from ftp.openbsd.org

christos 2012-05-02 02:13:04 +00:00
parent 785b3e18bf
commit ddfd2449b0
47 changed files with 651 additions and 278 deletions


@ -133,6 +133,7 @@ A client may request the master to close a port forward:
uint32 MUX_C_CLOSE_FWD
uint32 request id
uint32 forwarding type
string listen host
string listen port
string connect host
@ -218,4 +219,4 @@ XXX inject packet (what about replies)
XXX server->client error/warning notifications
XXX send signals via mux
$OpenBSD: PROTOCOL.mux,v 1.7 2011/05/08 12:52:01 djm Exp $
$OpenBSD: PROTOCOL.mux,v 1.8 2011/09/09 00:44:07 djm Exp $


@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -339,7 +339,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
goto bad_option;
}
host = cleanhostname(host);
if (p == NULL || (port = a2port(p)) <= 0) {
if (p == NULL || (port = permitopen_port(p)) < 0) {
debug("%.100s, line %lu: Bad permitopen port "
"<%.100s>", file, linenum, p ? p : "");
auth_debug_add("%.100s, line %lu: "
@ -450,10 +450,6 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
buffer_append(&data, data_blob, dlen);
debug3("found certificate option \"%.100s\" len %u",
name, dlen);
if (strlen(name) != nlen) {
error("Certificate constraint name contains \\0");
goto out;
}
found = 0;
if ((which & OPTIONS_EXTENSIONS) != 0) {
if (strcmp(name, "permit-X11-forwarding") == 0) {
@ -483,11 +479,6 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
"corrupt", name);
goto out;
}
if (strlen(command) != clen) {
error("force-command constraint "
"contains \\0");
goto out;
}
if (*cert_forced_command != NULL) {
error("Certificate has multiple "
"force-command options");
@ -504,11 +495,6 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
"\"%s\" corrupt", name);
goto out;
}
if (strlen(allowed) != clen) {
error("source-address constraint "
"contains \\0");
goto out;
}
if ((*cert_source_address_done)++) {
error("Certificate has multiple "
"source-address options");
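Review bot: Dropping the `strlen(name) != nlen`, `strlen(command) != clen` and `strlen(allowed) != clen` checks in parse_option_list is only safe if the string getter that fills `name`, `command` and `allowed` itself rejects embedded NUL bytes; that getter is outside this hunk, so please confirm it does (key.c removes the equivalent `kidlen` check for `key_id` and relies on the same guarantee). Without it, a length-prefixed option value can hold bytes after a NUL that the C-string comparisons never see, so the constraint that is logged is not the one that was presented. Separately, the `permitopen_port()` check on line 37 now accepts `*` as `FWD_PERMIT_ANY_PORT`, which turns `permitopen="host:*"` from a parse error into "any port on host"; the adjacent `Bad permitopen port` message still reads as if only numeric ports are valid, so a comment above the check such as `/* "*" permits any port on host; see port_match() in channels.c */` would make the widened grammar visible to the next reader.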


@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.29 2011/05/23 03:30:07 djm Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.30 2011/09/25 05:44:47 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -237,8 +237,9 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
}
for (i = 0; i < cert->nprincipals; i++) {
if (strcmp(cp, cert->principals[i]) == 0) {
debug3("matched principal from file \"%.100s\"",
cert->principals[i]);
debug3("matched principal \"%.100s\" "
"from file \"%s\" on line %lu",
cert->principals[i], file, linenum);
if (auth_parse_options(pw, line_opts,
file, linenum) != 1)
continue;


@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -109,7 +109,7 @@ auth2_read_banner(void)
close(fd);
return (NULL);
}
if (st.st_size > 1*1024*1024) {
if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
close(fd);
return (NULL);
}


@ -1,4 +1,4 @@
/* $OpenBSD: authfile.c,v 1.92 2011/06/14 22:49:18 markus Exp $ */
/* $OpenBSD: authfile.c,v 1.93 2012/01/25 19:36:31 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -329,7 +329,7 @@ key_load_file(int fd, const char *filename, Buffer *blob)
filename == NULL ? "" : " ");
return 0;
}
buffer_init(blob);
buffer_clear(blob);
for (;;) {
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
if (errno == EPIPE)


@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */
/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -121,6 +121,9 @@ static int num_permitted_opens = 0;
/* Number of permitted host/port pair in the array permitted by the admin. */
static int num_adm_permitted_opens = 0;
/* special-case port number meaning allow any port */
#define FWD_PERMIT_ANY_PORT 0
/*
* If this is true, all opens are permitted. This is the case on the server
* on which we have to trust the client anyway, and the user could do
@ -297,6 +300,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
buffer_init(&c->output);
buffer_init(&c->extended);
c->path = NULL;
c->listening_addr = NULL;
c->listening_port = 0;
c->ostate = CHAN_OUTPUT_OPEN;
c->istate = CHAN_INPUT_OPEN;
c->flags = 0;
@ -406,6 +411,10 @@ channel_free(Channel *c)
xfree(c->path);
c->path = NULL;
}
if (c->listening_addr) {
xfree(c->listening_addr);
c->listening_addr = NULL;
}
while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
if (cc->abandon_cb != NULL)
cc->abandon_cb(c, cc->ctx);
@ -2612,6 +2621,46 @@ channel_set_af(int af)
IPv4or6 = af;
}
/*
* Determine whether or not a port forward listens to loopback, the
* specified address or wildcard. On the client, a specified bind
* address will always override gateway_ports. On the server, a
* gateway_ports of 1 (``yes'') will override the client's specification
* and force a wildcard bind, whereas a value of 2 (``clientspecified'')
* will bind to whatever address the client asked for.
*
* Special-case listen_addrs are:
*
* "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
* "" (empty string), "*" -> wildcard v4/v6
* "localhost" -> loopback v4/v6
*/
static const char *
channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
int is_client, int gateway_ports)
{
const char *addr = NULL;
int wildcard = 0;
if (listen_addr == NULL) {
/* No address specified: default to gateway_ports setting */
if (gateway_ports)
wildcard = 1;
} else if (gateway_ports || is_client) {
if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
*listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
(!is_client && gateway_ports == 1))
wildcard = 1;
else if (strcmp(listen_addr, "localhost") != 0)
addr = listen_addr;
}
if (wildcardp != NULL)
*wildcardp = wildcard;
return addr;
}
static int
channel_setup_fwd_listener(int type, const char *listen_addr,
u_short listen_port, int *allocated_listen_port,
@ -2637,36 +2686,9 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
return 0;
}
/*
* Determine whether or not a port forward listens to loopback,
* specified address or wildcard. On the client, a specified bind
* address will always override gateway_ports. On the server, a
* gateway_ports of 1 (``yes'') will override the client's
* specification and force a wildcard bind, whereas a value of 2
* (``clientspecified'') will bind to whatever address the client
* asked for.
*
* Special-case listen_addrs are:
*
* "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
* "" (empty string), "*" -> wildcard v4/v6
* "localhost" -> loopback v4/v6
*/
addr = NULL;
if (listen_addr == NULL) {
/* No address specified: default to gateway_ports setting */
if (gateway_ports)
wildcard = 1;
} else if (gateway_ports || is_client) {
if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
*listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
(!is_client && gateway_ports == 1))
wildcard = 1;
else if (strcmp(listen_addr, "localhost") != 0)
addr = listen_addr;
}
/* Determine the bind address, cf. channel_fwd_bind_addr() comment */
addr = channel_fwd_bind_addr(listen_addr, &wildcard,
is_client, gateway_ports);
debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
type, wildcard, (addr == NULL) ? "NULL" : addr);
@ -2764,7 +2786,12 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
0, "port listener", 1);
c->path = xstrdup(host);
c->host_port = port_to_connect;
c->listening_port = listen_port;
c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
if (listen_port == 0 && allocated_listen_port != NULL &&
!(datafellows & SSH_BUG_DYNAMIC_RPORT))
c->listening_port = *allocated_listen_port;
else
c->listening_port = listen_port;
success = 1;
}
if (success == 0)
@ -2782,9 +2809,44 @@ channel_cancel_rport_listener(const char *host, u_short port)
for (i = 0; i < channels_alloc; i++) {
Channel *c = channels[i];
if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
continue;
if (strcmp(c->path, host) == 0 && c->listening_port == port) {
debug2("%s: close channel %d", __func__, i);
channel_free(c);
found = 1;
}
}
if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
strcmp(c->path, host) == 0 && c->listening_port == port) {
return (found);
}
int
channel_cancel_lport_listener(const char *lhost, u_short lport,
int cport, int gateway_ports)
{
u_int i;
int found = 0;
const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, gateway_ports);
for (i = 0; i < channels_alloc; i++) {
Channel *c = channels[i];
if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
continue;
if (c->listening_port != lport)
continue;
if (cport == CHANNEL_CANCEL_PORT_STATIC) {
/* skip dynamic forwardings */
if (c->host_port == 0)
continue;
} else {
if (c->host_port != cport)
continue;
}
if ((c->listening_addr == NULL && addr != NULL) ||
(c->listening_addr != NULL && addr == NULL))
continue;
if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
debug2("%s: close channel %d", __func__, i);
channel_free(c);
found = 1;
@ -2814,38 +2876,45 @@ channel_setup_remote_fwd_listener(const char *listen_address,
NULL, 0, gateway_ports);
}
/*
* Translate the requested rfwd listen host to something usable for
* this server.
*/
static const char *
channel_rfwd_bind_host(const char *listen_host)
{
if (listen_host == NULL) {
if (datafellows & SSH_BUG_RFWD_ADDR)
return "127.0.0.1";
else
return "localhost";
} else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
if (datafellows & SSH_BUG_RFWD_ADDR)
return "0.0.0.0";
else
return "";
} else
return listen_host;
}
/*
* Initiate forwarding of connections to port "port" on remote host through
* the secure channel to host:port from local side.
* Returns handle (index) for updating the dynamic listen port with
* channel_update_permitted_opens().
*/
int
channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
const char *host_to_connect, u_short port_to_connect)
{
int type, success = 0;
int type, success = 0, idx = -1;
/* Send the forward request to the remote side. */
if (compat20) {
const char *address_to_bind;
if (listen_host == NULL) {
if (datafellows & SSH_BUG_RFWD_ADDR)
address_to_bind = "127.0.0.1";
else
address_to_bind = "localhost";
} else if (*listen_host == '\0' ||
strcmp(listen_host, "*") == 0) {
if (datafellows & SSH_BUG_RFWD_ADDR)
address_to_bind = "0.0.0.0";
else
address_to_bind = "";
} else
address_to_bind = listen_host;
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("tcpip-forward");
packet_put_char(1); /* boolean: want reply */
packet_put_cstring(address_to_bind);
packet_put_char(1); /* boolean: want reply */
packet_put_cstring(channel_rfwd_bind_host(listen_host));
packet_put_int(listen_port);
packet_send();
packet_write_wait();
@ -2877,25 +2946,25 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
/* Record that connection to this host/port is permitted. */
permitted_opens = xrealloc(permitted_opens,
num_permitted_opens + 1, sizeof(*permitted_opens));
permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
permitted_opens[num_permitted_opens].listen_port = listen_port;
num_permitted_opens++;
idx = num_permitted_opens++;
permitted_opens[idx].host_to_connect = xstrdup(host_to_connect);
permitted_opens[idx].port_to_connect = port_to_connect;
permitted_opens[idx].listen_port = listen_port;
}
return (success ? 0 : -1);
return (idx);
}
/*
* Request cancellation of remote forwarding of connection host:port from
* local side.
*/
void
int
channel_request_rforward_cancel(const char *host, u_short port)
{
int i;
if (!compat20)
return;
return -1;
for (i = 0; i < num_permitted_opens; i++) {
if (permitted_opens[i].host_to_connect != NULL &&
@ -2904,12 +2973,12 @@ channel_request_rforward_cancel(const char *host, u_short port)
}
if (i >= num_permitted_opens) {
debug("%s: requested forward not found", __func__);
return;
return -1;
}
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("cancel-tcpip-forward");
packet_put_char(0);
packet_put_cstring(host == NULL ? "" : host);
packet_put_cstring(channel_rfwd_bind_host(host));
packet_put_int(port);
packet_send();
@ -2917,6 +2986,8 @@ channel_request_rforward_cancel(const char *host, u_short port)
permitted_opens[i].port_to_connect = 0;
xfree(permitted_opens[i].host_to_connect);
permitted_opens[i].host_to_connect = NULL;
return 0;
}
/*
@ -2983,6 +3054,35 @@ channel_add_permitted_opens(char *host, int port)
all_opens_permitted = 0;
}
/*
* Update the listen port for a dynamic remote forward, after
* the actual 'newport' has been allocated. If 'newport' < 0 is
* passed then they entry will be invalidated.
*/
void
channel_update_permitted_opens(int idx, int newport)
{
if (idx < 0 || idx >= num_permitted_opens) {
debug("channel_update_permitted_opens: index out of range:"
" %d num_permitted_opens %d", idx, num_permitted_opens);
return;
}
debug("%s allowed port %d for forwarding to host %s port %d",
newport > 0 ? "Updating" : "Removing",
newport,
permitted_opens[idx].host_to_connect,
permitted_opens[idx].port_to_connect);
if (newport >= 0) {
permitted_opens[idx].listen_port =
(datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
} else {
permitted_opens[idx].listen_port = 0;
permitted_opens[idx].port_to_connect = 0;
xfree(permitted_opens[idx].host_to_connect);
permitted_opens[idx].host_to_connect = NULL;
}
}
int
channel_add_adm_permitted_opens(char *host, int port)
{
@ -3043,6 +3143,28 @@ channel_print_adm_permitted_opens(void)
printf("\n");
}
/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
int
permitopen_port(const char *p)
{
int port;
if (strcmp(p, "*") == 0)
return FWD_PERMIT_ANY_PORT;
if ((port = a2port(p)) > 0)
return port;
return -1;
}
static int
port_match(u_short allowedport, u_short requestedport)
{
if (allowedport == FWD_PERMIT_ANY_PORT ||
allowedport == requestedport)
return 1;
return 0;
}
/* Try to start non-blocking connect to next host in cctx list */
static int
connect_next(struct channel_connect *cctx)
@ -3145,7 +3267,7 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
for (i = 0; i < num_permitted_opens; i++) {
if (permitted_opens[i].host_to_connect != NULL &&
permitted_opens[i].listen_port == listen_port) {
port_match(permitted_opens[i].listen_port, listen_port)) {
return connect_to(
permitted_opens[i].host_to_connect,
permitted_opens[i].port_to_connect, ctype, rname);
@ -3166,7 +3288,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
if (!permit) {
for (i = 0; i < num_permitted_opens; i++)
if (permitted_opens[i].host_to_connect != NULL &&
permitted_opens[i].port_to_connect == port &&
port_match(permitted_opens[i].port_to_connect, port) &&
strcmp(permitted_opens[i].host_to_connect, host) == 0)
permit = 1;
}
@ -3175,7 +3297,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
permit_adm = 0;
for (i = 0; i < num_adm_permitted_opens; i++)
if (permitted_adm_opens[i].host_to_connect != NULL &&
permitted_adm_opens[i].port_to_connect == port &&
port_match(permitted_adm_opens[i].port_to_connect, port) &&
strcmp(permitted_adm_opens[i].host_to_connect, host)
== 0)
permit_adm = 1;
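Review bot: `port_match()` on line 481 treats a `permitted_opens[].listen_port` of 0 as matching any requested listen port, but 0 is not only the `FWD_PERMIT_ANY_PORT` wildcard in that array: `channel_request_remote_forwarding` stores `listen_port` 0 for a dynamic remote forward until the reply arrives (line 378), and `channel_update_permitted_opens` keeps it at 0 permanently when `SSH_BUG_DYNAMIC_RPORT` is set (line 441). Such an entry now accepts a `forwarded-tcpip` open from the server for any listen port rather than the one requested, which the previous `==` comparison did not. If that is the intended bug-compat behaviour, record it at the definition, `#define FWD_PERMIT_ANY_PORT 0 /* also what listen_port holds for a dynamic rfwd whose port is unknown */`; if not, keep `==` for `listen_port` and reserve `port_match()` for `port_to_connect`. Also, the comment on the new `channel_update_permitted_opens` reads `then they entry will be invalidated` and should be `then the entry will be invalidated`.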


@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.105 2011/06/22 22:08:42 djm Exp $ */
/* $OpenBSD: channels.h,v 1.109 2011/09/23 07:45:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -57,6 +57,8 @@
#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
#define SSH_CHANNEL_MAX_TYPE 17
#define CHANNEL_CANCEL_PORT_STATIC -1
struct Channel;
typedef struct Channel Channel;
@ -115,6 +117,7 @@ struct Channel {
char *path;
/* path for unix domain sockets, or host name for forwards */
int listening_port; /* port being listened for forwards */
char *listening_addr; /* addr being listened for forwards */
int host_port; /* remote port to connect for forwards */
char *remote_name; /* remote hostname */
@ -249,6 +252,7 @@ void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
int channel_add_adm_permitted_opens(char *, int);
void channel_update_permitted_opens(int, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
void channel_print_adm_permitted_opens(void);
@ -260,9 +264,11 @@ int channel_request_remote_forwarding(const char *, u_short,
const char *, u_short);
int channel_setup_local_fwd_listener(const char *, u_short,
const char *, u_short, int);
void channel_request_rforward_cancel(const char *host, u_short port);
int channel_request_rforward_cancel(const char *host, u_short port);
int channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
int channel_cancel_rport_listener(const char *, u_short);
int channel_cancel_lport_listener(const char *, u_short, int, int);
int permitopen_port(const char *);
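Review bot: `CHANNEL_CANCEL_PORT_STATIC` on line 514 is a sentinel for the `cport` argument of `channel_cancel_lport_listener`, but neither the define nor the prototype on line 540 says which parameter it belongs to or that it exists because port 0 already means "dynamic forward" there. A comment at the define, `#define CHANNEL_CANCEL_PORT_STATIC -1 /* cport: cancel only non-dynamic forwards */`, and parameter names in the prototype, `int channel_cancel_lport_listener(const char *lhost, u_short lport, int cport, int gateway_ports);`, would make the header self-describing, as `channel_request_rforward_cancel` on line 537 already is.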
/* x11 forwarding */


@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.236 2011/06/22 22:08:42 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -273,6 +273,23 @@ set_control_persist_exit_time(void)
/* else we are already counting down to the timeout */
}
#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_"
static int
client_x11_display_valid(const char *display)
{
size_t i, dlen;
dlen = strlen(display);
for (i = 0; i < dlen; i++) {
if (!isalnum(display[i]) &&
strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
debug("Invalid character '%c' in DISPLAY", display[i]);
return 0;
}
}
return 1;
}
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
void
client_x11_get_proto(const char *display, const char *xauth_path,
@ -295,6 +312,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
debug("No xauth program.");
} else if (!client_x11_display_valid(display)) {
logit("DISPLAY '%s' invalid, falling back to fake xauth data",
display);
} else {
if (display == NULL) {
debug("x11_get_proto: DISPLAY not set");
@ -830,9 +850,8 @@ process_cmdline(void)
{
void (*handler)(int);
char *s, *cmd, *cancel_host;
int delete = 0;
int local = 0, remote = 0, dynamic = 0;
int cancel_port;
int delete = 0, local = 0, remote = 0, dynamic = 0;
int cancel_port, ok;
Forward fwd;
bzero(&fwd, sizeof(fwd));
@ -858,8 +877,12 @@ process_cmdline(void)
"Request remote forward");
logit(" -D[bind_address:]port "
"Request dynamic forward");
logit(" -KL[bind_address:]port "
"Cancel local forward");
logit(" -KR[bind_address:]port "
"Cancel remote forward");
logit(" -KD[bind_address:]port "
"Cancel dynamic forward");
if (!options.permit_local_command)
goto out;
logit(" !args "
@ -888,11 +911,7 @@ process_cmdline(void)
goto out;
}
if ((local || dynamic) && delete) {
logit("Not supported.");
goto out;
}
if (remote && delete && !compat20) {
if (delete && !compat20) {
logit("Not supported for SSH protocol version 1.");
goto out;
}
@ -915,7 +934,21 @@ process_cmdline(void)
logit("Bad forwarding close port");
goto out;
}
channel_request_rforward_cancel(cancel_host, cancel_port);
if (remote)
ok = channel_request_rforward_cancel(cancel_host,
cancel_port) == 0;
else if (dynamic)
ok = channel_cancel_lport_listener(cancel_host,
cancel_port, 0, options.gateway_ports) > 0;
else
ok = channel_cancel_lport_listener(cancel_host,
cancel_port, CHANNEL_CANCEL_PORT_STATIC,
options.gateway_ports) > 0;
if (!ok) {
logit("Unkown port forwarding.");
goto out;
}
logit("Canceled forwarding.");
} else {
if (!parse_forward(&fwd, s, dynamic, remote)) {
logit("Bad forwarding specification.");
@ -936,7 +969,6 @@ process_cmdline(void)
goto out;
}
}
logit("Forwarding port.");
}
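Review bot: `client_x11_display_valid(display)` on line 576 runs `strlen(display)` (line 560) before the `display == NULL` test on line 580 is reached, so when `DISPLAY` is unset the NULL check is now unreachable and the validator dereferences NULL. Either test `display == NULL` ahead of the `else if` on line 576, or make the helper defensive with `if (display == NULL) return 0;` as its first statement. The `isalnum(display[i])` call on line 562 should also pass `(unsigned char)display[i]`, since a negative `char` value is undefined for the ctype functions. Finally, the user-visible message on line 634 misspells its first word: `logit("Unknown port forwarding.");`.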


@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.28 2011/06/22 22:08:42 djm Exp $ */
/* $OpenBSD: clientloop.h,v 1.29 2011/09/09 22:46:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -70,6 +70,7 @@ void client_expect_confirm(int, const char *, enum confirm_action);
#define SSHMUX_COMMAND_STDIO_FWD 4 /* Open stdio fwd (ssh -W) */
#define SSHMUX_COMMAND_FORWARD 5 /* Forward only, no command */
#define SSHMUX_COMMAND_STOP 6 /* Disable mux but not conn */
#define SSHMUX_COMMAND_CANCEL_FWD 7 /* Cancel forwarding(s) */
void muxserver_listen(void);
void muxclient(const char *);


@ -1,4 +1,4 @@
/* $OpenBSD: compat.c,v 1.78 2008/09/11 14:22:37 markus Exp $ */
/* $OpenBSD: compat.c,v 1.79 2011/09/23 07:45:05 markus Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@ -90,6 +90,7 @@ compat_datafellows(const char *version)
{ "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR },
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
{ "OpenSSH_4*", 0 },
{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
{ "OpenSSH*", SSH_NEW_OPENSSH },
{ "*MindTerm*", 0 },
{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|


@ -1,4 +1,4 @@
/* $OpenBSD: compat.h,v 1.42 2008/09/11 14:22:37 markus Exp $ */
/* $OpenBSD: compat.h,v 1.43 2011/09/23 07:45:05 markus Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@ -58,6 +58,7 @@
#define SSH_OLD_FORWARD_ADDR 0x01000000
#define SSH_BUG_RFWD_ADDR 0x02000000
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
void enable_compat13(void);
void enable_compat20(void);


@ -1,4 +1,4 @@
/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */
/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@ -233,6 +233,8 @@ dh_gen_key(DH *dh, int need)
{
int i, bits_set, tries = 0;
if (need < 0)
fatal("dh_gen_key: need < 0");
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))


@ -1,4 +1,4 @@
/* $OpenBSD: key.c,v 1.97 2011/05/17 07:13:31 djm Exp $ */
/* $OpenBSD: key.c,v 1.98 2011/10/18 04:58:26 djm Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1310,11 +1310,6 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
goto out;
}
if (kidlen != strlen(key->cert->key_id)) {
error("%s: key ID contains \\0 character", __func__);
goto out;
}
/* Signature is left in the buffer so we can calculate this length */
signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);


@ -1,4 +1,4 @@
/* $OpenBSD: mac.c,v 1.16 2011/08/02 01:22:11 djm Exp $ */
/* $OpenBSD: mac.c,v 1.17 2011/12/02 00:43:57 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -111,6 +111,7 @@ mac_init(Mac *mac)
case SSH_EVP:
if (mac->evp_md == NULL)
return -1;
HMAC_CTX_init(&mac->evp_ctx);
HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
return 0;
case SSH_UMAC:
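Review bot: `HMAC_CTX_init()` on line 742 must be paired with `HMAC_CTX_cleanup()` in the MAC teardown path, which is outside this hunk; please confirm that path exists, otherwise the digest state that `HMAC_Init` allocates inside `evp_ctx` is leaked each time a MAC is set up. If `mac_init` can be called again on the same `Mac` without an intervening cleanup (rekeying), re-initialising the live context here has the same effect, so a short contract comment above the call, `/* evp_ctx must have been cleaned up before mac_init() runs again */`, would record the expectation.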


@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.85 2011/03/29 18:54:17 stevesk Exp $ */
/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@ -920,7 +920,7 @@ static const struct {
{ "af11", IPTOS_DSCP_AF11 },
{ "af12", IPTOS_DSCP_AF12 },
{ "af13", IPTOS_DSCP_AF13 },
{ "af14", IPTOS_DSCP_AF21 },
{ "af21", IPTOS_DSCP_AF21 },
{ "af22", IPTOS_DSCP_AF22 },
{ "af23", IPTOS_DSCP_AF23 },
{ "af31", IPTOS_DSCP_AF31 },


@ -1,4 +1,4 @@
/* $OpenBSD: moduli.c,v 1.22 2010/11/10 01:33:07 djm Exp $ */
/* $OpenBSD: moduli.c,v 1.25 2011/10/19 00:06:10 djm Exp $ */
/*
* Copyright 1994 Phil Karn <karn@qualcomm.com>
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@ -37,16 +37,19 @@
* Second step: test primes' safety (processor intensive)
*/
#include <sys/param.h>
#include <sys/types.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <time.h>
#include <unistd.h>
#include "xmalloc.h"
#include "dh.h"
@ -133,7 +136,7 @@ static u_int32_t largebits, largememory; /* megabytes */
static BIGNUM *largebase;
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *);
/*
* print moduli out in consistent form,
@ -434,6 +437,52 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
return (ret);
}
static void
write_checkpoint(char *cpfile, u_int32_t lineno)
{
FILE *fp;
char tmp[MAXPATHLEN];
int r;
r = snprintf(tmp, sizeof(tmp), "%s.XXXXXXXXXX", cpfile);
if (r == -1 || r >= MAXPATHLEN) {
logit("write_checkpoint: temp pathname too long");
return;
}
if ((r = mkstemp(tmp)) == -1) {
logit("mkstemp(%s): %s", tmp, strerror(errno));
return;
}
if ((fp = fdopen(r, "w")) == NULL) {
logit("write_checkpoint: fdopen: %s", strerror(errno));
close(r);
return;
}
if (fprintf(fp, "%lu\n", (unsigned long)lineno) > 0 && fclose(fp) == 0
&& rename(tmp, cpfile) == 0)
debug3("wrote checkpoint line %lu to '%s'",
(unsigned long)lineno, cpfile);
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
}
static unsigned long
read_checkpoint(char *cpfile)
{
FILE *fp;
unsigned long lineno = 0;
if ((fp = fopen(cpfile, "r")) == NULL)
return 0;
if (fscanf(fp, "%lu\n", &lineno) < 1)
logit("Failed to load checkpoint from '%s'", cpfile);
else
logit("Loaded checkpoint from '%s' line %lu", cpfile, lineno);
fclose(fp);
return lineno;
}
/*
* perform a Miller-Rabin primality test
* on the list of candidates
@ -441,13 +490,15 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
* The result is a list of so-call "safe" primes
*/
int
prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
char *checkpoint_file)
{
BIGNUM *q, *p, *a;
BN_CTX *ctx;
char *cp, *lp;
u_int32_t count_in = 0, count_out = 0, count_possible = 0;
u_int32_t generator_known, in_tests, in_tries, in_type, in_size;
unsigned long last_processed = 0;
time_t time_start, time_stop;
int res;
@ -468,10 +519,21 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
debug2("%.24s Final %u Miller-Rabin trials (%x generator)",
ctime(&time_start), trials, generator_wanted);
if (checkpoint_file != NULL)
last_processed = read_checkpoint(checkpoint_file);
res = 0;
lp = xmalloc(QLINESIZE + 1);
while (fgets(lp, QLINESIZE + 1, in) != NULL) {
count_in++;
if (checkpoint_file != NULL) {
if (count_in <= last_processed) {
debug3("skipping line %u, before checkpoint",
count_in);
continue;
}
write_checkpoint(checkpoint_file, count_in);
}
if (strlen(lp) < 14 || *lp == '!' || *lp == '#') {
debug2("%10u: comment or short line", count_in);
continue;
@ -640,6 +702,9 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
BN_free(q);
BN_CTX_free(ctx);
if (checkpoint_file != NULL)
unlink(checkpoint_file);
logit("%.24s Found %u safe primes of %u candidates in %ld seconds",
ctime(&time_stop), count_out, count_possible,
(long) (time_stop - time_start));
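Review bot: `write_checkpoint` (lines 799-826) leaks on its failure paths: if `fprintf` fails the `&&` chain on line 819 skips `fclose`, so the stream and its descriptor stay open, and on any of the three failures the `mkstemp` temporary is never unlinked, so every failed checkpoint leaves a stray `<cpfile>.XXXXXXXXXX` file next to the checkpoint; the `fdopen` failure on line 814 leaves the temporary too. Close the stream unconditionally, log while `errno` is still meaningful, then unlink the temporary. Separately, `prime_test` writes the checkpoint for `count_in` before that candidate is tested (line 875) and on resume skips every line `<= last_processed` (line 870), so the candidate in progress at the interruption is never tested; skipping only lines `< last_processed` re-tests it instead of dropping it.
```c
	int r, ok;
	/* … unchanged: snprintf/mkstemp of tmp … */
	if ((fp = fdopen(r, "w")) == NULL) {
		logit("write_checkpoint: fdopen: %s", strerror(errno));
		close(r);
		unlink(tmp);
		return;
	}
	/* fclose() releases the stream even when it reports failure */
	ok = fprintf(fp, "%lu\n", (unsigned long)lineno) > 0;
	if (fclose(fp) != 0)
		ok = 0;
	if (ok && rename(tmp, cpfile) == 0) {
		debug3("wrote checkpoint line %lu to '%s'",
		    (unsigned long)lineno, cpfile);
		return;
	}
	logit("failed to write to checkpoint file '%s': %s", cpfile,
	    strerror(errno));
	unlink(tmp);	/* do not leave a stale temporary behind */
```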


@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.115 2011/06/23 23:35:42 djm Exp $ */
/* $OpenBSD: monitor.c,v 1.116 2012/01/05 00:16:56 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -415,6 +415,7 @@ monitor_read_log(struct monitor *pmonitor)
if (atomicio(read, pmonitor->m_log_recvfd,
buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) {
if (errno == EPIPE) {
buffer_free(&logmsg);
debug("%s: child log fd closed", __func__);
close(pmonitor->m_log_recvfd);
pmonitor->m_log_recvfd = -1;


@ -1,4 +1,4 @@
/* $OpenBSD: mux.c,v 1.29 2011/06/22 22:08:42 djm Exp $ */
/* $OpenBSD: mux.c,v 1.34 2012/01/07 21:11:36 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@ -324,10 +324,8 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
env_len = 0;
while (buffer_len(m) > 0) {
#define MUX_MAX_ENV_VARS 4096
if ((cp = buffer_get_string_ret(m, &len)) == NULL) {
xfree(cmd);
if ((cp = buffer_get_string_ret(m, &len)) == NULL)
goto malf;
}
if (!env_permitted(cp)) {
xfree(cp);
continue;
@ -584,12 +582,16 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
buffer_put_int(&out, MUX_S_REMOTE_PORT);
buffer_put_int(&out, fctx->rid);
buffer_put_int(&out, rfwd->allocated_port);
channel_update_permitted_opens(rfwd->handle,
rfwd->allocated_port);
} else {
buffer_put_int(&out, MUX_S_OK);
buffer_put_int(&out, fctx->rid);
}
goto out;
} else {
if (rfwd->listen_port == 0)
channel_update_permitted_opens(rfwd->handle, -1);
xasprintf(&failmsg, "remote port forwarding failed for "
"listen port %d", rfwd->listen_port);
}
@ -728,8 +730,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
} else {
struct mux_channel_confirm_ctx *fctx;
if (channel_request_remote_forwarding(fwd.listen_host,
fwd.listen_port, fwd.connect_host, fwd.connect_port) < 0)
fwd.handle = channel_request_remote_forwarding(fwd.listen_host,
fwd.listen_port, fwd.connect_host, fwd.connect_port);
if (fwd.handle < 0)
goto fail;
add_remote_forward(&options, &fwd);
fctx = xcalloc(1, sizeof(*fctx));
@ -760,10 +763,11 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
static int
process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
{
Forward fwd;
Forward fwd, *found_fwd;
char *fwd_desc = NULL;
const char *error_reason = NULL;
u_int ftype;
int ret = 0;
int i, listen_port, ret = 0;
fwd.listen_host = fwd.connect_host = NULL;
if (buffer_get_int_ret(&ftype, m) != 0 ||
@ -785,14 +789,70 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
fwd.connect_host = NULL;
}
debug2("%s: channel %d: request %s", __func__, c->self,
debug2("%s: channel %d: request cancel %s", __func__, c->self,
(fwd_desc = format_forward(ftype, &fwd)));
/* XXX implement this */
buffer_put_int(r, MUX_S_FAILURE);
buffer_put_int(r, rid);
buffer_put_cstring(r, "unimplemented");
/* make sure this has been requested */
found_fwd = NULL;
switch (ftype) {
case MUX_FWD_LOCAL:
case MUX_FWD_DYNAMIC:
for (i = 0; i < options.num_local_forwards; i++) {
if (compare_forward(&fwd,
options.local_forwards + i)) {
found_fwd = options.local_forwards + i;
break;
}
}
break;
case MUX_FWD_REMOTE:
for (i = 0; i < options.num_remote_forwards; i++) {
if (compare_forward(&fwd,
options.remote_forwards + i)) {
found_fwd = options.remote_forwards + i;
break;
}
}
break;
}
if (found_fwd == NULL)
error_reason = "port not forwarded";
else if (ftype == MUX_FWD_REMOTE) {
/*
* This shouldn't fail unless we confused the host/port
* between options.remote_forwards and permitted_opens.
* However, for dynamic allocated listen ports we need
* to lookup the actual listen port.
*/
listen_port = (fwd.listen_port == 0) ?
found_fwd->allocated_port : fwd.listen_port;
if (channel_request_rforward_cancel(fwd.listen_host,
listen_port) == -1)
error_reason = "port not in permitted opens";
} else { /* local and dynamic forwards */
/* Ditto */
if (channel_cancel_lport_listener(fwd.listen_host,
fwd.listen_port, fwd.connect_port,
options.gateway_ports) == -1)
error_reason = "port not found";
}
if (error_reason == NULL) {
buffer_put_int(r, MUX_S_OK);
buffer_put_int(r, rid);
if (found_fwd->listen_host != NULL)
xfree(found_fwd->listen_host);
if (found_fwd->connect_host != NULL)
xfree(found_fwd->connect_host);
found_fwd->listen_host = found_fwd->connect_host = NULL;
found_fwd->listen_port = found_fwd->connect_port = 0;
} else {
buffer_put_int(r, MUX_S_FAILURE);
buffer_put_int(r, rid);
buffer_put_cstring(r, error_reason);
}
out:
if (fwd_desc != NULL)
xfree(fwd_desc);
@ -1513,18 +1573,19 @@ mux_client_request_terminate(int fd)
}
static int
mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
{
Buffer m;
char *e, *fwd_desc;
u_int type, rid;
fwd_desc = format_forward(ftype, fwd);
debug("Requesting %s", fwd_desc);
debug("Requesting %s %s",
cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
xfree(fwd_desc);
buffer_init(&m);
buffer_put_int(&m, MUX_C_OPEN_FWD);
buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
buffer_put_int(&m, muxclient_request_id);
buffer_put_int(&m, ftype);
buffer_put_cstring(&m,
@ -1553,6 +1614,8 @@ mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
case MUX_S_OK:
break;
case MUX_S_REMOTE_PORT:
if (cancel_flag)
fatal("%s: got MUX_S_REMOTE_PORT for cancel", __func__);
fwd->allocated_port = buffer_get_int(&m);
logit("Allocated port %u for remote forward to %s:%d",
fwd->allocated_port,
@ -1582,27 +1645,28 @@ mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
}
static int
mux_client_request_forwards(int fd)
mux_client_forwards(int fd, int cancel_flag)
{
int i;
int i, ret = 0;
debug3("%s: requesting forwardings: %d local, %d remote", __func__,
debug3("%s: %s forwardings: %d local, %d remote", __func__,
cancel_flag ? "cancel" : "request",
options.num_local_forwards, options.num_remote_forwards);
/* XXX ExitOnForwardingFailure */
for (i = 0; i < options.num_local_forwards; i++) {
if (mux_client_request_forward(fd,
if (mux_client_forward(fd, cancel_flag,
options.local_forwards[i].connect_port == 0 ?
MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
options.local_forwards + i) != 0)
return -1;
ret = -1;
}
for (i = 0; i < options.num_remote_forwards; i++) {
if (mux_client_request_forward(fd, MUX_FWD_REMOTE,
if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
options.remote_forwards + i) != 0)
return -1;
ret = -1;
}
return 0;
return ret;
}
static int
@ -1989,11 +2053,11 @@ muxclient(const char *path)
fprintf(stderr, "Exit request sent.\r\n");
exit(0);
case SSHMUX_COMMAND_FORWARD:
if (mux_client_request_forwards(sock) != 0)
if (mux_client_forwards(sock, 0) != 0)
fatal("%s: master forward request failed", __func__);
exit(0);
case SSHMUX_COMMAND_OPEN:
if (mux_client_request_forwards(sock) != 0) {
if (mux_client_forwards(sock, 0) != 0) {
error("%s: master forward request failed", __func__);
return;
}
@ -2006,6 +2070,11 @@ muxclient(const char *path)
mux_client_request_stop_listening(sock);
fprintf(stderr, "Stop listening request sent.\r\n");
exit(0);
case SSHMUX_COMMAND_CANCEL_FWD:
if (mux_client_forwards(sock, 1) != 0)
error("%s: master cancel forward request failed",
__func__);
exit(0);
default:
fatal("unrecognised muxclient_command %d", muxclient_command);
}


@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.173 2011/05/06 21:14:05 djm Exp $ */
/* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -238,7 +238,7 @@ packet_set_connection(int fd_in, int fd_out)
void
packet_set_timeout(int timeout, int count)
{
if (timeout == 0 || count == 0) {
if (timeout <= 0 || count <= 0) {
active_state->packet_timeout_ms = -1;
return;
}
@ -959,8 +959,10 @@ packet_send2(void)
/* during rekeying we can only send key exchange messages */
if (active_state->rekeying) {
if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
(type <= SSH2_MSG_TRANSPORT_MAX))) {
if ((type < SSH2_MSG_TRANSPORT_MIN) ||
(type > SSH2_MSG_TRANSPORT_MAX) ||
(type == SSH2_MSG_SERVICE_REQUEST) ||
(type == SSH2_MSG_SERVICE_ACCEPT)) {
debug("enqueue packet: %u", type);
p = xmalloc(sizeof(*p));
p->type = type;
@ -1434,12 +1436,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
}
}
int
packet_read_poll(void)
{
return packet_read_poll_seqnr(NULL);
}
/*
* Buffers the given amount of input characters. This is intended to be used
* together with packet_read_poll.
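Review bot: The comment above the rekeying block in packet_send2, `/* during rekeying we can only send key exchange messages */`, no longer matches the condition beneath it, which now also queues SSH2_MSG_SERVICE_REQUEST and SSH2_MSG_SERVICE_ACCEPT even though both lie inside the transport range; suggest `/* during rekeying only transport messages may be sent, except service request/accept, which are queued too */`. Further down, the unchanged comment `together with packet_read_poll.` refers to the wrapper this same file section removes; it should name packet_read_poll_seqnr instead. packet_send2's body continues outside the hunk.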


@ -1,4 +1,4 @@
/* $OpenBSD: packet.h,v 1.56 2011/05/06 21:14:05 djm Exp $ */
/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -51,7 +51,6 @@ void packet_send(void);
int packet_read(void);
void packet_read_expect(int type);
int packet_read_poll(void);
void packet_process_incoming(const char *buf, u_int len);
int packet_read_seqnr(u_int32_t *seqnr_p);
int packet_read_poll_seqnr(u_int32_t *seqnr_p);


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.194 2011/09/23 07:45:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -290,6 +290,7 @@ add_remote_forward(Options *options, const Forward *newfwd)
fwd->listen_port = newfwd->listen_port;
fwd->connect_host = newfwd->connect_host;
fwd->connect_port = newfwd->connect_port;
fwd->handle = newfwd->handle;
fwd->allocated_port = 0;
}


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.90 2011/05/24 07:15:47 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.91 2011/09/23 07:45:05 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -24,6 +24,7 @@ typedef struct {
char *connect_host; /* Host to connect. */
int connect_port; /* Port to connect on connect_host. */
int allocated_port; /* Dynamically allocated listen port */
int handle; /* Handle for dynamic listen ports */
} Forward;
/* Data structure for representing option data. */
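Review bot: The new field's comment, `/* Handle for dynamic listen ports */`, is narrower than the field's use: the ssh.c hunk in this commit stores the return value of channel_request_remote_forwarding in handle for every remote forward in ssh_init_forwarding and treats `handle < 0` as the failure case, and ssh_confirm_remote_forward hands it to channel_update_permitted_opens. Suggest `/* Handle returned by channel_request_remote_forwarding(); < 0 when the request failed */`, or any wording that says it applies to remote forwards generally rather than only to dynamically allocated ports.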


@ -1,4 +1,4 @@
/* $OpenBSD: roaming.h,v 1.5 2009/10/24 11:11:58 andreas Exp $ */
/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@ -18,8 +18,9 @@
#ifndef ROAMING_H
#define ROAMING_H
#define DEFAULT_ROAMBUF 65536
#define ROAMING_REQUEST "roaming@appgate.com"
#define DEFAULT_ROAMBUF 65536
#define MAX_ROAMBUF (2*1024*1024) /* XXX arbitrary */
#define ROAMING_REQUEST "roaming@appgate.com"
extern int roaming_enabled;
extern int resume_in_progress;


@ -1,4 +1,4 @@
/* $OpenBSD: roaming_client.c,v 1.3 2010/01/18 01:50:27 dtucker Exp $ */
/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@ -68,7 +68,7 @@ roaming_reply(int type, u_int32_t seq, void *ctxt)
cookie = packet_get_int64();
key1 = oldkey1 = packet_get_int64();
key2 = oldkey2 = packet_get_int64();
set_out_buffer_size(packet_get_int() + get_snd_buf_size());
set_out_buffer_size(packet_get_int() + get_snd_buf_size());
roaming_enabled = 1;
}


@ -1,4 +1,4 @@
/* $OpenBSD: roaming_common.c,v 1.8 2010/01/12 00:59:29 djm Exp $ */
/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@ -71,6 +71,8 @@ get_recv_buf_size()
void
set_out_buffer_size(size_t size)
{
if (size == 0 || size > MAX_ROAMBUF)
fatal("%s: bad buffer size %lu", __func__, (u_long)size);
/*
* The buffer size can only be set once and the buffer will live
* as long as the session lives.
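Review bot: The new bound in set_out_buffer_size is applied to a value that has already been added to get_snd_buf_size() at the only caller visible in this commit (roaming_client.c: `set_out_buffer_size(packet_get_int() + get_snd_buf_size());`); if that addition is performed in a 32-bit unsigned type, a large peer-supplied value can wrap to a small sum and pass the `size > MAX_ROAMBUF` test. Checking the peer-supplied value against MAX_ROAMBUF before the addition, or widening the addition to size_t at the call site, would make the limit hold independently of the caller's arithmetic. I cannot see get_snd_buf_size()'s return type here, so this may already be safe on the platforms that matter; worth confirming. The body of set_out_buffer_size continues past the hunk.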


@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.56 2010/12/09 14:13:32 jmc Exp $
.\" $OpenBSD: scp.1,v 1.58 2011/09/05 07:01:44 jmc Exp $
.\"
.Dd $Mdocdate: December 9 2010 $
.Dd $Mdocdate: September 5 2011 $
.Dt SCP 1
.Os
.Sh NAME
@ -31,7 +31,7 @@
.Oo
.Op Ar user No @
.Ar host1 No :
.Oc Ns Ar file1
.Oc Ar file1
.Sm on
.Ar ...
.Sm off
@ -140,6 +140,7 @@ For full details of the options listed below, and their possible values, see
.It ConnectTimeout
.It ControlMaster
.It ControlPath
.It ControlPersist
.It GlobalKnownHostsFile
.It GSSAPIAuthentication
.It GSSAPIDelegateCredentials
@ -152,6 +153,7 @@ For full details of the options listed below, and their possible values, see
.It IdentityFile
.It IdentitiesOnly
.It IPQoS
.It KbdInteractiveAuthentication
.It KbdInteractiveDevices
.It KexAlgorithms
.It LogLevel


@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.170 2010/12/09 14:13:33 jmc Exp $ */
/* $OpenBSD: scp.c,v 1.171 2011/09/09 22:37:01 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -580,12 +580,14 @@ toremote(char *targ, int argc, char **argv)
host = cleanhostname(argv[i]);
suser = NULL;
}
xasprintf(&bp, "%s -f -- %s", cmd, src);
xasprintf(&bp, "%s -f %s%s", cmd,
*src == '-' ? "-- " : "", src);
if (do_cmd(host, suser, bp, &remin, &remout) < 0)
exit(1);
(void) xfree(bp);
host = cleanhostname(thost);
xasprintf(&bp, "%s -t -- %s", cmd, targ);
xasprintf(&bp, "%s -t %s%s", cmd,
*targ == '-' ? "-- " : "", targ);
if (do_cmd2(host, tuser, bp, remin, remout) < 0)
exit(1);
(void) xfree(bp);
@ -631,7 +633,8 @@ toremote(char *targ, int argc, char **argv)
errs = 1;
} else { /* local to remote */
if (remin == -1) {
xasprintf(&bp, "%s -t -- %s", cmd, targ);
xasprintf(&bp, "%s -t %s%s", cmd,
*targ == '-' ? "-- " : "", targ);
host = cleanhostname(thost);
if (do_cmd(host, tuser, bp, &remin,
&remout) < 0)
@ -684,7 +687,8 @@ tolocal(int argc, char **argv)
suser = pwd->pw_name;
}
host = cleanhostname(host);
xasprintf(&bp, "%s -f -- %s", cmd, src);
xasprintf(&bp, "%s -f %s%s",
cmd, *src == '-' ? "-- " : "", src);
if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
(void) xfree(bp);
++errs;
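Review bot: The expression `*src == '-' ? "-- " : ""` (and its `targ` twin) is now spelled out at four xasprintf sites across toremote and tolocal; a one-line helper such as `static const char *dashdash(const char *s) { return *s == '-' ? "-- " : ""; }` used as `xasprintf(&bp, "%s -f %s%s", cmd, dashdash(src), src);` would keep the copies from drifting apart. Presumably the unconditional `--` was dropped for compatibility with remote scp implementations that do not accept it; a short comment at the first site saying so would save the next reader from wondering why the separator is only emitted for dash-prefixed names. Both toremote and tolocal extend beyond the hunks.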


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -1296,7 +1296,7 @@ process_server_config_line(ServerOptions *options, char *line,
fatal("%s line %d: missing host in PermitOpen",
filename, linenum);
p = cleanhostname(p);
if (arg == NULL || (port = a2port(arg)) <= 0)
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
fatal("%s line %d: bad port number in "
"PermitOpen", filename, linenum);
if (*activep && n == -1)
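Review bot: The condition `(port = permitopen_port(arg)) < 0` now accepts a return value of 0, which the previous `a2port(arg) <= 0` rejected, and nothing at the call site says what 0 means; a reader has to infer from the sshd.8 hunk in this commit (`A port specification of * matches any port`) that it denotes the wildcard. A comment at the call, `/* permitopen_port() returns 0 for "*" (any port), < 0 on error */`, would keep the intent local — please confirm that this is permitopen_port's contract, since its definition is not part of this diff. process_server_config_line continues outside the hunk.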


@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.258 2010/11/25 04:10:09 djm Exp $ */
/* $OpenBSD: session.c,v 1.259 2011/10/24 02:13:13 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -1808,7 +1808,7 @@ session_break_req(Session *s)
packet_get_int(); /* ignored */
packet_check_eom();
if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0)
if (s->ptymaster == -1 || tcsendbreak(s->ptymaster, 0) < 0)
return 0;
return 1;
}


@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.94 2010/12/04 00:18:01 djm Exp $ */
/* $OpenBSD: sftp-client.c,v 1.96 2011/09/12 08:46:15 markus Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -455,12 +455,12 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
buffer_put_cstring(&msg, path);
send_msg(conn, &msg);
buffer_clear(&msg);
handle = get_handle(conn, id, &handle_len,
"remote readdir(\"%s\")", path);
if (handle == NULL)
if (handle == NULL) {
buffer_free(&msg);
return -1;
}
if (dir) {
ents = 0;
@ -503,6 +503,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
fx2txt(status));
do_close(conn, handle, handle_len);
xfree(handle);
buffer_free(&msg);
return(status);
}
} else if (type != SSH2_FXP_NAME)
@ -798,15 +799,15 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
Buffer msg;
u_int status, id;
buffer_init(&msg);
/* Send link request */
id = conn->msg_id++;
if ((conn->exts & SFTP_EXT_HARDLINK) == 0) {
error("Server does not support hardlink@openssh.com extension");
return -1;
}
buffer_init(&msg);
/* Send link request */
id = conn->msg_id++;
buffer_put_char(&msg, SSH2_FXP_EXTENDED);
buffer_put_int(&msg, id);
buffer_put_cstring(&msg, "hardlink@openssh.com");
@ -882,6 +883,7 @@ do_readlink(struct sftp_conn *conn, char *path)
u_int status = buffer_get_int(&msg);
error("Couldn't readlink: %s", fx2txt(status));
buffer_free(&msg);
return(NULL);
} else if (type != SSH2_FXP_NAME)
fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
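Review bot: Each early return touched here now carries its own `buffer_free(&msg);` (do_lsreaddir at the get_handle failure and at the status error, do_readlink at the status error), so the next error path added to these functions has to remember the same thing; a single `out:` label that frees msg, reached by goto from every failure site, would remove that hazard and is easier to audit than per-return cleanup. The do_hardlink reorder is right as it stands: the extension check now returns before buffer_init, so nothing is leaked there. All three functions extend beyond the hunks, so there may be further return sites I cannot see.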


@ -1,4 +1,4 @@
/* $OpenBSD: sftp-glob.c,v 1.22 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: sftp-glob.c,v 1.23 2011/10/04 14:17:32 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -84,7 +84,7 @@ fudge_lstat(const char *path, struct stat *st)
{
Attrib *a;
if (!(a = do_lstat(cur.conn, (char *)path, 0)))
if (!(a = do_lstat(cur.conn, (char *)path, 1)))
return(-1);
attrib_to_stat(a, st);
@ -97,7 +97,7 @@ fudge_stat(const char *path, struct stat *st)
{
Attrib *a;
if (!(a = do_stat(cur.conn, (char *)path, 0)))
if (!(a = do_stat(cur.conn, (char *)path, 1)))
return(-1);
attrib_to_stat(a, st);


@ -1,4 +1,4 @@
.\" $OpenBSD: sftp.1,v 1.90 2011/08/07 12:55:30 dtucker Exp $
.\" $OpenBSD: sftp.1,v 1.91 2011/09/05 05:56:13 djm Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 7 2011 $
.Dd $Mdocdate: September 5 2011 $
.Dt SFTP 1
.Os
.Sh NAME
@ -194,6 +194,7 @@ For full details of the options listed below, and their possible values, see
.It ConnectTimeout
.It ControlMaster
.It ControlPath
.It ControlPersist
.It GlobalKnownHostsFile
.It GSSAPIAuthentication
.It GSSAPIDelegateCredentials
@ -206,6 +207,7 @@ For full details of the options listed below, and their possible values, see
.It IdentityFile
.It IdentitiesOnly
.It IPQoS
.It KbdInteractiveAuthentication
.It KbdInteractiveDevices
.It KexAlgorithms
.It LogLevel


@ -1,4 +1,4 @@
/* $OpenBSD: sftp.c,v 1.132 2010/12/04 00:18:01 djm Exp $ */
/* $OpenBSD: sftp.c,v 1.134 2011/11/16 12:24:28 oga Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -770,7 +770,8 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
memset(&g, 0, sizeof(g));
if (remote_glob(conn, path,
GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE|GLOB_KEEPSTAT, NULL, &g) ||
GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE|GLOB_KEEPSTAT|GLOB_NOSORT,
NULL, &g) ||
(g.gl_pathc && !g.gl_matchc)) {
if (g.gl_pathc)
globfree(&g);
@ -1606,8 +1607,10 @@ complete_cmd_parse(EditLine *el, char *cmd, int lastarg, char quote,
}
list[count] = NULL;
if (count == 0)
if (count == 0) {
xfree(list);
return 0;
}
/* Complete ambigious command */
tmp = complete_ambiguous(cmd, list, count);


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-add.1,v 1.55 2010/10/28 18:33:28 jmc Exp $
.\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 28 2010 $
.Dd $Mdocdate: October 18 2011 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@ -43,7 +43,7 @@
.Nd adds private key identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
.Op Fl cDdLlXx
.Op Fl cDdkLlXx
.Op Fl t Ar life
.Op Ar
.Nm ssh-add
@ -110,6 +110,9 @@ and retry.
.It Fl e Ar pkcs11
Remove keys provided by the PKCS#11 shared library
.Ar pkcs11 .
.It Fl k
When loading keys into the agent, load plain private keys only and skip
certificates.
.It Fl L
Lists public key parameters of all identities currently represented
by the agent.


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */
/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -133,11 +133,11 @@ delete_all(AuthenticationConnection *ac)
}
static int
add_file(AuthenticationConnection *ac, const char *filename)
add_file(AuthenticationConnection *ac, const char *filename, int key_only)
{
Key *private, *cert;
char *comment = NULL;
char msg[1024], *certpath;
char msg[1024], *certpath = NULL;
int fd, perms_ok, ret = -1;
Buffer keyblob;
@ -213,6 +213,9 @@ add_file(AuthenticationConnection *ac, const char *filename)
fprintf(stderr, "Could not add identity: %s\n", filename);
}
/* Skip trying to load the cert if requested */
if (key_only)
goto out;
/* Now try to add the certificate flavour too */
xasprintf(&certpath, "%s-cert.pub", filename);
@ -247,7 +250,8 @@ add_file(AuthenticationConnection *ac, const char *filename)
if (confirm != 0)
fprintf(stderr, "The user must confirm each use of the key\n");
out:
xfree(certpath);
if (certpath != NULL)
xfree(certpath);
xfree(comment);
key_free(private);
@ -341,13 +345,13 @@ lock_agent(AuthenticationConnection *ac, int lock)
}
static int
do_file(AuthenticationConnection *ac, int deleting, char *file)
do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file)
{
if (deleting) {
if (delete_file(ac, file) == -1)
return -1;
} else {
if (add_file(ac, file) == -1)
if (add_file(ac, file, key_only) == -1)
return -1;
}
return 0;
@ -360,12 +364,13 @@ usage(void)
fprintf(stderr, "Options:\n");
fprintf(stderr, " -l List fingerprints of all identities.\n");
fprintf(stderr, " -L List public key parameters of all identities.\n");
fprintf(stderr, " -k Load only keys and not certificates.\n");
fprintf(stderr, " -c Require confirmation to sign using identities\n");
fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
fprintf(stderr, " -d Delete identity.\n");
fprintf(stderr, " -D Delete all identities.\n");
fprintf(stderr, " -x Lock agent.\n");
fprintf(stderr, " -X Unlock agent.\n");
fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
fprintf(stderr, " -c Require confirmation to sign using identities\n");
fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
}
@ -377,7 +382,7 @@ main(int argc, char **argv)
extern int optind;
AuthenticationConnection *ac = NULL;
char *pkcs11provider = NULL;
int i, ch, deleting = 0, ret = 0;
int i, ch, deleting = 0, ret = 0, key_only = 0;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@ -391,8 +396,11 @@ main(int argc, char **argv)
"Could not open a connection to your authentication agent.\n");
exit(2);
}
while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
switch (ch) {
case 'k':
key_only = 1;
break;
case 'l':
case 'L':
if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
@ -458,7 +466,7 @@ main(int argc, char **argv)
default_files[i]);
if (stat(buf, &st) < 0)
continue;
if (do_file(ac, deleting, buf) == -1)
if (do_file(ac, deleting, key_only, buf) == -1)
ret = 1;
else
count++;
@ -467,7 +475,7 @@ main(int argc, char **argv)
ret = 1;
} else {
for (i = 0; i < argc; i++) {
if (do_file(ac, deleting, argv[i]) == -1)
if (do_file(ac, deleting, key_only, argv[i]) == -1)
ret = 1;
}
}
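Review bot: The new `if (key_only) goto out;` in add_file jumps past the `if (confirm != 0) fprintf(stderr, "The user must confirm each use of the key\n");` that immediately precedes `out:`, so `ssh-add -k -c` adds the key with confirmation but no longer prints that notice — if that fprintf sits at function level, as its indentation suggests, rather than inside the certificate branch. Moving the notice above the key_only check, or wrapping only the certificate block in `if (!key_only) { ... }`, keeps the output identical to the non-`-k` case. The part of add_file between the two hunks is not visible here, so I may be missing an intervening return.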


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-ecdsa.c,v 1.4 2010/09/10 01:04:10 djm Exp $ */
/* $OpenBSD: ssh-ecdsa.c,v 1.5 2012/01/08 13:17:11 miod Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@ -141,6 +141,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
buffer_get_bignum2(&bb, sig->s);
if (buffer_len(&bb) != 0)
fatal("%s: remaining bytes in inner sigblob", __func__);
buffer_free(&bb);
/* clean up */
memset(sigblob, 0, len);


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.108 2011/10/16 11:02:46 dtucker Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: April 13 2011 $
.Dd $Mdocdate: October 16 2011 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@ -104,6 +104,7 @@
.Fl f Ar input_file
.Op Fl v
.Op Fl a Ar num_trials
.Op Fl K Ar checkpt
.Op Fl W Ar generator
.Nm ssh-keygen
.Fl s Ar ca_key
@ -214,7 +215,7 @@ Generally, 2048 bits is considered sufficient.
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
For ECDSA keys, the
.Fl b
flag determines they key length by selecting from one of three elliptic
flag determines the key length by selecting from one of three elliptic
curve sizes: 256, 384 or 521 bits.
Attempting to use bit lengths other than these three values for ECDSA keys
will fail.
@ -296,6 +297,14 @@ in the format specified by the
.Fl m
option and print an OpenSSH compatible private
(or public) key to stdout.
.It Fl K Ar checkpt
Write the last line processed to the file
.Ar checkpt
while performing DH candidate screening using the
.Fl T
option.
This will be used to skip lines in the input file that have already been
processed if the job is restarted.
This option allows importing keys from other software, including several
commercial SSH implementations.
The default import format is


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.212 2011/10/16 15:02:41 jmc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -149,7 +149,7 @@ char hostname[MAXHOSTNAMELEN];
/* moduli.c */
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *);
static void
type_bits_valid(int type, u_int32_t *bitsp)
@ -1871,6 +1871,7 @@ usage(void)
fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n");
fprintf(stderr, " -I key_id Key identifier to include in certificate.\n");
fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n");
fprintf(stderr, " -K checkpt Write checkpoints to this file.\n");
fprintf(stderr, " -L Print the contents of a certificate.\n");
fprintf(stderr, " -l Show fingerprint of key file.\n");
fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
@ -1903,6 +1904,7 @@ int
main(int argc, char **argv)
{
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
char *checkpoint = NULL;
char out_file[MAXPATHLEN], *rr_hostname = NULL;
Key *private, *public;
struct passwd *pw;
@ -1935,7 +1937,7 @@ main(int argc, char **argv)
exit(1);
}
while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:"
while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:K:P:m:N:n:"
"O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
switch (opt) {
case 'A':
@ -2086,6 +2088,11 @@ main(int argc, char **argv)
sizeof(out_file))
fatal("Output filename too long");
break;
case 'K':
if (strlen(optarg) >= MAXPATHLEN)
fatal("Checkpoint filename too long");
checkpoint = xstrdup(optarg);
break;
case 'S':
/* XXX - also compare length against bits */
if (BN_hex2bn(&start, optarg) == 0)
@ -2208,7 +2215,8 @@ main(int argc, char **argv)
fatal("Couldn't open moduli file \"%s\": %s",
out_file, strerror(errno));
}
if (prime_test(in, out, trials, generator_wanted) != 0)
if (prime_test(in, out, trials, generator_wanted, checkpoint)
!= 0)
fatal("modulus screening failed");
return (0);
}
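Review bot: The `-K` usage line, `" -K checkpt Write checkpoints to this file.\n"`, does not say that the option only has an effect together with `-T`, which the ssh-keygen.1 hunk in this commit does say; suggest `" -K checkpt Write DH candidate screening checkpoints to this file (with -T).\n"`. The checkpoint pointer stays NULL when `-K` is absent and is passed to prime_test as-is, so prime_test (moduli.c, not in this diff) must treat NULL as "no checkpoint file"; a comment at the call, or on the prototype near the top of the file, would record that expectation. main continues outside the hunks.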


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */
/* $OpenBSD: ssh-pkcs11-client.c,v 1.3 2012/01/16 20:34:09 miod Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@ -117,6 +117,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
buffer_put_int(&msg, 0);
xfree(blob);
send_msg(&msg);
buffer_clear(&msg);
if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
signature = buffer_get_string(&msg, &slen);
@ -126,6 +127,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
}
xfree(signature);
}
buffer_free(&msg);
return (ret);
}


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.320 2011/08/02 01:22:11 djm Exp $
.Dd $Mdocdate: August 2 2011 $
.\" $OpenBSD: ssh.1,v 1.323 2011/09/11 06:59:05 okan Exp $
.Dd $Mdocdate: September 11 2011 $
.Dt SSH 1
.Os
.Sh NAME
@ -393,6 +393,8 @@ Valid commands are:
(check that the master process is running),
.Dq forward
(request forwardings without command execution),
.Dq cancel
(cancel forwardings),
.Dq exit
(request the master to exit), and
.Dq stop
@ -419,11 +421,13 @@ For full details of the options listed below, and their possible values, see
.It ConnectTimeout
.It ControlMaster
.It ControlPath
.It ControlPersist
.It DynamicForward
.It EscapeChar
.It ExitOnForwardFailure
.It ForwardAgent
.It ForwardX11
.It ForwardX11Timeout
.It ForwardX11Trusted
.It GatewayPorts
.It GlobalKnownHostsFile
@ -438,6 +442,7 @@ For full details of the options listed below, and their possible values, see
.It IdentityFile
.It IdentitiesOnly
.It IPQoS
.It KbdInteractiveAuthentication
.It KbdInteractiveDevices
.It KexAlgorithms
.It LocalCommand
@ -896,11 +901,20 @@ Currently this allows the addition of port forwardings using the
and
.Fl D
options (see above).
It also allows the cancellation of existing remote port-forwardings
using
It also allows the cancellation of existing port-forwardings
with
.Sm off
.Fl KR Oo Ar bind_address : Oc Ar port .
.Fl KL Oo Ar bind_address : Oc Ar port
.Sm on
for local,
.Sm off
.Fl KR Oo Ar bind_address : Oc Ar port
.Sm on
for remote and
.Sm off
.Fl KD Oo Ar bind_address : Oc Ar port
.Sm on
for dynamic port-forwardings.
.Ic !\& Ns Ar command
allows the user to execute a local command if the
.Ic PermitLocalCommand


@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.364 2011/08/02 23:15:03 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.368 2011/10/24 02:10:46 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -348,6 +348,8 @@ main(int ac, char **av)
muxclient_command = SSHMUX_COMMAND_TERMINATE;
else if (strcmp(optarg, "stop") == 0)
muxclient_command = SSHMUX_COMMAND_STOP;
else if (strcmp(optarg, "cancel") == 0)
muxclient_command = SSHMUX_COMMAND_CANCEL_FWD;
else
fatal("Invalid multiplex command.");
break;
@ -839,11 +841,14 @@ main(int ac, char **av)
* Now that we are back to our own permissions, create ~/.ssh
* directory if it doesn't already exist.
*/
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.", buf);
if (config == NULL) {
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.",
buf);
}
/* load options.identity_files */
load_public_identity_files();
@ -968,11 +973,17 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
debug("remote forward %s for: listen %d, connect %s:%d",
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
if (type == SSH2_MSG_REQUEST_SUCCESS && rfwd->listen_port == 0) {
rfwd->allocated_port = packet_get_int();
logit("Allocated port %u for remote forward to %s:%d",
rfwd->allocated_port,
rfwd->connect_host, rfwd->connect_port);
if (rfwd->listen_port == 0) {
if (type == SSH2_MSG_REQUEST_SUCCESS) {
rfwd->allocated_port = packet_get_int();
logit("Allocated port %u for remote forward to %s:%d",
rfwd->allocated_port,
rfwd->connect_host, rfwd->connect_port);
channel_update_permitted_opens(rfwd->handle,
rfwd->allocated_port);
} else {
channel_update_permitted_opens(rfwd->handle, -1);
}
}
if (type == SSH2_MSG_REQUEST_FAILURE) {
@ -997,25 +1008,26 @@ client_cleanup_stdio_fwd(int id, void *arg)
cleanup_exit(0);
}
static int
client_setup_stdio_fwd(const char *host_to_connect, u_short port_to_connect)
static void
ssh_init_stdio_forwarding(void)
{
Channel *c;
int in, out;
debug3("client_setup_stdio_fwd %s:%d", host_to_connect,
port_to_connect);
if (stdio_forward_host == NULL)
return;
if (!compat20)
fatal("stdio forwarding require Protocol 2");
in = dup(STDIN_FILENO);
out = dup(STDOUT_FILENO);
if (in < 0 || out < 0)
debug3("%s: %s:%d", __func__, stdio_forward_host, stdio_forward_port);
if ((in = dup(STDIN_FILENO)) < 0 ||
(out = dup(STDOUT_FILENO)) < 0)
fatal("channel_connect_stdio_fwd: dup() in/out failed");
if ((c = channel_connect_stdio_fwd(host_to_connect, port_to_connect,
in, out)) == NULL)
return 0;
if ((c = channel_connect_stdio_fwd(stdio_forward_host,
stdio_forward_port, in, out)) == NULL)
fatal("%s: channel_connect_stdio_fwd failed", __func__);
channel_register_cleanup(c->self, client_cleanup_stdio_fwd, 0);
return 1;
}
static void
@ -1024,15 +1036,6 @@ ssh_init_forwarding(void)
int success = 0;
int i;
if (stdio_forward_host != NULL) {
if (!compat20) {
fatal("stdio forwarding require Protocol 2");
}
if (!client_setup_stdio_fwd(stdio_forward_host,
stdio_forward_port))
fatal("Failed to connect in stdio forward mode.");
}
/* Initiate local TCP/IP port forwardings. */
for (i = 0; i < options.num_local_forwards; i++) {
debug("Local connections to %.200s:%d forwarded to remote "
@ -1064,19 +1067,22 @@ ssh_init_forwarding(void)
options.remote_forwards[i].listen_port,
options.remote_forwards[i].connect_host,
options.remote_forwards[i].connect_port);
if (channel_request_remote_forwarding(
options.remote_forwards[i].handle =
channel_request_remote_forwarding(
options.remote_forwards[i].listen_host,
options.remote_forwards[i].listen_port,
options.remote_forwards[i].connect_host,
options.remote_forwards[i].connect_port) < 0) {
options.remote_forwards[i].connect_port);
if (options.remote_forwards[i].handle < 0) {
if (options.exit_on_forward_failure)
fatal("Could not request remote forwarding.");
else
logit("Warning: Could not request remote "
"forwarding.");
} else {
client_register_global_confirm(ssh_confirm_remote_forward,
&options.remote_forwards[i]);
}
client_register_global_confirm(ssh_confirm_remote_forward,
&options.remote_forwards[i]);
}
/* Initiate tunnel forwarding. */
@ -1220,6 +1226,7 @@ ssh_session(void)
}
/* Initiate port forwardings. */
ssh_init_stdio_forwarding();
ssh_init_forwarding();
/* Execute a local command */
@ -1358,15 +1365,18 @@ ssh_session2(void)
int id = -1;
/* XXX should be pre-session */
if (!options.control_persist)
ssh_init_stdio_forwarding();
ssh_init_forwarding();
/* Start listening for multiplex clients */
muxserver_listen();
/*
* If we are in control persist mode, then prepare to background
* ourselves and have a foreground client attach as a control
* slave. NB. we must save copies of the flags that we override for
* If we are in control persist mode and have a working mux listen
* socket, then prepare to background ourselves and have a foreground
* client attach as a control slave.
* NB. we must save copies of the flags that we override for
* the backgrounding, since we defer attachment of the slave until
* after the connection is fully established (in particular,
* async rfwd replies have been received for ExitOnForwardFailure).
@ -1383,6 +1393,12 @@ ssh_session2(void)
need_controlpersist_detach = 1;
fork_after_authentication_flag = 1;
}
/*
* ControlPersist mux listen socket setup failed, attempt the
* stdio forward setup that we skipped earlier.
*/
if (options.control_persist && muxserver_sock == -1)
ssh_init_stdio_forwarding();
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
id = ssh_session2_open();
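Review bot: Nothing on ssh_init_stdio_forwarding records that it must run at most once per session, yet it now has three call sites (ssh_session, ssh_session2 before muxserver_listen, and ssh_session2 again when the ControlPersist mux socket failed), and what keeps that correct is only that the two ssh_session2 calls are guarded by mutually exclusive conditions on options.control_persist; the function dup()s stdin/stdout and connects a channel, so a second run would presumably open a second stdio channel. A comment on the function, `/* Must run at most once per session: dup()s stdin/stdout and opens the stdio channel. */`, would make that constraint explicit for the next caller. The fatal message `"channel_connect_stdio_fwd: dup() in/out failed"` names the wrong function now that the code lives in ssh_init_stdio_forwarding; `fatal("%s: dup() in/out failed", __func__)` matches the style of the fatal on the following call.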


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.153 2011/08/02 01:22:11 djm Exp $
.Dd $Mdocdate: August 2 2011 $
.\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $
.Dd $Mdocdate: September 9 2011 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -658,7 +658,7 @@ Accepted values are
.Dq af11 ,
.Dq af12 ,
.Dq af13 ,
.Dq af14 ,
.Dq af21 ,
.Dq af22 ,
.Dq af23 ,
.Dq af31 ,


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $
.Dd $Mdocdate: August 2 2011 $
.\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $
.Dd $Mdocdate: September 23 2011 $
.Dt SSHD 8
.Os
.Sh NAME
@ -581,6 +581,9 @@ Multiple
options may be applied separated by commas.
No pattern matching is performed on the specified hostnames,
they must be literal domains or addresses.
A port specification of
.Cm *
matches any port.
.It Cm principals="principals"
On a
.Cm cert-authority


@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.385 2011/06/23 09:34:13 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.388 2011/09/30 21:22:49 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -222,6 +222,7 @@ int startup_pipe; /* in child */
/* variables used for privilege separation */
int use_privsep = -1;
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
/* global authentication context */
Authctxt *the_authctxt = NULL;
@ -637,10 +638,13 @@ privsep_preauth(Authctxt *authctxt)
/* Wait for the child's exit status */
while (waitpid(pid, &status, 0) < 0) {
if (errno != EINTR)
fatal("%s: waitpid: %s", __func__,
strerror(errno));
if (errno == EINTR)
continue;
pmonitor->m_pid = -1;
fatal("%s: waitpid: %s", __func__, strerror(errno));
}
privsep_is_preauth = 0;
pmonitor->m_pid = -1;
if (WIFEXITED(status)) {
if (WEXITSTATUS(status) != 0)
fatal("%s: preauth child exited with status %d",
@ -2217,7 +2221,15 @@ do_ssh2_kex(void)
void
cleanup_exit(int i)
{
if (the_authctxt)
if (the_authctxt) {
do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
error("%s: kill(%d): %s", __func__,
pmonitor->m_pid, strerror(errno));
}
}
_exit(i);
}
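Review bot: The added guard in cleanup_exit dereferences `pmonitor` without a NULL test, although this same file initialises it as `struct monitor *pmonitor = NULL;` (hunk at `@ -222,6 +222,7`). If a fatal() reaches cleanup_exit once `the_authctxt` is set but before the monitor has been allocated, the cleanup path would fault instead of exiting; whether such a path exists cannot be confirmed from this section, so the extra test is cheap insurance: `if (use_privsep && privsep_is_preauth && pmonitor != NULL && pmonitor->m_pid > 1) {`. The `> 1` bound also matters because privsep_preauth now resets `m_pid` to -1 before calling fatal(), and kill(-1, SIGKILL) would signal every process the server is allowed to signal; a comment such as `/* m_pid is -1 once the child is reaped; never kill() pid 0 or -1 */` would record why the bound is 1 rather than 0.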


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $
.Dd $Mdocdate: August 2 2011 $
.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
.Dd $Mdocdate: September 9 2011 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -520,7 +520,7 @@ Accepted values are
.Dq af11 ,
.Dq af12 ,
.Dq af13 ,
.Dq af14 ,
.Dq af21 ,
.Dq af22 ,
.Dq af23 ,
.Dq af31 ,


@ -1,4 +1,4 @@
/* $OpenBSD: umac.c,v 1.3 2008/05/12 20:52:20 pvalchev Exp $ */
/* $OpenBSD: umac.c,v 1.4 2011/10/19 10:39:48 djm Exp $ */
/* -----------------------------------------------------------------------
*
* umac.c -- C Implementation UMAC Message Authentication
@ -312,7 +312,7 @@ static void pdf_gen_xor(pdf_ctx *pc, UINT8 nonce[8], UINT8 buf[8])
typedef struct {
UINT8 nh_key [L1_KEY_LEN + L1_KEY_SHIFT * (STREAMS - 1)]; /* NH Key */
UINT8 data [HASH_BUF_BYTES]; /* Incomming data buffer */
UINT8 data [HASH_BUF_BYTES]; /* Incoming data buffer */
int next_data_empty; /* Bookeeping variable for data buffer. */
int bytes_hashed; /* Bytes (out of L1_KEY_LEN) incorperated. */
UINT64 state[STREAMS]; /* on-line state */


@ -1,3 +1,3 @@
/* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */
/* $OpenBSD: version.h,v 1.64 2012/02/09 20:00:18 markus Exp $ */
#define SSH_VERSION "OpenSSH_5.9"
#define SSH_VERSION "OpenSSH_6.0"