from ftp.openbsd.org

christos 2007-12-17 20:15:04 +00:00
parent 6ad9628ae7
commit 636ece08cc
45 changed files with 1954 additions and 332 deletions


@ -1,5 +1,5 @@
/* $NetBSD: atomicio.c,v 1.1.1.9 2006/09/28 21:14:57 christos Exp $ */
/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
/* $NetBSD: atomicio.c,v 1.1.1.10 2007/12/17 20:15:04 christos Exp $ */
/* $OpenBSD: atomicio.c,v 1.25 2007/06/25 12:02:27 dtucker Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@ -31,7 +31,9 @@
#include <sys/uio.h>
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include "atomicio.h"
@ -44,13 +46,20 @@ atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
char *s = _s;
size_t pos = 0;
ssize_t res;
struct pollfd pfd;
pfd.fd = fd;
pfd.events = f == read ? POLLIN : POLLOUT;
while (n > pos) {
res = (f) (fd, s + pos, n - pos);
switch (res) {
case -1:
if (errno == EINTR || errno == EAGAIN)
if (errno == EINTR)
continue;
if (errno == EAGAIN) {
(void)poll(&pfd, 1, -1);
continue;
}
return 0;
case 0:
errno = EPIPE;
@ -72,6 +81,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
size_t pos = 0, rem;
ssize_t res;
struct iovec iov_array[IOV_MAX], *iov = iov_array;
struct pollfd pfd;
if (iovcnt > IOV_MAX) {
errno = EINVAL;
@ -80,12 +90,18 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
/* Make a copy of the iov array because we may modify it below */
memcpy(iov, _iov, iovcnt * sizeof(*_iov));
pfd.fd = fd;
pfd.events = f == readv ? POLLIN : POLLOUT;
for (; iovcnt > 0 && iov[0].iov_len > 0;) {
res = (f) (fd, iov, iovcnt);
switch (res) {
case -1:
if (errno == EINTR || errno == EAGAIN)
if (errno == EINTR)
continue;
if (errno == EAGAIN) {
(void)poll(&pfd, 1, -1);
continue;
}
return 0;
case 0:
errno = EPIPE;
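Review bot: The poll direction is derived from pointer identity, `pfd.events = f == read ? POLLIN : POLLOUT;` in atomicio and the matching `f == readv` test in atomiciov, so any other read-style callback (a wrapper around read, for instance) would be polled for POLLOUT on EAGAIN and, if the descriptor is always writable, the loop would retry without ever waiting. If callers only ever pass read/vwrite and readv/writev this is correct, but that contract is worth stating where the events are chosen, e.g. `/* f must be read or vwrite: the poll direction is inferred from its identity */`. Discarding the `(void)poll(&pfd, 1, -1)` result is acceptable since a failed poll just retries f, and EBADF from the retry still ends the loop. Both loops continue past their hunks.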


@ -1,5 +1,5 @@
/* $NetBSD: auth2.c,v 1.1.1.22 2007/03/10 22:35:29 christos Exp $ */
/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
/* $NetBSD: auth2.c,v 1.1.1.23 2007/12/17 20:15:04 christos Exp $ */
/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -241,8 +241,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
}
}
#define DELIM ","
static char *
authmethods_get(void)
{


@ -1,5 +1,5 @@
/* $NetBSD: bufbn.c,v 1.1.1.2 2007/03/10 22:35:30 christos Exp $ */
/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
/* $NetBSD: bufbn.c,v 1.1.1.3 2007/12/17 20:15:07 christos Exp $ */
/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -200,12 +200,14 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
return (-1);
}
if (len > 8 * 1024) {
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
error("buffer_get_bignum2_ret: cannot handle BN of size %d",
len);
xfree(bin);
return (-1);
}
if (BN_bin2bn(bin, len, value) == NULL) {
error("buffer_get_bignum2_ret: BN_bin2bn failed");
xfree(bin);
return (-1);
}
xfree(bin);


@ -1,5 +1,5 @@
/* $NetBSD: channels.c,v 1.1.1.24 2007/03/10 22:35:33 christos Exp $ */
/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
/* $NetBSD: channels.c,v 1.1.1.25 2007/12/17 20:15:09 christos Exp $ */
/* $OpenBSD: channels.c,v 1.270 2007/06/25 08:20:03 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1641,7 +1641,9 @@ channel_check_window(Channel *c)
{
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
c->local_window < c->local_window_max/2 &&
((c->local_window_max - c->local_window >
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
packet_put_int(c->remote_id);
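Review bot: The widened condition in channel_check_window needs a comment, because the two disjuncts read as alternatives to the old half-window rule while the first one fires much earlier; e.g. `/* Adjust once three max-size packets' worth of window has been consumed, or once half the window is gone, so large windows are replenished promptly */`. If `local_window` can ever exceed `local_window_max` (the field types are not visible here) the subtraction `c->local_window_max - c->local_window` would wrap for unsigned fields and the adjust would be sent unconditionally; worth confirming against the Channel definition. channel_check_window's body continues past the hunk.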


@ -1,5 +1,5 @@
/* $NetBSD: channels.h,v 1.1.1.20 2006/09/28 21:15:05 christos Exp $ */
/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
/* $NetBSD: channels.h,v 1.1.1.21 2007/12/17 20:15:09 christos Exp $ */
/* $OpenBSD: channels.h,v 1.89 2007/06/11 09:14:00 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -122,9 +122,9 @@ struct Channel {
/* default window/packet sizes for tcp/x11-fwd-channel */
#define CHAN_SES_PACKET_DEFAULT (32*1024)
#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
#define CHAN_TCP_PACKET_DEFAULT (32*1024)
#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_X11_PACKET_DEFAULT (16*1024)
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
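Review bot: The new defaults `(64*CHAN_SES_PACKET_DEFAULT)` and `(64*CHAN_TCP_PACKET_DEFAULT)` amount to a 2 MiB window per channel, while the X11 default is left at 4 packets, and nothing records why. A comment would help both the rationale and the resource implication, since the peer may now send up to the full window before any adjust, so a process with many concurrent channels can have up to 2 MiB of unread data per channel buffered: `/* 2 MiB: sized for high bandwidth-delay links; bounds per-channel unread buffering */`. Whether anything else caps buffered data is not visible in this hunk.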


@ -1,5 +1,5 @@
/* $NetBSD: clientloop.c,v 1.1.1.24 2007/03/10 22:35:35 christos Exp $ */
/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
/* $NetBSD: clientloop.c,v 1.1.1.25 2007/12/17 20:15:11 christos Exp $ */
/* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -283,19 +283,29 @@ client_x11_get_proto(const char *display, const char *xauth_path,
generated = 1;
}
}
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
/*
* When in untrusted mode, we read the cookie only if it was
* successfully generated as an untrusted one in the step
* above.
*/
if (trusted || generated) {
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
} else
error("Warning: untrusted X11 forwarding setup failed: "
"xauth key data not generated");
}
if (do_unlink) {
@ -928,7 +938,7 @@ process_cmdline(void)
cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
if (s == NULL)
goto out;
while (*s && isspace(*s))
while (isspace(*s))
s++;
if (*s == '-')
s++; /* Skip cmdline '-', if any */
@ -975,9 +985,8 @@ process_cmdline(void)
goto out;
}
s++;
while (*s && isspace(*s))
s++;
while (isspace(*++s))
;
if (delete) {
cancel_port = 0;
@ -1767,6 +1776,44 @@ client_request_agent(const char *request_type, int rchan)
return c;
}
int
client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
{
Channel *c;
int fd;
if (tun_mode == SSH_TUNMODE_NO)
return 0;
if (!compat20) {
error("Tunnel forwarding is not support for protocol 1");
return -1;
}
debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);
/* Open local tunnel device */
if ((fd = tun_open(local_tun, tun_mode)) == -1) {
error("Tunnel device open failed.");
return -1;
}
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("tun@openssh.com");
packet_put_int(c->self);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
packet_put_int(tun_mode);
packet_put_int(remote_tun);
packet_send();
return 0;
}
/* XXXX move to generic input handler */
static void
client_input_channel_open(int type, u_int32_t seq, void *ctxt)
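Review bot: `while (isspace(*s))` in process_cmdline (also `while (isspace(*++s))` in the second process_cmdline hunk and `while (isspace(*cp))` in readconf.c parse_forward) passes a plain char to a <ctype.h> function; if `s` is a `char *` and the input contains bytes above 0x7F, a signed char produces a negative argument, which is undefined behaviour for isspace. The usual fix is `while (isspace((unsigned char)*s))`. Dropping the `*s &&` guard itself is safe because isspace('\0') is false. In the new client_request_tun_fwd the result of channel_new is used as `c->datagram = 1` without a NULL check; if channel_new can return NULL rather than calling fatal(), the tun fd would leak and the store would dereference NULL, so either a check or a comment stating that channel_new never returns NULL is warranted. process_cmdline's body begins and ends outside its hunks.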


@ -1,5 +1,5 @@
/* $NetBSD: clientloop.h,v 1.1.1.8 2006/09/28 21:15:06 christos Exp $ */
/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
/* $NetBSD: clientloop.h,v 1.1.1.9 2007/12/17 20:15:11 christos Exp $ */
/* $OpenBSD: clientloop.h,v 1.17 2007/08/07 07:32:53 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -45,6 +45,7 @@ void client_x11_get_proto(const char *, const char *, u_int,
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
int, Buffer *, char **, dispatch_fn *);
int client_request_tun_fwd(int, int, int);
/* Multiplexing protocol version */
#define SSHMUX_VER 1


@ -1,8 +1,8 @@
/* $NetBSD: gss-genr.c,v 1.1.1.3 2006/09/28 21:15:07 christos Exp $ */
/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
/* $NetBSD: gss-genr.c,v 1.1.1.4 2007/12/17 20:15:12 christos Exp $ */
/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
/*
* Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -104,7 +104,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
/* The GSSAPI error */
do {
gss_display_status(&lmin, ctxt->major,
GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
GSS_C_GSS_CODE, ctxt->oid, &ctx, &msg);
buffer_append(&b, msg.value, msg.length);
buffer_put_char(&b, '\n');
@ -115,7 +115,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
/* The mechanism specific error */
do {
gss_display_status(&lmin, ctxt->minor,
GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg);
GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg);
buffer_append(&b, msg.value, msg.length);
buffer_put_char(&b, '\n');
@ -223,39 +223,6 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
return (ctx->major);
}
/* Acquire credentials for a server running on the current host.
* Requires that the context structure contains a valid OID
*/
/* Returns a GSSAPI error code */
OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
{
OM_uint32 status;
char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
if (gethostname(lname, MAXHOSTNAMELEN)) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
if ((ctx->major = gss_acquire_cred(&ctx->minor,
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
ssh_gssapi_error(ctx);
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
@ -278,16 +245,6 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
buffer_put_cstring(b, context);
}
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
if (*ctx)
ssh_gssapi_delete_ctx(ctx);
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
return (ssh_gssapi_acquire_cred(*ctx));
}
int
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
{


@ -1,5 +1,5 @@
/* $NetBSD: gss-serv.c,v 1.1.1.3 2006/09/28 21:15:08 christos Exp $ */
/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
/* $NetBSD: gss-serv.c,v 1.1.1.4 2007/12/17 20:15:12 christos Exp $ */
/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -26,6 +26,7 @@
*/
#include <sys/types.h>
#include <sys/param.h>
#ifdef GSSAPI
@ -61,6 +62,53 @@ ssh_gssapi_mech* supported_mechs[]= {
&gssapi_null_mech,
};
/*
* Acquire credentials for a server running on the current host.
* Requires that the context structure contains a valid OID
*/
/* Returns a GSSAPI error code */
/* Privileged (called from ssh_gssapi_server_ctx) */
static OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
{
OM_uint32 status;
char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
if (gethostname(lname, MAXHOSTNAMELEN)) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
if ((ctx->major = gss_acquire_cred(&ctx->minor,
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
ssh_gssapi_error(ctx);
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
/* Privileged */
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
if (*ctx)
ssh_gssapi_delete_ctx(ctx);
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
return (ssh_gssapi_acquire_cred(*ctx));
}
/* Unprivileged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
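Review bot: In the relocated ssh_gssapi_acquire_cred, `gethostname(lname, MAXHOSTNAMELEN)` does not guarantee NUL termination when the host name is longer than the buffer, so `lname` should be terminated before it reaches ssh_gssapi_import_name: `lname[sizeof(lname) - 1] = '\0';`. The results of gss_create_empty_oid_set and gss_add_oid_set_member are written to `status` but never examined, so a failed add would silently request credentials for an empty mechanism set; testing `GSS_ERROR()` on the add and returning early would make that failure visible. Returning `(-1)` from an OM_uint32 function also contradicts the `/* Returns a GSSAPI error code */` comment; the comment should say that -1 is returned when the local host name cannot be obtained. The function is moved verbatim from gss-genr.c, so these predate the commit but are now the code under review.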

23
crypto/dist/ssh/kex.c vendored

@ -1,5 +1,5 @@
/* $NetBSD: kex.c,v 1.1.1.19 2007/03/10 22:35:28 christos Exp $ */
/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
/* $NetBSD: kex.c,v 1.1.1.20 2007/12/17 20:15:12 christos Exp $ */
/* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -79,7 +79,7 @@ static char **
kex_buf2prop(Buffer *raw, int *first_kex_follows)
{
Buffer b;
int i;
u_int i;
char **proposal;
proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
@ -100,7 +100,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
*first_kex_follows = i;
debug2("kex_parse_kexinit: first_kex_follows %d ", i);
i = buffer_get_int(&b);
debug2("kex_parse_kexinit: reserved %d ", i);
debug2("kex_parse_kexinit: reserved %u ", i);
buffer_free(&b);
return proposal;
}
@ -115,6 +115,7 @@ kex_prop_free(char **proposal)
xfree(proposal);
}
/* ARGSUSED */
static void
kex_protocol_error(int type, u_int32_t seq, void *ctxt)
{
@ -186,6 +187,7 @@ kex_send_kexinit(Kex *kex)
kex->flags |= KEX_INIT_SENT;
}
/* ARGSUSED */
void
kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
{
@ -250,7 +252,8 @@ choose_enc(Enc *enc, char *client, char *server)
{
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching cipher found: client %s server %s", client, server);
fatal("no matching cipher found: client %s server %s",
client, server);
if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name);
enc->name = name;
@ -266,8 +269,9 @@ choose_mac(Mac *mac, char *client, char *server)
{
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching mac found: client %s server %s", client, server);
if (mac_init(mac, name) < 0)
fatal("no matching mac found: client %s server %s",
client, server);
if (mac_setup(mac, name) < 0)
fatal("unsupported mac %s", name);
/* truncate the key */
if (datafellows & SSH_BUG_HMAC)
@ -300,7 +304,7 @@ choose_kex(Kex *k, char *client, char *server)
{
k->name = match_list(client, server, NULL);
if (k->name == NULL)
fatal("no kex alg");
fatal("Unable to negotiate a key exchange method");
if (strcmp(k->name, KEX_DH1) == 0) {
k->kex_type = KEX_DH_GRP1_SHA1;
k->evp_md = EVP_sha1();
@ -378,7 +382,8 @@ kex_choose_conf(Kex *kex)
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = xcalloc(1, sizeof(*newkeys));
kex->newkeys[mode] = newkeys;
ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
ctos = (!kex->server && mode == MODE_OUT) ||
(kex->server && mode == MODE_IN);
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
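Review bot: With `i` now declared `u_int` in kex_buf2prop, the unchanged `debug2("kex_parse_kexinit: first_kex_follows %d ", i);` passes an unsigned value to a `%d` conversion, while the `reserved` line in the same hunk was switched to `%u`; the first_kex_follows line should follow suit, `debug2("kex_parse_kexinit: first_kex_follows %u ", i);`. The preceding `*first_kex_follows = i;` likewise stores a u_int into an int; presumably a boolean read from the wire, so `*first_kex_follows = (i != 0);` would document the intent and bound the value. kex_buf2prop's body spans both hunks and continues outside them.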

10
crypto/dist/ssh/kex.h vendored

@ -1,5 +1,5 @@
/* $NetBSD: kex.h,v 1.1.1.16 2006/09/28 21:15:09 christos Exp $ */
/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
/* $NetBSD: kex.h,v 1.1.1.17 2007/12/17 20:15:13 christos Exp $ */
/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -28,6 +28,7 @@
#define KEX_H
#include <openssl/evp.h>
#include <openssl/hmac.h>
#define KEX_DH1 "diffie-hellman-group1-sha1"
#define KEX_DH14 "diffie-hellman-group14-sha1"
@ -86,10 +87,13 @@ struct Enc {
struct Mac {
char *name;
int enabled;
const EVP_MD *md;
u_int mac_len;
u_char *key;
u_int key_len;
int type;
const EVP_MD *evp_md;
HMAC_CTX evp_ctx;
struct umac_ctx *umac_ctx;
};
struct Comp {
int type;
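Review bot: The new fields of struct Mac are undocumented: `type` selects between the SSH_EVP and SSH_UMAC implementations defined in mac.c, `evp_ctx` is the persistent HMAC context that mac_compute re-initialises on every call, and `umac_ctx` is only meaningful when `type` is SSH_UMAC. Short trailing comments such as `int type; /* SSH_EVP or SSH_UMAC, see mac.c */` and `struct umac_ctx *umac_ctx; /* only when type == SSH_UMAC */` would make that explicit. Since the contexts now live inside the struct, ownership should be noted too: they are released by mac_clear, not by freeing the Mac.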


@ -1,5 +1,5 @@
/* $NetBSD: key.c,v 1.1.1.21 2007/03/10 22:35:38 christos Exp $ */
/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */
/* $NetBSD: key.c,v 1.1.1.22 2007/12/17 20:15:15 christos Exp $ */
/* $OpenBSD: key.c,v 1.69 2007/07/12 05:48:05 ray Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -168,9 +168,7 @@ key_equal(const Key *a, const Key *b)
BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
default:
fatal("key_equal: bad key type %d", a->type);
break;
}
return 0;
}
u_char*


@ -1,5 +1,5 @@
/* $NetBSD: log.c,v 1.1.1.11 2006/09/28 21:15:10 christos Exp $ */
/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
/* $NetBSD: log.c,v 1.1.1.12 2007/12/17 20:15:15 christos Exp $ */
/* $OpenBSD: log.c,v 1.40 2007/05/17 07:50:31 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -43,6 +43,7 @@
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
#include <vis.h>
#include "xmalloc.h"
@ -278,6 +279,7 @@ do_log(LogLevel level, const char *fmt, va_list args)
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
int saved_errno = errno;
if (level > log_level)
return;
@ -331,4 +333,5 @@ do_log(LogLevel level, const char *fmt, va_list args)
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
}
errno = saved_errno;
}
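Review bot: The `errno = saved_errno;` restore at the end of do_log is only reached on the fall-through path; the early `return` after `if (level > log_level)` is fine since nothing has touched errno by then, but any other early return in the part of do_log outside the hunk would skip the restore. If such returns exist, routing them through a single exit label that restores errno keeps the guarantee in one place. A short comment at the save would record the contract, e.g. `/* logging must not clobber the caller's errno (callers may call strerror afterwards) */`.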

131
crypto/dist/ssh/mac.c vendored

@ -1,5 +1,5 @@
/* $NetBSD: mac.c,v 1.1.1.7 2006/09/28 21:15:10 christos Exp $ */
/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
/* $NetBSD: mac.c,v 1.1.1.8 2007/12/17 20:15:16 christos Exp $ */
/* $OpenBSD: mac.c,v 1.14 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -40,63 +40,126 @@
#include "mac.h"
#include "misc.h"
#include "umac.h"
#define SSH_EVP 1 /* OpenSSL EVP-based MAC */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
struct {
char *name;
int type;
const EVP_MD * (*mdfunc)(void);
int truncatebits; /* truncate digest if != 0 */
int key_len; /* just for UMAC */
int len; /* just for UMAC */
} macs[] = {
{ "hmac-sha1", EVP_sha1, 0, },
{ "hmac-sha1-96", EVP_sha1, 96 },
{ "hmac-md5", EVP_md5, 0 },
{ "hmac-md5-96", EVP_md5, 96 },
{ "hmac-ripemd160", EVP_ripemd160, 0 },
{ "hmac-ripemd160@openssh.com", EVP_ripemd160, 0 },
{ NULL, NULL, 0 }
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 },
{ "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 },
{ "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 },
{ "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
{ "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
{ "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 },
{ NULL, 0, NULL, 0, -1, -1 }
};
int
mac_init(Mac *mac, char *name)
static void
mac_setup_by_id(Mac *mac, int which)
{
int i, evp_len;
int evp_len;
mac->type = macs[which].type;
if (mac->type == SSH_EVP) {
mac->evp_md = (*macs[which].mdfunc)();
if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
fatal("mac %s len %d", mac->name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
} else {
mac->mac_len = macs[which].len / 8;
mac->key_len = macs[which].key_len / 8;
mac->umac_ctx = NULL;
}
if (macs[which].truncatebits != 0)
mac->mac_len = macs[which].truncatebits / 8;
}
int
mac_setup(Mac *mac, char *name)
{
int i;
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
if (mac != NULL) {
mac->md = (*macs[i].mdfunc)();
if ((evp_len = EVP_MD_size(mac->md)) <= 0)
fatal("mac %s len %d", name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
if (macs[i].truncatebits != 0)
mac->mac_len = macs[i].truncatebits/8;
}
debug2("mac_init: found %s", name);
if (mac != NULL)
mac_setup_by_id(mac, i);
debug2("mac_setup: found %s", name);
return (0);
}
}
debug2("mac_init: unknown %s", name);
debug2("mac_setup: unknown %s", name);
return (-1);
}
int
mac_init(Mac *mac)
{
if (mac->key == NULL)
fatal("mac_init: no key");
switch (mac->type) {
case SSH_EVP:
if (mac->evp_md == NULL)
return -1;
HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
return 0;
case SSH_UMAC:
mac->umac_ctx = umac_new(mac->key);
return 0;
default:
return -1;
}
}
u_char *
mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
{
HMAC_CTX c;
static u_char m[EVP_MAX_MD_SIZE];
u_char b[4];
u_char b[4], nonce[8];
if (mac->key == NULL)
fatal("mac_compute: no key");
if (mac->mac_len > sizeof(m))
fatal("mac_compute: mac too long");
HMAC_Init(&c, mac->key, mac->key_len, mac->md);
put_u32(b, seqno);
HMAC_Update(&c, b, sizeof(b));
HMAC_Update(&c, data, datalen);
HMAC_Final(&c, m, NULL);
HMAC_cleanup(&c);
fatal("mac_compute: mac too long %u %lu",
mac->mac_len, sizeof(m));
switch (mac->type) {
case SSH_EVP:
put_u32(b, seqno);
/* reset HMAC context */
HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
HMAC_Update(&mac->evp_ctx, b, sizeof(b));
HMAC_Update(&mac->evp_ctx, data, datalen);
HMAC_Final(&mac->evp_ctx, m, NULL);
break;
case SSH_UMAC:
put_u64(nonce, seqno);
umac_update(mac->umac_ctx, data, datalen);
umac_final(mac->umac_ctx, m, nonce);
break;
default:
fatal("mac_compute: unknown MAC type");
}
return (m);
}
void
mac_clear(Mac *mac)
{
if (mac->type == SSH_UMAC) {
if (mac->umac_ctx != NULL)
umac_delete(mac->umac_ctx);
} else if (mac->evp_md != NULL)
HMAC_cleanup(&mac->evp_ctx);
mac->evp_md = NULL;
mac->umac_ctx = NULL;
}
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
@ -109,7 +172,7 @@ mac_valid(const char *names)
maclist = cp = xstrdup(names);
for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
(p = strsep(&cp, MAC_SEP))) {
if (mac_init(NULL, p) < 0) {
if (mac_setup(NULL, p) < 0) {
debug("bad mac %s [%s]", p, names);
xfree(maclist);
return (0);
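Review bot: mac_clear releases the HMAC and UMAC contexts but leaves `mac->key` untouched, whereas the `memset(mac->key, 0, mac->key_len)` it replaces in packet.c set_newkeys (first hunk of that file) zeroised the retired MAC key before it was presumably freed below that hunk, so old key material now stays in freed heap memory. Adding `if (mac->key != NULL) memset(mac->key, 0, mac->key_len);` to mac_clear (or keeping the memset in packet.c) restores the previous hygiene; note that a plain memset before free may be optimised away, so the strongest zeroisation primitive the platform provides should be preferred. Separately, mac_init returns 0 for SSH_UMAC without checking that umac_new succeeded; if it can return NULL, the later `umac_update(mac->umac_ctx, ...)` in mac_compute would dereference it, so `if (mac->umac_ctx == NULL) return -1;` is worth adding. The `%lu` used for `sizeof(m)` in the mac_compute fatal should be `%zu`.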


@ -1,5 +1,5 @@
/* $NetBSD: mac.h,v 1.1.1.4 2006/09/28 21:15:10 christos Exp $ */
/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
/* $NetBSD: mac.h,v 1.1.1.5 2007/12/17 20:15:16 christos Exp $ */
/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -25,5 +25,7 @@
*/
int mac_valid(const char *);
int mac_init(Mac *, char *);
int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);


@ -1,5 +1,5 @@
/* $NetBSD: monitor.c,v 1.1.1.11 2007/03/10 22:35:40 christos Exp $ */
/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
/* $NetBSD: monitor.c,v 1.1.1.12 2007/12/17 20:15:17 christos Exp $ */
/* $OpenBSD: monitor.c,v 1.91 2007/05/17 20:52:13 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -340,6 +340,7 @@ monitor_child_postauth(struct monitor *pmonitor)
monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler);
signal(SIGINT, &monitor_child_handler);
if (compat20) {
mon_dispatch = mon_dispatch_postauth20;


@ -1,5 +1,5 @@
/* $NetBSD: monitor_wrap.c,v 1.1.1.9 2007/03/10 22:35:41 christos Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
/* $NetBSD: monitor_wrap.c,v 1.1.1.10 2007/12/17 20:15:18 christos Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.57 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -465,8 +465,8 @@ mm_newkeys_from_blob(u_char *blob, int blen)
/* Mac structure */
mac->name = buffer_get_string(&b, NULL);
if (mac->name == NULL || mac_init(mac, mac->name) == -1)
fatal("%s: can not init mac %s", __func__, mac->name);
if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
fatal("%s: can not setup mac %s", __func__, mac->name);
mac->enabled = buffer_get_int(&b);
mac->key = buffer_get_string(&b, &len);
if (len > mac->key_len)


@ -1,5 +1,5 @@
/* $NetBSD: myproposal.h,v 1.1.1.11 2006/09/28 21:15:13 christos Exp $ */
/* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */
/* $NetBSD: myproposal.h,v 1.1.1.12 2007/12/17 20:15:18 christos Exp $ */
/* $OpenBSD: myproposal.h,v 1.22 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -36,7 +36,7 @@
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
"hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
"hmac-ripemd160@openssh.com," \
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"


@ -1,5 +1,5 @@
/* $NetBSD: packet.c,v 1.1.1.21 2007/03/10 22:35:42 christos Exp $ */
/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
/* $NetBSD: packet.c,v 1.1.1.22 2007/12/17 20:15:19 christos Exp $ */
/* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -621,7 +621,7 @@ set_newkeys(int mode)
enc = &newkeys[mode]->enc;
mac = &newkeys[mode]->mac;
comp = &newkeys[mode]->comp;
memset(mac->key, 0, mac->key_len);
mac_clear(mac);
xfree(enc->name);
xfree(enc->iv);
xfree(enc->key);
@ -636,14 +636,15 @@ set_newkeys(int mode)
enc = &newkeys[mode]->enc;
mac = &newkeys[mode]->mac;
comp = &newkeys[mode]->comp;
if (mac->md != NULL)
if (mac_init(mac) == 0)
mac->enabled = 1;
DBG(debug("cipher_init_context: %d", mode));
cipher_init(cc, enc->cipher, enc->key, enc->key_len,
enc->iv, enc->block_size, crypt_type);
/* Deleting the keys does not gain extra security */
/* memset(enc->iv, 0, enc->block_size);
memset(enc->key, 0, enc->key_len); */
memset(enc->key, 0, enc->key_len);
memset(mac->key, 0, mac->key_len); */
if ((comp->type == COMP_ZLIB ||
(comp->type == COMP_DELAYED && after_authentication)) &&
comp->enabled == 0) {
@ -1227,7 +1228,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
logit("Received disconnect from %s: %.400s",
get_remote_ipaddr(), msg);
cleanup_exit(255);
xfree(msg);
break;
default:
if (type)
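Review bot: `if (mac_init(mac) == 0) mac->enabled = 1;` silently leaves integrity protection off when mac_init fails, where the old `if (mac->md != NULL)` test only skipped the no-MAC case; mac_init returns -1 for a missing digest or an unknown type, both of which should be impossible once mac_setup succeeded, so a `fatal("%s: mac_init failed", __func__);` on the failure branch would be safer than continuing with `enabled == 0`. If there is a legitimate no-MAC case reaching this point, a comment saying so would remove the ambiguity. set_newkeys's body begins before the first hunk and continues between and after them.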


@ -1,5 +1,5 @@
/* $NetBSD: readconf.c,v 1.1.1.20 2007/03/10 22:35:43 christos Exp $ */
/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
/* $NetBSD: readconf.c,v 1.1.1.21 2007/12/17 20:15:20 christos Exp $ */
/* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1220,7 +1220,7 @@ parse_forward(Forward *fwd, const char *fwdspec)
cp = p = xstrdup(fwdspec);
/* skip leading spaces */
while (*cp && isspace(*cp))
while (isspace(*cp))
cp++;
for (i = 0; i < 4; ++i)


@ -1,4 +1,4 @@
.\" $NetBSD: scp.1,v 1.1.1.12 2006/09/28 21:15:16 christos Exp $
.\" $NetBSD: scp.1,v 1.1.1.13 2007/12/17 20:15:21 christos Exp $
.\" -*- nroff -*-
.\"
.\" scp.1
@ -10,9 +10,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $
.\" $OpenBSD: scp.1,v 1.42 2007/08/06 19:16:06 sobrado Exp $
.\"
.Dd September 25, 1999
.Dd $Mdocdate: August 6 2007 $
.Dt SCP 1
.Os
.Sh NAME
@ -35,7 +35,7 @@
.Ar host1 No :
.Oc Ns Ar file1
.Sm on
.Op Ar ...
.Ar ...
.Sm off
.Oo
.Op Ar user No @

24
crypto/dist/ssh/scp.c vendored

@ -1,5 +1,5 @@
/* $NetBSD: scp.c,v 1.1.1.21 2007/03/10 22:35:44 christos Exp $ */
/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
/* $NetBSD: scp.c,v 1.1.1.22 2007/12/17 20:15:21 christos Exp $ */
/* $OpenBSD: scp.c,v 1.160 2007/08/06 19:16:06 sobrado Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -91,6 +91,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <vis.h>
#include "xmalloc.h"
#include "atomicio.h"
@ -570,7 +571,7 @@ source(int argc, char **argv)
off_t i, amt, statbytes;
size_t result;
int fd = -1, haderr, indx;
char *last, *name, buf[2048];
char *last, *name, buf[2048], encname[MAXPATHLEN];
int len;
for (indx = 0; indx < argc; ++indx) {
@ -579,17 +580,17 @@ source(int argc, char **argv)
len = strlen(name);
while (len > 1 && name[len-1] == '/')
name[--len] = '\0';
if (strchr(name, '\n') != NULL) {
run_err("%s: skipping, filename contains a newline",
name);
goto next;
}
if ((fd = open(name, O_RDONLY, 0)) < 0)
if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0)
goto syserr;
if (strchr(name, '\n') != NULL) {
strnvis(encname, name, sizeof(encname), VIS_NL);
name = encname;
}
if (fstat(fd, &stb) < 0) {
syserr: run_err("%s: %s", name, strerror(errno));
goto next;
}
unset_nonblock(fd);
switch (stb.st_mode & S_IFMT) {
case S_IFREG:
break;
@ -1009,7 +1010,8 @@ bad: run_err("%s: %s", np, strerror(errno));
wrerr = YES;
wrerrno = errno;
}
if (wrerr == NO && ftruncate(ofd, size) != 0) {
if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) &&
ftruncate(ofd, size) != 0) {
run_err("%s: truncate: %s", np, strerror(errno));
wrerr = DISPLAYED;
}
@ -1096,7 +1098,7 @@ usage(void)
(void) fprintf(stderr,
"usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
" [-l limit] [-o ssh_option] [-P port] [-S program]\n"
" [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
" [[user@]host1:]file1 ... [[user@]host2:]file2\n");
exit(1);
}
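Review bot: The newline handling in source() now escapes the name with `strnvis(encname, name, sizeof(encname), VIS_NL)` instead of skipping the file, but the return value is not checked, so a name whose escaped form exceeds MAXPATHLEN is silently truncated and the truncated string is what is used from then on. Checking the length and falling back to the old skip keeps the guarantee: `if (strnvis(encname, name, sizeof(encname), VIS_NL) >= (int)sizeof(encname)) { run_err("%s: skipping, name too long after encoding", name); goto next; }`. The descriptor is already open at that point, so the skip path must close it; whether the `next:` label does so is not visible in the hunk. A one-line comment on why the open is now non-blocking and then reverted with `unset_nonblock(fd)` would help the next reader.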


@ -1,5 +1,5 @@
/* $NetBSD: servconf.c,v 1.1.1.22 2007/03/10 22:35:45 christos Exp $ */
/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
/* $NetBSD: servconf.c,v 1.1.1.23 2007/12/17 20:15:22 christos Exp $ */
/* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -556,7 +556,6 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
debug("connection from %.100s matched 'Host "
"%.100s' at line %d", host, arg, line);
} else if (strcasecmp(attrib, "address") == 0) {
debug("address '%s' arg '%s'", address, arg);
if (!address) {
result = 0;
continue;
@ -1345,8 +1344,4 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
/* challenge-response is implemented via keyboard interactive */
if (options->challenge_response_authentication == 1)
options->kbd_interactive_authentication = 1;
}


@ -1,5 +1,5 @@
.\" $NetBSD: sftp-server.8,v 1.1.1.9 2006/09/28 21:15:21 christos Exp $
.\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $
.\" $NetBSD: sftp-server.8,v 1.1.1.10 2007/12/17 20:15:24 christos Exp $
.\" $OpenBSD: sftp-server.8,v 1.12 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
.\"
@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 30, 2000
.Dd $Mdocdate: May 31 2007 $
.Dt SFTP-SERVER 8
.Os
.Sh NAME


@ -1,5 +1,5 @@
/* $NetBSD: sftp-server.c,v 1.1.1.18 2007/03/10 22:35:47 christos Exp $ */
/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
/* $NetBSD: sftp-server.c,v 1.1.1.19 2007/12/17 20:15:25 christos Exp $ */
/* $OpenBSD: sftp-server.c,v 1.73 2007/05/17 07:55:29 djm Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@ -315,7 +315,8 @@ handle_log_close(int handle, char *emsg)
logit("%s%sclose \"%s\" bytes read %llu written %llu",
emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
handle_to_name(handle),
handle_bytes_read(handle), handle_bytes_write(handle));
(unsigned long long)handle_bytes_read(handle),
(unsigned long long)handle_bytes_write(handle));
} else {
logit("%s%sclosedir \"%s\"",
emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
@ -698,7 +699,8 @@ process_setstat(void)
a = get_attrib();
debug("request %u: setstat name \"%s\"", id, name);
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu", name, a->size);
logit("set \"%s\" size %llu",
name, (unsigned long long)a->size);
ret = truncate(name, a->size);
if (ret == -1)
status = errno_to_portable(errno);
@ -750,7 +752,8 @@ process_fsetstat(void)
char *name = handle_to_name(handle);
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu", name, a->size);
logit("set \"%s\" size %llu",
name, (unsigned long long)a->size);
ret = ftruncate(fd, a->size);
if (ret == -1)
status = errno_to_portable(errno);
@ -1191,7 +1194,7 @@ main(int argc, char **argv)
int in, out, max, ch, skipargs = 0, log_stderr = 0;
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp;
char *cp, buf[4*4096];
extern char *optarg;
extern char *__progname;
@ -1269,7 +1272,15 @@ main(int argc, char **argv)
memset(rset, 0, set_size);
memset(wset, 0, set_size);
FD_SET(in, rset);
/*
* Ensure that we can read a full buffer and handle
* the worst-case length packet it can generate,
* otherwise apply backpressure by stopping reads.
*/
if (buffer_check_alloc(&iqueue, sizeof(buf)) &&
buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
FD_SET(in, rset);
olen = buffer_len(&oqueue);
if (olen > 0)
FD_SET(out, wset);
@ -1283,7 +1294,6 @@ main(int argc, char **argv)
/* copy stdin to iqueue */
if (FD_ISSET(in, rset)) {
char buf[4*4096];
len = read(in, buf, sizeof buf);
if (len == 0) {
debug("read eof");
@ -1305,7 +1315,13 @@ main(int argc, char **argv)
buffer_consume(&oqueue, len);
}
}
/* process requests from client */
process();
/*
* Process requests from client if we can fit the results
* into the output buffer, otherwise stop processing input
* and let the output queue drain.
*/
if (buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
process();
}
}
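Review bot: The new backpressure policy in main hinges on two thresholds, `sizeof(buf)` for the input side and `SFTP_MAX_MSG_LENGTH` for the output side, but the first is the bare magic number `4*4096` from the `buf` declaration that this commit hoisted to function scope; now that it also decides when reads are suspended, give it a name, e.g. `#define SFTP_READ_BUFSZ (4*4096)` and `char *cp, buf[SFTP_READ_BUFSZ];`, so the policy is visible where it is tuned. The code reads as if `buffer_check_alloc()` returns nonzero only when the buffer can grow by that many bytes without exceeding its hard limit; its definition is outside this diff, so a one-line comment above the first call stating that contract would keep a future reader from inverting the condition. The `process()` call is now skipped when the output queue is near its limit, which is the intended DoS mitigation, but it is worth saying in the comment that input already in iqueue simply waits rather than being dropped. main's body starts and ends outside the hunks.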


@ -1,5 +1,5 @@
.\" $NetBSD: sftp.1,v 1.1.1.17 2006/02/04 22:23:09 christos Exp $
.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
.\" $NetBSD: sftp.1,v 1.1.1.18 2007/12/17 20:15:25 christos Exp $
.\" $OpenBSD: sftp.1,v 1.64 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 4, 2001
.Dd $Mdocdate: May 31 2007 $
.Dt SFTP 1
.Os
.Sh NAME


@ -1,5 +1,5 @@
.\" $NetBSD: ssh-add.1,v 1.1.1.14 2006/02/04 22:23:10 christos Exp $
.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
.\" $NetBSD: ssh-add.1,v 1.1.1.15 2007/12/17 20:15:26 christos Exp $
.\" $OpenBSD: ssh-add.1,v 1.46 2007/06/12 13:41:03 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -38,7 +38,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dd $Mdocdate: June 12 2007 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@ -90,7 +90,18 @@ program, rather than text entered into the requester.
.It Fl D
Deletes all identities from the agent.
.It Fl d
Instead of adding the identity, removes the identity from the agent.
Instead of adding identities, removes identities from the agent.
If
.Nm
has been run without arguments, the keys for the default identities will
be removed.
Otherwise, the argument list will be interpreted as a list of paths to
public key files and matching keys will be removed from the agent.
If no public key is found at a given path,
.Nm
will append
.Pa .pub
and retry.
.It Fl e Ar reader
Remove key in smartcard
.Ar reader .


@ -1,5 +1,5 @@
.\" $NetBSD: ssh-agent.1,v 1.1.1.16 2006/09/28 21:15:23 christos Exp $
.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $
.\" $NetBSD: ssh-agent.1,v 1.1.1.17 2007/12/17 20:15:26 christos Exp $
.\" $OpenBSD: ssh-agent.1,v 1.45 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dd $Mdocdate: May 31 2007 $
.Dt SSH-AGENT 1
.Os
.Sh NAME


@ -1,5 +1,5 @@
/* $NetBSD: ssh-agent.c,v 1.1.1.21 2007/03/10 22:35:49 christos Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
/* $NetBSD: ssh-agent.c,v 1.1.1.22 2007/12/17 20:15:27 christos Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.155 2007/03/19 12:16:42 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -108,6 +108,7 @@ int max_fd = 0;
/* pid of shell == parent of agent */
pid_t parent_pid = -1;
u_int parent_alive_interval = 0;
/* pathname and directory for AUTH_SOCKET */
char socket_name[MAXPATHLEN];
@ -409,10 +410,11 @@ process_remove_all_identities(SocketEntry *e, int version)
buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
}
static void
/* removes expired keys and returns number of seconds until the next expiry */
static u_int
reaper(void)
{
u_int now = time(NULL);
u_int deadline = 0, now = time(NULL);
Identity *id, *nxt;
int version;
Idtab *tab;
@ -421,14 +423,22 @@ reaper(void)
tab = idtab_lookup(version);
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
nxt = TAILQ_NEXT(id, next);
if (id->death != 0 && now >= id->death) {
if (id->death == 0)
continue;
if (now >= id->death) {
debug("expiring key '%s'", id->comment);
TAILQ_REMOVE(&tab->idlist, id, next);
free_identity(id);
tab->nentries--;
}
} else
deadline = (deadline == 0) ? id->death :
MIN(deadline, id->death);
}
}
if (deadline == 0 || deadline <= now)
return 0;
else
return (deadline - now);
}
static void
@ -814,10 +824,12 @@ new_socket(sock_type type, int fd)
}
static int
prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
struct timeval **tvpp)
{
u_int i, sz;
u_int i, sz, deadline;
int n = 0;
static struct timeval tv;
for (i = 0; i < sockets_alloc; i++) {
switch (sockets[i].type) {
@ -861,6 +873,17 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
break;
}
}
deadline = reaper();
if (parent_alive_interval != 0)
deadline = (deadline == 0) ? parent_alive_interval :
MIN(deadline, parent_alive_interval);
if (deadline == 0) {
*tvpp = NULL;
} else {
tv.tv_sec = deadline;
tv.tv_usec = 0;
*tvpp = &tv;
}
return (1);
}
@ -968,19 +991,14 @@ cleanup_handler(int sig)
_exit(2);
}
/*ARGSUSED*/
static void
check_parent_exists(int sig)
check_parent_exists(void)
{
int save_errno = errno;
if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
/* printf("Parent has died - Authentication agent exiting.\n"); */
cleanup_handler(sig); /* safe */
cleanup_socket();
_exit(2);
}
signal(SIGALRM, check_parent_exists);
alarm(10);
errno = save_errno;
}
static void
@ -1012,7 +1030,7 @@ main(int ac, char **av)
extern char *optarg;
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
struct timeval tv;
struct timeval *tvp = NULL;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@ -1199,10 +1217,8 @@ main(int ac, char **av)
skip:
new_socket(AUTH_SOCKET, sock);
if (ac > 0) {
signal(SIGALRM, check_parent_exists);
alarm(10);
}
if (ac > 0)
parent_alive_interval = 10;
idtab_init();
if (!d_flag)
signal(SIGINT, SIG_IGN);
@ -1212,12 +1228,12 @@ skip:
nalloc = 0;
while (1) {
tv.tv_sec = 10;
tv.tv_usec = 0;
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
saved_errno = errno;
reaper(); /* remove expired keys */
if (parent_alive_interval != 0)
check_parent_exists();
(void) reaper(); /* remove expired keys */
if (result < 0) {
if (saved_errno == EINTR)
continue;
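Review bot: The new comment on reaper() says it returns the seconds until the next expiry, but the function also returns 0 to mean "no key has a lifetime", and prepare_select() relies on that 0 to pick a NULL (infinite) select(2) timeout; spell it out: `/* removes expired keys; returns seconds until the next expiry, or 0 if no key has a lifetime */`. The `(x == 0) ? y : MIN(x, y)` deadline-merging idiom now appears twice, once in reaper and again in prepare_select for parent_alive_interval; a small `static u_int min_deadline(u_int a, u_int b)` would keep the two in step. check_parent_exists() is now called on every select(2) wakeup rather than every ten seconds, which is harmless since kill(2) with signal 0 is cheap, but the name parent_alive_interval suggests a period, so a comment on the call site saying the interval is only the select timeout bound would avoid confusion. reaper's and prepare_select's bodies start or end outside the hunks.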


@ -1,5 +1,5 @@
/* $NetBSD: ssh-gss.h,v 1.1.1.2 2006/09/28 21:15:24 christos Exp $ */
/* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */
/* $NetBSD: ssh-gss.h,v 1.1.1.3 2007/12/17 20:15:27 christos Exp $ */
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
*
@ -86,7 +86,6 @@ void ssh_gssapi_supported_oids(gss_OID_set *);
ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *);
OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *,
@ -97,11 +96,11 @@ char *ssh_gssapi_last_error(Gssctxt *, OM_uint32 *, OM_uint32 *);
void ssh_gssapi_build_ctx(Gssctxt **);
void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
/* In the server */
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);


@ -1,5 +1,5 @@
.\" $NetBSD: ssh-keygen.1,v 1.1.1.18 2007/03/10 22:35:50 christos Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
.\" $NetBSD: ssh-keygen.1,v 1.1.1.19 2007/12/17 20:15:27 christos Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.75 2007/05/31 19:20:16 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -38,7 +38,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dd $Mdocdate: May 31 2007 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME


@ -1,5 +1,5 @@
.\" $NetBSD: ssh-keyscan.1,v 1.1.1.13 2007/03/10 22:35:51 christos Exp $
.\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
.\" $NetBSD: ssh-keyscan.1,v 1.1.1.14 2007/12/17 20:15:29 christos Exp $
.\" $OpenBSD: ssh-keyscan.1,v 1.23 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@ -7,7 +7,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dd $Mdocdate: May 31 2007 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME


@ -1,5 +1,5 @@
.\" $NetBSD: ssh-keysign.8,v 1.1.1.5 2006/09/28 21:15:26 christos Exp $
.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $
.\" $NetBSD: ssh-keysign.8,v 1.1.1.6 2007/12/17 20:15:30 christos Exp $
.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd May 24, 2002
.Dd $Mdocdate: May 31 2007 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME

13
crypto/dist/ssh/ssh.1 vendored

@ -1,4 +1,4 @@
.\" $NetBSD: ssh.1,v 1.1.1.22 2007/03/10 22:35:52 christos Exp $
.\" $NetBSD: ssh.1,v 1.1.1.23 2007/12/17 20:15:31 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
.Dd September 25, 1999
.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
.Dd $Mdocdate: June 12 2007 $
.Dt SSH 1
.Os
.Sh NAME
@ -44,7 +44,7 @@
.Nd OpenSSH SSH client (remote login program)
.Sh SYNOPSIS
.Nm ssh
.Op Fl 1246AaCfgkMNnqsTtVvXxY
.Op Fl 1246AaCfgKkMNnqsTtVvXxY
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Oo Fl D\ \&
@ -316,6 +316,9 @@ It is possible to have multiple
.Fl i
options (and multiple identities specified in
configuration files).
.It Fl K
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
credentials to the server.
.It Fl k
Disables forwarding (delegation) of GSSAPI credentials to the server.
.It Fl L Xo
@ -675,7 +678,7 @@ Both protocols support similar authentication methods,
but protocol 2 is preferred since
it provides additional mechanisms for confidentiality
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
Protocol 1 lacks a strong mechanism for ensuring the
integrity of the connection.
.Pp

92
crypto/dist/ssh/ssh.c vendored

@ -1,5 +1,5 @@
/* $NetBSD: ssh.c,v 1.1.1.23 2007/03/10 22:35:53 christos Exp $ */
/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
/* $NetBSD: ssh.c,v 1.1.1.24 2007/12/17 20:15:32 christos Exp $ */
/* $OpenBSD: ssh.c,v 1.301 2007/08/07 07:32:53 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -178,7 +178,7 @@ static void
usage(void)
{
fprintf(stderr,
"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
"usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
@ -260,7 +260,7 @@ main(int ac, char **av)
again:
while ((opt = getopt(ac, av,
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;
@ -314,6 +314,10 @@ main(int ac, char **av)
case 'k':
options.gss_deleg_creds = 0;
break;
case 'K':
options.gss_authentication = 1;
options.gss_deleg_creds = 1;
break;
case 'i':
if (stat(optarg, &st) < 0) {
fprintf(stderr, "Warning: Identity file %s "
@ -835,6 +839,17 @@ ssh_init_forwarding(void)
"forwarding.");
}
}
/* Initiate tunnel forwarding. */
if (options.tun_open != SSH_TUNMODE_NO) {
if (client_request_tun_fwd(options.tun_open,
options.tun_local, options.tun_remote) == -1) {
if (options.exit_on_forward_failure)
fatal("Could not request tunnel forwarding.");
else
error("Could not request tunnel forwarding.");
}
}
}
static void
@ -1096,28 +1111,6 @@ ssh_session2_setup(int id, void *arg)
packet_send();
}
if (options.tun_open != SSH_TUNMODE_NO) {
Channel *c;
int fd;
debug("Requesting tun.");
if ((fd = tun_open(options.tun_local,
options.tun_open)) >= 0) {
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "tun", 1);
c->datagram = 1;
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("tun@openssh.com");
packet_put_int(c->self);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
packet_put_int(options.tun_open);
packet_put_int(options.tun_remote);
packet_send();
}
}
client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
@ -1177,7 +1170,6 @@ ssh_session2(void)
/* XXX should be pre-session */
ssh_init_forwarding();
ssh_control_listener();
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
id = ssh_session2_open();
@ -1187,6 +1179,9 @@ ssh_session2(void)
options.permit_local_command)
ssh_local_cmd(options.local_command);
/* Start listening for multiplex clients */
ssh_control_listener();
/* If requested, let ssh continue in the background. */
if (fork_after_authentication_flag)
if (daemon(1, 1) < 0)
@ -1283,7 +1278,7 @@ static void
control_client(const char *path)
{
struct sockaddr_un addr;
int i, r, fd, sock, exitval, num_env;
int i, r, fd, sock, exitval[2], num_env;
Buffer m;
char *term;
extern char **environ;
@ -1432,29 +1427,44 @@ control_client(const char *path)
if (tty_flag)
enter_raw_mode();
/* Stick around until the controlee closes the client_fd */
exitval = 0;
for (;!control_client_terminate;) {
r = read(sock, &exitval, sizeof(exitval));
/*
* Stick around until the controlee closes the client_fd.
* Before it does, it is expected to write this process' exit
* value (one int). This process must read the value and wait for
* the closure of the client_fd; if this one closes early, the
* multiplex master will terminate early too (possibly losing data).
*/
exitval[0] = 0;
for (i = 0; !control_client_terminate && i < (int)sizeof(exitval);) {
r = read(sock, (char *)exitval + i, sizeof(exitval) - i);
if (r == 0) {
debug2("Received EOF from master");
break;
}
if (r > 0)
debug2("Received exit status from master %d", exitval);
if (r == -1 && errno != EINTR)
if (r == -1) {
if (errno == EINTR)
continue;
fatal("%s: read %s", __func__, strerror(errno));
}
i += r;
}
if (control_client_terminate)
debug2("Exiting on signal %d", control_client_terminate);
close(sock);
leave_raw_mode();
if (i > (int)sizeof(int))
fatal("%s: master returned too much data (%d > %lu)",
__func__, i, sizeof(int));
if (control_client_terminate) {
debug2("Exiting on signal %d", control_client_terminate);
exitval[0] = 255;
} else if (i < (int)sizeof(int)) {
debug2("Control master terminated unexpectedly");
exitval[0] = 255;
} else
debug2("Received exit status from master %d", exitval[0]);
if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
fprintf(stderr, "Connection to master closed.\r\n");
fprintf(stderr, "Shared connection to %s closed.\r\n", host);
exit(exitval);
exit(exitval[0]);
}
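Review bot: In control_client, the new `fatal("%s: master returned too much data (%d > %lu)", __func__, i, sizeof(int));` passes a `size_t` for `%lu`, which only matches where `size_t` happens to be `unsigned long`; cast it, `__func__, i, (unsigned long)sizeof(int));`. The `i > (int)sizeof(int)` check can only fire because the loop's bound is `sizeof(exitval)`, two ints, so sizing `exitval` as an array of two is deliberate and deserves a sentence in the block comment: the extra slot exists to detect a master that writes more than one int. Otherwise the EOF/short-read → 255 handling is a clear improvement over the old single unchecked read. control_client's body starts outside the hunk.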


@ -1,5 +1,5 @@
# $NetBSD: ssh_config,v 1.1.1.11 2006/09/28 21:15:29 christos Exp $
# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
# $NetBSD: ssh_config,v 1.1.1.12 2007/12/17 20:15:32 christos Exp $
# $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
@ -39,6 +39,7 @@
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any


@ -1,4 +1,4 @@
.\" $NetBSD: ssh_config.5,v 1.1.1.8 2007/03/10 22:35:54 christos Exp $
.\" $NetBSD: ssh_config.5,v 1.1.1.9 2007/12/17 20:15:32 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
.Dd September 25, 1999
.\" $OpenBSD: ssh_config.5,v 1.102 2007/08/15 12:13:41 stevesk Exp $
.Dd $Mdocdate: August 15 2007 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -388,7 +388,7 @@ data).
Specifies whether
.Xr ssh 1
should terminate the connection if it cannot set up all requested
dynamic, local, and remote port forwardings.
dynamic, tunnel, local, and remote port forwardings.
The argument must be
.Dq yes
or
@ -642,7 +642,10 @@ The MAC algorithm is used in protocol version 2
for data integrity protection.
Multiple algorithms must be comma-separated.
The default is:
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.Bd -literal -offset indent
hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
.Ed
.It Cm NoHostAuthenticationForLocalhost
This option can be used if the home directory is shared across machines.
In this case localhost will refer to a different machine on each of


@ -1,5 +1,5 @@
/* $NetBSD: sshconnect2.c,v 1.1.1.22 2006/09/28 21:15:31 christos Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
/* $NetBSD: sshconnect2.c,v 1.1.1.23 2007/12/17 20:15:34 christos Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -31,6 +31,7 @@
#include <sys/stat.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
@ -1304,7 +1305,7 @@ userauth_hostbased(Authctxt *authctxt)
Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
char *chost, *pkalg, *p;
char *chost, *pkalg, *p, myname[NI_MAXHOST];
const char *service;
u_int blen, slen;
int ok, i, len, found = 0;
@ -1328,7 +1329,16 @@ userauth_hostbased(Authctxt *authctxt)
return 0;
}
/* figure out a name for the client host */
p = get_local_name(packet_get_connection_in());
p = NULL;
if (packet_connection_is_on_socket())
p = get_local_name(packet_get_connection_in());
if (p == NULL) {
if (gethostname(myname, sizeof(myname)) == -1) {
verbose("userauth_hostbased: gethostname: %s",
strerror(errno));
} else
p = xstrdup(myname);
}
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
key_free(private);
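Review bot: The gethostname(3) fallback in userauth_hostbased does not guarantee NUL termination when the host name is longer than `myname` (POSIX leaves truncation behaviour unspecified), and the result goes straight into xstrdup(); add `myname[sizeof(myname) - 1] = '\0';` after the successful call. The name is also unqualified on many systems, so if the server compares the client-supplied name against its own reverse lookup of the peer, as hostbased authentication typically does, the fallback may be rejected; that is a limit of the fallback rather than a defect, but a comment next to `p = xstrdup(myname);` saying so would save the next debugging session. userauth_hostbased's body continues outside the hunk.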


@ -1,4 +1,4 @@
.\" $NetBSD: sshd.8,v 1.1.1.23 2006/09/28 21:15:32 christos Exp $
.\" $NetBSD: sshd.8,v 1.1.1.24 2007/12/17 20:15:35 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
.Dd September 25, 1999
.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
.Dd $Mdocdate: June 7 2007 $
.Dt SSHD 8
.Os
.Sh NAME
@ -59,8 +59,11 @@
.Nm
(OpenSSH Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh, and
provide secure encrypted communications between two untrusted hosts
Together these programs replace
.Xr rlogin 1
and
.Xr rsh 1 ,
and provide secure encrypted communications between two untrusted hosts
over an insecure network.
.Pp
.Nm
@ -118,7 +121,7 @@ Maximum is 3.
When this option is specified,
.Nm
will send the output to the standard error instead of the system log.
.It Fl f Ar configuration_file
.It Fl f Ar config_file
Specifies the name of the configuration file.
The default is
.Pa /etc/ssh/sshd_config .
@ -274,7 +277,7 @@ The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
through a cryptographic message authentication code
(hmac-sha1 or hmac-md5).
(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
.Pp
Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
@ -733,15 +736,6 @@ This file is used in exactly the same way as
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
.It /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
.It /etc/ssh/ssh_host_key
.It /etc/ssh/ssh_host_dsa_key
.It /etc/ssh/ssh_host_rsa_key
@ -765,6 +759,15 @@ the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.Pp
.It /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
.It /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
@ -801,6 +804,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
.Xr login.conf 5 ,


@ -1,5 +1,5 @@
/* $NetBSD: sshd.c,v 1.1.1.25 2007/03/10 22:35:57 christos Exp $ */
/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
/* $NetBSD: sshd.c,v 1.1.1.26 2007/12/17 20:15:36 christos Exp $ */
/* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -52,7 +52,6 @@
#include <sys/time.h>
#include <errno.h>
#include <signal.h>
#include <fcntl.h>
#include <netdb.h>
#include <paths.h>
@ -1360,6 +1359,10 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
/* set default channel AF */
channel_set_af(options.address_family);
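Review bot: Moving the challenge-response → keyboard-interactive coupling out of parse_server_config into main means it is applied exactly once, after fill_default_server_options; if any later pass re-runs the parser on the same ServerOptions (the Match handling documented in sshd_config.5 in this commit suggests such a pass exists, though I cannot confirm from the hunk that it can touch ChallengeResponseAuthentication), that pass would no longer re-derive kbd_interactive_authentication. A short comment on the new block, `/* applied once here after defaults are filled; later re-parses do not repeat it */`, or placing the coupling next to where kbd_interactive_authentication is consumed, would make the invariant explicit. main's body starts and ends outside the hunk.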


@ -1,5 +1,5 @@
# $NetBSD: sshd_config,v 1.1.1.15 2006/09/28 21:15:33 christos Exp $
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# $NetBSD: sshd_config,v 1.1.1.16 2007/12/17 20:15:36 christos Exp $
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -10,11 +10,15 @@
# default value.
#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2


@ -1,4 +1,4 @@
.\" $NetBSD: sshd_config.5,v 1.1.1.8 2007/03/10 22:35:57 christos Exp $
.\" $NetBSD: sshd_config.5,v 1.1.1.9 2007/12/17 20:15:36 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
.Dd September 25, 1999
.\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $
.Dd $Mdocdate: June 8 2007 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -490,7 +490,10 @@ The MAC algorithm is used in protocol version 2
for data integrity protection.
Multiple algorithms must be comma-separated.
The default is:
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.Bd -literal -offset indent
hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
.Ed
.It Cm Match
Introduces a conditional block.
If all of the criteria on the

1271
crypto/dist/ssh/umac.c vendored Normal file


124
crypto/dist/ssh/umac.h vendored Normal file

@ -0,0 +1,124 @@
/* $NetBSD: umac.h,v 1.1.1.1 2007/12/17 20:15:38 christos Exp $ */
/* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */
/* -----------------------------------------------------------------------
*
* umac.h -- C Implementation UMAC Message Authentication
*
* Version 0.93a of rfc4418.txt -- 2006 July 14
*
* For a full description of UMAC message authentication see the UMAC
* world-wide-web page at http://www.cs.ucdavis.edu/~rogaway/umac
* Please report bugs and suggestions to the UMAC webpage.
*
* Copyright (c) 1999-2004 Ted Krovetz
*
* Permission to use, copy, modify, and distribute this software and
* its documentation for any purpose and with or without fee, is hereby
* granted provided that the above copyright notice appears in all copies
* and in supporting documentation, and that the name of the copyright
* holder not be used in advertising or publicity pertaining to
* distribution of the software without specific, written prior permission.
*
* Comments should be directed to Ted Krovetz (tdk@acm.org)
*
* ---------------------------------------------------------------------- */
/* ////////////////////// IMPORTANT NOTES /////////////////////////////////
*
* 1) This version does not work properly on messages larger than 16MB
*
* 2) If you set the switch to use SSE2, then all data must be 16-byte
* aligned
*
* 3) When calling the function umac(), it is assumed that msg is in
* a writable buffer of length divisible by 32 bytes. The message itself
* does not have to fill the entire buffer, but bytes beyond msg may be
* zeroed.
*
* 4) Two free AES implementations are supported by this implementation of
* UMAC. Paulo Barreto's version is in the public domain and can be found
* at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ (search for
* "Barreto"). The only two files needed are rijndael-alg-fst.c and
* rijndael-alg-fst.h.
* Brian Gladman's version is distributed with GNU Public lisence
* and can be found at http://fp.gladman.plus.com/AES/index.htm. It
* includes a fast IA-32 assembly version.
*
/////////////////////////////////////////////////////////////////////// */
#ifndef HEADER_UMAC_H
#define HEADER_UMAC_H
#ifdef __cplusplus
extern "C" {
#endif
struct umac_ctx *umac_new(u_char key[]);
/* Dynamically allocate a umac_ctx struct, initialize variables,
* generate subkeys from key.
*/
#if 0
int umac_reset(struct umac_ctx *ctx);
/* Reset a umac_ctx to begin authenicating a new message */
#endif
int umac_update(struct umac_ctx *ctx, u_char *input, long len);
/* Incorporate len bytes pointed to by input into context ctx */
int umac_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]);
/* Incorporate any pending data and the ctr value, and return tag.
* This function returns error code if ctr < 0.
*/
int umac_delete(struct umac_ctx *ctx);
/* Deallocate the context structure */
#if 0
int umac(struct umac_ctx *ctx, u_char *input,
long len, u_char tag[],
u_char nonce[8]);
/* All-in-one implementation of the functions Reset, Update and Final */
#endif
/* uhash.h */
#if 0
typedef struct uhash_ctx *uhash_ctx_t;
/* The uhash_ctx structure is defined by the implementation of the */
/* UHASH functions. */
uhash_ctx_t uhash_alloc(u_char key[16]);
/* Dynamically allocate a uhash_ctx struct and generate subkeys using */
/* the kdf and kdf_key passed in. If kdf_key_len is 0 then RC6 is */
/* used to generate key with a fixed key. If kdf_key_len > 0 but kdf */
/* is NULL then the first 16 bytes pointed at by kdf_key is used as a */
/* key for an RC6 based KDF. */
int uhash_free(uhash_ctx_t ctx);
int uhash_set_params(uhash_ctx_t ctx,
void *params);
int uhash_reset(uhash_ctx_t ctx);
int uhash_update(uhash_ctx_t ctx,
u_char *input,
long len);
int uhash_final(uhash_ctx_t ctx,
u_char ouput[]);
int uhash(uhash_ctx_t ctx,
u_char *input,
long len,
u_char output[]);
#endif
#ifdef __cplusplus
}
#endif
#endif /* HEADER_UMAC_H */
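Review bot: The header is not self-contained: every prototype uses `u_char` but nothing includes `<sys/types.h>`, so it compiles only after an includer that already did; add `#include <sys/types.h>` before the prototypes. The comment on umac_final says it "returns error code if ctr < 0", but the prototype takes `u_char nonce[8]`, not a counter, so the comment is stale relative to the signature and should instead describe the nonce contract (8 bytes, never reused under the same key). umac_new's `u_char key[]` and umac_update's `u_char *input` carry no length or constness contract; document the expected key size next to umac_new, make input `const u_char *`, and state in umac_delete's comment whether the key schedule is zeroized before the context is freed, since callers of a MAC API need to know that. The IMPORTANT NOTES block warns that messages above 16MB are not handled; a sentence on how the caller bounds message length would reassure readers of this header.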


@ -1,4 +1,4 @@
/* $NetBSD: version.h,v 1.1.1.25 2007/03/10 22:35:58 christos Exp $ */
/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
/* $NetBSD: version.h,v 1.1.1.26 2007/12/17 20:15:38 christos Exp $ */
/* $OpenBSD: version.h,v 1.50 2007/08/15 08:16:49 markus Exp $ */
#define SSH_VERSION "OpenSSH_4.6"
#define SSH_VERSION "OpenSSH_4.7"