Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

merge conflicts

Browse Source
This commit is contained in:
christos 2016-12-25 00:07:46 +00:00
parent 210ad7912c
commit ee85abc417
248 changed files with 2726 additions and 5750 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
crypto/external/bsd/openssh/bin/sshd/Makefile vendored
View File

@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.13 2016/01/14 22:30:04 christos Exp $
# $NetBSD: Makefile,v 1.14 2016/12/25 00:07:46 christos Exp $
.include <bsd.own.mk>
@ -7,18 +7,18 @@ MAN= sshd.8 sshd_config.5 moduli.5
BINDIR= /usr/sbin
SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
SRCS= sshd.c auth-rhosts.c auth-passwd.c \
sshpty.c sshlogin.c servconf.c serverloop.c \
auth.c auth1.c auth2.c auth-options.c session.c \
auth-chall.c auth2-chall.c groupaccess.c \
auth-skey.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
auth.c auth2.c auth-options.c session.c \
auth-krb5.c auth2-chall.c groupaccess.c \
auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
auth2-none.c auth2-passwd.c auth2-pubkey.c \
monitor_mm.c monitor.c monitor_wrap.c \
monitor.c monitor_wrap.c \
kexdhs.c kexgexs.c kexecdhs.c sftp-server.c sftp-common.c \
sandbox-rlimit.c pfilter.c
COPTS.auth-options.c= -Wno-pointer-sign
COPTS.ldapauth.c= -Wno-format-nonliteral # XXX: should fix
COPTS.auth-options.c+= -Wno-pointer-sign
COPTS.ldapauth.c+= -Wno-format-nonliteral # XXX: should fix
.if (${USE_PAM} != "no")
SRCS+= auth-pam.c
@ -47,7 +47,7 @@ DPADD+= ${LIBGSSAPI} ${LIBHEIMNTLM}
LDADD+= -lkafs
DPADD+= ${LIBKAFS}
SRCS+= auth-krb5.c auth2-krb5.c
SRCS+= auth2-krb5.c
LDADD+= -lkrb5 -lasn1
DPADD+= ${LIBKRB5} ${LIBASN1}

2
crypto/external/bsd/openssh/dist/LICENCE vendored
View File

@ -204,4 +204,4 @@ OpenSSH contains no GPL code.
------
$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
$NetBSD: LICENCE,v 1.4 2015/04/03 23:58:19 christos Exp $
$NetBSD: LICENCE,v 1.5 2016/12/25 00:07:46 christos Exp $

2
crypto/external/bsd/openssh/dist/OVERVIEW vendored
View File

@ -166,4 +166,4 @@ these programs.
xmalloc.c "safe" malloc routines
$OpenBSD: OVERVIEW,v 1.12 2015/07/08 19:01:15 markus Exp $
$NetBSD: OVERVIEW,v 1.5 2015/08/13 10:33:21 christos Exp $
$NetBSD: OVERVIEW,v 1.6 2016/12/25 00:07:46 christos Exp $

2
crypto/external/bsd/openssh/dist/PROTOCOL vendored
View File

@ -455,4 +455,4 @@ This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
$OpenBSD: PROTOCOL,v 1.30 2016/04/08 06:35:54 djm Exp $
$NetBSD: PROTOCOL,v 1.8 2016/08/02 13:45:12 christos Exp $
$NetBSD: PROTOCOL,v 1.9 2016/12/25 00:07:46 christos Exp $

2
crypto/external/bsd/openssh/dist/PROTOCOL.agent vendored
View File

@ -580,4 +580,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
SSH_AGENT_CONSTRAIN_CONFIRM 2
$OpenBSD: PROTOCOL.agent,v 1.11 2016/05/19 07:45:32 djm Exp $
$NetBSD: PROTOCOL.agent,v 1.7 2016/08/02 13:45:12 christos Exp $
$NetBSD: PROTOCOL.agent,v 1.8 2016/12/25 00:07:46 christos Exp $

2
crypto/external/bsd/openssh/dist/PROTOCOL.certkeys vendored
View File

@ -285,4 +285,4 @@ permit-user-rc empty Flag indicating that execution of
this option is not present.
$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $
$NetBSD: PROTOCOL.certkeys,v 1.6 2016/08/02 13:45:12 christos Exp $
$NetBSD: PROTOCOL.certkeys,v 1.7 2016/12/25 00:07:46 christos Exp $

2
crypto/external/bsd/openssh/dist/PROTOCOL.mux vendored
View File

@ -226,4 +226,4 @@ XXX server->client error/warning notifications
XXX send signals via mux
$OpenBSD: PROTOCOL.mux,v 1.10 2015/07/17 03:04:27 djm Exp $
$NetBSD: PROTOCOL.mux,v 1.8 2015/08/13 10:33:21 christos Exp $
$NetBSD: PROTOCOL.mux,v 1.9 2016/12/25 00:07:46 christos Exp $

2
crypto/external/bsd/openssh/dist/README vendored
View File

@ -25,4 +25,4 @@ for SSH protocol versions 1.5 and 2.0.
See http://www.openssh.com/ for more information.
$OpenBSD: README,v 1.7 2006/04/01 05:37:46 djm Exp $
$NetBSD: README,v 1.4 2015/04/03 23:58:19 christos Exp $
$NetBSD: README,v 1.5 2016/12/25 00:07:46 christos Exp $

10
crypto/external/bsd/openssh/dist/addrmatch.c vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: addrmatch.c,v 1.9 2015/08/13 10:33:21 christos Exp $ */
/* $OpenBSD: addrmatch.c,v 1.10 2015/07/08 19:04:21 markus Exp $ */
/* $NetBSD: addrmatch.c,v 1.10 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: addrmatch.c,v 1.13 2016/09/21 16:55:42 djm Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@ -18,7 +18,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: addrmatch.c,v 1.9 2015/08/13 10:33:21 christos Exp $");
__RCSID("$NetBSD: addrmatch.c,v 1.10 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
@ -397,8 +397,8 @@ addr_match_list(const char *addr, const char *_list)
/* Prefer CIDR address matching */
r = addr_pton_cidr(cp, &match_addr, &masklen);
if (r == -2) {
error("Inconsistent mask length for "
"network \"%.100s\"", cp);
debug2("%s: inconsistent mask length for "
"match network \"%.100s\"", __func__, cp);
ret = -2;
break;
} else if (r == 0) {

11
crypto/external/bsd/openssh/dist/atomicio.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: atomicio.c,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */
/* $NetBSD: atomicio.c,v 1.7 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@ -28,7 +29,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: atomicio.c,v 1.6 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: atomicio.c,v 1.7 2016/12/25 00:07:46 christos Exp $");
#include <sys/param.h>
#include <sys/uio.h>
@ -102,12 +103,12 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
struct iovec iov_array[IOV_MAX], *iov = iov_array;
struct pollfd pfd;
if (iovcnt > IOV_MAX) {
if (iovcnt < 0 || iovcnt > IOV_MAX) {
errno = EINVAL;
return 0;
}
/* Make a copy of the iov array because we may modify it below */
memcpy(iov, _iov, iovcnt * sizeof(*_iov));
memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov));
pfd.fd = fd;
pfd.events = f == readv ? POLLIN : POLLOUT;

2
crypto/external/bsd/openssh/dist/atomicio.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: atomicio.h,v 1.5 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: atomicio.h,v 1.6 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: atomicio.h,v 1.11 2010/09/22 22:58:51 djm Exp $ */
/*

4
crypto/external/bsd/openssh/dist/auth-bsdauth.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth-bsdauth.c,v 1.5 2016/03/11 01:55:00 christos Exp $ */
/* $NetBSD: auth-bsdauth.c,v 1.6 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */
/*
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth-bsdauth.c,v 1.5 2016/03/11 01:55:00 christos Exp $");
__RCSID("$NetBSD: auth-bsdauth.c,v 1.6 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>

103
crypto/external/bsd/openssh/dist/auth-chall.c vendored
View File

@ -1,103 +0,0 @@
/* $NetBSD: auth-chall.c,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $OpenBSD: auth-chall.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
__RCSID("$NetBSD: auth-chall.c,v 1.6 2015/04/03 23:58:19 christos Exp $");
#include <sys/types.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include "xmalloc.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "log.h"
#ifdef USE_PAM
#include "misc.h"
#include "buffer.h"
#include "servconf.h"
extern ServerOptions options;
void remove_kbdint_device(const char *);
#endif
/* limited protocol v1 interface to kbd-interactive authentication */
extern KbdintDevice *devices[];
static KbdintDevice *device;
char *
get_challenge(Authctxt *authctxt)
{
char *challenge, *name, *info, **prompts;
u_int i, numprompts;
u_int *echo_on;
#ifdef USE_PAM
if (!options.use_pam)
remove_kbdint_device("pam");
#endif
device = devices[0]; /* we always use the 1st device for protocol 1 */
if (device == NULL)
return NULL;
if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL)
return NULL;
if (device->query(authctxt->kbdintctxt, &name, &info,
&numprompts, &prompts, &echo_on)) {
device->free_ctx(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
return NULL;
}
if (numprompts < 1)
fatal("get_challenge: numprompts < 1");
challenge = xstrdup(prompts[0]);
for (i = 0; i < numprompts; i++)
free(prompts[i]);
free(prompts);
free(name);
free(echo_on);
free(info);
return (challenge);
}
int
verify_response(Authctxt *authctxt, const char *response)
{
char *resp[1];
int authenticated = 0;
if (device == NULL)
return 0;
if (authctxt->kbdintctxt == NULL)
return 0;
resp[0] = __UNCONST(response);
if (device->respond(authctxt->kbdintctxt, 1, resp) == 0)
authenticated = 1;
device->free_ctx(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
return authenticated;
}

4
crypto/external/bsd/openssh/dist/auth-krb5.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth-krb5.c,v 1.9 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: auth-krb5.c,v 1.10 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-krb5.c,v 1.22 2016/05/04 14:22:33 markus Exp $ */
/*
@ -31,7 +31,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth-krb5.c,v 1.9 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth-krb5.c,v 1.10 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>

32
crypto/external/bsd/openssh/dist/auth-options.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: auth-options.c,v 1.13 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */
/* $NetBSD: auth-options.c,v 1.14 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-options.c,v 1.72 2016/11/30 02:57:40 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -12,7 +13,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth-options.c,v 1.13 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth-options.c,v 1.14 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/queue.h>
@ -603,7 +604,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
* options so this must be called after auth_parse_options().
*/
int
auth_cert_options(struct sshkey *k, struct passwd *pw)
auth_cert_options(struct sshkey *k, struct passwd *pw, const char **reason)
{
int cert_no_port_forwarding_flag = 1;
int cert_no_agent_forwarding_flag = 1;
@ -613,6 +614,8 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
char *cert_forced_command = NULL;
int cert_source_address_done = 0;
*reason = "invalid certificate options";
/* Separate options and extensions for v01 certs */
if (parse_option_list(k->cert->critical, pw,
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
@ -634,11 +637,24 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
no_pty_flag |= cert_no_pty_flag;
no_user_rc |= cert_no_user_rc;
/* CA-specified forced command supersedes key option */
if (cert_forced_command != NULL) {
free(forced_command);
/*
* Only permit both CA and key option forced-command if they match.
* Otherwise refuse the certificate.
*/
if (cert_forced_command != NULL && forced_command != NULL) {
if (strcmp(forced_command, cert_forced_command) == 0) {
free(forced_command);
forced_command = cert_forced_command;
} else {
*reason = "certificate and key options forced command "
"do not match";
free(cert_forced_command);
return -1;
}
} else if (cert_forced_command != NULL)
forced_command = cert_forced_command;
}
/* success */
*reason = NULL;
return 0;
}

6
crypto/external/bsd/openssh/dist/auth-options.h vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: auth-options.h,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $OpenBSD: auth-options.h,v 1.21 2015/01/14 10:30:34 markus Exp $ */
/* $NetBSD: auth-options.h,v 1.7 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-options.h,v 1.22 2016/11/30 02:57:40 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -36,6 +36,6 @@ extern char *authorized_principals;
int auth_parse_options(struct passwd *, const char *, const char *, u_long);
void auth_clear_options(void);
int auth_cert_options(struct sshkey *, struct passwd *);
int auth_cert_options(struct sshkey *, struct passwd *, const char **);
#endif

2
crypto/external/bsd/openssh/dist/auth-pam.c vendored
View File

@ -50,7 +50,7 @@
/*
* NetBSD local changes
*/
__RCSID("$NetBSD: auth-pam.c,v 1.9 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth-pam.c,v 1.10 2016/12/25 00:07:46 christos Exp $");
#undef USE_POSIX_THREADS /* Not yet */
#define HAVE_SECURITY_PAM_APPL_H
#define HAVE_PAM_GETENVLIST

2
crypto/external/bsd/openssh/dist/auth-pam.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth-pam.h,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth-pam.h,v 1.5 2016/12/25 00:07:46 christos Exp $ */
/* Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp */
/*

19
crypto/external/bsd/openssh/dist/auth-passwd.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth-passwd.c,v 1.5 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: auth-passwd.c,v 1.6 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -38,7 +38,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth-passwd.c,v 1.5 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth-passwd.c,v 1.6 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <login_cap.h>
@ -98,18 +98,19 @@ auth_password(Authctxt *authctxt, const char *password)
ok = 0;
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
#ifdef USE_PAM
if (options.use_pam)
return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret && ok;
/* Fall back to ordinary passwd authentication. */
if (ret == 1 || ret == 0)
return ret && ok;
/* Fall back to ordinary passwd authentication. */
}
#endif
#ifdef USE_PAM
if (options.use_pam)
return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
return (sys_auth_passwd(authctxt, password) && ok);
}

106
crypto/external/bsd/openssh/dist/auth-rh-rsa.c vendored
View File

@ -1,106 +0,0 @@
/* $NetBSD: auth-rh-rsa.c,v 1.7 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: auth-rh-rsa.c,v 1.45 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Rhosts or /etc/hosts.equiv authentication combined with RSA host
* authentication.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
__RCSID("$NetBSD: auth-rh-rsa.c,v 1.7 2016/08/02 13:45:12 christos Exp $");
#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>
#include "packet.h"
#include "uidswap.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
#include "pathnames.h"
#include "auth.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
/* import */
extern ServerOptions options;
int
auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *cuser,
const char *chost, Key *client_host_key)
{
HostStatus host_status;
if (auth_key_is_revoked(client_host_key))
return 0;
/* Check if we would accept it using rhosts authentication. */
if (!auth_rhosts(pw, cuser))
return 0;
host_status = check_key_in_hostfiles(pw, client_host_key,
chost, _PATH_SSH_SYSTEM_HOSTFILE,
options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
return (host_status == HOST_OK);
}
/*
* Tries to authenticate the user using the .rhosts file and the host using
* its host key. Returns true if authentication succeeds.
*/
int
auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
{
struct ssh *ssh = active_state; /* XXX */
const char *chost;
struct passwd *pw = authctxt->pw;
debug("Trying rhosts with RSA host authentication for client user %.100s",
cuser);
if (!authctxt->valid || client_host_key == NULL ||
client_host_key->rsa == NULL)
return 0;
chost = auth_get_canonical_hostname(ssh, options.use_dns);
debug("Rhosts RSA authentication: canonical host %.900s", chost);
if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
return 0;
}
/* A matching host key was found and is known. */
/* Perform the challenge-response dialog with the client for the host key. */
if (!auth_rsa_challenge_dialog(client_host_key)) {
logit("Client on %.800s failed to respond correctly to host authentication.",
chost);
return 0;
}
/*
* We have authenticated the user using .rhosts or /etc/hosts.equiv,
* and the host using RSA. We accept the authentication.
*/
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
pw->pw_name, cuser, chost);
packet_send_debug("Rhosts with RSA host authentication accepted.");
return 1;
}

28
crypto/external/bsd/openssh/dist/auth-rhosts.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: auth-rhosts.c,v 1.6 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.47 2016/03/07 19:02:43 djm Exp $ */
/* $NetBSD: auth-rhosts.c,v 1.7 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.48 2016/08/13 17:47:41 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -16,7 +17,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth-rhosts.c,v 1.6 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth-rhosts.c,v 1.7 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@ -185,20 +186,8 @@ check_rhosts_file(const char *filename, const char *hostname,
* true if authentication succeeds. If ignore_rhosts is true, only
* /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
*/
int
auth_rhosts(struct passwd *pw, const char *client_user)
{
struct ssh *ssh = active_state; /* XXX */
const char *hostname, *ipaddr;
hostname = auth_get_canonical_hostname(ssh, options.use_dns);
ipaddr = ssh_remote_ipaddr(ssh);
return auth_rhosts2(pw, client_user, hostname, ipaddr);
}
static int
auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
const char *ipaddr)
{
char buf[1024];
@ -334,10 +323,3 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
restore_uid();
return 0;
}
int
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
const char *ipaddr)
{
return auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
}

431
crypto/external/bsd/openssh/dist/auth-rsa.c vendored
View File

@ -1,431 +0,0 @@
/* $NetBSD: auth-rsa.c,v 1.10 2015/04/03 23:58:19 christos Exp $ */
/* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* RSA-based authentication. This code determines whether to admit a login
* based on RSA authentication. This file also contains functions to check
* validity of the host key.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
__RCSID("$NetBSD: auth-rsa.c,v 1.10 2015/04/03 23:58:19 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/rsa.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include "xmalloc.h"
#include "rsa.h"
#include "packet.h"
#include "ssh1.h"
#include "uidswap.h"
#include "match.h"
#include "buffer.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "auth-options.h"
#include "hostfile.h"
#include "auth.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "ssh.h"
#include "digest.h"
/* import */
extern ServerOptions options;
/*
* Session identifier that is used to bind key exchange and authentication
* responses to a particular session.
*/
extern u_char session_id[16];
/*
* The .ssh/authorized_keys file contains public keys, one per line, in the
* following format:
* options bits e n comment
* where bits, e and n are decimal numbers,
* and comment is any string of characters up to newline. The maximum
* length of a line is SSH_MAX_PUBKEY_BYTES characters. See sshd(8) for a
* description of the options.
*/
BIGNUM *
auth_rsa_generate_challenge(Key *key)
{
BIGNUM *challenge;
BN_CTX *ctx;
if ((challenge = BN_new()) == NULL)
fatal("auth_rsa_generate_challenge: BN_new() failed");
/* Generate a random challenge. */
if (BN_rand(challenge, 256, 0, 0) == 0)
fatal("auth_rsa_generate_challenge: BN_rand failed");
if ((ctx = BN_CTX_new()) == NULL)
fatal("auth_rsa_generate_challenge: BN_CTX_new failed");
if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0)
fatal("auth_rsa_generate_challenge: BN_mod failed");
BN_CTX_free(ctx);
return challenge;
}
int
auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
{
u_char buf[32], mdbuf[16];
struct ssh_digest_ctx *md;
int len;
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("%s: RSA modulus too small: %d < minimum %d bits",
__func__,
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
if (len <= 0 || len > 32)
fatal("%s: bad challenge length %d", __func__, len);
memset(buf, 0, 32);
BN_bn2bin(challenge, buf + 32 - len);
if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
ssh_digest_update(md, buf, 32) < 0 ||
ssh_digest_update(md, session_id, 16) < 0 ||
ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
fatal("%s: md5 failed", __func__);
ssh_digest_free(md);
/* Verify that the response is the original challenge. */
if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
/* Wrong answer. */
return (0);
}
/* Correct answer. */
return (1);
}
/*
* Performs the RSA authentication challenge-response dialog with the client,
* and returns true (non-zero) if the client gave the correct answer to
* our challenge; returns zero if the client gives a wrong answer.
*/
int
auth_rsa_challenge_dialog(Key *key)
{
BIGNUM *challenge, *encrypted_challenge;
u_char response[16];
int i, success;
if ((encrypted_challenge = BN_new()) == NULL)
fatal("auth_rsa_challenge_dialog: BN_new() failed");
challenge = PRIVSEP(auth_rsa_generate_challenge(key));
/* Encrypt the challenge with the public key. */
if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
fatal("%s: rsa_public_encrypt failed", __func__);
/* Send the encrypted challenge to the client. */
packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
packet_put_bignum(encrypted_challenge);
packet_send();
BN_clear_free(encrypted_challenge);
packet_write_wait();
/* Wait for a response. */
packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
for (i = 0; i < 16; i++)
response[i] = (u_char)packet_get_char();
packet_check_eom();
success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
BN_clear_free(challenge);
return (success);
}
static int
rsa_key_allowed_in_file(struct passwd *pw, char *file,
const BIGNUM *client_n, Key **rkey)
{
char *fp, line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0;
u_int bits;
FILE *f;
u_long linenum = 0;
Key *key;
debug("trying public RSA key file %s", file);
if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
return 0;
/*
* Go though the accepted keys, looking for the current key. If
* found, perform a challenge-response dialog to verify that the
* user really has the corresponding private key.
*/
key = key_new(KEY_RSA1);
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp;
char *key_options;
int keybits;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
/*
* Check if there are options for this key, and if so,
* save their starting address and skip the option part
* for now. If there are no options, set the starting
* address to NULL.
*/
if (*cp < '0' || *cp > '9') {
int quoted = 0;
key_options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
else if (*cp == '"')
quoted = !quoted;
}
} else
key_options = NULL;
/* Parse the key from the line. */
if (hostfile_read_key(&cp, &bits, key) == 0) {
debug("%.100s, line %lu: non ssh1 key syntax",
file, linenum);
continue;
}
/* cp now points to the comment part. */
/*
* Check if the we have found the desired key (identified
* by its modulus).
*/
if (BN_cmp(key->rsa->n, client_n) != 0)
continue;
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL)
continue;
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
/* Never accept a revoked key */
if (auth_key_is_revoked(key))
break;
/* We have found the desired key. */
/*
* If our options do not allow this key to be used,
* do not send challenge.
*/
if (!auth_parse_options(pw, key_options, file, linenum))
continue;
if (key_is_cert_authority)
continue;
/* break out, this key is allowed */
allowed = 1;
break;
}
/* Close the file. */
fclose(f);
/* return key if allowed */
if (allowed && rkey != NULL)
*rkey = key;
else
key_free(key);
return allowed;
}
/*
* check if there's user key matching client_n,
* return key if login is allowed, NULL otherwise
*/
int
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
char *file;
u_int i, allowed = 0;
temporarily_use_uid(pw);
#ifdef WITH_LDAP_PUBKEY
if (options.lpk.on) {
u_int bits;
ldap_key_t *k;
/* here is the job */
Key *key = key_new(KEY_RSA1);
debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
for (i = 0 ; i < k->num ; i++) {
char *cp, *xoptions = NULL;
for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
/*
* Check if there are options for this key, and if so,
* save their starting address and skip the option part
* for now. If there are no options, set the starting
* address to NULL.
*/
if (*cp < '0' || *cp > '9') {
int quoted = 0;
xoptions = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
else if (*cp == '"')
quoted = !quoted;
}
} else
xoptions = NULL;
/* Parse the key from the line. */
if (hostfile_read_key(&cp, &bits, key) == 0) {
debug("[LDAP] line %d: non ssh1 key syntax", i);
continue;
}
/* cp now points to the comment part. */
/* Check if the we have found the desired key (identified by its modulus). */
if (BN_cmp(key->rsa->n, client_n) != 0)
continue;
/* check the real bits */
if (bits != (unsigned int)BN_num_bits(key->rsa->n))
logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
"actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
/* We have found the desired key. */
/*
* If our options do not allow this key to be used,
* do not send challenge.
*/
if (!auth_parse_options(pw, xoptions, "[LDAP]", (unsigned long) i))
continue;
/* break out, this key is allowed */
allowed = 1;
/* add the return stuff etc... */
/* Restore the privileged uid. */
restore_uid();
/* return key if allowed */
if (allowed && rkey != NULL)
*rkey = key;
else
key_free(key);
ldap_keys_free(k);
return (allowed);
}
} else {
logit("[LDAP] no keys found for '%s'!", pw->pw_name);
}
} else {
logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
}
}
#endif
for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
continue;
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
free(file);
}
restore_uid();
return allowed;
}
/*
* Performs the RSA authentication dialog with the client. This returns
* 0 if the client could not be authenticated, and 1 if authentication was
* successful. This may exit if there is a serious protocol violation.
*/
int
auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
{
Key *key;
struct passwd *pw = authctxt->pw;
/* no user given */
if (!authctxt->valid)
return 0;
if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
auth_clear_options();
return (0);
}
/* Perform the challenge-response dialog for this key. */
if (!auth_rsa_challenge_dialog(key)) {
/* Wrong response. */
verbose("Wrong response to RSA authentication challenge.");
packet_send_debug("Wrong response to RSA authentication challenge.");
/*
* Break out of the loop. Otherwise we might send
* another challenge and break the protocol.
*/
key_free(key);
return (0);
}
/*
* Correct response. The client has been successfully
* authenticated. Note that we have not yet processed the
* options; this will be reset if the options cause the
* authentication to be rejected.
*/
pubkey_auth_info(authctxt, key, NULL);
packet_send_debug("RSA authentication accepted.");
return (1);
}

4
crypto/external/bsd/openssh/dist/auth-skey.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth-skey.c,v 1.3 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth-skey.c,v 1.4 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -24,7 +24,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
__RCSID("$NetBSD: auth-skey.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: auth-skey.c,v 1.4 2016/12/25 00:07:46 christos Exp $");
#ifdef SKEY

38
crypto/external/bsd/openssh/dist/auth.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: auth.c,v 1.17 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: auth.c,v 1.115 2016/06/15 00:40:40 dtucker Exp $ */
/* $NetBSD: auth.c,v 1.18 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth.c,v 1.119 2016/12/15 21:29:05 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -25,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth.c,v 1.17 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth.c,v 1.18 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@ -100,6 +101,7 @@ allowed_user(struct passwd * pw)
struct ssh *ssh = active_state; /* XXX */
struct stat st;
const char *hostname = NULL, *ipaddr = NULL;
int r;
u_int i;
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
@ -253,21 +255,31 @@ allowed_user(struct passwd * pw)
/* Return false if user is listed in DenyUsers */
if (options.num_deny_users > 0) {
for (i = 0; i < options.num_deny_users; i++)
if (match_user(pw->pw_name, hostname, ipaddr,
options.deny_users[i])) {
for (i = 0; i < options.num_deny_users; i++) {
r = match_user(pw->pw_name, hostname, ipaddr,
options.deny_users[i]);
if (r < 0) {
fatal("Invalid DenyUsers pattern \"%.100s\"",
options.deny_users[i]);
} else if (r != 0) {
logit("User %.100s from %.100s not allowed "
"because listed in DenyUsers",
pw->pw_name, hostname);
return 0;
}
}
}
/* Return false if AllowUsers isn't empty and user isn't listed there */
if (options.num_allow_users > 0) {
for (i = 0; i < options.num_allow_users; i++)
if (match_user(pw->pw_name, hostname, ipaddr,
options.allow_users[i]))
for (i = 0; i < options.num_allow_users; i++) {
r = match_user(pw->pw_name, hostname, ipaddr,
options.allow_users[i]);
if (r < 0) {
fatal("Invalid AllowUsers pattern \"%.100s\"",
options.allow_users[i]);
} else if (r == 1)
break;
}
/* i < options.num_allow_users iff we break for loop */
if (i >= options.num_allow_users) {
logit("User %.100s from %.100s not allowed because "
@ -354,7 +366,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
else
authmsg = authenticated ? "Accepted" : "Failed";
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
authmsg,
method,
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
@ -362,7 +374,6 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
authctxt->user,
ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh),
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
if (!authctxt->postponed)
@ -377,12 +388,11 @@ auth_maxtries_exceeded(Authctxt *authctxt)
struct ssh *ssh = active_state; /* XXX */
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d %s",
"%s%.100s from %.200s port %d ssh2",
authctxt->valid ? "" : "invalid user ",
authctxt->user,
ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh),
compat20 ? "ssh2" : "ssh1");
ssh_remote_port(ssh));
packet_disconnect("Too many authentication failures");
/* NOTREACHED */
}

21
crypto/external/bsd/openssh/dist/auth.h vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: auth.h,v 1.13 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: auth.h,v 1.88 2016/05/04 14:04:40 markus Exp $ */
/* $NetBSD: auth.h,v 1.14 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth.h,v 1.89 2016/08/13 17:47:41 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -119,21 +119,11 @@ struct KbdintDevice
void (*free_ctx)(void *ctx);
};
void disable_forwarding(void);
int auth_rhosts(struct passwd *, const char *);
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);
int auth_rhosts_rsa(Authctxt *, char *, Key *);
int auth_password(Authctxt *, const char *);
int auth_rsa(Authctxt *, BIGNUM *);
int auth_rsa_challenge_dialog(Key *);
BIGNUM *auth_rsa_generate_challenge(Key *);
int auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int auth_rhosts_rsa_key_allowed(struct passwd *, const char *,
const char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *, int);
void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
@ -166,7 +156,6 @@ int auth_krb5_password(Authctxt *authctxt, const char *password);
void krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
void auth_info(Authctxt *authctxt, const char *, ...)
@ -193,9 +182,6 @@ int bsdauth_respond(void *, u_int, char **);
int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
@ -215,7 +201,6 @@ Key *get_hostkey_public_by_index(int, struct ssh *);
Key *get_hostkey_public_by_type(int, int, struct ssh *);
Key *get_hostkey_private_by_type(int, int, struct ssh *);
int get_hostkey_index(Key *, int, struct ssh *);
int ssh1_session_key(BIGNUM *);
int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
const u_char *, size_t, const char *, u_int);
@ -224,6 +209,8 @@ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void auth_debug_send(void);
void auth_debug_reset(void);
void disable_forwarding(void);
struct passwd *fakepw(void);
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"

474
crypto/external/bsd/openssh/dist/auth1.c vendored
View File

@ -1,474 +0,0 @@
/* $NetBSD: auth1.c,v 1.13 2016/01/23 00:03:30 christos Exp $ */
/* $OpenBSD: auth1.c,v 1.82 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
__RCSID("$NetBSD: auth1.c,v 1.13 2016/01/23 00:03:30 christos Exp $");
#include <sys/types.h>
#include <sys/queue.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include "xmalloc.h"
#include "rsa.h"
#include "ssh1.h"
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "compat.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "channels.h"
#include "session.h"
#include "uidswap.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "buffer.h"
#include "pfilter.h"
/* import */
extern ServerOptions options;
extern Buffer loginmsg;
static int auth1_process_password(Authctxt *);
static int auth1_process_rsa(Authctxt *);
static int auth1_process_rhosts_rsa(Authctxt *);
static int auth1_process_tis_challenge(Authctxt *);
static int auth1_process_tis_response(Authctxt *);
#if defined(KRB4) || defined(KRB5)
static int auth1_process_kerberos(Authctxt *);
#endif
struct AuthMethod1 {
int type;
const char *name;
int *enabled;
int (*method)(Authctxt *);
};
const struct AuthMethod1 auth1_methods[] = {
{
SSH_CMSG_AUTH_PASSWORD, "password",
&options.password_authentication, auth1_process_password
},
{
SSH_CMSG_AUTH_RSA, "rsa",
&options.rsa_authentication, auth1_process_rsa
},
{
SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
&options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
},
{
SSH_CMSG_AUTH_TIS, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_challenge
},
{
SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_response
},
#if defined(KRB4) || defined(KRB5)
{
SSH_CMSG_AUTH_KERBEROS, "kerberos",
&options.kerberos_authentication,
auth1_process_kerberos
},
#endif /* KRB4 || KRB5 */
{ -1, NULL, NULL, NULL}
};
static const struct AuthMethod1
*lookup_authmethod1(int type)
{
int i;
for (i = 0; auth1_methods[i].name != NULL; i++)
if (auth1_methods[i].type == type)
return (&(auth1_methods[i]));
return (NULL);
}
static const char *
get_authname(int type)
{
const struct AuthMethod1 *a;
static char buf[64];
if ((a = lookup_authmethod1(type)) != NULL)
return (a->name);
snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
return (buf);
}
/*ARGSUSED*/
static int
auth1_process_password(Authctxt *authctxt)
{
int authenticated = 0;
char *password;
u_int dlen;
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
explicit_bzero(password, dlen);
free(password);
return (authenticated);
}
#if defined(KRB4) || defined(KRB5)
static int
auth1_process_kerberos(Authctxt *authctxt)
{
int authenticated = 0;
u_int dlen;
char *client_user;
char *kdata = packet_get_string(&dlen);
packet_check_eom();
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
#ifdef KRB4
KTEXT_ST tkt, reply;
tkt.length = dlen;
if (tkt.length < MAX_KTXT_LEN)
memcpy(tkt.dat, kdata, tkt.length);
if (PRIVSEP(auth_krb4(authctxt, &tkt, &client_user, &reply))) {
authenticated = 1;
packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)
reply.dat, reply.length);
packet_send();
packet_write_wait();
free(client_user);
}
#endif /* KRB4 */
} else {
#ifdef KRB5
krb5_data tkt, reply;
tkt.length = dlen;
tkt.data = kdata;
if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) {
authenticated = 1;
/* Send response to client */
packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)reply.data, reply.length);
packet_send();
packet_write_wait();
if (reply.length)
free(reply.data);
free(client_user);
}
#endif /* KRB5 */
}
free(kdata);
return authenticated;
}
#endif /* KRB4 || KRB5 */
/*ARGSUSED*/
static int
auth1_process_rhosts_rsa(Authctxt *authctxt)
{
int keybits, authenticated = 0;
u_int bits;
char *client_user;
Key *client_host_key;
u_int ulen;
/*
* Get client user name. Note that we just have to
* trust the client; root on the client machine can
* claim to be any user.
*/
client_user = packet_get_cstring(&ulen);
/* Get the client host key. */
client_host_key = key_new(KEY_RSA1);
bits = packet_get_int();
packet_get_bignum(client_host_key->rsa->e);
packet_get_bignum(client_host_key->rsa->n);
keybits = BN_num_bits(client_host_key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits) {
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
BN_num_bits(client_host_key->rsa->n), bits);
}
packet_check_eom();
authenticated = auth_rhosts_rsa(authctxt, client_user,
client_host_key);
key_free(client_host_key);
auth_info(authctxt, "ruser %.100s", client_user);
free(client_user);
return (authenticated);
}
/*ARGSUSED*/
static int
auth1_process_rsa(Authctxt *authctxt)
{
int authenticated = 0;
BIGNUM *n;
/* RSA authentication requested. */
if ((n = BN_new()) == NULL)
fatal("do_authloop: BN_new failed");
packet_get_bignum(n);
packet_check_eom();
authenticated = auth_rsa(authctxt, n);
BN_clear_free(n);
return (authenticated);
}
/*ARGSUSED*/
static int
auth1_process_tis_challenge(Authctxt *authctxt)
{
char *challenge;
if ((challenge = get_challenge(authctxt)) == NULL)
return (0);
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
free(challenge);
packet_send();
packet_write_wait();
return (-1);
}
/*ARGSUSED*/
static int
auth1_process_tis_response(Authctxt *authctxt)
{
int authenticated = 0;
char *response;
u_int dlen;
response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
explicit_bzero(response, dlen);
free(response);
return (authenticated);
}
/*
* read packets, try to authenticate the user and
* return only if authentication is successful
*/
static void
do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
int type = 0;
const struct AuthMethod1 *meth;
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
/* If the user has no password, accept authentication immediately. */
if (options.permit_empty_passwd && options.password_authentication &&
#if defined(KRB4) || defined(KRB5)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
PRIVSEP(auth_password(authctxt, __UNCONST("")))) {
#ifdef USE_PAM
if (options.use_pam && PRIVSEP(do_pam_account()))
#endif
{
auth_log(authctxt, 1, 0, "without authentication",
NULL);
return;
}
return;
}
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
for (;;) {
/* default to fail */
authenticated = 0;
/* Get a packet from the client. */
type = packet_read();
if (authctxt->failures >= options.max_authtries)
goto skip;
if ((meth = lookup_authmethod1(type)) == NULL) {
logit("Unknown message during authentication: "
"type %d", type);
goto skip;
}
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
goto skip;
}
authenticated = meth->method(authctxt);
if (authenticated == -1)
continue; /* "postponed" */
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
authctxt->as = NULL;
}
#endif
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(meth->name))
authenticated = 0;
#ifdef USE_PAM
if (options.use_pam && authenticated &&
!PRIVSEP(do_pam_account())) {
char *msg;
size_t len;
pfilter_notify(1);
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
buffer_append(&loginmsg, "\0", 1);
msg = (char *)buffer_ptr(&loginmsg);
/* strip trailing newlines */
if (len > 0)
while (len > 0 && msg[--len] == '\n')
msg[len] = '\0';
else
msg = __UNCONST("Access denied.");
packet_disconnect("%s", msg);
}
#endif
skip:
/* Log before sending the reply */
auth_log(authctxt, authenticated, 0, get_authname(type), NULL);
if (authenticated)
return;
if (++authctxt->failures >= options.max_authtries)
auth_maxtries_exceeded(authctxt);
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
}
/*
* Performs authentication of an incoming connection. Session key has already
* been exchanged and encryption is enabled.
*/
void
do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
/* Get the user name. */
user = packet_get_cstring(&ulen);
packet_check_eom();
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
authctxt->user = user;
authctxt->style = style;
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
authctxt->valid = 1;
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
pfilter_notify(1);
}
/* Configuration may have changed as a result of Match */
if (options.num_auth_methods != 0)
fatal("AuthenticationMethods is not supported with SSH "
"protocol 1");
setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
#ifdef USE_PAM
if (options.use_pam)
PRIVSEP(start_pam(authctxt));
#endif
/*
* If we are not running as root, the user must have the same uid as
* the server.
*/
if (!use_privsep && getuid() != 0 && authctxt->pw &&
authctxt->pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
/*
* Loop until the user has been authenticated or the connection is
* closed, do_authloop() returns only if authentication is successful
*/
do_authloop(authctxt);
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
}

4
crypto/external/bsd/openssh/dist/auth2-chall.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-chall.c,v 1.10 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: auth2-chall.c,v 1.11 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.44 2016/05/02 08:49:03 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-chall.c,v 1.10 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth2-chall.c,v 1.11 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <stdio.h>

4
crypto/external/bsd/openssh/dist/auth2-gss.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-gss.c,v 1.8 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth2-gss.c,v 1.9 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
/*
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-gss.c,v 1.8 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: auth2-gss.c,v 1.9 2016/12/25 00:07:46 christos Exp $");
#ifdef GSSAPI

4
crypto/external/bsd/openssh/dist/auth2-hostbased.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-hostbased.c,v 1.9 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: auth2-hostbased.c,v 1.10 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-hostbased.c,v 1.9 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth2-hostbased.c,v 1.10 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <pwd.h>

4
crypto/external/bsd/openssh/dist/auth2-kbdint.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-kbdint.c,v 1.5 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth2-kbdint.c,v 1.6 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-kbdint.c,v 1.7 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-kbdint.c,v 1.5 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: auth2-kbdint.c,v 1.6 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include "xmalloc.h"

4
crypto/external/bsd/openssh/dist/auth2-krb5.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-krb5.c,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth2-krb5.c,v 1.5 2016/12/25 00:07:46 christos Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
*
@ -24,7 +24,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-krb5.c,v 1.4 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: auth2-krb5.c,v 1.5 2016/12/25 00:07:46 christos Exp $");
#include <krb5.h>
#include <stdio.h>

4
crypto/external/bsd/openssh/dist/auth2-none.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-none.c,v 1.5 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth2-none.c,v 1.6 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-none.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-none.c,v 1.5 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: auth2-none.c,v 1.6 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>

4
crypto/external/bsd/openssh/dist/auth2-passwd.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2-passwd.c,v 1.5 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: auth2-passwd.c,v 1.6 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-passwd.c,v 1.12 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-passwd.c,v 1.5 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: auth2-passwd.c,v 1.6 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <string.h>

67
crypto/external/bsd/openssh/dist/auth2-pubkey.c vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: auth2-pubkey.c,v 1.14 2016/03/11 01:55:00 christos Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
/* $NetBSD: auth2-pubkey.c,v 1.15 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2-pubkey.c,v 1.14 2016/03/11 01:55:00 christos Exp $");
__RCSID("$NetBSD: auth2-pubkey.c,v 1.15 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
@ -569,7 +569,7 @@ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
static int
process_principals(FILE *f, char *file, struct passwd *pw,
struct sshkey_cert *cert)
const struct sshkey_cert *cert)
{
char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
u_long linenum = 0;
@ -638,14 +638,17 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
* returns 1 if the principal is allowed or 0 otherwise.
*/
static int
match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
match_principals_command(struct passwd *user_pw, const struct sshkey *key)
{
const struct sshkey_cert *cert = key->cert;
FILE *f = NULL;
int ok, found_principal = 0;
int r, ok, found_principal = 0;
struct passwd *pw;
int i, ac = 0, uid_swapped = 0;
pid_t pid;
char *tmp, *username = NULL, *command = NULL, **av = NULL;
char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
char serial_s[16];
void (*osigchld)(int);
if (options.authorized_principals_command == NULL)
@ -683,10 +686,38 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
command);
goto out;
}
if ((ca_fp = sshkey_fingerprint(cert->signature_key,
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
}
if ((key_fp = sshkey_fingerprint(key,
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
}
if ((r = sshkey_to_base64(cert->signature_key, &catext)) != 0) {
error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
goto out;
}
if ((r = sshkey_to_base64(key, &keytext)) != 0) {
error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
goto out;
}
snprintf(serial_s, sizeof(serial_s), "%llu",
(unsigned long long)cert->serial);
for (i = 1; i < ac; i++) {
tmp = percent_expand(av[i],
"u", user_pw->pw_name,
"h", user_pw->pw_dir,
"t", sshkey_ssh_name(key),
"T", sshkey_ssh_name(cert->signature_key),
"f", key_fp,
"F", ca_fp,
"k", keytext,
"K", catext,
"i", cert->key_id,
"s", serial_s,
(char *)NULL);
if (tmp == NULL)
fatal("%s: percent_expand failed", __func__);
@ -721,6 +752,10 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
restore_uid();
free(command);
free(username);
free(ca_fp);
free(key_fp);
free(catext);
free(keytext);
return found_principal;
}
/*
@ -731,11 +766,9 @@ static int
check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
char line[SSH_MAX_PUBKEY_BYTES];
const char *reason;
int found_key = 0;
u_long linenum = 0;
Key *found;
char *fp;
#ifdef WITH_LDAP_PUBKEY
ldap_key_t * k;
unsigned int i = 0;
@ -786,7 +819,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
auth_parse_options(pw, xoptions, file, linenum) == 1) {
found_key = 1;
debug("[LDAP] matching key found");
fp = sshkey_fingerprint(found, SSH_FP_HASH_DEFAULT, SSH_FP_HEX);
char *fp = sshkey_fingerprint(found, SSH_FP_HASH_DEFAULT, SSH_FP_HEX);
verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
/* restoring memory */
@ -818,7 +851,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
found = NULL;
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp, *key_options = NULL;
char *cp, *key_options = NULL, *fp = NULL;
const char *reason = NULL;
if (found != NULL)
key_free(found);
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@ -883,10 +918,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
authorized_principals == NULL ? pw->pw_name : NULL,
&reason) != 0)
goto fail_reason;
if (auth_cert_options(key, pw) != 0) {
free(fp);
continue;
}
if (auth_cert_options(key, pw, &reason) != 0)
goto fail_reason;
verbose("Accepted certificate ID \"%s\" (serial %llu) "
"signed by %s CA %s via %s", key->cert->key_id,
(unsigned long long)key->cert->serial,
@ -949,7 +982,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
found_principal = 1;
}
/* Try querying command if specified */
if (!found_principal && match_principals_command(pw, key->cert))
if (!found_principal && match_principals_command(pw, key))
found_principal = 1;
/* If principals file or command is specified, then require a match */
use_authorized_principals = principals_file != NULL ||
@ -964,8 +997,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (key_cert_check_authority(key, 0, 1,
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;
if (auth_cert_options(key, pw) != 0)
goto out;
if (auth_cert_options(key, pw, &reason) != 0)
goto fail_reason;
verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
"%s CA %s via %s", key->cert->key_id,

4
crypto/external/bsd/openssh/dist/auth2.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: auth2.c,v 1.12 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: auth2.c,v 1.13 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: auth2.c,v 1.136 2016/05/02 08:49:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: auth2.c,v 1.12 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: auth2.c,v 1.13 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>

4
crypto/external/bsd/openssh/dist/authfd.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: authfd.c,v 1.11 2016/03/11 01:55:00 christos Exp $ */
/* $NetBSD: authfd.c,v 1.12 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
/*
@ -38,7 +38,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: authfd.c,v 1.11 2016/03/11 01:55:00 christos Exp $");
__RCSID("$NetBSD: authfd.c,v 1.12 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>

2
crypto/external/bsd/openssh/dist/authfd.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: authfd.h,v 1.6 2016/03/11 01:55:00 christos Exp $ */
/* $NetBSD: authfd.h,v 1.7 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: authfd.h,v 1.39 2015/12/04 16:41:28 markus Exp $ */
/*

21
crypto/external/bsd/openssh/dist/authfile.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: authfile.c,v 1.14 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: authfile.c,v 1.121 2016/04/09 12:39:30 djm Exp $ */
/* $NetBSD: authfile.c,v 1.15 2016/12/25 00:07:46 christos Exp $ */
/* $OpenBSD: authfile.c,v 1.122 2016/11/25 23:24:45 djm Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@ -25,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: authfile.c,v 1.14 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: authfile.c,v 1.15 2016/12/25 00:07:46 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>
@ -100,13 +101,25 @@ sshkey_load_file(int fd, struct sshbuf *blob)
u_char buf[1024];
size_t len;
struct stat st;
int r;
int r, dontmax = 0;
if (fstat(fd, &st) < 0)
return SSH_ERR_SYSTEM_ERROR;
if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
st.st_size > MAX_KEY_FILE_SIZE)
return SSH_ERR_INVALID_FORMAT;
/*
* Pre-allocate the buffer used for the key contents and clamp its
* maximum size. This ensures that key contents are never leaked via
* implicit realloc() in the sshbuf code.
*/
if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
st.st_size = 64*1024; /* 64k should be enough for anyone :) */
dontmax = 1;
}
if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
(dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
return r;
for (;;) {
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
if (errno == EPIPE)

2
crypto/external/bsd/openssh/dist/authfile.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: authfile.h,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: authfile.h,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: authfile.h,v 1.21 2015/01/08 10:14:08 djm Exp $ */
/*

2
crypto/external/bsd/openssh/dist/bcrypt_pbkdf.c vendored
View File

@ -16,7 +16,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: bcrypt_pbkdf.c,v 1.2 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: bcrypt_pbkdf.c,v 1.3 2016/12/25 00:07:47 christos Exp $");
#ifndef HAVE_BCRYPT_PBKDF

4
crypto/external/bsd/openssh/dist/bitmap.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: bitmap.c,v 1.3 2016/03/11 01:55:00 christos Exp $ */
/* $NetBSD: bitmap.c,v 1.4 2016/12/25 00:07:47 christos Exp $ */
/*
* Copyright (c) 2015 Damien Miller <djm@mindrot.org>
*
@ -15,7 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
__RCSID("$NetBSD: bitmap.c,v 1.3 2016/03/11 01:55:00 christos Exp $");
__RCSID("$NetBSD: bitmap.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <string.h>

2
crypto/external/bsd/openssh/dist/bitmap.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: bitmap.h,v 1.2 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: bitmap.h,v 1.3 2016/12/25 00:07:47 christos Exp $ */
/*
* Copyright (c) 2015 Damien Miller <djm@mindrot.org>

2
crypto/external/bsd/openssh/dist/blocks.c vendored
View File

@ -5,7 +5,7 @@
* Copied from nacl-20110221/crypto_hashblocks/sha512/ref/blocks.c
*/
#include "includes.h"
__RCSID("$NetBSD: blocks.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: blocks.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include "crypto_api.h"

2
crypto/external/bsd/openssh/dist/blowfish.c vendored
View File

@ -40,7 +40,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: blowfish.c,v 1.2 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: blowfish.c,v 1.3 2016/12/25 00:07:47 christos Exp $");
#if !defined(HAVE_BCRYPT_PBKDF) && (!defined(HAVE_BLOWFISH_INITSTATE) || \
!defined(HAVE_BLOWFISH_EXPAND0STATE) || !defined(HAVE_BLF_ENC))

4
crypto/external/bsd/openssh/dist/bufaux.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: bufaux.c,v 1.7 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: bufaux.c,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: bufaux.c,v 1.60 2014/04/30 05:29:56 djm Exp $ */
/*
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
@ -17,7 +17,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: bufaux.c,v 1.7 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: bufaux.c,v 1.8 2016/12/25 00:07:47 christos Exp $");
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
#include <sys/types.h>

4
crypto/external/bsd/openssh/dist/bufbn.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: bufbn.c,v 1.6 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: bufbn.c,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: bufbn.c,v 1.12 2014/04/30 05:29:56 djm Exp $ */
/*
@ -18,7 +18,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: bufbn.c,v 1.6 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: bufbn.c,v 1.7 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include "buffer.h"

4
crypto/external/bsd/openssh/dist/bufec.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: bufec.c,v 1.5 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: bufec.c,v 1.6 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: bufec.c,v 1.4 2014/04/30 05:29:56 djm Exp $ */
/*
@ -17,7 +17,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
__RCSID("$NetBSD: bufec.c,v 1.5 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: bufec.c,v 1.6 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */

4
crypto/external/bsd/openssh/dist/buffer.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: buffer.c,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: buffer.c,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: buffer.c,v 1.36 2014/04/30 05:29:56 djm Exp $ */
/*
@ -18,7 +18,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: buffer.c,v 1.6 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: buffer.c,v 1.7 2016/12/25 00:07:47 christos Exp $");
#include <sys/param.h>
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */

2
crypto/external/bsd/openssh/dist/buffer.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: buffer.h,v 1.7 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: buffer.h,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: buffer.h,v 1.25 2014/04/30 05:29:56 djm Exp $ */
/*

4
crypto/external/bsd/openssh/dist/canohost.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: canohost.c,v 1.10 2016/08/02 13:53:44 christos Exp $ */
/* $NetBSD: canohost.c,v 1.11 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: canohost.c,v 1.73 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -14,7 +14,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: canohost.c,v 1.10 2016/08/02 13:53:44 christos Exp $");
__RCSID("$NetBSD: canohost.c,v 1.11 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

2
crypto/external/bsd/openssh/dist/canohost.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: canohost.h,v 1.6 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: canohost.h,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: canohost.h,v 1.12 2016/03/07 19:02:43 djm Exp $ */
/*

2
crypto/external/bsd/openssh/dist/chacha.c vendored
View File

@ -5,7 +5,7 @@ Public domain.
*/
#include "includes.h"
__RCSID("$NetBSD: chacha.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: chacha.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include <stdio.h> /* for NULL */
#include "chacha.h"

475
crypto/external/bsd/openssh/dist/channels.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: channels.c,v 1.16 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: channels.c,v 1.351 2016/07/19 11:38:53 dtucker Exp $ */
/* $NetBSD: channels.c,v 1.17 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: channels.c,v 1.356 2016/10/18 17:32:54 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -41,10 +42,9 @@
*/
#include "includes.h"
__RCSID("$NetBSD: channels.c,v 1.16 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: channels.c,v 1.17 2016/12/25 00:07:47 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/param.h> /* MIN MAX */
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/un.h>
@ -70,6 +70,7 @@ __RCSID("$NetBSD: channels.c,v 1.16 2016/08/02 13:45:12 christos Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "ssh2.h"
#include "ssherr.h"
#include "packet.h"
#include "log.h"
#include "misc.h"
@ -123,6 +124,7 @@ typedef struct {
char *listen_host; /* Remote side should listen address. */
char *listen_path; /* Remote side should listen path. */
int listen_port; /* Remote side should listen port. */
Channel *downstream; /* Downstream mux*/
} ForwardPermission;
/* List of all permitted host/port pairs to connect by the user. */
@ -186,6 +188,7 @@ static int IPv4or6 = AF_UNSPEC;
/* helper */
static void port_open_helper(Channel *c, const char *rtype);
static const char *channel_rfwd_bind_host(const char *listen_host);
/* non-blocking connect helpers */
static int connect_next(struct channel_connect *);
@ -210,6 +213,20 @@ channel_by_id(int id)
return c;
}
Channel *
channel_by_remote_id(int remote_id)
{
Channel *c;
u_int i;
for (i = 0; i < channels_alloc; i++) {
c = channels[i];
if (c != NULL && c->remote_id == remote_id)
return c;
}
return NULL;
}
/*
* Returns the channel if it is allowed to receive protocol messages.
* Private channels, like listening sockets, may not receive messages.
@ -232,6 +249,7 @@ channel_lookup(int id)
case SSH_CHANNEL_INPUT_DRAINING:
case SSH_CHANNEL_OUTPUT_DRAINING:
case SSH_CHANNEL_ABANDONED:
case SSH_CHANNEL_MUX_PROXY:
return (c);
}
logit("Non-public channel %d, type %d.", id, c->type);
@ -247,9 +265,9 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
int extusage, int nonblock, int is_tty)
{
/* Update the maximum file descriptor value. */
channel_max_fd = MAX(channel_max_fd, rfd);
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
channel_max_fd = MAXIMUM(channel_max_fd, rfd);
channel_max_fd = MAXIMUM(channel_max_fd, wfd);
channel_max_fd = MAXIMUM(channel_max_fd, efd);
if (rfd != -1)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
@ -373,9 +391,9 @@ channel_find_maxfd(void)
for (i = 0; i < channels_alloc; i++) {
c = channels[i];
if (c != NULL) {
max = MAX(max, c->rfd);
max = MAX(max, c->wfd);
max = MAX(max, c->efd);
max = MAXIMUM(max, c->rfd);
max = MAXIMUM(max, c->wfd);
max = MAXIMUM(max, c->efd);
}
}
return max;
@ -411,14 +429,56 @@ channel_free(Channel *c)
{
char *s;
u_int i, n;
Channel *other;
struct channel_confirm *cc;
for (n = 0, i = 0; i < channels_alloc; i++)
if (channels[i])
for (n = 0, i = 0; i < channels_alloc; i++) {
if ((other = channels[i]) != NULL) {
n++;
/* detach from mux client and prepare for closing */
if (c->type == SSH_CHANNEL_MUX_CLIENT &&
other->type == SSH_CHANNEL_MUX_PROXY &&
other->mux_ctx == c) {
other->mux_ctx = NULL;
other->type = SSH_CHANNEL_OPEN;
other->istate = CHAN_INPUT_CLOSED;
other->ostate = CHAN_OUTPUT_CLOSED;
}
}
}
debug("channel %d: free: %s, nchannels %u", c->self,
c->remote_name ? c->remote_name : "???", n);
/* XXX more MUX cleanup: remove remote forwardings */
if (c->type == SSH_CHANNEL_MUX_CLIENT) {
for (i = 0; i < (u_int)num_permitted_opens; i++) {
if (permitted_opens[i].downstream != c)
continue;
/* cancel on the server, since mux client is gone */
debug("channel %d: cleanup remote forward for %s:%u",
c->self,
permitted_opens[i].listen_host,
permitted_opens[i].listen_port);
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("cancel-tcpip-forward");
packet_put_char(0);
packet_put_cstring(channel_rfwd_bind_host(
permitted_opens[i].listen_host));
packet_put_int(permitted_opens[i].listen_port);
packet_send();
/* unregister */
permitted_opens[i].listen_port = 0;
permitted_opens[i].port_to_connect = 0;
free(permitted_opens[i].host_to_connect);
permitted_opens[i].host_to_connect = NULL;
free(permitted_opens[i].listen_host);
permitted_opens[i].listen_host = NULL;
permitted_opens[i].listen_path = NULL;
permitted_opens[i].downstream = NULL;
}
}
s = channel_open_message();
debug3("channel %d: status: %s", c->self, s);
free(s);
@ -564,6 +624,7 @@ channel_still_open(void)
case SSH_CHANNEL_OPEN:
case SSH_CHANNEL_X11_OPEN:
case SSH_CHANNEL_MUX_CLIENT:
case SSH_CHANNEL_MUX_PROXY:
return 1;
case SSH_CHANNEL_INPUT_DRAINING:
case SSH_CHANNEL_OUTPUT_DRAINING:
@ -597,6 +658,7 @@ channel_find_open(void)
case SSH_CHANNEL_RPORT_LISTENER:
case SSH_CHANNEL_MUX_LISTENER:
case SSH_CHANNEL_MUX_CLIENT:
case SSH_CHANNEL_MUX_PROXY:
case SSH_CHANNEL_OPENING:
case SSH_CHANNEL_CONNECTING:
case SSH_CHANNEL_ZOMBIE:
@ -622,7 +684,6 @@ channel_find_open(void)
return -1;
}
/*
* Returns a message describing the currently open forwarded connections,
* suitable for sending to the client. The message contains crlf pairs for
@ -651,7 +712,6 @@ channel_open_message(void)
case SSH_CHANNEL_AUTH_SOCKET:
case SSH_CHANNEL_ZOMBIE:
case SSH_CHANNEL_ABANDONED:
case SSH_CHANNEL_MUX_CLIENT:
case SSH_CHANNEL_MUX_LISTENER:
case SSH_CHANNEL_UNIX_LISTENER:
case SSH_CHANNEL_RUNIX_LISTENER:
@ -664,6 +724,8 @@ channel_open_message(void)
case SSH_CHANNEL_X11_OPEN:
case SSH_CHANNEL_INPUT_DRAINING:
case SSH_CHANNEL_OUTPUT_DRAINING:
case SSH_CHANNEL_MUX_PROXY:
case SSH_CHANNEL_MUX_CLIENT:
snprintf(buf, sizeof buf,
" #%d %.300s (t%d r%d i%u/%d o%u/%d fd %d/%d cc %d)\r\n",
c->self, c->remote_name,
@ -1914,7 +1976,7 @@ read_mux(Channel *c, u_int need)
if (buffer_len(&c->input) < need) {
rlen = need - buffer_len(&c->input);
len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF));
len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
if (len < 0 && (errno == EINTR || errno == EAGAIN))
return buffer_len(&c->input);
if (len <= 0) {
@ -2217,7 +2279,7 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
{
u_int n, sz, nfdset;
n = MAX(*maxfdp, channel_max_fd);
n = MAXIMUM(*maxfdp, channel_max_fd);
nfdset = howmany(n+1, NFDBITS);
/* Explicitly test here, because xrealloc isn't always called */
@ -2379,6 +2441,284 @@ channel_output_poll(void)
return (packet_length);
}
/* -- mux proxy support */
/*
* When multiplexing channel messages for mux clients we have to deal
* with downstream messages from the mux client and upstream messages
* from the ssh server:
* 1) Handling downstream messages is straightforward and happens
* in channel_proxy_downstream():
* - We forward all messages (mostly) unmodified to the server.
* - However, in order to route messages from upstream to the correct
* downstream client, we have to replace the channel IDs used by the
* mux clients with a unique channel ID because the mux clients might
* use conflicting channel IDs.
* - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
* SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
* SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
* with the newly allocated channel ID.
* 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
* channels and procesed by channel_proxy_upstream(). The local channel ID
* is then translated back to the original mux client ID.
* 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
* messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
* 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
* downstream mux client are removed.
* 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
* requires more work, because they are not addressed to a specific
* channel. E.g. client_request_forwarded_tcpip() needs to figure
* out whether the request is addressed to the local client or a
* specific downstream client based on the listen-address/port.
* 6) Agent and X11-Forwarding have a similar problem and are currenly
* not supported as the matching session/channel cannot be identified
* easily.
*/
/*
* receive packets from downstream mux clients:
* channel callback fired on read from mux client, creates
* SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
* on channel creation.
*/
int
channel_proxy_downstream(Channel *downstream)
{
Channel *c = NULL;
struct ssh *ssh = active_state;
struct sshbuf *original = NULL, *modified = NULL;
const u_char *cp;
char *ctype = NULL, *listen_host = NULL;
u_char type;
size_t have;
int ret = -1, r, idx;
u_int id, remote_id, listen_port;
/* sshbuf_dump(&downstream->input, stderr); */
if ((r = sshbuf_get_string_direct(&downstream->input, &cp, &have))
!= 0) {
error("%s: malformed message: %s", __func__, ssh_err(r));
return -1;
}
if (have < 2) {
error("%s: short message", __func__);
return -1;
}
type = cp[1];
/* skip padlen + type */
cp += 2;
have -= 2;
if (ssh_packet_log_type(type))
debug3("%s: channel %u: down->up: type %u", __func__,
downstream->self, type);
switch (type) {
case SSH2_MSG_CHANNEL_OPEN:
if ((original = sshbuf_from(cp, have)) == NULL ||
(modified = sshbuf_new()) == NULL) {
error("%s: alloc", __func__);
goto out;
}
if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
(r = sshbuf_get_u32(original, &id)) != 0) {
error("%s: parse error %s", __func__, ssh_err(r));
goto out;
}
c = channel_new("mux proxy", SSH_CHANNEL_MUX_PROXY,
-1, -1, -1, 0, 0, 0, ctype, 1);
c->mux_ctx = downstream; /* point to mux client */
c->mux_downstream_id = id; /* original downstream id */
if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
(r = sshbuf_put_u32(modified, c->self)) != 0 ||
(r = sshbuf_putb(modified, original)) != 0) {
error("%s: compose error %s", __func__, ssh_err(r));
channel_free(c);
goto out;
}
break;
case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
/*
* Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
* need to parse 'remote_id' instead of 'ctype'.
*/
if ((original = sshbuf_from(cp, have)) == NULL ||
(modified = sshbuf_new()) == NULL) {
error("%s: alloc", __func__);
goto out;
}
if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
(r = sshbuf_get_u32(original, &id)) != 0) {
error("%s: parse error %s", __func__, ssh_err(r));
goto out;
}
c = channel_new("mux proxy", SSH_CHANNEL_MUX_PROXY,
-1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
c->mux_ctx = downstream; /* point to mux client */
c->mux_downstream_id = id;
c->remote_id = remote_id;
if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
(r = sshbuf_put_u32(modified, c->self)) != 0 ||
(r = sshbuf_putb(modified, original)) != 0) {
error("%s: compose error %s", __func__, ssh_err(r));
channel_free(c);
goto out;
}
break;
case SSH2_MSG_GLOBAL_REQUEST:
if ((original = sshbuf_from(cp, have)) == NULL) {
error("%s: alloc", __func__);
goto out;
}
if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
error("%s: parse error %s", __func__, ssh_err(r));
goto out;
}
if (strcmp(ctype, "tcpip-forward") != 0) {
error("%s: unsupported request %s", __func__, ctype);
goto out;
}
if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
(r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
(r = sshbuf_get_u32(original, &listen_port)) != 0) {
error("%s: parse error %s", __func__, ssh_err(r));
goto out;
}
if (listen_port > 65535) {
error("%s: tcpip-forward for %s: bad port %u",
__func__, listen_host, listen_port);
goto out;
}
/* Record that connection to this host/port is permitted. */
permitted_opens = xreallocarray(permitted_opens,
num_permitted_opens + 1, sizeof(*permitted_opens));
idx = num_permitted_opens++;
permitted_opens[idx].host_to_connect = xstrdup("<mux>");
permitted_opens[idx].port_to_connect = -1;
permitted_opens[idx].listen_host = listen_host;
permitted_opens[idx].listen_port = (int)listen_port;
permitted_opens[idx].downstream = downstream;
listen_host = NULL;
break;
case SSH2_MSG_CHANNEL_CLOSE:
if (have < 4)
break;
remote_id = PEEK_U32(cp);
if ((c = channel_by_remote_id(remote_id)) != NULL) {
if (c->flags & CHAN_CLOSE_RCVD)
channel_free(c);
else
c->flags |= CHAN_CLOSE_SENT;
}
break;
}
if (modified) {
if ((r = sshpkt_start(ssh, type)) != 0 ||
(r = sshpkt_putb(ssh, modified)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
error("%s: send %s", __func__, ssh_err(r));
goto out;
}
} else {
if ((r = sshpkt_start(ssh, type)) != 0 ||
(r = sshpkt_put(ssh, cp, have)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
error("%s: send %s", __func__, ssh_err(r));
goto out;
}
}
ret = 0;
out:
free(ctype);
free(listen_host);
sshbuf_free(original);
sshbuf_free(modified);
return ret;
}
/*
* receive packets from upstream server and de-multiplex packets
* to correct downstream:
* implemented as a helper for channel input handlers,
* replaces local (proxy) channel ID with downstream channel ID.
*/
int
channel_proxy_upstream(Channel *c, int type, u_int32_t seq, void *ctxt)
{
struct ssh *ssh = active_state;
struct sshbuf *b = NULL;
Channel *downstream;
const u_char *cp = NULL;
size_t len;
int r;
/*
* When receiving packets from the peer we need to check whether we
* need to forward the packets to the mux client. In this case we
* restore the orignal channel id and keep track of CLOSE messages,
* so we can cleanup the channel.
*/
if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
return 0;
if ((downstream = c->mux_ctx) == NULL)
return 0;
switch (type) {
case SSH2_MSG_CHANNEL_CLOSE:
case SSH2_MSG_CHANNEL_DATA:
case SSH2_MSG_CHANNEL_EOF:
case SSH2_MSG_CHANNEL_EXTENDED_DATA:
case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
case SSH2_MSG_CHANNEL_OPEN_FAILURE:
case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
case SSH2_MSG_CHANNEL_SUCCESS:
case SSH2_MSG_CHANNEL_FAILURE:
case SSH2_MSG_CHANNEL_REQUEST:
break;
default:
debug2("%s: channel %u: unsupported type %u", __func__,
c->self, type);
return 0;
}
if ((b = sshbuf_new()) == NULL) {
error("%s: alloc reply", __func__);
goto out;
}
/* get remaining payload (after id) */
cp = sshpkt_ptr(ssh, &len);
if (cp == NULL) {
error("%s: no packet", __func__);
goto out;
}
/* translate id and send to muxclient */
if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
(r = sshbuf_put_u8(b, type)) != 0 ||
(r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
(r = sshbuf_put(b, cp, len)) != 0 ||
(r = sshbuf_put_stringb(&downstream->output, b)) != 0) {
error("%s: compose for muxclient %s", __func__, ssh_err(r));
goto out;
}
/* sshbuf_dump(b, stderr); */
if (ssh_packet_log_type(type))
debug3("%s: channel %u: up->down: type %u", __func__, c->self,
type);
out:
/* update state */
switch (type) {
case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
/* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
if (cp && len > 4)
c->remote_id = PEEK_U32(cp);
break;
case SSH2_MSG_CHANNEL_CLOSE:
if (c->flags & CHAN_CLOSE_SENT)
channel_free(c);
else
c->flags |= CHAN_CLOSE_RCVD;
break;
}
sshbuf_free(b);
return 1;
}
/* -- protocol input */
@ -2396,6 +2736,8 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
c = channel_lookup(id);
if (c == NULL)
packet_disconnect("Received data for nonexistent channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
/* Ignore any data for non-open channels (might happen on close) */
if (c->type != SSH_CHANNEL_OPEN &&
@ -2458,6 +2800,8 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
if (c == NULL)
packet_disconnect("Received extended_data for bad channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
if (c->type != SSH_CHANNEL_OPEN) {
logit("channel %d: ext data for non open", id);
return 0;
@ -2503,6 +2847,8 @@ channel_input_ieof(int type, u_int32_t seq, void *ctxt)
c = channel_lookup(id);
if (c == NULL)
packet_disconnect("Received ieof for nonexistent channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
chan_rcvd_ieof(c);
/* XXX force input close */
@ -2527,7 +2873,8 @@ channel_input_close(int type, u_int32_t seq, void *ctxt)
c = channel_lookup(id);
if (c == NULL)
packet_disconnect("Received close for nonexistent channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
/*
* Send a confirmation that we have closed the channel and no more
* data is coming for it.
@ -2562,9 +2909,11 @@ channel_input_oclose(int type, u_int32_t seq, void *ctxt)
int id = packet_get_int();
Channel *c = channel_lookup(id);
packet_check_eom();
if (c == NULL)
packet_disconnect("Received oclose for nonexistent channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
packet_check_eom();
chan_rcvd_oclose(c);
return 0;
}
@ -2576,10 +2925,12 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
int id = packet_get_int();
Channel *c = channel_lookup(id);
packet_check_eom();
if (c == NULL)
packet_disconnect("Received close confirmation for "
"out-of-range channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
packet_check_eom();
if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED)
packet_disconnect("Received close confirmation for "
"non-closed channel %d (type %d).", id, c->type);
@ -2597,7 +2948,12 @@ channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt)
id = packet_get_int();
c = channel_lookup(id);
if (c==NULL || c->type != SSH_CHANNEL_OPENING)
if (c==NULL)
packet_disconnect("Received open confirmation for "
"unknown channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
if (c->type != SSH_CHANNEL_OPENING)
packet_disconnect("Received open confirmation for "
"non-opening channel %d.", id);
remote_id = packet_get_int();
@ -2647,7 +3003,12 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
id = packet_get_int();
c = channel_lookup(id);
if (c==NULL || c->type != SSH_CHANNEL_OPENING)
if (c==NULL)
packet_disconnect("Received open failure for "
"unknown channel %d.", id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
if (c->type != SSH_CHANNEL_OPENING)
packet_disconnect("Received open failure for "
"non-opening channel %d.", id);
if (compat20) {
@ -2691,6 +3052,8 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
logit("Received window adjust for non-open channel %d.", id);
return 0;
}
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
adjust = packet_get_int();
packet_check_eom();
debug2("channel %d: rcvd adjust %u", id, adjust);
@ -2745,14 +3108,15 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
packet_set_alive_timeouts(0);
id = packet_get_int();
packet_check_eom();
debug2("channel_input_status_confirm: type %d id %d", type, id);
if ((c = channel_lookup(id)) == NULL) {
logit("channel_input_status_confirm: %d: unknown", id);
return 0;
}
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
packet_check_eom();
if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
return 0;
cc->cb(type, c, cc->ctx);
@ -3313,6 +3677,7 @@ channel_request_remote_forwarding(struct Forward *fwd)
permitted_opens[idx].listen_path = NULL;
permitted_opens[idx].listen_port = fwd->listen_port;
}
permitted_opens[idx].downstream = NULL;
}
return (idx);
}
@ -3408,6 +3773,7 @@ channel_request_rforward_cancel_tcpip(const char *host, u_short port)
free(permitted_opens[i].listen_host);
permitted_opens[i].listen_host = NULL;
permitted_opens[i].listen_path = NULL;
permitted_opens[i].downstream = NULL;
return 0;
}
@ -3445,6 +3811,7 @@ channel_request_rforward_cancel_streamlocal(const char *path)
permitted_opens[i].listen_host = NULL;
free(permitted_opens[i].listen_path);
permitted_opens[i].listen_path = NULL;
permitted_opens[i].downstream = NULL;
return 0;
}
@ -3464,43 +3831,6 @@ channel_request_rforward_cancel(struct Forward *fwd)
}
}
/*
* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
* listening for the port, and sends back a success reply (or disconnect
* message if there was an error).
*/
int
channel_input_port_forward_request(int is_root, struct ForwardOptions *fwd_opts)
{
int success = 0;
struct Forward fwd;
/* Get arguments from the packet. */
memset(&fwd, 0, sizeof(fwd));
fwd.listen_port = packet_get_int();
fwd.connect_host = packet_get_string(NULL);
fwd.connect_port = packet_get_int();
/*
* Check that an unprivileged user is not trying to forward a
* privileged port.
*/
if (fwd.listen_port < IPPORT_RESERVED && !is_root)
packet_disconnect(
"Requested forwarding of port %d but user is not root.",
fwd.listen_port);
if (fwd.connect_port == 0)
packet_disconnect("Dynamic forwarding denied.");
/* Initiate forwarding */
success = channel_setup_local_fwd_listener(&fwd, fwd_opts);
/* Free the argument string. */
free(fwd.connect_host);
return (success ? 0 : -1);
}
/*
* Permits opening to any host/port if permitted_opens[] is empty. This is
* usually called by the server, because the user could connect to any port
@ -3525,6 +3855,7 @@ channel_add_permitted_opens(char *host, int port)
permitted_opens[num_permitted_opens].listen_host = NULL;
permitted_opens[num_permitted_opens].listen_path = NULL;
permitted_opens[num_permitted_opens].listen_port = 0;
permitted_opens[num_permitted_opens].downstream = NULL;
num_permitted_opens++;
all_opens_permitted = 0;
@ -3656,7 +3987,7 @@ connect_next(struct channel_connect *cctx)
{
int sock, saved_errno;
struct sockaddr_un *sunaddr;
char ntop[NI_MAXHOST], strport[MAX(NI_MAXSERV,sizeof(sunaddr->sun_path))];
char ntop[NI_MAXHOST], strport[MAXIMUM(NI_MAXSERV,sizeof(sunaddr->sun_path))];
for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
switch (cctx->ai->ai_family) {
@ -3787,6 +4118,10 @@ connect_to(const char *name, int port, const char *ctype, const char *rname)
return c;
}
/*
* returns either the newly connected channel or the downstream channel
* that needs to deal with this connection.
*/
Channel *
channel_connect_by_listen_address(const char *listen_host,
u_short listen_port, const char *ctype, char *rname)
@ -3796,6 +4131,8 @@ channel_connect_by_listen_address(const char *listen_host,
for (i = 0; i < num_permitted_opens; i++) {
if (open_listen_match_tcpip(&permitted_opens[i], listen_host,
listen_port, 1)) {
if (permitted_opens[i].downstream)
return permitted_opens[i].downstream;
return connect_to(
permitted_opens[i].host_to_connect,
permitted_opens[i].port_to_connect, ctype, rname);
@ -4214,7 +4551,6 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
char *new_data;
int screen_number;
const char *cp;
u_int32_t rnd = 0;
if (x11_saved_display == NULL)
x11_saved_display = xstrdup(disp);
@ -4235,23 +4571,20 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
if (x11_saved_proto == NULL) {
/* Save protocol name. */
x11_saved_proto = xstrdup(proto);
/*
* Extract real authentication data and generate fake data
* of the same length.
*/
/* Extract real authentication data. */
x11_saved_data = xmalloc(data_len);
x11_fake_data = xmalloc(data_len);
for (i = 0; i < data_len; i++) {
if (sscanf(data + 2 * i, "%2x", &value) != 1)
fatal("x11_request_forwarding: bad "
"authentication data: %.100s", data);
if (i % 4 == 0)
rnd = arc4random();
x11_saved_data[i] = value;
x11_fake_data[i] = rnd & 0xff;
rnd >>= 8;
}
x11_saved_data_len = data_len;
/* Generate fake data of the same length. */
x11_fake_data = xmalloc(data_len);
arc4random_buf(x11_fake_data, data_len);
x11_fake_data_len = data_len;
}

15
crypto/external/bsd/openssh/dist/channels.h vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: channels.h,v 1.11 2015/07/03 00:59:59 christos Exp $ */
/* $OpenBSD: channels.h,v 1.118 2015/07/01 02:26:31 djm Exp $ */
/* $NetBSD: channels.h,v 1.12 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: channels.h,v 1.120 2016/10/18 17:32:54 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -59,7 +59,8 @@
#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
#define SSH_CHANNEL_UNIX_LISTENER 18 /* Listening on a domain socket. */
#define SSH_CHANNEL_RUNIX_LISTENER 19 /* Listening to a R-style domain socket. */
#define SSH_CHANNEL_MAX_TYPE 20
#define SSH_CHANNEL_MUX_PROXY 20 /* proxy channel for mux-slave */
#define SSH_CHANNEL_MAX_TYPE 21
#define CHANNEL_CANCEL_PORT_STATIC -1
@ -162,6 +163,7 @@ struct Channel {
mux_callback_fn *mux_rcb;
void *mux_ctx;
int mux_pause;
int mux_downstream_id;
};
#define CHAN_EXTENDED_IGNORE 0
@ -211,6 +213,7 @@ struct Channel {
/* channel management */
Channel *channel_by_id(int);
Channel *channel_by_remote_id(int);
Channel *channel_lookup(int);
Channel *channel_new(const char *, int, int, int, int, u_int, u_int, int,
const char *, int);
@ -231,6 +234,11 @@ void channel_cancel_cleanup(int);
int channel_close_fd(int *);
void channel_send_window_changes(void);
/* mux proxy support */
int channel_proxy_downstream(Channel *mc);
int channel_proxy_upstream(Channel *, int, u_int32_t, void *);
/* protocol handler */
int channel_input_close(int, u_int32_t, void *);
@ -270,7 +278,6 @@ void channel_update_permitted_opens(int, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
void channel_print_adm_permitted_opens(void);
int channel_input_port_forward_request(int, struct ForwardOptions *);
Channel *channel_connect_to_port(const char *, u_short, const char *, const char *);
Channel *channel_connect_to_path(const char *, const char *, const char *);
Channel *channel_connect_stdio_fwd(const char*, u_short, int, int);

4
crypto/external/bsd/openssh/dist/cipher-3des1.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cipher-3des1.c,v 1.7 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: cipher-3des1.c,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: cipher-3des1.c,v 1.12 2015/01/14 10:24:42 markus Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@ -20,7 +20,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: cipher-3des1.c,v 1.7 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: cipher-3des1.c,v 1.8 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <string.h>
#include <openssl/evp.h>

4
crypto/external/bsd/openssh/dist/cipher-bf1.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cipher-bf1.c,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: cipher-bf1.c,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: cipher-bf1.c,v 1.7 2015/01/14 10:24:42 markus Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@ -20,7 +20,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: cipher-bf1.c,v 1.6 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: cipher-bf1.c,v 1.7 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <string.h>
#include <openssl/evp.h>

8
crypto/external/bsd/openssh/dist/cipher-chachapoly.c vendored
View File

@ -14,10 +14,9 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */
/* $OpenBSD: cipher-chachapoly.c,v 1.7 2015/01/14 10:24:42 markus Exp $ */
/* $OpenBSD: cipher-chachapoly.c,v 1.8 2016/08/03 05:41:57 djm Exp $ */
#include "includes.h"
__RCSID("$NetBSD: cipher-chachapoly.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: cipher-chachapoly.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <stdarg.h> /* needed for log.h */
@ -29,7 +28,8 @@ __RCSID("$NetBSD: cipher-chachapoly.c,v 1.3 2015/04/03 23:58:19 christos Exp $")
#include "ssherr.h"
#include "cipher-chachapoly.h"
int chachapoly_init(struct chachapoly_ctx *ctx,
int
chachapoly_init(struct chachapoly_ctx *ctx,
const u_char *key, u_int keylen)
{
if (keylen != (32 + 32)) /* 2 x 256 bit keys */

2
crypto/external/bsd/openssh/dist/cipher-ctr-mt.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cipher-ctr-mt.c,v 1.6 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: cipher-ctr-mt.c,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/*
* OpenSSH Multi-threaded AES-CTR Cipher
*

169
crypto/external/bsd/openssh/dist/cipher.c vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: cipher.c,v 1.8 2016/03/11 01:55:00 christos Exp $ */
/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */
/* $NetBSD: cipher.c,v 1.9 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: cipher.c,v 1.102 2016/08/03 05:41:57 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -38,7 +38,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: cipher.c,v 1.8 2016/03/11 01:55:00 christos Exp $");
__RCSID("$NetBSD: cipher.c,v 1.9 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <string.h>
@ -57,6 +57,15 @@ extern const EVP_CIPHER *evp_ssh1_3des(void);
extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
#endif
struct sshcipher_ctx {
int plaintext;
int encrypt;
EVP_CIPHER_CTX *evp;
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
struct aesctr_ctx ac_ctx; /* XXX union with evp? */
const struct sshcipher *cipher;
};
struct sshcipher {
const char *name;
int number; /* for ssh1 only */
@ -201,6 +210,18 @@ cipher_is_cbc(const struct sshcipher *c)
return (c->flags & CFLAG_CBC) != 0;
}
u_int
cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
{
return cc->plaintext;
}
u_int
cipher_ctx_get_number(struct sshcipher_ctx *cc)
{
return cc->cipher->number;
}
u_int
cipher_mask_ssh1(int client)
{
@ -294,65 +315,81 @@ cipher_warning_message(const struct sshcipher_ctx *cc)
}
int
cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
#ifdef WITH_OPENSSL
struct sshcipher_ctx *cc = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
#ifdef WITH_OPENSSL
const EVP_CIPHER *type;
int klen;
u_char *junk, *discard;
#endif
*ccp = NULL;
if ((cc = calloc(sizeof(*cc), 1)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (cipher->number == SSH_CIPHER_DES) {
if (keylen > 8)
keylen = 8;
}
#endif
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
cc->encrypt = do_encrypt;
if (keylen < cipher->key_len ||
(iv != NULL && ivlen < cipher_ivlen(cipher)))
return SSH_ERR_INVALID_ARGUMENT;
(iv != NULL && ivlen < cipher_ivlen(cipher))) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
cc->cipher = cipher;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
return chachapoly_init(&cc->cp_ctx, key, keylen);
ret = chachapoly_init(&cc->cp_ctx, key, keylen);
goto out;
}
#ifndef WITH_OPENSSL
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
aesctr_ivsetup(&cc->ac_ctx, iv);
return 0;
ret = 0;
goto out;
}
if ((cc->cipher->flags & CFLAG_NONE) != 0)
return 0;
return SSH_ERR_INVALID_ARGUMENT;
#else
if ((cc->cipher->flags & CFLAG_NONE) != 0) {
ret = 0;
goto out;
}
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
#else /* WITH_OPENSSL */
type = (*cipher->evptype)();
EVP_CIPHER_CTX_init(&cc->evp);
if (EVP_CipherInit(&cc->evp, type, NULL, __UNCONST(iv),
if ((cc->evp = EVP_CIPHER_CTX_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EVP_CipherInit(cc->evp, type, NULL, (const u_char *)iv,
(do_encrypt == CIPHER_ENCRYPT)) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
goto out;
}
if (cipher_authlen(cipher) &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-1, __UNCONST(iv))) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
goto out;
}
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
klen = EVP_CIPHER_CTX_key_length(cc->evp);
if (klen > 0 && keylen != (u_int)klen) {
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
if (EVP_CIPHER_CTX_set_key_length(cc->evp, keylen) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
goto out;
}
}
if (EVP_CipherInit(&cc->evp, NULL, __UNCONST(key), NULL, -1) == 0) {
if (EVP_CipherInit(cc->evp, NULL, __UNCONST(key), NULL, -1) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto bad;
goto out;
}
if (cipher->discard_len > 0) {
@ -360,21 +397,34 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
(discard = malloc(cipher->discard_len)) == NULL) {
free(junk);
ret = SSH_ERR_ALLOC_FAIL;
goto bad;
goto out;
}
ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
explicit_bzero(discard, cipher->discard_len);
free(junk);
free(discard);
if (ret != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
bad:
EVP_CIPHER_CTX_cleanup(&cc->evp);
return ret;
goto out;
}
}
#endif
return 0;
ret = 0;
#endif /* WITH_OPENSSL */
out:
if (ret == 0) {
/* success */
*ccp = cc;
} else {
if (cc != NULL) {
#ifdef WITH_OPENSSL
if (cc->evp != NULL)
EVP_CIPHER_CTX_free(cc->evp);
#endif /* WITH_OPENSSL */
explicit_bzero(cc, sizeof(*cc));
free(cc);
}
}
return ret;
}
/*
@ -415,33 +465,33 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
if (authlen != cipher_authlen(cc->cipher))
return SSH_ERR_INVALID_ARGUMENT;
/* increment IV */
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
return SSH_ERR_LIBCRYPTO_ERROR;
/* set tag on decyption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, __UNCONST(src + aadlen + len)))
return SSH_ERR_LIBCRYPTO_ERROR;
}
if (aadlen) {
if (authlen &&
EVP_Cipher(&cc->evp, NULL, (const u_char *)src, aadlen) < 0)
EVP_Cipher(cc->evp, NULL, (const u_char *)src, aadlen) < 0)
return SSH_ERR_LIBCRYPTO_ERROR;
memcpy(dest, src, aadlen);
}
if (len % cc->cipher->block_size)
return SSH_ERR_INVALID_ARGUMENT;
if (EVP_Cipher(&cc->evp, dest + aadlen, (const u_char *)src + aadlen,
if (EVP_Cipher(cc->evp, dest + aadlen, (const u_char *)src + aadlen,
len) < 0)
return SSH_ERR_LIBCRYPTO_ERROR;
if (authlen) {
/* compute tag (on encrypt) or verify tag (on decrypt) */
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
if (EVP_Cipher(cc->evp, NULL, NULL, 0) < 0)
return cc->encrypt ?
SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
if (cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
authlen, dest + aadlen + len))
return SSH_ERR_LIBCRYPTO_ERROR;
}
@ -463,20 +513,23 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
return 0;
}
int
cipher_cleanup(struct sshcipher_ctx *cc)
void
cipher_free(struct sshcipher_ctx *cc)
{
if (cc == NULL || cc->cipher == NULL)
return 0;
if (cc == NULL)
return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
#ifdef WITH_OPENSSL
else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
return SSH_ERR_LIBCRYPTO_ERROR;
if (cc->evp != NULL) {
EVP_CIPHER_CTX_free(cc->evp);
cc->evp = NULL;
}
#endif
return 0;
explicit_bzero(cc, sizeof(*cc));
free(cc);
}
/*
@ -484,8 +537,8 @@ cipher_cleanup(struct sshcipher_ctx *cc)
* passphrase and using the resulting 16 bytes as the key.
*/
int
cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
const char *passphrase, int do_encrypt)
cipher_set_key_string(struct sshcipher_ctx **ccp,
const struct sshcipher *cipher, const char *passphrase, int do_encrypt)
{
u_char digest[16];
int r = SSH_ERR_INTERNAL_ERROR;
@ -495,7 +548,7 @@ cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
digest, sizeof(digest))) != 0)
goto out;
r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
r = cipher_init(ccp, cipher, digest, 16, NULL, 0, do_encrypt);
out:
explicit_bzero(digest, sizeof(digest));
return r;
@ -520,7 +573,7 @@ cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
ivlen = sizeof(cc->ac_ctx.ctr);
#ifdef WITH_OPENSSL
else
ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
ivlen = EVP_CIPHER_CTX_iv_length(cc->evp);
#endif /* WITH_OPENSSL */
return (ivlen);
}
@ -553,7 +606,7 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
if (evplen == 0)
return 0;
else if (evplen < 0)
@ -561,16 +614,16 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
if ((u_int)evplen != len)
return SSH_ERR_INVALID_ARGUMENT;
if (cipher_authlen(c)) {
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
len, iv))
return SSH_ERR_LIBCRYPTO_ERROR;
} else
memcpy(iv, cc->evp.iv, len);
memcpy(iv, cc->evp->iv, len);
break;
#endif
#ifdef WITH_SSH1
case SSH_CIPHER_3DES:
return ssh1_3des_iv(&cc->evp, 0, iv, 24);
return ssh1_3des_iv(cc->evp, 0, iv, 24);
#endif
default:
return SSH_ERR_INVALID_ARGUMENT;
@ -597,21 +650,21 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
evplen = EVP_CIPHER_CTX_iv_length(cc->evp);
if (evplen <= 0)
return SSH_ERR_LIBCRYPTO_ERROR;
if (cipher_authlen(c)) {
/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
if (!EVP_CIPHER_CTX_ctrl(&cc->evp,
if (!EVP_CIPHER_CTX_ctrl(cc->evp,
EVP_CTRL_GCM_SET_IV_FIXED, -1, __UNCONST(iv)))
return SSH_ERR_LIBCRYPTO_ERROR;
} else
memcpy(cc->evp.iv, iv, evplen);
memcpy(cc->evp->iv, iv, evplen);
break;
#endif
#ifdef WITH_SSH1
case SSH_CIPHER_3DES:
return ssh1_3des_iv(&cc->evp, 1, __UNCONST(iv), 24);
return ssh1_3des_iv(cc->evp, 1, __UNCONST(iv), 24);
#endif
default:
return SSH_ERR_INVALID_ARGUMENT;
@ -620,8 +673,8 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
}
#ifdef WITH_OPENSSL
#define EVP_X_STATE(evp) (evp).cipher_data
#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
#define EVP_X_STATE(evp) (evp)->cipher_data
#define EVP_X_STATE_LEN(evp) (evp)->cipher->ctx_size
#endif
int

25
crypto/external/bsd/openssh/dist/cipher.h vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: cipher.h,v 1.8 2015/08/13 10:33:21 christos Exp $ */
/* $OpenBSD: cipher.h,v 1.48 2015/07/08 19:09:25 markus Exp $ */
/* $NetBSD: cipher.h,v 1.9 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: cipher.h,v 1.49 2016/08/03 05:41:57 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -64,14 +64,7 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
struct sshcipher_ctx {
int plaintext;
int encrypt;
EVP_CIPHER_CTX evp;
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
struct aesctr_ctx ac_ctx; /* XXX union with evp? */
const struct sshcipher *cipher;
};
struct sshcipher_ctx;
u_int cipher_mask_ssh1(int);
const struct sshcipher *cipher_by_name(const char *);
@ -81,15 +74,15 @@ const char *cipher_name(int);
const char *cipher_warning_message(const struct sshcipher_ctx *);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
int cipher_init(struct sshcipher_ctx *, const struct sshcipher *,
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
u_int, u_int, u_int);
int cipher_get_length(struct sshcipher_ctx *, u_int *, u_int,
const u_char *, u_int);
int cipher_cleanup(struct sshcipher_ctx *);
int cipher_set_key_string(struct sshcipher_ctx *, const struct sshcipher *,
const char *, int);
void cipher_free(struct sshcipher_ctx *);
int cipher_set_key_string(struct sshcipher_ctx **,
const struct sshcipher *, const char *, int);
u_int cipher_blocksize(const struct sshcipher *);
u_int cipher_keylen(const struct sshcipher *);
u_int cipher_seclen(const struct sshcipher *);
@ -97,10 +90,14 @@ u_int cipher_authlen(const struct sshcipher *);
u_int cipher_ivlen(const struct sshcipher *);
u_int cipher_is_cbc(const struct sshcipher *);
u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
u_int cipher_ctx_get_number(struct sshcipher_ctx *);
u_int cipher_get_number(const struct sshcipher *);
int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
int cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
int cipher_get_keyiv_len(const struct sshcipher_ctx *);
int cipher_get_keycontext(const struct sshcipher_ctx *, u_char *);
void cipher_set_keycontext(struct sshcipher_ctx *, const u_char *);
#endif /* CIPHER_H */

2
crypto/external/bsd/openssh/dist/cleanup.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: cleanup.c,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: cleanup.c,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: cleanup.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
/*
* Copyright (c) 2003 Markus Friedl <markus@openbsd.org>

78
crypto/external/bsd/openssh/dist/clientloop.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: clientloop.c,v 1.19 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: clientloop.c,v 1.286 2016/07/23 02:54:08 djm Exp $ */
/* $NetBSD: clientloop.c,v 1.20 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: clientloop.c,v 1.289 2016/09/30 09:19:13 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -61,9 +62,8 @@
*/
#include "includes.h"
__RCSID("$NetBSD: clientloop.c,v 1.19 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: clientloop.c,v 1.20 2016/12/25 00:07:47 christos Exp $");
#include <sys/param.h> /* MIN MAX */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
@ -308,7 +308,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
static char proto[512], data[512];
FILE *f;
int got_data = 0, generated = 0, do_unlink = 0, i, r;
int got_data = 0, generated = 0, do_unlink = 0, r;
struct stat st;
u_int now, x11_timeout_real;
@ -435,17 +435,16 @@ client_x11_get_proto(const char *display, const char *xauth_path,
* for the local connection.
*/
if (!got_data) {
u_int32_t rnd = 0;
u_int8_t rnd[16];
u_int i;
logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
rnd = arc4random();
arc4random_buf(rnd, sizeof(rnd));
for (i = 0; i < sizeof(rnd); i++) {
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
rnd & 0xff);
rnd >>= 8;
rnd[i]);
}
}
@ -671,16 +670,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
server_alive_time = now + options.server_alive_interval;
}
if (options.rekey_interval > 0 && compat20 && !rekeying)
timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout());
timeout_secs = MINIMUM(timeout_secs, packet_get_rekey_timeout());
set_control_persist_exit_time();
if (control_persist_exit_time > 0) {
timeout_secs = MIN(timeout_secs,
timeout_secs = MINIMUM(timeout_secs,
control_persist_exit_time - now);
if (timeout_secs < 0)
timeout_secs = 0;
}
if (minwait_secs != 0)
timeout_secs = MIN(timeout_secs, (int)minwait_secs);
timeout_secs = MINIMUM(timeout_secs, (int)minwait_secs);
if (timeout_secs == INT_MAX)
tvp = NULL;
else {
@ -1551,7 +1550,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
buffer_high = 64 * 1024;
connection_in = packet_get_connection_in();
connection_out = packet_get_connection_out();
max_fd = MAX(connection_in, connection_out);
max_fd = MAXIMUM(connection_in, connection_out);
if (!compat20) {
/* enable nonblocking unless tty */
@ -1561,9 +1560,9 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
set_nonblock(fileno(stdout));
if (!isatty(fileno(stderr)))
set_nonblock(fileno(stderr));
max_fd = MAX(max_fd, fileno(stdin));
max_fd = MAX(max_fd, fileno(stdout));
max_fd = MAX(max_fd, fileno(stderr));
max_fd = MAXIMUM(max_fd, fileno(stdin));
max_fd = MAXIMUM(max_fd, fileno(stdout));
max_fd = MAXIMUM(max_fd, fileno(stderr));
}
quit_pending = 0;
escape_char1 = escape_char_arg;
@ -1883,11 +1882,14 @@ client_input_agent_open(int type, u_int32_t seq, void *ctxt)
}
static Channel *
client_request_forwarded_tcpip(const char *request_type, int rchan)
client_request_forwarded_tcpip(const char *request_type, int rchan,
u_int rwindow, u_int rmaxpack)
{
Channel *c = NULL;
struct sshbuf *b = NULL;
char *listen_address, *originator_address;
u_short listen_port, originator_port;
int r;
/* Get rest of the packet */
listen_address = packet_get_string(NULL);
@ -1902,6 +1904,31 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
c = channel_connect_by_listen_address(listen_address, listen_port,
"forwarded-tcpip", originator_address);
if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) {
if ((b = sshbuf_new()) == NULL) {
error("%s: alloc reply", __func__);
goto out;
}
/* reconstruct and send to muxclient */
if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
(r = sshbuf_put_u8(b, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
(r = sshbuf_put_cstring(b, request_type)) != 0 ||
(r = sshbuf_put_u32(b, rchan)) != 0 ||
(r = sshbuf_put_u32(b, rwindow)) != 0 ||
(r = sshbuf_put_u32(b, rmaxpack)) != 0 ||
(r = sshbuf_put_cstring(b, listen_address)) != 0 ||
(r = sshbuf_put_u32(b, listen_port)) != 0 ||
(r = sshbuf_put_cstring(b, originator_address)) != 0 ||
(r = sshbuf_put_u32(b, originator_port)) != 0 ||
(r = sshbuf_put_stringb(&c->output, b)) != 0) {
error("%s: compose for muxclient %s", __func__,
ssh_err(r));
goto out;
}
}
out:
sshbuf_free(b);
free(originator_address);
free(listen_address);
return c;
@ -2067,7 +2094,8 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
ctype, rchan, rwindow, rmaxpack);
if (strcmp(ctype, "forwarded-tcpip") == 0) {
c = client_request_forwarded_tcpip(ctype, rchan);
c = client_request_forwarded_tcpip(ctype, rchan, rwindow,
rmaxpack);
} else if (strcmp(ctype, "forwarded-streamlocal@openssh.com") == 0) {
c = client_request_forwarded_streamlocal(ctype, rchan);
} else if (strcmp(ctype, "x11") == 0) {
@ -2075,8 +2103,9 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
c = client_request_agent(ctype, rchan);
}
/* XXX duplicate : */
if (c != NULL) {
if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) {
debug3("proxied to downstream: %s", ctype);
} else if (c != NULL) {
debug("confirm %s", ctype);
c->remote_id = rchan;
c->remote_window = rwindow;
@ -2112,6 +2141,9 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
char *rtype;
id = packet_get_int();
c = channel_lookup(id);
if (channel_proxy_upstream(c, type, seq, ctxt))
return 0;
rtype = packet_get_string(NULL);
reply = packet_get_char();
@ -2120,7 +2152,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
if (id == -1) {
error("client_input_channel_req: request for channel -1");
} else if ((c = channel_lookup(id)) == NULL) {
} else if (c == NULL) {
error("client_input_channel_req: channel %d: "
"unknown channel", id);
} else if (strcmp(rtype, "eow@openssh.com") == 0) {

7
crypto/external/bsd/openssh/dist/clientloop.h vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: clientloop.h,v 1.12 2016/03/11 01:55:00 christos Exp $ */
/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
/* $NetBSD: clientloop.h,v 1.13 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: clientloop.h,v 1.33 2016/09/30 09:19:13 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -72,9 +72,10 @@ void client_expect_confirm(int, const char *, enum confirm_action);
#define SSHMUX_COMMAND_FORWARD 5 /* Forward only, no command */
#define SSHMUX_COMMAND_STOP 6 /* Disable mux but not conn */
#define SSHMUX_COMMAND_CANCEL_FWD 7 /* Cancel forwarding(s) */
#define SSHMUX_COMMAND_PROXY 8 /* Open new connection */
void muxserver_listen(void);
void muxclient(const char *);
int muxclient(const char *);
void mux_exit_message(Channel *, int);
void mux_tty_alloc_failed(Channel *);

4
crypto/external/bsd/openssh/dist/compat.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: compat.c,v 1.14 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: compat.c,v 1.15 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: compat.c,v 1.99 2016/05/24 02:31:57 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: compat.c,v 1.14 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: compat.c,v 1.15 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <stdlib.h>

2
crypto/external/bsd/openssh/dist/compat.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: compat.h,v 1.7 2015/07/03 01:00:00 christos Exp $ */
/* $NetBSD: compat.h,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: compat.h,v 1.48 2015/05/26 23:23:40 dtucker Exp $ */
/*

4
crypto/external/bsd/openssh/dist/crc32.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: crc32.c,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: crc32.c,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: crc32.c,v 1.11 2006/04/22 18:29:33 stevesk Exp $ */
/*
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: crc32.c,v 1.4 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: crc32.c,v 1.5 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include "crc32.h"

2
crypto/external/bsd/openssh/dist/crc32.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: crc32.h,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: crc32.h,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: crc32.h,v 1.15 2006/03/25 22:22:43 djm Exp $ */
/*

4
crypto/external/bsd/openssh/dist/deattack.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: deattack.c,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: deattack.c,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: deattack.c,v 1.32 2015/01/20 23:14:00 deraadt Exp $ */
/*
* Cryptographic attack detector for ssh - source code
@ -20,7 +20,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: deattack.c,v 1.4 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: deattack.c,v 1.5 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <string.h>

2
crypto/external/bsd/openssh/dist/deattack.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: deattack.h,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: deattack.h,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: deattack.h,v 1.11 2015/01/19 19:52:16 markus Exp $ */
/*

14
crypto/external/bsd/openssh/dist/dh.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: dh.c,v 1.10 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: dh.c,v 1.60 2016/05/02 10:26:04 djm Exp $ */
/* $NetBSD: dh.c,v 1.11 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: dh.c,v 1.62 2016/12/15 21:20:41 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@ -25,10 +26,9 @@
*/
#include "includes.h"
__RCSID("$NetBSD: dh.c,v 1.10 2016/08/02 13:45:12 christos Exp $");
#include <sys/param.h>
#include <sys/param.h> /* MIN */
__RCSID("$NetBSD: dh.c,v 1.11 2016/12/25 00:07:47 christos Exp $");
#include <sys/param.h> /* MIN */
#include <openssl/bn.h>
#include <openssl/dh.h>
@ -156,7 +156,7 @@ choose_dh(int min, int wantbits, int max)
struct dhgroup dhg;
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
logit("WARNING: could open open %s (%s), using fixed modulus",
logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno));
return (dh_new_group_fallback(max));
}
@ -275,7 +275,7 @@ dh_gen_key(DH *dh, int need)
* Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
* so double requested need here.
*/
dh->length = MIN(need * 2, pbits - 1);
dh->length = MINIMUM(need * 2, pbits - 1);
if (DH_generate_key(dh) == 0 ||
!dh_pub_is_valid(dh, dh->pub_key)) {
BN_clear_free(dh->priv_key);

2
crypto/external/bsd/openssh/dist/dh.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dh.h,v 1.7 2016/08/02 13:45:12 christos Exp $ */
/* $NetBSD: dh.h,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: dh.h,v 1.15 2016/05/02 10:26:04 djm Exp $ */
/*

2
crypto/external/bsd/openssh/dist/digest-libc.c vendored
View File

@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
__RCSID("$NetBSD: digest-libc.c,v 1.4 2015/07/03 01:00:00 christos Exp $");
__RCSID("$NetBSD: digest-libc.c,v 1.5 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <limits.h>

2
crypto/external/bsd/openssh/dist/digest-openssl.c vendored
View File

@ -15,7 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
__RCSID("$NetBSD: digest-openssl.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: digest-openssl.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <limits.h>

4
crypto/external/bsd/openssh/dist/dispatch.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dispatch.c,v 1.6 2015/07/03 01:00:00 christos Exp $ */
/* $NetBSD: dispatch.c,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: dispatch.c,v 1.27 2015/05/01 07:10:01 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: dispatch.c,v 1.6 2015/07/03 01:00:00 christos Exp $");
__RCSID("$NetBSD: dispatch.c,v 1.7 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <signal.h>

2
crypto/external/bsd/openssh/dist/dispatch.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dispatch.h,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: dispatch.h,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: dispatch.h,v 1.12 2015/01/19 20:07:45 markus Exp $ */
/*

4
crypto/external/bsd/openssh/dist/dns.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dns.c,v 1.12 2015/08/21 08:20:59 christos Exp $ */
/* $NetBSD: dns.c,v 1.13 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
/*
@ -27,7 +27,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: dns.c,v 1.12 2015/08/21 08:20:59 christos Exp $");
__RCSID("$NetBSD: dns.c,v 1.13 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>

2
crypto/external/bsd/openssh/dist/dns.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: dns.h,v 1.7 2015/07/03 01:00:00 christos Exp $ */
/* $NetBSD: dns.h,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: dns.h,v 1.15 2015/05/08 06:45:13 djm Exp $ */
/*

2
crypto/external/bsd/openssh/dist/ed25519.c vendored
View File

@ -6,7 +6,7 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
*/
#include "includes.h"
__RCSID("$NetBSD: ed25519.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: ed25519.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include "crypto_api.h"

4
crypto/external/bsd/openssh/dist/fatal.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: fatal.c,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: fatal.c,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: fatal.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: fatal.c,v 1.4 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: fatal.c,v 1.5 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <stdarg.h>

2
crypto/external/bsd/openssh/dist/fe25519.c vendored
View File

@ -6,7 +6,7 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
*/
#include "includes.h"
__RCSID("$NetBSD: fe25519.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: fe25519.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#define WINDOWSIZE 1 /* Should be 1,2, or 4 */
#define WINDOWMASK ((1<<WINDOWSIZE)-1)

2
crypto/external/bsd/openssh/dist/fmt_scaled.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: fmt_scaled.c,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: fmt_scaled.c,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: fmt_scaled.c,v 1.9 2007/03/20 03:42:52 tedu Exp $ */
/*

2
crypto/external/bsd/openssh/dist/fmt_scaled.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: fmt_scaled.h,v 1.5 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: fmt_scaled.h,v 1.6 2016/12/25 00:07:47 christos Exp $ */
#ifndef FMT_SCALED_STRSIZE
#define FMT_SCALED_STRSIZE 7
#endif

2
crypto/external/bsd/openssh/dist/ge25519.c vendored
View File

@ -6,7 +6,7 @@
* Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
*/
#include "includes.h"
__RCSID("$NetBSD: ge25519.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: ge25519.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include "fe25519.h"
#include "sc25519.h"

4
crypto/external/bsd/openssh/dist/getpeereid.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: getpeereid.c,v 1.3 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: getpeereid.c,v 1.4 2016/12/25 00:07:47 christos Exp $ */
/*
* Copyright (c) 2002 Damien Miller. All rights reserved.
@ -28,7 +28,7 @@
#include "getpeereid.h"
#include <unistd.h>
__RCSID("$NetBSD: getpeereid.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: getpeereid.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#if defined(SO_PEERCRED)
int

2
crypto/external/bsd/openssh/dist/getpeereid.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: getpeereid.h,v 1.3 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: getpeereid.h,v 1.4 2016/12/25 00:07:47 christos Exp $ */
/* Id: bsd-getpeereid.h,v 1.1 2002/09/12 00:33:02 djm Exp */
#ifndef _BSD_GETPEEREID_H

4
crypto/external/bsd/openssh/dist/getrrsetbyname.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: getrrsetbyname.c,v 1.3 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: getrrsetbyname.c,v 1.4 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
/*
@ -47,7 +47,7 @@
/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
#include "includes.h"
__RCSID("$NetBSD: getrrsetbyname.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: getrrsetbyname.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#ifndef HAVE_GETRRSETBYNAME

2
crypto/external/bsd/openssh/dist/getrrsetbyname.h vendored
View File

@ -1,6 +1,6 @@
/* OPENBSD BASED ON : include/netdb.h */
/* $NetBSD: getrrsetbyname.h,v 1.3 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: getrrsetbyname.h,v 1.4 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: getrrsetbyname.c,v 1.4 2001/08/16 18:16:43 ho Exp $ */
/*

4
crypto/external/bsd/openssh/dist/groupaccess.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: groupaccess.c,v 1.6 2015/07/03 01:00:00 christos Exp $ */
/* $NetBSD: groupaccess.c,v 1.7 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: groupaccess.c,v 1.16 2015/05/04 06:10:48 djm Exp $ */
/*
* Copyright (c) 2001 Kevin Steves. All rights reserved.
@ -25,7 +25,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: groupaccess.c,v 1.6 2015/07/03 01:00:00 christos Exp $");
__RCSID("$NetBSD: groupaccess.c,v 1.7 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <grp.h>

2
crypto/external/bsd/openssh/dist/groupaccess.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: groupaccess.h,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: groupaccess.h,v 1.5 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: groupaccess.h,v 1.8 2008/07/04 03:44:59 djm Exp $ */
/*

5
crypto/external/bsd/openssh/dist/gss-genr.c vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: gss-genr.c,v 1.7 2015/04/03 23:58:19 christos Exp $ */
/* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
/* $NetBSD: gss-genr.c,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */
/*
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -29,7 +29,6 @@
__RCSID("$NetBSD");
#ifdef GSSAPI
#include <sys/param.h>
#include <stdarg.h>
#include <string.h>

4
crypto/external/bsd/openssh/dist/gss-serv-krb5.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: gss-serv-krb5.c,v 1.8 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: gss-serv-krb5.c,v 1.9 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
/*
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: gss-serv-krb5.c,v 1.8 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: gss-serv-krb5.c,v 1.9 2016/12/25 00:07:47 christos Exp $");
#ifdef GSSAPI
#ifdef KRB5

4
crypto/external/bsd/openssh/dist/gss-serv.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: gss-serv.c,v 1.8 2015/07/03 01:00:00 christos Exp $ */
/* $NetBSD: gss-serv.c,v 1.9 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
/*
@ -26,7 +26,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: gss-serv.c,v 1.8 2015/07/03 01:00:00 christos Exp $");
__RCSID("$NetBSD: gss-serv.c,v 1.9 2016/12/25 00:07:47 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>

2
crypto/external/bsd/openssh/dist/hash.c vendored
View File

@ -8,7 +8,7 @@ D. J. Bernstein
Public domain.
*/
#include "includes.h"
__RCSID("$NetBSD: hash.c,v 1.3 2015/04/03 23:58:19 christos Exp $");
__RCSID("$NetBSD: hash.c,v 1.4 2016/12/25 00:07:47 christos Exp $");
#include "crypto_api.h"

2
crypto/external/bsd/openssh/dist/hmac.c vendored
View File

@ -15,7 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
__RCSID("$NetBSD: hmac.c,v 1.4 2015/07/03 01:00:00 christos Exp $");
__RCSID("$NetBSD: hmac.c,v 1.5 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <string.h>

12
crypto/external/bsd/openssh/dist/hostfile.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: hostfile.c,v 1.8 2015/07/03 01:00:00 christos Exp $ */
/* $OpenBSD: hostfile.c,v 1.66 2015/05/04 06:10:48 djm Exp $ */
/* $NetBSD: hostfile.c,v 1.9 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: hostfile.c,v 1.67 2016/09/17 18:00:27 tedu Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -38,7 +39,7 @@
*/
#include "includes.h"
__RCSID("$NetBSD: hostfile.c,v 1.8 2015/07/03 01:00:00 christos Exp $");
__RCSID("$NetBSD: hostfile.c,v 1.9 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@ -124,14 +125,13 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
u_char salt[256], result[256];
char uu_salt[512], uu_result[512];
static char encoded[1024];
u_int i, len;
u_int len;
len = ssh_digest_bytes(SSH_DIGEST_SHA1);
if (name_from_hostfile == NULL) {
/* Create new salt */
for (i = 0; i < len; i++)
salt[i] = arc4random();
arc4random_buf(salt, len);
} else {
/* Extract salt from known host entry */
if (extract_salt(name_from_hostfile, src_len, salt,

2
crypto/external/bsd/openssh/dist/hostfile.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: hostfile.h,v 1.7 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: hostfile.h,v 1.8 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: hostfile.h,v 1.24 2015/02/16 22:08:57 djm Exp $ */
/*

2
crypto/external/bsd/openssh/dist/includes.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: includes.h,v 1.4 2015/04/03 23:58:19 christos Exp $ */
/* $NetBSD: includes.h,v 1.5 2016/12/25 00:07:47 christos Exp $ */
#include <sys/cdefs.h>
#ifndef __OpenBSD__
#define __bounded__(a, b, c)

50
crypto/external/bsd/openssh/dist/kex.c vendored
View File

@ -1,5 +1,6 @@
/* $NetBSD: kex.c,v 1.16 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */
/* $NetBSD: kex.c,v 1.17 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -25,9 +26,9 @@
*/
#include "includes.h"
__RCSID("$NetBSD: kex.c,v 1.16 2016/08/02 13:45:12 christos Exp $");
#include <sys/param.h> /* MAX roundup */
__RCSID("$NetBSD: kex.c,v 1.17 2016/12/25 00:07:47 christos Exp $");
#include <sys/param.h> /* MAX roundup */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@ -96,6 +97,7 @@ static const struct kexalg kexalgs[] = {
SSH_DIGEST_SHA512 },
#endif
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ NULL, (u_int)-1, -1, -1},
};
@ -326,14 +328,21 @@ static int
kex_send_ext_info(struct ssh *ssh)
{
int r;
char *algs;
if ((algs = sshkey_alg_list(0, 1, ',')) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
(r = sshpkt_put_u32(ssh, 1)) != 0 ||
(r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
(r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||
(r = sshpkt_put_cstring(ssh, algs)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
return r;
return 0;
goto out;
/* success */
r = 0;
out:
free(algs);
return r;
}
int
@ -408,6 +417,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
return r;
kex->done = 1;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
@ -461,6 +472,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
@ -764,10 +776,8 @@ kex_choose_conf(struct ssh *ssh)
char *ext;
ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
if (ext) {
kex->ext_info_c = 1;
free(ext);
}
kex->ext_info_c = (ext != NULL);
free(ext);
}
/* Algorithm Negotiation */
@ -850,14 +860,14 @@ kex_choose_conf(struct ssh *ssh)
need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
need = MAX(need, newkeys->enc.key_len);
need = MAX(need, newkeys->enc.block_size);
need = MAX(need, newkeys->enc.iv_len);
need = MAX(need, newkeys->mac.key_len);
dh_need = MAX(dh_need, cipher_seclen(newkeys->enc.cipher));
dh_need = MAX(dh_need, newkeys->enc.block_size);
dh_need = MAX(dh_need, newkeys->enc.iv_len);
dh_need = MAX(dh_need, newkeys->mac.key_len);
need = MAXIMUM(need, newkeys->enc.key_len);
need = MAXIMUM(need, newkeys->enc.block_size);
need = MAXIMUM(need, newkeys->enc.iv_len);
need = MAXIMUM(need, newkeys->mac.key_len);
dh_need = MAXIMUM(dh_need, cipher_seclen(newkeys->enc.cipher));
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
}
/* XXX need runden? */
kex->we_need = need;
@ -888,7 +898,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
return SSH_ERR_INVALID_ARGUMENT;
if ((digest = calloc(1, roundup(need, mdsz))) == NULL) {
if ((digest = calloc(1, ROUNDUP(need, mdsz))) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}

27
crypto/external/bsd/openssh/dist/kex.h vendored
View File

@ -1,5 +1,5 @@
/* $NetBSD: kex.h,v 1.13 2016/08/02 13:45:12 christos Exp $ */
/* $OpenBSD: kex.h,v 1.78 2016/05/02 10:26:04 djm Exp $ */
/* $NetBSD: kex.h,v 1.14 2016/12/25 00:07:47 christos Exp $ */
/* $OpenBSD: kex.h,v 1.81 2016/09/28 21:44:52 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -37,17 +37,18 @@
#define KEX_COOKIE_LEN 16
#define KEX_DH1 "diffie-hellman-group1-sha1"
#define KEX_DH14_SHA1 "diffie-hellman-group14-sha1"
#define KEX_DH14_SHA256 "diffie-hellman-group14-sha256"
#define KEX_DH16_SHA512 "diffie-hellman-group16-sha512"
#define KEX_DH18_SHA512 "diffie-hellman-group18-sha512"
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
#define KEX_CURVE25519_SHA256 "curve25519-sha256@libssh.org"
#define KEX_DH1 "diffie-hellman-group1-sha1"
#define KEX_DH14_SHA1 "diffie-hellman-group14-sha1"
#define KEX_DH14_SHA256 "diffie-hellman-group14-sha256"
#define KEX_DH16_SHA512 "diffie-hellman-group16-sha512"
#define KEX_DH18_SHA512 "diffie-hellman-group18-sha512"
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
#define KEX_CURVE25519_SHA256 "curve25519-sha256"
#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"
#define COMP_NONE 0
#define COMP_ZLIB 1

2
crypto/external/bsd/openssh/dist/kexc25519.c vendored
View File

@ -25,7 +25,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
__RCSID("$NetBSD: kexc25519.c,v 1.5 2016/08/02 13:45:12 christos Exp $");
__RCSID("$NetBSD: kexc25519.c,v 1.6 2016/12/25 00:07:47 christos Exp $");
#include <sys/types.h>

Some files were not shown because too many files have changed in this diff Show More