff --git a/auth2.c b/auth2.c index 5f136ce09..f0cab8cc0 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.128 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -326,7 +326,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, } /* Log before sending the reply */ - auth_log(authctxt, authenticated, partial, method, submethod, " ssh2"); + auth_log(authctxt, authenticated, partial, method, submethod); if (authctxt->postponed) return; diff --git a/key.c b/key.c index 8183ec90e..55ee78998 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.103 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -569,7 +569,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) } char * -key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) +key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) { char *retval = NULL; u_char *dgst_raw; diff --git a/key.h b/key.h index f2e058e9e..17358ae1f 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.36 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -95,7 +95,7 @@ void key_free(Key *); Key *key_demote(const Key *); int key_equal_public(const Key *, const Key *); int key_equal(const Key *, const Key *); -char *key_fingerprint(Key *, enum fp_type, enum fp_rep); +char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); const char *key_type(const Key *); const char *key_cert_type(const Key *); diff --git a/monitor.c b/monitor.c index 132f60df9..6acb20259 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.124 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -422,8 +422,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) } if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { auth_log(authctxt, authenticated, partial, - auth_method, auth_submethod, - compat20 ? " ssh2" : ""); + auth_method, auth_submethod); if (!authenticated) authctxt->failures++; } @@ -1168,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m) case MM_USERKEY: allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); + pubkey_auth_info(authctxt, key); auth_method = "publickey"; if (options.pubkey_authentication && allowed != 1) auth_clear_options(); @@ -1207,8 +1207,7 @@ mm_answer_keyallowed(int sock, Buffer *m) hostbased_chost = chost; } else { /* Log failed attempt */ - auth_log(authctxt, 0, 0, auth_method, NULL, - compat20 ? " ssh2" : ""); + auth_log(authctxt, 0, 0, auth_method, NULL); free(blob); free(cuser); free(chost); -- cgit v1.2.3 From 55119253c64808b0d3b2ab5d2bc67ee9dac3430b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:43:59 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 [ssh-agent.c] Use time_t where appropriate. ok djm --- ChangeLog | 3 +++ ssh-agent.c | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index d772486f5..5689f03d4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@ + - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 + [ssh-agent.c] + Use time_t where appropriate. ok djm 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/ssh-agent.c b/ssh-agent.c index 3f94851eb..0fd9e0bb7 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.174 2013/05/31 12:28:10 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -106,7 +106,7 @@ typedef struct identity { Key *key; char *comment; char *provider; - u_int death; + time_t death; u_int confirm; } Identity; @@ -134,8 +134,8 @@ char *lock_passwd = NULL; extern char *__progname; -/* Default lifetime (0 == forever) */ -static int lifetime = 0; +/* Default lifetime in seconds (0 == forever) */ +static long lifetime = 0; static void close_socket(SocketEntry *e) @@ -428,10 +428,10 @@ process_remove_all_identities(SocketEntry *e, int version) } /* removes expired keys and returns number of seconds until the next expiry */ -static u_int +static time_t reaper(void) { - u_int deadline = 0, now = time(NULL); + time_t deadline = 0, now = time(NULL); Identity *id, *nxt; int version; Idtab *tab; @@ -463,8 +463,9 @@ process_add_identity(SocketEntry *e, int version) { Idtab *tab = idtab_lookup(version); Identity *id; - int type, success = 0, death = 0, confirm = 0; + int type, success = 0, confirm = 0; char *type_name, *comment; + time_t death = 0; Key *k = NULL; #ifdef OPENSSL_HAS_ECC BIGNUM *exponent; @@ -699,7 +700,8 @@ static void process_add_smartcard_key(SocketEntry *e) { char *provider = NULL, *pin; - int i, type, version, count = 0, success = 0, death = 0, confirm = 0; + int i, type, version, count = 0, success = 0, confirm = 0; + time_t death = 0; Key **keys = NULL, *k; Identity *id; Idtab *tab; @@ -926,9 +928,10 @@ static int prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp, struct timeval **tvpp) { - u_int i, sz, deadline; + u_int i, sz; int n = 0; static struct timeval tv; + time_t deadline; for (i = 0; i < sockets_alloc; i++) { switch (sockets[i].type) { -- cgit v1.2.3 From b759c9c2efebe7b416ab81093ca8eb17836b6933 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:46:16 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/01 13:15:52 [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c channels.c sandbox-systrace.c] Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@. --- ChangeLog | 6 ++++++ channels.c | 12 ++++++------ clientloop.c | 14 +++++++------- misc.c | 13 ++++++++++++- misc.h | 3 ++- packet.c | 10 +++++----- progressmeter.c | 6 +++--- sandbox-systrace.c | 3 ++- ssh-agent.c | 12 ++++++------ 9 files changed, 49 insertions(+), 30 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5689f03d4..891db12a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,12 @@ - dtucker@cvs.openbsd.org 2013/05/31 12:28:10 [ssh-agent.c] Use time_t where appropriate. ok djm + - dtucker@cvs.openbsd.org 2013/06/01 13:15:52 + [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c + channels.c sandbox-systrace.c] + Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like + keepalives and rekeying will work properly over clock steps. Suggested by + markus@, "looks good" djm@. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/channels.c b/channels.c index 6031394cc..d50a4a298 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.321 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.322 2013/06/01 13:15:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1335,7 +1335,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) errno != ECONNABORTED) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } set_nodelay(newsock); @@ -1482,7 +1482,7 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) errno != ECONNABORTED) error("accept: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } set_nodelay(newsock); @@ -1518,7 +1518,7 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) error("accept from auth socket: %.100s", strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } nc = channel_new("accepted auth socket", @@ -1922,7 +1922,7 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) &addrlen)) == -1) { error("%s accept: %s", __func__, strerror(errno)); if (errno == EMFILE || errno == ENFILE) - c->notbefore = time(NULL) + 1; + c->notbefore = monotime() + 1; return; } @@ -2085,7 +2085,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, channel_handler_init(); did_init = 1; } - now = time(NULL); + now = monotime(); if (unpause_secs != NULL) *unpause_secs = 0; for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { diff --git a/clientloop.c b/clientloop.c index 22138560b..4b071eb91 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.250 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.251 2013/06/01 13:15:51 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -273,7 +273,7 @@ set_control_persist_exit_time(void) control_persist_exit_time = 0; } else if (control_persist_exit_time <= 0) { /* a client connection has recently closed */ - control_persist_exit_time = time(NULL) + + control_persist_exit_time = monotime() + (time_t)options.control_persist_timeout; debug2("%s: schedule exit in %d seconds", __func__, options.control_persist_timeout); @@ -356,7 +356,7 @@ client_x11_get_proto(const char *display, const char *xauth_path, if (system(cmd) == 0) generated = 1; if (x11_refuse_time == 0) { - now = time(NULL) + 1; + now = monotime() + 1; if (UINT_MAX - timeout < now) x11_refuse_time = UINT_MAX; else @@ -581,7 +581,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, { struct timeval tv, *tvp; int timeout_secs; - time_t minwait_secs = 0, server_alive_time = 0, now = time(NULL); + time_t minwait_secs = 0, server_alive_time = 0, now = monotime(); int ret; /* Add any selections by the channel mechanism. */ @@ -676,7 +676,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, * Timeout. Could have been either keepalive or rekeying. * Keepalive we check here, rekeying is checked in clientloop. */ - if (server_alive_time != 0 && server_alive_time <= time(NULL)) + if (server_alive_time != 0 && server_alive_time <= monotime()) server_alive_check(); } @@ -1650,7 +1650,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) * connections, then quit. */ if (control_persist_exit_time > 0) { - if (time(NULL) >= control_persist_exit_time) { + if (monotime() >= control_persist_exit_time) { debug("ControlPersist timeout expired"); break; } @@ -1868,7 +1868,7 @@ client_request_x11(const char *request_type, int rchan) "malicious server."); return NULL; } - if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) { + if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { verbose("Rejected X11 connection after ForwardX11Timeout " "expired"); return NULL; diff --git a/misc.c b/misc.c index 4aa5fdc8b..cd45e9ecc 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.90 2013/06/01 13:15:52 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -854,6 +854,17 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } +time_t +monotime(void) +{ + struct timespec ts; + + if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) + fatal("clock_gettime: %s", strerror(errno)); + + return (ts.tv_sec); +} + void bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) { diff --git a/misc.h b/misc.h index f3142a95e..fceb30655 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */ +/* $OpenBSD: misc.h,v 1.49 2013/06/01 13:15:52 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -35,6 +35,7 @@ char *tohex(const void *, size_t); void sanitise_stdfd(void); void ms_subtract_diff(struct timeval *, int *); void ms_to_timeval(struct timeval *, int); +time_t monotime(void); void sock_set_v6only(int); struct passwd *pwcopy(struct passwd *); diff --git a/packet.c b/packet.c index 84ebd81d5..b25395d4b 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.186 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.187 2013/06/01 13:15:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1015,7 +1015,7 @@ packet_send2(void) /* after a NEWKEYS message we can send the complete queue */ if (type == SSH2_MSG_NEWKEYS) { active_state->rekeying = 0; - active_state->rekey_time = time(NULL); + active_state->rekey_time = monotime(); while ((p = TAILQ_FIRST(&active_state->outgoing))) { type = p->type; debug("dequeue packet: %u", type); @@ -1942,7 +1942,7 @@ packet_need_rekeying(void) (active_state->max_blocks_in && (active_state->p_read.blocks > active_state->max_blocks_in)) || (active_state->rekey_interval != 0 && active_state->rekey_time + - active_state->rekey_interval <= time(NULL)); + active_state->rekey_interval <= monotime()); } void @@ -1956,7 +1956,7 @@ packet_set_rekey_limits(u_int32_t bytes, time_t seconds) * We set the time here so that in post-auth privsep slave we count * from the completion of the authentication. */ - active_state->rekey_time = time(NULL); + active_state->rekey_time = monotime(); } time_t @@ -1965,7 +1965,7 @@ packet_get_rekey_timeout(void) time_t seconds; seconds = active_state->rekey_time + active_state->rekey_interval - - time(NULL); + monotime(); return (seconds <= 0 ? 1 : seconds); } diff --git a/progressmeter.c b/progressmeter.c index 0f95222d2..0e570e41a 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.38 2013/06/01 13:15:52 dtucker Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -131,7 +131,7 @@ refresh_progress_meter(void) transferred = *counter - cur_pos; cur_pos = *counter; - now = time(NULL); + now = monotime(); bytes_left = end_pos - cur_pos; if (bytes_left > 0) @@ -249,7 +249,7 @@ update_progress_meter(int ignore) void start_progress_meter(char *f, off_t filesize, off_t *ctr) { - start = last_update = time(NULL); + start = last_update = monotime(); file = f; end_pos = filesize; cur_pos = 0; diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 2d16a627f..cc0db46c4 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.6 2012/06/30 14:35:09 markus Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.7 2013/06/01 13:15:52 dtucker Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -57,6 +57,7 @@ static const struct sandbox_policy preauth_policy[] = { { SYS_exit, SYSTR_POLICY_PERMIT }, { SYS_getpid, SYSTR_POLICY_PERMIT }, { SYS_gettimeofday, SYSTR_POLICY_PERMIT }, + { SYS_clock_gettime, SYSTR_POLICY_PERMIT }, { SYS_madvise, SYSTR_POLICY_PERMIT }, { SYS_mmap, SYSTR_POLICY_PERMIT }, { SYS_mprotect, SYSTR_POLICY_PERMIT }, diff --git a/ssh-agent.c b/ssh-agent.c index 0fd9e0bb7..f5e5873ad 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.174 2013/05/31 12:28:10 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.175 2013/06/01 13:15:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -431,7 +431,7 @@ process_remove_all_identities(SocketEntry *e, int version) static time_t reaper(void) { - time_t deadline = 0, now = time(NULL); + time_t deadline = 0, now = monotime(); Identity *id, *nxt; int version; Idtab *tab; @@ -618,7 +618,7 @@ process_add_identity(SocketEntry *e, int version) while (buffer_len(&e->request)) { switch ((type = buffer_get_char(&e->request))) { case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); + death = monotime() + buffer_get_int(&e->request); break; case SSH_AGENT_CONSTRAIN_CONFIRM: confirm = 1; @@ -633,7 +633,7 @@ process_add_identity(SocketEntry *e, int version) } success = 1; if (lifetime && !death) - death = time(NULL) + lifetime; + death = monotime() + lifetime; if ((id = lookup_identity(k, version)) == NULL) { id = xcalloc(1, sizeof(Identity)); id->key = k; @@ -712,7 +712,7 @@ process_add_smartcard_key(SocketEntry *e) while (buffer_len(&e->request)) { switch ((type = buffer_get_char(&e->request))) { case SSH_AGENT_CONSTRAIN_LIFETIME: - death = time(NULL) + buffer_get_int(&e->request); + death = monotime() + buffer_get_int(&e->request); break; case SSH_AGENT_CONSTRAIN_CONFIRM: confirm = 1; @@ -724,7 +724,7 @@ process_add_smartcard_key(SocketEntry *e) } } if (lifetime && !death) - death = time(NULL) + lifetime; + death = monotime() + lifetime; count = pkcs11_add_provider(provider, pin, &keys); for (i = 0; i < count; i++) { -- cgit v1.2.3 From 3750fce6ac6b287f62584ac55a4406df95c71b92 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 07:52:21 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/01 20:59:25 [scp.c sftp-client.c] Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2113. ok deraadt. (note: corrected bug number from 2085) --- ChangeLog | 4 ++++ scp.c | 4 ++-- sftp-client.c | 4 ++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 891db12a6..c64a40468 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,10 @@ Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like keepalives and rekeying will work properly over clock steps. Suggested by markus@, "looks good" djm@. + - dtucker@cvs.openbsd.org 2013/06/01 20:59:25 + [scp.c sftp-client.c] + Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch + from Nathan Osman via bz#2085. ok deraadt. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/scp.c b/scp.c index 32e9d00b2..b75d97bb9 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.173 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.174 2013/06/01 20:59:25 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -1066,7 +1066,7 @@ sink(int argc, char **argv) continue; } omode = mode; - mode |= S_IWRITE; + mode |= S_IWUSR; if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); continue; diff --git a/sftp-client.c b/sftp-client.c index 038e1c347..fc60dd80d 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.98 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.99 2013/06/01 20:59:25 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1051,7 +1051,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, } local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, - mode | S_IWRITE); + mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); -- cgit v1.2.3 From 12f6533215c0a36ab29d11ff52a853fce45573b4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 08:01:24 +1000 Subject: Remove stray '+' accidentally introduced in sync --- auth1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth1.c b/auth1.c index 3518fb1c6..f1ac59814 100644 --- a/auth1.c +++ b/auth1.c @@ -57,7 +57,7 @@ struct AuthMethod1 { int type; char *name; int *enabled; -+ int (*method)(Authctxt *); + int (*method)(Authctxt *); }; const struct AuthMethod1 auth1_methods[] = { -- cgit v1.2.3 From f60845fde29cead9d75e812db1c04916b4c58ffd Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 08:07:31 +1000 Subject: - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c openbsd-compat/port-linux.c] Replace portable-specific instances of xfree with the equivalent calls to free. --- ChangeLog | 6 +++++ auth-chall.c | 10 ++++---- auth-krb5.c | 3 +-- auth-pam.c | 44 ++++++++++++++++-------------------- cipher-aes.c | 2 +- cipher-ctr.c | 2 +- groupaccess.c | 4 ++-- loginrec.c | 2 +- monitor.c | 20 ++++++++-------- monitor_wrap.c | 4 ++-- openbsd-compat/bsd-cygwin_util.c | 2 +- openbsd-compat/getrrsetbyname-ldns.c | 1 - openbsd-compat/port-aix.c | 10 ++++---- openbsd-compat/port-linux.c | 12 ++++------ session.c | 8 +++---- sshd.c | 2 +- sshlogin.c | 2 +- uidswap.c | 6 ++--- 18 files changed, 66 insertions(+), 74 deletions(-) diff --git a/ChangeLog b/ChangeLog index c64a40468..7f4323e07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,12 @@ [scp.c sftp-client.c] Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2085. ok deraadt. + - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c + groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c + sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c + openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c + openbsd-compat/port-linux.c] Replace portable-specific instances of xfree + with the equivalent calls to free. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/auth-chall.c b/auth-chall.c index bfc51eae6..0005aa88b 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response) authenticated = 1; for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); + free(prompts[i]); + free(prompts); + free(name); + free(echo_on); + free(info); break; } device->free_ctx(authctxt->kbdintctxt); diff --git a/auth-krb5.c b/auth-krb5.c index 922c66c66..ff1462ad1 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -181,8 +181,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) out: restore_uid(); - if (platform_client != NULL) - xfree(platform_client); + free(platform_client); if (problem) { if (ccache) diff --git a/auth-pam.c b/auth-pam.c index 675006e6f..d51318b3a 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); buffer_free(&buffer); return (PAM_CONV_ERR); } @@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } @@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt) /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); - xfree(ctxt); + free(ctxt); return (NULL); } ctxt->pam_psock = socks[0]; @@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt) strerror(errno)); close(socks[0]); close(socks[1]); - xfree(ctxt); + free(ctxt); return (NULL); } cleanup_ctxt = ctxt; @@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info, strlcpy(**prompts + plen, msg, len - plen); plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); - xfree(msg); + free(msg); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: @@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info, plen += mlen; strlcat(**prompts + plen, "\n", len - plen); plen++; - xfree(msg); + free(msg); break; case PAM_ACCT_EXPIRED: sshpam_account_status = 0; @@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; ctxt->pam_done = -1; - xfree(msg); + free(msg); return 0; } /* FALLTHROUGH */ @@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info, debug("PAM: %s", **prompts); buffer_append(&loginmsg, **prompts, strlen(**prompts)); - xfree(**prompts); + free(**prompts); **prompts = NULL; } if (type == PAM_SUCCESS) { @@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info, *num = 0; **echo_on = 0; ctxt->pam_done = 1; - xfree(msg); + free(msg); return (0); } error("PAM: %s for %s%.100s from %.100s", msg, @@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info, default: *num = 0; **echo_on = 0; - xfree(msg); + free(msg); ctxt->pam_done = -1; return (-1); } @@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp) debug3("PAM: %s entering", __func__); sshpam_thread_cleanup(); - xfree(ctxt); + free(ctxt); /* * We don't call sshpam_cleanup() here because we may need the PAM * handle at a later stage, e.g. when setting up a session. It's @@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } @@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value) snprintf(compound, len, "%s=%s", name, value); ret = pam_putenv(sshpam_handle, compound); - xfree(compound); + free(compound); #endif return (ret); @@ -1108,8 +1105,8 @@ free_pam_environment(char **env) return; for (envp = env; *envp; envp++) - xfree(*envp); - xfree(env); + free(*envp); + free(env); } /* @@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, fail: for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); + free(reply[i].resp); } - xfree(reply); + free(reply); return (PAM_CONV_ERR); } diff --git a/cipher-aes.c b/cipher-aes.c index 07ec7aa5d..8b1017272 100644 --- a/cipher-aes.c +++ b/cipher-aes.c @@ -120,7 +120,7 @@ ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/cipher-ctr.c b/cipher-ctr.c index d1fe69f57..ea0f9b3b7 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -104,7 +104,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); } return (1); diff --git a/groupaccess.c b/groupaccess.c index 020deace7..1eab10b19 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -69,7 +69,7 @@ ga_init(const char *user, gid_t base) for (i = 0, j = 0; i < ngroups; i++) if ((gr = getgrgid(groups_bygid[i])) != NULL) groups_byname[j++] = xstrdup(gr->gr_name); - xfree(groups_bygid); + free(groups_bygid); return (ngroups = j); } @@ -125,6 +125,6 @@ ga_free(void) for (i = 0; i < ngroups; i++) free(groups_byname[i]); ngroups = 0; - xfree(groups_byname); + free(groups_byname); } } diff --git a/loginrec.c b/loginrec.c index f9662fa5c..59e8a44ee 100644 --- a/loginrec.c +++ b/loginrec.c @@ -347,7 +347,7 @@ logininfo *login_alloc_entry(pid_t pid, const char *username, void login_free_entry(struct logininfo *li) { - xfree(li); + free(li); } diff --git a/monitor.c b/monitor.c index 6acb20259..7286126f5 100644 --- a/monitor.c +++ b/monitor.c @@ -988,7 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *m) skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); - xfree(response); + free(response); buffer_clear(m); buffer_put_int(m, authok); @@ -1073,19 +1073,17 @@ mm_answer_pam_query(int sock, Buffer *m) buffer_clear(m); buffer_put_int(m, ret); buffer_put_cstring(m, name); - xfree(name); + free(name); buffer_put_cstring(m, info); - xfree(info); + free(info); buffer_put_int(m, num); for (i = 0; i < num; ++i) { buffer_put_cstring(m, prompts[i]); - xfree(prompts[i]); + free(prompts[i]); buffer_put_int(m, echo_on[i]); } - if (prompts != NULL) - xfree(prompts); - if (echo_on != NULL) - xfree(echo_on); + free(prompts); + free(echo_on); auth_method = "keyboard-interactive"; auth_submethod = "pam"; mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); @@ -1108,8 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *m) resp[i] = buffer_get_string(m, NULL); ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); for (i = 0; i < num; ++i) - xfree(resp[i]); - xfree(resp); + free(resp[i]); + free(resp); } else { ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); } @@ -1764,7 +1762,7 @@ mm_answer_audit_command(int socket, Buffer *m) cmd = buffer_get_string(m, &len); /* sanity check command, if so how? */ audit_run_command(cmd); - xfree(cmd); + free(cmd); return (0); } #endif /* SSH_AUDIT_EVENTS */ diff --git a/monitor_wrap.c b/monitor_wrap.c index b1870fcba..88ff68330 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -805,7 +805,7 @@ mm_do_pam_account(void) ret = buffer_get_int(&m); msg = buffer_get_string(&m, NULL); buffer_append(&loginmsg, msg, strlen(msg)); - xfree(msg); + free(msg); buffer_free(&m); @@ -1035,7 +1035,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt, mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); - xfree(challenge); + free(challenge); return (0); } diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index d3d2d913a..267e77a11 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -97,7 +97,7 @@ fetch_windows_environment(void) void free_windows_environment(char **p) { - xfree(p); + free(p); } #endif /* HAVE_CYGWIN */ diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c index 19666346b..343720f10 100644 --- a/openbsd-compat/getrrsetbyname-ldns.c +++ b/openbsd-compat/getrrsetbyname-ldns.c @@ -58,7 +58,6 @@ #define malloc(x) (xmalloc(x)) #define calloc(x, y) (xcalloc((x),(y))) -#define free(x) (xfree(x)) int getrrsetbyname(const char *hostname, unsigned int rdclass, diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 0bdefbf6d..8da367d48 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -86,7 +86,7 @@ aix_usrinfo(struct passwd *pw) fatal("Couldn't set usrinfo: %s", strerror(errno)); debug3("AIX/UsrInfo: set len %d", i); - xfree(cp); + free(cp); } # ifdef WITH_AIXAUTHENTICATE @@ -215,16 +215,14 @@ sys_auth_passwd(Authctxt *ctxt, const char *password) default: /* user can't change(2) or other error (-1) */ logit("Password can't be changed for user %s: %.100s", name, msg); - if (msg) - xfree(msg); + free(msg); authsuccess = 0; } aix_restoreauthdb(); } - if (authmsg != NULL) - xfree(authmsg); + free(authmsg); return authsuccess; } @@ -269,7 +267,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg) if (!permitted) logit("Login restricted for %s: %.100s", pw->pw_name, msg); - xfree(msg); + free(msg); return permitted; } diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index aba75387c..4637a7a3e 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c @@ -1,4 +1,4 @@ -/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */ +/* $Id: port-linux.c,v 1.18 2013/06/01 22:07:32 dtucker Exp $ */ /* * Copyright (c) 2005 Daniel Walsh @@ -96,10 +96,8 @@ ssh_selinux_getctxbyname(char *pwname) } #ifdef HAVE_GETSEUSERBYNAME - if (sename != NULL) - xfree(sename); - if (lvl != NULL) - xfree(lvl); + free(sename); + free(lvl); #endif return sc; @@ -217,8 +215,8 @@ ssh_selinux_change_context(const char *newname) if (setcon(newctx) < 0) switchlog("%s: setcon %s from %s failed with %s", __func__, newctx, oldctx, strerror(errno)); - xfree(oldctx); - xfree(newctx); + free(oldctx); + free(newctx); } void diff --git a/session.c b/session.c index f47cc1788..1424825ca 100644 --- a/session.c +++ b/session.c @@ -1092,8 +1092,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) umask((mode_t)mask); for (i = 0; tmpenv[i] != NULL; i++) - xfree(tmpenv[i]); - xfree(tmpenv); + free(tmpenv[i]); + free(tmpenv); } #endif /* HAVE_ETC_DEFAULT_LOGIN */ @@ -1109,7 +1109,7 @@ copy_environment(char **source, char ***env, u_int *envsize) for(i = 0; source[i] != NULL; i++) { var_name = xstrdup(source[i]); if ((var_val = strstr(var_name, "=")) == NULL) { - xfree(var_name); + free(var_name); continue; } *var_val++ = '\0'; @@ -1117,7 +1117,7 @@ copy_environment(char **source, char ***env, u_int *envsize) debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); - xfree(var_name); + free(var_name); } } diff --git a/sshd.c b/sshd.c index 069e95ff9..c0ba420a3 100644 --- a/sshd.c +++ b/sshd.c @@ -1616,7 +1616,7 @@ main(int ac, char **av) } else { memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); privsep_pw = pwcopy(privsep_pw); - xfree(privsep_pw->pw_passwd); + free(privsep_pw->pw_passwd); privsep_pw->pw_passwd = xstrdup("*"); } endpwent(); diff --git a/sshlogin.c b/sshlogin.c index 54629f747..2688d8d7b 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -97,7 +97,7 @@ store_lastlog_message(const char *user, uid_t uid) time_string = sys_auth_get_lastlogin_msg(user, uid); if (time_string != NULL) { buffer_append(&loginmsg, time_string, strlen(time_string)); - xfree(time_string); + free(time_string); } # else last_login_time = get_last_login_time(uid, user, hostname, diff --git a/uidswap.c b/uidswap.c index cdd7309e3..26d17f93a 100644 --- a/uidswap.c +++ b/uidswap.c @@ -90,8 +90,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(saved_egroupslen, saved_egroups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* saved_egroupslen == 0 */ - if (saved_egroups != NULL) - xfree(saved_egroups); + free(saved_egroups); } /* set and save the user's groups */ @@ -109,8 +108,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(user_groupslen, user_groups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* user_groupslen == 0 */ - if (user_groups) - xfree(user_groups); + free(user_groups); } } /* Set the effective uid to the given (unprivileged) uid. */ -- cgit v1.2.3 From a710891659202c82545e84725d4e5cd77aef567c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 08:18:31 +1000 Subject: - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall back to time(NULL) if we can't find it anywhere. --- ChangeLog | 2 ++ configure.ac | 7 +++++-- misc.c | 4 ++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f4323e07..50ce1b736 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,8 @@ openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c openbsd-compat/port-linux.c] Replace portable-specific instances of xfree with the equivalent calls to free. + - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall + back to time(NULL) if we can't find it anywhere. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/configure.ac b/configure.ac index d35a19bcc..1b64d11ae 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.527 2013/06/01 21:18:48 dtucker Exp $ +# $Id: configure.ac,v 1.528 2013/06/01 22:18:32 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.527 $) +AC_REVISION($Revision: 1.528 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -1648,6 +1648,9 @@ const char *gai_strerror(int); AC_SEARCH_LIBS([nanosleep], [rt posix4], [AC_DEFINE([HAVE_NANOSLEEP], [1], [Some systems put nanosleep outside of libc])]) +AC_SEARCH_LIBS([clock_gettime], [rt], + [AC_DEFINE([HAVE_CLOCK_GETTIME], [1], [Have clock_gettime])]) + dnl Make sure prototypes are defined for these before using them. AC_CHECK_DECL([getrusage], [AC_CHECK_FUNCS([getrusage])]) AC_CHECK_DECL([strsep], diff --git a/misc.c b/misc.c index cd45e9ecc..fd745444e 100644 --- a/misc.c +++ b/misc.c @@ -857,12 +857,16 @@ ms_to_timeval(struct timeval *tv, int ms) time_t monotime(void) { +#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC) struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) fatal("clock_gettime: %s", strerror(errno)); return (ts.tv_sec); +#else + return time(NULL); +#endif } void -- cgit v1.2.3 From c9a1991b95a4c9f04f9dcef299a8110d2ec80d3e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 08:37:05 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/01 22:34:50 [sftp-client.c] Update progressmeter when data is acked, not when it's sent. bz#2108, from Debian via Colin Watson, ok djm@ --- ChangeLog | 4 ++++ sftp-client.c | 10 ++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 50ce1b736..cfb38233d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,10 @@ [scp.c sftp-client.c] Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2085. ok deraadt. + - dtucker@cvs.openbsd.org 2013/06/01 22:34:50 + [sftp-client.c] + Update progressmeter when data is acked, not when it's sent. bz#2108, from + Debian via Colin Watson, ok djm@ - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c diff --git a/sftp-client.c b/sftp-client.c index fc60dd80d..ab035c713 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.99 2013/06/01 20:59:25 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.100 2013/06/01 22:34:50 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1340,7 +1340,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, int local_fd; int status = SSH2_FX_OK; u_int handle_len, id, type; - off_t offset; + off_t offset, progress_counter; char *handle, *data; Buffer msg; struct stat sb; @@ -1408,9 +1408,10 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, data = xmalloc(conn->transfer_buflen); /* Read from local and write to remote */ - offset = 0; + offset = progress_counter = 0; if (showprogress) - start_progress_meter(local_path, sb.st_size, &offset); + start_progress_meter(local_path, sb.st_size, + &progress_counter); for (;;) { int len; @@ -1481,6 +1482,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, debug3("In write loop, ack for %u %u bytes at %lld", ack->id, ack->len, (long long)ack->offset); ++ackid; + progress_counter += ack->len; free(ack); } offset += len; -- cgit v1.2.3 From 65cf74079a2d563c4ede649116a13ca78c8cc2a4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 09:11:19 +1000 Subject: fix typo --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cfb38233d..3d0129841 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to - using openssl's DES_crpyt function on platorms that don't have a native + using openssl's DES_crypt function on platorms that don't have a native one, eg Android. Based on a patch from Nathan Osman. - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS rather than trying to enumerate the plaforms that don't have them. -- cgit v1.2.3 From e9887d1c37940b9d6c72d55cfad7a40de4c6e28d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 09:17:09 +1000 Subject: - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday. --- ChangeLog | 1 + sandbox-seccomp-filter.c | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 3d0129841..1ec48c237 100644 --- a/ChangeLog +++ b/ChangeLog @@ -60,6 +60,7 @@ with the equivalent calls to free. - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall back to time(NULL) if we can't find it anywhere. + - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday. 20130529 - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index e12418399..cc1465305 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -91,6 +91,7 @@ static const struct sock_filter preauth_insns[] = { SC_DENY(open, EACCES), SC_ALLOW(getpid), SC_ALLOW(gettimeofday), + SC_ALLOW(clock_gettime), #ifdef __NR_time /* not defined on EABI ARM */ SC_ALLOW(time), #endif -- cgit v1.2.3 From 86211d1738695e63b2a68f0c3a4f60e1a9d9bda3 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Sat, 1 Jun 2013 18:38:23 -0700 Subject: 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy linking regress/modpipe. --- ChangeLog | 4 ++++ Makefile.in | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1ec48c237..058579f54 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130602 + - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy + linking regress/modpipe. + 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to using openssl's DES_crypt function on platorms that don't have a native diff --git a/Makefile.in b/Makefile.in index 62bacd6fc..438baaca6 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.337 2013/03/22 17:14:33 tim Exp $ +# $Id: Makefile.in,v 1.338 2013/06/02 01:38:23 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -386,7 +386,7 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile $(CC) $(CPPFLAGS) -o $@ $? \ - $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ -- cgit v1.2.3 From 00e1abb1ebe13ab24e812f68715f46e65e7c5271 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 23:46:24 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 [progressmeter.c] Add misc.h for monotime prototype. (id sync only) --- ChangeLog | 4 ++++ progressmeter.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 058579f54..0a66555b9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy linking regress/modpipe. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 + [progressmeter.c] + Add misc.h for monotime prototype. (ID sync only). 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/progressmeter.c b/progressmeter.c index 0e570e41a..332bd3c99 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.38 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.39 2013/06/02 13:33:05 dtucker Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * -- cgit v1.2.3 From 073f795bc1c7728c320e5982c0d417376b0907f5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 Jun 2013 23:47:11 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 [ssh-agent.c] Make parent_alive_interval time_t to avoid signed/unsigned comparison --- ChangeLog | 3 +++ ssh-agent.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0a66555b9..03a2e3ad2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ - dtucker@cvs.openbsd.org 2013/06/02 13:33:05 [progressmeter.c] Add misc.h for monotime prototype. (ID sync only). + - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 + [ssh-agent.c] + Make parent_alive_interval time_t to avoid signed/unsigned comparison 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/ssh-agent.c b/ssh-agent.c index f5e5873ad..27df4f475 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.175 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.176 2013/06/02 13:35:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -122,7 +122,7 @@ int max_fd = 0; /* pid of shell == parent of agent */ pid_t parent_pid = -1; -u_int parent_alive_interval = 0; +time_t parent_alive_interval = 0; /* pathname and directory for AUTH_SOCKET */ char socket_name[MAXPATHLEN]; -- cgit v1.2.3 From ef4901c3eb98c7ab1342c3cd8f2638da1f4b0678 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Jun 2013 01:59:13 +1000 Subject: - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms to prevent noise from configure. Patch from Nathan Osman. --- ChangeLog | 2 ++ configure.ac | 10 +++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 03a2e3ad2..aaba117bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ - dtucker@cvs.openbsd.org 2013/06/02 13:35:58 [ssh-agent.c] Make parent_alive_interval time_t to avoid signed/unsigned comparison + - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms + to prevent noise from configure. Patch from Nathan Osman. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index 1b64d11ae..135242721 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.528 2013/06/01 22:18:32 dtucker Exp $ +# $Id: configure.ac,v 1.529 2013/06/02 15:59:13 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.528 $) +AC_REVISION($Revision: 1.529 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -348,7 +348,6 @@ AC_CHECK_HEADERS([ \ sys/sysmacros.h \ sys/time.h \ sys/timers.h \ - sys/un.h \ time.h \ tmpdir.h \ ttyent.h \ @@ -386,6 +385,11 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [ #include ]) +# Android requires sys/socket.h to be included before sys/un.h +AC_CHECK_HEADERS([sys/un.h], [], [], [ +#include +]) + # Messages for features tested for in target-specific section SIA_MSG="no" SPC_MSG="no" -- cgit v1.2.3 From 898ac935e56a7ac5d8b686c590fdb8b7aca27e59 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Jun 2013 02:03:25 +1000 Subject: - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. Patch from Nathan Osman. --- ChangeLog | 4 +++- configure.ac | 8 ++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index aaba117bf..329560a68 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,7 +9,9 @@ [ssh-agent.c] Make parent_alive_interval time_t to avoid signed/unsigned comparison - (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms - to prevent noise from configure. Patch from Nathan Osman. + to prevent noise from configure. Patch from Nathan Osman. (bz#2114). + - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. + Patch from Nathan Osman. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index 135242721..d6c57864c 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.529 2013/06/02 15:59:13 dtucker Exp $ +# $Id: configure.ac,v 1.530 2013/06/02 16:03:26 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.529 $) +AC_REVISION($Revision: 1.530 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -491,6 +491,10 @@ case "$host" in AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) AC_DEFINE([PLATFORM_SYS_DIR_UID], 2, [System dirs owned by bin (uid 2)]) ;; +*-*-android*) + AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp]) + AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp]) + ;; *-*-cygwin*) check_for_libcrypt_later=1 LIBS="$LIBS /usr/lib/textreadmode.o" -- cgit v1.2.3 From 5ab9b63468100757479534edeb53f788a61fe08b Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Sun, 2 Jun 2013 14:05:48 -0700 Subject: - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we need a shell that can handle "[ file1 -nt file2 ]". Rather than keep dealing with shell portability issues in regression tests, we let configure find us a capable shell on those platforms with an old /bin/sh. --- ChangeLog | 4 ++++ configure.ac | 10 ++++++---- regress/Makefile | 4 ++-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 329560a68..ccbb790b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,10 @@ to prevent noise from configure. Patch from Nathan Osman. (bz#2114). - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android. Patch from Nathan Osman. + - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we + need a shell that can handle "[ file1 -nt file2 ]". Rather than keep + dealing with shell portability issues in regression tests, we let + configure find us a capable shell on those platforms with an old /bin/sh. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index d6c57864c..b8a610d5c 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.530 2013/06/02 16:03:26 dtucker Exp $ +# $Id: configure.ac,v 1.531 2013/06/02 21:05:49 tim Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.530 $) +AC_REVISION($Revision: 1.531 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -812,6 +812,7 @@ mips-sony-bsd|mips-sony-newsos4) SP_MSG="yes" ], ) ], ) + TEST_SHELL=$SHELL # let configure find us a capable shell ;; *-*-sunos4*) CPPFLAGS="$CPPFLAGS -DSUNOS4" @@ -855,6 +856,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SETREGID]) AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd]) AC_DEFINE([LOCKED_PASSWD_STRING], ["*LK*"]) + TEST_SHELL=$SHELL # let configure find us a capable shell ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) @@ -866,10 +868,10 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([BROKEN_SETREUID]) AC_DEFINE([BROKEN_SETREGID]) AC_DEFINE([PASSWD_NEEDS_USERNAME]) + TEST_SHELL=$SHELL # let configure find us a capable shell case "$host" in *-*-sysv5SCO_SV*) # SCO OpenServer 6.x maildir=/var/spool/mail - TEST_SHELL=/u95/bin/sh AC_DEFINE([BROKEN_LIBIAF], [1], [ia_uinfo routines not supported by OS yet]) AC_DEFINE([BROKEN_UPDWTMPX]) @@ -910,7 +912,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([PASSWD_NEEDS_USERNAME]) AC_CHECK_FUNCS([getluid setluid]) MANTYPE=man - TEST_SHELL=ksh + TEST_SHELL=$SHELL # let configure find us a capable shell SKIP_DISABLE_LASTLOG_DEFINE=yes ;; *-*-unicosmk*) diff --git a/regress/Makefile b/regress/Makefile index b19c7ae22..ab2a6ae7b 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -155,14 +155,14 @@ t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ - (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done t-exec-interop: ${INTEROP_TESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ echo "run test $${TEST}" ... 1>&2; \ - (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ done # Not run by default -- cgit v1.2.3 From 01ec0af301f60fefdd0079647f13ef9abadd2db5 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Sun, 2 Jun 2013 14:31:27 -0700 Subject: - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. feedback and ok dtucker --- ChangeLog | 2 ++ aclocal.m4 | 13 ++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ccbb790b4..80f0fb4ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,8 @@ need a shell that can handle "[ file1 -nt file2 ]". Rather than keep dealing with shell portability issues in regression tests, we let configure find us a capable shell on those platforms with an old /bin/sh. + - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. + feedback and ok dtucker 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/aclocal.m4 b/aclocal.m4 index 9bdea5ec2..1b3bed790 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $ +dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $ dnl dnl OpenSSH-specific autoconf macros dnl @@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ _define_flag="$2" test "x$_define_flag" = "x" && _define_flag="$1" AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], - [ AC_MSG_RESULT([yes]) - CFLAGS="$saved_CFLAGS $_define_flag"], + [ +if `grep -i "unrecognized option" conftest.err >/dev/null` +then + AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" +else + AC_MSG_RESULT([yes]) + CFLAGS="$saved_CFLAGS $_define_flag" +fi], [ AC_MSG_RESULT([no]) CFLAGS="$saved_CFLAGS" ] ) -- cgit v1.2.3 From 3f3064c82238c486706471d300217d73dd0f125e Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Sun, 2 Jun 2013 15:13:09 -0700 Subject: - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker --- ChangeLog | 1 + regress/sftp-chroot.sh | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 80f0fb4ee..4345d9956 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,7 @@ configure find us a capable shell on those platforms with an old /bin/sh. - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. feedback and ok dtucker + - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index 98a364ebf..03b9bc6d7 100644 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh @@ -8,7 +8,8 @@ FILENAME=testdata_${USER} PRIVDATA=${CHROOT}/${FILENAME} if [ -z "$SUDO" ]; then - fatal "need SUDO to create file in /var/run, test won't work without" + echo "skipped: need SUDO to create file in /var/run, test won't work without" + exit 0 fi $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ -- cgit v1.2.3 From 0b43ffe143a5843703c3755fa040b8684fb04134 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Jun 2013 09:30:44 +1000 Subject: - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. --- ChangeLog | 1 + configure.ac | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4345d9956..4b1536bfa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,7 @@ - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr. feedback and ok dtucker - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker + - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index b8a610d5c..6f82c3fbf 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.531 2013/06/02 21:05:49 tim Exp $ +# $Id: configure.ac,v 1.532 2013/06/02 23:30:45 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.531 $) +AC_REVISION($Revision: 1.532 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -388,6 +388,7 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [ # Android requires sys/socket.h to be included before sys/un.h AC_CHECK_HEADERS([sys/un.h], [], [], [ #include +#include ]) # Messages for features tested for in target-specific section -- cgit v1.2.3 From 16cac190ebb9b5612cccea63a7c22ac33bc9a07a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 4 Jun 2013 12:55:24 +1000 Subject: - (dtucker) [configure.ac] Some other platforms need sys/types.h before sys/socket.h. --- ChangeLog | 2 ++ configure.ac | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4b1536bfa..555fede35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,8 @@ feedback and ok dtucker - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h. + - (dtucker) [configure.ac] Some other platforms need sys/types.h before + sys/socket.h. 20130601 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to diff --git a/configure.ac b/configure.ac index 6f82c3fbf..2cd910cf9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.532 2013/06/02 23:30:45 dtucker Exp $ +# $Id: configure.ac,v 1.533 2013/06/04 02:55:24 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.532 $) +AC_REVISION($Revision: 1.533 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -387,8 +387,8 @@ AC_CHECK_HEADERS([sys/mount.h], [], [], [ # Android requires sys/socket.h to be included before sys/un.h AC_CHECK_HEADERS([sys/un.h], [], [], [ -#include #include +#include ]) # Messages for features tested for in target-specific section -- cgit v1.2.3 From 2ea9eb77a7fcab3190564ef5a6a5377a600aa391 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 5 Jun 2013 15:04:00 +1000 Subject: - (dtucker) Enable sha256 kex methods based on the presence of the necessary functions, not from the openssl version. --- ChangeLog | 4 ++++ myproposal.h | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 555fede35..ad5b66a78 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130605 + - (dtucker) Enable sha256 kex methods based on the presence of the necessary + functions, not from the openssl version. + 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy linking regress/modpipe. diff --git a/myproposal.h b/myproposal.h index 99d093461..f13c74850 100644 --- a/myproposal.h +++ b/myproposal.h @@ -46,7 +46,7 @@ #endif /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ -#if OPENSSL_VERSION_NUMBER >= 0x00907000L +#ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," #else -- cgit v1.2.3 From b4e00949f01176cd4fae3e0cef5ffa8dea379042 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 5 Jun 2013 22:48:44 +1000 Subject: - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. Patch from cjwatson at debian. --- ChangeLog | 6 ++++-- contrib/ssh-copy-id | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ad5b66a78..00c74c3e5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20130605 - - (dtucker) Enable sha256 kex methods based on the presence of the necessary - functions, not from the openssl version. + - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of + the necessary functions, not from the openssl version. + - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. + Patch from cjwatson at debian. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 9f2817b6b..ae88e9958 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -165,7 +165,7 @@ done eval set -- "$SAVEARGS" -if [ $# == 0 ] ; then +if [ $# = 0 ] ; then usage fi if [ $# != 1 ] ; then -- cgit v1.2.3 From 2a22873cd869679415104bc9f6bb154811ee604c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 01:59:13 +1000 Subject: - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the forwarding test is extremely slow copying data on some machines so switch back to copying the much smaller ls binary until we can figure out why this is. --- ChangeLog | 4 ++++ regress/forwarding.sh | 2 ++ 2 files changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 00c74c3e5..e64bf0e75 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ the necessary functions, not from the openssl version. - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test. Patch from cjwatson at debian. + - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the + forwarding test is extremely slow copying data on some machines so switch + back to copying the much smaller ls binary until we can figure out why + this is. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 2ba140fee..1c408603c 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -3,6 +3,8 @@ tid="local and remote forwarding" +DATA=/bin/ls${EXEEXT} + start_sshd base=33 -- cgit v1.2.3 From dc62edbf121c41e8b5270904091039450206d98a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 05:12:35 +1000 Subject: - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building modpipe in case there's anything in there we need. --- ChangeLog | 2 ++ Makefile.in | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e64bf0e75..6509548bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ forwarding test is extremely slow copying data on some machines so switch back to copying the much smaller ls binary until we can figure out why this is. + - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building + modpipe in case there's anything in there we need. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/Makefile.in b/Makefile.in index 438baaca6..d6f6a7924 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.338 2013/06/02 01:38:23 tim Exp $ +# $Id: Makefile.in,v 1.339 2013/06/05 19:12:35 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -385,7 +385,7 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c [ -d `pwd`/regress ] || mkdir -p `pwd`/regress [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile - $(CC) $(CPPFLAGS) -o $@ $? \ + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) -- cgit v1.2.3 From 5d12b8f05d79ba89d0807910a664fa80f6f3bf8c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:09:10 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 [channels.h] typo in comment --- ChangeLog | 4 ++++ channels.h | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6509548bc..588fcf6d3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ this is. - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building modpipe in case there's anything in there we need. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 + [channels.h] + typo in comment 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/channels.h b/channels.h index d75b800f7..a11b6227b 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.112 2013/06/02 21:01:51 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -110,7 +110,7 @@ struct Channel { * channels are delayed until the first call * to a matching pre-select handler. * this way post-select handlers are not - * accidenly called if a FD gets reused */ + * accidentally called if a FD gets reused */ Buffer input; /* data read from socket, to be sent over * encrypted connection */ Buffer output; /* data received over encrypted connection for -- cgit v1.2.3 From ea8342c248ad6c0a4fe1a70de133f954973bd2b2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:11:40 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/02 23:36:29 [clientloop.h clientloop.c mux.c] No need for the mux cleanup callback to be visible so restore it to static and call it through the detach_user function pointer. ok djm@ --- ChangeLog | 4 ++++ clientloop.c | 6 +++--- clientloop.h | 3 +-- mux.c | 4 ++-- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 588fcf6d3..40b15c144 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ - dtucker@cvs.openbsd.org 2013/06/02 21:01:51 [channels.h] typo in comment + - dtucker@cvs.openbsd.org 2013/06/02 23:36:29 + [clientloop.h clientloop.c mux.c] + No need for the mux cleanup callback to be visible so restore it to static + and call it through the detach_user function pointer. ok djm@ 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/clientloop.c b/clientloop.c index 4b071eb91..6a2963583 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.251 2013/06/01 13:15:51 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.252 2013/06/02 23:36:29 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1109,8 +1109,8 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, if (c && c->ctl_chan != -1) { chan_read_failed(c); chan_write_failed(c); - mux_master_session_cleanup_cb(c->self, - NULL); + if (c->detach_user) + c->detach_user(c->self, NULL); return 0; } else quit_pending = 1; diff --git a/clientloop.h b/clientloop.h index d2baa0324..338d45186 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */ +/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -76,5 +76,4 @@ void muxserver_listen(void); void muxclient(const char *); void mux_exit_message(Channel *, int); void mux_tty_alloc_failed(Channel *); -void mux_master_session_cleanup_cb(int, void *); diff --git a/mux.c b/mux.c index 6c55db981..31566be21 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.41 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.42 2013/06/02 23:36:29 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -184,7 +184,7 @@ static const struct { /* Cleanup callback fired on closure of mux slave _session_ channel */ /* ARGSUSED */ -void +static void mux_master_session_cleanup_cb(int cid, void *unused) { Channel *cc, *c = channel_by_id(cid); -- cgit v1.2.3 From 4ac66af091cf6db5a42c18e43738ca9c41e338e5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:12:37 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/03 00:03:18 [mac.c] force the MAC output to be 64-bit aligned so umac won't see unaligned accesses on strict-alignment architectures. bz#2101, patch from tomas.kuthan at oracle.com, ok djm@ --- ChangeLog | 5 +++++ mac.c | 19 +++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40b15c144..5aa24bd4e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,11 @@ [clientloop.h clientloop.c mux.c] No need for the mux cleanup callback to be visible so restore it to static and call it through the detach_user function pointer. ok djm@ + - dtucker@cvs.openbsd.org 2013/06/03 00:03:18 + [mac.c] + force the MAC output to be 64-bit aligned so umac won't see unaligned + accesses on strict-alignment architectures. bz#2101, patch from + tomas.kuthan at oracle.com, ok djm@ 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/mac.c b/mac.c index 907e19781..c4dfb501d 100644 --- a/mac.c +++ b/mac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.23 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: mac.c,v 1.24 2013/06/03 00:03:18 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -174,12 +174,15 @@ mac_init(Mac *mac) u_char * mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) { - static u_char m[EVP_MAX_MD_SIZE]; + static union { + u_char m[EVP_MAX_MD_SIZE]; + u_int64_t for_align; + } u; u_char b[4], nonce[8]; - if (mac->mac_len > sizeof(m)) + if (mac->mac_len > sizeof(u)) fatal("mac_compute: mac too long %u %lu", - mac->mac_len, (u_long)sizeof(m)); + mac->mac_len, (u_long)sizeof(u)); switch (mac->type) { case SSH_EVP: @@ -188,22 +191,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) HMAC_Init(&mac->evp_ctx, NULL, 0, NULL); HMAC_Update(&mac->evp_ctx, b, sizeof(b)); HMAC_Update(&mac->evp_ctx, data, datalen); - HMAC_Final(&mac->evp_ctx, m, NULL); + HMAC_Final(&mac->evp_ctx, u.m, NULL); break; case SSH_UMAC: put_u64(nonce, seqno); umac_update(mac->umac_ctx, data, datalen); - umac_final(mac->umac_ctx, m, nonce); + umac_final(mac->umac_ctx, u.m, nonce); break; case SSH_UMAC128: put_u64(nonce, seqno); umac128_update(mac->umac_ctx, data, datalen); - umac128_final(mac->umac_ctx, m, nonce); + umac128_final(mac->umac_ctx, u.m, nonce); break; default: fatal("mac_compute: unknown MAC type"); } - return (m); + return (u.m); } void -- cgit v1.2.3 From 194454d7a8f8cb8ac55f2b9d0199ef9445788bee Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:16:04 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 [scp.c] use MAXPATHLEN for buffer size instead of fixed value. ok markus --- ChangeLog | 3 +++ scp.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5aa24bd4e..0e9c26755 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ force the MAC output to be 64-bit aligned so umac won't see unaligned accesses on strict-alignment architectures. bz#2101, patch from tomas.kuthan at oracle.com, ok djm@ + - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 + [scp.c] + use MAXPATHLEN for buffer size instead of fixed value. ok markus 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/scp.c b/scp.c index b75d97bb9..9b5959d44 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.174 2013/06/01 20:59:25 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.175 2013/06/04 19:12:23 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -850,7 +850,7 @@ rsource(char *name, struct stat *statp) { DIR *dirp; struct dirent *dp; - char *last, *vect[1], path[1100]; + char *last, *vect[1], path[MAXPATHLEN]; if (!(dirp = opendir(name))) { run_err("%s: %s", name, strerror(errno)); -- cgit v1.2.3 From ea64721275a81c4788af36294d94bf4f74012e06 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:19:09 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/04 20:42:36 [sftp.c] Make sftp's libedit interface marginally multibyte aware by building up the quoted string by character instead of by byte. Prevents failures when linked against a libedit built with wide character support (bz#1990). "looks ok" djm --- ChangeLog | 6 ++++++ sftp.c | 16 +++++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0e9c26755..aab923a71 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,12 @@ - dtucker@cvs.openbsd.org 2013/06/04 19:12:23 [scp.c] use MAXPATHLEN for buffer size instead of fixed value. ok markus + - dtucker@cvs.openbsd.org 2013/06/04 20:42:36 + [sftp.c] + Make sftp's libedit interface marginally multibyte aware by building up + the quoted string by character instead of by byte. Prevents failures + when linked against a libedit built with wide character support (bz#1990). + "looks ok" djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/sftp.c b/sftp.c index a723fa643..0c90fd1e4 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.145 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.146 2013/06/04 20:42:36 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -38,6 +38,7 @@ #ifdef HAVE_LIBGEN_H #include #endif +#include #ifdef USE_LIBEDIT #include #else @@ -1701,8 +1702,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, char *file, int remote, int lastarg, char quote, int terminated) { glob_t g; - char *tmp, *tmp2, ins[3]; + char *tmp, *tmp2, ins[8]; u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; + int clen; const LineInfo *lf; /* Glob from "file" location */ @@ -1771,10 +1773,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, tmp2 = tmp + filelen - cesc; len = strlen(tmp2); /* quote argument on way out */ - for (i = 0; i < len; i++) { + for (i = 0; i < len; i += clen) { + if ((clen = mblen(tmp2 + i, len - i)) < 0 || + (size_t)clen > sizeof(ins) - 2) + fatal("invalid multibyte character"); ins[0] = '\\'; - ins[1] = tmp2[i]; - ins[2] = '\0'; + memcpy(ins + 1, tmp2 + i, clen); + ins[clen + 1] = '\0'; switch (tmp2[i]) { case '\'': case '"': @@ -2120,6 +2125,7 @@ main(int argc, char **argv) /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); + setlocale(LC_CTYPE, ""); __progname = ssh_get_progname(argv[0]); memset(&args, '\0', sizeof(args)); -- cgit v1.2.3 From 746e9067bd9b3501876e1c86f38f3c510a12f895 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:20:13 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 02:07:29 [mux.c] fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, ok djm --- ChangeLog | 4 ++++ mux.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aab923a71..70c094e1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,10 @@ the quoted string by character instead of by byte. Prevents failures when linked against a libedit built with wide character support (bz#1990). "looks ok" djm + - dtucker@cvs.openbsd.org 2013/06/05 02:07:29 + [mux.c] + fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, + ok djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/mux.c b/mux.c index 31566be21..314ee8cd2 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.42 2013/06/02 23:36:29 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.43 2013/06/05 02:07:29 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -288,6 +288,7 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) if (name == NULL || value == NULL) { free(name); + free(value); goto malf; } debug2("Unrecognised slave extension \"%s\"", name); @@ -1427,7 +1428,9 @@ mux_client_read_packet(int fd, Buffer *m) buffer_init(&queue); if (mux_client_read(fd, &queue, 4) != 0) { if ((oerrno = errno) == EPIPE) - debug3("%s: read header failed: %s", __func__, strerror(errno)); + debug3("%s: read header failed: %s", __func__, + strerror(errno)); + buffer_free(&queue); errno = oerrno; return -1; } @@ -1435,6 +1438,7 @@ mux_client_read_packet(int fd, Buffer *m) if (mux_client_read(fd, &queue, need) != 0) { oerrno = errno; debug3("%s: read body failed: %s", __func__, strerror(errno)); + buffer_free(&queue); errno = oerrno; return -1; } -- cgit v1.2.3 From 0cca17fa1819d3a0ba06a6db41ab3eaa8d769587 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:21:14 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 02:27:50 [sshd.c] When running sshd -D, close stderr unless we have explicitly requesting logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch so, err, ok dtucker. --- ChangeLog | 5 +++++ sshd.c | 6 ++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 70c094e1c..27f0cfcfa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,11 @@ [mux.c] fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967, ok djm + - dtucker@cvs.openbsd.org 2013/06/05 02:27:50 + [sshd.c] + When running sshd -D, close stderr unless we have explicitly requesting + logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch + so, err, ok dtucker. 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/sshd.c b/sshd.c index c0ba420a3..1306a62a7 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.402 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.403 2013/06/05 02:27:50 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1024,7 +1024,9 @@ server_accept_inetd(int *sock_in, int *sock_out) if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { dup2(fd, STDIN_FILENO); dup2(fd, STDOUT_FILENO); - if (fd > STDOUT_FILENO) + if (!log_stderr) + dup2(fd, STDERR_FILENO); + if (fd > (log_stderr ? STDERR_FILENO : STDOUT_FILENO)) close(fd); } debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); -- cgit v1.2.3 From e52a260f16888ca75390f97de4606943e61785e8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:22:05 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 [sshconnect2.c] Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm --- ChangeLog | 3 +++ sshconnect2.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 27f0cfcfa..43a6e7d16 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ When running sshd -D, close stderr unless we have explicitly requesting logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch so, err, ok dtucker. + - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 + [sshconnect2.c] + Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/sshconnect2.c b/sshconnect2.c index 19ed3459f..70e3cd8c9 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.197 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1322,8 +1322,11 @@ load_identity_file(char *filename, int userprovided) return NULL; } private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); - if (!perm_ok) + if (!perm_ok) { + if (private != NULL) + key_free(private); return NULL; + } if (private == NULL) { if (options.batch_mode) return NULL; @@ -1915,6 +1918,7 @@ authmethod_get(char *authlist) free(name); return current; } + free(name); } } -- cgit v1.2.3 From 408eaf3ab716096f8faf30f091bd54a2c7a17a09 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:22:46 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 [readconf.c] plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm --- ChangeLog | 3 +++ readconf.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 43a6e7d16..90ce8610f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - dtucker@cvs.openbsd.org 2013/06/05 12:52:38 [sshconnect2.c] Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm + - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 + [readconf.c] + plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/readconf.c b/readconf.c index 45cf910fe..7c1c795fe 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.202 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.203 2013/06/05 22:00:28 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -820,6 +820,8 @@ parse_int: else if (opcode == oRemoteForward) add_remote_forward(options, &fwd); } + free(fwd.connect_host); + free(fwd.listen_host); break; case oClearAllForwardings: -- cgit v1.2.3 From ae133d4b31af05bb232d797419f498f3ae7e9f2d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 6 Jun 2013 08:30:20 +1000 Subject: - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for platforms that don't have multibyte character support (specifically, mblen). --- ChangeLog | 3 +++ configure.ac | 6 ++++-- openbsd-compat/openbsd-compat.h | 7 ++++++- sftp.c | 4 +++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 90ce8610f..66e07fc63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ - dtucker@cvs.openbsd.org 2013/06/05 22:00:28 [readconf.c] plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm + - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for + platforms that don't have multibyte character support (specifically, + mblen). 20130602 - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy diff --git a/configure.ac b/configure.ac index 2cd910cf9..bce5d7b17 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.533 2013/06/04 02:55:24 dtucker Exp $ +# $Id: configure.ac,v 1.534 2013/06/05 22:30:21 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.533 $) +AC_REVISION($Revision: 1.534 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -310,6 +310,7 @@ AC_CHECK_HEADERS([ \ ia.h \ iaf.h \ limits.h \ + locale.h \ login.h \ maillock.h \ ndir.h \ @@ -1563,6 +1564,7 @@ AC_CHECK_FUNCS([ \ inet_ntop \ innetgr \ login_getcapbool \ + mblen \ md5_crypt \ memmove \ mkdtemp \ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 3dbf1f244..392fa38dc 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.57 2013/05/16 10:47:32 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.58 2013/06/05 22:30:21 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -207,6 +207,11 @@ unsigned long long strtoull(const char *, char **, int); long long strtonum(const char *, long long, long long, const char **); #endif +/* multibyte character support */ +#ifndef HAVE_MBLEN +# define mblen(x, y) 1 +#endif + #if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF) # include #endif diff --git a/sftp.c b/sftp.c index 0c90fd1e4..f50a4bb6a 100644 --- a/sftp.c +++ b/sftp.c @@ -38,7 +38,9 @@ #ifdef HAVE_LIBGEN_H #include #endif -#include +#ifdef HAVE_LOCALE_H +# include +#endif #ifdef USE_LIBEDIT #include #else -- cgit v1.2.3 From 36187093ea0b2d2240c043417b8949611687e105 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 Jun 2013 13:07:11 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 [channels.c channels.h clientloop.c] Add an "ABANDONED" channel state and use for mux sessions that are disconnected via the ~. escape sequence. Channels in this state will be able to close if the server responds, but do not count as active channels. This means that if you ~. all of the mux clients when using ControlPersist on a broken network, the backgrounded mux master will exit when the Control Persist time expires rather than hanging around indefinitely. bz#1917, also reported and tested by tedu@. ok djm@ markus@. --- ChangeLog | 12 ++++++++++++ channels.c | 8 ++++++-- channels.h | 5 +++-- clientloop.c | 5 ++++- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 66e07fc63..a9a8cbce1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +20130610 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 + [channels.c channels.h clientloop.c] + Add an "ABANDONED" channel state and use for mux sessions that are + disconnected via the ~. escape sequence. Channels in this state will + be able to close if the server responds, but do not count as active channels. + This means that if you ~. all of the mux clients when using ControlPersist + on a broken network, the backgrounded mux master will exit when the + Control Persist time expires rather than hanging around indefinitely. + bz#1917, also reported and tested by tedu@. ok djm@ markus@. + 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of the necessary functions, not from the openssl version. diff --git a/channels.c b/channels.c index d50a4a298..b48e6aebb 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.322 2013/06/01 13:15:51 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.323 2013/06/07 15:37:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -213,6 +213,7 @@ channel_lookup(int id) case SSH_CHANNEL_OPEN: case SSH_CHANNEL_INPUT_DRAINING: case SSH_CHANNEL_OUTPUT_DRAINING: + case SSH_CHANNEL_ABANDONED: return (c); } logit("Non-public channel %d, type %d.", id, c->type); @@ -530,6 +531,7 @@ channel_still_open(void) case SSH_CHANNEL_DYNAMIC: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_ZOMBIE: + case SSH_CHANNEL_ABANDONED: continue; case SSH_CHANNEL_LARVAL: if (!compat20) @@ -575,6 +577,7 @@ channel_find_open(void) case SSH_CHANNEL_OPENING: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_ZOMBIE: + case SSH_CHANNEL_ABANDONED: continue; case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_AUTH_SOCKET: @@ -622,6 +625,7 @@ channel_open_message(void) case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: case SSH_CHANNEL_ZOMBIE: + case SSH_CHANNEL_ABANDONED: case SSH_CHANNEL_MUX_CLIENT: case SSH_CHANNEL_MUX_LISTENER: continue; @@ -2491,7 +2495,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) if (c == NULL) packet_disconnect("Received close confirmation for " "out-of-range channel %d.", id); - if (c->type != SSH_CHANNEL_CLOSED) + if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED) packet_disconnect("Received close confirmation for " "non-closed channel %d (type %d).", id, c->type); channel_free(c); diff --git a/channels.h b/channels.h index a11b6227b..ffd580727 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.112 2013/06/02 21:01:51 dtucker Exp $ */ +/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -55,7 +55,8 @@ #define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */ #define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */ #define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */ -#define SSH_CHANNEL_MAX_TYPE 17 +#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */ +#define SSH_CHANNEL_MAX_TYPE 18 #define CHANNEL_CANCEL_PORT_STATIC -1 diff --git a/clientloop.c b/clientloop.c index 6a2963583..7c1f8abba 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.252 2013/06/02 23:36:29 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1111,6 +1111,9 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, chan_write_failed(c); if (c->detach_user) c->detach_user(c->self, NULL); + c->type = SSH_CHANNEL_ABANDONED; + buffer_clear(&c->input); + chan_ibuf_empty(c); return 0; } else quit_pending = 1; -- cgit v1.2.3 From 6d8bd57448b45b42809da32857d7804444349ee7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 11 Jun 2013 11:26:10 +1000 Subject: - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. --- ChangeLog | 2 ++ Makefile.in | 9 ++++++--- configure.ac | 24 ++++++++++++++++++++---- fixalgorithms | 26 ++++++++++++++++++++++++++ 4 files changed, 54 insertions(+), 7 deletions(-) create mode 100755 fixalgorithms diff --git a/ChangeLog b/ChangeLog index a9a8cbce1..a7ab9a693 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,8 @@ on a broken network, the backgrounded mux master will exit when the Control Persist time expires rather than hanging around indefinitely. bz#1917, also reported and tested by tedu@. ok djm@ markus@. + - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported + algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/Makefile.in b/Makefile.in index d6f6a7924..92c95a928 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.339 2013/06/05 19:12:35 dtucker Exp $ +# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -121,6 +121,8 @@ PATHSUBS = \ -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' FIXPATHSCMD = $(SED) $(PATHSUBS) +FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ + @UNSUPPORTED_ALGORITHMS@ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) @@ -184,9 +186,10 @@ $(MANPAGES): $(MANPAGES_IN) manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \ fi; \ if test "$(MANTYPE)" = "man"; then \ - $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \ + $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ else \ - $(FIXPATHSCMD) $${manpage} > $@; \ + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \ fi $(CONFIGFILES): $(CONFIGFILES_IN) diff --git a/configure.ac b/configure.ac index bce5d7b17..e6ec2768f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.534 2013/06/05 22:30:21 dtucker Exp $ +# $Id: configure.ac,v 1.535 2013/06/11 01:26:10 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.534 $) +AC_REVISION($Revision: 1.535 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2394,6 +2394,8 @@ AC_LINK_IFELSE( ], [ AC_MSG_RESULT([no]) + unsupported_algorithms="$unsupported_cipers \ + aes128-gcm@openssh.com aes256-gcm@openssh.com" ] ) @@ -2434,8 +2436,15 @@ fi AC_CHECK_FUNCS([crypt DES_crypt]) # Search for SHA256 support in libc and/or OpenSSL -AC_CHECK_FUNCS([SHA256_Update EVP_sha256], [TEST_SSH_SHA256=yes], - [TEST_SSH_SHA256=no]) +AC_CHECK_FUNCS([SHA256_Update EVP_sha256], + [TEST_SSH_SHA256=yes], + [TEST_SSH_SHA256=no + unsupported_algorithms="$unsupported_algorithms \ + hmac-sha2-256 hmac-sha2-512 \ + diffie-hellman-group-exchange-sha256 \ + hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" + ] +) AC_SUBST([TEST_SSH_SHA256]) # Check complete ECC support in OpenSSL @@ -2466,6 +2475,12 @@ AC_LINK_IFELSE( AC_MSG_RESULT([no]) TEST_SSH_ECC=no COMMENT_OUT_ECC="#no ecc#" + unsupported_algorithms="$unsupported_algorithms \ + ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \ + ecdsa-sha2-nistp256-cert-v01@openssh.com \ + ecdsa-sha2-nistp384-cert-v01@openssh.com \ + ecdsa-sha2-nistp521-cert-v01@openssh.com \ + ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521" ] ) AC_SUBST([TEST_SSH_ECC]) @@ -4541,6 +4556,7 @@ else fi AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) +AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ diff --git a/fixalgorithms b/fixalgorithms new file mode 100755 index 000000000..115dce81c --- /dev/null +++ b/fixalgorithms @@ -0,0 +1,26 @@ +#!/bin/sh +# +# fixciphers - remove unsupported ciphers from man pages. +# Usage: fixpaths /path/to/sed cipher1 [cipher2] outfile +# +# Author: Darren Tucker (dtucker at zip com.au). Placed in the public domain. + +die() { + echo $* + exit -1 +} + +SED=$1 +shift + +for c in $*; do + subs="$subs -e /.Dq.$c.*$/d" + subs="$subs -e s/$c,//g" +done + +# now remove any entirely empty lines +subs="$subs -e /^$/d" + +${SED} $subs + +exit 0 -- cgit v1.2.3 From 97b62f41adcb0dcbeff142d0540793a7ea17c910 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 11 Jun 2013 11:47:24 +1000 Subject: - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have the required OpenSSL support. Patch from naddy at freebsd. --- ChangeLog | 2 ++ myproposal.h | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a7ab9a693..6805e8a10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ bz#1917, also reported and tested by tedu@. ok djm@ markus@. - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. + - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have + the required OpenSSL support. Patch from naddy at freebsd. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/myproposal.h b/myproposal.h index f13c74850..276108bf6 100644 --- a/myproposal.h +++ b/myproposal.h @@ -45,6 +45,13 @@ # define HOSTKEY_ECDSA_METHODS #endif +#ifdef OPENSSL_HAVE_EVPGCM +# define AESGCM_CIPHER_MODES \ + "aes128-gcm@openssh.com,aes256-gcm@openssh.com," +#else +# define AESGCM_CIPHER_MODES +#endif + /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ @@ -73,7 +80,7 @@ #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ - "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ + AESGCM_CIPHER_MODES \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #ifdef HAVE_EVP_SHA256 -- cgit v1.2.3 From b8ae92d08b91beaef34232c6ef34b9941473fdd6 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 11 Jun 2013 12:10:02 +1000 Subject: - (dtucker) [myproposal.h] Make the conditional algorithm support consistent and add some comments so it's clear what goes where. --- ChangeLog | 2 ++ myproposal.h | 17 +++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6805e8a10..526a05102 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have the required OpenSSL support. Patch from naddy at freebsd. + - (dtucker) [myproposal.h] Make the conditional algorithm support consistent + and add some comments so it's clear what goes where. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/myproposal.h b/myproposal.h index 276108bf6..4e913e3ce 100644 --- a/myproposal.h +++ b/myproposal.h @@ -26,6 +26,8 @@ #include +/* conditional algorithm support */ + #ifdef OPENSSL_HAS_ECC # define KEX_ECDH_METHODS \ "ecdh-sha2-nistp256," \ @@ -52,12 +54,15 @@ # define AESGCM_CIPHER_MODES #endif -/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," +#define SHA2_HMAC_MODES \ + "hmac-sha2-256," \ + "hmac-sha2-512," #else # define KEX_SHA256_METHODS +# define SHA2_HMAC_MODES #endif # define KEX_DEFAULT_KEX \ @@ -77,19 +82,15 @@ "ssh-rsa," \ "ssh-dss" +/* the actual algorithms */ + #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ AESGCM_CIPHER_MODES \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" -#ifdef HAVE_EVP_SHA256 -#define SHA2_HMAC_MODES \ - "hmac-sha2-256," \ - "hmac-sha2-512," -#else -# define SHA2_HMAC_MODES -#endif + #define KEX_DEFAULT_MAC \ "hmac-md5-etm@openssh.com," \ "hmac-sha1-etm@openssh.com," \ -- cgit v1.2.3 From b7482cff46e7e76bfb3cda86c365a08f58d4fca0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 2 Jul 2013 20:06:46 +1000 Subject: - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config contrib/cygwin/ssh-user-config] Modernizes and improve readability of the Cygwin README file (which hasn't been updated for ages), drop unsupported OSes from the ssh-host-config help text, and drop an unneeded option from ssh-user-config. Patch from vinschen at redhat com. --- ChangeLog | 7 ++ contrib/cygwin/README | 212 +++++++---------------------------------- contrib/cygwin/ssh-host-config | 4 +- contrib/cygwin/ssh-user-config | 6 -- 4 files changed, 42 insertions(+), 187 deletions(-) diff --git a/ChangeLog b/ChangeLog index 526a05102..54b4677c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20130702 + - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config + contrib/cygwin/ssh-user-config] Modernizes and improve readability of + the Cygwin README file (which hasn't been updated for ages), drop + unsupported OSes from the ssh-host-config help text, and drop an + unneeded option from ssh-user-config. Patch from vinschen at redhat com. + 20130610 - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/06/07 15:37:52 diff --git a/contrib/cygwin/README b/contrib/cygwin/README index 5f911e924..2562b6186 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README @@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might not run on older versions. Please check http://cygwin.com/ for information about current Cygwin releases. -Build instructions are at the end of the file. - -=========================================================================== -Important change since 3.7.1p2-2: - -The ssh-host-config file doesn't create the /etc/ssh_config and -/etc/sshd_config files from builtin here-scripts anymore, but it uses -skeleton files installed in /etc/defaults/etc. - -Also it now tries hard to create appropriate permissions on files. -Same applies for ssh-user-config. - -After creating the sshd service with ssh-host-config, it's advisable to -call ssh-user-config for all affected users, also already exising user -configurations. In the latter case, file and directory permissions are -checked and changed, if requireed to match the host configuration. - -Important note for Windows 2003 Server users: ---------------------------------------------- - -2003 Server has a funny new feature. When starting services under SYSTEM -account, these services have nearly all user rights which SYSTEM holds... -except for the "Create a token object" right, which is needed to allow -public key authentication :-( - -There's no way around this, except for creating a substitute account which -has the appropriate privileges. Basically, this account should be member -of the administrators group, plus it should have the following user rights: - - Create a token object - Logon as a service - Replace a process level token - Increase Quota - -The ssh-host-config script asks you, if it should create such an account, -called "sshd_server". If you say "no" here, you're on your own. Please -follow the instruction in ssh-host-config exactly if possible. Note that -ssh-user-config sets the permissions on 2003 Server machines dependent of -whether a sshd_server account exists or not. -=========================================================================== - -=========================================================================== -Important change since 3.4p1-2: - -This version adds privilege separation as default setting, see -/usr/doc/openssh/README.privsep. According to that document the -privsep feature requires a non-privileged account called 'sshd'. - -The new ssh-host-config file which is part of this version asks -to create 'sshd' as local user if you want to use privilege -separation. If you confirm, it creates that NT user and adds -the necessary entry to /etc/passwd. - -On 9x/Me systems the script just sets UsePrivilegeSeparation to "no" -since that feature doesn't make any sense on a system which doesn't -differ between privileged and unprivileged users. - -The new ssh-host-config script also adds the /var/empty directory -needed by privilege separation. When creating the /var/empty directory -by yourself, please note that in contrast to the README.privsep document -the owner sshould not be "root" but the user which is running sshd. So, -in the standard configuration this is SYSTEM. The ssh-host-config script -chowns /var/empty accordingly. -=========================================================================== - -=========================================================================== -Important change since 3.0.1p1-2: - -This version introduces the ability to register sshd as service on -Windows 9x/Me systems. This is done only when the options -D and/or --d are not given. -=========================================================================== - -=========================================================================== -Important change since 2.9p2: - -Since Cygwin is able to switch user context without password beginning -with version 1.3.2, OpenSSH now allows to do so when it's running under -a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to -allow that feature. -=========================================================================== - -=========================================================================== -Important change since 2.3.0p1: - -When using `ntea' or `ntsec' you now have to care for the ownership -and permission bits of your host key files and your private key files. -The host key files have to be owned by the NT account which starts -sshd. The user key files have to be owned by the user. The permission -bits of the private key files (host and user) have to be at least -rw------- (0600)! - -Note that this is forced under `ntsec' only if the files are on a NTFS -filesystem (which is recommended) due to the lack of any basic security -features of the FAT/FAT32 filesystems. -=========================================================================== +================== +Host configuration +================== If you are installing OpenSSH the first time, you can generate global config -files and server keys by running +files and server keys, as well as installing sshd as a service, by running /usr/bin/ssh-host-config Note that this binary archive doesn't contain default config files in /etc. That files are only created if ssh-host-config is started. -If you are updating your installation you may run the above ssh-host-config -as well to move your configuration files to the new location and to -erase the files at the old location. - To support testing and unattended installation ssh-host-config got some options: @@ -123,16 +26,25 @@ Options: --no -n Answer all questions with "no" automatically. --cygwin -c Use "options" as value for CYGWIN environment var. --port -p sshd listens on port n. - --pwd -w Use "pwd" as password for user 'sshd_server'. + --user -u privileged user for service, default 'cyg_server'. + --pwd -w Use "pwd" as password for privileged user. + --privileged On Windows XP, require privileged user + instead of LocalSystem for sshd service. -Additionally ssh-host-config now asks if it should install sshd as a -service when running under NT/W2K. This requires cygrunsrv installed. +Installing sshd as daemon via ssh-host-config is recommended. -You can create the private and public keys for a user now by running +Alternatively you can start sshd via inetd, if you have the inetutils +package installed. Just run ssh-host-config, but answer "no" when asked +to install sshd as service. The ssh-host-config script also adds the +required lines to /etc/inetd.conf and /etc/services. - /usr/bin/ssh-user-config +================== +User configuration +================== + +Any user can simplify creating the own private and public keys by running -under the users account. + /usr/bin/ssh-user-config To support testing and unattended installation ssh-user-config got some options as well: @@ -144,88 +56,30 @@ Options: --no -n Answer all questions with "no" automatically. --passphrase -p word Use "word" as passphrase automatically. -Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd -(results in very slow deamon startup!) or from the command line (recommended -on 9X/ME). - -If you start sshd as deamon via cygrunsrv.exe you MUST give the -"-D" option to sshd. Otherwise the service can't get started at all. - -If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the -following line to your inetd.conf file: - -ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i - -Moreover you'll have to add the following line to your -${SYSTEMROOT}/system32/drivers/etc/services file: - - ssh 22/tcp #SSH daemon - Please note that OpenSSH does never use the value of $HOME to search for the users configuration files! It always uses the value of the pw_dir field in /etc/passwd as the home directory. If no home diretory is set in /etc/passwd, the root directory is used instead! -You may use all features of the CYGWIN=ntsec setting the same -way as they are used by Cygwin's login(1) port: - - The pw_gecos field may contain an additional field, that begins - with (upper case!) "U-", followed by the domain and the username - separated by a backslash. - CAUTION: The SID _must_ remain the _last_ field in pw_gecos! - BTW: The field separator in pw_gecos is the comma. - The username in pw_name itself may be any nice name: - - domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... - - Now you may use `domuser' as your login name with telnet! - This is possible additionally for local users, if you don't like - your NT login name ;-) You only have to leave out the domain: - - locuser::1104:513:John Doe,U-user,S-1-5-21-... - -Note that the CYGWIN=ntsec setting is required for public key authentication. - -SSH2 server and user keys are generated by the `ssh-*-config' scripts -as well. - -If you want to build from source, the following options to -configure are used for the Cygwin binary distribution: - - --prefix=/usr \ - --sysconfdir=/etc \ - --libexecdir='${sbindir}' \ - --localstatedir=/var \ - --datadir='${prefix}/share' \ - --mandir='${datadir}/man' \ - --infodir='${datadir}/info' - --with-tcp-wrappers - --with-libedit - -If you want to create a Cygwin package, equivalent to the one -in the Cygwin binary distribution, install like this: - - mkdir /tmp/cygwin-ssh - cd ${builddir} - make install DESTDIR=/tmp/cygwin-ssh - cd ${srcdir}/contrib/cygwin - make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh - cd /tmp/cygwin-ssh - find * \! -type d | tar cvjfT my-openssh.tar.bz2 - - -You must have installed the following packages to be able to build OpenSSH: - -- zlib -- openssl-devel +================ +Building OpenSSH +================ -If you want to build with --with-tcp-wrappers, you also need the package +Building from source is easy. Just unpack the source archive, cd to that +directory, and call cygport: -- tcp_wrappers + cygport openssh.cygport almostall -If you want to build with --with-libedit, you also need the package +You must have installed the following packages to be able to build OpenSSH +with the aforementioned cygport script: -- libedit-devel + zlib + crypt + openssl-devel + libwrap-devel + libedit-devel + libkrb5-devel Please send requests, error reports etc. to cygwin@cygwin.com. diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 3c9046f5f..c542d5cb6 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -606,9 +606,9 @@ do echo " --no -n Answer all questions with \"no\" automatically." echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." echo " --port -p sshd listens on port n." - echo " --user -u privileged user for service." + echo " --user -u privileged user for service, default 'cyg_server'." echo " --pwd -w Use \"pwd\" as password for privileged user." - echo " --privileged On Windows NT/2k/XP, require privileged user" + echo " --privileged On Windows XP, require privileged user" echo " instead of LocalSystem for sshd service." echo exit 1 diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 027ae6032..8708b7a58 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config @@ -222,10 +222,6 @@ do shift ;; - --privileged ) - csih_FORCE_PRIVILEGED_USER=yes - ;; - *) echo "usage: ${PROGNAME} [OPTION]..." echo @@ -236,8 +232,6 @@ do echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo " --passphrase -p word Use \"word\" as passphrase automatically." - echo " --privileged On Windows NT/2k/XP, assume privileged user" - echo " instead of LocalSystem for sshd service." echo exit 1 ;; -- cgit v1.2.3 From 9a6615542108118582f64b7161ca0e12176e3712 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:09:04 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 [readconf.c] revert 1.203 while we investigate crashes reported by okan@ --- ChangeLog | 6 ++++++ readconf.c | 4 +--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 54b4677c2..a843af0bd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130718 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 + [readconf.c] + revert 1.203 while we investigate crashes reported by okan@ + 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config contrib/cygwin/ssh-user-config] Modernizes and improve readability of diff --git a/readconf.c b/readconf.c index 7c1c795fe..1464430a4 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.203 2013/06/05 22:00:28 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -820,8 +820,6 @@ parse_int: else if (opcode == oRemoteForward) add_remote_forward(options, &fwd); } - free(fwd.connect_host); - free(fwd.listen_host); break; case oClearAllForwardings: -- cgit v1.2.3 From 044bd2a7ddb0b6f6b716c87e57261572e2b89028 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:09:25 +1000 Subject: - guenther@cvs.openbsd.org 2013/06/17 04:48:42 [scp.c] Handle time_t values as long long's when formatting them and when parsing them from remote servers. Improve error checking in parsing of 'T' lines. ok dtucker@ deraadt@ --- ChangeLog | 6 ++++++ scp.c | 63 ++++++++++++++++++++++++++++++++++++++------------------------- 2 files changed, 44 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index a843af0bd..111a2f36e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,12 @@ - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 [readconf.c] revert 1.203 while we investigate crashes reported by okan@ + - guenther@cvs.openbsd.org 2013/06/17 04:48:42 + [scp.c] + Handle time_t values as long long's when formatting them and when + parsing them from remote servers. + Improve error checking in parsing of 'T' lines. + ok dtucker@ deraadt@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.c b/scp.c index 9b5959d44..ca7948f62 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.175 2013/06/04 19:12:23 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.176 2013/06/17 04:48:42 guenther Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -550,6 +550,24 @@ scpio(void *_cnt, size_t s) return 0; } +static int +do_times(int fd, int verb, const struct stat *sb) +{ + /* strlen(2^64) == 20; strlen(10^6) == 7 */ + char buf[(20 + 7 + 2) * 2 + 2]; + + (void)snprintf(buf, sizeof(buf), "T%llu 0 %llu 0\n", + (unsigned long long) (sb->st_mtime < 0 ? 0 : sb->st_mtime), + (unsigned long long) (sb->st_atime < 0 ? 0 : sb->st_atime)); + if (verb) { + fprintf(stderr, "File mtime %lld atime %lld\n", + (long long)sb->st_mtime, (long long)sb->st_atime); + fprintf(stderr, "Sending file timestamps: %s", buf); + } + (void) atomicio(vwrite, fd, buf, strlen(buf)); + return (response()); +} + void toremote(char *targ, int argc, char **argv) { @@ -774,21 +792,7 @@ syserr: run_err("%s: %s", name, strerror(errno)); ++last; curfile = last; if (pflag) { - /* - * Make it compatible with possible future - * versions expecting microseconds. - */ - (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n", - (u_long) (stb.st_mtime < 0 ? 0 : stb.st_mtime), - (u_long) (stb.st_atime < 0 ? 0 : stb.st_atime)); - if (verbose_mode) { - fprintf(stderr, "File mtime %ld atime %ld\n", - (long)stb.st_mtime, (long)stb.st_atime); - fprintf(stderr, "Sending file timestamps: %s", - buf); - } - (void) atomicio(vwrite, remout, buf, strlen(buf)); - if (response() < 0) + if (do_times(remout, verbose_mode, &stb) < 0) goto next; } #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) @@ -862,11 +866,7 @@ rsource(char *name, struct stat *statp) else last++; if (pflag) { - (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n", - (u_long) statp->st_mtime, - (u_long) statp->st_atime); - (void) atomicio(vwrite, remout, path, strlen(path)); - if (response() < 0) { + if (do_times(remout, verbose_mode, statp) < 0) { closedir(dirp); return; } @@ -912,6 +912,7 @@ sink(int argc, char **argv) int amt, exists, first, ofd; mode_t mode, omode, mask; off_t size, statbytes; + unsigned long long ull; int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; struct timeval tv[2]; @@ -970,17 +971,29 @@ sink(int argc, char **argv) if (*cp == 'T') { setimes++; cp++; - mtime.tv_sec = strtol(cp, &cp, 10); + if (!isdigit((unsigned char)*cp)) + SCREWUP("mtime.sec not present"); + ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); + if ((time_t)ull < 0 || (time_t)ull != ull) + setimes = 0; /* out of range */ + mtime.tv_sec = ull; mtime.tv_usec = strtol(cp, &cp, 10); - if (!cp || *cp++ != ' ') + if (!cp || *cp++ != ' ' || mtime.tv_usec < 0 || + mtime.tv_usec > 999999) SCREWUP("mtime.usec not delimited"); - atime.tv_sec = strtol(cp, &cp, 10); + if (!isdigit((unsigned char)*cp)) + SCREWUP("atime.sec not present"); + ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); + if ((time_t)ull < 0 || (time_t)ull != ull) + setimes = 0; /* out of range */ + atime.tv_sec = ull; atime.tv_usec = strtol(cp, &cp, 10); - if (!cp || *cp++ != '\0') + if (!cp || *cp++ != '\0' || atime.tv_usec < 0 || + atime.tv_usec > 999999) SCREWUP("atime.usec not delimited"); (void) atomicio(vwrite, remout, "", 1); continue; -- cgit v1.2.3 From 3071070b39e6d1722151c754cdc2b26640eaf45e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:09:44 +1000 Subject: - markus@cvs.openbsd.org 2013/06/20 19:15:06 [krl.c] don't leak the rdata blob on errors; ok djm@ --- ChangeLog | 3 +++ krl.c | 19 +++++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 111a2f36e..e0781041e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ parsing them from remote servers. Improve error checking in parsing of 'T' lines. ok dtucker@ deraadt@ + - markus@cvs.openbsd.org 2013/06/20 19:15:06 + [krl.c] + don't leak the rdata blob on errors; ok djm@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/krl.c b/krl.c index 7ac6261cb..bd6d37804 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.11 2013/04/05 00:14:00 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.12 2013/06/20 19:15:06 markus Exp $ */ #include "includes.h" @@ -887,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, char timestamp[64]; int ret = -1, r, sig_seen; Key *key = NULL, **ca_used = NULL; - u_char type, *blob; - u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; + u_char type, *blob, *rdata = NULL; + u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used; + nca_used = 0; *krlp = NULL; if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { @@ -1015,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, case KRL_SECTION_EXPLICIT_KEY: case KRL_SECTION_FINGERPRINT_SHA1: while (buffer_len(§) > 0) { - if ((blob = buffer_get_string_ret(§, - &blen)) == NULL) { + if ((rdata = buffer_get_string_ret(§, + &rlen)) == NULL) { error("%s: buffer error", __func__); goto out; } if (type == KRL_SECTION_FINGERPRINT_SHA1 && - blen != 20) { + rlen != 20) { error("%s: bad SHA1 length", __func__); goto out; } if (revoke_blob( type == KRL_SECTION_EXPLICIT_KEY ? &krl->revoked_keys : &krl->revoked_sha1s, - blob, blen) != 0) - goto out; /* revoke_blob frees blob */ + rdata, rlen) != 0) + goto out; + rdata = NULL; /* revoke_blob frees blob */ } break; case KRL_SECTION_SIGNATURE: @@ -1095,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, key_free(ca_used[i]); } free(ca_used); + free(rdata); if (key != NULL) key_free(key); buffer_free(©); -- cgit v1.2.3 From 20bdcd72365e8b3d51261993928cc47c5f0d7c8a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:10:09 +1000 Subject: - djm@cvs.openbsd.org 2013/06/21 00:34:49 [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@ --- ChangeLog | 4 ++++ auth-rsa.c | 4 ++-- auth.h | 5 +++-- auth2-hostbased.c | 6 +++++- auth2-pubkey.c | 28 +++++++++++++++++++++------- monitor.c | 7 +++++-- 6 files changed, 40 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index e0781041e..f8e2c6858 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,10 @@ - markus@cvs.openbsd.org 2013/06/20 19:15:06 [krl.c] don't leak the rdata blob on errors; ok djm@ + - djm@cvs.openbsd.org 2013/06/21 00:34:49 + [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] + for hostbased authentication, print the client host and user on + the auth success/failure line; bz#2064, ok dtucker@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/auth-rsa.c b/auth-rsa.c index 92f0ad75c..b7a03fdc4 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.84 2013/06/21 00:34:49 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -332,7 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) * options; this will be reset if the options cause the * authentication to be rejected. */ - pubkey_auth_info(authctxt, key); + pubkey_auth_info(authctxt, key, NULL); packet_send_debug("RSA authentication accepted."); return (1); diff --git a/auth.h b/auth.h index a406e1393..caf44adc0 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.75 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -122,7 +122,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); -void pubkey_auth_info(Authctxt *, const Key *); +void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) + __attribute__((__format__ (printf, 3, 4))); struct stat; int auth_secure_path(const char *, struct stat *, const char *, uid_t, diff --git a/auth2-hostbased.c b/auth2-hostbased.c index e6d05e261..a344dcc1f 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", cuser, chost); + /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 45306f839..2b3ecb104 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -147,7 +147,7 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif - pubkey_auth_info(authctxt, key); + pubkey_auth_info(authctxt, key, NULL); /* test for correct signature */ authenticated = 0; @@ -190,23 +190,37 @@ done: } void -pubkey_auth_info(Authctxt *authctxt, const Key *key) +pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) { - char *fp; + char *fp, *extra; + va_list ap; + int i; + + extra = NULL; + if (fmt != NULL) { + va_start(ap, fmt); + i = vasprintf(&extra, fmt, ap); + va_end(ap); + if (i < 0 || extra == NULL) + fatal("%s: vasprintf failed", __func__); + } if (key_is_cert(key)) { fp = key_fingerprint(key->cert->signature_key, SSH_FP_MD5, SSH_FP_HEX); - auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s", + auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", key_type(key), key->cert->key_id, (unsigned long long)key->cert->serial, - key_type(key->cert->signature_key), fp); + key_type(key->cert->signature_key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); } else { fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - auth_info(authctxt, "%s %s", key_type(key), fp); + auth_info(authctxt, "%s %s%s%s", key_type(key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); } + free(extra); } static int diff --git a/monitor.c b/monitor.c index 7286126f5..0516f60a2 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.126 2013/06/21 00:34:49 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1165,7 +1165,7 @@ mm_answer_keyallowed(int sock, Buffer *m) case MM_USERKEY: allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); - pubkey_auth_info(authctxt, key); + pubkey_auth_info(authctxt, key, NULL); auth_method = "publickey"; if (options.pubkey_authentication && allowed != 1) auth_clear_options(); @@ -1174,6 +1174,9 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed = options.hostbased_authentication && hostbased_key_allowed(authctxt->pw, cuser, chost, key); + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", + cuser, chost); auth_method = "hostbased"; break; case MM_RSAHOSTKEY: -- cgit v1.2.3 From 7f2b438ca0b7c3b9684a03d7bf3eaf379da16de9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:10:29 +1000 Subject: - djm@cvs.openbsd.org 2013/06/21 00:37:49 [ssh_config.5] explicitly mention that IdentitiesOnly can be used with IdentityFile to control which keys are offered from an agent. --- ChangeLog | 4 ++++ ssh_config.5 | 13 ++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f8e2c6858..4b8a82591 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@ + - djm@cvs.openbsd.org 2013/06/21 00:37:49 + [ssh_config.5] + explicitly mention that IdentitiesOnly can be used with IdentityFile + to control which keys are offered from an agent. 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh_config.5 b/ssh_config.5 index 003ed68ff..86906a488 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.164 2013/05/16 06:28:45 jmc Exp $ -.Dd $Mdocdate: May 16 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $ +.Dd $Mdocdate: June 21 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -628,7 +628,9 @@ and .Pa ~/.ssh/id_rsa for protocol version 2. Additionally, any identities represented by the authentication agent -will be used for authentication. +will be used for authentication unless +.Cm IdentitiesOnly +is set. .Xr ssh 1 will try to load certificate information from the filename obtained by appending @@ -657,6 +659,11 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.Pp +.Cm IdentityFile +may be used in conjunction with +.Cm IdentitiesOnly +to select which identities in an agent are offered during authentication. .It Cm IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. -- cgit v1.2.3 From bbeb1dac550bad8e6aff9bd27113c6bd5ebb7413 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:10:49 +1000 Subject: - djm@cvs.openbsd.org 2013/06/21 05:42:32 [dh.c] sprinkle in some error() to explain moduli(5) parse failures --- ChangeLog | 3 +++ dh.c | 74 ++++++++++++++++++++++++++++++++++++++++----------------------- 2 files changed, 50 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4b8a82591..10de1077e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ [ssh_config.5] explicitly mention that IdentitiesOnly can be used with IdentityFile to control which keys are offered from an agent. + - djm@cvs.openbsd.org 2013/06/21 05:42:32 + [dh.c] + sprinkle in some error() to explain moduli(5) parse failures 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/dh.c b/dh.c index d943ca1e1..a7d0e3ab4 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.50 2013/06/21 05:42:32 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -48,6 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) const char *errstr = NULL; long long n; + dhg->p = dhg-> g = NULL; cp = line; if ((arg = strdelim(&cp)) == NULL) return 0; @@ -59,66 +60,85 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) /* time */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; arg = strsep(&cp, " "); /* type */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; /* Ensure this is a safe prime */ n = strtonum(arg, 0, 5, &errstr); - if (errstr != NULL || n != MODULI_TYPE_SAFE) + if (errstr != NULL || n != MODULI_TYPE_SAFE) { + error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE); goto fail; + } arg = strsep(&cp, " "); /* tests */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; /* Ensure prime has been tested and is not composite */ n = strtonum(arg, 0, 0x1f, &errstr); if (errstr != NULL || - (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) + (n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) { + error("moduli:%d: invalid moduli tests flag", linenum); goto fail; + } arg = strsep(&cp, " "); /* tries */ if (cp == NULL || *arg == '\0') - goto fail; + goto truncated; n = strtonum(arg, 0, 1<<30, &errstr); - if (errstr != NULL || n == 0) + if (errstr != NULL || n == 0) { + error("moduli:%d: invalid primality trial count", linenum); goto fail; + } strsize = strsep(&cp, " "); /* size */ if (cp == NULL || *strsize == '\0' || (dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 || - errstr) + errstr) { + error("moduli:%d: invalid prime length", linenum); goto fail; + } /* The whole group is one bit larger */ dhg->size++; gen = strsep(&cp, " "); /* gen */ if (cp == NULL || *gen == '\0') - goto fail; + goto truncated; prime = strsep(&cp, " "); /* prime */ - if (cp != NULL || *prime == '\0') + if (cp != NULL || *prime == '\0') { + truncated: + error("moduli:%d: truncated", linenum); goto fail; + } if ((dhg->g = BN_new()) == NULL) fatal("parse_prime: BN_new failed"); if ((dhg->p = BN_new()) == NULL) fatal("parse_prime: BN_new failed"); - if (BN_hex2bn(&dhg->g, gen) == 0) - goto failclean; - - if (BN_hex2bn(&dhg->p, prime) == 0) - goto failclean; - - if (BN_num_bits(dhg->p) != dhg->size) - goto failclean; - - if (BN_is_zero(dhg->g) || BN_is_one(dhg->g)) - goto failclean; + if (BN_hex2bn(&dhg->g, gen) == 0) { + error("moduli:%d: could not parse generator value", linenum); + goto fail; + } + if (BN_hex2bn(&dhg->p, prime) == 0) { + error("moduli:%d: could not parse prime value", linenum); + goto fail; + } + if (BN_num_bits(dhg->p) != dhg->size) { + error("moduli:%d: prime has wrong size: actual %d listed %d", + linenum, BN_num_bits(dhg->p), dhg->size - 1); + goto fail; + } + if (BN_cmp(dhg->g, BN_value_one()) <= 0) { + error("moduli:%d: generator is invalid", linenum); + goto fail; + } - return (1); + return 1; - failclean: - BN_clear_free(dhg->g); - BN_clear_free(dhg->p); fail: + if (dhg->g != NULL) + BN_clear_free(dhg->g); + if (dhg->p != NULL) + BN_clear_free(dhg->p); + dhg->g = dhg->p = NULL; error("Bad prime description in line %d", linenum); - return (0); + return 0; } DH * -- cgit v1.2.3 From 8158441d01ab84f33a7e70e27f87c02cbf67e709 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:11:07 +1000 Subject: - djm@cvs.openbsd.org 2013/06/21 05:43:10 [scp.c] make this -Wsign-compare clean after time_t conversion --- ChangeLog | 3 +++ scp.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10de1077e..86da2761c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - djm@cvs.openbsd.org 2013/06/21 05:42:32 [dh.c] sprinkle in some error() to explain moduli(5) parse failures + - djm@cvs.openbsd.org 2013/06/21 05:43:10 + [scp.c] + make this -Wsign-compare clean after time_t conversion 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.c b/scp.c index ca7948f62..958faf3fc 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.176 2013/06/17 04:48:42 guenther Exp $ */ +/* $OpenBSD: scp.c,v 1.177 2013/06/21 05:43:10 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -976,7 +976,7 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); - if ((time_t)ull < 0 || (time_t)ull != ull) + if ((time_t)ull < 0 || ull > LLONG_MAX) setimes = 0; /* out of range */ mtime.tv_sec = ull; mtime.tv_usec = strtol(cp, &cp, 10); @@ -988,7 +988,7 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); - if ((time_t)ull < 0 || (time_t)ull != ull) + if ((time_t)ull < 0 || ull > LLONG_MAX) setimes = 0; /* out of range */ atime.tv_sec = ull; atime.tv_usec = strtol(cp, &cp, 10); -- cgit v1.2.3 From bc35d92e78fd53c3f32cbdbdf89d8b1919788c50 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:11:25 +1000 Subject: - djm@cvs.openbsd.org 2013/06/22 06:31:57 [scp.c] improved time_t overflow check suggested by guenther@ --- ChangeLog | 3 +++ scp.c | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 86da2761c..1502ec873 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - djm@cvs.openbsd.org 2013/06/21 05:43:10 [scp.c] make this -Wsign-compare clean after time_t conversion + - djm@cvs.openbsd.org 2013/06/22 06:31:57 + [scp.c] + improved time_t overflow check suggested by guenther@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.c b/scp.c index 958faf3fc..28ded5e9a 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.177 2013/06/21 05:43:10 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.178 2013/06/22 06:31:57 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -976,7 +976,8 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("mtime.sec not delimited"); - if ((time_t)ull < 0 || ull > LLONG_MAX) + if ((time_t)ull < 0 || + (unsigned long long)(time_t)ull != ull) setimes = 0; /* out of range */ mtime.tv_sec = ull; mtime.tv_usec = strtol(cp, &cp, 10); @@ -988,7 +989,8 @@ sink(int argc, char **argv) ull = strtoull(cp, &cp, 10); if (!cp || *cp++ != ' ') SCREWUP("atime.sec not delimited"); - if ((time_t)ull < 0 || ull > LLONG_MAX) + if ((time_t)ull < 0 || + (unsigned long long)(time_t)ull != ull) setimes = 0; /* out of range */ atime.tv_sec = ull; atime.tv_usec = strtol(cp, &cp, 10); -- cgit v1.2.3 From fecfd118d6c90df4fcd3cec7b14e4d3ce69a41d5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:11:50 +1000 Subject: - jmc@cvs.openbsd.org 2013/06/27 14:05:37 [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] do not use Sx for sections outwith the man page - ingo informs me that stuff like html will render with broken links; issue reported by Eric S. Raymond, via djm --- ChangeLog | 5 +++++ ssh-keygen.1 | 7 +++---- ssh.1 | 12 ++++-------- ssh_config.5 | 14 +++++--------- sshd.8 | 8 +++----- sshd_config.5 | 41 ++++++++++++----------------------------- 6 files changed, 32 insertions(+), 55 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1502ec873..9cabcb46d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,11 @@ - djm@cvs.openbsd.org 2013/06/22 06:31:57 [scp.c] improved time_t overflow check suggested by guenther@ + - jmc@cvs.openbsd.org 2013/06/27 14:05:37 + [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] + do not use Sx for sections outwith the man page - ingo informs me that + stuff like html will render with broken links; + issue reported by Eric S. Raymond, via djm 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 7da73e07c..0d55854e9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 19 2013 $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -516,8 +516,7 @@ of two times separated by a colon to indicate an explicit time interval. The start time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting of a minus sign followed by a relative time in the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. diff --git a/ssh.1 b/ssh.1 index dc7af4864..3cb4254eb 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $ -.Dd $Mdocdate: April 19 2013 $ +.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -754,9 +754,7 @@ implements public key authentication protocol automatically, using one of the DSA, ECDSA or RSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. -The -.Sx HISTORY -section of +The HISTORY section of .Xr ssl 8 contains a brief discussion of the DSA and RSA algorithms. .Pp @@ -812,9 +810,7 @@ instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. -See the -.Sx CERTIFICATES -section of +See the CERTIFICATES section of .Xr ssh-keygen 1 for more information. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 86906a488..5d76c6d2d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $ -.Dd $Mdocdate: June 21 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -474,8 +474,7 @@ option is also enabled. .It Cm ForwardX11Timeout Specify a timeout for untrusted X11 forwarding using the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . X11 connections received by .Xr ssh 1 @@ -964,8 +963,7 @@ and depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The default value for .Cm RekeyLimit @@ -1251,9 +1249,7 @@ The default is .Dq no . Note that this option applies to protocol version 2 only. .Pp -See also -.Sx VERIFYING HOST KEYS -in +See also VERIFYING HOST KEYS in .Xr ssh 1 . .It Cm VisualHostKey If this flag is set to diff --git a/sshd.8 b/sshd.8 index 03b77b04e..b0c7ab6bd 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $ -.Dd $Mdocdate: April 7 2013 $ +.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -567,9 +567,7 @@ is enabled. Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .Pp diff --git a/sshd_config.5 b/sshd_config.5 index 18b1d81a0..3807c0f3c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $ -.Dd $Mdocdate: May 16 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AllowTcpForwarding @@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AuthenticationMethods @@ -205,9 +201,7 @@ Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or -more lines of authorized_keys output (see -.Sx AUTHORIZED_KEYS -in +more lines of authorized_keys output (see AUTHORIZED_KEYS in .Xr sshd 8 ) . If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual @@ -222,7 +216,7 @@ than running authorized keys commands. Specifies the file that contains the public keys that can be used for user authentication. The format is described in the -.Sx AUTHORIZED_KEYS FILE FORMAT +AUTHORIZED_KEYS FILE FORMAT section of .Xr sshd 8 . .Cm AuthorizedKeysFile @@ -246,9 +240,7 @@ When using certificates signed by a key listed in this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described -in -.Sx AUTHORIZED_KEYS FILE FORMAT -in +in AUTHORIZED_KEYS FILE FORMAT in .Xr sshd 8 ) . Empty lines and comments starting with .Ql # @@ -426,9 +418,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm DenyUsers @@ -447,9 +437,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm ForceCommand @@ -761,8 +749,7 @@ and .Cm Address . The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the -.Sx PATTERNS -section of +PATTERNS section of .Xr ssh_config 5 . .Pp The patterns in an @@ -1043,9 +1030,7 @@ be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . -For more information on KRLs, see the -.Sx KEY REVOCATION LISTS -section in +For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together @@ -1134,9 +1119,7 @@ listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using .Cm TrustedUserCAKeys . -For more details on certificates, see the -.Sx CERTIFICATES -section in +For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . .It Cm UseDNS Specifies whether -- cgit v1.2.3 From 0d02c3e10e1ed16d6396748375a133d348127a2a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:12:06 +1000 Subject: - markus@cvs.openbsd.org 2013/07/02 12:31:43 [dh.c] remove extra whitespace --- ChangeLog | 3 +++ dh.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9cabcb46d..5d4855d65 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ do not use Sx for sections outwith the man page - ingo informs me that stuff like html will render with broken links; issue reported by Eric S. Raymond, via djm + - markus@cvs.openbsd.org 2013/07/02 12:31:43 + [dh.c] + remove extra whitespace 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/dh.c b/dh.c index a7d0e3ab4..449dd3858 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.50 2013/06/21 05:42:32 djm Exp $ */ +/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -48,7 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) const char *errstr = NULL; long long n; - dhg->p = dhg-> g = NULL; + dhg->p = dhg->g = NULL; cp = line; if ((arg = strdelim(&cp)) == NULL) return 0; -- cgit v1.2.3 From ce98654674648fb7d58f73edf6aa398656a2dba4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:12:44 +1000 Subject: - djm@cvs.openbsd.org 2013/07/12 00:19:59 [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ --- ChangeLog | 4 ++++ auth-options.c | 8 +++++--- auth-rsa.c | 7 +++---- bufaux.c | 8 ++++---- buffer.h | 4 ++-- channels.c | 7 ++++--- hostfile.c | 17 ++++++++++------- hostfile.h | 4 ++-- mux.c | 19 +++++++++++++------ packet.c | 11 ++++++----- packet.h | 4 ++-- roaming_common.c | 4 ++-- serverloop.c | 5 +++-- 13 files changed, 60 insertions(+), 42 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5d4855d65..aa66e3b0b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,10 @@ - markus@cvs.openbsd.org 2013/07/02 12:31:43 [dh.c] remove extra whitespace + - djm@cvs.openbsd.org 2013/07/12 00:19:59 + [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] + [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] + fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/auth-options.c b/auth-options.c index a8d738ace..80d59ee95 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.58 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -432,7 +432,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, { char *command, *allowed; const char *remote_ip; - u_char *name = NULL, *data_blob = NULL; + char *name = NULL; + u_char *data_blob = NULL; u_int nlen, dlen, clen; Buffer c, data; int ret = -1, found; @@ -550,7 +551,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, buffer_clear(&data); free(name); free(data_blob); - name = data_blob = NULL; + name = NULL; + data_blob = NULL; } /* successfully parsed all options */ ret = 0; diff --git a/auth-rsa.c b/auth-rsa.c index b7a03fdc4..545aa496a 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.84 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -165,8 +165,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, const BIGNUM *client_n, Key **rkey) { char *fp, line[SSH_MAX_PUBKEY_BYTES]; - int allowed = 0; - u_int bits; + int allowed = 0, bits; FILE *f; u_long linenum = 0; Key *key; @@ -227,7 +226,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, /* check the real bits */ keybits = BN_num_bits(key->rsa->n); - if (keybits < 0 || bits != (u_int)keybits) + if (keybits < 0 || bits != keybits) logit("Warning: %s, line %lu: keysize mismatch: " "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); diff --git a/bufaux.c b/bufaux.c index ec8853f8b..de5b3ca1a 100644 --- a/bufaux.c +++ b/bufaux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -285,7 +285,7 @@ buffer_put_cstring(Buffer *buffer, const char *s) * Returns a character from the buffer (0 - 255). */ int -buffer_get_char_ret(char *ret, Buffer *buffer) +buffer_get_char_ret(u_char *ret, Buffer *buffer) { if (buffer_get_ret(buffer, ret, 1) == -1) { error("buffer_get_char_ret: buffer_get_ret failed"); @@ -297,11 +297,11 @@ buffer_get_char_ret(char *ret, Buffer *buffer) int buffer_get_char(Buffer *buffer) { - char ch; + u_char ch; if (buffer_get_char_ret(&ch, buffer) == -1) fatal("buffer_get_char: buffer error"); - return (u_char) ch; + return ch; } /* diff --git a/buffer.h b/buffer.h index e2a9dd100..4fa2ca112 100644 --- a/buffer.h +++ b/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.21 2010/08/31 11:54:45 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.22 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen @@ -84,7 +84,7 @@ int buffer_get_int64_ret(u_int64_t *, Buffer *); void *buffer_get_string_ret(Buffer *, u_int *); char *buffer_get_cstring_ret(Buffer *, u_int *); void *buffer_get_string_ptr_ret(Buffer *, u_int *); -int buffer_get_char_ret(char *, Buffer *); +int buffer_get_char_ret(u_char *, Buffer *); #ifdef OPENSSL_HAS_ECC #include diff --git a/channels.c b/channels.c index b48e6aebb..9e87bfb9e 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.323 2013/06/07 15:37:52 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1139,7 +1139,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) u_int8_t atyp; } s5_req, s5_rsp; u_int16_t dest_port; - u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; + char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; + u_char *p; u_int have, need, i, found, nmethods, addrlen, af; debug2("channel %d: decode socks5", c->self); @@ -1209,7 +1210,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) buffer_consume(&c->input, sizeof(s5_req)); if (s5_req.atyp == SSH_SOCKS5_DOMAIN) buffer_consume(&c->input, 1); /* host string length */ - buffer_get(&c->input, (char *)&dest_addr, addrlen); + buffer_get(&c->input, &dest_addr, addrlen); buffer_get(&c->input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; free(c->path); diff --git a/hostfile.c b/hostfile.c index 69d0d289e..2ff4c48b4 100644 --- a/hostfile.c +++ b/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.51 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -64,7 +64,7 @@ struct hostkeys { }; static int -extract_salt(const char *s, u_int l, char *salt, size_t salt_len) +extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len) { char *p, *b64salt; u_int b64len; @@ -115,7 +115,8 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) { const EVP_MD *md = EVP_sha1(); HMAC_CTX mac_ctx; - char salt[256], result[256], uu_salt[512], uu_result[512]; + u_char salt[256], result[256]; + char uu_salt[512], uu_result[512]; static char encoded[1024]; u_int i, len; @@ -133,7 +134,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) } HMAC_Init(&mac_ctx, salt, len, md); - HMAC_Update(&mac_ctx, host, strlen(host)); + HMAC_Update(&mac_ctx, (u_char *)host, strlen(host)); HMAC_Final(&mac_ctx, result, NULL); HMAC_cleanup(&mac_ctx); @@ -153,7 +154,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len) */ int -hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) +hostfile_read_key(char **cpp, int *bitsp, Key *ret) { char *cp; @@ -170,8 +171,10 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) /* Return results. */ *cpp = cp; - if (bitsp != NULL) - *bitsp = key_size(ret); + if (bitsp != NULL) { + if ((*bitsp = key_size(ret)) <= 0) + return 0; + } return 1; } diff --git a/hostfile.h b/hostfile.h index d84d422ff..679c034f3 100644 --- a/hostfile.h +++ b/hostfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.h,v 1.19 2010/11/29 23:45:51 djm Exp $ */ +/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen @@ -40,7 +40,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, Key *, int lookup_key_in_hostkeys_by_type(struct hostkeys *, int, const struct hostkey_entry **); -int hostfile_read_key(char **, u_int *, Key *); +int hostfile_read_key(char **, int *, Key *); int add_host_to_hostfile(const char *, const char *, const Key *, int); #define HASH_MAGIC "|1|" diff --git a/mux.c b/mux.c index 314ee8cd2..882fa61b5 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.43 2013/06/05 02:07:29 dtucker Exp $ */ +/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -630,19 +630,22 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) Forward fwd; char *fwd_desc = NULL; u_int ftype; + u_int lport, cport; int i, ret = 0, freefwd = 1; fwd.listen_host = fwd.connect_host = NULL; if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.listen_port, m) != 0 || + buffer_get_int_ret(&lport, m) != 0 || (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.connect_port, m) != 0) { + buffer_get_int_ret(&cport, m) != 0 || + lport > 65535 || cport > 65535) { error("%s: malformed message", __func__); ret = -1; goto out; } - + fwd.listen_port = lport; + fwd.connect_port = cport; if (*fwd.listen_host == '\0') { free(fwd.listen_host); fwd.listen_host = NULL; @@ -778,17 +781,21 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) const char *error_reason = NULL; u_int ftype; int i, listen_port, ret = 0; + u_int lport, cport; fwd.listen_host = fwd.connect_host = NULL; if (buffer_get_int_ret(&ftype, m) != 0 || (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.listen_port, m) != 0 || + buffer_get_int_ret(&lport, m) != 0 || (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || - buffer_get_int_ret(&fwd.connect_port, m) != 0) { + buffer_get_int_ret(&cport, m) != 0 || + lport > 65535 || cport > 65535) { error("%s: malformed message", __func__); ret = -1; goto out; } + fwd.listen_port = lport; + fwd.connect_port = cport; if (*fwd.listen_host == '\0') { free(fwd.listen_host); diff --git a/packet.c b/packet.c index b25395d4b..0d27e7592 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.187 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1048,7 +1048,7 @@ packet_send(void) int packet_read_seqnr(u_int32_t *seqnr_p) { - int type, len, ret, ms_remain, cont; + int type, len, ret, cont, ms_remain = 0; fd_set *setp; char buf[8192]; struct timeval timeout, start, *timeoutp = NULL; @@ -1487,6 +1487,8 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) } else { type = packet_read_poll1(); switch (type) { + case SSH_MSG_NONE: + return SSH_MSG_NONE; case SSH_MSG_IGNORE: break; case SSH_MSG_DEBUG: @@ -1501,8 +1503,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) cleanup_exit(255); break; default: - if (type) - DBG(debug("received packet type %d", type)); + DBG(debug("received packet type %d", type)); return type; } } @@ -1739,7 +1740,7 @@ void packet_write_wait(void) { fd_set *setp; - int ret, ms_remain; + int ret, ms_remain = 0; struct timeval start, timeout, *timeoutp = NULL; setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, diff --git a/packet.h b/packet.h index bc548f2b1..f8edf851c 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.58 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */ /* * Author: Tatu Ylonen @@ -71,7 +71,7 @@ void *packet_get_raw(u_int *length_ptr); void *packet_get_string(u_int *length_ptr); char *packet_get_cstring(u_int *length_ptr); void *packet_get_string_ptr(u_int *length_ptr); -void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); +void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2))); void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); void set_newkeys(int mode); diff --git a/roaming_common.c b/roaming_common.c index 8d0b6054a..50d6177d0 100644 --- a/roaming_common.c +++ b/roaming_common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */ +/* $OpenBSD: roaming_common.c,v 1.10 2013/07/12 00:19:59 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -227,7 +227,7 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) { const EVP_MD *md = EVP_sha1(); EVP_MD_CTX ctx; - char hash[EVP_MAX_MD_SIZE]; + u_char hash[EVP_MAX_MD_SIZE]; Buffer b; buffer_init(&b); diff --git a/serverloop.c b/serverloop.c index 7c250b22f..ccbad617d 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.167 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.168 2013/07/12 00:19:59 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -823,7 +823,8 @@ void server_loop2(Authctxt *authctxt) { fd_set *readset = NULL, *writeset = NULL; - int rekeying = 0, max_fd, nalloc = 0; + int rekeying = 0, max_fd; + u_int nalloc = 0; u_int64_t rekey_timeout_ms = 0; debug("Entering interactive session for SSH2."); -- cgit v1.2.3 From 746d1a6c524d2e90ebe98cc29e42573a3e1c3c1b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:13:02 +1000 Subject: - djm@cvs.openbsd.org 2013/07/12 00:20:00 [sftp.c ssh-keygen.c ssh-pkcs11.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ --- ChangeLog | 3 +++ sftp.c | 5 +++-- ssh-keygen.c | 7 ++++--- ssh-pkcs11.c | 12 ++++++------ 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa66e3b0b..9db3bb0ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,9 @@ [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c] [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ + - djm@cvs.openbsd.org 2013/07/12 00:20:00 + [sftp.c ssh-keygen.c ssh-pkcs11.c] + fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/sftp.c b/sftp.c index f50a4bb6a..f0daaefa4 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.146 2013/06/04 20:42:36 dtucker Exp $ */ +/* $OpenBSD: sftp.c,v 1.147 2013/07/12 00:20:00 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1830,7 +1830,8 @@ static unsigned char complete(EditLine *el, int ch) { char **argv, *line, quote; - u_int argc, carg, cursor, len, terminated, ret = CC_ERROR; + int argc, carg; + u_int cursor, len, terminated, ret = CC_ERROR; const LineInfo *lf; struct complete_ctx *complete_ctx; diff --git a/ssh-keygen.c b/ssh-keygen.c index f24387475..504ebaf7b 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.227 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.228 2013/07/12 00:20:00 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -524,7 +524,7 @@ do_convert_from_ssh2(struct passwd *pw, Key **k, int *private) fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); encoded[0] = '\0'; while ((blen = get_line(fp, line, sizeof(line))) != -1) { - if (line[blen - 1] == '\\') + if (blen > 0 && line[blen - 1] == '\\') escaped++; if (strncmp(line, "----", 4) == 0 || strstr(line, ": ") != NULL) { @@ -1797,7 +1797,8 @@ add_cert_option(char *opt) static void show_options(const Buffer *optbuf, int v00, int in_critical) { - u_char *name, *data; + char *name; + u_char *data; u_int dlen; Buffer options, option; diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index a17326baa..618c07526 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.7 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.8 2013/07/12 00:20:00 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -263,8 +263,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) - != CKR_OK) { + if ((rv = f->C_Login(si->session, CKU_USER, + (u_char *)pin, strlen(pin))) != CKR_OK) { free(pin); error("C_Login failed: %lu", rv); return (-1); @@ -328,7 +328,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, /* remove trailing spaces */ static void -rmspace(char *buf, size_t len) +rmspace(u_char *buf, size_t len) { size_t i; @@ -366,8 +366,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) return (-1); } if (login_required && pin) { - if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin))) - != CKR_OK) { + if ((rv = f->C_Login(session, CKU_USER, + (u_char *)pin, strlen(pin))) != CKR_OK) { error("C_Login failed: %lu", rv); if ((rv = f->C_CloseSession(session)) != CKR_OK) error("C_CloseSession failed: %lu", rv); -- cgit v1.2.3 From 7313fc9222785d0c54a7ffcaf2067f4db02c8d72 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:13:19 +1000 Subject: - djm@cvs.openbsd.org 2013/07/12 00:43:50 [misc.c] in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when errno == 0. Avoids confusing error message in some broken resolver cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker --- ChangeLog | 5 +++++ misc.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9db3bb0ff..bcb297ee9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,11 @@ - djm@cvs.openbsd.org 2013/07/12 00:20:00 [sftp.c ssh-keygen.c ssh-pkcs11.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ + - djm@cvs.openbsd.org 2013/07/12 00:43:50 + [misc.c] + in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when + errno == 0. Avoids confusing error message in some broken resolver + cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/misc.c b/misc.c index fd745444e..2bdfb6507 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.90 2013/06/01 13:15:52 dtucker Exp $ */ +/* $OpenBSD: misc.c,v 1.91 2013/07/12 00:43:50 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -127,7 +127,7 @@ unset_nonblock(int fd) const char * ssh_gai_strerror(int gaierr) { - if (gaierr == EAI_SYSTEM) + if (gaierr == EAI_SYSTEM && errno != 0) return strerror(errno); return gai_strerror(gaierr); } -- cgit v1.2.3 From 5bb8833e809d827496dffca0dc2c223052c93931 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:13:37 +1000 Subject: - djm@cvs.openbsd.org 2013/07/12 05:42:03 [ssh-keygen.c] do_print_resource_record() can never be called with a NULL filename, so don't attempt (and bungle) asking for one if it has not been specified bz#2127 ok dtucker@ --- ChangeLog | 5 +++++ ssh-keygen.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bcb297ee9..2c0258265 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,11 @@ in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when errno == 0. Avoids confusing error message in some broken resolver cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker + - djm@cvs.openbsd.org 2013/07/12 05:42:03 + [ssh-keygen.c] + do_print_resource_record() can never be called with a NULL filename, so + don't attempt (and bungle) asking for one if it has not been specified + bz#2127 ok dtucker@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh-keygen.c b/ssh-keygen.c index 504ebaf7b..1edc965d5 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.228 2013/07/12 00:20:00 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.229 2013/07/12 05:42:03 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1301,7 +1301,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname) struct stat st; if (fname == NULL) - ask_filename(pw, "Enter file in which the key is"); + fatal("%s: no filename", __func__); if (stat(fname, &st) < 0) { if (errno == ENOENT) return 0; -- cgit v1.2.3 From 649fe025a409d0ce88c60a068f3f211193c35873 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:13:55 +1000 Subject: - djm@cvs.openbsd.org 2013/07/12 05:48:55 [ssh.c] set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ --- ChangeLog | 3 +++ ssh.c | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2c0258265..21d35b373 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,9 @@ do_print_resource_record() can never be called with a NULL filename, so don't attempt (and bungle) asking for one if it has not been specified bz#2127 ok dtucker@ + - djm@cvs.openbsd.org 2013/07/12 05:48:55 + [ssh.c] + set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh.c b/ssh.c index 0e96c9219..a9b0a7086 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.378 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.379 2013/07/12 05:48:55 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1480,6 +1480,11 @@ ssh_session2(void) if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) id = ssh_session2_open(); + else { + packet_set_interactive( + options.control_master == SSHCTL_MASTER_NO, + options.ip_qos_interactive, options.ip_qos_bulk); + } /* If we don't expect to open a new session, then disallow it */ if (options.control_master == SSHCTL_MASTER_NO && -- cgit v1.2.3 From bf836e535dc3a8050c1756423539bac127ee5098 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:14:13 +1000 Subject: - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] use .Mt for email addresses; from Jan Stary ; ok jmc@ --- ChangeLog | 3 +++ scp.1 | 8 ++++---- sftp-server.8 | 6 +++--- ssh-keyscan.1 | 8 ++++---- ssh-keysign.8 | 6 +++--- ssh-pkcs11-helper.8 | 6 +++--- 6 files changed, 20 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 21d35b373..09d24ce1f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -57,6 +57,9 @@ - djm@cvs.openbsd.org 2013/07/12 05:48:55 [ssh.c] set TCP nodelay for connections started with -N; bz#2124 ok dtucker@ + - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 + [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] + use .Mt for email addresses; from Jan Stary ; ok jmc@ 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/scp.1 b/scp.1 index 734b97bb1..c83012c92 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.59 2013/07/16 00:07:52 schwarze Exp $ .\" -.Dd $Mdocdate: September 5 2011 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SCP 1 .Os .Sh NAME @@ -235,5 +235,5 @@ is based on the program in BSD source code from the Regents of the University of California. .Sh AUTHORS -.An Timo Rinne Aq tri@iki.fi -.An Tatu Ylonen Aq ylo@cs.hut.fi +.An Timo Rinne Aq Mt tri@iki.fi +.An Tatu Ylonen Aq Mt ylo@cs.hut.fi diff --git a/sftp-server.8 b/sftp-server.8 index d35af6840..cc925b96e 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.22 2013/05/06 07:35:12 dtucker Exp $ +.\" $OpenBSD: sftp-server.8,v 1.23 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 6 2013 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -133,4 +133,4 @@ establish a logging socket inside the chroot directory. first appeared in .Ox 2.8 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index f2b0fc8fa..c35ea05e0 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.30 2012/04/11 13:34:17 djm Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.31 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -6,7 +6,7 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" -.Dd $Mdocdate: April 11 2012 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SSH-KEYSCAN 1 .Os .Sh NAME @@ -164,9 +164,9 @@ $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e .Xr sshd 8 .Sh AUTHORS .An -nosplit -.An David Mazieres Aq dm@lcs.mit.edu +.An David Mazieres Aq Mt dm@lcs.mit.edu wrote the initial version, and -.An Wayne Davison Aq wayned@users.sourceforge.net +.An Wayne Davison Aq Mt wayned@users.sourceforge.net added support for protocol version 2. .Sh BUGS It generates "Connection closed by remote host" messages on the consoles diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 5e09e0271..5e0b2d232 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.12 2010/08/31 11:54:45 djm Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 31 2010 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SSH-KEYSIGN 8 .Os .Sh NAME @@ -88,4 +88,4 @@ information corresponding with the private keys above. first appeared in .Ox 3.2 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org diff --git a/ssh-pkcs11-helper.8 b/ssh-pkcs11-helper.8 index 9bdaadc01..3728c4e4e 100644 --- a/ssh-pkcs11-helper.8 +++ b/ssh-pkcs11-helper.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.3 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-pkcs11-helper.8,v 1.4 2013/07/16 00:07:52 schwarze Exp $ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 10 2010 $ +.Dd $Mdocdate: July 16 2013 $ .Dt SSH-PKCS11-HELPER 8 .Os .Sh NAME @@ -40,4 +40,4 @@ is not intended to be invoked by the user, but from first appeared in .Ox 4.7 . .Sh AUTHORS -.An Markus Friedl Aq markus@openbsd.org +.An Markus Friedl Aq Mt markus@openbsd.org -- cgit v1.2.3 From d93340cbb6bc0fc0dbd4427e0cec6d994a494dd9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:14:34 +1000 Subject: - djm@cvs.openbsd.org 2013/07/18 01:12:26 [ssh.1] be more exact wrt perms for ~/.ssh/config; bz#2078 --- ChangeLog | 3 +++ ssh.1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09d24ce1f..9530ef55f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -60,6 +60,9 @@ - schwarze@cvs.openbsd.org 2013/07/16 00:07:52 [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8] use .Mt for email addresses; from Jan Stary ; ok jmc@ + - djm@cvs.openbsd.org 2013/07/18 01:12:26 + [ssh.1] + be more exact wrt perms for ~/.ssh/config; bz#2078 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh.1 b/ssh.1 index 3cb4254eb..62292cc09 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: ssh.1,v 1.334 2013/07/18 01:12:26 djm Exp $ +.Dd $Mdocdate: July 18 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -1337,7 +1337,7 @@ This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: -read/write for the user, and not accessible by others. +read/write for the user, and not writable by others. .Pp .It Pa ~/.ssh/environment Contains additional definitions for environment variables; see -- cgit v1.2.3 From 85b45e09188e7a7fc8f0a900a4c6a0f04a5720a7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 20 Jul 2013 13:21:52 +1000 Subject: - markus@cvs.openbsd.org 2013/07/19 07:37:48 [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] [servconf.h session.c sshd.c sshd_config.5] add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@ --- ChangeLog | 9 +++++++ auth.h | 4 ++- kex.h | 3 ++- kexdhs.c | 10 +++---- kexecdhs.c | 10 +++---- kexgexs.c | 11 +++----- monitor.c | 18 ++++++++++--- servconf.c | 18 +++++++++++-- servconf.h | 3 ++- session.c | 10 ++++++- sshd.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++------ sshd_config.5 | 16 ++++++++++-- 12 files changed, 153 insertions(+), 42 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9530ef55f..fd66fed6d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20130720 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2013/07/19 07:37:48 + [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] + [servconf.h session.c sshd.c sshd_config.5] + add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, + or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 + ok djm@ + 20130718 - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/06/10 19:19:44 diff --git a/auth.h b/auth.h index caf44adc0..80f089869 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.75 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -198,10 +198,12 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *, /* hostkey handling */ Key *get_hostkey_by_index(int); +Key *get_hostkey_public_by_index(int); Key *get_hostkey_public_by_type(int); Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); +void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff --git a/kex.h b/kex.h index 680264af2..9f1e1adb3 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.55 2013/04/19 01:06:50 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -139,6 +139,7 @@ struct Kex { Key *(*load_host_public_key)(int); Key *(*load_host_private_key)(int); int (*host_key_index)(Key *); + void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int); void (*kex[KEX_MAX])(Kex *); }; diff --git a/kexdhs.c b/kexdhs.c index 15128632c..269d80900 100644 --- a/kexdhs.c +++ b/kexdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexdhs.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexdhs.c,v 1.14 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -80,9 +80,6 @@ kexdh_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); /* key, cert */ if ((dh_client_pub = BN_new()) == NULL) @@ -144,9 +141,8 @@ kexdh_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, - hashlen)) < 0) - fatal("kexdh_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/kexecdhs.c b/kexecdhs.c index c42dcf448..3a580aacf 100644 --- a/kexecdhs.c +++ b/kexecdhs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexecdhs.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexecdhs.c,v 1.5 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -78,9 +78,6 @@ kexecdh_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); debug("expecting SSH2_MSG_KEX_ECDH_INIT"); packet_read_expect(SSH2_MSG_KEX_ECDH_INIT); @@ -139,9 +136,8 @@ kexecdh_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, - hash, hashlen)) < 0) - fatal("kexdh_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/kexgexs.c b/kexgexs.c index a543dda82..4e473fc73 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.16 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -68,10 +68,6 @@ kexgex_server(Kex *kex) if (server_host_public == NULL) fatal("Unsupported hostkey type %d", kex->hostkey_type); server_host_private = kex->load_host_private_key(kex->hostkey_type); - if (server_host_private == NULL) - fatal("Missing private key for hostkey type %d", - kex->hostkey_type); - type = packet_read(); switch (type) { @@ -187,9 +183,8 @@ kexgex_server(Kex *kex) } /* sign H */ - if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash, - hashlen)) < 0) - fatal("kexgex_server: key_sign failed"); + kex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/monitor.c b/monitor.c index 0516f60a2..44dff98c9 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.126 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -97,6 +97,7 @@ #include "ssh2.h" #include "jpake.h" #include "roaming.h" +#include "authfd.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; @@ -686,6 +687,8 @@ mm_answer_moduli(int sock, Buffer *m) return (0); } +extern AuthenticationConnection *auth_conn; + int mm_answer_sign(int sock, Buffer *m) { @@ -714,10 +717,16 @@ mm_answer_sign(int sock, Buffer *m) memcpy(session_id2, p, session_id2_len); } - if ((key = get_hostkey_by_index(keyid)) == NULL) + if ((key = get_hostkey_by_index(keyid)) != NULL) { + if (key_sign(key, &signature, &siglen, p, datlen) < 0) + fatal("%s: key_sign failed", __func__); + } else if ((key = get_hostkey_public_by_index(keyid)) != NULL && + auth_conn != NULL) { + if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p, + datlen) < 0) + fatal("%s: ssh_agent_sign failed", __func__); + } else fatal("%s: no hostkey from index %d", __func__, keyid); - if (key_sign(key, &signature, &siglen, p, datlen) < 0) - fatal("%s: key_sign failed", __func__); debug3("%s: signature %p(%u)", __func__, signature, siglen); @@ -1864,6 +1873,7 @@ mm_get_kex(Buffer *m) kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; return (kex); } diff --git a/servconf.c b/servconf.c index 36b8efecf..747edde6c 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.239 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -79,6 +79,7 @@ initialize_server_options(ServerOptions *options) options->address_family = -1; options->num_host_key_files = 0; options->num_host_cert_files = 0; + options->host_key_agent = NULL; options->pid_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; @@ -344,7 +345,7 @@ typedef enum { sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, + sAuthenticationMethods, sHostKeyAgent, sDeprecated, sUnsupported } ServerOpCodes; @@ -369,6 +370,7 @@ static struct { { "port", sPort, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ + { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, @@ -978,6 +980,17 @@ process_server_config_line(ServerOptions *options, char *line, } break; + case sHostKeyAgent: + charptr = &options->host_key_agent; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing socket name.", + filename, linenum); + if (*activep && *charptr == NULL) + *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? + xstrdup(arg) : derelativise_path(arg); + break; + case sHostCertificate: intptr = &options->num_host_cert_files; if (*intptr >= MAX_HOSTKEYS) @@ -2011,6 +2024,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sVersionAddendum, o->version_addendum); dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); + dump_cfg_string(sHostKeyAgent, o->host_key_agent); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff --git a/servconf.h b/servconf.h index fc051bd4b..98aad8ba2 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.108 2013/05/16 04:09:14 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.109 2013/07/19 07:37:48 markus Exp $ */ /* * Author: Tatu Ylonen @@ -65,6 +65,7 @@ typedef struct { int num_host_key_files; /* Number of files for host keys. */ char *host_cert_files[MAX_HOSTCERTS]; /* Files containing host certs. */ int num_host_cert_files; /* Number of files for host certs. */ + char *host_key_agent; /* ssh-agent socket for host keys. */ char *pid_file; /* Where to put our pid */ int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time diff --git a/session.c b/session.c index 1424825ca..d4b57bdfb 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.265 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -80,6 +80,7 @@ #include "hostfile.h" #include "auth.h" #include "auth-options.h" +#include "authfd.h" #include "pathnames.h" #include "log.h" #include "servconf.h" @@ -1589,6 +1590,13 @@ launch_login(struct passwd *pw, const char *hostname) static void child_close_fds(void) { + extern AuthenticationConnection *auth_conn; + + if (auth_conn) { + ssh_close_authentication_connection(auth_conn); + auth_conn = NULL; + } + if (packet_get_connection_in() == packet_get_connection_out()) close(packet_get_connection_in()); else { diff --git a/sshd.c b/sshd.c index 1306a62a7..174cc7a42 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.403 2013/06/05 02:27:50 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.404 2013/07/19 07:37:48 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -106,6 +106,7 @@ #include "canohost.h" #include "hostfile.h" #include "auth.h" +#include "authfd.h" #include "misc.h" #include "msg.h" #include "dispatch.h" @@ -194,6 +195,10 @@ char *server_version_string = NULL; /* for rekeying XXX fixme */ Kex *xxx_kex; +/* Daemon's agent connection */ +AuthenticationConnection *auth_conn = NULL; +int have_agent = 0; + /* * Any really sensitive data in the application is contained in this * structure. The idea is that this structure could be locked into memory so @@ -206,6 +211,7 @@ struct { Key *server_key; /* ephemeral server key */ Key *ssh1_host_key; /* ssh1 host key */ Key **host_keys; /* all private host keys */ + Key **host_pubkeys; /* all public host keys */ Key **host_certificates; /* all public host certificates */ int have_ssh1_key; int have_ssh2_key; @@ -653,6 +659,8 @@ privsep_preauth(Authctxt *authctxt) debug2("Network child is on pid %ld", (long)pid); pmonitor->m_pid = pid; + if (have_agent) + auth_conn = ssh_get_authentication_connection(); if (box != NULL) ssh_sandbox_parent_preauth(box, pid); monitor_child_preauth(authctxt, pmonitor); @@ -766,6 +774,8 @@ list_hostkey_types(void) buffer_init(&b); for (i = 0; i < options.num_host_key_files; i++) { key = sensitive_data.host_keys[i]; + if (key == NULL) + key = sensitive_data.host_pubkeys[i]; if (key == NULL) continue; switch (key->type) { @@ -819,6 +829,8 @@ get_hostkey_by_type(int type, int need_private) break; default: key = sensitive_data.host_keys[i]; + if (key == NULL && !need_private) + key = sensitive_data.host_pubkeys[i]; break; } if (key != NULL && key->type == type) @@ -848,6 +860,14 @@ get_hostkey_by_index(int ind) return (sensitive_data.host_keys[ind]); } +Key * +get_hostkey_public_by_index(int ind) +{ + if (ind < 0 || ind >= options.num_host_key_files) + return (NULL); + return (sensitive_data.host_pubkeys[ind]); +} + int get_hostkey_index(Key *key) { @@ -860,6 +880,8 @@ get_hostkey_index(Key *key) } else { if (key == sensitive_data.host_keys[i]) return (i); + if (key == sensitive_data.host_pubkeys[i]) + return (i); } } return (-1); @@ -1344,6 +1366,8 @@ main(int ac, char **av) u_int64_t ibytes, obytes; mode_t new_umask; Key *key; + Key *pubkey; + int keytype; Authctxt *authctxt; struct connection_info *connection_info = get_connection_info(0, 0); @@ -1623,22 +1647,45 @@ main(int ac, char **av) } endpwent(); - /* load private host keys */ + /* load host keys */ sensitive_data.host_keys = xcalloc(options.num_host_key_files, sizeof(Key *)); - for (i = 0; i < options.num_host_key_files; i++) + sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files, + sizeof(Key *)); + for (i = 0; i < options.num_host_key_files; i++) { sensitive_data.host_keys[i] = NULL; + sensitive_data.host_pubkeys[i] = NULL; + } + + if (options.host_key_agent) { + if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME)) + setenv(SSH_AUTHSOCKET_ENV_NAME, + options.host_key_agent, 1); + have_agent = ssh_agent_present(); + } for (i = 0; i < options.num_host_key_files; i++) { key = key_load_private(options.host_key_files[i], "", NULL); + pubkey = key_load_public(options.host_key_files[i], NULL); sensitive_data.host_keys[i] = key; - if (key == NULL) { + sensitive_data.host_pubkeys[i] = pubkey; + + if (key == NULL && pubkey != NULL && pubkey->type != KEY_RSA1 && + have_agent) { + debug("will rely on agent for hostkey %s", + options.host_key_files[i]); + keytype = pubkey->type; + } else if (key != NULL) { + keytype = key->type; + } else { error("Could not load host key: %s", options.host_key_files[i]); sensitive_data.host_keys[i] = NULL; + sensitive_data.host_pubkeys[i] = NULL; continue; } - switch (key->type) { + + switch (keytype) { case KEY_RSA1: sensitive_data.ssh1_host_key = key; sensitive_data.have_ssh1_key = 1; @@ -1649,8 +1696,8 @@ main(int ac, char **av) sensitive_data.have_ssh2_key = 1; break; } - debug("private host key: #%d type %d %s", i, key->type, - key_type(key)); + debug("private host key: #%d type %d %s", i, keytype, + key_type(key ? key : pubkey)); } if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); @@ -2020,9 +2067,11 @@ main(int ac, char **av) buffer_init(&loginmsg); auth_debug_reset(); - if (use_privsep) + if (use_privsep) { if (privsep_preauth(authctxt) == 1) goto authenticated; + } else if (compat20 && have_agent) + auth_conn = ssh_get_authentication_connection(); /* perform the key exchange */ /* authenticate user and start session */ @@ -2336,6 +2385,23 @@ do_ssh1_kex(void) packet_write_wait(); } +void +sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen, + u_char *data, u_int dlen) +{ + if (privkey) { + if (PRIVSEP(key_sign(privkey, signature, slen, data, dlen) < 0)) + fatal("%s: key_sign failed", __func__); + } else if (use_privsep) { + if (mm_key_sign(pubkey, signature, slen, data, dlen) < 0) + fatal("%s: pubkey_sign failed", __func__); + } else { + if (ssh_agent_sign(auth_conn, pubkey, signature, slen, data, + dlen)) + fatal("%s: ssh_agent_sign failed", __func__); + } +} + /* * SSH2 key exchange: diffie-hellman-group1-sha1 */ @@ -2386,6 +2452,7 @@ do_ssh2_kex(void) kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; + kex->sign = sshd_hostkey_sign; xxx_kex = kex; diff --git a/sshd_config.5 b/sshd_config.5 index 3807c0f3c..3abac6c10 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $ +.Dd $Mdocdate: July 19 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -546,6 +546,18 @@ keys are used for version 1 and or .Dq rsa are used for version 2 of the SSH protocol. +It is also possible to specify public host key files instead. +In this case operations on the private key will be delegated +to an +.Xr ssh-agent 1 . +.It Cm HostKeyAgent +Identifies the UNIX-domain socket used to communicate +with an agent that has access to the private host keys. +If +.Dq SSH_AUTH_SOCK +is specified, the location of the socket will be read from the +.Ev SSH_AUTH_SOCK +environment variable. .It Cm IgnoreRhosts Specifies that .Pa .rhosts -- cgit v1.2.3 From 32ecfa0f7920db31471ca8c1f4adc20ae38ed9d6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 20 Jul 2013 13:22:13 +1000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:43:46 [umac.c] use a union to ensure correct alignment; ok deraadt --- ChangeLog | 3 +++ umac.c | 16 +++++++++------- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index fd66fed6d..0bc5c6867 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@ + - djm@cvs.openbsd.org 2013/07/20 01:43:46 + [umac.c] + use a union to ensure correct alignment; ok deraadt 20130718 - (djm) OpenBSD CVS Sync diff --git a/umac.c b/umac.c index fb66b8097..60514a24f 100644 --- a/umac.c +++ b/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.6 2013/07/20 01:43:46 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -254,19 +254,21 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) #elif (UMAC_OUTPUT_LEN > 8) #define LOW_BIT_MASK 0 #endif - - UINT8 tmp_nonce_lo[4]; + union { + UINT8 tmp_nonce_lo[4]; + UINT32 align; + } t; #if LOW_BIT_MASK != 0 int ndx = nonce[7] & LOW_BIT_MASK; #endif - *(UINT32 *)tmp_nonce_lo = ((UINT32 *)nonce)[1]; - tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ + *(UINT32 *)t.tmp_nonce_lo = ((UINT32 *)nonce)[1]; + t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ - if ( (((UINT32 *)tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || + if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) { ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; - ((UINT32 *)pc->nonce)[1] = ((UINT32 *)tmp_nonce_lo)[0]; + ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0]; aes_encryption(pc->nonce, pc->cache, pc->prf_key); } -- cgit v1.2.3 From 3009d3cbb89316b1294fb5cedb54770b5d114d04 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 20 Jul 2013 13:22:31 +1000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:44:37 [ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- ssh.c | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0bc5c6867..47bfa94ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - djm@cvs.openbsd.org 2013/07/20 01:43:46 [umac.c] use a union to ensure correct alignment; ok deraadt + - djm@cvs.openbsd.org 2013/07/20 01:44:37 + [ssh-keygen.c ssh.c] + More useful error message on missing current user in /etc/passwd 20130718 - (djm) OpenBSD CVS Sync diff --git a/ssh-keygen.c b/ssh-keygen.c index 1edc965d5..03c444d42 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.229 2013/07/12 05:42:03 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.230 2013/07/20 01:44:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2214,7 +2214,7 @@ main(int argc, char **argv) /* we need this for the home * directory. */ pw = getpwuid(getuid()); if (!pw) { - printf("You don't exist, go away!\n"); + printf("No user exists for uid %lu\n", (u_long)getuid()); exit(1); } if (gethostname(hostname, sizeof(hostname)) < 0) { diff --git a/ssh.c b/ssh.c index a9b0a7086..30e65338f 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.379 2013/07/12 05:48:55 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.380 2013/07/20 01:44:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -299,7 +299,7 @@ main(int ac, char **av) /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { - logit("You don't exist, go away!"); + logit("No user exists for uid %lu", (u_long)original_real_uid); exit(255); } /* Take a copy of the returned structure. */ -- cgit v1.2.3 From 1f0e86f23fcebb026371c0888402a981df2a61c4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 20 Jul 2013 13:22:49 +1000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:50:20 [ssh-agent.c] call cleanup_handler on SIGINT when in debug mode to ensure sockets are cleaned up on manual exit; bz#2120 --- ChangeLog | 4 ++++ ssh-agent.c | 5 ++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 47bfa94ef..dc6ea90ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,10 @@ - djm@cvs.openbsd.org 2013/07/20 01:44:37 [ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd + - djm@cvs.openbsd.org 2013/07/20 01:50:20 + [ssh-agent.c] + call cleanup_handler on SIGINT when in debug mode to ensure sockets + are cleaned up on manual exit; bz#2120 20130718 - (djm) OpenBSD CVS Sync diff --git a/ssh-agent.c b/ssh-agent.c index 27df4f475..c3b11729c 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.176 2013/06/02 13:35:58 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.177 2013/07/20 01:50:20 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1344,9 +1344,8 @@ skip: if (ac > 0) parent_alive_interval = 10; idtab_init(); - if (!d_flag) - signal(SIGINT, SIG_IGN); signal(SIGPIPE, SIG_IGN); + signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); signal(SIGHUP, cleanup_handler); signal(SIGTERM, cleanup_handler); nalloc = 0; -- cgit v1.2.3 From 63ddc899d28cf60045b560891894b9fbf6f822e9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 20 Jul 2013 13:35:45 +1000 Subject: - djm@cvs.openbsd.org 2013/07/20 01:55:13 [auth-krb5.c gss-serv-krb5.c gss-serv.c] fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ --- ChangeLog | 3 +++ auth-krb5.c | 21 +++++++++++++-------- gss-serv-krb5.c | 44 +++++++++++++++++++++++++------------------- gss-serv.c | 4 ++-- 4 files changed, 43 insertions(+), 29 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc6ea90ef..dc2f73bd9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ [ssh-agent.c] call cleanup_handler on SIGINT when in debug mode to ensure sockets are cleaned up on manual exit; bz#2120 + - djm@cvs.openbsd.org 2013/07/20 01:55:13 + [auth-krb5.c gss-serv-krb5.c gss-serv.c] + fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ 20130718 - (djm) OpenBSD CVS Sync diff --git a/auth-krb5.c b/auth-krb5.c index ff1462ad1..43ee9272f 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * @@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_ccache ccache = NULL; int len; char *client, *platform_client; + const char *errmsg; /* get platform-specific kerberos client principal name (if it exists) */ platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name); @@ -96,7 +97,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; #ifdef HEIMDAL - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); + problem = krb5_cc_new_unique(authctxt->krb5_ctx, + krb5_mcc_ops.prefix, NULL, &ccache); if (problem) goto out; @@ -115,8 +117,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_new_unique(authctxt->krb5_ctx, + krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache); if (problem) goto out; @@ -187,10 +189,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (ccache) krb5_cc_destroy(authctxt->krb5_ctx, ccache); - if (authctxt->krb5_ctx != NULL && problem!=-1) - debug("Kerberos password authentication failed: %s", - krb5_get_err_text(authctxt->krb5_ctx, problem)); - else + if (authctxt->krb5_ctx != NULL && problem!=-1) { + errmsg = krb5_get_error_message(authctxt->krb5_ctx, + problem); + debug("Kerberos password authentication failed: %s", + errmsg); + krb5_free_error_message(authctxt->krb5_ctx, errmsg); + } else debug("Kerberos password authentication failed: %d", problem); diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 5a625acb8..87f26831a 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -48,12 +48,11 @@ extern ServerOptions options; #ifdef HEIMDAL # include -#else -# ifdef HAVE_GSSAPI_KRB5_H -# include -# elif HAVE_GSSAPI_GSSAPI_KRB5_H -# include -# endif +#endif +#ifdef HAVE_GSSAPI_KRB5_H +# include +#elif HAVE_GSSAPI_GSSAPI_KRB5_H +# include #endif static krb5_context krb_context = NULL; @@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) { krb5_principal princ; int retval; + const char *errmsg; if (ssh_gssapi_krb5_init() == 0) return 0; if ((retval = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { - logit("krb5_parse_name(): %.100s", - krb5_get_err_text(krb_context, retval)); + errmsg = krb5_get_error_message(krb_context, retval); + logit("krb5_parse_name(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return 0; } if (krb5_kuserok(krb_context, princ, name)) { @@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_principal princ; OM_uint32 maj_status, min_status; int len; + const char *errmsg; if (client->creds == NULL) { debug("No credentials stored"); @@ -130,30 +132,34 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) return; #ifdef HEIMDAL - if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { - logit("krb5_cc_gen_new(): %.100s", - krb5_get_err_text(krb_context, problem)); + if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix, + NULL, &ccache)) != 0) { + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_cc_new_unique(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } #else if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { - logit("ssh_krb5_cc_gen(): %.100s", - krb5_get_err_text(krb_context, problem)); + errmsg = krb5_get_error_message(krb_context, problem); + logit("ssh_krb5_cc_gen(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } #endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { - logit("krb5_parse_name(): %.100s", - krb5_get_err_text(krb_context, problem)); - krb5_cc_destroy(krb_context, ccache); + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_parse_name(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); return; } if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { - logit("krb5_cc_initialize(): %.100s", - krb5_get_err_text(krb_context, problem)); + errmsg = krb5_get_error_message(krb_context, problem); + logit("krb5_cc_initialize(): %.100s", errmsg); + krb5_free_error_message(krb_context, errmsg); krb5_free_principal(krb_context, princ); krb5_cc_destroy(krb_context, ccache); return; diff --git a/gss-serv.c b/gss-serv.c index c719c1306..95348e251 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -50,7 +50,7 @@ static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; ssh_gssapi_mech gssapi_null_mech = { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; -- cgit v1.2.3 From c8669a8cd24952b3f16a44eac63d2b6ce8a6343a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 11:52:48 +1000 Subject: - djm@cvs.openbsd.org 2013/07/20 22:20:42 [krl.c] fix verification error in (as-yet usused) KRL signature checking path --- ChangeLog | 6 ++++++ krl.c | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc2f73bd9..f6dcc0c0d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20130725 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/07/20 22:20:42 + [krl.c] + fix verification error in (as-yet usused) KRL signature checking path + 20130720 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2013/07/19 07:37:48 diff --git a/krl.c b/krl.c index bd6d37804..b2d0354f2 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.12 2013/06/20 19:15:06 markus Exp $ */ +/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */ #include "includes.h" @@ -973,7 +973,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, } /* Check signature over entire KRL up to this point */ if (key_verify(key, blob, blen, - buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { + buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) { error("bad signaure on KRL"); goto out; } -- cgit v1.2.3 From c331dbd22297ab9bf351abee659893d139c9f28a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 11:55:20 +1000 Subject: - djm@cvs.openbsd.org 2013/07/22 05:00:17 [umac.c] make MAC key, data to be hashed and nonce for final hash const; checked with -Wcast-qual --- ChangeLog | 4 ++++ umac.c | 62 +++++++++++++++++++++++++++++++------------------------------- 2 files changed, 35 insertions(+), 31 deletions(-) diff --git a/ChangeLog b/ChangeLog index f6dcc0c0d..480c9988f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - djm@cvs.openbsd.org 2013/07/20 22:20:42 [krl.c] fix verification error in (as-yet usused) KRL signature checking path + - djm@cvs.openbsd.org 2013/07/22 05:00:17 + [umac.c] + make MAC key, data to be hashed and nonce for final hash const; + checked with -Wcast-qual 20130720 - (djm) OpenBSD CVS Sync diff --git a/umac.c b/umac.c index 60514a24f..99416a510 100644 --- a/umac.c +++ b/umac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.c,v 1.6 2013/07/20 01:43:46 djm Exp $ */ +/* $OpenBSD: umac.c,v 1.7 2013/07/22 05:00:17 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.c -- C Implementation UMAC Message Authentication @@ -132,13 +132,13 @@ typedef unsigned int UWORD; /* Register */ /* ---------------------------------------------------------------------- */ #if HAVE_SWAP32 -#define LOAD_UINT32_REVERSED(p) (swap32(*(UINT32 *)(p))) +#define LOAD_UINT32_REVERSED(p) (swap32(*(const UINT32 *)(p))) #define STORE_UINT32_REVERSED(p,v) (*(UINT32 *)(p) = swap32(v)) #else /* HAVE_SWAP32 */ -static UINT32 LOAD_UINT32_REVERSED(void *ptr) +static UINT32 LOAD_UINT32_REVERSED(const void *ptr) { - UINT32 temp = *(UINT32 *)ptr; + UINT32 temp = *(const UINT32 *)ptr; temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 ) | ((temp & 0x0000FF00) << 8 ) | (temp << 24); return (UINT32)temp; @@ -159,7 +159,7 @@ static void STORE_UINT32_REVERSED(void *ptr, UINT32 x) */ #if (__LITTLE_ENDIAN__) -#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr)) +#define LOAD_UINT32_LITTLE(ptr) (*(const UINT32 *)(ptr)) #define STORE_UINT32_BIG(ptr,x) STORE_UINT32_REVERSED(ptr,x) #else #define LOAD_UINT32_LITTLE(ptr) LOAD_UINT32_REVERSED(ptr) @@ -184,7 +184,7 @@ typedef AES_KEY aes_int_key[1]; #define aes_encryption(in,out,int_key) \ AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key) #define aes_key_setup(key,int_key) \ - AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key) + AES_set_encrypt_key((const u_char *)(key),UMAC_KEY_LEN*8,int_key) /* The user-supplied UMAC key is stretched using AES in a counter * mode to supply all random bits needed by UMAC. The kdf function takes @@ -240,7 +240,7 @@ static void pdf_init(pdf_ctx *pc, aes_int_key prf_key) aes_encryption(pc->nonce, pc->cache, pc->prf_key); } -static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) +static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8]) { /* 'ndx' indicates that we'll be using the 0th or 1st eight bytes * of the AES output. If last time around we returned the ndx-1st @@ -261,13 +261,13 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8]) #if LOW_BIT_MASK != 0 int ndx = nonce[7] & LOW_BIT_MASK; #endif - *(UINT32 *)t.tmp_nonce_lo = ((UINT32 *)nonce)[1]; + *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1]; t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || - (((UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) + (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) { - ((UINT32 *)pc->nonce)[0] = ((UINT32 *)nonce)[0]; + ((UINT32 *)pc->nonce)[0] = ((const UINT32 *)nonce)[0]; ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0]; aes_encryption(pc->nonce, pc->cache, pc->prf_key); } @@ -335,7 +335,7 @@ typedef struct { #if (UMAC_OUTPUT_LEN == 4) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* NH hashing primitive. Previous (partial) hash result is loaded and * then stored via hp pointer. The length of the data pointed at by "dp", * "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key @@ -345,7 +345,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7; @@ -370,7 +370,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 8) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 16 bytes of hash-state per call. */ @@ -378,7 +378,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11; @@ -417,7 +417,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 12) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 24 bytes of hash-state per call. */ @@ -425,7 +425,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2,h3; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11,k12,k13,k14,k15; @@ -472,7 +472,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) #elif (UMAC_OUTPUT_LEN == 16) -static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) +static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) /* Same as previous nh_aux, but two streams are handled in one pass, * reading and writing 24 bytes of hash-state per call. */ @@ -480,7 +480,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) UINT64 h1,h2,h3,h4; UWORD c = dlen / 32; UINT32 *k = (UINT32 *)kp; - UINT32 *d = (UINT32 *)dp; + const UINT32 *d = (const UINT32 *)dp; UINT32 d0,d1,d2,d3,d4,d5,d6,d7; UINT32 k0,k1,k2,k3,k4,k5,k6,k7, k8,k9,k10,k11,k12,k13,k14,k15, @@ -541,7 +541,7 @@ static void nh_aux(void *kp, void *dp, void *hp, UINT32 dlen) /* ---------------------------------------------------------------------- */ -static void nh_transform(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) +static void nh_transform(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes) /* This function is a wrapper for the primitive NH hash functions. It takes * as argument "hc" the current hash context and a buffer which must be a * multiple of L1_PAD_BOUNDARY. The key passed to nh_aux is offset @@ -616,7 +616,7 @@ static void nh_init(nh_ctx *hc, aes_int_key prf_key) /* ---------------------------------------------------------------------- */ -static void nh_update(nh_ctx *hc, UINT8 *buf, UINT32 nbytes) +static void nh_update(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes) /* Incorporate nbytes of data into a nh_ctx, buffer whatever is not an */ /* even multiple of HASH_BUF_BYTES. */ { @@ -711,7 +711,7 @@ static void nh_final(nh_ctx *hc, UINT8 *result) /* ---------------------------------------------------------------------- */ -static void nh(nh_ctx *hc, UINT8 *buf, UINT32 padded_len, +static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len, UINT32 unpadded_len, UINT8 *result) /* All-in-one nh_update() and nh_final() equivalent. * Assumes that padded_len is divisible by L1_PAD_BOUNDARY and result is @@ -1049,7 +1049,7 @@ static int uhash_free(uhash_ctx_t ctx) #endif /* ---------------------------------------------------------------------- */ -static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) +static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len) /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and * hash each one with NH, calling the polyhash on each NH output. */ @@ -1059,7 +1059,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) UINT8 *nh_result = (UINT8 *)&result_buf; if (ctx->msg_len + len <= L1_KEY_LEN) { - nh_update(&ctx->hash, (UINT8 *)input, len); + nh_update(&ctx->hash, (const UINT8 *)input, len); ctx->msg_len += len; } else { @@ -1074,7 +1074,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* bytes to complete the current nh_block. */ if (bytes_hashed) { bytes_remaining = (L1_KEY_LEN - bytes_hashed); - nh_update(&ctx->hash, (UINT8 *)input, bytes_remaining); + nh_update(&ctx->hash, (const UINT8 *)input, bytes_remaining); nh_final(&ctx->hash, nh_result); ctx->msg_len += bytes_remaining; poly_hash(ctx,(UINT32 *)nh_result); @@ -1084,7 +1084,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* Hash directly from input stream if enough bytes */ while (len >= L1_KEY_LEN) { - nh(&ctx->hash, (UINT8 *)input, L1_KEY_LEN, + nh(&ctx->hash, (const UINT8 *)input, L1_KEY_LEN, L1_KEY_LEN, nh_result); ctx->msg_len += L1_KEY_LEN; len -= L1_KEY_LEN; @@ -1095,7 +1095,7 @@ static int uhash_update(uhash_ctx_t ctx, u_char *input, long len) /* pass remaining < L1_KEY_LEN bytes of input data to NH */ if (len) { - nh_update(&ctx->hash, (UINT8 *)input, len); + nh_update(&ctx->hash, (const UINT8 *)input, len); ctx->msg_len += len; } } @@ -1218,7 +1218,7 @@ int umac_delete(struct umac_ctx *ctx) /* ---------------------------------------------------------------------- */ -struct umac_ctx *umac_new(u_char key[]) +struct umac_ctx *umac_new(const u_char key[]) /* Dynamically allocate a umac_ctx struct, initialize variables, * generate subkeys from key. Align to 16-byte boundary. */ @@ -1235,7 +1235,7 @@ struct umac_ctx *umac_new(u_char key[]) ctx = (struct umac_ctx *)((u_char *)ctx + bytes_to_add); } ctx->free_ptr = octx; - aes_key_setup(key,prf_key); + aes_key_setup(key, prf_key); pdf_init(&ctx->pdf, prf_key); uhash_init(&ctx->hash, prf_key); } @@ -1245,18 +1245,18 @@ struct umac_ctx *umac_new(u_char key[]) /* ---------------------------------------------------------------------- */ -int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]) +int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]) /* Incorporate any pending data, pad, and generate tag */ { uhash_final(&ctx->hash, (u_char *)tag); - pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); + pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag); return (1); } /* ---------------------------------------------------------------------- */ -int umac_update(struct umac_ctx *ctx, u_char *input, long len) +int umac_update(struct umac_ctx *ctx, const u_char *input, long len) /* Given len bytes of data, we parse it into L1_KEY_LEN chunks and */ /* hash each one, calling the PDF on the hashed output whenever the hash- */ /* output buffer is full. */ -- cgit v1.2.3 From 94c9cd34d1590ea1d4bf76919a15b5688fa90ed1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 11:55:39 +1000 Subject: - djm@cvs.openbsd.org 2013/07/22 12:20:02 [umac.h] oops, forgot to commit corresponding header change; spotted by jsg and jasper --- ChangeLog | 4 ++++ umac.h | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 480c9988f..c67a10a9b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ [umac.c] make MAC key, data to be hashed and nonce for final hash const; checked with -Wcast-qual + - djm@cvs.openbsd.org 2013/07/22 12:20:02 + [umac.h] + oops, forgot to commit corresponding header change; + spotted by jsg and jasper 20130720 - (djm) OpenBSD CVS Sync diff --git a/umac.h b/umac.h index 6795112a3..7fb770f8a 100644 --- a/umac.h +++ b/umac.h @@ -1,4 +1,4 @@ -/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */ +/* $OpenBSD: umac.h,v 1.3 2013/07/22 12:20:02 djm Exp $ */ /* ----------------------------------------------------------------------- * * umac.h -- C Implementation UMAC Message Authentication @@ -52,7 +52,7 @@ extern "C" { #endif -struct umac_ctx *umac_new(u_char key[]); +struct umac_ctx *umac_new(const u_char key[]); /* Dynamically allocate a umac_ctx struct, initialize variables, * generate subkeys from key. */ @@ -62,10 +62,10 @@ int umac_reset(struct umac_ctx *ctx); /* Reset a umac_ctx to begin authenicating a new message */ #endif -int umac_update(struct umac_ctx *ctx, u_char *input, long len); +int umac_update(struct umac_ctx *ctx, const u_char *input, long len); /* Incorporate len bytes pointed to by input into context ctx */ -int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]); /* Incorporate any pending data and the ctr value, and return tag. * This function returns error code if ctr < 0. */ @@ -117,9 +117,9 @@ int uhash(uhash_ctx_t ctx, #endif /* matching umac-128 API, we reuse umac_ctx, since it's opaque */ -struct umac_ctx *umac128_new(u_char key[]); -int umac128_update(struct umac_ctx *ctx, u_char *input, long len); -int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]); +struct umac_ctx *umac128_new(const u_char key[]); +int umac128_update(struct umac_ctx *ctx, const u_char *input, long len); +int umac128_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8]); int umac128_delete(struct umac_ctx *ctx); #ifdef __cplusplus -- cgit v1.2.3 From 98e27dcf581647b5bbe9780e8f59685d942d8ea3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 11:55:52 +1000 Subject: - djm@cvs.openbsd.org 2013/07/25 00:29:10 [ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging --- ChangeLog | 4 ++++ ssh.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c67a10a9b..f799663fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ [umac.h] oops, forgot to commit corresponding header change; spotted by jsg and jasper + - djm@cvs.openbsd.org 2013/07/25 00:29:10 + [ssh.c] + daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure + it is fully detached from its controlling terminal. based on debugging 20130720 - (djm) OpenBSD CVS Sync diff --git a/ssh.c b/ssh.c index 30e65338f..87233bc91 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.380 2013/07/20 01:44:37 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.381 2013/07/25 00:29:10 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1022,6 +1022,7 @@ control_persist_detach(void) if (devnull > STDERR_FILENO) close(devnull); } + daemon(1, 1); setproctitle("%s [mux]", options.control_path); } -- cgit v1.2.3 From 0d032419ee6e1968fc1cb187af63bf3b77b506ea Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 11:56:52 +1000 Subject: - djm@cvs.openbsd.org 2013/07/25 00:56:52 [sftp-client.c sftp-client.h sftp.1 sftp.c] sftp support for resuming partial downloads; patch mostly by Loganaden Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ --- ChangeLog | 4 ++++ sftp-client.c | 75 ++++++++++++++++++++++++++++++++++++++++------------------ sftp-client.h | 6 ++--- sftp.1 | 28 ++++++++++++++++++---- sftp.c | 76 +++++++++++++++++++++++++++++++++++++++-------------------- 5 files changed, 133 insertions(+), 56 deletions(-) diff --git a/ChangeLog b/ChangeLog index f799663fd..9552a9b81 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ [ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging + - djm@cvs.openbsd.org 2013/07/25 00:56:52 + [sftp-client.c sftp-client.h sftp.1 sftp.c] + sftp support for resuming partial downloads; patch mostly by Loganaden + Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ 20130720 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index ab035c713..cb4efd3ea 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.100 2013/06/01 22:34:50 dtucker Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -112,7 +112,7 @@ send_msg(struct sftp_conn *conn, Buffer *m) iov[1].iov_len = buffer_len(m); if (atomiciov6(writev, conn->fd_out, iov, 2, - conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != + conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != buffer_len(m) + sizeof(mlen)) fatal("Couldn't send packet: %s", strerror(errno)); @@ -988,16 +988,17 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, int do_download(struct sftp_conn *conn, char *remote_path, char *local_path, - Attrib *a, int pflag) + Attrib *a, int pflag, int resume) { Attrib junk; Buffer msg; char *handle; - int local_fd, status = 0, write_error; - int read_error, write_errno; - u_int64_t offset, size; + int local_fd = -1, status = 0, write_error; + int read_error, write_errno, reordered = 0; + u_int64_t offset = 0, size, highwater; u_int handle_len, mode, type, id, buflen, num_req, max_req; off_t progress_counter; + struct stat st; struct request { u_int id; u_int len; @@ -1050,21 +1051,36 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, + local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? : O_TRUNC), mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); - do_close(conn, handle, handle_len); - buffer_free(&msg); - free(handle); - return(-1); + goto fail; + } + offset = highwater = 0; + if (resume) { + if (fstat(local_fd, &st) == -1) { + error("Unable to stat local file \"%s\": %s", + local_path, strerror(errno)); + goto fail; + } + if ((size_t)st.st_size > size) { + error("Unable to resume download of \"%s\": " + "local file is larger than remote", local_path); + fail: + do_close(conn, handle, handle_len); + buffer_free(&msg); + free(handle); + return -1; + } + offset = highwater = st.st_size; } /* Read from remote and write to local */ - write_error = read_error = write_errno = num_req = offset = 0; + write_error = read_error = write_errno = num_req = 0; max_req = 1; - progress_counter = 0; + progress_counter = offset; if (showprogress && size != 0) start_progress_meter(remote_path, size, &progress_counter); @@ -1139,6 +1155,10 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, write_error = 1; max_req = 0; } + else if (!reordered && req->offset <= highwater) + highwater = req->offset + len; + else if (!reordered && req->offset > highwater) + reordered = 1; progress_counter += len; free(data); @@ -1187,7 +1207,15 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, /* Sanity check */ if (TAILQ_FIRST(&requests) != NULL) fatal("Transfer complete, but requests still in queue"); - + /* Truncate at highest contiguous point to avoid holes on interrupt */ + if (read_error || write_error || interrupted) { + if (reordered && resume) { + error("Unable to resume download of \"%s\": " + "server reordered requests", local_path); + } + debug("truncating at %llu", (unsigned long long)highwater); + ftruncate(local_fd, highwater); + } if (read_error) { error("Couldn't read from remote file \"%s\" : %s", remote_path, fx2txt(status)); @@ -1199,7 +1227,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, do_close(conn, handle, handle_len); } else { status = do_close(conn, handle, handle_len); - + if (interrupted) + status = -1; /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD if (pflag && fchmod(local_fd, mode) == -1) @@ -1227,7 +1256,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, static int download_dir_internal(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag, int depth) + Attrib *dirattrib, int pflag, int printflag, int depth, int resume) { int i, ret = 0; SFTP_DIRENT **dir_entries; @@ -1280,11 +1309,11 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, continue; if (download_dir_internal(conn, new_src, new_dst, &(dir_entries[i]->a), pflag, printflag, - depth + 1) == -1) + depth + 1, resume) == -1) ret = -1; } else if (S_ISREG(dir_entries[i]->a.perm) ) { if (do_download(conn, new_src, new_dst, - &(dir_entries[i]->a), pflag) == -1) { + &(dir_entries[i]->a), pflag, resume) == -1) { error("Download of file %s to %s failed", new_src, new_dst); ret = -1; @@ -1317,7 +1346,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int download_dir(struct sftp_conn *conn, char *src, char *dst, - Attrib *dirattrib, int pflag, int printflag) + Attrib *dirattrib, int pflag, int printflag, int resume) { char *src_canon; int ret; @@ -1328,7 +1357,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst, } ret = download_dir_internal(conn, src_canon, dst, - dirattrib, pflag, printflag, 0); + dirattrib, pflag, printflag, 0, resume); free(src_canon); return ret; } @@ -1553,7 +1582,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, a.perm &= 01777; if (!pflag) a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; - + status = do_mkdir(conn, dst, &a, 0); /* * we lack a portable status for errno EEXIST, @@ -1563,7 +1592,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, if (status != SSH2_FX_OK) { if (status != SSH2_FX_FAILURE) return -1; - if (do_stat(conn, dst, 0) == NULL) + if (do_stat(conn, dst, 0) == NULL) return -1; } @@ -1571,7 +1600,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, error("Failed to open dir \"%s\": %s", src, strerror(errno)); return -1; } - + while (((dp = readdir(dirp)) != NULL) && !interrupted) { if (dp->d_ino == 0) continue; diff --git a/sftp-client.h b/sftp-client.h index aef54ef49..111a998c8 100644 --- a/sftp-client.h +++ b/sftp-client.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.20 2010/12/04 00:18:01 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.21 2013/07/25 00:56:51 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -106,13 +106,13 @@ int do_symlink(struct sftp_conn *, char *, char *); * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ -int do_download(struct sftp_conn *, char *, char *, Attrib *, int); +int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int); /* * Recursively download 'remote_directory' to 'local_directory'. Preserve * times if 'pflag' is set */ -int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int); +int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times diff --git a/sftp.1 b/sftp.1 index bcb472144..2577fe875 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.92 2013/07/25 00:56:51 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 5 2011 $ +.Dd $Mdocdate: July 25 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -129,7 +129,7 @@ may be used to indicate standard input. .Nm will abort if any of the following commands fail: -.Ic get , put , rename , ln , +.Ic get , put , reget , rename , ln , .Ic rm , mkdir , chdir , ls , .Ic lchdir , chmod , chown , .Ic chgrp , lpwd , df , symlink , @@ -343,7 +343,7 @@ extension. Quit .Nm sftp . .It Xo Ic get -.Op Fl Ppr +.Op Fl aPpr .Ar remote-path .Op Ar local-path .Xc @@ -363,6 +363,14 @@ is specified, then .Ar local-path must specify a directory. .Pp +If the +.Fl a +flag is specified, then attempt to resume partial transfers of existing files. +Note that resumption assumes that any partial copy of the local file matches +the remote copy. +If the remote file differs from the partial local copy then the resultant file +is likely to be corrupt. +.Pp If either the .Fl P or @@ -503,6 +511,18 @@ Display remote working directory. .It Ic quit Quit .Nm sftp . +.It Xo Ic reget +.Op Fl Ppr +.Ar remote-path +.Op Ar local-path +.Xc +Resume download of +.Ar remote-path . +Equivalent to +.Ic get +with the +.Fl a +flag set. .It Ic rename Ar oldpath Ar newpath Rename remote file from .Ar oldpath diff --git a/sftp.c b/sftp.c index f0daaefa4..969328de4 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.147 2013/07/12 00:20:00 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.148 2013/07/25 00:56:52 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -88,6 +88,9 @@ int showprogress = 1; /* When this option is set, we always recursively download/upload directories */ int global_rflag = 0; +/* When this option is set, we resume download if possible */ +int global_aflag = 0; + /* When this option is set, the file transfers will always preserve times */ int global_pflag = 0; @@ -151,6 +154,7 @@ extern char *__progname; #define I_SYMLINK 21 #define I_VERSION 22 #define I_PROGRESS 23 +#define I_REGET 26 struct CMD { const char *c; @@ -190,6 +194,7 @@ static const struct CMD cmds[] = { { "put", I_PUT, LOCAL }, { "pwd", I_PWD, REMOTE }, { "quit", I_QUIT, NOARGS }, + { "reget", I_REGET, REMOTE }, { "rename", I_RENAME, REMOTE }, { "rm", I_RM, REMOTE }, { "rmdir", I_RMDIR, REMOTE }, @@ -239,6 +244,7 @@ help(void) " filesystem containing 'path'\n" "exit Quit sftp\n" "get [-Ppr] remote [local] Download file\n" + "reget remote [local] Resume download file\n" "help Display this help text\n" "lcd path Change local directory to 'path'\n" "lls [ls-options [path]] Display local directory listing\n" @@ -350,8 +356,8 @@ make_absolute(char *p, char *pwd) } static int -parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, - int *rflag) +parse_getput_flags(const char *cmd, char **argv, int argc, + int *aflag, int *pflag, int *rflag) { extern int opterr, optind, optopt, optreset; int ch; @@ -359,9 +365,12 @@ parse_getput_flags(const char *cmd, char **argv, int argc, int *pflag, optind = optreset = 1; opterr = 0; - *rflag = *pflag = 0; - while ((ch = getopt(argc, argv, "PpRr")) != -1) { + *aflag = *rflag = *pflag = 0; + while ((ch = getopt(argc, argv, "aPpRr")) != -1) { switch (ch) { + case 'a': + *aflag = 1; + break; case 'p': case 'P': *pflag = 1; @@ -519,7 +528,7 @@ pathname_is_dir(char *pathname) static int process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, - int pflag, int rflag) + int pflag, int rflag, int resume) { char *abs_src = NULL; char *abs_dst = NULL; @@ -571,15 +580,18 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, } free(tmp); - if (!quiet) + resume |= global_aflag; + if (!quiet && resume) + printf("Resuming %s to %s\n", g.gl_pathv[i], abs_dst); + else if (!quiet && !resume) printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { - if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag, 1) == -1) + if (download_dir(conn, g.gl_pathv[i], abs_dst, NULL, + pflag || global_pflag, 1, resume) == -1) err = -1; } else { if (do_download(conn, g.gl_pathv[i], abs_dst, NULL, - pflag || global_pflag) == -1) + pflag || global_pflag, resume) == -1) err = -1; } free(abs_dst); @@ -1118,8 +1130,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, } static int -parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, - int *hflag, int *sflag, unsigned long *n_arg, char **path1, char **path2) +parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, + int *pflag, int *rflag, int *sflag, unsigned long *n_arg, + char **path1, char **path2) { const char *cmd, *cp = *cpp; char *cp2, **argv; @@ -1163,14 +1176,15 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, } /* Get arguments and parse flags */ - *lflag = *pflag = *rflag = *hflag = *n_arg = 0; + *aflag = *lflag = *pflag = *rflag = *hflag = *n_arg = 0; *path1 = *path2 = NULL; optidx = 1; switch (cmdnum) { case I_GET: + case I_REGET: case I_PUT: if ((optidx = parse_getput_flags(cmd, argv, argc, - pflag, rflag)) == -1) + aflag, pflag, rflag)) == -1) return -1; /* Get first pathname (mandatory) */ if (argc - optidx < 1) { @@ -1185,6 +1199,11 @@ parse_args(const char **cpp, int *pflag, int *rflag, int *lflag, int *iflag, /* Destination is not globbed */ undo_glob_escape(*path2); } + if (*aflag && cmdnum == I_PUT) { + /* XXX implement resume for uploads */ + error("Resume is not supported for uploads"); + return -1; + } break; case I_LINK: if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) @@ -1293,7 +1312,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, int err_abort) { char *path1, *path2, *tmp; - int pflag = 0, rflag = 0, lflag = 0, iflag = 0, hflag = 0, sflag = 0; + int aflag = 0, hflag = 0, iflag = 0, lflag = 0, pflag = 0; + int rflag = 0, sflag = 0; int cmdnum, i; unsigned long n_arg = 0; Attrib a, *aa; @@ -1302,9 +1322,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, glob_t g; path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &pflag, &rflag, &lflag, &iflag, &hflag, - &sflag, &n_arg, &path1, &path2); - + cmdnum = parse_args(&cmd, &aflag, &hflag, &iflag, &lflag, &pflag, + &rflag, &sflag, &n_arg, &path1, &path2); if (iflag != 0) err_abort = 0; @@ -1319,8 +1338,12 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, /* Unrecognized command */ err = -1; break; + case I_REGET: + aflag = 1; + /* FALLTHROUGH */ case I_GET: - err = process_get(conn, path1, path2, *pwd, pflag, rflag); + err = process_get(conn, path1, path2, *pwd, pflag, + rflag, aflag); break; case I_PUT: err = process_put(conn, path1, path2, *pwd, pflag, rflag); @@ -1949,12 +1972,10 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) } } else { /* XXX this is wrong wrt quoting */ - if (file2 == NULL) - snprintf(cmd, sizeof cmd, "get %s", dir); - else - snprintf(cmd, sizeof cmd, "get %s %s", dir, - file2); - + snprintf(cmd, sizeof cmd, "get%s %s%s%s", + global_aflag ? " -a" : "", dir, + file2 == NULL ? "" : " ", + file2 == NULL ? "" : file2); err = parse_dispatch_command(conn, cmd, &remote_path, 1); free(dir); @@ -2143,7 +2164,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, - "1246hpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { + "1246ahpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case '4': @@ -2183,6 +2204,9 @@ main(int argc, char **argv) case '2': sshver = 2; break; + case 'a': + global_aflag = 1; + break; case 'B': copy_buffer_len = strtol(optarg, &cp, 10); if (copy_buffer_len == 0 || *cp != '\0') -- cgit v1.2.3 From 53435b2d8773a5d7c78359e9f7bf9df2d93b9ef5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 11:57:15 +1000 Subject: - djm@cvs.openbsd.org 2013/07/25 00:57:37 [version.h] openssh-6.3 for release --- ChangeLog | 4 ++++ version.h | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9552a9b81..2c2197252 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,10 @@ [sftp-client.c sftp-client.h sftp.1 sftp.c] sftp support for resuming partial downloads; patch mostly by Loganaden Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ + "Just be careful" deraadt@ + - djm@cvs.openbsd.org 2013/07/25 00:57:37 + [version.h] + openssh-6.3 for release 20130720 - (djm) OpenBSD CVS Sync diff --git a/version.h b/version.h index 784f707a6..f6ec0ee3b 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */ +/* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */ -#define SSH_VERSION "OpenSSH_6.2" +#define SSH_VERSION "OpenSSH_6.3" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.3 From fea440639e04cea9f2605375a41d654390369402 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 12:08:07 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 [regress/test-exec.sh] use ssh and sshd as testdata since it needs to be >256k for the rekey test --- ChangeLog | 3 +++ regress/test-exec.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2c2197252..5daedfa43 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - djm@cvs.openbsd.org 2013/07/25 00:57:37 [version.h] openssh-6.3 for release + - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 + [regress/test-exec.sh] + use ssh and sshd as testdata since it needs to be >256k for the rekey test 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 2eab32341..6e1c28c87 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.44 2013/05/17 10:30:07 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.45 2013/05/30 20:12:32 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.3 From 78d47b7c5b182e44552913de2b4b7e0363c8e3cc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 12:08:46 +1000 Subject: - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 [regress/forwarding.sh] Add test for forward config parsing --- ChangeLog | 3 +++ regress/forwarding.sh | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 5daedfa43..841988bb6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 [regress/test-exec.sh] use ssh and sshd as testdata since it needs to be >256k for the rekey test + - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 + [regress/forwarding.sh] + Add test for forward config parsing 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 1c408603c..ca48b40af 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -104,3 +104,18 @@ for p in 2; do fail "stdio forwarding proto $p" fi done + +echo "LocalForward ${base}01 127.0.0.1:$PORT" >> ssh_config +echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> ssh_config +for p in 1 2; do + trace "config file: start forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10 + + trace "config file: transfer over forwarded channels and check result" + ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy of ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + + wait +done -- cgit v1.2.3 From d1e26cf391de31128b4edde118bff5fed98a90ea Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 12:11:18 +1000 Subject: - djm@cvs.openbsd.org 2013/06/21 02:26:26 [regress/sftp-cmds.sh regress/test-exec.sh] unbreak sftp-cmds for renamed test data (s/ls/data/) --- ChangeLog | 3 +++ regress/sftp-cmds.sh | 10 +++++----- regress/test-exec.sh | 5 +++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 841988bb6..9ba325874 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,9 @@ - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 [regress/forwarding.sh] Add test for forward config parsing + - djm@cvs.openbsd.org 2013/06/21 02:26:26 + [regress/sftp-cmds.sh regress/test-exec.sh] + unbreak sftp-cmds for renamed test data (s/ls/data/) 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index ba5ef066d..aad7fcac2 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-cmds.sh,v 1.13 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: sftp-cmds.sh,v 1.14 2013/06/21 02:26:26 djm Exp $ # Placed in the Public Domain. # XXX - TODO: @@ -106,7 +106,7 @@ rm -f ${COPY}.dd/* verbose "$tid: get to directory" echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to directory" @@ -120,7 +120,7 @@ rm -f ${COPY}.dd/* verbose "$tid: get to local dir" (echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to local dir" @@ -154,7 +154,7 @@ rm -f ${COPY}.dd/* verbose "$tid: put to directory" echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to directory" @@ -168,7 +168,7 @@ rm -f ${COPY}.dd/* verbose "$tid: put to local dir" (echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to local dir" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 6e1c28c87..eee446264 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.45 2013/05/30 20:12:32 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -167,7 +167,8 @@ SSH="$SSHLOGWRAP" # Some test data. We make a copy because some tests will overwrite it. # The tests may assume that $DATA exists and is writable and $COPY does # not exist. -DATA=$OBJ/data +DATANAME=data +DATA=$OBJ/${DATANAME} cat $SSHD $SSHD $SSHD $SSHD >${DATA} chmod u+w ${DATA} COPY=$OBJ/copy -- cgit v1.2.3 From e9e936d33b4b1d77ffbaace9438cb2f1469c1dc7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 25 Jul 2013 12:34:00 +1000 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers --- README | 4 ++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README b/README index 21dc6e1f7..ece2dba19 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-6.2 for the release notes. +See http://www.openssh.com/txt/release-6.3 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.82 2013/02/26 23:48:19 djm Exp $ +$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 196bd7904..b460bfff0 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -16,7 +16,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 -%define version 6.2p1 +%define version 6.3p1 %if %{use_stable} %define cvs %{nil} %define release 1 @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.79 2013/02/26 23:48:20 djm Exp $ +$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 3898c6c99..d1191f4e1 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 6.2p1 +%define ver 6.3p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 960feae07..2866039d1 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 6.2p1 +Version: 6.3p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From ed899eb597a8901ff7322cba809660515ec0d601 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 25 Jul 2013 15:40:00 -0700 Subject: - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ --- ChangeLog | 2 ++ sftp-client.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9ba325874..741fe7cf5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,8 @@ - djm@cvs.openbsd.org 2013/06/21 02:26:26 [regress/sftp-cmds.sh regress/test-exec.sh] unbreak sftp-cmds for renamed test data (s/ls/data/) + - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on + Solaris and UnixWare. Feedback and OK djm@ 20130720 - (djm) OpenBSD CVS Sync diff --git a/sftp-client.c b/sftp-client.c index cb4efd3ea..f4f1970b6 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1051,7 +1051,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? : O_TRUNC), + local_fd = open(local_path, O_WRONLY | O_CREAT | (resume ? 0 : O_TRUNC), mode | S_IWUSR); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", -- cgit v1.2.3 From 0553ad76ffdff35fb31b9e6df935a71a1cc6daa2 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 25 Jul 2013 16:03:16 -0700 Subject: - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. --- ChangeLog | 1 + regress/forwarding.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 741fe7cf5..5af298a4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,7 @@ unbreak sftp-cmds for renamed test data (s/ls/data/) - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ + - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. 20130720 - (djm) OpenBSD CVS Sync diff --git a/regress/forwarding.sh b/regress/forwarding.sh index ca48b40af..94873f22c 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -105,8 +105,8 @@ for p in 2; do fi done -echo "LocalForward ${base}01 127.0.0.1:$PORT" >> ssh_config -echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> ssh_config +echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config +echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config for p in 1 2; do trace "config file: start forwarding, fork to background" ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10 -- cgit v1.2.3 From 81f7cf1ec5bc2fd202eda05abc2e5361c54633c5 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 25 Jul 2013 18:41:40 -0700 Subject: more correct comment for last commit --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 5af298a4d..b7a098127 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,7 +34,7 @@ unbreak sftp-cmds for renamed test data (s/ls/data/) - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ - - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. + - (tim) [regress/forwarding.sh] Fix for building outside source tree. 20130720 - (djm) OpenBSD CVS Sync -- cgit v1.2.3 From c192a4c4f6da907dc0e67a3ca61d806f9a92c931 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 1 Aug 2013 14:29:20 +1000 Subject: - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- blocking connecting socket will clear any stored errno that might otherwise have been retrievable via getsockopt(). A hack to limit writes to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap it in an #ifdef. Diagnosis and patch from Ivo Raisr. --- ChangeLog | 7 +++++++ channels.c | 3 +++ channels.h | 2 ++ 3 files changed, 12 insertions(+) diff --git a/ChangeLog b/ChangeLog index b7a098127..3b79b5d29 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20130801 + - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- + blocking connecting socket will clear any stored errno that might + otherwise have been retrievable via getsockopt(). A hack to limit writes + to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap + it in an #ifdef. Diagnosis and patch from Ivo Raisr. + 20130725 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/07/20 22:20:42 diff --git a/channels.c b/channels.c index 9e87bfb9e..281df3802 100644 --- a/channels.c +++ b/channels.c @@ -248,7 +248,10 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, if ((c->isatty = is_tty) != 0) debug2("channel %d: rfd %d isatty", c->self, c->rfd); +#ifdef _AIX + /* XXX: Later AIX versions can't push as much data to tty */ c->wfd_isatty = is_tty || isatty(c->wfd); +#endif /* enable nonblocking mode */ if (nonblock) { diff --git a/channels.h b/channels.h index ffd580727..4fab9d7c4 100644 --- a/channels.h +++ b/channels.h @@ -103,7 +103,9 @@ struct Channel { int sock; /* sock fd */ int ctl_chan; /* control channel (multiplexed connections) */ int isatty; /* rfd is a tty */ +#ifdef _AIX int wfd_isatty; /* wfd is a tty */ +#endif int client_tty; /* (client) TTY has been requested */ int force_drain; /* force close on iEOF */ time_t notbefore; /* Pause IO until deadline (time_t) */ -- cgit v1.2.3 From ab3575c055adfbce70fa7405345cf0f80b07c827 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 1 Aug 2013 14:34:16 +1000 Subject: - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 --- ChangeLog | 1 + sshlogin.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3b79b5d29..fdce70566 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ otherwise have been retrievable via getsockopt(). A hack to limit writes to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap it in an #ifdef. Diagnosis and patch from Ivo Raisr. + - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 20130725 - (djm) OpenBSD CVS Sync diff --git a/sshlogin.h b/sshlogin.h index 500d3fefd..52119a979 100644 --- a/sshlogin.h +++ b/sshlogin.h @@ -15,7 +15,7 @@ void record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *, socklen_t); void record_logout(pid_t, const char *, const char *); -time_t get_last_login_time(uid_t, const char *, char *, u_int); +time_t get_last_login_time(uid_t, const char *, char *, size_t); #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t, const char *, const char *, const char *, -- cgit v1.2.3 From f3ab2c5f9cf4aed44971eded3ac9eeb1344b2be5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 4 Aug 2013 21:48:41 +1000 Subject: - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support for building with older Heimdal versions. ok djm. --- ChangeLog | 4 ++++ auth-krb5.c | 9 +++++++++ configure.ac | 9 +++++++-- openbsd-compat/bsd-misc.h | 10 +++++++++- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index fdce70566..997c5b54d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20130804 + - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support + for building with older Heimdal versions. ok djm. + 20130801 - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non- blocking connecting socket will clear any stored errno that might diff --git a/auth-krb5.c b/auth-krb5.c index 43ee9272f..7c83f597f 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -97,8 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; #ifdef HEIMDAL +# ifdef HAVE_KRB5_CC_NEW_UNIQUE problem = krb5_cc_new_unique(authctxt->krb5_ctx, krb5_mcc_ops.prefix, NULL, &ccache); +# else + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); +# endif if (problem) goto out; @@ -117,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; +# ifdef HAVE_KRB5_CC_NEW_UNIQUE problem = krb5_cc_new_unique(authctxt->krb5_ctx, krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache); +# else + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, + &authctxt->krb5_fwd_ccache); +# endif if (problem) goto out; diff --git a/configure.ac b/configure.ac index e6ec2768f..4a1b50331 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.535 2013/06/11 01:26:10 dtucker Exp $ +# $Id: configure.ac,v 1.536 2013/08/04 11:48:41 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.535 $) +AC_REVISION($Revision: 1.536 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -3806,6 +3806,11 @@ AC_ARG_WITH([kerberos5], # include #endif ]]) + saved_LIBS="$LIBS" + LIBS="$LIBS $K5LIBS" + AC_CHECK_FUNCS([krb5_cc_new_unique krb5_get_error_message krb5_free_error_message]) + LIBS="$saved_LIBS" + fi ] ) diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index 9ebd83c3a..65c18ec2f 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h @@ -1,4 +1,4 @@ -/* $Id: bsd-misc.h,v 1.24 2013/05/29 22:29:09 dtucker Exp $ */ +/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */ /* * Copyright (c) 1999-2004 Damien Miller @@ -114,4 +114,12 @@ pid_t getpgid(pid_t); # define endgrent() {} #endif +#ifndef HAVE_KRB5_GET_ERROR_MESSAGE +# define krb5_get_error_message krb5_get_err_text +#endif + +#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE +# define krb5_free_error_message(a,b) while(0) +#endif + #endif /* _BSD_MISC_H */ -- cgit v1.2.3 From a5a3cbfa0fb8ef011d3e7b38910a13f6ebbb8818 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 8 Aug 2013 10:58:49 +1000 Subject: - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, run "make clean" before a complete regress run. ok djm. --- ChangeLog | 5 +++++ regress/Makefile | 2 +- regress/test-exec.sh | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 997c5b54d..3ca13ebe8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130808 + - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt + since some platforms (eg really old FreeBSD) don't have it. Instead, + run "make clean" before a complete regress run. ok djm. + 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support for building with older Heimdal versions. ok djm. diff --git a/regress/Makefile b/regress/Makefile index ab2a6ae7b..3d1b669e8 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec -tests: $(REGRESS_TARGETS) +tests: clean $(REGRESS_TARGETS) # Interop tests are not run by default interop interop-tests: t-exec-interop diff --git a/regress/test-exec.sh b/regress/test-exec.sh index eee446264..9e66f9269 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -368,7 +368,7 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER trace "generate keys" for t in rsa rsa1; do # generate user key - if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then + if [ ! -f $OBJ/$t ]; then rm -f $OBJ/$t ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ fail "ssh-keygen for $t failed" -- cgit v1.2.3 From 94396b7f06f512a0acb230640d7f703fb802a9ee Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 8 Aug 2013 11:52:37 +1000 Subject: - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime( CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the CLOCK_MONOTONIC define but don't actually support it. Found and tested by Kevin Brott, ok djm. --- ChangeLog | 4 ++++ misc.c | 15 ++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3ca13ebe8..2813200a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, run "make clean" before a complete regress run. ok djm. + - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime( + CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the + CLOCK_MONOTONIC define but don't actually support it. Found and tested + by Kevin Brott, ok djm. 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support diff --git a/misc.c b/misc.c index 2bdfb6507..85c404218 100644 --- a/misc.c +++ b/misc.c @@ -854,19 +854,24 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } +#define clock_gettime(a,b) -1 + time_t monotime(void) { #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC) struct timespec ts; + static int gettime_failed = 0; - if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) - fatal("clock_gettime: %s", strerror(errno)); + if (!gettime_failed) { + if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) + return (ts.tv_sec); + debug3("clock_gettime: %s", strerror(errno)); + gettime_failed = 1; + } +#endif - return (ts.tv_sec); -#else return time(NULL); -#endif } void -- cgit v1.2.3 From 9542de4547beebf707f3640082d471f1a85534c9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 8 Aug 2013 12:50:06 +1000 Subject: - (dtucker) [misc.c] Remove define added for fallback testing that was mistakenly included in the previous commit. --- ChangeLog | 2 ++ misc.c | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2813200a9..40e1812dc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the CLOCK_MONOTONIC define but don't actually support it. Found and tested by Kevin Brott, ok djm. + - (dtucker) [misc.c] Remove define added for fallback testing that was + mistakenly included in the previous commit. 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support diff --git a/misc.c b/misc.c index 85c404218..c3c809943 100644 --- a/misc.c +++ b/misc.c @@ -854,8 +854,6 @@ ms_to_timeval(struct timeval *tv, int ms) tv->tv_usec = (ms % 1000) * 1000; } -#define clock_gettime(a,b) -1 - time_t monotime(void) { -- cgit v1.2.3 From acd2060f750c16d48b87b92a10b5a833227baf9d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 8 Aug 2013 17:02:12 +1000 Subject: - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt removal. The "make clean" removes modpipe which is built by the top-level directory before running the tests. Spotted by tim@ --- ChangeLog | 3 +++ regress/Makefile | 2 +- regress/test-exec.sh | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40e1812dc..12429fd57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ by Kevin Brott, ok djm. - (dtucker) [misc.c] Remove define added for fallback testing that was mistakenly included in the previous commit. + - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt + removal. The "make clean" removes modpipe which is built by the top-level + directory before running the tests. Spotted by tim@ 20130804 - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support diff --git a/regress/Makefile b/regress/Makefile index 3d1b669e8..ab2a6ae7b 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec -tests: clean $(REGRESS_TARGETS) +tests: $(REGRESS_TARGETS) # Interop tests are not run by default interop interop-tests: t-exec-interop diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 9e66f9269..eee446264 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -368,7 +368,7 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER trace "generate keys" for t in rsa rsa1; do # generate user key - if [ ! -f $OBJ/$t ]; then + if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then rm -f $OBJ/$t ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ fail "ssh-keygen for $t failed" -- cgit v1.2.3 From 02e878070d0eddad4e11f2c82644b275418eb112 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:38:51 +1000 Subject: - djm@cvs.openbsd.org 2013/08/06 23:03:49 [sftp.c] fix some whitespace at EOL make list of commands an enum rather than a long list of defines add -a to usage() --- ChangeLog | 8 +++++ sftp.c | 106 ++++++++++++++++++++++++++++++++------------------------------ 2 files changed, 62 insertions(+), 52 deletions(-) diff --git a/ChangeLog b/ChangeLog index 12429fd57..913716bbb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20130821 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/08/06 23:03:49 + [sftp.c] + fix some whitespace at EOL + make list of commands an enum rather than a long list of defines + add -a to usage() + 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, diff --git a/sftp.c b/sftp.c index 969328de4..c68fb2cf0 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.148 2013/07/25 00:56:52 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.149 2013/08/06 23:03:49 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -129,32 +129,34 @@ extern char *__progname; #define SORT_FLAGS (LS_NAME_SORT|LS_TIME_SORT|LS_SIZE_SORT) /* Commands for interactive mode */ -#define I_CHDIR 1 -#define I_CHGRP 2 -#define I_CHMOD 3 -#define I_CHOWN 4 -#define I_DF 24 -#define I_GET 5 -#define I_HELP 6 -#define I_LCHDIR 7 -#define I_LINK 25 -#define I_LLS 8 -#define I_LMKDIR 9 -#define I_LPWD 10 -#define I_LS 11 -#define I_LUMASK 12 -#define I_MKDIR 13 -#define I_PUT 14 -#define I_PWD 15 -#define I_QUIT 16 -#define I_RENAME 17 -#define I_RM 18 -#define I_RMDIR 19 -#define I_SHELL 20 -#define I_SYMLINK 21 -#define I_VERSION 22 -#define I_PROGRESS 23 -#define I_REGET 26 +enum sftp_command { + I_CHDIR = 1, + I_CHGRP, + I_CHMOD, + I_CHOWN, + I_DF, + I_GET, + I_HELP, + I_LCHDIR, + I_LINK, + I_LLS, + I_LMKDIR, + I_LPWD, + I_LS, + I_LUMASK, + I_MKDIR, + I_PUT, + I_PWD, + I_QUIT, + I_RENAME, + I_RM, + I_RMDIR, + I_SHELL, + I_SYMLINK, + I_VERSION, + I_PROGRESS, + I_REGET, +}; struct CMD { const char *c; @@ -647,7 +649,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, error("stat %s: %s", g.gl_pathv[i], strerror(errno)); continue; } - + tmp = xstrdup(g.gl_pathv[i]); if ((filename = basename(tmp)) == NULL) { error("basename %s: %s", tmp, strerror(errno)); @@ -975,7 +977,7 @@ undo_glob_escape(char *s) * * If "lastquote" is not NULL, the quoting character used for the last * argument is placed in *lastquote ("\0", "'" or "\""). - * + * * If "terminated" is not NULL, *terminated will be set to 1 when the * last argument's quote has been properly terminated or 0 otherwise. * This parameter is only of use if "sloppy" is set. @@ -1024,7 +1026,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote, state = q; if (lastquote != NULL) *lastquote = arg[i]; - } else if (state == MA_UNQUOTED) + } else if (state == MA_UNQUOTED) state = q; else if (state == q) state = MA_UNQUOTED; @@ -1567,7 +1569,7 @@ complete_display(char **list, u_int len) char *tmp; /* Count entries for sort and find longest */ - for (y = 0; list[y]; y++) + for (y = 0; list[y]; y++) m = MAX(m, strlen(list[y])); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) @@ -1612,8 +1614,8 @@ complete_ambiguous(const char *word, char **list, size_t count) for (y = 1; list[y]; y++) { u_int x; - for (x = 0; x < matchlen; x++) - if (list[0][x] != list[y][x]) + for (x = 0; x < matchlen; x++) + if (list[0][x] != list[y][x]) break; matchlen = x; @@ -1625,7 +1627,7 @@ complete_ambiguous(const char *word, char **list, size_t count) tmp[matchlen] = '\0'; return tmp; } - } + } return xstrdup(word); } @@ -1645,12 +1647,12 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (cmd == NULL) { for (y = 0; cmds[y].c; y++) list[count++] = xstrdup(cmds[y].c); - + list[count] = NULL; complete_display(list, 0); - for (y = 0; list[y] != NULL; y++) - free(list[y]); + for (y = 0; list[y] != NULL; y++) + free(list[y]); free(list); return count; } @@ -1658,7 +1660,7 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, /* Prepare subset of commands that start with "cmd" */ cmdlen = strlen(cmd); for (y = 0; cmds[y].c; y++) { - if (!strncasecmp(cmd, cmds[y].c, cmdlen)) + if (!strncasecmp(cmd, cmds[y].c, cmdlen)) list[count++] = xstrdup(cmds[y].c); } list[count] = NULL; @@ -1673,8 +1675,8 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote, if (count > 1) complete_display(list, 0); - for (y = 0; list[y]; y++) - free(list[y]); + for (y = 0; list[y]; y++) + free(list[y]); free(list); if (tmp != NULL) { @@ -1714,7 +1716,7 @@ complete_is_remote(char *cmd) { return -1; for (i = 0; cmds[i].c; i++) { - if (!strncasecmp(cmd, cmds[i].c, strlen(cmds[i].c))) + if (!strncasecmp(cmd, cmds[i].c, strlen(cmds[i].c))) return cmds[i].t; } @@ -1731,7 +1733,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; int clen; const LineInfo *lf; - + /* Glob from "file" location */ if (file == NULL) tmp = xstrdup("*"); @@ -1745,9 +1747,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (remote != LOCAL) { tmp = make_absolute(tmp, remote_path); remote_glob(conn, tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); - } else + } else glob(tmp, GLOB_DOOFFS|GLOB_MARK, NULL, &g); - + /* Determine length of pwd so we can trim completion display */ for (hadglob = tmplen = pwdlen = 0; tmp[tmplen] != 0; tmplen++) { /* Terminate counting on first unescaped glob metacharacter */ @@ -1763,7 +1765,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, } free(tmp); - if (g.gl_matchc == 0) + if (g.gl_matchc == 0) goto out; if (g.gl_matchc > 1) @@ -1796,7 +1798,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, if (tmplen > (filelen - cesc)) { tmp2 = tmp + filelen - cesc; - len = strlen(tmp2); + len = strlen(tmp2); /* quote argument on way out */ for (i = 0; i < len; i += clen) { if ((clen = mblen(tmp2 + i, len - i)) < 0 || @@ -1852,7 +1854,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, static unsigned char complete(EditLine *el, int ch) { - char **argv, *line, quote; + char **argv, *line, quote; int argc, carg; u_int cursor, len, terminated, ret = CC_ERROR; const LineInfo *lf; @@ -1891,7 +1893,7 @@ complete(EditLine *el, int ch) } else if (carg == 1 && cursor > 0 && line[cursor - 1] != ' ') { /* Handle the command parsing */ if (complete_cmd_parse(el, argv[0], argc == carg, - quote, terminated) != 0) + quote, terminated) != 0) ret = CC_REDISPLAY; } else if (carg >= 1) { /* Handle file parsing */ @@ -1904,11 +1906,11 @@ complete(EditLine *el, int ch) if (remote != 0 && complete_match(el, complete_ctx->conn, *complete_ctx->remote_pathp, filematch, - remote, carg == argc, quote, terminated) != 0) + remote, carg == argc, quote, terminated) != 0) ret = CC_REDISPLAY; } - free(line); + free(line); return ret; } #endif /* USE_LIBEDIT */ @@ -1942,7 +1944,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) el_source(el, NULL); /* Tab Completion */ - el_set(el, EL_ADDFN, "ftp-complete", + el_set(el, EL_ADDFN, "ftp-complete", "Context sensitive argument completion", complete); complete_ctx.conn = conn; complete_ctx.remote_pathp = &remote_path; @@ -2116,7 +2118,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-1246Cpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" + "usage: %s [-1246Capqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" " [-D sftp_server_path] [-F ssh_config] " "[-i identity_file] [-l limit]\n" " [-o ssh_option] [-P port] [-R num_requests] " -- cgit v1.2.3 From eec840673bce3f69ad269672fba7ed8ff05f154f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:39:39 +1000 Subject: - djm@cvs.openbsd.org 2013/08/06 23:05:01 [sftp.1] document top-level -a option (the -a option to 'get' was already documented) --- ChangeLog | 4 ++++ sftp.1 | 15 ++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 913716bbb..d7f5a59c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ fix some whitespace at EOL make list of commands an enum rather than a long list of defines add -a to usage() + - djm@cvs.openbsd.org 2013/08/06 23:05:01 + [sftp.1] + document top-level -a option (the -a option to 'get' was already + documented) 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.1 b/sftp.1 index 2577fe875..e75a81a70 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.92 2013/07/25 00:56:51 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.93 2013/08/06 23:05:01 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 25 2013 $ +.Dd $Mdocdate: August 6 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -31,7 +31,7 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl 1246Cpqrv +.Op Fl 1246Capqrv .Op Fl B Ar buffer_size .Op Fl b Ar batchfile .Op Fl c Ar cipher @@ -114,6 +114,11 @@ uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. +.It Fl a +Attempt to continue interrupted downloads rather than overwriting existing +partial or complete copies of files. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .It Fl b Ar batchfile Batch mode reads a series of commands from an input .Ar batchfile @@ -368,8 +373,8 @@ If the flag is specified, then attempt to resume partial transfers of existing files. Note that resumption assumes that any partial copy of the local file matches the remote copy. -If the remote file differs from the partial local copy then the resultant file -is likely to be corrupt. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .Pp If either the .Fl P -- cgit v1.2.3 From a6d6c1f38ac9b4a5e1bd4df889e1020a8370ed55 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:40:01 +1000 Subject: - djm@cvs.openbsd.org 2013/08/06 23:06:01 [servconf.c] add cast to avoid format warning; from portable --- ChangeLog | 3 +++ servconf.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d7f5a59c2..5f753198a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ [sftp.1] document top-level -a option (the -a option to 'get' was already documented) + - djm@cvs.openbsd.org 2013/08/06 23:06:01 + [servconf.c] + add cast to avoid format warning; from portable 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/servconf.c b/servconf.c index 747edde6c..c761ff01c 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ +/* $OpenBSD: servconf.c,v 1.241 2013/08/06 23:06:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2063,7 +2063,8 @@ dump_config(ServerOptions *o) printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); printf("%s\n", iptos2str(o->ip_qos_bulk)); - printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); + printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, + o->rekey_interval); channel_print_adm_permitted_opens(); } -- cgit v1.2.3 From c6895c5c67492144dd28589e5788f783be9152ed Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:40:21 +1000 Subject: - jmc@cvs.openbsd.org 2013/08/07 06:24:51 [sftp.1 sftp.c] sort -a; --- ChangeLog | 3 +++ sftp.1 | 16 ++++++++-------- sftp.c | 4 ++-- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5f753198a..295c42abc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - djm@cvs.openbsd.org 2013/08/06 23:06:01 [servconf.c] add cast to avoid format warning; from portable + - jmc@cvs.openbsd.org 2013/08/07 06:24:51 + [sftp.1 sftp.c] + sort -a; 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.1 b/sftp.1 index e75a81a70..85d64a7fc 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.93 2013/08/06 23:05:01 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.94 2013/08/07 06:24:51 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 6 2013 $ +.Dd $Mdocdate: August 7 2013 $ .Dt SFTP 1 .Os .Sh NAME @@ -31,7 +31,7 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl 1246Capqrv +.Op Fl 1246aCpqrv .Op Fl B Ar buffer_size .Op Fl b Ar batchfile .Op Fl c Ar cipher @@ -107,6 +107,11 @@ to use IPv4 addresses only. Forces .Nm to use IPv6 addresses only. +.It Fl a +Attempt to continue interrupted downloads rather than overwriting existing +partial or complete copies of files. +If the remote file contents differ from the partial local copy then the +resultant file is likely to be corrupt. .It Fl B Ar buffer_size Specify the size of the buffer that .Nm @@ -114,11 +119,6 @@ uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. -.It Fl a -Attempt to continue interrupted downloads rather than overwriting existing -partial or complete copies of files. -If the remote file contents differ from the partial local copy then the -resultant file is likely to be corrupt. .It Fl b Ar batchfile Batch mode reads a series of commands from an input .Ar batchfile diff --git a/sftp.c b/sftp.c index c68fb2cf0..4e1a026f7 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.149 2013/08/06 23:03:49 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.150 2013/08/07 06:24:51 jmc Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2118,7 +2118,7 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-1246Capqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" + "usage: %s [-1246aCpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n" " [-D sftp_server_path] [-F ssh_config] " "[-i identity_file] [-l limit]\n" " [-o ssh_option] [-P port] [-R num_requests] " -- cgit v1.2.3 From 034f27a0c09e69fe3589045b41f03f6e345b63f5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:40:44 +1000 Subject: - djm@cvs.openbsd.org 2013/08/08 04:52:04 [sftp.c] fix two year old regression: symlinking a file would incorrectly canonicalise the target path. bz#2129 report from delphij AT freebsd.org --- ChangeLog | 4 ++++ sftp.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 295c42abc..16bb10b4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - jmc@cvs.openbsd.org 2013/08/07 06:24:51 [sftp.1 sftp.c] sort -a; + - djm@cvs.openbsd.org 2013/08/08 04:52:04 + [sftp.c] + fix two year old regression: symlinking a file would incorrectly + canonicalise the target path. bz#2129 report from delphij AT freebsd.org 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.c b/sftp.c index 4e1a026f7..6f16f7cc6 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.150 2013/08/07 06:24:51 jmc Exp $ */ +/* $OpenBSD: sftp.c,v 1.151 2013/08/08 04:52:04 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -1358,7 +1358,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, case I_SYMLINK: sflag = 1; case I_LINK: - path1 = make_absolute(path1, *pwd); + if (!sflag) + path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); err = (sflag ? do_symlink : do_hardlink)(conn, path1, path2); break; -- cgit v1.2.3 From c7dba12bf95eb1d69711881a153cc286c1987663 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:41:15 +1000 Subject: - djm@cvs.openbsd.org 2013/08/08 05:04:03 [sftp-client.c sftp-client.h sftp.c] add a "-l" flag for the rename command to force it to use the silly standard SSH_FXP_RENAME command instead of the POSIX-rename- like posix-rename@openssh.com extension. intended for use in regress tests, so no documentation. --- ChangeLog | 6 ++++++ sftp-client.c | 12 +++++++----- sftp-client.h | 4 ++-- sftp.c | 35 ++++++++++++++++++++++++++++++++--- 4 files changed, 47 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 16bb10b4f..cd46b83aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,7 +19,13 @@ [sftp.c] fix two year old regression: symlinking a file would incorrectly canonicalise the target path. bz#2129 report from delphij AT freebsd.org + - djm@cvs.openbsd.org 2013/08/08 05:04:03 + [sftp-client.c sftp-client.h sftp.c] + add a "-l" flag for the rename command to force it to use the silly + standard SSH_FXP_RENAME command instead of the POSIX-rename- like + posix-rename@openssh.com extension. + intended for use in regress tests, so no documentation. 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, diff --git a/sftp-client.c b/sftp-client.c index f4f1970b6..0eeb73c8b 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.101 2013/07/25 00:56:51 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.102 2013/08/08 05:04:03 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -768,16 +768,18 @@ do_realpath(struct sftp_conn *conn, char *path) } int -do_rename(struct sftp_conn *conn, char *oldpath, char *newpath) +do_rename(struct sftp_conn *conn, char *oldpath, char *newpath, + int force_legacy) { Buffer msg; u_int status, id; + int use_ext = (conn->exts & SFTP_EXT_POSIX_RENAME) && !force_legacy; buffer_init(&msg); /* Send rename request */ id = conn->msg_id++; - if ((conn->exts & SFTP_EXT_POSIX_RENAME)) { + if (use_ext) { buffer_put_char(&msg, SSH2_FXP_EXTENDED); buffer_put_int(&msg, id); buffer_put_cstring(&msg, "posix-rename@openssh.com"); @@ -789,8 +791,8 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath) buffer_put_cstring(&msg, newpath); send_msg(conn, &msg); debug3("Sent message %s \"%s\" -> \"%s\"", - (conn->exts & SFTP_EXT_POSIX_RENAME) ? "posix-rename@openssh.com" : - "SSH2_FXP_RENAME", oldpath, newpath); + use_ext ? "posix-rename@openssh.com" : "SSH2_FXP_RENAME", + oldpath, newpath); buffer_free(&msg); status = get_status(conn, id); diff --git a/sftp-client.h b/sftp-client.h index 111a998c8..dc54cfe3b 100644 --- a/sftp-client.h +++ b/sftp-client.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.h,v 1.21 2013/07/25 00:56:51 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.22 2013/08/08 05:04:03 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller @@ -92,7 +92,7 @@ char *do_realpath(struct sftp_conn *, char *); int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int); /* Rename 'oldpath' to 'newpath' */ -int do_rename(struct sftp_conn *, char *, char *); +int do_rename(struct sftp_conn *, char *, char *m, int force_legacy); /* Link 'oldpath' to 'newpath' */ int do_hardlink(struct sftp_conn *, char *, char *); diff --git a/sftp.c b/sftp.c index 6f16f7cc6..66ab2b0d4 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.151 2013/08/08 04:52:04 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.152 2013/08/08 05:04:03 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -414,6 +414,30 @@ parse_link_flags(const char *cmd, char **argv, int argc, int *sflag) return optind; } +static int +parse_rename_flags(const char *cmd, char **argv, int argc, int *lflag) +{ + extern int opterr, optind, optopt, optreset; + int ch; + + optind = optreset = 1; + opterr = 0; + + *lflag = 0; + while ((ch = getopt(argc, argv, "l")) != -1) { + switch (ch) { + case 'l': + *lflag = 1; + break; + default: + error("%s: Invalid flag -%c", cmd, optopt); + return -1; + } + } + + return optind; +} + static int parse_ls_flags(char **argv, int argc, int *lflag) { @@ -1210,8 +1234,13 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_LINK: if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1) return -1; - case I_SYMLINK: + goto parse_two_paths; case I_RENAME: + if ((optidx = parse_rename_flags(cmd, argv, argc, lflag)) == -1) + return -1; + goto parse_two_paths; + case I_SYMLINK: + parse_two_paths: if (argc - optidx < 2) { error("You must specify two paths after a %s " "command.", cmd); @@ -1353,7 +1382,7 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, case I_RENAME: path1 = make_absolute(path1, *pwd); path2 = make_absolute(path2, *pwd); - err = do_rename(conn, path1, path2); + err = do_rename(conn, path1, path2, lflag); break; case I_SYMLINK: sflag = 1; -- cgit v1.2.3 From 036d30743fc914089f9849ca52d615891d47e616 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:41:46 +1000 Subject: - djm@cvs.openbsd.org 2013/08/09 03:37:25 [sftp.c] do getopt parsing for all sftp commands (with an empty optstring for commands without arguments) to ensure consistent behaviour --- ChangeLog | 5 +++++ sftp.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cd46b83aa..f78dce6ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,11 @@ posix-rename@openssh.com extension. intended for use in regress tests, so no documentation. + - djm@cvs.openbsd.org 2013/08/09 03:37:25 + [sftp.c] + do getopt parsing for all sftp commands (with an empty optstring for + commands without arguments) to ensure consistent behaviour + 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, diff --git a/sftp.c b/sftp.c index 66ab2b0d4..1ddfef6b5 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.152 2013/08/08 05:04:03 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.153 2013/08/09 03:37:25 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -518,6 +518,26 @@ parse_df_flags(const char *cmd, char **argv, int argc, int *hflag, int *iflag) return optind; } +static int +parse_no_flags(const char *cmd, char **argv, int argc) +{ + extern int opterr, optind, optopt, optreset; + int ch; + + optind = optreset = 1; + opterr = 0; + + while ((ch = getopt(argc, argv, "")) != -1) { + switch (ch) { + default: + error("%s: Invalid flag -%c", cmd, optopt); + return -1; + } + } + + return optind; +} + static int is_dir(char *path) { @@ -1240,6 +1260,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, return -1; goto parse_two_paths; case I_SYMLINK: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; parse_two_paths: if (argc - optidx < 2) { error("You must specify two paths after a %s " @@ -1258,6 +1280,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_CHDIR: case I_LCHDIR: case I_LMKDIR: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; /* Get pathname (mandatory) */ if (argc - optidx < 1) { error("You must specify a path after a %s command.", @@ -1299,6 +1323,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, base = 8; case I_CHOWN: case I_CHGRP: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; /* Get numeric arg (mandatory) */ if (argc - optidx < 1) goto need_num_arg; @@ -1329,6 +1355,8 @@ parse_args(const char **cpp, int *aflag, int *hflag, int *iflag, int *lflag, case I_HELP: case I_VERSION: case I_PROGRESS: + if ((optidx = parse_no_flags(cmd, argv, argc)) == -1) + return -1; break; default: fatal("Command not implemented"); -- cgit v1.2.3 From fec029f1dc2c338f3fae3fa82aabc988dc07868c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:42:12 +1000 Subject: - djm@cvs.openbsd.org 2013/08/09 03:39:13 [sftp-client.c] two problems found by a to-be-committed regress test: 1) msg_id was not being initialised so was starting at a random value from the heap (harmless, but confusing). 2) some error conditions were not being propagated back to the caller --- ChangeLog | 6 ++++++ sftp-client.c | 8 +++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f78dce6ef..7e4863029 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,12 @@ [sftp.c] do getopt parsing for all sftp commands (with an empty optstring for commands without arguments) to ensure consistent behaviour + - djm@cvs.openbsd.org 2013/08/09 03:39:13 + [sftp-client.c] + two problems found by a to-be-committed regress test: 1) msg_id was not + being initialised so was starting at a random value from the heap + (harmless, but confusing). 2) some error conditions were not being + propagated back to the caller 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp-client.c b/sftp-client.c index 0eeb73c8b..f2ce9deb7 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.102 2013/08/08 05:04:03 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.103 2013/08/09 03:39:13 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -337,7 +337,8 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests, Buffer msg; struct sftp_conn *ret; - ret = xmalloc(sizeof(*ret)); + ret = xcalloc(1, sizeof(*ret)); + ret->msg_id = 1; ret->fd_in = fd_in; ret->fd_out = fd_out; ret->transfer_buflen = transfer_buflen; @@ -1221,6 +1222,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, if (read_error) { error("Couldn't read from remote file \"%s\" : %s", remote_path, fx2txt(status)); + status = -1; do_close(conn, handle, handle_len); } else if (write_error) { error("Couldn't write to \"%s\": %s", local_path, @@ -1229,7 +1231,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, do_close(conn, handle, handle_len); } else { status = do_close(conn, handle, handle_len); - if (interrupted) + if (interrupted || status != SSH2_FX_OK) status = -1; /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD -- cgit v1.2.3 From e0ee727b8281a7c2ae20630ce83f6b200b404059 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:42:35 +1000 Subject: - djm@cvs.openbsd.org 2013/08/09 03:56:42 [sftp.c] enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; matching ksh's relatively recent change. --- ChangeLog | 4 ++++ sftp.c | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7e4863029..2c8b45a31 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,10 @@ being initialised so was starting at a random value from the heap (harmless, but confusing). 2) some error conditions were not being propagated back to the caller + - djm@cvs.openbsd.org 2013/08/09 03:56:42 + [sftp.c] + enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; + matching ksh's relatively recent change. 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/sftp.c b/sftp.c index 1ddfef6b5..e21144064 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.153 2013/08/09 03:37:25 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.154 2013/08/09 03:56:42 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2008,6 +2008,11 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) complete_ctx.remote_pathp = &remote_path; el_set(el, EL_CLIENTDATA, (void*)&complete_ctx); el_set(el, EL_BIND, "^I", "ftp-complete", NULL); + /* enable ctrl-left-arrow and ctrl-right-arrow */ + el_set(el, EL_BIND, "\\e[1;5C", "em-next-word", NULL); + el_set(el, EL_BIND, "\\e[5C", "em-next-word", NULL); + el_set(el, EL_BIND, "\\e[1;5D", "ed-prev-word", NULL); + el_set(el, EL_BIND, "\\e\\e[D", "ed-prev-word", NULL); } #endif /* USE_LIBEDIT */ -- cgit v1.2.3 From d234afb0b3a8de1be78cbeafed5fc86912594c3c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:42:58 +1000 Subject: - djm@cvs.openbsd.org 2013/08/13 18:32:08 [ssh-keygen.c] typo in error message; from Stephan Rickauer --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2c8b45a31..2945ee799 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ [sftp.c] enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; matching ksh's relatively recent change. + - djm@cvs.openbsd.org 2013/08/13 18:32:08 + [ssh-keygen.c] + typo in error message; from Stephan Rickauer 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/ssh-keygen.c b/ssh-keygen.c index 03c444d42..6ba64b73e 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.230 2013/07/20 01:44:37 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.231 2013/08/13 18:32:08 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1963,7 +1963,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, continue; if (strncasecmp(cp, "serial:", 7) == 0) { if (ca == NULL) { - fatal("revoking certificated by serial number " + fatal("revoking certificates by serial number " "requires specification of a CA key"); } cp += 7; -- cgit v1.2.3 From d5d9d7b1fdacf0551de4c747728bd159be40590a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:43:27 +1000 Subject: - djm@cvs.openbsd.org 2013/08/13 18:33:08 [ssh-keygen.c] another of the same typo --- ChangeLog | 3 +++ ssh-keygen.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2945ee799..0199afda4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - djm@cvs.openbsd.org 2013/08/13 18:32:08 [ssh-keygen.c] typo in error message; from Stephan Rickauer + - djm@cvs.openbsd.org 2013/08/13 18:33:08 + [ssh-keygen.c] + another of the same typo 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/ssh-keygen.c b/ssh-keygen.c index 6ba64b73e..6ee8145af 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.231 2013/08/13 18:32:08 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.232 2013/08/13 18:33:08 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2000,7 +2000,7 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, } } else if (strncasecmp(cp, "id:", 3) == 0) { if (ca == NULL) { - fatal("revoking certificated by key ID " + fatal("revoking certificates by key ID " "requires specification of a CA key"); } cp += 3; -- cgit v1.2.3 From b7727df37efde4dbe4f5a33b19cbf42022aabf66 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:43:49 +1000 Subject: - jmc@cvs.openbsd.org 2013/08/14 08:39:27 [scp.1 ssh.1] some Bx/Ox conversion; From: Jan Stary --- ChangeLog | 4 ++++ scp.1 | 9 +++++---- ssh.1 | 11 +++++++---- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0199afda4..a3ac3d537 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,10 @@ - djm@cvs.openbsd.org 2013/08/13 18:33:08 [ssh-keygen.c] another of the same typo + - jmc@cvs.openbsd.org 2013/08/14 08:39:27 + [scp.1 ssh.1] + some Bx/Ox conversion; + From: Jan Stary 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/scp.1 b/scp.1 index c83012c92..595db3260 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.59 2013/07/16 00:07:52 schwarze Exp $ +.\" $OpenBSD: scp.1,v 1.60 2013/08/14 08:39:27 jmc Exp $ .\" -.Dd $Mdocdate: July 16 2013 $ +.Dd $Mdocdate: August 14 2013 $ .Dt SCP 1 .Os .Sh NAME @@ -232,8 +232,9 @@ debugging connection, authentication, and configuration problems. .Nm is based on the .Xr rcp 1 -program in BSD source code from the Regents of the University of -California. +program in +.Bx +source code from the Regents of the University of California. .Sh AUTHORS .An Timo Rinne Aq Mt tri@iki.fi .An Tatu Ylonen Aq Mt ylo@cs.hut.fi diff --git a/ssh.1 b/ssh.1 index 62292cc09..09c9dbcbd 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.334 2013/07/18 01:12:26 djm Exp $ -.Dd $Mdocdate: July 18 2013 $ +.\" $OpenBSD: ssh.1,v 1.335 2013/08/14 08:39:27 jmc Exp $ +.Dd $Mdocdate: August 14 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -827,9 +827,12 @@ text, and prompts for a response. Protocol 2 allows multiple challenges and responses; protocol 1 is restricted to just one challenge/response. Examples of challenge-response authentication include -BSD Authentication (see +.Bx +Authentication (see .Xr login.conf 5 ) -and PAM (some non-OpenBSD systems). +and PAM (some +.Pf non- Ox +systems). .Pp Finally, if other authentication methods fail, .Nm -- cgit v1.2.3 From 1262b6638f7d01ab110fd373dd90d915c882fe1a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:44:24 +1000 Subject: - djm@cvs.openbsd.org 2013/08/20 00:11:38 [readconf.c readconf.h ssh_config.5 sshconnect.c] Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ --- ChangeLog | 8 ++++ readconf.c | 12 +++++- readconf.h | 4 +- ssh_config.5 | 12 +++++- sshconnect.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++--------- 5 files changed, 137 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index a3ac3d537..6b0afa720 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,14 @@ [scp.1 ssh.1] some Bx/Ox conversion; From: Jan Stary + - djm@cvs.openbsd.org 2013/08/20 00:11:38 + [readconf.c readconf.h ssh_config.5 sshconnect.c] + Add a ssh_config ProxyUseFDPass option that supports the use of + ProxyCommands that establish a connection and then pass a connected + file descriptor back to ssh(1). This allows the ProxyCommand to exit + rather than have to shuffle data back and forth and enables ssh to use + getpeername, etc. to obtain address information just like it does with + regular directly-connected sockets. ok markus@ 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/readconf.c b/readconf.c index 1464430a4..7450081cd 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.205 2013/08/20 00:11:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -137,7 +137,7 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -249,6 +249,7 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "proxyusefdpass", oProxyUseFdpass }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } @@ -1072,6 +1073,10 @@ parse_int: charptr = &options->ignored_unknown; goto parse_string; + case oProxyUseFdpass: + intptr = &options->proxy_use_fdpass; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1233,6 +1238,7 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; } @@ -1385,6 +1391,8 @@ fill_default_options(Options * options) options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; + if (options->proxy_use_fdpass == -1) + options->proxy_use_fdpass = 0; /* options->local_command should not be set by default */ /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index 23fc500da..ca4a042ad 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.96 2013/08/20 00:11:38 djm Exp $ */ /* * Author: Tatu Ylonen @@ -138,6 +138,8 @@ typedef struct { int request_tty; + int proxy_use_fdpass; + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; diff --git a/ssh_config.5 b/ssh_config.5 index 5d76c6d2d..e89d694c7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.167 2013/08/20 00:11:38 djm Exp $ +.Dd $Mdocdate: August 20 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -937,6 +937,14 @@ For example, the following directive would connect via an HTTP proxy at .Bd -literal -offset 3n ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed +.It Cm ProxyUseFdpass +Specifies that the a +.Cm ProxyCommand +will pass a connected file descriptor back to +.Nm ssh +instead of continuing to execute and pass data. +The default is +.Dq no . .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be diff --git a/sshconnect.c b/sshconnect.c index 483eb85ac..76bb5cdac 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.239 2013/08/20 00:11:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -59,6 +59,7 @@ #include "misc.h" #include "dns.h" #include "roaming.h" +#include "monitor_fdpass.h" #include "ssh2.h" #include "version.h" @@ -78,16 +79,113 @@ extern uid_t original_effective_uid; static int show_other_keys(struct hostkeys *, Key *); static void warn_changed_key(Key *); +/* Expand a proxy command */ +static char * +expand_proxy_command(const char *proxy_command, const char *user, + const char *host, int port) +{ + char *tmp, *ret, strport[NI_MAXSERV]; + + snprintf(strport, sizeof strport, "%hu", port); + xasprintf(&tmp, "exec %s", proxy_command); + ret = percent_expand(tmp, "h", host, "p", strport, + "r", options.user, (char *)NULL); + free(tmp); + return ret; +} + +/* + * Connect to the given ssh server using a proxy command that passes a + * a connected fd back to us. + */ +static int +ssh_proxy_fdpass_connect(const char *host, u_short port, + const char *proxy_command) +{ + char *command_string; + int sp[2], sock; + pid_t pid; + char *shell; + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) + fatal("Could not create socketpair to communicate with " + "proxy dialer: %.100s", strerror(errno)); + + command_string = expand_proxy_command(proxy_command, options.user, + host, port); + debug("Executing proxy dialer command: %.500s", command_string); + + /* Fork and execute the proxy command. */ + if ((pid = fork()) == 0) { + char *argv[10]; + + /* Child. Permanently give up superuser privileges. */ + permanently_drop_suid(original_real_uid); + + close(sp[1]); + /* Redirect stdin and stdout. */ + if (sp[0] != 0) { + if (dup2(sp[0], 0) < 0) + perror("dup2 stdin"); + } + if (sp[0] != 1) { + if (dup2(sp[0], 1) < 0) + perror("dup2 stdout"); + } + if (sp[0] >= 2) + close(sp[0]); + + /* + * Stderr is left as it is so that error messages get + * printed on the user's terminal. + */ + argv[0] = shell; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + /* + * Execute the proxy command. + * Note that we gave up any extra privileges above. + */ + execv(argv[0], argv); + perror(argv[0]); + exit(1); + } + /* Parent. */ + if (pid < 0) + fatal("fork failed: %.100s", strerror(errno)); + close(sp[0]); + free(command_string); + + if ((sock = mm_receive_fd(sp[1])) == -1) + fatal("proxy dialer did not pass back a connection"); + + while (waitpid(pid, NULL, 0) == -1) + if (errno != EINTR) + fatal("Couldn't wait for child: %s", strerror(errno)); + + /* Set the connection file descriptors. */ + packet_set_connection(sock, sock); + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); + + return 0; +} + /* * Connect to the given ssh server using a proxy command. */ static int ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { - char *command_string, *tmp; + char *command_string; int pin[2], pout[2]; pid_t pid; - char *shell, strport[NI_MAXSERV]; + char *shell; if (!strcmp(proxy_command, "-")) { packet_set_connection(STDIN_FILENO, STDOUT_FILENO); @@ -96,29 +194,19 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) return 0; } + if (options.proxy_use_fdpass) + return ssh_proxy_fdpass_connect(host, port, proxy_command); + if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; - /* Convert the port number into a string. */ - snprintf(strport, sizeof strport, "%hu", port); - - /* - * Build the final command string in the buffer by making the - * appropriate substitutions to the given proxy command. - * - * Use "exec" to avoid "sh -c" processes on some platforms - * (e.g. Solaris) - */ - xasprintf(&tmp, "exec %s", proxy_command); - command_string = percent_expand(tmp, "h", host, "p", strport, - "r", options.user, (char *)NULL); - free(tmp); - /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) fatal("Could not create pipes to communicate with the proxy: %.100s", strerror(errno)); + command_string = expand_proxy_command(proxy_command, options.user, + host, port); debug("Executing proxy command: %.500s", command_string); /* Fork and execute the proxy command. */ -- cgit v1.2.3 From f2f6c315a920a256937e1b6a3702757f3195a592 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:44:58 +1000 Subject: - jmc@cvs.openbsd.org 2013/08/20 06:56:07 [ssh.1 ssh_config.5] some proxyusefdpass tweaks; --- ChangeLog | 3 +++ ssh.1 | 5 +++-- ssh_config.5 | 6 +++--- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6b0afa720..e39f68a5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,9 @@ rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ + - jmc@cvs.openbsd.org 2013/08/20 06:56:07 + [ssh.1 ssh_config.5] + some proxyusefdpass tweaks; 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/ssh.1 b/ssh.1 index 09c9dbcbd..227654016 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.335 2013/08/14 08:39:27 jmc Exp $ -.Dd $Mdocdate: August 14 2013 $ +.\" $OpenBSD: ssh.1,v 1.336 2013/08/20 06:56:07 jmc Exp $ +.Dd $Mdocdate: August 20 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -465,6 +465,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It Protocol .It ProxyCommand +.It ProxyUseFdpass .It PubkeyAuthentication .It RekeyLimit .It RemoteForward diff --git a/ssh_config.5 b/ssh_config.5 index e89d694c7..9ddd6b8a6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.167 2013/08/20 00:11:38 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.168 2013/08/20 06:56:07 jmc Exp $ .Dd $Mdocdate: August 20 2013 $ .Dt SSH_CONFIG 5 .Os @@ -938,10 +938,10 @@ For example, the following directive would connect via an HTTP proxy at ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed .It Cm ProxyUseFdpass -Specifies that the a +Specifies that .Cm ProxyCommand will pass a connected file descriptor back to -.Nm ssh +.Xr ssh 1 instead of continuing to execute and pass data. The default is .Dq no . -- cgit v1.2.3 From 04be8b9e53f8388c94b531ebc5d1bd6e10e930d1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 28 Aug 2013 12:49:43 +1000 Subject: - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. --- ChangeLog | 5 +++++ openbsd-compat/bsd-snprintf.c | 40 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e39f68a5a..97881822f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130828 + - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the + 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we + start to use them in the future. + 20130821 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/08/06 23:03:49 diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index 41d2be238..308078e0e 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c @@ -160,6 +160,8 @@ #define DP_C_LONG 2 #define DP_C_LDOUBLE 3 #define DP_C_LLONG 4 +#define DP_C_SIZE 5 +#define DP_C_INTMAX 6 #define char_to_int(p) ((p)- '0') #ifndef MAX @@ -182,7 +184,7 @@ static int dopr(char *buffer, size_t maxlen, const char *format, static int fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, int min, int max); static int fmtint(char *buffer, size_t *currlen, size_t maxlen, - LLONG value, int base, int min, int max, int flags); + intmax_t value, int base, int min, int max, int flags); static int fmtfp(char *buffer, size_t *currlen, size_t maxlen, LDOUBLE fvalue, int min, int max, int flags); @@ -190,7 +192,7 @@ static int dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) { char ch; - LLONG value; + intmax_t value; LDOUBLE fvalue; char *strvalue; int min; @@ -287,6 +289,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) cflags = DP_C_SHORT; ch = *format++; break; + case 'j': + cflags = DP_C_INTMAX; + ch = *format++; + break; case 'l': cflags = DP_C_LONG; ch = *format++; @@ -299,6 +305,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) cflags = DP_C_LDOUBLE; ch = *format++; break; + case 'z': + cflags = DP_C_SIZE; + ch = *format++; + break; default: break; } @@ -314,6 +324,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = va_arg (args, long int); else if (cflags == DP_C_LLONG) value = va_arg (args, LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, ssize_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, intmax_t); else value = va_arg (args, int); if (fmtint(buffer, &currlen, maxlen, @@ -328,6 +342,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (long)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -342,6 +360,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (LLONG)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -358,6 +380,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned long int); else if (cflags == DP_C_LLONG) value = (LLONG)va_arg (args, unsigned LLONG); + else if (cflags == DP_C_SIZE) + value = va_arg (args, size_t); + else if (cflags == DP_C_INTMAX) + value = va_arg (args, uintmax_t); else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -416,6 +442,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) (long) strvalue, 16, min, max, flags) == -1) return -1; break; +#if we_dont_want_this_in_openssh case 'n': if (cflags == DP_C_SHORT) { short int *num; @@ -429,12 +456,21 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) LLONG *num; num = va_arg (args, LLONG *); *num = (LLONG)currlen; + } else if (cflags == DP_C_SIZE) { + ssize_t *num; + num = va_arg (args, ssize_t *); + *num = (ssize_t)currlen; + } else if (cflags == DP_C_INTMAX) { + intmax_t *num; + num = va_arg (args, intmax_t *); + *num = (intmax_t)currlen; } else { int *num; num = va_arg (args, int *); *num = currlen; } break; +#endif case '%': DOPR_OUTCH(buffer, currlen, maxlen, ch); break; -- cgit v1.2.3 From 43968a8e66a0aa1afefb11665bf96f86b113f5d9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 28 Aug 2013 14:00:54 +1000 Subject: - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits until we have configure support. --- ChangeLog | 2 ++ openbsd-compat/bsd-snprintf.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog b/ChangeLog index 97881822f..0ddb0a351 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. + - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits + until we have configure support. 20130821 - (djm) OpenBSD CVS Sync diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index 308078e0e..975991e7f 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c @@ -344,8 +344,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (long)va_arg (args, unsigned LLONG); else if (cflags == DP_C_SIZE) value = va_arg (args, size_t); +#ifdef notyet else if (cflags == DP_C_INTMAX) value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -362,8 +364,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (LLONG)va_arg (args, unsigned LLONG); else if (cflags == DP_C_SIZE) value = va_arg (args, size_t); +#ifdef notyet else if (cflags == DP_C_INTMAX) value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, @@ -382,8 +386,10 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) value = (LLONG)va_arg (args, unsigned LLONG); else if (cflags == DP_C_SIZE) value = va_arg (args, size_t); +#ifdef notyet else if (cflags == DP_C_INTMAX) value = va_arg (args, uintmax_t); +#endif else value = (long)va_arg (args, unsigned int); if (fmtint(buffer, &currlen, maxlen, value, -- cgit v1.2.3 From 203eaf49fe1f49540d49f2d5eeb840840abb0270 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 13 Sep 2013 14:26:38 +1000 Subject: - (djm) Release 6.3p1 --- ChangeLog | 72 ++------------------------------------------------------------- 1 file changed, 2 insertions(+), 70 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0ddb0a351..0601f67d2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,73 +1,5 @@ -20130828 - - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the - 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we - start to use them in the future. - - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits - until we have configure support. - -20130821 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2013/08/06 23:03:49 - [sftp.c] - fix some whitespace at EOL - make list of commands an enum rather than a long list of defines - add -a to usage() - - djm@cvs.openbsd.org 2013/08/06 23:05:01 - [sftp.1] - document top-level -a option (the -a option to 'get' was already - documented) - - djm@cvs.openbsd.org 2013/08/06 23:06:01 - [servconf.c] - add cast to avoid format warning; from portable - - jmc@cvs.openbsd.org 2013/08/07 06:24:51 - [sftp.1 sftp.c] - sort -a; - - djm@cvs.openbsd.org 2013/08/08 04:52:04 - [sftp.c] - fix two year old regression: symlinking a file would incorrectly - canonicalise the target path. bz#2129 report from delphij AT freebsd.org - - djm@cvs.openbsd.org 2013/08/08 05:04:03 - [sftp-client.c sftp-client.h sftp.c] - add a "-l" flag for the rename command to force it to use the silly - standard SSH_FXP_RENAME command instead of the POSIX-rename- like - posix-rename@openssh.com extension. - - intended for use in regress tests, so no documentation. - - djm@cvs.openbsd.org 2013/08/09 03:37:25 - [sftp.c] - do getopt parsing for all sftp commands (with an empty optstring for - commands without arguments) to ensure consistent behaviour - - djm@cvs.openbsd.org 2013/08/09 03:39:13 - [sftp-client.c] - two problems found by a to-be-committed regress test: 1) msg_id was not - being initialised so was starting at a random value from the heap - (harmless, but confusing). 2) some error conditions were not being - propagated back to the caller - - djm@cvs.openbsd.org 2013/08/09 03:56:42 - [sftp.c] - enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; - matching ksh's relatively recent change. - - djm@cvs.openbsd.org 2013/08/13 18:32:08 - [ssh-keygen.c] - typo in error message; from Stephan Rickauer - - djm@cvs.openbsd.org 2013/08/13 18:33:08 - [ssh-keygen.c] - another of the same typo - - jmc@cvs.openbsd.org 2013/08/14 08:39:27 - [scp.1 ssh.1] - some Bx/Ox conversion; - From: Jan Stary - - djm@cvs.openbsd.org 2013/08/20 00:11:38 - [readconf.c readconf.h ssh_config.5 sshconnect.c] - Add a ssh_config ProxyUseFDPass option that supports the use of - ProxyCommands that establish a connection and then pass a connected - file descriptor back to ssh(1). This allows the ProxyCommand to exit - rather than have to shuffle data back and forth and enables ssh to use - getpeername, etc. to obtain address information just like it does with - regular directly-connected sockets. ok markus@ - - jmc@cvs.openbsd.org 2013/08/20 06:56:07 - [ssh.1 ssh_config.5] - some proxyusefdpass tweaks; +20130913 + - (djm) Release 6.3p1 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt -- cgit v1.2.3 From eea312e61a381edbb5063b1177f009f085215719 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 13 Sep 2013 16:08:34 +1000 Subject: - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code; ok dtucker@ --- ChangeLog | 2 ++ channels.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0601f67d2..091f0d8e9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ 20130913 + - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code; + ok dtucker@ - (djm) Release 6.3p1 20130808 diff --git a/channels.c b/channels.c index 281df3802..b5144f112 100644 --- a/channels.c +++ b/channels.c @@ -1239,11 +1239,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) s5_rsp.command = SSH_SOCKS5_SUCCESS; s5_rsp.reserved = 0; /* ignored */ s5_rsp.atyp = SSH_SOCKS5_IPV4; - ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; dest_port = 0; /* ignored */ buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); - buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); + buffet_put_int(&c->output, ntohl(INADDR_ANY)); buffer_append(&c->output, &dest_port, sizeof(dest_port)); return 1; } -- cgit v1.2.3 From 4425e64da7dee0b3e81f1ae301f56fa3a83fe221 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 13 Sep 2013 16:19:30 +1000 Subject: - (djm) [channels.c] sigh, typo s/buffet_/buffer_/ --- ChangeLog | 1 + channels.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 091f0d8e9..1a0d2545e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20130913 - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code; ok dtucker@ + - (djm) [channels.c] sigh, typo s/buffet_/buffer_/ - (djm) Release 6.3p1 20130808 diff --git a/channels.c b/channels.c index b5144f112..ac675c742 100644 --- a/channels.c +++ b/channels.c @@ -1242,7 +1242,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) dest_port = 0; /* ignored */ buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); - buffet_put_int(&c->output, ntohl(INADDR_ANY)); + buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */ buffer_append(&c->output, &dest_port, sizeof(dest_port)); return 1; } -- cgit v1.2.3