diff -ruN --exclude CVS ssh-openbsd-2005090100/.#ssh.c.1.243 openssh-4.2p1/.#ssh.c.1.243 --- ssh-openbsd-2005090100/.#ssh.c.1.243 Sat Jun 18 14:23:39 2005 +++ openssh-4.2p1/.#ssh.c.1.243 Thu Jan 1 10:00:00 1970 @@ -1,1362 +0,0 @@ -/* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - * All rights reserved - * Ssh client program. This program can be used to log into a remote machine. - * The software supports strong authentication, encryption, and forwarding - * of X11, TCP/IP, and authentication connections. - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - * - * Copyright (c) 1999 Niels Provos. All rights reserved. - * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved. - * - * Modified to work with SSL by Niels Provos - * in Canada (German citizen). - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.243 2005/06/16 03:38:36 djm Exp $"); - -#include -#include - -#include "ssh.h" -#include "ssh1.h" -#include "ssh2.h" -#include "compat.h" -#include "cipher.h" -#include "xmalloc.h" -#include "packet.h" -#include "buffer.h" -#include "bufaux.h" -#include "channels.h" -#include "key.h" -#include "authfd.h" -#include "authfile.h" -#include "pathnames.h" -#include "dispatch.h" -#include "clientloop.h" -#include "log.h" -#include "readconf.h" -#include "sshconnect.h" -#include "misc.h" -#include "kex.h" -#include "mac.h" -#include "sshpty.h" -#include "match.h" -#include "msg.h" -#include "monitor_fdpass.h" -#include "uidswap.h" - -#ifdef SMARTCARD -#include "scard.h" -#endif - -extern char *__progname; - -/* Flag indicating whether debug mode is on. This can be set on the command line. */ -int debug_flag = 0; - -/* Flag indicating whether a tty should be allocated */ -int tty_flag = 0; -int no_tty_flag = 0; -int force_tty_flag = 0; - -/* don't exec a shell */ -int no_shell_flag = 0; - -/* - * Flag indicating that nothing should be read from stdin. This can be set - * on the command line. - */ -int stdin_null_flag = 0; - -/* - * Flag indicating that ssh should fork after authentication. This is useful - * so that the passphrase can be entered manually, and then ssh goes to the - * background. - */ -int fork_after_authentication_flag = 0; - -/* - * General data structure for command line options and options configurable - * in configuration files. See readconf.h. - */ -Options options; - -/* optional user configfile */ -char *config = NULL; - -/* - * Name of the host we are connecting to. This is the name given on the - * command line, or the HostName specified for the user-supplied name in a - * configuration file. - */ -char *host; - -/* socket address the host resolves to */ -struct sockaddr_storage hostaddr; - -/* Private host keys. */ -Sensitive sensitive_data; - -/* Original real UID. */ -uid_t original_real_uid; -uid_t original_effective_uid; - -/* command to be executed */ -Buffer command; - -/* Should we execute a command or invoke a subsystem? */ -int subsystem_flag = 0; - -/* # of replies received for global requests */ -static int client_global_request_id = 0; - -/* pid of proxycommand child process */ -pid_t proxy_command_pid = 0; - -/* fd to control socket */ -int control_fd = -1; - -/* Multiplexing control command */ -static u_int mux_command = 0; - -/* Only used in control client mode */ -volatile sig_atomic_t control_client_terminate = 0; -u_int control_server_pid = 0; - -/* Prints a help message to the user. This function never returns. */ - -static void -usage(void) -{ - fprintf(stderr, -"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" -" [-D port] [-e escape_char] [-F configfile]\n" -" [-i identity_file] [-L [bind_address:]port:host:hostport]\n" -" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" -" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" -" [user@]hostname [command]\n" - ); - exit(1); -} - -static int ssh_session(void); -static int ssh_session2(void); -static void load_public_identity_files(void); -static void control_client(const char *path); - -/* - * Main program for the ssh client. - */ -int -main(int ac, char **av) -{ - int i, opt, exit_status; - char *p, *cp, *line, buf[256]; - struct stat st; - struct passwd *pw; - int dummy; - extern int optind, optreset; - extern char *optarg; - Forward fwd; - - /* - * Save the original real uid. It will be needed later (uid-swapping - * may clobber the real uid). - */ - original_real_uid = getuid(); - original_effective_uid = geteuid(); - - /* - * Use uid-swapping to give up root privileges for the duration of - * option processing. We will re-instantiate the rights when we are - * ready to create the privileged port, and will permanently drop - * them when the port has been created (actually, when the connection - * has been made, as we may need to create the port several times). - */ - PRIV_END; - - /* If we are installed setuid root be careful to not drop core. */ - if (original_real_uid != original_effective_uid) { - struct rlimit rlim; - rlim.rlim_cur = rlim.rlim_max = 0; - if (setrlimit(RLIMIT_CORE, &rlim) < 0) - fatal("setrlimit failed: %.100s", strerror(errno)); - } - /* Get user data. */ - pw = getpwuid(original_real_uid); - if (!pw) { - logit("You don't exist, go away!"); - exit(1); - } - /* Take a copy of the returned structure. */ - pw = pwcopy(pw); - - /* - * Set our umask to something reasonable, as some files are created - * with the default umask. This will make them world-readable but - * writable only by the owner, which is ok for all files for which we - * don't set the modes explicitly. - */ - umask(022); - - /* Initialize option structure to indicate that no values have been set. */ - initialize_options(&options); - - /* Parse command-line arguments. */ - host = NULL; - -again: - while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) { - switch (opt) { - case '1': - options.protocol = SSH_PROTO_1; - break; - case '2': - options.protocol = SSH_PROTO_2; - break; - case '4': - options.address_family = AF_INET; - break; - case '6': - options.address_family = AF_INET6; - break; - case 'n': - stdin_null_flag = 1; - break; - case 'f': - fork_after_authentication_flag = 1; - stdin_null_flag = 1; - break; - case 'x': - options.forward_x11 = 0; - break; - case 'X': - options.forward_x11 = 1; - break; - case 'Y': - options.forward_x11 = 1; - options.forward_x11_trusted = 1; - break; - case 'g': - options.gateway_ports = 1; - break; - case 'O': - if (strcmp(optarg, "check") == 0) - mux_command = SSHMUX_COMMAND_ALIVE_CHECK; - else if (strcmp(optarg, "exit") == 0) - mux_command = SSHMUX_COMMAND_TERMINATE; - else - fatal("Invalid multiplex command."); - break; - case 'P': /* deprecated */ - options.use_privileged_port = 0; - break; - case 'a': - options.forward_agent = 0; - break; - case 'A': - options.forward_agent = 1; - break; - case 'k': - options.gss_deleg_creds = 0; - break; - case 'i': - if (stat(optarg, &st) < 0) { - fprintf(stderr, "Warning: Identity file %s " - "not accessible: %s.\n", optarg, - strerror(errno)); - break; - } - if (options.num_identity_files >= - SSH_MAX_IDENTITY_FILES) - fatal("Too many identity files specified " - "(max %d)", SSH_MAX_IDENTITY_FILES); - options.identity_files[options.num_identity_files++] = - xstrdup(optarg); - break; - case 'I': -#ifdef SMARTCARD - options.smartcard_device = xstrdup(optarg); -#else - fprintf(stderr, "no support for smartcards.\n"); -#endif - break; - case 't': - if (tty_flag) - force_tty_flag = 1; - tty_flag = 1; - break; - case 'v': - if (debug_flag == 0) { - debug_flag = 1; - options.log_level = SYSLOG_LEVEL_DEBUG1; - } else { - if (options.log_level < SYSLOG_LEVEL_DEBUG3) - options.log_level++; - break; - } - /* FALLTHROUGH */ - case 'V': - fprintf(stderr, "%s, %s\n", - SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); - if (opt == 'V') - exit(0); - break; - case 'q': - options.log_level = SYSLOG_LEVEL_QUIET; - break; - case 'e': - if (optarg[0] == '^' && optarg[2] == 0 && - (u_char) optarg[1] >= 64 && - (u_char) optarg[1] < 128) - options.escape_char = (u_char) optarg[1] & 31; - else if (strlen(optarg) == 1) - options.escape_char = (u_char) optarg[0]; - else if (strcmp(optarg, "none") == 0) - options.escape_char = SSH_ESCAPECHAR_NONE; - else { - fprintf(stderr, "Bad escape character '%s'.\n", - optarg); - exit(1); - } - break; - case 'c': - if (ciphers_valid(optarg)) { - /* SSH2 only */ - options.ciphers = xstrdup(optarg); - options.cipher = SSH_CIPHER_INVALID; - } else { - /* SSH1 only */ - options.cipher = cipher_number(optarg); - if (options.cipher == -1) { - fprintf(stderr, - "Unknown cipher type '%s'\n", - optarg); - exit(1); - } - if (options.cipher == SSH_CIPHER_3DES) - options.ciphers = "3des-cbc"; - else if (options.cipher == SSH_CIPHER_BLOWFISH) - options.ciphers = "blowfish-cbc"; - else - options.ciphers = (char *)-1; - } - break; - case 'm': - if (mac_valid(optarg)) - options.macs = xstrdup(optarg); - else { - fprintf(stderr, "Unknown mac type '%s'\n", - optarg); - exit(1); - } - break; - case 'M': - if (options.control_master == SSHCTL_MASTER_YES) - options.control_master = SSHCTL_MASTER_ASK; - else - options.control_master = SSHCTL_MASTER_YES; - break; - case 'p': - options.port = a2port(optarg); - if (options.port == 0) { - fprintf(stderr, "Bad port '%s'\n", optarg); - exit(1); - } - break; - case 'l': - options.user = optarg; - break; - - case 'L': - if (parse_forward(&fwd, optarg)) - add_local_forward(&options, &fwd); - else { - fprintf(stderr, - "Bad local forwarding specification '%s'\n", - optarg); - exit(1); - } - break; - - case 'R': - if (parse_forward(&fwd, optarg)) { - add_remote_forward(&options, &fwd); - } else { - fprintf(stderr, - "Bad remote forwarding specification " - "'%s'\n", optarg); - exit(1); - } - break; - - case 'D': - cp = p = xstrdup(optarg); - memset(&fwd, '\0', sizeof(fwd)); - fwd.connect_host = "socks"; - if ((fwd.listen_host = hpdelim(&cp)) == NULL) { - fprintf(stderr, "Bad dynamic forwarding " - "specification '%.100s'\n", optarg); - exit(1); - } - if (cp != NULL) { - fwd.listen_port = a2port(cp); - fwd.listen_host = cleanhostname(fwd.listen_host); - } else { - fwd.listen_port = a2port(fwd.listen_host); - fwd.listen_host = ""; - } - - if (fwd.listen_port == 0) { - fprintf(stderr, "Bad dynamic port '%s'\n", - optarg); - exit(1); - } - add_local_forward(&options, &fwd); - xfree(p); - break; - - case 'C': - options.compression = 1; - break; - case 'N': - no_shell_flag = 1; - no_tty_flag = 1; - break; - case 'T': - no_tty_flag = 1; - break; - case 'o': - dummy = 1; - line = xstrdup(optarg); - if (process_config_line(&options, host ? host : "", - line, "command-line", 0, &dummy) != 0) - exit(1); - xfree(line); - break; - case 's': - subsystem_flag = 1; - break; - case 'S': - if (options.control_path != NULL) - free(options.control_path); - options.control_path = xstrdup(optarg); - break; - case 'b': - options.bind_address = optarg; - break; - case 'F': - config = optarg; - break; - default: - usage(); - } - } - - ac -= optind; - av += optind; - - if (ac > 0 && !host && **av != '-') { - if (strrchr(*av, '@')) { - p = xstrdup(*av); - cp = strrchr(p, '@'); - if (cp == NULL || cp == p) - usage(); - options.user = p; - *cp = '\0'; - host = ++cp; - } else - host = *av; - if (ac > 1) { - optind = optreset = 1; - goto again; - } - ac--, av++; - } - - /* Check that we got a host name. */ - if (!host) - usage(); - - SSLeay_add_all_algorithms(); - ERR_load_crypto_strings(); - - /* Initialize the command to execute on remote host. */ - buffer_init(&command); - - /* - * Save the command to execute on the remote host in a buffer. There - * is no limit on the length of the command, except by the maximum - * packet size. Also sets the tty flag if there is no command. - */ - if (!ac) { - /* No command specified - execute shell on a tty. */ - tty_flag = 1; - if (subsystem_flag) { - fprintf(stderr, - "You must specify a subsystem to invoke.\n"); - usage(); - } - } else { - /* A command has been specified. Store it into the buffer. */ - for (i = 0; i < ac; i++) { - if (i) - buffer_append(&command, " ", 1); - buffer_append(&command, av[i], strlen(av[i])); - } - } - - /* Cannot fork to background if no command. */ - if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag) - fatal("Cannot fork into background without a command to execute."); - - /* Allocate a tty by default if no command specified. */ - if (buffer_len(&command) == 0) - tty_flag = 1; - - /* Force no tty */ - if (no_tty_flag) - tty_flag = 0; - /* Do not allocate a tty if stdin is not a tty. */ - if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { - if (tty_flag) - logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); - tty_flag = 0; - } - - /* - * Initialize "log" output. Since we are the client all output - * actually goes to stderr. - */ - log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, - SYSLOG_FACILITY_USER, 1); - - /* - * Read per-user configuration file. Ignore the system wide config - * file if the user specifies a config file on the command line. - */ - if (config != NULL) { - if (!read_config_file(config, host, &options, 0)) - fatal("Can't open user config file %.100s: " - "%.100s", config, strerror(errno)); - } else { - snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, - _PATH_SSH_USER_CONFFILE); - (void)read_config_file(buf, host, &options, 1); - - /* Read systemwide configuration file after use config. */ - (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, - &options, 0); - } - - /* Fill configuration defaults. */ - fill_default_options(&options); - - channel_set_af(options.address_family); - - /* reinit */ - log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); - - if (options.user == NULL) - options.user = xstrdup(pw->pw_name); - - if (options.hostname != NULL) - host = options.hostname; - - /* force lowercase for hostkey matching */ - if (options.host_key_alias != NULL) { - for (p = options.host_key_alias; *p; p++) - if (isupper(*p)) - *p = tolower(*p); - } - - if (options.proxy_command != NULL && - strcmp(options.proxy_command, "none") == 0) - options.proxy_command = NULL; - if (options.control_path != NULL && - strcmp(options.control_path, "none") == 0) - options.control_path = NULL; - - if (options.control_path != NULL) { - snprintf(buf, sizeof(buf), "%d", options.port); - cp = tilde_expand_filename(options.control_path, - original_real_uid); - options.control_path = percent_expand(cp, "p", buf, "h", host, - "r", options.user, (char *)NULL); - xfree(cp); - } - if (mux_command != 0 && options.control_path == NULL) - fatal("No ControlPath specified for \"-O\" command"); - if (options.control_path != NULL) - control_client(options.control_path); - - /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, - options.address_family, options.connection_attempts, - original_effective_uid == 0 && options.use_privileged_port, - options.proxy_command) != 0) - exit(1); - - /* - * If we successfully made the connection, load the host private key - * in case we will need it later for combined rsa-rhosts - * authentication. This must be done before releasing extra - * privileges, because the file is only readable by root. - * If we cannot access the private keys, load the public keys - * instead and try to execute the ssh-keysign helper instead. - */ - sensitive_data.nkeys = 0; - sensitive_data.keys = NULL; - sensitive_data.external_keysign = 0; - if (options.rhosts_rsa_authentication || - options.hostbased_authentication) { - sensitive_data.nkeys = 3; - sensitive_data.keys = xmalloc(sensitive_data.nkeys * - sizeof(Key)); - - PRIV_START; - sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, - _PATH_HOST_KEY_FILE, "", NULL); - sensitive_data.keys[1] = key_load_private_type(KEY_DSA, - _PATH_HOST_DSA_KEY_FILE, "", NULL); - sensitive_data.keys[2] = key_load_private_type(KEY_RSA, - _PATH_HOST_RSA_KEY_FILE, "", NULL); - PRIV_END; - - if (options.hostbased_authentication == 1 && - sensitive_data.keys[0] == NULL && - sensitive_data.keys[1] == NULL && - sensitive_data.keys[2] == NULL) { - sensitive_data.keys[1] = key_load_public( - _PATH_HOST_DSA_KEY_FILE, NULL); - sensitive_data.keys[2] = key_load_public( - _PATH_HOST_RSA_KEY_FILE, NULL); - sensitive_data.external_keysign = 1; - } - } - /* - * Get rid of any extra privileges that we may have. We will no - * longer need them. Also, extra privileges could make it very hard - * to read identity files and other non-world-readable files from the - * user's home directory if it happens to be on a NFS volume where - * root is mapped to nobody. - */ - if (original_effective_uid == 0) { - PRIV_START; - permanently_set_uid(pw); - } - - /* - * Now that we are back to our own permissions, create ~/.ssh - * directory if it doesn\'t already exist. - */ - snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); - if (stat(buf, &st) < 0) - if (mkdir(buf, 0700) < 0) - error("Could not create directory '%.200s'.", buf); - - /* load options.identity_files */ - load_public_identity_files(); - - /* Expand ~ in known host file names. */ - /* XXX mem-leaks: */ - options.system_hostfile = - tilde_expand_filename(options.system_hostfile, original_real_uid); - options.user_hostfile = - tilde_expand_filename(options.user_hostfile, original_real_uid); - options.system_hostfile2 = - tilde_expand_filename(options.system_hostfile2, original_real_uid); - options.user_hostfile2 = - tilde_expand_filename(options.user_hostfile2, original_real_uid); - - signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ - - /* Log into the remote system. This never returns if the login fails. */ - ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); - - /* We no longer need the private host keys. Clear them now. */ - if (sensitive_data.nkeys != 0) { - for (i = 0; i < sensitive_data.nkeys; i++) { - if (sensitive_data.keys[i] != NULL) { - /* Destroys contents safely */ - debug3("clear hostkey %d", i); - key_free(sensitive_data.keys[i]); - sensitive_data.keys[i] = NULL; - } - } - xfree(sensitive_data.keys); - } - for (i = 0; i < options.num_identity_files; i++) { - if (options.identity_files[i]) { - xfree(options.identity_files[i]); - options.identity_files[i] = NULL; - } - if (options.identity_keys[i]) { - key_free(options.identity_keys[i]); - options.identity_keys[i] = NULL; - } - } - - exit_status = compat20 ? ssh_session2() : ssh_session(); - packet_close(); - - if (options.control_path != NULL && control_fd != -1) - unlink(options.control_path); - - /* - * Send SIGHUP to proxy command if used. We don't wait() in - * case it hangs and instead rely on init to reap the child - */ - if (proxy_command_pid > 1) - kill(proxy_command_pid, SIGHUP); - - return exit_status; -} - -static void -ssh_init_forwarding(void) -{ - int success = 0; - int i; - - /* Initiate local TCP/IP port forwardings. */ - for (i = 0; i < options.num_local_forwards; i++) { - debug("Local connections to %.200s:%d forwarded to remote " - "address %.200s:%d", - (options.local_forwards[i].listen_host == NULL) ? - (options.gateway_ports ? "*" : "LOCALHOST") : - options.local_forwards[i].listen_host, - options.local_forwards[i].listen_port, - options.local_forwards[i].connect_host, - options.local_forwards[i].connect_port); - success += channel_setup_local_fwd_listener( - options.local_forwards[i].listen_host, - options.local_forwards[i].listen_port, - options.local_forwards[i].connect_host, - options.local_forwards[i].connect_port, - options.gateway_ports); - } - if (i > 0 && success == 0) - error("Could not request local forwarding."); - - /* Initiate remote TCP/IP port forwardings. */ - for (i = 0; i < options.num_remote_forwards; i++) { - debug("Remote connections from %.200s:%d forwarded to " - "local address %.200s:%d", - (options.remote_forwards[i].listen_host == NULL) ? - (options.gateway_ports ? "*" : "LOCALHOST") : - options.remote_forwards[i].listen_host, - options.remote_forwards[i].listen_port, - options.remote_forwards[i].connect_host, - options.remote_forwards[i].connect_port); - channel_request_remote_forwarding( - options.remote_forwards[i].listen_host, - options.remote_forwards[i].listen_port, - options.remote_forwards[i].connect_host, - options.remote_forwards[i].connect_port); - } -} - -static void -check_agent_present(void) -{ - if (options.forward_agent) { - /* Clear agent forwarding if we don\'t have an agent. */ - if (!ssh_agent_present()) - options.forward_agent = 0; - } -} - -static int -ssh_session(void) -{ - int type; - int interactive = 0; - int have_tty = 0; - struct winsize ws; - char *cp; - const char *display; - - /* Enable compression if requested. */ - if (options.compression) { - debug("Requesting compression at level %d.", options.compression_level); - - if (options.compression_level < 1 || options.compression_level > 9) - fatal("Compression level must be from 1 (fast) to 9 (slow, best)."); - - /* Send the request. */ - packet_start(SSH_CMSG_REQUEST_COMPRESSION); - packet_put_int(options.compression_level); - packet_send(); - packet_write_wait(); - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) - packet_start_compression(options.compression_level); - else if (type == SSH_SMSG_FAILURE) - logit("Warning: Remote host refused compression."); - else - packet_disconnect("Protocol error waiting for compression response."); - } - /* Allocate a pseudo tty if appropriate. */ - if (tty_flag) { - debug("Requesting pty."); - - /* Start the packet. */ - packet_start(SSH_CMSG_REQUEST_PTY); - - /* Store TERM in the packet. There is no limit on the - length of the string. */ - cp = getenv("TERM"); - if (!cp) - cp = ""; - packet_put_cstring(cp); - - /* Store window size in the packet. */ - if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0) - memset(&ws, 0, sizeof(ws)); - packet_put_int(ws.ws_row); - packet_put_int(ws.ws_col); - packet_put_int(ws.ws_xpixel); - packet_put_int(ws.ws_ypixel); - - /* Store tty modes in the packet. */ - tty_make_modes(fileno(stdin), NULL); - - /* Send the packet, and wait for it to leave. */ - packet_send(); - packet_write_wait(); - - /* Read response from the server. */ - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) { - interactive = 1; - have_tty = 1; - } else if (type == SSH_SMSG_FAILURE) - logit("Warning: Remote host failed or refused to allocate a pseudo tty."); - else - packet_disconnect("Protocol error waiting for pty request response."); - } - /* Request X11 forwarding if enabled and DISPLAY is set. */ - display = getenv("DISPLAY"); - if (options.forward_x11 && display != NULL) { - char *proto, *data; - /* Get reasonable local authentication information. */ - client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, &proto, &data); - /* Request forwarding with authentication spoofing. */ - debug("Requesting X11 forwarding with authentication spoofing."); - x11_request_forwarding_with_spoofing(0, display, proto, data); - - /* Read response from the server. */ - type = packet_read(); - if (type == SSH_SMSG_SUCCESS) { - interactive = 1; - } else if (type == SSH_SMSG_FAILURE) { - logit("Warning: Remote host denied X11 forwarding."); - } else { - packet_disconnect("Protocol error waiting for X11 forwarding"); - } - } - /* Tell the packet module whether this is an interactive session. */ - packet_set_interactive(interactive); - - /* Request authentication agent forwarding if appropriate. */ - check_agent_present(); - - if (options.forward_agent) { - debug("Requesting authentication agent forwarding."); - auth_request_forwarding(); - - /* Read response from the server. */ - type = packet_read(); - packet_check_eom(); - if (type != SSH_SMSG_SUCCESS) - logit("Warning: Remote host denied authentication agent forwarding."); - } - - /* Initiate port forwardings. */ - ssh_init_forwarding(); - - /* If requested, let ssh continue in the background. */ - if (fork_after_authentication_flag) - if (daemon(1, 1) < 0) - fatal("daemon() failed: %.200s", strerror(errno)); - - /* - * If a command was specified on the command line, execute the - * command now. Otherwise request the server to start a shell. - */ - if (buffer_len(&command) > 0) { - int len = buffer_len(&command); - if (len > 900) - len = 900; - debug("Sending command: %.*s", len, (u_char *)buffer_ptr(&command)); - packet_start(SSH_CMSG_EXEC_CMD); - packet_put_string(buffer_ptr(&command), buffer_len(&command)); - packet_send(); - packet_write_wait(); - } else { - debug("Requesting shell."); - packet_start(SSH_CMSG_EXEC_SHELL); - packet_send(); - packet_write_wait(); - } - - /* Enter the interactive session. */ - return client_loop(have_tty, tty_flag ? - options.escape_char : SSH_ESCAPECHAR_NONE, 0); -} - -static void -ssh_subsystem_reply(int type, u_int32_t seq, void *ctxt) -{ - int id, len; - - id = packet_get_int(); - len = buffer_len(&command); - if (len > 900) - len = 900; - packet_check_eom(); - if (type == SSH2_MSG_CHANNEL_FAILURE) - fatal("Request for subsystem '%.*s' failed on channel %d", - len, (u_char *)buffer_ptr(&command), id); -} - -void -client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt) -{ - int i; - - i = client_global_request_id++; - if (i >= options.num_remote_forwards) - return; - debug("remote forward %s for: listen %d, connect %s:%d", - type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", - options.remote_forwards[i].listen_port, - options.remote_forwards[i].connect_host, - options.remote_forwards[i].connect_port); - if (type == SSH2_MSG_REQUEST_FAILURE) - logit("Warning: remote port forwarding failed for listen " - "port %d", options.remote_forwards[i].listen_port); -} - -static void -ssh_control_listener(void) -{ - struct sockaddr_un addr; - mode_t old_umask; - - if (options.control_path == NULL || - options.control_master == SSHCTL_MASTER_NO) - return; - - debug("setting up multiplex master socket"); - - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; - addr.sun_len = offsetof(struct sockaddr_un, sun_path) + - strlen(options.control_path) + 1; - - if (strlcpy(addr.sun_path, options.control_path, - sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) - fatal("ControlPath too long"); - - if ((control_fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) - fatal("%s socket(): %s\n", __func__, strerror(errno)); - - old_umask = umask(0177); - if (bind(control_fd, (struct sockaddr*)&addr, addr.sun_len) == -1) { - control_fd = -1; - if (errno == EINVAL || errno == EADDRINUSE) - fatal("ControlSocket %s already exists", - options.control_path); - else - fatal("%s bind(): %s\n", __func__, strerror(errno)); - } - umask(old_umask); - - if (listen(control_fd, 64) == -1) - fatal("%s listen(): %s\n", __func__, strerror(errno)); - - set_nonblock(control_fd); -} - -/* request pty/x11/agent/tcpfwd/shell for channel */ -static void -ssh_session2_setup(int id, void *arg) -{ - extern char **environ; - const char *display; - int interactive = tty_flag; - - display = getenv("DISPLAY"); - if (options.forward_x11 && display != NULL) { - char *proto, *data; - /* Get reasonable local authentication information. */ - client_x11_get_proto(display, options.xauth_location, - options.forward_x11_trusted, &proto, &data); - /* Request forwarding with authentication spoofing. */ - debug("Requesting X11 forwarding with authentication spoofing."); - x11_request_forwarding_with_spoofing(id, display, proto, data); - interactive = 1; - /* XXX wait for reply */ - } - - check_agent_present(); - if (options.forward_agent) { - debug("Requesting authentication agent forwarding."); - channel_request_start(id, "auth-agent-req@openssh.com", 0); - packet_send(); - } - - client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"), - NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply); - - packet_set_interactive(interactive); -} - -/* open new channel for a session */ -static int -ssh_session2_open(void) -{ - Channel *c; - int window, packetmax, in, out, err; - - if (stdin_null_flag) { - in = open(_PATH_DEVNULL, O_RDONLY); - } else { - in = dup(STDIN_FILENO); - } - out = dup(STDOUT_FILENO); - err = dup(STDERR_FILENO); - - if (in < 0 || out < 0 || err < 0) - fatal("dup() in/out/err failed"); - - /* enable nonblocking unless tty */ - if (!isatty(in)) - set_nonblock(in); - if (!isatty(out)) - set_nonblock(out); - if (!isatty(err)) - set_nonblock(err); - - window = CHAN_SES_WINDOW_DEFAULT; - packetmax = CHAN_SES_PACKET_DEFAULT; - if (tty_flag) { - window >>= 1; - packetmax >>= 1; - } - c = channel_new( - "session", SSH_CHANNEL_OPENING, in, out, err, - window, packetmax, CHAN_EXTENDED_WRITE, - "client-session", /*nonblock*/0); - - debug3("ssh_session2_open: channel_new: %d", c->self); - - channel_send_open(c->self); - if (!no_shell_flag) - channel_register_confirm(c->self, ssh_session2_setup, NULL); - - return c->self; -} - -static int -ssh_session2(void) -{ - int id = -1; - - /* XXX should be pre-session */ - ssh_init_forwarding(); - ssh_control_listener(); - - if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN)) - id = ssh_session2_open(); - - /* If requested, let ssh continue in the background. */ - if (fork_after_authentication_flag) - if (daemon(1, 1) < 0) - fatal("daemon() failed: %.200s", strerror(errno)); - - return client_loop(tty_flag, tty_flag ? - options.escape_char : SSH_ESCAPECHAR_NONE, id); -} - -static void -load_public_identity_files(void) -{ - char *filename; - int i = 0; - Key *public; -#ifdef SMARTCARD - Key **keys; - - if (options.smartcard_device != NULL && - options.num_identity_files < SSH_MAX_IDENTITY_FILES && - (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { - int count = 0; - for (i = 0; keys[i] != NULL; i++) { - count++; - memmove(&options.identity_files[1], &options.identity_files[0], - sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); - memmove(&options.identity_keys[1], &options.identity_keys[0], - sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); - options.num_identity_files++; - options.identity_keys[0] = keys[i]; - options.identity_files[0] = sc_get_key_label(keys[i]); - } - if (options.num_identity_files > SSH_MAX_IDENTITY_FILES) - options.num_identity_files = SSH_MAX_IDENTITY_FILES; - i = count; - xfree(keys); - } -#endif /* SMARTCARD */ - for (; i < options.num_identity_files; i++) { - filename = tilde_expand_filename(options.identity_files[i], - original_real_uid); - public = key_load_public(filename, NULL); - debug("identity file %s type %d", filename, - public ? public->type : -1); - xfree(options.identity_files[i]); - options.identity_files[i] = filename; - options.identity_keys[i] = public; - } -} - -static void -control_client_sighandler(int signo) -{ - control_client_terminate = signo; -} - -static void -control_client_sigrelay(int signo) -{ - if (control_server_pid > 1) - kill(control_server_pid, signo); -} - -static int -env_permitted(char *env) -{ - int i; - char name[1024], *cp; - - strlcpy(name, env, sizeof(name)); - if ((cp = strchr(name, '=')) == NULL) - return (0); - - *cp = '\0'; - - for (i = 0; i < options.num_send_env; i++) - if (match_pattern(name, options.send_env[i])) - return (1); - - return (0); -} - -static void -control_client(const char *path) -{ - struct sockaddr_un addr; - int i, r, fd, sock, exitval, num_env; - Buffer m; - char *term; - extern char **environ; - u_int flags; - - if (mux_command == 0) - mux_command = SSHMUX_COMMAND_OPEN; - - switch (options.control_master) { - case SSHCTL_MASTER_AUTO: - case SSHCTL_MASTER_AUTO_ASK: - debug("auto-mux: Trying existing master"); - /* FALLTHROUGH */ - case SSHCTL_MASTER_NO: - break; - default: - return; - } - - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; - addr.sun_len = offsetof(struct sockaddr_un, sun_path) + - strlen(path) + 1; - - if (strlcpy(addr.sun_path, path, - sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) - fatal("ControlPath too long"); - - if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) - fatal("%s socket(): %s", __func__, strerror(errno)); - - if (connect(sock, (struct sockaddr*)&addr, addr.sun_len) == -1) { - if (mux_command != SSHMUX_COMMAND_OPEN) { - fatal("Control socket connect(%.100s): %s", path, - strerror(errno)); - } - if (errno == ENOENT) - debug("Control socket \"%.100s\" does not exist", path); - else { - error("Control socket connect(%.100s): %s", path, - strerror(errno)); - } - close(sock); - return; - } - - if (stdin_null_flag) { - if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) - fatal("open(/dev/null): %s", strerror(errno)); - if (dup2(fd, STDIN_FILENO) == -1) - fatal("dup2: %s", strerror(errno)); - if (fd > STDERR_FILENO) - close(fd); - } - - if ((term = getenv("TERM")) == NULL) - term = ""; - - flags = 0; - if (tty_flag) - flags |= SSHMUX_FLAG_TTY; - if (subsystem_flag) - flags |= SSHMUX_FLAG_SUBSYS; - - buffer_init(&m); - - /* Send our command to server */ - buffer_put_int(&m, mux_command); - buffer_put_int(&m, flags); - if (ssh_msg_send(sock, /* version */1, &m) == -1) - fatal("%s: msg_send", __func__); - buffer_clear(&m); - - /* Get authorisation status and PID of controlee */ - if (ssh_msg_recv(sock, &m) == -1) - fatal("%s: msg_recv", __func__); - if (buffer_get_char(&m) != 1) - fatal("%s: wrong version", __func__); - if (buffer_get_int(&m) != 1) - fatal("Connection to master denied"); - control_server_pid = buffer_get_int(&m); - - buffer_clear(&m); - - switch (mux_command) { - case SSHMUX_COMMAND_ALIVE_CHECK: - fprintf(stderr, "Master running (pid=%d)\r\n", - control_server_pid); - exit(0); - case SSHMUX_COMMAND_TERMINATE: - fprintf(stderr, "Exit request sent.\r\n"); - exit(0); - case SSHMUX_COMMAND_OPEN: - /* continue below */ - break; - default: - fatal("silly mux_command %d", mux_command); - } - - /* SSHMUX_COMMAND_OPEN */ - buffer_put_cstring(&m, term); - buffer_append(&command, "\0", 1); - buffer_put_cstring(&m, buffer_ptr(&command)); - - if (options.num_send_env == 0 || environ == NULL) { - buffer_put_int(&m, 0); - } else { - /* Pass environment */ - num_env = 0; - for (i = 0; environ[i] != NULL; i++) - if (env_permitted(environ[i])) - num_env++; /* Count */ - - buffer_put_int(&m, num_env); - - for (i = 0; environ[i] != NULL && num_env >= 0; i++) - if (env_permitted(environ[i])) { - num_env--; - buffer_put_cstring(&m, environ[i]); - } - } - - if (ssh_msg_send(sock, /* version */1, &m) == -1) - fatal("%s: msg_send", __func__); - - mm_send_fd(sock, STDIN_FILENO); - mm_send_fd(sock, STDOUT_FILENO); - mm_send_fd(sock, STDERR_FILENO); - - /* Wait for reply, so master has a chance to gather ttymodes */ - buffer_clear(&m); - if (ssh_msg_recv(sock, &m) == -1) - fatal("%s: msg_recv", __func__); - if (buffer_get_char(&m) != 1) - fatal("%s: wrong version", __func__); - buffer_free(&m); - - signal(SIGHUP, control_client_sighandler); - signal(SIGINT, control_client_sighandler); - signal(SIGTERM, control_client_sighandler); - signal(SIGWINCH, control_client_sigrelay); - - if (tty_flag) - enter_raw_mode(); - - /* Stick around until the controlee closes the client_fd */ - exitval = 0; - for (;!control_client_terminate;) { - r = read(sock, &exitval, sizeof(exitval)); - if (r == 0) { - debug2("Received EOF from master"); - break; - } - if (r > 0) - debug2("Received exit status from master %d", exitval); - if (r == -1 && errno != EINTR) - fatal("%s: read %s", __func__, strerror(errno)); - } - - if (control_client_terminate) - debug2("Exiting on signal %d", control_client_terminate); - - close(sock); - - leave_raw_mode(); - - if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) - fprintf(stderr, "Connection to master closed.\r\n"); - - exit(exitval); -} diff -ruN --exclude CVS ssh-openbsd-2005090100/.cvsignore openssh-4.2p1/.cvsignore --- ssh-openbsd-2005090100/.cvsignore Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/.cvsignore Sun Jun 19 09:10:40 2005 @@ -0,0 +1,28 @@ +ssh +scp +sshd +ssh-add +ssh-keygen +ssh-keyscan +ssh-keysign +ssh-agent +sftp-server +sftp +configure +config.h.in +config.h +config.status +config.cache +config.log +stamp-h.in +Makefile +ssh_prng_cmds +*.out +*.0 +buildit.sh +buildpkg.sh +autom4te.cache +ssh-rand-helper +survey.sh +survey +opensshd.init diff -ruN --exclude CVS ssh-openbsd-2005090100/CREDITS openssh-4.2p1/CREDITS --- ssh-openbsd-2005090100/CREDITS Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/CREDITS Sat Aug 27 06:15:20 2005 @@ -0,0 +1,104 @@ +Tatu Ylonen - Creator of SSH + +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt, and Dug Song - Creators of OpenSSH + +Ahsan Rashid - UnixWare long passwords +Alain St-Denis - Irix fix +Alexandre Oliva - AIX fixes +Andre Lucas - new login code, many fixes +Andreas Steinmetz - Shadow password expiry support +Andrew McGill - SCO fixes +Andrew Morgan - PAM bugfixes +Andrew Stribblehill - Bugfixes +Andy Sloane - bugfixes +Aran Cox - SCO bugfixes +Arkadiusz Miskiewicz - IPv6 compat fixes +Ben Lindstrom - NeXT support +Ben Taylor - Solaris debugging and fixes +Bratislav ILICH - Configure fix +Charles Levert - SunOS 4 & bug fixes +Chip Salzenberg - Assorted patches +Chris Adams - OSF SIA support +Chris Saia - SuSE packaging +Chris, the Young One - Password auth fixes +Christos Zoulas - Autoconf fixes +Chun-Chung Chen - RPM fixes +Corinna Vinschen - Cygwin support +Dan Brosemer - Autoconf support, build fixes +Darren Hall - AIX patches +Darren Tucker - AIX BFF package scripts +David Agraz - Build fixes +David Del Piero - bug fixes +David Hesprich - Configure fixes +David Rankin - libwrap, AIX, NetBSD fixes +Dag-Erling Smørgrav - Challenge-Response PAM code. +Dhiraj Gulati - UnixWare long passwords +Ed Eden - configure fixes +Garrick James - configure fixes +Gary E. Miller - SCO support +Ged Lodder - HPUX fixes and enhancements +Gert Doering - bug and portability fixes +HARUYAMA Seigo - Translations & doc fixes +Hideaki YOSHIFUJI - IPv6 and bug fixes +Hiroshi Takekawa - Configure fixes +Holger Trapp - KRB4/AFS config patch +IWAMURO Motonori - bugfixes +Jani Hakala - Patches +Jarno Huuskonen - Bugfixes +Jim Knoble - Many patches +Jonchen (email unknown) - the original author of PAM support of SSH +Juergen Keil - scp bugfixing +KAMAHARA Junzo - Configure fixes +Kees Cook - scp fixes +Kenji Miyake - Configure fixes +Kevin Cawlfield - AIX fixes. +Kevin O'Connor - RSAless operation +Kevin Steves - HP support, bugfixes, improvements +Kiyokazu SUTO - Bugfixes +Larry Jones - Bugfixes +Lutz Jaenicke - Bugfixes +Marc G. Fournier - Solaris patches +Mark D. Baushke - bug fixes +Martin Johansson - Linux fixes +Mark D. Roth - Features, bug fixes +Mark Miller - Bugfixes +Matt Richards - AIX patches +Michael Steffens - HP-UX fixes +Michael Stone - Irix enhancements +Nakaji Hiroyuki - Sony News-OS patch +Nalin Dahyabhai - PAM environment patch +Nate Itkin - SunOS 4.1.x fixes +Niels Kristian Bech Jensen - Assorted patches +Pavel Kankovsky - Security fixes +Pavel Troller - Bugfixes +Pekka Savola - Bugfixes +Peter Kocks - Makefile fixes +Peter Stuge - mdoc2man.awk script +Phil Hands - Debian scripts, assorted patches +Phil Karn - Autoconf fixes +Philippe WILLEM - Bugfixes +Phill Camp - login code fix +Rip Loomis - Solaris package support, fixes +Robert Dahlem - Reliant Unix fixes +Roumen Petrov - Compile & configure fixes +SAKAI Kiyotaka - Multiple bugfixes +Simon Wilkinson - PAM fixes, Compat with MIT KrbV +Solar Designer - many patches and technical assistance +Svante Signell - Bugfixes +Thomas Neumann - Shadow passwords +Tim Rice - Portability & SCO fixes +Tobias Oetiker - Bugfixes +Tom Bertelson's - AIX auth fixes +Tor-Ake Fransson - AIX support +Tudor Bosman - MD5 password support +Udo Schweigert - ReliantUNIX support +Wendy Palm - Cray support. +Zack Weinberg - GNOME askpass enhancement + +Apologies to anyone I have missed. + +Damien Miller + +$Id: CREDITS,v 1.80 2005/08/26 20:15:20 tim Exp $ + diff -ruN --exclude CVS ssh-openbsd-2005090100/ChangeLog openssh-4.2p1/ChangeLog --- ssh-openbsd-2005090100/ChangeLog Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/ChangeLog Thu Sep 1 19:10:48 2005 @@ -0,0 +1,2992 @@ +20050901 + - (djm) Update RPM spec file versions + +20050831 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/08/30 22:08:05 + [gss-serv.c sshconnect2.c] + destroy credentials if krb5_kuserok() call fails. Stops credentials being + delegated to users who are not authorised for GSSAPIAuthentication when + GSSAPIDeletegateCredentials=yes and another authentication mechanism + succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by + simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@ + - markus@cvs.openbsd.org 2005/08/31 09:28:42 + [version.h] + 4.2 + - (dtucker) [README] Update release note URL to 4.2 + - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c + openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable + libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd(). + Feedback and OK dtucker@ + +20050830 + - (tim) [configure.ac] Back out last change. It needs to be done differently. + +20050829 + - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long + password support to 7.x for now. + +20050826 + - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c + openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h + openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c + openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char) + on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing + by tim@. Feedback and OK dtucker@ + +20050823 + - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully- + qualified sshd pathname since some systems (eg Cygwin) may consider "/foo" + and "//foo" to be different. Spotted by vinschen at redhat.com. + - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements + and OK dtucker@ + - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@ + +20050821 + - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for + LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@ + +20050816 + - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE, + from Jacob Nevins; ok dtucker@ + +20050815 + - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT + - (tim) [configure.ac] corrections to libedit tests. Report and patches + by skeleten AT shillest.net + +20050812 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2005/07/28 17:36:22 + [packet.c] + missing packet_init_compression(); from solar + - djm@cvs.openbsd.org 2005/07/30 01:26:16 + [ssh.c] + fix -D listen_host initialisation, so it picks up gateway_ports setting + correctly + - djm@cvs.openbsd.org 2005/07/30 02:03:47 + [readconf.c] + listen_hosts initialisation here too; spotted greg AT y2005.nest.cx + - dtucker@cvs.openbsd.org 2005/08/06 10:03:12 + [servconf.c] + Unbreak sshd ListenAddress for bare IPv6 addresses. + Report from Janusz Mucka; ok djm@ + - jaredy@cvs.openbsd.org 2005/08/08 13:22:48 + [sftp.c] + sftp prompt enhancements: + - in non-interactive mode, do not print an empty prompt at the end + before finishing + - print newline after EOF in editline mode + - call el_end() in editline mode + ok dtucker djm + +20050810 + - (dtucker) [configure.ac] Test libedit library and headers for compatibility. + Report from skeleten AT shillest.net, ok djm@ + - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c] + Sync current (thread-safe) version of realpath.c from OpenBSD (which is + in turn based on FreeBSD's). ok djm@ + +20050809 + - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@ + Report by skeleten AT shillest.net + +20050803 + - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines + individually and use a value less likely to collide with real values from + netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@ + - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the + latter is specified in the standard. + +20050802 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/07/27 10:39:03 + [scp.c hostfile.c sftp-client.c] + Silence bogus -Wuninitialized warnings; ok djm@ + - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling + with gcc. ok djm@ + - (dtucker) [configure.ac] Add a --with-Werror option to configure for + adding -Werror to CFLAGS when all of the configure tests are done. ok djm@ + +20050726 + - (dtucker) [configure.ac] Update zlib warning message too, pointed out by + tim@. + - (djm) OpenBSD CVS Sync + - otto@cvs.openbsd.org 2005/07/19 15:32:26 + [auth-passwd.c] + auth_usercheck(3) can return NULL, so check for that. Report from + mpech@. ok markus@ + - markus@cvs.openbsd.org 2005/07/25 11:59:40 + [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] + [sshconnect2.c sshd.c sshd_config sshd_config.5] + add a new compression method that delays compression until the user + has been authenticated successfully and set compression to 'delayed' + for sshd. + this breaks older openssh clients (< 3.5) if they insist on + compression, so you have to re-enable compression in sshd_config. + ok djm@ + +20050725 + - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096. + +20050717 +- OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/07/16 01:35:24 + [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c] + [sshconnect.c] + spacing + - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c] + [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL + in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]") + - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line + - djm@cvs.openbsd.org 2005/07/17 06:49:04 + [channels.c channels.h session.c session.h] + Fix a number of X11 forwarding channel leaks: + 1. Refuse multiple X11 forwarding requests on the same session + 2. Clean up all listeners after a single_connection X11 forward, not just + the one that made the single connection + 3. Destroy X11 listeners when the session owning them goes away + testing and ok dtucker@ + - djm@cvs.openbsd.org 2005/07/17 07:17:55 + [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c] + [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c] + [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c] + [sshconnect.c sshconnect2.c] + knf says that a 2nd level indent is four (not three or five) spaces + -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c] + [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too + - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls + +20050716 + - (dtucker) [auth-pam.c] Ensure that only one side of the authentication + socketpair stays open on in both the monitor and PAM process. Patch from + Joerg Sonnenberger. + +20050714 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/07/06 09:33:05 + [ssh.1] + clarify meaning of ssh -b ; with & ok jmc@ + - dtucker@cvs.openbsd.org 2005/07/08 09:26:18 + [misc.c] + Make comment match code; ok djm@ + - markus@cvs.openbsd.org 2005/07/08 09:41:33 + [channels.h] + race when efd gets closed while there is still buffered data: + change CHANNEL_EFD_OUTPUT_ACTIVE() + 1) c->efd must always be valid AND + 2a) no EOF has been seen OR + 2b) there is buffered data + report, initial fix and testing Chuck Cranor + - dtucker@cvs.openbsd.org 2005/07/08 10:20:41 + [ssh_config.5] + change BindAddress to match recent ssh -b change; prompted by markus@ + - jmc@cvs.openbsd.org 2005/07/08 12:53:10 + [ssh_config.5] + new sentence, new line; + - dtucker@cvs.openbsd.org 2005/07/14 04:00:43 + [misc.h] + use __sentinel__ attribute; ok deraadt@ djm@ markus@ + - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the + compiler doesn't understand it to prevent warnings. If any mainstream + compiler versions acquire it we can test for those versions. Based on + discussion with djm@. + +20050707 + - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for + the MIT Kerberos code path into a common function and expand mkstemp + template to be consistent with the rest of OpenSSH. From sxw at + inf.ed.ac.uk, ok djm@ + - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno + in the case where the buffer is insufficient, so always return ENOMEM. + Also pointed out by sxw at inf.ed.ac.uk. + - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove + calls to krb5_init_ets, which has not been required since krb-1.1.x and + most Kerberos versions no longer export in their public API. From sxw + at inf.ed.ac.uk, ok djm@ + +20050706 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2005/07/01 13:19:47 + [channels.c] + don't free() if getaddrinfo() fails; report mpech@ + - djm@cvs.openbsd.org 2005/07/04 00:58:43 + [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5] + implement support for X11 and agent forwarding over multiplex slave + connections. Because of protocol limitations, the slave connections inherit + the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding + their own. + ok dtucker@ "put it in" deraadt@ + - jmc@cvs.openbsd.org 2005/07/04 11:29:51 + [ssh_config.5] + fix Xr and a little grammar; + - markus@cvs.openbsd.org 2005/07/04 14:04:11 + [channels.c] + don't forget to set x11_saved_display + +20050626 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/06/17 22:53:47 + [ssh.c sshconnect.c] + Fix ControlPath's %p expanding to "0" for a default port, + spotted dwmw2 AT infradead.org; ok markus@ + - djm@cvs.openbsd.org 2005/06/18 04:30:36 + [ssh.c ssh_config.5] + allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ + - djm@cvs.openbsd.org 2005/06/25 22:47:49 + [ssh.c] + do the default port filling code a few lines earlier, so it really + does fix %p + +20050618 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/05/20 12:57:01; + [auth1.c] split protocol 1 auth methods into separate functions, makes + authloop much more readable; fixes and ok markus@ (portable ok & + polish dtucker@) + - djm@cvs.openbsd.org 2005/06/17 02:44:33 + [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@ + - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable, + tested and fixes tim@ + +20050617 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/06/16 03:38:36 + [channels.c channels.h clientloop.c clientloop.h ssh.c] + move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd + easier later; ok deraadt@ + - markus@cvs.openbsd.org 2005/06/16 08:00:00 + [canohost.c channels.c sshd.c] + don't exit if getpeername fails for forwarded ports; bugzilla #1054; + ok djm + - djm@cvs.openbsd.org 2005/06/17 02:44:33 + [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c] + [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c] + [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c] + [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c] + [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c] + make this -Wsign-compare clean; ok avsm@ markus@ + NB. auth1.c changes not committed yet (conflicts with uncommitted sync) + NB2. more work may be needed to make portable Wsign-compare clean + - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h + openbsd-compat/openssl-compat.c] only include openssl compat stuff where + it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by + and ok tim@ + +20050616 + - (djm) OpenBSD CVS Sync + - jaredy@cvs.openbsd.org 2005/06/07 13:25:23 + [progressmeter.c] + catch SIGWINCH and resize progress meter accordingly; ok markus dtucker + - djm@cvs.openbsd.org 2005/06/06 11:20:36 + [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c] + introduce a generic %foo expansion function. replace existing % expansion + and add expansion to ControlPath; ok markus@ + - djm@cvs.openbsd.org 2005/06/08 03:50:00 + [ssh-keygen.1 ssh-keygen.c sshd.8] + increase default rsa/dsa key length from 1024 to 2048 bits; + ok markus@ deraadt@ + - djm@cvs.openbsd.org 2005/06/08 11:25:09 + [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] + add ControlMaster=auto/autoask options to support opportunistic + multiplexing; tested avsm@ and jakob@, ok markus@ + - dtucker@cvs.openbsd.org 2005/06/09 13:43:49 + [cipher.c] + Correctly initialize end of array sentinel; ok djm@ + (Id sync only, change already in portable) + +20050609 + - (dtucker) [cipher.c openbsd-compat/Makefile.in + openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}] + Move compatibility code for supporting older OpenSSL versions to the + compat layer. Suggested by and "no objection" djm@ + +20050607 + - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX: + in today's episode we attempt to coax it from limits.h where it may be + hiding, failing that we take the DIY approach. Tested by tim@ + +20050603 + - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't + defined, and check that it helps before keeping it in CFLAGS. Some old + gcc's don't set an error code when encountering an unknown value in -std. + Found and tested by tim@. + - (dtucker) [configure.ac] Point configure's reporting address at the + openssh-unix-dev list. ok tim@ djm@ + +20050602 + - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h. + Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms + to skip builtin standard includes tests. (first AC_CHECK_HEADERS test + must be run on all platforms) Add missing ;; to case statement. OK dtucker@ + +20050601 + - (dtucker) [configure.ac] Look for _getshort and _getlong in + arpa/nameser.h. + - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c] + Add strtoll to the compat library, from OpenBSD. + - (dtucker) OpenBSD CVS Sync + - avsm@cvs.openbsd.org 2005/05/26 02:08:05 + [scp.c] + If copying multiple files to a target file (which normally fails, as it + must be a target directory), kill the spawned ssh child before exiting. + This stops it trying to authenticate and spewing lots of output. + deraadt@ ok + - dtucker@cvs.openbsd.org 2005/05/26 09:08:12 + [ssh-keygen.c] + uint32_t -> u_int32_t for consistency; ok djm@ + - djm@cvs.openbsd.org 2005/05/27 08:30:37 + [ssh.c] + fix -O for cases where no ControlPath has been specified or socket at + ControlPath is not contactable; spotted by and ok avsm@ + - (tim) [config.guess config.sub] Update to '2005-05-27' version. + - (tim) [configure.ac] set TEST_SHELL for OpenServer 6 + +20050531 + - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at + vintela.com. + - (dtucker) [mdoc2man.awk] Teach it to understand .Ox. + +20050530 + - (dtucker) [README] Link to new release notes. Beter late than never... + +20050529 + - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the + argument to passwdexpired to be initialized to NULL. Suggested by tim@ + While at it, initialize the other arguments to auth functions in case they + ever acquire this behaviour. + - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there. + - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message, + spotted by tim@. + +20050528 + - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have + one entry per line to make it easier to merge changes. ok djm@ + - (dtucker) [configure.ac] strsep() may be defined in string.h, so check + for its presence and include it in the strsep check. + - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for + its presence before doing AC_FUNC_GETPGRP. + - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor + version-specific variations as required. + - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as + per the autoconf man page. Configure should always define them but it + doesn't hurt to check. + +20050527 + - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by + David Leach; ok dtucker@ + - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c + openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo. + Required changes from Bernhard Simon, integrated by me. ok djm@ + +20050525 + - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not + been used for a while + - (djm) OpenBSD CVS Sync + - otto@cvs.openbsd.org 2005/04/05 13:45:31 + [ssh-keygen.c] + - djm@cvs.openbsd.org 2005/04/06 09:43:59 + [sshd.c] + avoid harmless logspam by not performing setsockopt() on non-socket; + ok markus@ + - dtucker@cvs.openbsd.org 2005/04/06 12:26:06 + [ssh.c] + Fix debug call for port forwards; patch from pete at seebeyond.com, + ok djm@ (ID sync only - change already in portable) + - djm@cvs.openbsd.org 2005/04/09 04:32:54 + [misc.c misc.h tildexpand.c Makefile.in] + replace tilde_expand_filename with a simpler implementation, ahead of + more whacking; ok deraadt@ + - jmc@cvs.openbsd.org 2005/04/14 12:30:30 + [ssh.1] + arg to -b is an address, not if_name; + ok markus@ + - jakob@cvs.openbsd.org 2005/04/20 10:05:45 + [dns.c] + do not try to look up SSHFP for numerical hostname. ok djm@ + - djm@cvs.openbsd.org 2005/04/21 06:17:50 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] + [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment + variable, so don't say that we do (bz #623); ok deraadt@ + - djm@cvs.openbsd.org 2005/04/21 11:47:19 + [ssh.c] + don't allocate a pty when -n flag (/dev/null stdin) is set, patch from + ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@ + - dtucker@cvs.openbsd.org 2005/04/23 23:43:47 + [readpass.c] + Add debug message if read_passphrase can't open /dev/tty; bz #471; + ok djm@ + - jmc@cvs.openbsd.org 2005/04/26 12:59:02 + [sftp-client.h] + spelling correction in comment from wiz@netbsd; + - jakob@cvs.openbsd.org 2005/04/26 13:08:37 + [ssh.c ssh_config.5] + fallback gracefully if client cannot connect to ControlPath. ok djm@ + - moritz@cvs.openbsd.org 2005/04/28 10:17:56 + [progressmeter.c ssh-keyscan.c] + add snprintf checks. ok djm@ markus@ + - markus@cvs.openbsd.org 2005/05/02 21:13:22 + [readpass.c] + missing {} + - djm@cvs.openbsd.org 2005/05/10 10:28:11 + [ssh.c] + print nice error message for EADDRINUSE as well (ID sync only) + - djm@cvs.openbsd.org 2005/05/10 10:30:43 + [ssh.c] + report real errors on fallback from ControlMaster=no to normal connect + - markus@cvs.openbsd.org 2005/05/16 15:30:51 + [readconf.c servconf.c] + check return value from strdelim() for NULL (AddressFamily); mpech + - djm@cvs.openbsd.org 2005/05/19 02:39:55 + [sshd_config.5] + sort config options, from grunk AT pestilenz.org; ok jmc@ + - djm@cvs.openbsd.org 2005/05/19 02:40:52 + [sshd_config] + whitespace nit, from grunk AT pestilenz.org + - djm@cvs.openbsd.org 2005/05/19 02:42:26 + [includes.h] + fix cast, from grunk AT pestilenz.org + - djm@cvs.openbsd.org 2005/05/20 10:50:55 + [ssh_config.5] + give a ProxyCommand example using nc(1), with and ok jmc@ + - jmc@cvs.openbsd.org 2005/05/20 11:23:32 + [ssh_config.5] + oops - article and spacing; + - avsm@cvs.openbsd.org 2005/05/23 22:44:01 + [moduli.c ssh-keygen.c] + - removes signed/unsigned comparisons in moduli generation + - use strtonum instead of atoi where its easier + - check some strlcpy overflow and fatal instead of truncate + - djm@cvs.openbsd.org 2005/05/23 23:32:46 + [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] + add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; + ok markus@ + - avsm@cvs.openbsd.org 2005/05/24 02:05:09 + [ssh-keygen.c] + some style nits from dmiller@, and use a fatal() instead of a printf()/exit + - avsm@cvs.openbsd.org 2005/05/24 17:32:44 + [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c] + [ssh-keyscan.c sshconnect.c] + Switch atomicio to use a simpler interface; it now returns a size_t + (containing number of bytes read/written), and indicates error by + returning 0. EOF is signalled by errno==EPIPE. + Typical use now becomes: + + if (atomicio(read, ..., len) != len) + err(1,"read"); + + ok deraadt@, cloder@, djm@ + - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on + Cygwin. + - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux: + warning: dereferencing type-punned pointer will break strict-aliasing rules + warning: passing arg 3 of `pam_get_item' from incompatible pointer type + The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@ + - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide + templates for _getshort and _getlong if missing to prevent compiler warnings + on Linux. + - (djm) [configure.ac openbsd-compat/Makefile.in] + [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c] + Add strtonum(3) from OpenBSD libc, new code needs it. + Unfortunately Linux forces us to do a bizarre dance with compiler + options to get LLONG_MIN/MAX; Spotted by and ok dtucker@ + +20050524 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update spec file versions to 4.1p1 + - (dtucker) [auth-pam.c] Since people don't seem to be getting the message + that USE_POSIX_THREADS is unsupported, not recommended and generally a bad + idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use + USE_POSIX_THREADS will now generate an error so we don't silently change + behaviour. ok djm@ + - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory + allocation when retrieving core Windows environment. Add CYGWIN variable + to propagated variables. Patch from vinschen at redhat.com, ok djm@ + - Release 4.1p1 + +20050524 + - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure + terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz; + "looks ok" dtucker@ + +20050512 + - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script + hard link section. Bug 1038. + +20050509 + - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a + user-mode mounts in Cygwin installation. Patch from vinschen at redhat.com. + +20050504 + - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used + unix domain socket, so catch that too; from jakob@ ok dtucker@ + +20050503 + - (dtucker) [canohost.c] normalise socket addresses returned by + get_remote_hostname(). This means that IPv4 addresses in log messages + on IPv6 enabled machines will no longer be prefixed by "::ffff:" and + AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style + addresses only for 4-in-6 mapped connections, regardless of whether + or not the machine is IPv6 enabled. ok djm@ + +20050425 + - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the + existence of a process since it's more portable. Found by jbasney at + ncsa.uiuc.edu; ok tim@ + - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh + will clean up anyway. From tim@ + - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running + "make tests" works even if you're building on a filesystem that doesn't + support sockets. From deengert at anl.gov, ok djm@ + +20050424 + - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or + 1.2.1.2 or higher. With tim@, ok djm@ + +20050423 + - (tim) [config.guess] Add support for OpenServer 6. + +20050421 + - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if + UseLogin is set as PAM is not used to establish credentials in that + case. Found by Michael Selvesteen, ok djm@ + +20050419 + - (dtucker) [INSTALL] Reference README.privsep for the privilege separation + requirements. Pointed out by Bengt Svensson. + - (dtucker) [INSTALL] Put the s/key text and URL back together. + - (dtucker) [INSTALL] Fix s/key text too. + +20050411 + - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME + +20050405 + - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it. ok djm@ + - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on + Tru64. Patch from cmadams at hiwaay.net. + - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of + sys_auth_passwd, pointed out by cmadams at hiwaay.net. + +20050403 + - (djm) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2005/03/31 18:39:21 + [scp.c] + copy argv[] element instead of smashing the one that ps will see; ok otto + - djm@cvs.openbsd.org 2005/04/02 12:41:16 + [scp.c] + since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror + build + - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read + will free as needed. ok tim@ djm@ + +20050331 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/03/16 11:10:38 + [ssh_config.5] + get the syntax right for {Local,Remote}Forward; + based on a diff from markus; + problem report from ponraj; + ok dtucker@ markus@ deraadt@ + - markus@cvs.openbsd.org 2005/03/16 21:17:39 + [version.h] + 4.1 + - jmc@cvs.openbsd.org 2005/03/18 17:05:00 + [sshd_config.5] + typo; + - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in + handling of password expiry messages returned by AIX's authentication + routines, originally reported by robvdwal at sara.nl. + - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug + message on some platforms. Patch from pete at seebeyond.com via djm. + - (dtucker) [monitor.c] Remaining part of fix for bug #1006. + +20050329 + - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're + interested in which is much faster in large (eg LDAP or NIS) environments. + Patch from dleonard at vintela.com. + +20050321 + - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes + and -Lyes to CFLAGS and LIBS. Pointed out by peter at slagheap.net, + with & ok tim@ + - (dtucker) [configure.ac] Make configure error out if the user specifies + --with-libedit but the required libs can't be found, rather than silently + ignoring and continuing. ok tim@ + - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions + of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se. + +20050317 + - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional. + Make --without-opensc work. + - (tim) [configure.ac] portability changes on test statements. Some shells + have problems with -a operator. + - (tim) [configure.ac] make some configure options a little more error proof. + - (tim) [configure.ac] remove trailing white space. + +20050314 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/03/10 10:15:02 + [readconf.c] + Check listen addresses for null, prevents xfree from dying during + ClearAllForwardings (bz #996). From Craig Leres, ok markus@ + - deraadt@cvs.openbsd.org 2005/03/10 22:01:05 + [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c + monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c + readconf.c bufaux.c sftp.c] + spacing + - deraadt@cvs.openbsd.org 2005/03/10 22:40:38 + [auth-options.c] + spacing + - markus@cvs.openbsd.org 2005/03/11 14:59:06 + [ssh-keygen.c] + typo, missing \n; mpech + - jmc@cvs.openbsd.org 2005/03/12 11:55:03 + [ssh_config.5] + escape `.' at eol to avoid double spacing issues; + - dtucker@cvs.openbsd.org 2005/03/14 10:09:03 + [ssh-keygen.1] + Correct description of -H (bz #997); ok markus@, punctuation jmc@ + - dtucker@cvs.openbsd.org 2005/03/14 11:44:42 + [auth.c] + Populate host for log message for logins denied by AllowUsers and + DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com) + - markus@cvs.openbsd.org 2005/03/14 11:46:56 + [buffer.c buffer.h channels.c] + limit input buffer size for channels; bugzilla #896; with and ok dtucker@ + - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed + with a rpm -F + +20050313 + - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the + localized name of the local administrators group more reliable. From + vinschen at redhat.com. + +20050312 + - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug + output ends up in the client's output, causing regress failures. Found + by Corinna Vinschen. + +20050309 + - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64 + so that regress tests behave. From Chris Adams. + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/03/07 23:41:54 + [ssh.1 ssh_config.5] + more macro simplification; + - djm@cvs.openbsd.org 2005/03/08 23:49:48 + [version.h] + OpenSSH 4.0 + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update spec file versions + - (djm) [log.c] Fix dumb syntax error; ok dtucker@ + - (djm) Release OpenSSH 4.0p1 + +20050307 + - (dtucker) [configure.ac] Disable gettext search when configuring with + BSM audit support for the time being. ok djm@ + - (dtucker) OpenBSD CVS Sync (regress/) + - fgsch@cvs.openbsd.org 2004/12/10 01:31:30 + [Makefile sftp-glob.sh] + some globbing regress; prompted and ok djm@ + - david@cvs.openbsd.org 2005/01/14 04:21:18 + [Makefile test-exec.sh] + pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@ + - dtucker@cvs.openbsd.org 2005/02/27 11:33:30 + [multiplex.sh test-exec.sh sshd-log-wrapper.sh] + Add optional capability to log output from regress commands; ok markus@ + Use with: make TEST_SSH_LOGFILE=/tmp/regress.log + - djm@cvs.openbsd.org 2005/02/27 23:13:36 + [login-timeout.sh] + avoid nameservice lookups in regress test; ok dtucker@ + - djm@cvs.openbsd.org 2005/03/04 08:48:46 + [Makefile envpass.sh] + regress test for SendEnv config parsing bug; ok dtucker@ + - (dtucker) [regress/test-exec.sh] Put SUDO in the right place. + - (tim) [configure.ac] SCO 3.2v4.2 no longer supported. + +20050306 + - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor + when attempting to audit disconnect events. Reported by Phil Dibowitz. + - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit + events earlier, prevents mm_request_send errors reported by Matt Goebel. + +20050305 + - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch + from vinschen at redhat.com + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/03/02 11:45:01 + [ssh.1] + missing word; + - djm@cvs.openbsd.org 2005/03/04 08:48:06 + [readconf.c] + fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@ + +20050302 + - (djm) OpenBSD CVS sync: + - jmc@cvs.openbsd.org 2005/03/01 14:47:58 + [ssh.1] + remove some unneccesary macros; + do not mark up punctuation; + - jmc@cvs.openbsd.org 2005/03/01 14:55:23 + [ssh_config.5] + do not mark up punctuation; + whitespace; + - jmc@cvs.openbsd.org 2005/03/01 14:59:49 + [sshd.8] + new sentence, new line; + whitespace; + - jmc@cvs.openbsd.org 2005/03/01 15:05:00 + [ssh-keygen.1] + whitespace; + - jmc@cvs.openbsd.org 2005/03/01 15:47:14 + [ssh-keyscan.1 ssh-keyscan.c] + sort options and sync usage(); + - jmc@cvs.openbsd.org 2005/03/01 17:19:35 + [scp.1 sftp.1] + add HashKnownHosts to -o list; + ok markus@ + - jmc@cvs.openbsd.org 2005/03/01 17:22:06 + [ssh.c] + sync usage() w/ man SYNOPSIS; + ok markus@ + - jmc@cvs.openbsd.org 2005/03/01 17:32:19 + [ssh-add.1] + sort options; + - jmc@cvs.openbsd.org 2005/03/01 18:15:56 + [ssh-keygen.1] + sort options (no attempt made at synopsis clean up though); + spelling (occurance -> occurrence); + use prompt before examples; + grammar; + - djm@cvs.openbsd.org 2005/03/02 01:00:06 + [sshconnect.c] + fix addition of new hashed hostnames when CheckHostIP=yes; + found and ok dtucker@ + - djm@cvs.openbsd.org 2005/03/02 01:27:41 + [ssh-keygen.c] + ignore hostnames with metachars when hashing; ok deraadt@ + - djm@cvs.openbsd.org 2005/03/02 02:21:07 + [ssh.1] + bz#987: mention ForwardX11Trusted in ssh.1, + reported by andrew.benham AT thus.net; ok deraadt@ + - (tim) [regress/agent-ptrace.sh] add another possible gdb error. + +20050301 + - (djm) OpenBSD CVS sync: + - otto@cvs.openbsd.org 2005/02/16 09:56:44 + [ssh.c] + Better diagnostic if an identity file is not accesible. ok markus@ djm@ + - djm@cvs.openbsd.org 2005/02/18 03:05:53 + [canohost.c] + better error messages for getnameinfo failures; ok dtucker@ + - djm@cvs.openbsd.org 2005/02/20 22:59:06 + [sftp.c] + turn on ssh batch mode when in sftp batch mode, patch from + jdmossh AT nand.net; + ok markus@ + - jmc@cvs.openbsd.org 2005/02/25 10:55:13 + [sshd.8] + add /etc/motd and $HOME/.hushlogin to FILES; + from michael knudsen; + - djm@cvs.openbsd.org 2005/02/28 00:54:10 + [ssh_config.5] + bz#849: document timeout on untrusted x11 forwarding sessions. Reported by + orion AT cora.nwra.com; ok markus@ + - djm@cvs.openbsd.org 2005/03/01 10:09:52 + [auth-options.c channels.c channels.h clientloop.c compat.c compat.h] + [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5] + [sshd_config.5] + bz#413: allow optional specification of bind address for port forwardings. + Patch originally by Dan Astorian, but worked on by several people + Adds GatewayPorts=clientspecified option on server to allow remote + forwards to bind to client-specified ports. + - djm@cvs.openbsd.org 2005/03/01 10:40:27 + [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5] + [sshconnect.c sshd.8] + add support for hashing host names and addresses added to known_hosts + files, to improve privacy of which hosts user have been visiting; ok + markus@ deraadt@ + - djm@cvs.openbsd.org 2005/03/01 10:41:28 + [ssh-keyscan.1 ssh-keyscan.c] + option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@ + - djm@cvs.openbsd.org 2005/03/01 10:42:49 + [ssh-keygen.1 ssh-keygen.c ssh_config.5] + add tools for managing known_hosts files with hashed hostnames, including + hashing existing files and deleting hosts by name; ok markus@ deraadt@ + +20050226 + - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c] + Remove two obsolete Cygwin #ifdefs. Patch from vinschen at redhat.com. + - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}] + Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any + more. Patch from vinschen at redhat.com. + - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the + binaries without the config files. Primarily useful for packaging. + Patch from phil at usc.edu. ok djm@ + +20050224 + - (djm) [configure.ac] in_addr_t test needs sys/types.h too + +20050222 + - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from + vinschen at redhat.com. + +20050220 + - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac + defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure + --with-audit=bsm to enable. Patch originally from Sun Microsystems, + parts by John R. Jackson. ok djm@ + - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes + unrelated platforms to be configured incorrectly. + +20050216 + - (djm) write seed to temporary file and atomically rename into place; + ok dtucker@ + - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called + via mkstemp in some configurations. ok djm@ + - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined + by the system headers. + - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant + Unix; prevents problems relating to the location of -lresolv in the + link order. + - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic + authentication early enough to be available to PAM session modules when + privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam + Hartman and similar to Debian's ssh-krb5 package. + - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more + compiler warnings on AIX. + +20050215 + - (dtucker) [config.sh.in] Collect oslevel -r too. + - (dtucker) [README.platform auth.c configure.ac loginrec.c + openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6 + on AIX where possible (see README.platform for details) and work around + a misfeature of AIX's getnameinfo. ok djm@ + - (dtucker) [loginrec.c] Add missing #include. + +20050211 + - (dtucker) [configure.ac] Tidy up configure --help output. + - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too. + +20050210 + - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the + --disable-etc-default-login configure option. + +20050209 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/01/28 09:45:53 + [ssh_config] + Make it clear that the example entries in ssh_config are only some of the + commonly-used options and refer the user to ssh_config(5) for more + details; ok djm@ + - jmc@cvs.openbsd.org 2005/01/28 15:05:43 + [ssh_config.5] + grammar; + - jmc@cvs.openbsd.org 2005/01/28 18:14:09 + [ssh_config.5] + wording; + ok markus@ + - dtucker@cvs.openbsd.org 2005/01/30 11:18:08 + [monitor.c] + Make code match intent; ok djm@ + - dtucker@cvs.openbsd.org 2005/02/08 22:24:57 + [sshd.c] + Provide reason in error message if getnameinfo fails; ok markus@ + - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call + disable_forwarding() from compat library. Prevent linker errrors trying + to resolve it for binaries other than sshd. ok djm@ + - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir + paths. ok djm@ + - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require + the username to be passed to the passwd command when changing expired + passwords. ok djm@ + +20050208 + - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the + regress tests so newer versions of GNU head(1) behave themselves. Patch + by djm, so ok me. + - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings. + - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c + monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit + defines and enums with SSH_ to prevent namespace collisions on some + platforms (eg AIX). + +20050204 + - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. + - (dtucker) [auth.c] Fix parens in audit log check. + +20050202 + - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath + rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@ + - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}] + Make record_failed_login() call provide hostname rather than having the + implementations having to do lookups themselves. Only affects AIX and + UNICOS (the latter only uses the "user" parameter anyway). ok djm@ + - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child + the process. Since we also unset KRB5CCNAME at startup, if it's set after + authentication it must have been set by the platform's native auth system. + This was already done for AIX; this enables it for the general case. + - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c] + Bug #974: Teach sshd to write failed login records to btmp for failed auth + attempts (currently only for password, kbdint and C/R, only on Linux and + HP-UX), based on code from login.c from util-linux. With ashok_kovai at + hotmail.com, ok djm@ + - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c + monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: + (first stage) Add audit instrumentation to sshd, currently disabled by + default. with suggestions from and ok djm@ + +20050201 + - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some + platforms syslog will revert to its default values. This may result in + messages from external libraries (eg libwrap) being sent to a different + facility. + - (dtucker) [sshd_config.5] Bug #701: remove warning about + keyboard-interactive since this is no longer the case. + +20050124 + - (dtucker) OpenBSD CVS Sync + - otto@cvs.openbsd.org 2005/01/21 08:32:02 + [auth-passwd.c sshd.c] + Warn in advance for password and account expiry; initialize loginmsg + buffer earlier and clear it after privsep fork. ok and help dtucker@ + markus@ + - dtucker@cvs.openbsd.org 2005/01/22 08:17:59 + [auth.c] + Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and + DenyGroups. bz #909, ok djm@ + - djm@cvs.openbsd.org 2005/01/23 10:18:12 + [cipher.c] + config option "Ciphers" should be case-sensitive; ok dtucker@ + - dtucker@cvs.openbsd.org 2005/01/24 10:22:06 + [scp.c sftp.c] + Have scp and sftp wait for the spawned ssh to exit before they exit + themselves. This prevents ssh from being unable to restore terminal + modes (not normally a problem on OpenBSD but common with -Portable + on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950); + ok djm@ markus@ + - dtucker@cvs.openbsd.org 2005/01/24 10:29:06 + [moduli] + Import new moduli; requested by deraadt@ a week ago + - dtucker@cvs.openbsd.org 2005/01/24 11:47:13 + [auth-passwd.c] + #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@ + +20050120 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/12/23 17:35:48 + [session.c] + check for NULL; from mpech + - markus@cvs.openbsd.org 2004/12/23 17:38:07 + [ssh-keygen.c] + leak; from mpech + - djm@cvs.openbsd.org 2004/12/23 23:11:00 + [servconf.c servconf.h sshd.c sshd_config sshd_config.5] + bz #898: support AddressFamily in sshd_config. from + peak@argo.troja.mff.cuni.cz; ok deraadt@ + - markus@cvs.openbsd.org 2005/01/05 08:51:32 + [sshconnect.c] + remove dead code, log connect() failures with level error, ok djm@ + - jmc@cvs.openbsd.org 2005/01/08 00:41:19 + [sshd_config.5] + `login'(n) -> `log in'(v); + - dtucker@cvs.openbsd.org 2005/01/17 03:25:46 + [moduli.c] + Correct spelling: SCHNOOR->SCHNORR; ok djm@ + - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 + [sshd.c] + Make debugging output continue after reexec; ok djm@ + - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 + [auth-bsdauth.c auth2-chall.c] + Have keyboard-interactive code call the drivers even for responses for + invalid logins. This allows the drivers themselves to decide how to + handle them and prevent leaking information where possible. Existing + behaviour for bsdauth is maintained by checking authctxt->valid in the + bsdauth driver. Note that any third-party kbdint drivers will now need + to be able to handle responses for invalid logins. ok markus@ + - djm@cvs.openbsd.org 2004/12/22 02:13:19 + [cipher-ctr.c cipher.c] + remove fallback AES support for old OpenSSL, as OpenBSD has had it for + many years now; ok deraadt@ + (Id sync only: Portable will continue to support older OpenSSLs) + - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user + existence via keyboard-interactive/pam, in conjunction with previous + auth2-chall.c change; with Colin Watson and djm. + - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128 + bytes to prevent errors from login_init_entry() when the username is + exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@ + - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from + the list of available kbdint devices if UsePAM=no. ok djm@ + +20050118 + - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement + "make survey" and "make send-survey". This will provide data on the + configure parameters, platform and platform features to the development + team, which will allow (among other things) better targetting of testing. + It's entirely voluntary and is off be default. ok djm@ + - (dtucker) [survey.sh.in] Remove any blank lines from the output of + ccver-v and ccver-V. + +20041220 + - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading + from prngd is enabled at compile time but fails at run time, eg because + prngd is not running. Note that if you have prngd running when OpenSSH is + built, OpenSSL will consider itself internally seeded and rand-helper won't + be built at all unless explicitly enabled via --with-rand-helper. ok djm@ + - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since + on some wacky platforms (eg old AIXes), dd will refuse to create an output + file if it doesn't exist. + +20041213 + - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from + amarendra.godbole at ge com. + +20041211 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/12/06 16:00:43 + [bufaux.c] + use 0x00 not \0 since buf[] is a bignum + - fgsch@cvs.openbsd.org 2004/12/10 03:10:42 + [sftp.c] + - fix globbed ls for paths the same lenght as the globbed path when + we have a unique matching. + - fix globbed ls in case of a directory when we have a unique matching. + - as a side effect, if the path does not exist error (used to silently + ignore). + - don't do extra do_lstat() if we only have one matching file. + djm@ ok + - dtucker@cvs.openbsd.org 2004/12/11 01:48:56 + [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h] + Fix debug call in error path of authorized_keys processing and fix related + warnings; ok djm@ + +20041208 + - (tim) [configure.ac] Comment some non obvious platforms in the + target-specific case statement. Suggested and OK by dtucker@ + +20041207 + - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test. + +20041206 + - (dtucker) [TODO WARNING.RNG] Update to reflect current reality. ok djm@ + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/11/25 22:22:14 + [sftp-client.c sftp.c] + leak; from mpech + - jmc@cvs.openbsd.org 2004/11/29 00:05:17 + [sftp.1] + missing full stop; + - djm@cvs.openbsd.org 2004/11/29 07:41:24 + [sftp-client.h sftp.c] + Some small fixes from moritz@jodeit.org. ok deraadt@ + - jaredy@cvs.openbsd.org 2004/12/05 23:55:07 + [sftp.1] + - explain that patterns can be used as arguments in get/put/ls/etc + commands (prodded by Michael Knudsen) + - describe ls flags as a list + - other minor improvements + ok jmc, djm + - dtucker@cvs.openbsd.org 2004/12/06 11:41:03 + [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8] + Discard over-length authorized_keys entries rather than complaining when + they don't decode. bz #884, with & ok djm@ + - (dtucker) OpenBSD CVS Sync (regress/) + - djm@cvs.openbsd.org 2004/06/26 06:16:07 + [reexec.sh] + don't change the name of the copied sshd for the reexec fallback test, + makes life simpler for portable + - dtucker@cvs.openbsd.org 2004/07/08 12:59:35 + [scp.sh] + Regress test for bz #863 (scp double-error), requires $SUDO. ok markus@ + - david@cvs.openbsd.org 2004/07/09 19:45:43 + [Makefile] + add a missing CLEANFILES used in the re-exec test + - djm@cvs.openbsd.org 2004/10/08 02:01:50 + [reexec.sh] + shrink and tidy; ok dtucker@ + - djm@cvs.openbsd.org 2004/10/29 23:59:22 + [Makefile added brokenkeys.sh] + regression test for handling of corrupt keys in authorized_keys file + - djm@cvs.openbsd.org 2004/11/07 00:32:41 + [multiplex.sh] + regression tests for new multiplex commands + - dtucker@cvs.openbsd.org 2004/11/25 09:39:27 + [test-exec.sh] + Remove obsolete RhostsAuthentication from test config; ok markus@ + - dtucker@cvs.openbsd.org 2004/12/06 10:49:56 + [test-exec.sh] + Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@ + +20041203 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2004/11/07 17:42:36 + [ssh.1] + options sort, and whitespace; + - jmc@cvs.openbsd.org 2004/11/07 17:57:30 + [ssh.c] + usage(): + - add -O + - sync -S w/ manpage + - remove -h + - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is + subsequently denied by the PAM auth stack, send the PAM message to the + user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). + ok djm@ + +20041107 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/11/05 12:19:56 + [sftp.c] + command editing and history support via libedit; ok markus@ + thanks to hshoexer@ and many testers on tech@ too + - djm@cvs.openbsd.org 2004/11/07 00:01:46 + [clientloop.c clientloop.h ssh.1 ssh.c] + add basic control of a running multiplex master connection; including the + ability to check its status and request it to exit; ok markus@ + - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure + option and supporting makefile bits and documentation. + +20041105 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/08/30 09:18:08 + [LICENCE] + s/keygen/keyscan/ + - jmc@cvs.openbsd.org 2004/08/30 21:22:49 + [ssh-add.1 ssh.1] + .Xsession -> .xsession; + originally from a pr from f at obiit dot org, but missed by myself; + ok markus@ matthieu@ + - djm@cvs.openbsd.org 2004/09/07 23:41:30 + [clientloop.c ssh.c] + cleanup multiplex control socket on SIGHUP too, spotted by sturm@ + ok markus@ deraadt@ + - deraadt@cvs.openbsd.org 2004/09/15 00:46:01 + [ssh.c] + /* fallthrough */ is something a programmer understands. But + /* FALLTHROUGH */ is also understood by lint, so that is better. + - jaredy@cvs.openbsd.org 2004/09/15 03:25:41 + [sshd_config.5] + mention PrintLastLog only prints last login time for interactive + sessions, like PrintMotd mentions. + From Michael Knudsen, with wording changed slightly to match the + PrintMotd description. + ok djm + - mickey@cvs.openbsd.org 2004/09/15 18:42:27 + [sshd.c] + use less doubles in daemons; markus@ ok + - deraadt@cvs.openbsd.org 2004/09/15 18:46:04 + [scp.c] + scratch that do { } while (0) wrapper in this case + - djm@cvs.openbsd.org 2004/09/23 13:00:04 + [ssh.c] + correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@ + - djm@cvs.openbsd.org 2004/09/25 03:45:14 + [sshd.c] + these printf args are no longer double; ok deraadt@ markus@ + - djm@cvs.openbsd.org 2004/10/07 10:10:24 + [scp.1 sftp.1 ssh.1 ssh_config.5] + document KbdInteractiveDevices; ok markus@ + - djm@cvs.openbsd.org 2004/10/07 10:12:36 + [ssh-agent.c] + don't unlink agent socket when bind() fails, spotted by rich AT + rich-paul.net, ok markus@ + - markus@cvs.openbsd.org 2004/10/20 11:48:53 + [packet.c ssh1.h] + disconnect for invalid (out of range) message types. + - djm@cvs.openbsd.org 2004/10/29 21:47:15 + [channels.c channels.h clientloop.c] + fix some window size change bugs for multiplexed connections: windows sizes + were not being updated if they had changed after ~^Z suspends and SIGWINCH + was not being processed unless the first connection had requested a tty; + ok markus + - djm@cvs.openbsd.org 2004/10/29 22:53:56 + [clientloop.c misc.h readpass.c ssh-agent.c] + factor out common permission-asking code to separate function; ok markus@ + - djm@cvs.openbsd.org 2004/10/29 23:56:17 + [bufaux.c bufaux.h buffer.c buffer.h] + introduce a new buffer API that returns an error rather than fatal()ing + when presented with bad data; ok markus@ + - djm@cvs.openbsd.org 2004/10/29 23:57:05 + [key.c] + use new buffer API to avoid fatal errors on corrupt keys in authorized_keys + files; ok markus@ + +20041102 + - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX + 10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__ + only if a conflict is detected. + +20041019 + - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or + on Cygwin. Cygwin parts from vinschen at redhat com; ok djm@ + +20041016 + - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations; + ok dtucker@ + +20041006 + - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode + and other PAM platforms. + - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants + to void * to appease picky compilers (eg Tru64's "cc -std1"). + +20040930 + - (dtucker) [configure.ac] Set AC_PACKAGE_NAME. ok djm@ + +20040923 + - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one, + which could have caused the justification to be wrong. ok djm@ + +20040921 + - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too. + ok djm@ + - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin + install process. Patch from vinschen at redhat.com. + +20040912 + - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file. + No change in resultant binary + - (djm) [loginrec.c] __func__ifiy + - (djm) [loginrec.c] xmalloc + - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol + banner. Suggested by deraadt@, ok mouring@, dtucker@ + - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile. + Partly by & ok djm@. + +20040911 + - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@ + - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from + failing PAM session modules to user then exit, similar to the way + /etc/nologin is handled. ok djm@ + - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. + - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] + Make cygwin code more consistent with that which surrounds it + - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] + Bug #892: Send messages from failing PAM account modules to the client via + SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with + SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ + - (dtucker) [session.c] Bug #927: make .hushlogin silent again. ok djm@ + - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure. + Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me. ok djm@ + - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM. From deengert + at anl.gov, ok djm@ + +20040830 + - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only + copy required environment variables on Cygwin. Patch from vinschen at + redhat.com, ok djm@ + - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too. Patch from + vinschen at redhat.com. + - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability + of shell constructs. Patch from cjwatson at debian.org. + +20040829 + - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from + failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL. + From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@ + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/08/23 11:48:09 + [authfile.c] + fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus + - djm@cvs.openbsd.org 2004/08/23 11:48:47 + [channels.c] + typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus + - dtucker@cvs.openbsd.org 2004/08/23 14:26:38 + [ssh-keysign.c ssh.c] + Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches + change in Portable; ok markus@ (CVS ID sync only) + - dtucker@cvs.openbsd.org 2004/08/23 14:29:23 + [ssh-keysign.c] + Remove duplicate getuid(), suggested by & ok markus@ + - markus@cvs.openbsd.org 2004/08/26 16:00:55 + [ssh.1 sshd.8] + get rid of references to rhosts authentication; with jmc@ + - djm@cvs.openbsd.org 2004/08/28 01:01:48 + [sshd.c] + don't erroneously close stdin for !reexec case, from Dave Johnson; + ok markus@ + - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check, + fixes configure warning on Solaris reported by wknox at mitre.org. + - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not + support FD passing since multiplex requires it. Noted by tim@ + - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn + down, needed on some platforms, should be harmless on others. Patch from + jason at devrandom.org. + - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like + files ending in .exe that aren't binaries; patch from vinschen at redhat.com. + - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree + builds too, from vinschen at redhat.com. + - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64 + too; patch from cmadams at hiwaay.net. + - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo. + - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for + accounts with authentication configs that sshd can't support (ie + SYSTEM=NONE and AUTH1=something). + +20040828 + - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from + vinschen at redhat.com. + +20040823 + - (djm) [ssh-rand-helper.c] Typo. Found by + Martin.Kraemer AT Fujitsu-Siemens.com + - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by + Martin.Kraemer AT Fujitsu-Siemens.com + +20040817 + - (dtucker) [regress/README.regress] Note compatibility issues with GNU head. + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/08/16 08:17:01 + [version.h] + 3.9 + - (djm) Crank RPM spec version numbers + - (djm) Release 3.9p1 + +20040816 + - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root + to convince Solaris PAM to honour password complexity rules. ok djm@ + +20040815 + - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since + it does the right thing on all platforms. ok djm@ + - (djm) [acconfig.h configure.ac openbsd-compat/Makefile.in + openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-misc.c + openbsd-compat/bsd-misc.h openbsd-compat/openbsd-compat.h] Use smarter + closefrom() replacement from sudo; ok dtucker@ + - (djm) [loginrec.c] Check that seek succeeded here too; ok dtucker + - (dtucker) [Makefile.in] Fix typo. + +20040814 + - (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c] + Explicitly set umask for mkstemp; ok djm@ + - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise + prot.h and shadow.h provide conflicting declarations of getspnam. ok djm@ + - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Plug AIX login recording into login_write so logins will be recorded for + all auth types. + +20040813 + - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at + redhat.com +- (dtucker) OpenBSD CVS Sync + - avsm@cvs.openbsd.org 2004/08/11 21:43:05 + [channels.c channels.h clientloop.c misc.c misc.h serverloop.c ssh-agent.c] + some signed/unsigned int comparison cleanups; markus@ ok + - avsm@cvs.openbsd.org 2004/08/11 21:44:32 + [authfd.c scp.c ssh-keyscan.c] + use atomicio instead of homegrown equivalents or read/write. + markus@ ok + - djm@cvs.openbsd.org 2004/08/12 09:18:24 + [sshlogin.c] + typo in error message, spotted by moritz AT jodeit.org (Id sync only) + - jakob@cvs.openbsd.org 2004/08/12 21:41:13 + [ssh-keygen.1 ssh.1] + improve SSHFP documentation; ok deraadt@ + - jmc@cvs.openbsd.org 2004/08/13 00:01:43 + [ssh-keygen.1] + kill whitespace at eol; + - djm@cvs.openbsd.org 2004/08/13 02:51:48 + [monitor_fdpass.c] + extra check for no message case; ok markus, deraadt, hshoexer, henning + - dtucker@cvs.openbsd.org 2004/08/13 11:09:24 + [servconf.c] + Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr + ok markus@, djm@ + +20040812 + - (dtucker) [sshd.c] Remove duplicate variable imported during sync. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/07/28 08:56:22 + [sshd.c] + call setsid() _before_ re-exec + - markus@cvs.openbsd.org 2004/07/28 09:40:29 + [auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c + sshconnect1.c] + more s/illegal/invalid/ + - djm@cvs.openbsd.org 2004/08/04 10:37:52 + [dh.c] + return group14 when no primes found - fixes hang on empty /etc/moduli; + ok markus@ + - dtucker@cvs.openbsd.org 2004/08/11 11:09:54 + [servconf.c] + Fix minor leak; "looks right" deraadt@ + - dtucker@cvs.openbsd.org 2004/08/11 11:50:09 + [sshd.c] + Don't try to close startup_pipe if it's not open; ok djm@ + - djm@cvs.openbsd.org 2004/08/11 11:59:22 + [sshlogin.c] + check that lseek went were we told it to; ok markus@ + (Id sync only, but similar changes are needed in loginrec.c) + - djm@cvs.openbsd.org 2004/08/11 12:01:16 + [sshlogin.c] + make store_lastlog_message() static to appease -Wall; ok markus + - (dtucker) [sshd.c] Clear loginmsg in postauth monitor, prevents doubling + messages generated before the postauth privsep split. + +20040720 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/07/21 08:56:12 + [auth.c] + s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, + miod, ... + - djm@cvs.openbsd.org 2004/07/21 10:33:31 + [auth1.c auth2.c] + bz#899: Don't display invalid usernames in setproctitle + from peak AT argo.troja.mff.cuni.cz; ok markus@ + - djm@cvs.openbsd.org 2004/07/21 10:36:23 + [gss-serv-krb5.c] + fix function declaration + - djm@cvs.openbsd.org 2004/07/21 11:51:29 + [canohost.c] + bz#902: cache remote port so we don't fatal() in auth_log when remote + connection goes away quickly. from peak AT argo.troja.mff.cuni.cz; + ok markus@ + - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid + usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; + +20040720 + - (djm) [log.c] bz #111: Escape more control characters when sending data + to syslog; from peak AT argo.troja.mff.cuni.cz + - (djm) [contrib/redhat/sshd.pam] bz #903: Remove redundant entries; from + peak AT argo.troja.mff.cuni.cz + - (djm) [regress/README.regress] Remove caveat regarding TCP wrappers, now + that sshd is fixed to behave better; suggested by tim + +20040719 + - (djm) [openbsd-compat/bsd-arc4random.c] Discard early keystream, like OpenBSD + ok dtucker@ + - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function, + instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@ + - (tim) [configure.ac] updwtmpx() on OpenServer seems to add duplicate entry. + Report by rac AT tenzing.org + +20040717 + - (dtucker) [logintest.c scp.c sftp-server.c sftp.c ssh-add.c ssh-agent.c + ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c ssh.c sshd.c + openbsd-compat/bsd-misc.c] Move "char *__progname" to bsd-misc.c. Reduces + diff vs OpenBSD; ok mouring@, tested by tim@ too. + - (dtucker) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2004/07/11 17:48:47 + [channels.c cipher.c clientloop.c clientloop.h compat.h moduli.c + readconf.c nchan.c pathnames.h progressmeter.c readconf.h servconf.c + session.c sftp-client.c sftp.c ssh-agent.1 ssh-keygen.c ssh.c ssh1.h + sshd.c ttymodes.h] + spaces + - brad@cvs.openbsd.org 2004/07/12 23:34:25 + [ssh-keyscan.1] + Fix incorrect macro, .I -> .Em + From: Eric S. Raymond + ok jmc@ + - dtucker@cvs.openbsd.org 2004/07/17 05:31:41 + [monitor.c monitor_wrap.c session.c session.h sshd.c sshlogin.c] + Move "Last logged in at.." message generation to the monitor, right + before recording the new login. Fixes missing lastlog message when + /var/log/lastlog is not world-readable and incorrect datestamp when + multiple sessions are used (bz #463); much assistance & ok markus@ + +20040711 + - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows + the monitor to properly clean up the PAM thread (Debian bug #252676). + +20040709 + - (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from + vinschen AT redhat.com + +20040708 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2004/07/03 05:11:33 + [sshlogin.c] (RCSID sync only, the corresponding code is not in Portable) + Use '\0' not 0 for string; ok djm@, deraadt@ + - dtucker@cvs.openbsd.org 2004/07/03 11:02:25 + [monitor_wrap.c] + Put s/key functions inside #ifdef SKEY same as monitor.c, + from des@freebsd via bz #330, ok markus@ + - dtucker@cvs.openbsd.org 2004/07/08 12:47:21 + [scp.c] + Prevent scp from skipping the file following a double-error. + bz #863, ok markus@ + +20040702 + - (dtucker) [mdoc2man.awk] Teach it to ignore .Bk -words, reported by + strube at physik3.gwdg.de a long time ago. + +20040701 + - (dtucker) [session.c] Call display_loginmsg again after do_pam_session. + Ensures messages from PAM modules are displayed when privsep=no. + - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes + warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@ + - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK + to pam_authenticate for challenge-response auth too. Originally from + fcusack at fcusack.com, ok djm@ + - (tim) [buildpkg.sh.in] Add $REV to bump the package revision within + the same version. Handle the case where someone uses --with-privsep-user= + and the user name does not match the group name. ok dtucker@ + +20040630 + - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL + appdata_ptr to the conversation function. ok djm@ + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2004/06/26 09:03:21 + [ssh.1] + - remove double word + - rearrange .Bk to keep SYNOPSIS nice + - -M before -m in options description + - jmc@cvs.openbsd.org 2004/06/26 09:11:14 + [ssh_config.5] + punctuation and grammar fixes. also, keep the options in order. + - jmc@cvs.openbsd.org 2004/06/26 09:14:40 + [sshd_config.5] + new sentence, new line; + - avsm@cvs.openbsd.org 2004/06/26 20:07:16 + [sshd.c] + initialise some fd variables to -1, djm@ ok + - djm@cvs.openbsd.org 2004/06/30 08:36:59 + [session.c] + unbreak TTY break, diagnosed by darren AT dazwin.com; ok markus@ + +20040627 + - (tim) update README files. + - (dtucker) [mdoc2man.awk] Bug #883: correctly recognise .Pa and .Ev macros. + - (dtucker) [regress/README.regress] Document new variables. + - (dtucker) [acconfig.h configure.ac sftp-server.c] Bug #823: add sftp + rename handling for Linux which returns EPERM for link() on (at least some) + filesystems that do not support hard links. sftp-server will fall back to + stat+rename() in such cases. + - (dtucker) [openbsd-compat/port-aix.c] Missing __func__. + +20040626 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/06/25 18:43:36 + [sshd.c] + fix broken fd handling in the re-exec fallback path, particularly when + /dev/crypto is in use; ok deraadt@ markus@ + - djm@cvs.openbsd.org 2004/06/25 23:21:38 + [sftp.c] + bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de + +20040625 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/06/24 19:30:54 + [servconf.c servconf.h sshd.c] + re-exec sshd on accept(); initial work, final debugging and ok markus@ + - djm@cvs.openbsd.org 2004/06/25 01:16:09 + [sshd.c] + only perform tcp wrappers checks when the incoming connection is on a + socket. silences useless warnings from regress tests that use + proxycommand="sshd -i". prompted by david@ ok markus@ + - djm@cvs.openbsd.org 2004/06/24 19:32:00 + [regress/Makefile regress/test-exec.sh, added regress/reexec.sh] + regress test for re-exec corner cases + - djm@cvs.openbsd.org 2004/06/25 01:25:12 + [regress/test-exec.sh] + clean reexec-specific junk out of text-exec.sh and simplify; idea markus@ + - dtucker@cvs.openbsd.org 2004/06/25 05:38:48 + [sftp-server.c] + Fall back to stat+rename if filesystem doesn't doesn't support hard + links. bz#823, ok djm@ + - (dtucker) [configure.ac openbsd-compat/misc.c [openbsd-compat/misc.h] + Add closefrom() for platforms that don't have it. + - (dtucker) [sshd.c] add line missing from reexec sync. + +20040623 + - (dtucker) [auth1.c] Ensure do_pam_account is called for Protocol 1 + connections with empty passwords. Patch from davidwu at nbttech.com, + ok djm@ + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2004/06/22 22:42:02 + [regress/envpass.sh] + Add quoting for test -z; ok markus@ + - dtucker@cvs.openbsd.org 2004/06/22 22:45:52 + [regress/test-exec.sh] + Add TEST_SSH_SSHD_CONFOPTS and TEST_SSH_SSH_CONFOPTS to allow adding + arbitary options to sshd_config and ssh_config during tests. ok markus@ + - dtucker@cvs.openbsd.org 2004/06/22 22:55:56 + [regress/dynamic-forward.sh regress/test-exec.sh] + Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@ + - mouring@cvs.openbsd.org 2004/06/23 00:39:38 + [rijndael.c] + -Wshadow fix up s/encrypt/do_encrypt/. OK djm@, markus@ + - dtucker@cvs.openbsd.org 2004/06/23 14:31:01 + [ssh.c] + Fix counting in master/slave when passing environment variables; ok djm@ + - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match + -Wshadow change. + - (bal) [Makefile.in] Remove opensshd.init on 'make distclean' + - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Move loginrestrictions test to port-aix.c, replace with a generic hook. + - (tim) [regress/try-ciphers.sh] "if ! some_command" is not portable. + - (bal) [contrib/README] Removed "mdoc2man.pl" reference and added + reference to "findssl.sh" + +20040622 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/06/20 17:36:59 + [ssh.c] + filter passed env vars at slave in connection sharing case; ok markus@ + - djm@cvs.openbsd.org 2004/06/20 18:53:39 + [sftp.c] + make "ls -l" listings print user/group names, add "ls -n" to show uid/gid + (like /bin/ls); idea & ok markus@ + - djm@cvs.openbsd.org 2004/06/20 19:28:12 + [sftp.1] + mention new -n flag + - avsm@cvs.openbsd.org 2004/06/21 17:36:31 + [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c + cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c + monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c + ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c + sshpty.c] + make ssh -Wshadow clean, no functional changes + markus@ ok + - djm@cvs.openbsd.org 2004/06/21 17:53:03 + [session.c] + fix fd leak for multiple subsystem connections; with markus@ + - djm@cvs.openbsd.org 2004/06/21 22:02:58 + [log.h] + mark fatal and cleanup exit as __dead; ok markus@ + - djm@cvs.openbsd.org 2004/06/21 22:04:50 + [sftp.c] + introduce sorting for ls, same options as /bin/ls; ok markus@ + - djm@cvs.openbsd.org 2004/06/21 22:30:45 + [sftp.c] + prefix ls option flags with LS_ + - djm@cvs.openbsd.org 2004/06/21 22:41:31 + [sftp.1] + document sort options + - djm@cvs.openbsd.org 2004/06/22 01:16:39 + [sftp.c] + don't show .files by default in ls, add -a option to turn them back on; + ok markus + - markus@cvs.openbsd.org 2004/06/22 03:12:13 + [regress/envpass.sh regress/multiplex.sh] + more portable env passing tests + - dtucker@cvs.openbsd.org 2004/06/22 05:05:45 + [monitor.c monitor_wrap.c] + Change login->username, will prevent -Wshadow errors in Portable; + ok markus@ + - (dtucker) [monitor.c] Fix Portable-specific -Wshadow warnings on "socket". + - (dtucker) [defines.h] Define __dead if not already defined. + - (bal) [auth-passwd.c auth1.c] Clean up unused variables. + +20040620 + - (tim) [configure.ac Makefile.in] Only change TEST_SHELL on broken platforms. + +20040619 + - (dtucker) [auth-pam.c] Don't use PAM namespace for + pam_password_change_required either. + - (tim) [configure.ac buildpkg.sh.in contrib/solaris/README] move opensshd + init script to top level directory. Add opensshd.init.in. + Remove contrib/solaris/buildpkg.sh, contrib/solaris/opensshd.in + +20040618 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/06/17 14:52:48 + [clientloop.c clientloop.h ssh.c] + support environment passing over shared connections; ok markus@ + - djm@cvs.openbsd.org 2004/06/17 15:10:14 + [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5] + Add option for confirmation (ControlMaster=ask) via ssh-askpass before + opening shared connections; ok markus@ + - djm@cvs.openbsd.org 2004/06/17 14:53:27 + [regress/multiplex.sh] + shared connection env passing regress test + - (dtucker) [regress/README.regress] Add detail on how to run a single + test from the top-level Makefile. + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/06/17 23:56:57 + [ssh.1 ssh.c] + sync usage() and SYNPOSIS with connection sharing changes + - dtucker@cvs.openbsd.org 2004/06/18 06:13:25 + [sftp.c] + Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@ + - dtucker@cvs.openbsd.org 2004/06/18 06:15:51 + [multiplex.sh] + Use -S for scp/sftp to force the use of the ssh being tested. + ok djm@,markus@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/06/18 10:40:19 + [ssh.c] + delay signal handler setup until we have finished talking to the master. + allow interrupting of setup (e.g. if master is stuck); ok markus@ + - markus@cvs.openbsd.org 2004/06/18 10:55:43 + [ssh.1 ssh.c] + trim synopsis for -S, allow -S and -oControlMaster, -MM means 'ask'; + ok djm + - djm@cvs.openbsd.org 2004/06/18 11:11:54 + [channels.c clientloop.c] + Don't explode in clientloop when we receive a bogus channel id, but + also don't generate them to begin with; ok markus@ + +20040617 + - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some + platforms), so test if diff understands it. Pointed out by tim@, ok djm@ + - (dtucker) OpenBSD CVS Sync regress/ + - dtucker@cvs.openbsd.org 2004/06/17 05:51:59 + [regress/multiplex.sh] + Remove datafile between and after tests, kill sshd rather than wait; + ok djm@ + - dtucker@cvs.openbsd.org 2004/06/17 06:00:05 + [regress/multiplex.sh] + Use DATA and COPY for test data rather than hard-coded paths; ok djm@ + - dtucker@cvs.openbsd.org 2004/06/17 06:19:06 + [regress/multiplex.sh] + Add small description of failing test to failure message; ok djm@ + - (dtucker) [regress/multiplex.sh] add EXEEXT for those platforms that need + it. + - (dtucker) [regress/multiplex.sh] Increase sleep time to 120 sec (60 is not + enough for slow systems, especially if they don't have a kernel RNG). + +20040616 + - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No + code changes. + - (dtucker) OpenBSD CVS Sync regress/ + - djm@cvs.openbsd.org 2004/04/27 09:47:30 + [regress/Makefile regress/test-exec.sh, added regress/envpass.sh] + regress test for environment passing, SendEnv & AcceptEnv options; + ok markus@ + - dtucker@cvs.openbsd.org 2004/06/13 13:51:02 + [regress/Makefile regress/test-exec.sh, added regress/scp-ssh-wrapper.sh + regress/scp.sh] + Add scp regression test; with & ok markus@ + - djm@cvs.openbsd.org 2004/06/13 15:04:08 + [regress/Makefile regress/test-exec.sh, added regress/envpass.sh] + regress test for client multiplexing; ok markus@ + - djm@cvs.openbsd.org 2004/06/13 15:16:54 + [regress/test-exec.sh] + remove duplicate setting of $SCP; spotted by markus@ + - dtucker@cvs.openbsd.org 2004/06/16 13:15:09 + [regress/scp.sh] + Make scp -r tests use diff -rN not cmp (which won't do dirs. ok markus@ + - dtucker@cvs.openbsd.org 2004/06/16 13:16:40 + [regress/multiplex.sh] + Silence multiplex sftp and scp tests. ok markus@ + - (dtucker) [regress/test-exec.sh] + Move Portable-only StrictModes to top of list to make syncs easier. + - (dtucker) [regress/README.regress] + Add $TEST_SHELL to readme. + +20040615 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/05/26 08:59:57 + [sftp.c] + exit -> _exit in forked child on error; from andrushock AT korovino.net + - markus@cvs.openbsd.org 2004/05/26 23:02:39 + [channels.c] + missing freeaddrinfo; Andrey Matveev + - dtucker@cvs.openbsd.org 2004/05/27 00:50:13 + [readconf.c] + Kill dead code after fatal(); ok djm@ + - dtucker@cvs.openbsd.org 2004/06/01 14:20:45 + [auth2-chall.c] + Remove redundant #include; ok markus@ + - pedro@cvs.openbsd.org 2004/06/03 12:22:20 + [sftp-client.c sftp.c] + initialize pointers, ok markus@ + - djm@cvs.openbsd.org 2004/06/13 12:53:24 + [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h] + [ssh-keyscan.c sshconnect2.c sshd.c] + implement diffie-hellman-group14-sha1 kex method (trivial extension to + existing diffie-hellman-group1-sha1); ok markus@ + - dtucker@cvs.openbsd.org 2004/06/13 14:01:42 + [ssh.1 ssh_config.5 sshd_config.5] + List supported ciphers in man pages, tidy up ssh -c; + "looks fine" jmc@, ok markus@ + - djm@cvs.openbsd.org 2004/06/13 15:03:02 + [channels.c channels.h clientloop.c clientloop.h includes.h readconf.c] + [readconf.h scp.1 sftp.1 ssh.1 ssh.c ssh_config.5] + implement session multiplexing in the client (the server has supported + this since 2.0); ok markus@ + - djm@cvs.openbsd.org 2004/06/14 01:44:39 + [channels.c clientloop.c misc.c misc.h packet.c ssh-agent.c ssh-keyscan.c] + [sshd.c] + set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@ + - djm@cvs.openbsd.org 2004/06/15 05:45:04 + [clientloop.c] + missed one unset_nonblock; spotted by Tim Rice + - (djm) Fix Makefile.in for connection sharing changes + - (djm) [ssh.c] Use separate var for address length + +20040603 + - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions. + ok djm@ + +20040601 + - (djm) [auth-pam.c] Add copyright for local changes + +20040530 + - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM + support for PasswordAuthentication=yes. ok djm@ + - (dtucker) [auth-pam.c] Use an invalid password for root if + PermitRootLogin != yes or the login is invalid, to prevent leaking + information. Based on Openwall's owl-always-auth patch. ok djm@ + - (tim) [configure.ac Makefile.in] Add support for "make package" ok djm@ + - (tim) [buildpkg.sh.in] New file. A more flexible version of + contrib/solaris/buildpkg.sh used for "make package". + - (tim) [buildpkg.sh.in] Last minute fix didn't make it in the .in file. + +20040527 + - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec + contrib/README CREDITS INSTALL] Bug #873: Correct URLs for x11-ssh-askpass + and Jim Knoble's email address , from Jim himself. + +20040524 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/05/19 12:17:33 + [sftp-client.c sftp.c] + gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while + waiting for a command; ok markus@ + - dtucker@cvs.openbsd.org 2004/05/20 10:58:05 + [clientloop.c] + Trivial type fix 0 -> '\0'; ok markus@ + - markus@cvs.openbsd.org 2004/05/21 08:43:03 + [kex.h moduli.c tildexpand.c] + add prototypes for -Wall; ok djm + - djm@cvs.openbsd.org 2004/05/21 11:33:11 + [channels.c channels.h clientloop.c serverloop.c ssh.1] + bz #756: add support for the cancel-tcpip-forward request for the server + and the client (through the ~C commandline). reported by z3p AT + twistedmatrix.com; ok markus@ + - djm@cvs.openbsd.org 2004/05/22 06:32:12 + [clientloop.c ssh.1] + use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@ + - jmc@cvs.openbsd.org 2004/05/22 16:01:05 + [ssh.1] + kill whitespace at eol; + - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 + [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config + sshd_config.5] + Add MaxAuthTries sshd config option; ok markus@ + - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread" + is terminated if the privsep slave exits during keyboard-interactive + authentication. ok djm@ + - (dtucker) [sshd.c] Fix typo in comment. + +20040523 + - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in + sshd_config; ok dtucker@ + - (djm) [configure.ac] Warn if the system has no known way of figuring out + which user is on the other end of a Unix domain socket; ok dtucker@ + - (bal) [openbsd-compat/sys-queue.h] Reintroduce machinary to handle + old/broken/incomplete . + +20040513 + - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in + libresolv, fixes problems detecting it on some platforms + (eg Linux/x86-64). From Kurt Roeckx via Debian, ok mouring@ + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2004/05/04 18:36:07 + [scp.1] + SendEnv here too; + - jmc@cvs.openbsd.org 2004/05/06 11:24:23 + [ssh_config.5] + typo from John Cosimano (PR 3770); + - deraadt@cvs.openbsd.org 2004/05/08 00:01:37 + [auth.c clientloop.c misc.h servconf.c ssh.c sshpty.h sshtty.c + tildexpand.c], removed: sshtty.h tildexpand.h + make two tiny header files go away; djm ok + - djm@cvs.openbsd.org 2004/05/08 00:21:31 + [clientloop.c misc.h readpass.c scard.c ssh-add.c ssh-agent.c ssh-keygen.c + sshconnect.c sshconnect1.c sshconnect2.c] removed: readpass.h + kill a tiny header; ok deraadt@ + - djm@cvs.openbsd.org 2004/05/09 00:06:47 + [moduli.c ssh-keygen.c] removed: moduli.h + zap another tiny header; ok deraadt@ + - djm@cvs.openbsd.org 2004/05/09 01:19:28 + [OVERVIEW auth-rsa.c auth1.c kex.c monitor.c session.c sshconnect1.c + sshd.c] removed: mpaux.c mpaux.h + kill some more tiny files; ok deraadt@ + - djm@cvs.openbsd.org 2004/05/09 01:26:48 + [kex.c] + don't overwrite what we are trying to compute + - deraadt@cvs.openbsd.org 2004/05/11 19:01:43 + [auth.c auth2-none.c authfile.c channels.c monitor.c monitor_mm.c + packet.c packet.h progressmeter.c session.c openbsd-compat/xmmap.c] + improve some code lint did not like; djm millert ok + - dtucker@cvs.openbsd.org 2004/05/13 02:47:50 + [ssh-agent.1] + Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@ + - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to + UsePAM section. Parts from djm@ and jmc@. + - (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses + readpass.h, grep says scard-opensc.c does too. Replace with misc.h. + - (dtucker) [openbsd-compat/getrrsetbyname.c] Check that HAVE_DECL_H_ERROR + is defined before using. + - (dtucker) [openbsd-compat/getrrsetbyname.c] Fix typo too: HAVE_DECL_H_ERROR + -> HAVE_DECL_H_ERRNO. + +20040502 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/04/22 11:56:57 + [moduli.c] + Bugzilla #850: Sophie Germain is the correct name of the French + mathematician, "Sophie Germaine" isn't; from Luc.Maisonobe@c-s.fr + - djm@cvs.openbsd.org 2004/04/27 09:46:37 + [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c + ssh_config.5 sshd_config.5] + bz #815: implement ability to pass specified environment variables from + the client to the server; ok markus@ + - djm@cvs.openbsd.org 2004/04/28 05:17:10 + [ssh_config.5 sshd_config.5] + manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu) + - jmc@cvs.openbsd.org 2004/04/28 07:02:56 + [sshd_config.5] + remove unnecessary .Pp; + - jmc@cvs.openbsd.org 2004/04/28 07:13:42 + [sftp.1 ssh.1] + add SendEnv to -o list; + - dtucker@cvs.openbsd.org 2004/05/02 11:54:31 + [sshd.8] + Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk + via Debian; ok djm@ + - dtucker@cvs.openbsd.org 2004/05/02 11:57:52 + [ssh.1] + ConnectionTimeout -> ConnectTimeout, from m.a.ellis at ncl.ac.uk via + Debian. ok djm@ + - dtucker@cvs.openbsd.org 2004/05/02 23:02:17 + [sftp.1] + ConnectionTimeout -> ConnectTimeout here too, pointed out by jmc@ + - dtucker@cvs.openbsd.org 2004/05/02 23:17:51 + [scp.1] + ConnectionTimeout -> ConnectTimeout for scp.1 too. + +20040423 + - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno + as extern int if not already declared. Fixes compile errors on old SCO + platforms. ok tim@ + - (dtucker) [README.platform] List prereqs for building on Cygwin. + +20040421 + - (djm) Update config.guess and config.sub to autoconf-2.59 versions; ok tim@ + +20040420 + - (djm) OpenBSD CVS Sync + - henning@cvs.openbsd.org 2004/04/08 16:08:21 + [sshconnect2.c] + swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what + FreeBSD and NetBSD do. + ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@ + - djm@cvs.openbsd.org 2004/04/18 23:10:26 + [readconf.c readconf.h ssh-keysign.c ssh.c] + perform strict ownership and modes checks for ~/.ssh/config files, + as these can be used to execute arbitrary programs; ok markus@ + NB. ssh will now exit when it detects a config with poor permissions + - djm@cvs.openbsd.org 2004/04/19 13:02:40 + [ssh.1 ssh_config.5] + document strict permission checks on ~/.ssh/config; prompted by, + with & ok jmc@ + - jmc@cvs.openbsd.org 2004/04/19 16:12:14 + [ssh_config.5] + kill whitespace at eol; + - djm@cvs.openbsd.org 2004/04/19 21:51:49 + [ssh.c] + fix idiot typo that i introduced in my last commit; + spotted by cschneid AT cschneid.com + - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for + above change + - (djm) [configure.ac] Check whether libroken is required when building + with Heimdal + +20040419 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2004/02/29 22:04:45 + [regress/login-timeout.sh] + Use sudo when restarting daemon during test. ok markus@ + - dtucker@cvs.openbsd.org 2004/03/08 10:17:12 + [regress/login-timeout.sh] + Missing OBJ, from tim@. ok markus@ (Already fixed, ID sync only) + - djm@cvs.openbsd.org 2004/03/30 12:41:56 + [sftp-client.c] + sync comment with reality + - djm@cvs.openbsd.org 2004/03/31 21:58:47 + [canohost.c] + don't skip ip options check when UseDNS=no; ok markus@ (ID sync only) + - markus@cvs.openbsd.org 2004/04/01 12:19:57 + [scp.c] + limit trust between local and remote rcp/scp process, + noticed by lcamtuf; ok deraadt@, djm@ + +20040418 + - (dtucker) [auth-pam.c] Log username and source host for failed PAM + authentication attempts. With & ok djm@ + - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow + change of user context without a password, so relax auth method + restrictions; from vinschen AT redhat.com; ok dtucker@ + +20040416 + - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since + FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com + - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache + file using FILE: method, fixes problems on Mac OSX. + Patch from simon@sxw.org.uk; ok dtucker@ + - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and + BROKEN_SETREGID for SCO OpenServer 3 + +20040412 + - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning + from bug #701 (text from jfh at cise.ufl.edu). + - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg + skeychallenge(), eg on NetBSD. ok mouring@ + - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly + 4-arg, with compatibility for 3-arg versions. From djm@, ok me. + - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@ + +20040408 + - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating + pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org. + - (bal) [monitor.c monitor_wrap.c] Second try. Put the zlib.h headers + back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple) + - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and + simplify loginrec.c. ok tim@ + - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested + limiting scope and dtucker@ agreed. + +20040407 + - (dtucker) [session.c] Flush stdout after displaying loginmsg. From + f_mohr at yahoo.de. + - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see + if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X) + are starting to restrict it as internal since it is not needed by + developers any more. (Patch based on Apple tree) + - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since + krb5 on MacOS/X conflicts. There may be a better solution, but this will + work for now. + +20040406 + - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use + updwtmpx() on IRIX since it seems to clobber utmp. ok djm@ + - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect + broken getaddrinfo and friends on HP-UX. ok djm@ + +20040330 + - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on + Linuxes, since that's what many use. ok djm@ + - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c + to reduce potential confusion with the one in sshd.c. ok djm@ + - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection; + with & ok dtucker@ + +20040327 + - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent + duplicate login messages for mutli-session logins. ok djm@ + +20040322 + - (djm) [sshd.c] Drop supplemental groups if started as root + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/03/09 22:11:05 + [ssh.c] + increase x11 cookie lifetime to 20 minutes; ok djm + - markus@cvs.openbsd.org 2004/03/10 09:45:06 + [ssh.c] + trim usage to match ssh(1) and look more like unix. ok djm@ + - markus@cvs.openbsd.org 2004/03/11 08:36:26 + [sshd.c] + trim usage; ok deraadt + - markus@cvs.openbsd.org 2004/03/11 10:21:17 + [ssh.c sshd.c] + ssh, sshd: sync version output, ok djm + - markus@cvs.openbsd.org 2004/03/20 10:40:59 + [version.h] + 3.8.1 + - (djm) Crank RPM spec versions + +20040311 + - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker + +20040310 + - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo + before redefining it, silences warnings on Tru64. + +20040308 + - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some + platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@ + - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h + openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being + inherited by the child. ok djm@ + - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c + monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized + even if keyboard-interactive is not used by the client. Prevents + segfaults in some cases where the user's password is expired (note this + is not considered a security exposure). ok djm@ + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/03/03 06:47:52 + [sshd.c] + change proctiltle after accept(2); ok henning, deraadt, djm + - djm@cvs.openbsd.org 2004/03/03 09:30:42 + [sftp-client.c] + Don't print duplicate messages when progressmeter is off + Spotted by job317 AT mailvault.com; ok markus@ + - djm@cvs.openbsd.org 2004/03/03 09:31:20 + [sftp.c] + Fix initialisation of progress meter; ok markus@ + - markus@cvs.openbsd.org 2004/03/05 10:53:58 + [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c] + add IdentitiesOnly; ok djm@, pb@ + - djm@cvs.openbsd.org 2004/03/08 09:38:05 + [ssh-keyscan.c] + explicitly initialise remote_major and remote_minor. + from cjwatson AT debian.org; ok markus@ + - dtucker@cvs.openbsd.org 2004/03/08 10:18:57 + [sshd_config.5] + Document KerberosGetAFSToken; ok markus@ + - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal + +20040307 + - (tim) [regress/login-timeout.sh] fix building outside of source tree. + +20040304 + - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with + -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@ + - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread, + prevent hanging during PAM keyboard-interactive authentications. ok djm@ + - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h + openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when + configured --with-osfsia. ok djm@ + +20040303 + - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent + ok dtucker + +20040229 + - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188 + +20040229 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/02/25 00:22:45 + [sshd.c] + typo in comment + - dtucker@cvs.openbsd.org 2004/02/27 22:42:47 + [dh.c] + Prevent sshd from sending DH groups with a primitive generator of zero or + one, even if they are listed in /etc/moduli. ok markus@ + - dtucker@cvs.openbsd.org 2004/02/27 22:44:56 + [dh.c] + Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone + ever uses one. ok markus@ + - dtucker@cvs.openbsd.org 2004/02/27 22:49:27 + [dh.c] + Reset bit counter at the right time, fixes debug output in the case where + the DH group is rejected. ok markus@ + - dtucker@cvs.openbsd.org 2004/02/17 08:23:20 + [regress/Makefile regress/login-timeout.sh] + Add regression test for LoginGraceTime; ok markus@ + - markus@cvs.openbsd.org 2004/02/24 16:56:30 + [regress/test-exec.sh] + allow arguments in ${TEST_SSH_XXX} + - markus@cvs.openbsd.org 2004/02/24 17:06:52 + [regress/ssh-com-client.sh regress/ssh-com-keygen.sh + regress/ssh-com-sftp.sh regress/ssh-com.sh] + test against recent ssh.com releases + - dtucker@cvs.openbsd.org 2004/02/28 12:16:57 + [regress/dynamic-forward.sh] + Make dynamic-forward understand nc's new output. ok markus@ + - dtucker@cvs.openbsd.org 2004/02/28 13:44:45 + [regress/try-ciphers.sh] + Test acss too; ok markus@ + - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we + built with openssl < 0.9.7) + +20040226 + - (bal) KNF our sshlogin.c even if the code looks nothing like upstream + code due to diversity issues. + +20040225 + - (djm) Trim ChangeLog + - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora + +20040224 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/02/19 21:15:04 + [sftp-server.c] + switch to new license.template + - markus@cvs.openbsd.org 2004/02/23 12:02:33 + [sshd.c] + backout revision 1.279; set listen socket to non-block; ok henning. + - markus@cvs.openbsd.org 2004/02/23 15:12:46 + [bufaux.c] + encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka + and drop support for negative BNs; ok otto@ + - markus@cvs.openbsd.org 2004/02/23 15:16:46 + [version.h] + enter 3.8 + - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found + with krb5-config, hunt down gssapi.h and friends. Based partially on patch + from deengert at anl.gov. ok djm@ + - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime + using sysconf() if available Based on patches from + holger AT van-lengerich.de and openssh_bugzilla AT hockin.org + - (dtucker) [uidswap.c] Minor KNF. ok djm@ + - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ + - (djm) Crank RPM spec versions + - (dtucker) [README] Add pointer to release notes. ok djm@ + - (dtucker) {README.platform] Add platform-specific notes. + - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot + - (djm) Release 3.8p1 + +20040223 + - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the + non-interactive path. ok djm@ + +20040222 + - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test + to auth-shadow.c, no functional change. ok djm@ + - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or + password expiry. ok djm@ + - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents + multiple warnings if a wrong password is entered. + - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path + too. + +20040220 + - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@ + +20040218 + - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a + path with a "-" in it. From Sergio.Gelato at astro.su.se. + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/02/17 07:17:29 + [sftp-glob.c sftp.c] + Remove useless headers; ok deraadt@ + - djm@cvs.openbsd.org 2004/02/17 11:03:08 + [sftp.c] + sftp.c and sftp-int.c, together at last; ok markus@ + - jmc@cvs.openbsd.org 2004/02/17 19:35:21 + [sshd_config.5] + remove cruft left over from RhostsAuthentication removal; + ok markus@ + - (djm) [log.c] Correct use of HAVE_OPENLOG_R + - (djm) [log.c] Tighten openlog_r tests + +20040217 + - (djm) Simplify the license on code I have written. No code changes. + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/02/17 05:39:51 + [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] + [sftp-int.h sftp.c] + switch to license.template for code written by me (belated, I know...) + - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from + stadal@suse.cz and simon@sxw.org.uk + - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@ + - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for + display after login. Should fix problems like pam_motd not displaying + anything, noticed by cjwatson at debian.org. ok djm@ + +20040212 + - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] + Portablity fixes. Data sftp transfers needs to be world readable. Some + older shells hang on while loops when doing sh -n some_script. OK dtucker@ + - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3. + ok mouring@ + +20040211 + - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check + if HAS_SHADOW_EXPIRY is set. + - (tim) [configure.ac] Fix comment to match code changes in ver 1.117 + +20040210 + - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c + openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's + native password expiry. + - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h + defines.h] Bug #14: Use do_pwchange to support password expiry and force + change for platforms using /etc/shadow. ok djm@ + - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat + functions to avoid conflicts with Heimdal's libroken. ok djm@ + - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to + change expired PAM passwords for SSHv1 connections without privsep. + pam_chauthtok is still used when privsep is disabled. ok djm@ + - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move + include from port-aix.h to port-aix.c and remove unnecessary function + definition. Fixes build errors on AIX. + - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms + that support it. from & ok mouring@ + - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x. + ok djm@ + +20040207 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2004/02/06 23:41:13 + [cipher-ctr.c] + Use EVP_CIPHER_CTX_key_length for key length. ok markus@ + (This will fix builds with OpenSSL 0.9.5) + - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5. + ok djm@, markus@ + +20040206 + - (dtucker) [acss.c acss.h] Fix $Id tags. + - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with + OpenSSL >= 0.9.7. ok djm@ + - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root + user, since some modules might fail due to lack of privilege. ok djm@ + - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO + for HP-UX 11.11. If there are known-good configs where this is not + required, please report them. ok djm@ + - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent + accidentally inheriting from root's environment. ok djm@ + - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796: + Restore previous authdb setting after auth calls. Fixes problems with + setpcred failing on accounts that use AFS or NIS password registries. + - (dtucker) [configure.ac includes.h] Include if present, + required on Solaris 2.5.1 for queue_t, which is used by . + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/01/30 09:48:57 + [auth-passwd.c auth.h pathnames.h session.c] + support for password change; ok dtucker@ + (set password-dead=1w in login.conf to use this). + In -Portable, this is currently only platforms using bsdauth. + - dtucker@cvs.openbsd.org 2004/02/05 05:37:17 + [monitor.c sshd.c] + Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@ + - markus@cvs.openbsd.org 2004/02/05 15:33:33 + [progressmeter.c] + fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@ + +20040129 + - (dtucker) OpenBSD CVS Sync regress/ + - dtucker@cvs.openbsd.org 2003/10/11 11:49:49 + [Makefile banner.sh] + Test missing banner file, suppression of banner with ssh -q, check return + code from ssh. ok markus@ + - jmc@cvs.openbsd.org 2003/11/07 10:16:44 + [ssh-com.sh] + adress -> address, and a few more; all from Jonathon Gray; + - djm@cvs.openbsd.org 2004/01/13 09:49:06 + [sftp-batch.sh] + - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from + tim@, ok several + - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h] + Bug #775: Cray fixes from wendy at cray.com + +20040128 + - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ + - (dtucker) [moduli] Import new moduli file from OpenBSD. + +20040127 + - (djm) OpenBSD CVS Sync + - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03 + [cipher.c] + enable acss for ssh + ok deraadt@ markus@ + - mouring@cvs.openbsd.org 2004/01/23 17:57:48 + [sftp-int.c] + Fix issue pointed out with ls not handling large directories + with embeded paths correctly. OK damien@ + - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33 + [cipher.c] + rename acss@opebsd.org to acss@openssh.org + ok deraadt@ + - djm@cvs.openbsd.org 2004/01/25 03:49:09 + [sshconnect.c] + reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785) + from jclonguet AT free.fr; ok millert@ + - djm@cvs.openbsd.org 2004/01/27 10:08:10 + [sftp.c] + reorder parsing so user:skey@host:file works (bugzilla #777) + patch from admorten AT umich.edu; ok markus@ + - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS + if libcrypto lacks it + +20040126 + - (tim) Typo in regress/README.regress + - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. + - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG + - (tim) [configure.ac includes.h] add for grantpt() and friends. + - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ + and T_SIG to getrrsetbyname.h + +20040124 + - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com + +20040123 + - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from + ralf.hack AT pipex.net; ok dtucker@ + - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect + Kerberos location (and thus work with Fedora Core 1); + from jason AT devrandom.org + - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for + zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@ + - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options. + Patch from vinschen at redhat.com. + - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] + Change AFS symbol to USE_AFS to prevent namespace collisions, do not + include kafs.h unless necessary. From deengert at anl.gov. + - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and + -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \ + CPPFLAGS="-I/usr/local/include" ./configure if needed. + +20040122 + - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ + GSSAPI detection, libs and includes. ok djm@ + - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not + just HEIMDAL. + - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of + /usr/local being a symbolic link. Fixes problem reported by Henry Grebler. + +20040121 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/01/13 09:25:05 + [sftp-int.c sftp.1 sftp.c] + Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and + enable use of "-b -" to accept batchfile from stdin; ok markus@ + - jmc@cvs.openbsd.org 2004/01/13 12:17:33 + [sftp.1] + remove unnecessary Ic's; + kill whitespace at EOL; + ok djm@ + - markus@cvs.openbsd.org 2004/01/13 19:23:15 + [compress.c session.c] + -Wall; ok henning + - markus@cvs.openbsd.org 2004/01/13 19:45:15 + [compress.c] + cast for portability; millert@ + - markus@cvs.openbsd.org 2004/01/19 09:24:21 + [channels.c] + fake consumption for half closed channels since the peer is waiting for + window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@ + reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo' + - markus@cvs.openbsd.org 2004/01/19 21:25:15 + [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c] + fix mem leaks; some fixes from Pete Flugstad; tested dtucker@ + - djm@cvs.openbsd.org 2004/01/21 03:07:59 + [sftp.c] + initialise infile in main, rather than statically - from portable + - deraadt@cvs.openbsd.org 2004/01/11 21:55:06 + [sshpty.c] + for pty opening, only use the openpty() path. the other stuff only needs + to be in openssh-p; markus ok + - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an + openpty() replacement + +20040114 + - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits + unexpectedly. with & ok djm@ + - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add + test for case where cleanup has already run. + - (dtucker) [auth-pam.c] Add minor debugging. + +20040113 + - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No + functional changes. + +20040108 + - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and + only define if not already. From des at freebsd.org. + - (dtucker) [configure.ac] Remove extra (typo) comma. + +20040105 + - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from + cjwatson at debian.org. + - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] + Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@ + +20040102 + - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from + jakob@ + - (djm) Remove useless DNS support configure summary message. from jakob@ + - (djm) OSX/Darwin put the PAM headers in a different place, detect this. + Report from jakob@ + +20031231 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/12/22 09:16:58 + [moduli.c ssh-keygen.1 ssh-keygen.c] + tidy up moduli generation debugging, add -v (verbose/debug) option to + ssh-keygen; ok markus@ + - markus@cvs.openbsd.org 2003/12/22 20:29:55 + [cipher-3des1.c] + EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr + - jakob@cvs.openbsd.org 2003/12/23 16:12:10 + [servconf.c servconf.h session.c sshd_config] + implement KerberosGetAFSToken server option. ok markus@, beck@ + - millert@cvs.openbsd.org 2003/12/29 16:39:50 + [sshd_config] + KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK + - dtucker@cvs.openbsd.org 2003/12/31 00:24:50 + [auth2-passwd.c] + Ignore password change request during password auth (which we currently + don't support) and discard proposed new password. corrections/ok markus@ + - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist. + +20031219 + - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we + typedef size_t ourselves. + +20031218 + - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban. + - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive + authentication. Partially fixes bug #423. Feedback & ok djm@ + +20031217 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/12/09 15:28:43 + [serverloop.c] + make ClientKeepAlive work for ssh -N, too (no login shell requested). + 1) send a bogus channel request if we find a channel + 2) send a bogus global request if we don't have a channel + ok + test beck@ + - markus@cvs.openbsd.org 2003/12/09 17:29:04 + [sshd.c] + fix -o and HUP; ok henning@ + - markus@cvs.openbsd.org 2003/12/09 17:30:05 + [ssh.c] + don't modify argv for ssh -o; similar to sshd.c 1.283 + - markus@cvs.openbsd.org 2003/12/09 21:53:37 + [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1] + [ssh_config.5 sshconnect.c sshd.c sshd_config.5] + rename keepalive to tcpkeepalive; the old name causes too much + confusion; ok djm, dtucker; with help from jmc@ + - dtucker@cvs.openbsd.org 2003/12/09 23:45:32 + [clientloop.c] + Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@ + - markus@cvs.openbsd.org 2003/12/14 12:37:21 + [ssh_config.5] + we don't support GSS KEX; from Simon Wilkinson + - markus@cvs.openbsd.org 2003/12/16 15:49:51 + [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1] + [ssh.c ssh_config.5] + application layer keep alive (ServerAliveInterval ServerAliveCountMax) + for ssh(1), similar to the sshd(8) option; ok beck@; with help from + jmc and dtucker@ + - markus@cvs.openbsd.org 2003/12/16 15:51:54 + [dh.c] + use <= instead of < in dh_estimate; ok provos/hshoexer; + do not return < DH_GRP_MIN + - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for + setres[ug]id() present but not implemented (eg some Linux/glibc + combinations). + - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are + using a real 'signal()' (Noticed by a NeXT Compile) + +20031209 + - (dtucker) OpenBSD CVS Sync + - matthieu@cvs.openbsd.org 2003/11/25 23:10:08 + [ssh-add.1] + ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@. + - djm@cvs.openbsd.org 2003/11/26 21:44:29 + [cipher-aes.c] + fix #ifdef before #define; ok markus@ + (RCS ID sync only, Portable already had this) + - markus@cvs.openbsd.org 2003/12/02 12:15:10 + [progressmeter.c] + improvments from andreas@: + * saner speed estimate for transfers that takes less than a second by + rounding the time to 1 second. + * when the transfer is finished calculate the actual total speed + rather than the current speed which is given during the transfer + - markus@cvs.openbsd.org 2003/12/02 17:01:15 + [channels.c session.c ssh-agent.c ssh.h sshd.c] + use SSH_LISTEN_BACKLOG (=128) in listen(2). + - djm@cvs.openbsd.org 2003/12/07 06:34:18 + [moduli.c] + remove unused debugging #define templates + - markus@cvs.openbsd.org 2003/12/08 11:00:47 + [kexgexc.c] + print requested group size in debug; ok djm + - dtucker@cvs.openbsd.org 2003/12/09 13:52:55 + [moduli.c] + Prevent ssh-keygen -T from outputting moduli with a generator of 0, since + they can't be used for Diffie-Hellman. Assistance and ok djm@ + - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below. + +20031208 + - (tim) [configure.ac] Bug 770. Fix --without-rpath. + +20031123 + - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own + function and call it unconditionally + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/11/23 23:17:34 + [ssh-keyscan.c] + from portable - use sysconf to detect fd limit; ok markus@ + (tidy diff by adding SSH_SSFDMAX macro to defines.h) + - djm@cvs.openbsd.org 2003/11/23 23:18:45 + [ssh-keygen.c] + consistency PATH_MAX -> MAXPATHLEN; ok markus@ + (RCS ID sync only) + - djm@cvs.openbsd.org 2003/11/23 23:21:21 + [scp.c] + from portable: rename clashing variable limit-> limit_rate; ok markus@ + (RCS ID sync only) + - dtucker@cvs.openbsd.org 2003/11/24 00:16:35 + [ssh.1 ssh.c] + Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@ + - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original + source file path (in OpenBSD tree). + +20031122 + - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ + - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Move AIX specific password authentication code to port-aix.c, call + authenticate() until reenter flag is clear. + - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net. + Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA + is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ + - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch + - (djm) [sftp-int.c] Remove duplicated code from bogus sync + - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code + +20031121 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/11/20 11:39:28 + [progressmeter.c] + fix rounding errors; from andreas@ + - djm@cvs.openbsd.org 2003/11/21 11:57:03 + [everything] + unexpand and delete whitespace at EOL; ok markus@ + (done locally and RCS IDs synced) + +20031118 + - (djm) Fix early exit for root auth success when UsePAM=yes and + PermitRootLogin=no + - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, + and use it for do_pam_session. Fixes problems like pam_motd not + displaying anything. ok djm@ + - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@ + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2003/11/18 00:40:05 + [serverloop.c] + Correct check for authctxt->valid. ok djm@ + - djm@cvs.openbsd.org 2003/11/18 10:53:07 + [monitor.c] + unbreak fake authloop for non-existent users (my screwup). Spotted and + tested by dtucker@; ok markus@ + +20031117 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/11/03 09:03:37 + [auth-chall.c] + make this a little more idiot-proof; ok markus@ + (includes portable-specific changes) + - jakob@cvs.openbsd.org 2003/11/03 09:09:41 + [sshconnect.c] + move changed key warning into warn_changed_key(). ok markus@ + - jakob@cvs.openbsd.org 2003/11/03 09:37:32 + [sshconnect.c] + do not free static type pointer in warn_changed_key() + - djm@cvs.openbsd.org 2003/11/04 08:54:09 + [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c] + [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c] + [session.c] + standardise arguments to auth methods - they should all take authctxt. + check authctxt->valid rather then pw != NULL; ok markus@ + - jakob@cvs.openbsd.org 2003/11/08 16:02:40 + [auth1.c] + remove unused variable (pw). ok djm@ + (id sync only - still used in portable) + - jmc@cvs.openbsd.org 2003/11/08 19:17:29 + [sftp-int.c] + typos from Jonathon Gray; + - jakob@cvs.openbsd.org 2003/11/10 16:23:41 + [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c] + [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c] + [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h] + constify. ok markus@ & djm@ + - dtucker@cvs.openbsd.org 2003/11/12 10:12:15 + [scp.c] + When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@ + - jakob@cvs.openbsd.org 2003/11/12 16:39:58 + [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] + update SSHFP validation. ok markus@ + - jmc@cvs.openbsd.org 2003/11/12 20:14:51 + [ssh_config.5] + make verb agree with subject, and kill some whitespace; + - markus@cvs.openbsd.org 2003/11/14 13:19:09 + [sshconnect2.c] + cleanup and minor fixes for the client code; from Simon Wilkinson + - djm@cvs.openbsd.org 2003/11/17 09:45:39 + [msg.c msg.h sshconnect2.c ssh-keysign.c] + return error on msg send/receive failure (rather than fatal); ok markus@ + - markus@cvs.openbsd.org 2003/11/17 11:06:07 + [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c] + [monitor_wrap.h sshconnect2.c ssh-gss.h] + replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; + test + ok jakob. + - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int + conversation function + - (djm) Export environment variables from authentication subprocess to + parent. Part of Bug #717 + +20031115 + - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and + HP-UX, skip test on AIX. + +20031113 + - (dtucker) [auth-pam.c] Append newlines to lines output by the + pam_chauthtok_conv(). + - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All + contrib/cygwin). Major update from vinschen at redhat.com. + - Makefile provides a `cygwin-postinstall' target to run right after + `make install'. + - Better support for Windows 2003 Server. + - Try to get permissions as correct as possible. + - New command line options to allow full automated host configuration. + - Create configs from skeletons in /etc/defaults/etc. + - Use /bin/bash, allows reading user input with readline support. + - Remove really old configs from /usr/local. + - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and + PAM_ERROR_MSG messages. + +20031106 + - (djm) Clarify UsePAM consequences a little more + +20031103 + - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services + are created correctly with CRLF line terminations. Patch from vinschen at + redhat.com. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/10/15 09:48:45 + [monitor_wrap.c] + check pmonitor != NULL + - markus@cvs.openbsd.org 2003/10/21 09:50:06 + [auth2-gss.c] + make sure the doid is larger than 2 + - avsm@cvs.openbsd.org 2003/10/26 16:57:43 + [sshconnect2.c] + rename 'supported' static var in userauth_gssapi() to 'gss_supported' + to avoid shadowing the global version. markus@ ok + - markus@cvs.openbsd.org 2003/10/28 09:08:06 + [misc.c] + error->debug for getsockopt+TCP_NODELAY; several requests + - markus@cvs.openbsd.org 2003/11/02 11:01:03 + [auth2-gss.c compat.c compat.h sshconnect2.c] + remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk + - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid. + +20031021 + - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords + directly. Noted by Darren.Moffat at sun.com. + - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set, + make agent setgid during test. + +20031017 + - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with + MD5 passwords even if PAM support is enabled. From steev at detritus.net. + +20031015 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/10/08 08:27:36 + [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8] + scp and sftp: add options list and sort options. options list requested + by deraadt@ + sshd: use same format as ssh + ssh: remove wrong option from list + sftp-server: Subsystem is documented in ssh_config(5), not sshd(8) + ok deraadt@ markus@ + - markus@cvs.openbsd.org 2003/10/08 15:21:24 + [readconf.c ssh_config.5] + default GSS API to no in client, too; ok jakob, deraadt@ + - markus@cvs.openbsd.org 2003/10/11 08:24:08 + [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] + remote x11 clients are now untrusted by default, uses xauth(8) to generate + untrusted cookies; ForwardX11Trusted=yes restores old behaviour. + ok deraadt; feedback and ok djm/fries + - markus@cvs.openbsd.org 2003/10/11 08:26:43 + [sshconnect2.c] + search keys in reverse order; fixes #684 + - markus@cvs.openbsd.org 2003/10/11 11:36:23 + [monitor_wrap.c] + return NULL for missing banner; ok djm@ + - jmc@cvs.openbsd.org 2003/10/12 13:12:13 + [ssh_config.5] + note that EnableSSHKeySign should be in the non-hostspecific section; + remove unnecessary .Pp; + ok markus@ + - markus@cvs.openbsd.org 2003/10/13 08:22:25 + [scp.1 sftp.1] + don't refer to options related to forwarding; ok jmc@ + - jakob@cvs.openbsd.org 2003/10/14 19:42:10 + [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] + include SSHFP lookup code (not enabled by default). ok markus@ + - jakob@cvs.openbsd.org 2003/10/14 19:43:23 + [README.dns] + update + - markus@cvs.openbsd.org 2003/10/14 19:54:39 + [session.c ssh-agent.c] + 10X for mkdtemp; djm@ + - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c + openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always + compiled in but disabled in config. + - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. + - (tim) [regress/banner.sh] portability fix. + +20031009 + - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ + +20031008 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2003/10/07 01:47:27 + [sshconnect2.c] + Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & + #707. ok markus@ + - djm@cvs.openbsd.org 2003/10/07 07:04:16 + [sftp-int.c] + sftp quoting fix from admorten AT umich.edu; ok markus@ + - deraadt@cvs.openbsd.org 2003/10/07 21:58:28 + [sshconnect2.c] + set ptr to NULL after free + - dtucker@cvs.openbsd.org 2003/10/07 01:52:13 + [regress/Makefile regress/banner.sh] + Test SSH2 banner. ok markus@ + - djm@cvs.openbsd.org 2003/10/07 07:04:52 + [regress/sftp-cmds.sh] + more sftp quoting regress tests; ok markus + +20031007 + - (djm) Delete autom4te.cache after autoreconf + - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static + cleanup functions. With & ok djm@ + - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a + run-time switch, always build --with-md5-passwords. + - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c] + Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@ + - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID + on Reliant Unix. Patch from Robert.Dahlem at siemens.com. + - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on + Reliant Unix. Based on patch from Robert.Dahlem at siemens.com. + +20031003 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/10/02 10:41:59 + [sshd.c] + print openssl version, too, several requests; ok henning/djm. + - markus@cvs.openbsd.org 2003/10/02 08:26:53 + [ssh-gss.h] + missing $OpenBSD:; dtucker + - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default + option. + +20031002 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/09/23 20:17:11 + [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c + cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h + monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h + ssh-agent.c sshd.c] + replace fatal_cleanup() and linked list of fatal callbacks with static + cleanup_exit() function. re-refine cleanup_exit() where appropriate, + allocate sshd's authctxt eary to allow simpler cleanup in sshd. + tested by many, ok deraadt@ + - markus@cvs.openbsd.org 2003/09/23 20:18:52 + [progressmeter.c] + don't print trailing \0; bug #709; Robert.Dahlem@siemens.com + ok millert/deraadt@ + - markus@cvs.openbsd.org 2003/09/23 20:41:11 + [channels.c channels.h clientloop.c] + move client only agent code to clientloop.c + - markus@cvs.openbsd.org 2003/09/26 08:19:29 + [sshd.c] + no need to set the listen sockets to non-block; ok deraadt@ + - jmc@cvs.openbsd.org 2003/09/29 11:40:51 + [ssh.1] + - add list of options to -o and .Xr ssh_config(5) + - some other cleanup + requested by deraadt@; + ok deraadt@ markus@ + - markus@cvs.openbsd.org 2003/09/29 20:19:57 + [servconf.c sshd_config] + GSSAPICleanupCreds -> GSSAPICleanupCredentials + - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring + --with-pam. ok djm@ + - (dtucker) [ssh-gss.h] Prototype change missed in sync. + - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations. + Based on patches by Matthias Koeppe and Thomas Baden. ok djm@ + +20030930 + - (bal) Fix issues in openbsd-compat/realpath.c + +20030925 + - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove + DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from + michael_steffens at hp.com, ok djm@ + - (tim) [sshd_config] UsePAM defaults to no. + +20030924 + - (djm) Update version.h and spec files for HEAD + - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6. + +20030923 + - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree + builds. Portability corrections from tim@. + - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X. + Patch from max at quendi.de. + - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi. + - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. + - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS. + Patch from david.haughton at ncr.com + - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6. + Part of patch supplied by bugzilla-openssh at thewrittenword.com + - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c + openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with + where gai_strerror is defined as "const char *". Part of patch supplied + by bugzilla-openssh at thewrittenword.com + - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update + ssh-host-config to match current defaults, bump README version. Patch from + vinschen at redhat.com. + - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the + OS does not support permanently dropping privileges. Patch from + vinschen at redhat.com. + - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h, + add canohost.h to stop warning. Based on patch from openssh-unix-dev at + thewrittenword.com + - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or + higher. + - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/ + - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN. + Report by distler AT golem ph utexas edu. + - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from + article by genty at austin.ibm.com, included with the author's permission. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/09/18 07:52:54 + [sshconnect.c] + missing {}; bug #656; jclonguet at free.fr + - markus@cvs.openbsd.org 2003/09/18 07:54:48 + [buffer.c] + protect against double free; #660; zardoz at users.sf.net + - markus@cvs.openbsd.org 2003/09/18 07:56:05 + [authfile.c] + missing buffer_free(&encrypted); #662; zardoz at users.sf.net + - markus@cvs.openbsd.org 2003/09/18 08:49:45 + [deattack.c misc.c session.c ssh-agent.c] + more buffer allocation fixes; from Solar Designer; CAN-2003-0682; + ok millert@ + - miod@cvs.openbsd.org 2003/09/18 13:02:21 + [authfd.c bufaux.c dh.c mac.c ssh-keygen.c] + A few signedness fixes for harmless situations; markus@ ok + - markus@cvs.openbsd.org 2003/09/19 09:02:02 + [packet.c] + buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471 + - markus@cvs.openbsd.org 2003/09/19 09:03:00 + [buffer.c] + sign fix in buffer_dump; Jedi/Sector One; pr 3473 + - markus@cvs.openbsd.org 2003/09/19 11:29:40 + [ssh-agent.c] + provide a ssh-agent specific fatal() function; ok deraadt + - markus@cvs.openbsd.org 2003/09/19 11:30:39 + [ssh-keyscan.c] + avoid fatal_cleanup, just call exit(); ok deraadt + - markus@cvs.openbsd.org 2003/09/19 11:31:33 + [channels.c] + do not call channel_free_all on fatal; ok deraadt + - markus@cvs.openbsd.org 2003/09/19 11:33:09 + [packet.c sshd.c] + do not call packet_close on fatal; ok deraadt + - markus@cvs.openbsd.org 2003/09/19 17:40:20 + [scp.c] + error handling for remote-remote copy; #638; report Harald Koenig; + ok millert, fgs, henning, deraadt + - markus@cvs.openbsd.org 2003/09/19 17:43:35 + [clientloop.c sshtty.c sshtty.h] + remove fatal callbacks from client code; ok deraadt + - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john + on #unixhelp@efnet + - (tim) [configure.ac] add --disable-etc-default-login option. ok djm + - (djm) Sync with V_3_7 branch: + - (djm) Fix SSH1 challenge kludge + - (djm) Bug #671: Fix builds on OpenBSD + - (djm) Bug #676: Fix PAM stack corruption + - (djm) Fix bad free() in PAM code + - (djm) Don't call pam_end before pam_init + - (djm) Enable build with old OpenSSL again + - (djm) Trim deprecated options from INSTALL. Mention UsePAM + - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu + +$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/INSTALL openssh-4.2p1/INSTALL --- ssh-openbsd-2005090100/INSTALL Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/INSTALL Sun Apr 24 17:52:23 2005 @@ -0,0 +1,228 @@ +1. Prerequisites +---------------- + +You will need working installations of Zlib and OpenSSL. + +Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems): +http://www.gzip.org/zlib/ + +OpenSSL 0.9.6 or greater: +http://www.openssl.org/ + +(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 +Blowfish) do not work correctly.) + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system +supports it. PAM is standard on Redhat and Debian Linux, Solaris and +HP-UX 11. + +NB. If you operating system supports /dev/random, you should configure +OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of +/dev/random. If you don't you will have to rely on ssh-rand-helper, which +is inferior to a good kernel-based solution. + +PAM: +http://www.kernel.org/pub/linux/libs/pam/ + +If you wish to build the GNOME passphrase requester, you will need the GNOME +libraries and headers. + +GNOME: +http://www.gnome.org/ + +Alternatively, Jim Knoble has written an excellent X11 +passphrase requester. This is maintained separately at: + +http://www.jmknoble.net/software/x11-ssh-askpass/ + +PRNGD: + +If your system lacks Kernel based random collection, the use of Lutz +Jaenicke's PRNGd is recommended. + +http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html + +EGD: + +The Entropy Gathering Daemon (EGD) is supported if you have a system which +lacks /dev/random and don't want to use OpenSSH's internal entropy collection. + +http://www.lothar.com/tech/crypto/ + +S/Key Libraries: + +If you wish to use --with-skey then you will need the library below +installed. No other S/Key library is currently known to be supported. + +http://www.sparc.spb.su/solaris/skey/ + +LibEdit: +sftp now supports command-line editing via NetBSD's libedit. If your +platform has it available natively you can use that, alternatively +you might try these multi-platform ports: + +http://www.thrysoee.dk/editline/ +http://sourceforge.net/projects/libedit/ + +2. Building / Installation +-------------------------- + +To install OpenSSH with default options: + +./configure +make +make install + +This will install the OpenSSH binaries in /usr/local/bin, configuration files +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different +installation prefix, use the --prefix option to configure: + +./configure --prefix=/opt +make +make install + +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +specific paths, for example: + +./configure --prefix=/opt --sysconfdir=/etc/ssh +make +make install + +This will install the binaries in /opt/{bin,lib,sbin}, but will place the +configuration files in /etc/ssh. + +If you are using Privilege Separation (which is enabled by default) +then you will also need to create the user, group and directory used by +sshd for privilege separation. See README.privsep for details. + +If you are using PAM, you may need to manually install a PAM control +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep +them). Note that the service name used to start PAM is __progname, +which is the basename of the path of your sshd (e.g., the service name +for /usr/sbin/osshd will be osshd). If you have renamed your sshd +executable, your PAM configuration may need to be modified. + +A generic PAM configuration is included as "contrib/sshd.pam.generic", +you may need to edit it before using it on your system. If you are +using a recent version of Red Hat Linux, the config file in +contrib/redhat/sshd.pam should be more useful. Failure to install a +valid PAM file may result in an inability to use password +authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf +configuration will work with sshd (sshd will match the other service +name). + +There are a few other options to the configure script: + +--with-pam enables PAM support. If PAM support is compiled in, it must +also be enabled in sshd_config (refer to the UsePAM directive). + +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD +support and to specify a PRNGd socket. Use this if your Unix lacks +/dev/random and you don't want to use OpenSSH's builtin entropy +collection support. + +--with-prngd-port=portnum allows you to enable EGD or PRNGD support +and to specify a EGD localhost TCP port. Use this if your Unix lacks +/dev/random and you don't want to use OpenSSH's builtin entropy +collection support. + +--with-lastlog=FILE will specify the location of the lastlog file. +./configure searches a few locations for lastlog, but may not find +it if lastlog is installed in a different place. + +--without-lastlog will disable lastlog support entirely. + +--with-osfsia, --without-osfsia will enable or disable OSF1's Security +Integration Architecture. The default for OSF1 machines is enable. + +--with-skey=PATH will enable S/Key one time password support. You will +need the S/Key libraries and header files installed for this to work. + +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) +support. You will need libwrap.a and tcpd.h installed. + +--with-md5-passwords will enable the use of MD5 passwords. Enable this +if your operating system uses MD5 passwords and the system crypt() does +not support them directly (see the crypt(3/3c) man page). If enabled, the +resulting binary will support both MD5 and traditional crypt passwords. + +--with-utmpx enables utmpx support. utmpx support is automatic for +some platforms. + +--without-shadow disables shadow password support. + +--with-ipaddr-display forces the use of a numeric IP address in the +$DISPLAY environment variable. Some broken systems need this. + +--with-default-path=PATH allows you to specify a default $PATH for sessions +started by sshd. This replaces the standard path entirely. + +--with-pid-dir=PATH specifies the directory in which the ssh.pid file is +created. + +--with-xauth=PATH specifies the location of the xauth binary + +--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries +are installed. + +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to +real (AF_INET) IPv4 addresses. Works around some quirks on Linux. + +--with-opensc=DIR +--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to +be used with OpenSSH. See 'README.smartcard' for more details. + +If you need to pass special options to the compiler or linker, you +can specify these as environment variables before running ./configure. +For example: + +CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure + +3. Configuration +---------------- + +The runtime configuration files are installed by in ${prefix}/etc or +whatever you specified as your --sysconfdir (/usr/local/etc by default). + +The default configuration should be instantly usable, though you should +review it to ensure that it matches your security requirements. + +To generate a host key, run "make host-key". Alternately you can do so +manually using the following commands: + + ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" + ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" + ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" + +Replacing /etc/ssh with the correct path to the configuration directory. +(${prefix}/etc or whatever you specified with --sysconfdir during +configuration) + +If you have configured OpenSSH with EGD support, ensure that EGD is +running and has collected some Entropy. + +For more information on configuration, please refer to the manual pages +for sshd, ssh and ssh-agent. + +4. (Optional) Send survey +------------------------- + +$ make survey +[check the contents and make sure there's no sensitive information] +$ make send-survey + +This will send configuration information for the currently configured +host to a survey address. This will help determine which configurations +are actually in use, and what valid combinations of configure options +exist. The raw data is available only to the OpenSSH developers, however +summary data may be published. + +5. Problems? +------------ + +If you experience problems compiling, installing or running OpenSSH. +Please refer to the "reporting bugs" section of the webpage at +http://www.openssh.com/ + + +$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/LICENCE openssh-4.2p1/LICENCE --- ssh-openbsd-2005090100/LICENCE Sat Jul 16 11:30:57 2005 +++ openssh-4.2p1/LICENCE Sat Aug 27 06:15:20 2005 @@ -182,6 +182,30 @@ Nils Nordman Simon Wilkinson + Portable OpenSSH additionally includes code from the following copyright + holders, also under the 2-term BSD license: + + Ben Lindstrom + Tim Rice + Andre Lucas + Chris Adams + Corinna Vinschen + Cray Inc. + Denis Parker + Gert Doering + Jakob Schlyter + Jason Downs + Juha Yrjölä + Michael Stone + Networks Associates Technology, Inc. + Solar Designer + Todd C. Miller + Wayne Schroeder + William Jones + Darren Tucker + Sun Microsystems + The SCO Group + * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -201,6 +225,111 @@ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +8) Portable OpenSSH contains the following additional licenses: + + a) md5crypt.c, md5crypt.h + + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this + * notice you can do whatever you want with this stuff. If we meet + * some day, and you think this stuff is worth it, you can buy me a + * beer in return. Poul-Henning Kamp + + b) snprintf replacement + + * Copyright Patrick Powell 1995 + * This code is based on code written by Patrick Powell + * (papowell@astart.com) It may be used for any purpose as long as this + * notice remains intact on all source code distributions + + c) Compatibility code (openbsd-compat) + + Apart from the previously mentioned licenses, various pieces of code + in the openbsd-compat/ subdirectory are licensed as follows: + + Some code is licensed under a 3-term BSD license, to the following + copyright holders: + + Todd C. Miller + Theo de Raadt + Damien Miller + Eric P. Allman + The Regents of the University of California + Constantin S. Svintsoff + + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + + Some code is licensed under an ISC-style license, to the following + copyright holders: + + Internet Software Consortium. + Todd C. Miller + + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL + * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE + * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + Some code is licensed under a MIT-style license to the following + copyright holders: + + Free Software Foundation, Inc. + + * Permission is hereby granted, free of charge, to any person obtaining a * + * copy of this software and associated documentation files (the * + * "Software"), to deal in the Software without restriction, including * + * without limitation the rights to use, copy, modify, merge, publish, * + * distribute, distribute with modifications, sublicense, and/or sell * + * copies of the Software, and to permit persons to whom the Software is * + * furnished to do so, subject to the following conditions: * + * * + * The above copyright notice and this permission notice shall be included * + * in all copies or substantial portions of the Software. * + * * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * + * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * + * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * + * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * + * THE USE OR OTHER DEALINGS IN THE SOFTWARE. * + * * + * Except as contained in this notice, the name(s) of the above copyright * + * holders shall not be used in advertising or otherwise to promote the * + * sale, use or other dealings in this Software without prior written * + * authorization. * + ****************************************************************************/ + ------ $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/Makefile openssh-4.2p1/Makefile --- ssh-openbsd-2005090100/Makefile Sat Jul 16 11:30:57 2005 +++ openssh-4.2p1/Makefile Thu Jan 1 10:00:00 1970 @@ -1,14 +0,0 @@ -# $OpenBSD: Makefile,v 1.12 2003/12/01 15:47:20 grange Exp $ - -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \ - ssh-keysign ssh-keyscan sftp scard - -distribution: - ${INSTALL} -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ - ${DESTDIR}/etc/ssh/ssh_config - ${INSTALL} -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ - ${DESTDIR}/etc/ssh/sshd_config - -.include diff -ruN --exclude CVS ssh-openbsd-2005090100/Makefile.in openssh-4.2p1/Makefile.in --- ssh-openbsd-2005090100/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/Makefile.in Sun May 29 17:22:29 2005 @@ -0,0 +1,431 @@ +# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $ + +# uncomment if you run a non bourne compatable shell. Ie. csh +#SHELL = @SH@ + +AUTORECONF=autoreconf + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +sbindir=@sbindir@ +libexecdir=@libexecdir@ +datadir=@datadir@ +mandir=@mandir@ +mansubdir=@mansubdir@ +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +DESTDIR= +VPATH=@srcdir@ +SSH_PROGRAM=@bindir@/ssh +ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass +SFTP_SERVER=$(libexecdir)/sftp-server +SSH_KEYSIGN=$(libexecdir)/ssh-keysign +RAND_HELPER=$(libexecdir)/ssh-rand-helper +PRIVSEP_PATH=@PRIVSEP_PATH@ +SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +STRIP_OPT=@STRIP_OPT@ + +PATHS= -DSSHDIR=\"$(sysconfdir)\" \ + -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ + -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ + -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \ + -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ + -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ + -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ + -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" + +CC=@CC@ +LD=@LD@ +CFLAGS=@CFLAGS@ +CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ +LIBS=@LIBS@ +LIBEDIT=@LIBEDIT@ +LIBPAM=@LIBPAM@ +LIBWRAP=@LIBWRAP@ +AR=@AR@ +AWK=@AWK@ +RANLIB=@RANLIB@ +INSTALL=@INSTALL@ +PERL=@PERL@ +SED=@SED@ +ENT=@ENT@ +XAUTH_PATH=@XAUTH_PATH@ +LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ +EXEEXT=@EXEEXT@ + +INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ +INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ + +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) + +LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \ + canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ + cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ + compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ + log.o match.o moduli.o nchan.o packet.o \ + readpass.o rsa.o ttymodes.o xmalloc.o \ + atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ + kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ + entropy.o scard-opensc.o gss-genr.o + +SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ + sshconnect.o sshconnect1.o sshconnect2.o + +SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sshpty.o sshlogin.o servconf.o serverloop.o \ + auth.o auth1.o auth2.o auth-options.o session.o \ + auth-chall.o auth2-chall.o groupaccess.o \ + auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o \ + monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ + auth-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + audit.o audit-bsm.o + +MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out +MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 +MANTYPE = @MANTYPE@ + +CONFIGFILES=sshd_config.out ssh_config.out moduli.out +CONFIGFILES_IN=sshd_config ssh_config moduli + +PATHSUBS = \ + -e 's|/etc/ssh/ssh_prng_cmds|$(sysconfdir)/ssh_prng_cmds|g' \ + -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ + -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ + -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ + -e 's|/usr/libexec|$(libexecdir)|g' \ + -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \ + -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ + -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ + -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ + -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ + -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ + -e 's|/etc/sshrc|$(sysconfdir)/sshrc|g' \ + -e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \ + -e 's|/var/empty|$(PRIVSEP_PATH)|g' \ + -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' + +FIXPATHSCMD = $(SED) $(PATHSUBS) + +all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) + +$(LIBSSH_OBJS): Makefile.in config.h +$(SSHOBJS): Makefile.in config.h +$(SSHDOBJS): Makefile.in config.h + +.c.o: + $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + +LIBCOMPAT=openbsd-compat/libopenbsd-compat.a +$(LIBCOMPAT): always + (cd openbsd-compat && $(MAKE)) +always: + +libssh.a: $(LIBSSH_OBJS) + $(AR) rv $@ $(LIBSSH_OBJS) + $(RANLIB) $@ + +ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) + +scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o + $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o + $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o + $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o + $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) + +ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o + $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +# test driver for the loginrec code - not built by default +logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o + $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) + +$(MANPAGES): $(MANPAGES_IN) + if test "$(MANTYPE)" = "cat"; then \ + manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \ + else \ + manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \ + fi; \ + if test "$(MANTYPE)" = "man"; then \ + $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \ + else \ + $(FIXPATHSCMD) $${manpage} > $@; \ + fi + +$(CONFIGFILES): $(CONFIGFILES_IN) + conffile=`echo $@ | sed 's/.out$$//'`; \ + $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@ + +ssh_prng_cmds.out: ssh_prng_cmds + if test ! -z "$(INSTALL_SSH_PRNG_CMDS)"; then \ + $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ + fi + +# fake rule to stop make trying to compile moduli.o into a binary "moduli.o" +moduli: + echo + +clean: regressclean + rm -f *.o *.a $(TARGETS) logintest config.cache config.log + rm -f *.out core survey + (cd openbsd-compat && $(MAKE) clean) + +distclean: regressclean + rm -f *.o *.a $(TARGETS) logintest config.cache config.log + rm -f *.out core opensshd.init + rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds survey.sh *~ + rm -rf autom4te.cache + (cd openbsd-compat && $(MAKE) distclean) + (cd scard && $(MAKE) distclean) + if test -d pkg ; then \ + rm -fr pkg ; \ + fi + +veryclean: distclean + rm -f configure config.h.in *.0 + +mrproper: veryclean + +realclean: veryclean + +catman-do: + @for f in $(MANPAGES_IN) ; do \ + base=`echo $$f | sed 's/\..*$$//'` ; \ + echo "$$f -> $$base.0" ; \ + nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ + >$$base.0 ; \ + done + +distprep: catman-do + $(AUTORECONF) + -rm -rf autom4te.cache + (cd scard && $(MAKE) -f Makefile.in distprep) + +install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config +install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf +install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files + +check-config: + -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config + +scard-install: + (cd scard && $(MAKE) DESTDIR=$(DESTDIR) install) + +install-files: scard-install + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(datadir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 + $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) + (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh + $(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan + $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd + if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \ + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ + fi + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 + $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ + $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ + fi + $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + -rm -f $(DESTDIR)$(bindir)/slogin + ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + +install-sysconf: + if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ + $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ + fi + @if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \ + $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \ + fi + @if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ + $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \ + fi + @if [ -f ssh_prng_cmds ] && [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ + if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \ + $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \ + fi ; \ + fi + @if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \ + if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \ + echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \ + mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \ + else \ + $(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \ + fi ; \ + else \ + echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ + fi + +host-key: ssh-keygen$(EXEEXT) + @if [ -z "$(DESTDIR)" ] ; then \ + if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ + fi ; \ + if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + fi ; \ + if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ; \ + fi ; \ + fi ; + +host-key-force: ssh-keygen$(EXEEXT) + ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" + ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" + ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" + +uninstallall: uninstall + -rm -f $(DESTDIR)$(sysconfdir)/ssh_config + -rm -f $(DESTDIR)$(sysconfdir)/sshd_config + -rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds + -rmdir $(DESTDIR)$(sysconfdir) + -rmdir $(DESTDIR)$(bindir) + -rmdir $(DESTDIR)$(sbindir) + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)1 + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)8 + -rmdir $(DESTDIR)$(mandir) + -rmdir $(DESTDIR)$(libexecdir) + +uninstall: + -rm -f $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) + -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + -rm -f $(DESTDIR)$(RAND_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + +tests: $(TARGETS) + BUILDDIR=`pwd`; \ + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \ + TEST_SHELL="@TEST_SHELL@"; \ + TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ + TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ + TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ + TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \ + TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \ + TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \ + TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \ + TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \ + cd $(srcdir)/regress || exit $$?; \ + $(MAKE) \ + .OBJDIR="$${BUILDDIR}/regress" \ + .CURDIR="`pwd`" \ + BUILDDIR="$${BUILDDIR}" \ + OBJ="$${BUILDDIR}/regress/" \ + PATH="$${BUILDDIR}:$${PATH}" \ + TEST_SHELL="$${TEST_SHELL}" \ + TEST_SSH_SSH="$${TEST_SSH_SSH}" \ + TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ + TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \ + TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \ + TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \ + TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \ + TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \ + TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \ + EXEEXT="$(EXEEXT)" \ + $@ + +regressclean: + if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \ + (cd regress && $(MAKE) clean) \ + fi + +survey: survey.sh ssh + @$(SHELL) ./survey.sh > survey + @echo 'The survey results have been placed in the file "survey" in the' + @echo 'current directory. Please review the file then send with' + @echo '"make send-survey".' + +send-survey: survey + mail portable-survey@mindrot.org - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif diff -ruN --exclude CVS ssh-openbsd-2005090100/README openssh-4.2p1/README --- ssh-openbsd-2005090100/README Sat Jul 16 11:30:57 2005 +++ openssh-4.2p1/README Thu Sep 1 00:05:57 2005 @@ -1,25 +1,65 @@ -This release of OpenSSH is for OpenBSD systems only. +See http://www.openssh.com/txt/release-4.2 for the release notes. -Please read - http://www.openssh.com/portable.html -if you want to install OpenSSH on other operating systems. +- A Japanese translation of this document and of the OpenSSH FAQ is +- available at http://www.unixuser.org/~haruyama/security/openssh/index.html +- Thanks to HARUYAMA Seigo -To extract and install this release on your OpenBSD system use: +This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other +Unices. - # cd /usr/src/usr.bin - # tar xvfz .../openssh-x.y.tgz - # cd ssh - # make obj - # make cleandir - # make depend - # make - # make install - # cp ssh_config sshd_config /etc/ssh +OpenSSH is based on the last free version of Tatu Ylonen's sample +implementation with all patent-encumbered algorithms removed (to +external libraries), all known security bugs fixed, new features +reintroduced and many other clean-ups. OpenSSH has been created by +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, +and Dug Song. It has a homepage at http://www.openssh.com/ -OpenSSH is a derivative of the original and free ssh 1.2.12 release -by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels -Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer -features and created OpenSSH. Markus Friedl contributed the support -for SSH protocol versions 1.5 and 2.0. +This port consists of the re-introduction of autoconf support, PAM +support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library +functions that are (regrettably) absent from other unices. This port +has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X, +NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare. -See http://www.openssh.com/ for more information. +This version actively tracks changes in the OpenBSD CVS repository. + +The PAM support is now more functional than the popular packages of +commercial ssh-1.2.x. It checks "account" and "session" modules for +all logins, not just when using password authentication. + +OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5]. + +There is now several mailing lists for this port of OpenSSH. Please +refer to http://www.openssh.com/list.html for details on how to join. + +Please send bug reports and patches to the mailing list +openssh-unix-dev@mindrot.org. The list is open to posting by +unsubscribed users.Code contribution are welcomed, but please follow the +OpenBSD style guidelines[6]. + +Please refer to the INSTALL document for information on how to install +OpenSSH on your system. There are a number of differences between this +port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7] +for details and general tips. + +Damien Miller + +Miscellania - + +This version of OpenSSH is based upon code retrieved from the OpenBSD +CVS repository which in turn was based on the last free sample +implementation released by Tatu Ylonen. + +References - + +[0] http://www.openssh.com/faq.html +[1] http://www.lothar.com/tech/crypto/ +[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html +[3] http://www.gzip.org/zlib/ +[4] http://www.openssl.org/ +[5] http://www.openpam.org + http://www.kernel.org/pub/linux/libs/pam/ + (PAM also is standard on Solaris and HP-UX 11) +[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 +[7] http://www.openssh.com/faq.html + +$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/README.platform openssh-4.2p1/README.platform --- ssh-openbsd-2005090100/README.platform Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/README.platform Sun Feb 20 21:01:49 2005 @@ -0,0 +1,48 @@ +This file contains notes about OpenSSH on specific platforms. + +AIX +--- +As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry +settings, where previously it did not. Because of this, it's possible for +sites that have used OpenSSH's sshd exclusively to have accounts which +have passwords expired longer than the inactive time (ie the "Weeks between +password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired +chuser attribute). + +Accounts in this state must have their passwords reset manually by the +administrator. As a precaution, it is recommended that the administrative +passwords be reset before upgrading from OpenSSH <3.8. + +As of OpenSSH 4.0, configure will attempt to detect if your version +and maintenance level of AIX has a working getaddrinfo, and will use it +if found. This will enable IPv6 support. If for some reason configure +gets it wrong, or if you want to build binaries to work on earlier MLs +than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS +to force the previous IPv4-only behaviour. + +IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5 +IPv6 known broken: 4.3.3ML11 5.1ML4 + +Cygwin +------ +To build on Cygwin, OpenSSH requires the following packages: +gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl, +openssl-devel, zlib, minres, minires-devel. + + +Solaris +------- +If you enable BSM auditing on Solaris, you need to update audit_event(4) +for praudit(1m) to give sensible output. The following line needs to be +added to /etc/security/audit_event: + + 32800:AUE_openssh:OpenSSH login:lo + +The BSM audit event range available for third party TCB applications is +32768 - 65535. Event number 32800 has been choosen for AUE_openssh. +There is no official registry of 3rd party event numbers, so if this +number is already in use on your system, you may change it at build time +by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. + + +$Id: README.platform,v 1.5 2005/02/20 10:01:49 dtucker Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/README.privsep openssh-4.2p1/README.privsep --- ssh-openbsd-2005090100/README.privsep Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/README.privsep Sun Jun 5 09:21:41 2005 @@ -0,0 +1,63 @@ +Privilege separation, or privsep, is method in OpenSSH by which +operations that require root privilege are performed by a separate +privileged monitor process. Its purpose is to prevent privilege +escalation by containing corruption to an unprivileged process. +More information is available at: + http://www.citi.umich.edu/u/provos/ssh/privsep.html + +Privilege separation is now enabled by default; see the +UsePrivilegeSeparation option in sshd_config(5). + +On systems which lack mmap or anonymous (MAP_ANON) memory mapping, +compression must be disabled in order for privilege separation to +function. + +When privsep is enabled, during the pre-authentication phase sshd will +chroot(2) to "/var/empty" and change its privileges to the "sshd" user +and its primary group. sshd is a pseudo-account that should not be +used by other daemons, and must be locked and should contain a +"nologin" or invalid shell. + +You should do something like the following to prepare the privsep +preauth environment: + + # mkdir /var/empty + # chown root:sys /var/empty + # chmod 755 /var/empty + # groupadd sshd + # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd + +/var/empty should not contain any files. + +configure supports the following options to change the default +privsep user and chroot directory: + + --with-privsep-path=xxx Path for privilege separation chroot + --with-privsep-user=user Specify non-privileged user for privilege separation + +Privsep requires operating system support for file descriptor passing. +Compression will be disabled on systems without a working mmap MAP_ANON. + +PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, +HP-UX (including Trusted Mode), Linux, NetBSD and Solaris. + +On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication +part of privsep is supported. Post-authentication privsep is disabled +automatically (so you won't see the additional process mentioned below). + +Note that for a normal interactive login with a shell, enabling privsep +will require 1 additional process per login session. + +Given the following process listing (from HP-UX): + + UID PID PPID C STIME TTY TIME COMMAND + root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 + root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] + stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk@2 + stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash + +process 1005 is the sshd process listening for new connections. +process 6917 is the privileged monitor process, 6919 is the user owned +sshd process and 6921 is the shell process. + +$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/README.smartcard openssh-4.2p1/README.smartcard --- ssh-openbsd-2005090100/README.smartcard Sat Jul 16 11:30:57 2005 +++ openssh-4.2p1/README.smartcard Fri Nov 21 23:48:55 2003 @@ -1,16 +1,16 @@ How to use smartcards with OpenSSH? OpenSSH contains experimental support for authentication using -Cyberflex smartcards and TODOS card readers. To enable this you +Cyberflex smartcards and TODOS card readers, in addition to the cards +with PKCS#15 structure supported by OpenSC. To enable this you need to: -(1) enable SMARTCARD support in OpenSSH: +Using libsectok: - $ vi /usr/src/usr.bin/ssh/Makefile.inc - and uncomment - CFLAGS+= -DSMARTCARD - LDADD+= -lsectok +(1) enable sectok support in OpenSSH: + $ ./configure --with-sectok + (2) If you have used a previous version of ssh with your card, you must remove the old applet and keys. @@ -46,15 +46,7 @@ In spite of the name, this does not generate a key. It just loads an already existing key on to the card. -(5) tell the ssh client to use the card reader: - - $ ssh -I 1 otherhost - -(6) or tell the agent (don't forget to restart) to use the smartcard: - - $ ssh-add -s 1 - -(7) Optional: If you don't want to use a card passphrase, change the +(5) Optional: If you don't want to use a card passphrase, change the acl on the private key file: $ sectok @@ -66,6 +58,34 @@ If you do this, anyone who has access to your card can assume your identity. This is not recommended. + + +Using OpenSC: + +(1) install OpenSC: + + Sources and instructions are available from + http://www.opensc.org/ + +(2) enable OpenSC support in OpenSSH: + + $ ./configure --with-opensc[=/path/to/opensc] [options] + +(3) load a RSA key to the card: + + Not supported yet. + + +Common operations: + +(1) tell the ssh client to use the card reader: + + $ ssh -I 1 otherhost + +(2) or tell the agent (don't forget to restart) to use the smartcard: + + $ ssh-add -s 1 + -markus, Tue Jul 17 23:54:51 CEST 2001 diff -ruN --exclude CVS ssh-openbsd-2005090100/RFC.nroff openssh-4.2p1/RFC.nroff --- ssh-openbsd-2005090100/RFC.nroff Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/RFC.nroff Fri Nov 21 23:48:55 2003 @@ -0,0 +1,1780 @@ +.\" -*- nroff -*- +.\" +.\" $OpenBSD: RFC.nroff,v 1.2 2000/10/16 09:38:44 djm Exp $ +.\" +.pl 10.0i +.po 0 +.ll 7.2i +.lt 7.2i +.nr LL 7.2i +.nr LT 7.2i +.ds LF Ylonen +.ds RF FORMFEED[Page %] +.ds CF +.ds LH Internet-Draft +.ds RH 15 November 1995 +.ds CH SSH (Secure Shell) Remote Login Protocol +.na +.hy 0 +.in 0 +Network Working Group T. Ylonen +Internet-Draft Helsinki University of Technology +draft-ylonen-ssh-protocol-00.txt 15 November 1995 +Expires: 15 May 1996 + +.in 3 + +.ce +The SSH (Secure Shell) Remote Login Protocol + +.ti 0 +Status of This Memo + +This document is an Internet-Draft. Internet-Drafts are working +documents of the Internet Engineering Task Force (IETF), its areas, +and its working groups. Note that other groups may also distribute +working documents as Internet-Drafts. + +Internet-Drafts are draft documents valid for a maximum of six +months and may be updated, replaced, or obsoleted by other docu- +ments at any time. It is inappropriate to use Internet-Drafts as +reference material or to cite them other than as ``work in pro- +gress.'' + +To learn the current status of any Internet-Draft, please check the +``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow +Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), +munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or +ftp.isi.edu (US West Coast). + +The distribution of this memo is unlimited. + +.ti 0 +Introduction + +SSH (Secure Shell) is a program to log into another computer over a +network, to execute commands in a remote machine, and to move files +from one machine to another. It provides strong authentication and +secure communications over insecure networks. Its features include +the following: +.IP o +Closes several security holes (e.g., IP, routing, and DNS spoofing). +New authentication methods: .rhosts together with RSA [RSA] based host +authentication, and pure RSA authentication. +.IP o +All communications are automatically and transparently encrypted. +Encryption is also used to protect integrity. +.IP o +X11 connection forwarding provides secure X11 sessions. +.IP o +Arbitrary TCP/IP ports can be redirected over the encrypted channel +in both directions. +.IP o +Client RSA-authenticates the server machine in the beginning of every +connection to prevent trojan horses (by routing or DNS spoofing) and +man-in-the-middle attacks, and the server RSA-authenticates the client +machine before accepting .rhosts or /etc/hosts.equiv authentication +(to prevent DNS, routing, or IP spoofing). +.IP o +An authentication agent, running in the user's local workstation or +laptop, can be used to hold the user's RSA authentication keys. +.RT + +The goal has been to make the software as easy to use as possible for +ordinary users. The protocol has been designed to be as secure as +possible while making it possible to create implementations that +are easy to use and install. The sample implementation has a number +of convenient features that are not described in this document as they +are not relevant for the protocol. + + +.ti 0 +Overview of the Protocol + +The software consists of a server program running on a server machine, +and a client program running on a client machine (plus a few auxiliary +programs). The machines are connected by an insecure IP [RFC0791] +network (that can be monitored, tampered with, and spoofed by hostile +parties). + +A connection is always initiated by the client side. The server +listens on a specific port waiting for connections. Many clients may +connect to the same server machine. + +The client and the server are connected via a TCP/IP [RFC0793] socket +that is used for bidirectional communication. Other types of +transport can be used but are currently not defined. + +When the client connects the server, the server accepts the connection +and responds by sending back its version identification string. The +client parses the server's identification, and sends its own +identification. The purpose of the identification strings is to +validate that the connection was to the correct port, declare the +protocol version number used, and to declare the software version used +on each side (for debugging purposes). The identification strings are +human-readable. If either side fails to understand or support the +other side's version, it closes the connection. + +After the protocol identification phase, both sides switch to a packet +based binary protocol. The server starts by sending its host key +(every host has an RSA key used to authenticate the host), server key +(an RSA key regenerated every hour), and other information to the +client. The client then generates a 256 bit session key, encrypts it +using both RSA keys (see below for details), and sends the encrypted +session key and selected cipher type to the server. Both sides then +turn on encryption using the selected algorithm and key. The server +sends an encrypted confirmation message to the client. + +The client then authenticates itself using any of a number of +authentication methods. The currently supported authentication +methods are .rhosts or /etc/hosts.equiv authentication (disabled by +default), the same with RSA-based host authentication, RSA +authentication, and password authentication. + +After successful authentication, the client makes a number of requests +to prepare for the session. Typical requests include allocating a +pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting +authentication agent forwarding, and executing the shell or a command. + +When a shell or command is executed, the connection enters interactive +session mode. In this mode, data is passed in both directions, +new forwarded connections may be opened, etc. The interactive session +normally terminates when the server sends the exit status of the +program to the client. + + +The protocol makes several reservations for future extensibility. +First of all, the initial protocol identification messages include the +protocol version number. Second, the first packet by both sides +includes a protocol flags field, which can be used to agree on +extensions in a compatible manner. Third, the authentication and +session preparation phases work so that the client sends requests to +the server, and the server responds with success or failure. If the +client sends a request that the server does not support, the server +simply returns failure for it. This permits compatible addition of +new authentication methods and preparation operations. The +interactive session phase, on the other hand, works asynchronously and +does not permit the use of any extensions (because there is no easy +and reliable way to signal rejection to the other side and problems +would be hard to debug). Any compatible extensions to this phase must +be agreed upon during any of the earlier phases. + +.ti 0 +The Binary Packet Protocol + +After the protocol identification strings, both sides only send +specially formatted packets. The packet layout is as follows: +.IP o +Packet length: 32 bit unsigned integer, coded as four 8-bit bytes, msb +first. Gives the length of the packet, not including the length field +and padding. The maximum length of a packet (not including the length +field and padding) is 262144 bytes. +.IP o +Padding: 1-8 bytes of random data (or zeroes if not encrypting). The +amount of padding is (8 - (length % 8)) bytes (where % stands for the +modulo operator). The rationale for always having some random padding +at the beginning of each packet is to make known plaintext attacks +more difficult. +.IP o +Packet type: 8-bit unsigned byte. The value 255 is reserved for +future extension. +.IP o +Data: binary data bytes, depending on the packet type. The number of +data bytes is the "length" field minus 5. +.IP o +Check bytes: 32-bit crc, four 8-bit bytes, msb first. The crc is the +Cyclic Redundancy Check, with the polynomial 0xedb88320, of the +Padding, Packet type, and Data fields. The crc is computed before +any encryption. +.RT + +The packet, except for the length field, may be encrypted using any of +a number of algorithms. The length of the encrypted part (Padding + +Type + Data + Check) is always a multiple of 8 bytes. Typically the +cipher is used in a chained mode, with all packets chained together as +if it was a single data stream (the length field is never included in +the encryption process). Details of encryption are described below. + +When the session starts, encryption is turned off. Encryption is +enabled after the client has sent the session key. The encryption +algorithm to use is selected by the client. + + +.ti 0 +Packet Compression + +If compression is supported (it is an optional feature, see +SSH_CMSG_REQUEST_COMPRESSION below), the packet type and data fields +of the packet are compressed using the gzip deflate algorithm [GZIP]. +If compression is in effect, the packet length field indicates the +length of the compressed data, plus 4 for the crc. The amount of +padding is computed from the compressed data, so that the amount of +data to be encrypted becomes a multiple of 8 bytes. + +When compressing, the packets (type + data portions) in each direction +are compressed as if they formed a continuous data stream, with only the +current compression block flushed between packets. This corresponds +to the GNU ZLIB library Z_PARTIAL_FLUSH option. The compression +dictionary is not flushed between packets. The two directions are +compressed independently of each other. + + +.ti 0 +Packet Encryption + +The protocol supports several encryption methods. During session +initialization, the server sends a bitmask of all encryption methods +that it supports, and the client selects one of these methods. The +client also generates a 256-bit random session key (32 8-bit bytes) and +sends it to the server. + +The encryption methods supported by the current implementation, and +their codes are: +.TS +center; +l r l. +SSH_CIPHER_NONE 0 No encryption +SSH_CIPHER_IDEA 1 IDEA in CFB mode +SSH_CIPHER_DES 2 DES in CBC mode +SSH_CIPHER_3DES 3 Triple-DES in CBC mode +SSH_CIPHER_TSS 4 An experimental stream cipher +SSH_CIPHER_RC4 5 RC4 +.TE + +All implementations are required to support SSH_CIPHER_DES and +SSH_CIPHER_3DES. Supporting SSH_CIPHER_IDEA, SSH_CIPHER_RC4, and +SSH_CIPHER_NONE is recommended. Support for SSH_CIPHER_TSS is +optional (and it is not described in this document). Other ciphers +may be added at a later time; support for them is optional. + +For encryption, the encrypted portion of the packet is considered a +linear byte stream. The length of the stream is always a multiple of +8. The encrypted portions of consecutive packets (in the same +direction) are encrypted as if they were a continuous buffer (that is, +any initialization vectors are passed from the previous packet to the +next packet). Data in each direction is encrypted independently. +.IP SSH_CIPHER_DES +The key is taken from the first 8 bytes of the session key. The least +significant bit of each byte is ignored. This results in 56 bits of +key data. DES [DES] is used in CBC mode. The iv (initialization vector) is +initialized to all zeroes. +.IP SSH_CIPHER_3DES +The variant of triple-DES used here works as follows: there are three +independent DES-CBC ciphers, with independent initialization vectors. +The data (the whole encrypted data stream) is first encrypted with the +first cipher, then decrypted with the second cipher, and finally +encrypted with the third cipher. All these operations are performed +in CBC mode. + +The key for the first cipher is taken from the first 8 bytes of the +session key; the key for the next cipher from the next 8 bytes, and +the key for the third cipher from the following 8 bytes. All three +initialization vectors are initialized to zero. + +(Note: the variant of 3DES used here differs from some other +descriptions.) +.IP SSH_CIPHER_IDEA +The key is taken from the first 16 bytes of the session key. IDEA +[IDEA] is used in CFB mode. The initialization vector is initialized +to all zeroes. +.IP SSH_CIPHER_TSS +All 32 bytes of the session key are used as the key. + +There is no reference available for the TSS algorithm; it is currently +only documented in the sample implementation source code. The +security of this cipher is unknown (but it is quite fast). The cipher +is basically a stream cipher that uses MD5 as a random number +generator and takes feedback from the data. +.IP SSH_CIPHER_RC4 +The first 16 bytes of the session key are used as the key for the +server to client direction. The remaining 16 bytes are used as the +key for the client to server direction. This gives independent +128-bit keys for each direction. + +This algorithm is the alleged RC4 cipher posted to the Usenet in 1995. +It is widely believed to be equivalent with the original RSADSI RC4 +cipher. This is a very fast algorithm. +.RT + + +.ti 0 +Data Type Encodings + +The Data field of each packet contains data encoded as described in +this section. There may be several data items; each item is coded as +described here, and their representations are concatenated together +(without any alignment or padding). + +Each data type is stored as follows: +.IP "8-bit byte" +The byte is stored directly as a single byte. +.IP "32-bit unsigned integer" +Stored in 4 bytes, msb first. +.IP "Arbitrary length binary string" +First 4 bytes are the length of the string, msb first (not including +the length itself). The following "length" bytes are the string +value. There are no terminating null characters. +.IP "Multiple-precision integer" +First 2 bytes are the number of bits in the integer, msb first (for +example, the value 0x00012345 would have 17 bits). The value zero has +zero bits. It is permissible that the number of bits be larger than the +real number of bits. + +The number of bits is followed by (bits + 7) / 8 bytes of binary data, +msb first, giving the value of the integer. +.RT + + +.ti 0 +TCP/IP Port Number and Other Options + +The server listens for connections on TCP/IP port 22. + +The client may connect the server from any port. However, if the +client wishes to use any form of .rhosts or /etc/hosts.equiv +authentication, it must connect from a privileged port (less than +1024). + +For the IP Type of Service field [RFC0791], it is recommended that +interactive sessions (those having a user terminal or forwarding X11 +connections) use the IPTOS_LOWDELAY, and non-interactive connections +use IPTOS_THROUGHPUT. + +It is recommended that keepalives are used, because otherwise programs +on the server may never notice if the other end of the connection is +rebooted. + + +.ti 0 +Protocol Version Identification + +After the socket is opened, the server sends an identification string, +which is of the form +"SSH-.-\\n", where + and are integers and specify the +protocol version number (not software distribution version). + is server side software version string (max 40 characters); +it is not interpreted by the remote side but may be useful for +debugging. + +The client parses the server's string, and sends a corresponding +string with its own information in response. If the server has lower +version number, and the client contains special code to emulate it, +the client responds with the lower number; otherwise it responds with +its own number. The server then compares the version number the +client sent with its own, and determines whether they can work +together. The server either disconnects, or sends the first packet +using the binary packet protocol and both sides start working +according to the lower of the protocol versions. + +By convention, changes which keep the protocol compatible with +previous versions keep the same major protocol version; changes that +are not compatible increment the major version (which will hopefully +never happen). The version described in this document is 1.3. + +The client will + +.ti 0 +Key Exchange and Server Host Authentication + +The first message sent by the server using the packet protocol is +SSH_SMSG_PUBLIC_KEY. It declares the server's host key, server public +key, supported ciphers, supported authentication methods, and flags +for protocol extensions. It also contains a 64-bit random number +(cookie) that must be returned in the client's reply (to make IP +spoofing more difficult). No encryption is used for this message. + +Both sides compute a session id as follows. The modulus of the server +key is interpreted as a byte string (without explicit length field, +with minimum length able to hold the whole value), most significant +byte first. This string is concatenated with the server host key +interpreted the same way. Additionally, the cookie is concatenated +with this. Both sides compute MD5 of the resulting string. The +resulting 16 bytes (128 bits) are stored by both parties and are +called the session id. + +The client responds with a SSH_CMSG_SESSION_KEY message, which +contains the selected cipher type, a copy of the 64-bit cookie sent by +the server, client's protocol flags, and a session key encrypted +with both the server's host key and server key. No encryption is used +for this message. + +The session key is 32 8-bit bytes (a total of 256 random bits +generated by the client). The client first xors the 16 bytes of the +session id with the first 16 bytes of the session key. The resulting +string is then encrypted using the smaller key (one with smaller +modulus), and the result is then encrypted using the other key. The +number of bits in the public modulus of the two keys must differ by at +least 128 bits. + +At each encryption step, a multiple-precision integer is constructed +from the data to be encrypted as follows (the integer is here +interpreted as a sequence of bytes, msb first; the number of bytes is +the number of bytes needed to represent the modulus). + +The most significant byte (which is only partial as the value must be +less than the public modulus, which is never a power of two) is zero. + +The next byte contains the value 2 (which stands for public-key +encrypted data in the PKCS standard [PKCS#1]). Then, there are +non-zero random bytes to fill any unused space, a zero byte, and the +data to be encrypted in the least significant bytes, the last byte of +the data in the least significant byte. + +This algorithm is used twice. First, it is used to encrypt the 32 +random bytes generated by the client to be used as the session key +(xored by the session id). This value is converted to an integer as +described above, and encrypted with RSA using the key with the smaller +modulus. The resulting integer is converted to a byte stream, msb +first. This byte stream is padded and encrypted identically using the +key with the larger modulus. + +After the client has sent the session key, it starts to use the +selected algorithm and key for decrypting any received packets, and +for encrypting any sent packets. Separate ciphers are used for +different directions (that is, both directions have separate +initialization vectors or other state for the ciphers). + +When the server has received the session key message, and has turned +on encryption, it sends a SSH_SMSG_SUCCESS message to the client. + +The recommended size of the host key is 1024 bits, and 768 bits for +the server key. The minimum size is 512 bits for the smaller key. + + +.ti 0 +Declaring the User Name + +The client then sends a SSH_CMSG_USER message to the server. This +message specifies the user name to log in as. + +The server validates that such a user exists, checks whether +authentication is needed, and responds with either SSH_SMSG_SUCCESS or +SSH_SMSG_FAILURE. SSH_SMSG_SUCCESS indicates that no authentication +is needed for this user (no password), and authentication phase has +now been completed. SSH_SMSG_FAILURE indicates that authentication is +needed (or the user does not exist). + +If the user does not exist, it is recommended that this returns +failure, but the server keeps reading messages from the client, and +responds to any messages (except SSH_MSG_DISCONNECT, SSH_MSG_IGNORE, +and SSH_MSG_DEBUG) with SSH_SMSG_FAILURE. This way the client cannot +be certain whether the user exists. + + +.ti 0 +Authentication Phase + +Provided the server didn't immediately accept the login, an +authentication exchange begins. The client sends messages to the +server requesting different types of authentication in arbitrary order as +many times as desired (however, the server may close the connection +after a timeout). The server always responds with SSH_SMSG_SUCCESS if +it has accepted the authentication, and with SSH_SMSG_FAILURE if it has +denied authentication with the requested method or it does not +recognize the message. Some authentication methods cause an exchange +of further messages before the final result is sent. The +authentication phase ends when the server responds with success. + +The recommended value for the authentication timeout (timeout before +disconnecting if no successful authentication has been made) is 5 +minutes. + +The following authentication methods are currently supported: +.TS +center; +l r l. +SSH_AUTH_RHOSTS 1 .rhosts or /etc/hosts.equiv +SSH_AUTH_RSA 2 pure RSA authentication +SSH_AUTH_PASSWORD 3 password authentication +SSH_AUTH_RHOSTS_RSA 4 .rhosts with RSA host authentication +.TE +.IP SSH_AUTH_RHOSTS + +This is the authentication method used by rlogin and rsh [RFC1282]. + +The client sends SSH_CMSG_AUTH_RHOSTS with the client-side user name +as an argument. + +The server checks whether to permit authentication. On UNIX systems, +this is usually done by checking /etc/hosts.equiv, and .rhosts in the +user's home directory. The connection must come from a privileged +port. + +It is recommended that the server checks that there are no IP options +(such as source routing) specified for the socket before accepting +this type of authentication. The client host name should be +reverse-mapped and then forward mapped to ensure that it has the +proper IP-address. + +This authentication method trusts the remote host (root on the remote +host can pretend to be any other user on that host), the name +services, and partially the network: anyone who can see packets coming +out from the server machine can do IP-spoofing and pretend to be any +machine; however, the protocol prevents blind IP-spoofing (which used +to be possible with rlogin). + +Many sites probably want to disable this authentication method because +of the fundamental insecurity of conventional .rhosts or +/etc/hosts.equiv authentication when faced with spoofing. It is +recommended that this method not be supported by the server by +default. +.IP SSH_AUTH_RHOSTS_RSA + +In addition to conventional .rhosts and hosts.equiv authentication, +this method additionally requires that the client host be +authenticated using RSA. + +The client sends SSH_CMSG_AUTH_RHOSTS_RSA specifying the client-side +user name, and the public host key of the client host. + +The server first checks if normal .rhosts or /etc/hosts.equiv +authentication would be accepted, and if not, responds with +SSH_SMSG_FAILURE. Otherwise, it checks whether it knows the host key +for the client machine (using the same name for the host that was used +for checking the .rhosts and /etc/hosts.equiv files). If it does not +know the RSA key for the client, access is denied and SSH_SMSG_FAILURE +is sent. + +If the server knows the host key of the client machine, it verifies +that the given host key matches that known for the client. If not, +access is denied and SSH_SMSG_FAILURE is sent. + +The server then sends a SSH_SMSG_AUTH_RSA_CHALLENGE message containing +an encrypted challenge for the client. The challenge is 32 8-bit +random bytes (256 bits). When encrypted, the highest (partial) byte +is left as zero, the next byte contains the value 2, the following are +non-zero random bytes, followed by a zero byte, and the challenge put +in the remaining bytes. This is then encrypted using RSA with the +client host's public key. (The padding and encryption algorithm is +the same as that used for the session key.) + +The client decrypts the challenge using its private host key, +concatenates this with the session id, and computes an MD5 checksum +of the resulting 48 bytes. The MD5 output is returned as 16 bytes in +a SSH_CMSG_AUTH_RSA_RESPONSE message. (MD5 is used to deter chosen +plaintext attacks against RSA; the session id binds it to a specific +session). + +The server verifies that the MD5 of the decrypted challenge returned by +the client matches that of the original value, and sends SSH_SMSG_SUCCESS if +so. Otherwise it sends SSH_SMSG_FAILURE and refuses the +authentication attempt. + +This authentication method trusts the client side machine in that root +on that machine can pretend to be any user on that machine. +Additionally, it trusts the client host key. The name and/or IP +address of the client host is only used to select the public host key. +The same host name is used when scanning .rhosts or /etc/hosts.equiv +and when selecting the host key. It would in principle be possible to +eliminate the host name entirely and substitute it directly by the +host key. IP and/or DNS [RFC1034] spoofing can only be used +to pretend to be a host for which the attacker has the private host +key. +.IP SSH_AUTH_RSA + +The idea behind RSA authentication is that the server recognizes the +public key offered by the client, generates a random challenge, and +encrypts the challenge with the public key. The client must then +prove that it has the corresponding private key by decrypting the +challenge. + +The client sends SSH_CMSG_AUTH_RSA with public key modulus (n) as an +argument. + +The server may respond immediately with SSH_SMSG_FAILURE if it does +not permit authentication with this key. Otherwise it generates a +challenge, encrypts it using the user's public key (stored on the +server and identified using the modulus), and sends +SSH_SMSG_AUTH_RSA_CHALLENGE with the challenge (mp-int) as an +argument. + +The challenge is 32 8-bit random bytes (256 bits). When encrypted, +the highest (partial) byte is left as zero, the next byte contains the +value 2, the following are non-zero random bytes, followed by a zero +byte, and the challenge put in the remaining bytes. This is then +encrypted with the public key. (The padding and encryption algorithm +is the same as that used for the session key.) + +The client decrypts the challenge using its private key, concatenates +it with the session id, and computes an MD5 checksum of the resulting +48 bytes. The MD5 output is returned as 16 bytes in a +SSH_CMSG_AUTH_RSA_RESPONSE message. (Note that the MD5 is necessary +to avoid chosen plaintext attacks against RSA; the session id binds it +to a specific session.) + +The server verifies that the MD5 of the decrypted challenge returned +by the client matches that of the original value, and sends +SSH_SMSG_SUCCESS if so. Otherwise it sends SSH_SMSG_FAILURE and +refuses the authentication attempt. + +This authentication method does not trust the remote host, the +network, name services, or anything else. Authentication is based +solely on the possession of the private identification keys. Anyone +in possession of the private keys can log in, but nobody else. + +The server may have additional requirements for a successful +authentiation. For example, to limit damage due to a compromised RSA +key, a server might restrict access to a limited set of hosts. +.IP SSH_AUTH_PASSWORD + +The client sends a SSH_CMSG_AUTH_PASSWORD message with the plain text +password. (Note that even though the password is plain text inside +the message, it is normally encrypted by the packet mechanism.) + +The server verifies the password, and sends SSH_SMSG_SUCCESS if +authentication was accepted and SSH_SMSG_FAILURE otherwise. + +Note that the password is read from the user by the client; the user +never interacts with a login program. + +This authentication method does not trust the remote host, the +network, name services or anything else. Authentication is based +solely on the possession of the password. Anyone in possession of the +password can log in, but nobody else. +.RT + +.ti 0 +Preparatory Operations + +After successful authentication, the server waits for a request from +the client, processes the request, and responds with SSH_SMSG_SUCCESS +whenever a request has been successfully processed. If it receives a +message that it does not recognize or it fails to honor a request, it +returns SSH_SMSG_FAILURE. It is expected that new message types might +be added to this phase in future. + +The following messages are currently defined for this phase. +.IP SSH_CMSG_REQUEST_COMPRESSION +Requests that compression be enabled for this session. A +gzip-compatible compression level (1-9) is passed as an argument. +.IP SSH_CMSG_REQUEST_PTY +Requests that a pseudo terminal device be allocated for this session. +The user terminal type and terminal modes are supplied as arguments. +.IP SSH_CMSG_X11_REQUEST_FORWARDING +Requests forwarding of X11 connections from the remote machine to the +local machine over the secure channel. Causes an internet-domain +socket to be allocated and the DISPLAY variable to be set on the server. +X11 authentication data is automatically passed to the server, and the +client may implement spoofing of authentication data for added +security. The authentication data is passed as arguments. +.IP SSH_CMSG_PORT_FORWARD_REQUEST +Requests forwarding of a TCP/IP port on the server host over the +secure channel. What happens is that whenever a connection is made to +the port on the server, a connection will be made from the client end +to the specified host/port. Any user can forward unprivileged ports; +only the root can forward privileged ports (as determined by +authentication done earlier). +.IP SSH_CMSG_AGENT_REQUEST_FORWARDING +Requests forwarding of the connection to the authentication agent. +.IP SSH_CMSG_EXEC_SHELL +Starts a shell (command interpreter) for the user, and moves into +interactive session mode. +.IP SSH_CMSG_EXEC_CMD +Executes the given command (actually " -c " or +equivalent) for the user, and moves into interactive session mode. +.RT + + +.ti 0 +Interactive Session and Exchange of Data + +During the interactive session, any data written by the shell or +command running on the server machine is forwarded to stdin or +stderr on the client machine, and any input available from stdin on +the client machine is forwarded to the program on the server machine. + +All exchange is asynchronous; either side can send at any time, and +there are no acknowledgements (TCP/IP already provides reliable +transport, and the packet protocol protects against tampering or IP +spoofing). + +When the client receives EOF from its standard input, it will send +SSH_CMSG_EOF; however, this in no way terminates the exchange. The +exchange terminates and interactive mode is left when the server sends +SSH_SMSG_EXITSTATUS to indicate that the client program has +terminated. Alternatively, either side may disconnect at any time by +sending SSH_MSG_DISCONNECT or closing the connection. + +The server may send any of the following messages: +.IP SSH_SMSG_STDOUT_DATA +Data written to stdout by the program running on the server. The data +is passed as a string argument. The client writes this data to +stdout. +.IP SSH_SMSG_STDERR_DATA +Data written to stderr by the program running on the server. The data +is passed as a string argument. The client writes this data to +stderr. (Note that if the program is running on a tty, it is not +possible to separate stdout and stderr data, and all data will be sent +as stdout data.) +.IP SSH_SMSG_EXITSTATUS +Indicates that the shell or command has exited. Exit status is passed +as an integer argument. This message causes termination of the +interactive session. +.IP SSH_SMSG_AGENT_OPEN +Indicates that someone on the server side is requesting a connection +to the authentication agent. The server-side channel number is passed +as an argument. The client must respond with either +SSH_CHANNEL_OPEN_CONFIRMATION or SSH_CHANNEL_OPEN_FAILURE. +.IP SSH_SMSG_X11_OPEN +Indicates that a connection has been made to the X11 socket on the +server side and should be forwarded to the real X server. An integer +argument indicates the channel number allocated for this connection on +the server side. The client should send back either +SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with +the same server side channel number. +.IP SSH_MSG_PORT_OPEN +Indicates that a connection has been made to a port on the server side +for which forwarding has been requested. Arguments are server side +channel number, host name to connect to, and port to connect to. The +client should send back either +SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with +the same server side channel number. +.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION +This is sent by the server to indicate that it has opened a connection +as requested in a previous message. The first argument indicates the +client side channel number, and the second argument is the channel number +that the server has allocated for this connection. +.IP SSH_MSG_CHANNEL_OPEN_FAILURE +This is sent by the server to indicate that it failed to open a +connection as requested in a previous message. The client-side +channel number is passed as an argument. The client will close the +descriptor associated with the channel and free the channel. +.IP SSH_MSG_CHANNEL_DATA +This packet contains data for a channel from the server. The first +argument is the client-side channel number, and the second argument (a +string) is the data. +.IP SSH_MSG_CHANNEL_CLOSE +This is sent by the server to indicate that whoever was in the other +end of the channel has closed it. The argument is the client side channel +number. The client will let all buffered data in the channel to +drain, and when ready, will close the socket, free the channel, and +send the server a SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the +channel. +.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION +This is send by the server to indicate that a channel previously +closed by the client has now been closed on the server side as well. +The argument indicates the client channel number. The client frees +the channel. +.RT + +The client may send any of the following messages: +.IP SSH_CMSG_STDIN_DATA +This is data to be sent as input to the program running on the server. +The data is passed as a string. +.IP SSH_CMSG_EOF +Indicates that the client has encountered EOF while reading standard +input. The server will allow any buffered input data to drain, and +will then close the input to the program. +.IP SSH_CMSG_WINDOW_SIZE +Indicates that window size on the client has been changed. The server +updates the window size of the tty and causes SIGWINCH to be sent to +the program. The new window size is passed as four integer arguments: +row, col, xpixel, ypixel. +.IP SSH_MSG_PORT_OPEN +Indicates that a connection has been made to a port on the client side +for which forwarding has been requested. Arguments are client side +channel number, host name to connect to, and port to connect to. The +server should send back either SSH_MSG_CHANNEL_OPEN_CONFIRMATION or +SSH_MSG_CHANNEL_OPEN_FAILURE with the same client side channel number. +.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION +This is sent by the client to indicate that it has opened a connection +as requested in a previous message. The first argument indicates the +server side channel number, and the second argument is the channel +number that the client has allocated for this connection. +.IP SSH_MSG_CHANNEL_OPEN_FAILURE +This is sent by the client to indicate that it failed to open a +connection as requested in a previous message. The server side +channel number is passed as an argument. The server will close the +descriptor associated with the channel and free the channel. +.IP SSH_MSG_CHANNEL_DATA +This packet contains data for a channel from the client. The first +argument is the server side channel number, and the second argument (a +string) is the data. +.IP SSH_MSG_CHANNEL_CLOSE +This is sent by the client to indicate that whoever was in the other +end of the channel has closed it. The argument is the server channel +number. The server will allow buffered data to drain, and when ready, +will close the socket, free the channel, and send the client a +SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the channel. +.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION +This is send by the client to indicate that a channel previously +closed by the server has now been closed on the client side as well. +The argument indicates the server channel number. The server frees +the channel. +.RT + +Any unsupported messages during interactive mode cause the connection +to be terminated with SSH_MSG_DISCONNECT and an error message. +Compatible protocol upgrades should agree about any extensions during +the preparation phase or earlier. + + +.ti 0 +Termination of the Connection + +Normal termination of the connection is always initiated by the server +by sending SSH_SMSG_EXITSTATUS after the program has exited. The +client responds to this message by sending SSH_CMSG_EXIT_CONFIRMATION +and closes the socket; the server then closes the socket. There are +two purposes for the confirmation: some systems may lose previously +sent data when the socket is closed, and closing the client side first +causes any TCP/IP TIME_WAIT [RFC0793] waits to occur on the client side, not +consuming server resources. + +If the program terminates due to a signal, the server will send +SSH_MSG_DISCONNECT with an appropriate message. If the connection is +closed, all file descriptors to the program will be closed and the +server will exit. If the program runs on a tty, the kernel sends it +the SIGHUP signal when the pty master side is closed. + +.ti 0 +Protocol Flags + +Both the server and the client pass 32 bits of protocol flags to the +other side. The flags are intended for compatible protocol extension; +the server first announces which added capabilities it supports, and +the client then sends the capabilities that it supports. + +The following flags are currently defined (the values are bit masks): +.IP "1 SSH_PROTOFLAG_SCREEN_NUMBER" +This flag can only be sent by the client. It indicates that the X11 +forwarding requests it sends will include the screen number. +.IP "2 SSH_PROTOFLAG_HOST_IN_FWD_OPEN" +If both sides specify this flag, SSH_SMSG_X11_OPEN and +SSH_MSG_PORT_OPEN messages will contain an additional field containing +a description of the host at the other end of the connection. +.RT + +.ti 0 +Detailed Description of Packet Types and Formats + +The supported packet types and the corresponding message numbers are +given in the following table. Messages with _MSG_ in their name may +be sent by either side. Messages with _CMSG_ are only sent by the +client, and messages with _SMSG_ only by the server. + +A packet may contain additional data after the arguments specified +below. Any such data should be ignored by the receiver. However, it +is recommended that no such data be stored without good reason. (This +helps build compatible extensions.) +.IP "0 SSH_MSG_NONE" +This code is reserved. This message type is never sent. +.IP "1 SSH_MSG_DISCONNECT" +.TS +; +l l. +string Cause of disconnection +.TE +This message may be sent by either party at any time. It causes the +immediate disconnection of the connection. The message is intended to +be displayed to a human, and describes the reason for disconnection. +.IP "2 SSH_SMSG_PUBLIC_KEY" +.TS +; +l l. +8 bytes anti_spoofing_cookie +32-bit int server_key_bits +mp-int server_key_public_exponent +mp-int server_key_public_modulus +32-bit int host_key_bits +mp-int host_key_public_exponent +mp-int host_key_public_modulus +32-bit int protocol_flags +32-bit int supported_ciphers_mask +32-bit int supported_authentications_mask +.TE +Sent as the first message by the server. This message gives the +server's host key, server key, protocol flags (intended for compatible +protocol extension), supported_ciphers_mask (which is the +bitwise or of (1 << cipher_number), where << is the left shift +operator, for all supported ciphers), and +supported_authentications_mask (which is the bitwise or of (1 << +authentication_type) for all supported authentication types). The +anti_spoofing_cookie is 64 random bytes, and must be sent back +verbatim by the client in its reply. It is used to make IP-spoofing +more difficult (encryption and host keys are the real defense against +spoofing). +.IP "3 SSH_CMSG_SESSION_KEY" +.TS +; +l l. +1 byte cipher_type (must be one of the supported values) +8 bytes anti_spoofing_cookie (must match data sent by the server) +mp-int double-encrypted session key +32-bit int protocol_flags +.TE +Sent by the client as the first message in the session. Selects the +cipher to use, and sends the encrypted session key to the server. The +anti_spoofing_cookie must be the same bytes that were sent by the +server. Protocol_flags is intended for negotiating compatible +protocol extensions. +.IP "4 SSH_CMSG_USER" +.TS +; +l l. +string user login name on server +.TE +Sent by the client to begin authentication. Specifies the user name +on the server to log in as. The server responds with SSH_SMSG_SUCCESS +if no authentication is needed for this user, or SSH_SMSG_FAILURE if +authentication is needed (or the user does not exist). [Note to the +implementator: the user name is of arbitrary size. The implementation +must be careful not to overflow internal buffers.] +.IP "5 SSH_CMSG_AUTH_RHOSTS" +.TS +; +l l. +string client-side user name +.TE +Requests authentication using /etc/hosts.equiv and .rhosts (or +equivalent mechanisms). This authentication method is normally +disabled in the server because it is not secure (but this is the +method used by rsh and rlogin). The server responds with +SSH_SMSG_SUCCESS if authentication was successful, and +SSH_SMSG_FAILURE if access was not granted. The server should check +that the client side port number is less than 1024 (a privileged +port), and immediately reject authentication if it is not. Supporting +this authentication method is optional. This method should normally +not be enabled in the server because it is not safe. (However, not +enabling this only helps if rlogind and rshd are disabled.) +.IP "6 SSH_CMSG_AUTH_RSA" +.TS +; +l l. +mp-int identity_public_modulus +.TE +Requests authentication using pure RSA authentication. The server +checks if the given key is permitted to log in, and if so, responds +with SSH_SMSG_AUTH_RSA_CHALLENGE. Otherwise, it responds with +SSH_SMSG_FAILURE. The client often tries several different keys in +sequence until one supported by the server is found. Authentication +is accepted if the client gives the correct response to the challenge. +The server is free to add other criteria for authentication, such as a +requirement that the connection must come from a certain host. Such +additions are not visible at the protocol level. Supporting this +authentication method is optional but recommended. +.IP "7 SSH_SMSG_AUTH_RSA_CHALLENGE" +.TS +; +l l. +mp-int encrypted challenge +.TE +Presents an RSA authentication challenge to the client. The challenge +is a 256-bit random value encrypted as described elsewhere in this +document. The client must decrypt the challenge using the RSA private +key, compute MD5 of the challenge plus session id, and send back the +resulting 16 bytes using SSH_CMSG_AUTH_RSA_RESPONSE. +.IP "8 SSH_CMSG_AUTH_RSA_RESPONSE" +.TS +; +l l. +16 bytes MD5 of decrypted challenge +.TE +This message is sent by the client in response to an RSA challenge. +The MD5 checksum is returned instead of the decrypted challenge to +deter known-plaintext attacks against the RSA key. The server +responds to this message with either SSH_SMSG_SUCCESS or +SSH_SMSG_FAILURE. +.IP "9 SSH_CMSG_AUTH_PASSWORD" +.TS +; +l l. +string plain text password +.TE +Requests password authentication using the given password. Note that +even though the password is plain text inside the packet, the whole +packet is normally encrypted by the packet layer. It would not be +possible for the client to perform password encryption/hashing, +because it cannot know which kind of encryption/hashing, if any, the +server uses. The server responds to this message with +SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE. +.IP "10 SSH_CMSG_REQUEST_PTY" +.TS +; +l l. +string TERM environment variable value (e.g. vt100) +32-bit int terminal height, rows (e.g., 24) +32-bit int terminal width, columns (e.g., 80) +32-bit int terminal width, pixels (0 if no graphics) (e.g., 480) +32-bit int terminal height, pixels (0 if no graphics) (e.g., 640) +n bytes tty modes encoded in binary +.TE +Requests a pseudo-terminal to be allocated for this command. This +message can be used regardless of whether the session will later +execute the shell or a command. If a pty has been requested with this +message, the shell or command will run on a pty. Otherwise it will +communicate with the server using pipes, sockets or some other similar +mechanism. + +The terminal type gives the type of the user's terminal. In the UNIX +environment it is passed to the shell or command in the TERM +environment variable. + +The width and height values give the initial size of the user's +terminal or window. All values can be zero if not supported by the +operating system. The server will pass these values to the kernel if +supported. + +Terminal modes are encoded into a byte stream in a portable format. +The exact format is described later in this document. + +The server responds to the request with either SSH_SMSG_SUCCESS or +SSH_SMSG_FAILURE. If the server does not have the concept of pseudo +terminals, it should return success if it is possible to execute a +shell or a command so that it looks to the client as if it was running +on a pseudo terminal. +.IP "11 SSH_CMSG_WINDOW_SIZE" +.TS +; +l l. +32-bit int terminal height, rows +32-bit int terminal width, columns +32-bit int terminal width, pixels +32-bit int terminal height, pixels +.TE +This message can only be sent by the client during the interactive +session. This indicates that the size of the user's window has +changed, and provides the new size. The server will update the +kernel's notion of the window size, and a SIGWINCH signal or +equivalent will be sent to the shell or command (if supported by the +operating system). +.IP "12 SSH_CMSG_EXEC_SHELL" + +(no arguments) + +Starts a shell (command interpreter), and enters interactive session +mode. +.IP "13 SSH_CMSG_EXEC_CMD" +.TS +; +l l. +string command to execute +.TE +Starts executing the given command, and enters interactive session +mode. On UNIX, the command is run as " -c ", where + is the user's login shell. +.IP "14 SSH_SMSG_SUCCESS" + +(no arguments) + +This message is sent by the server in response to the session key, a +successful authentication request, and a successfully completed +preparatory operation. +.IP "15 SSH_SMSG_FAILURE" + +(no arguments) + +This message is sent by the server in response to a failed +authentication operation to indicate that the user has not yet been +successfully authenticated, and in response to a failed preparatory +operation. This is also sent in response to an authentication or +preparatory operation request that is not recognized or supported. +.IP "16 SSH_CMSG_STDIN_DATA" +.TS +; +l l. +string data +.TE +Delivers data from the client to be supplied as input to the shell or +program running on the server side. This message can only be used in +the interactive session mode. No acknowledgement is sent for this +message. +.IP "17 SSH_SMSG_STDOUT_DATA" +.TS +; +l l. +string data +.TE +Delivers data from the server that was read from the standard output of +the shell or program running on the server side. This message can +only be used in the interactive session mode. No acknowledgement is +sent for this message. +.IP "18 SSH_SMSG_STDERR_DATA" +.TS +; +l l. +string data +.TE +Delivers data from the server that was read from the standard error of +the shell or program running on the server side. This message can +only be used in the interactive session mode. No acknowledgement is +sent for this message. +.IP "19 SSH_CMSG_EOF" + +(no arguments) + +This message is sent by the client to indicate that EOF has been +reached on the input. Upon receiving this message, and after all +buffered input data has been sent to the shell or program, the server +will close the input file descriptor to the program. This message can +only be used in the interactive session mode. No acknowledgement is +sent for this message. +.IP "20 SSH_SMSG_EXITSTATUS" +.TS +; +l l. +32-bit int exit status of the command +.TE +Returns the exit status of the shell or program after it has exited. +The client should respond with SSH_CMSG_EXIT_CONFIRMATION when it has +received this message. This will be the last message sent by the +server. If the program being executed dies with a signal instead of +exiting normally, the server should terminate the session with +SSH_MSG_DISCONNECT (which can be used to pass a human-readable string +indicating that the program died due to a signal) instead of using +this message. +.IP "21 SSH_MSG_CHANNEL_OPEN_CONFIRMATION" +.TS +; +l l. +32-bit int remote_channel +32-bit int local_channel +.TE +This is sent in response to any channel open request if the channel +has been successfully opened. Remote_channel is the channel number +received in the initial open request; local_channel is the channel +number the side sending this message has allocated for the channel. +Data can be transmitted on the channel after this message. +.IP "22 SSH_MSG_CHANNEL_OPEN_FAILURE" +.TS +; +l l. +32-bit int remote_channel +.TE +This message indicates that an earlier channel open request by the +other side has failed or has been denied. Remote_channel is the +channel number given in the original request. +.IP "23 SSH_MSG_CHANNEL_DATA" +.TS +; +l l. +32-bit int remote_channel +string data +.TE +Data is transmitted in a channel in these messages. A channel is +bidirectional, and both sides can send these messages. There is no +acknowledgement for these messages. It is possible that either side +receives these messages after it has sent SSH_MSG_CHANNEL_CLOSE for +the channel. These messages cannot be received after the party has +sent or received SSH_MSG_CHANNEL_CLOSE_CONFIRMATION. +.IP "24 SSH_MSG_CHANNEL_CLOSE" +.TS +; +l l. +32-bit int remote_channel +.TE +When a channel is closed at one end of the connection, that side sends +this message. Upon receiving this message, the channel should be +closed. When this message is received, if the channel is already +closed (the receiving side has sent this message for the same channel +earlier), the channel is freed and no further action is taken; +otherwise the channel is freed and SSH_MSG_CHANNEL_CLOSE_CONFIRMATION +is sent in response. (It is possible that the channel is closed +simultaneously at both ends.) +.IP "25 SSH_MSG_CHANNEL_CLOSE_CONFIRMATION" +.TS +; +l l. +32-bit int remote_channel +.TE +This message is sent in response to SSH_MSG_CHANNEL_CLOSE unless the +channel was already closed. When this message is sent or received, +the channel is freed. +.IP "26 (OBSOLETED; was unix-domain X11 forwarding) +.IP "27 SSH_SMSG_X11_OPEN" +.TS +; +l l. +32-bit int local_channel +string originator_string (see below) +.TE +This message can be sent by the server during the interactive session +mode to indicate that a client has connected the fake X server. +Local_channel is the channel number that the server has allocated for +the connection. The client should try to open a connection to the +real X server, and respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or +SSH_MSG_CHANNEL_OPEN_FAILURE. + +The field originator_string is present if both sides +specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags. It +contains a description of the host originating the connection. +.IP "28 SSH_CMSG_PORT_FORWARD_REQUEST" +.TS +; +l l. +32-bit int server_port +string host_to_connect +32-bit int port_to_connect +.TE +Sent by the client in the preparatory phase, this message requests +that server_port on the server machine be forwarded over the secure +channel to the client machine, and from there to the specified host +and port. The server should start listening on the port, and send +SSH_MSG_PORT_OPEN whenever a connection is made to it. Supporting +this message is optional, and the server is free to reject any forward +request. For example, it is highly recommended that unless the user +has been authenticated as root, forwarding any privileged port numbers +(below 1024) is denied. +.IP "29 SSH_MSG_PORT_OPEN" +.TS +; +l l. +32-bit int local_channel +string host_name +32-bit int port +string originator_string (see below) +.TE +Sent by either party in interactive session mode, this message +indicates that a connection has been opened to a forwarded TCP/IP +port. Local_channel is the channel number that the sending party has +allocated for the connection. Host_name is the host the connection +should be be forwarded to, and the port is the port on that host to +connect. The receiving party should open the connection, and respond +with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or +SSH_MSG_CHANNEL_OPEN_FAILURE. It is recommended that the receiving +side check the host_name and port for validity to avoid compromising +local security by compromised remote side software. Particularly, it +is recommended that the client permit connections only to those ports +for which it has requested forwarding with SSH_CMSG_PORT_FORWARD_REQUEST. + +The field originator_string is present if both sides +specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags. It +contains a description of the host originating the connection. +.IP "30 SSH_CMSG_AGENT_REQUEST_FORWARDING" + +(no arguments) + +Requests that the connection to the authentication agent be forwarded +over the secure channel. The method used by clients to contact the +authentication agent within each machine is implementation and machine +dependent. If the server accepts this request, it should arrange that +any clients run from this session will actually contact the server +program when they try to contact the authentication agent. The server +should then send a SSH_SMSG_AGENT_OPEN to open a channel to the agent, +and the client should forward the connection to the real +authentication agent. Supporting this message is optional. +.IP "31 SSH_SMSG_AGENT_OPEN" +.TS +; +l l. +32-bit int local_channel +.TE +Sent by the server in interactive session mode, this message requests +opening a channel to the authentication agent. The client should open +a channel, and respond with either SSH_MSG_CHANNEL_OPEN_CONFIRMATION +or SSH_MSG_CHANNEL_OPEN_FAILURE. +.IP "32 SSH_MSG_IGNORE" +.TS +; +l l. +string data +.TE +Either party may send this message at any time. This message, and the +argument string, is silently ignored. This message might be used in +some implementations to make traffic analysis more difficult. This +message is not currently sent by the implementation, but all +implementations are required to recognize and ignore it. +.IP "33 SSH_CMSG_EXIT_CONFIRMATION" + +(no arguments) + +Sent by the client in response to SSH_SMSG_EXITSTATUS. This is the +last message sent by the client. +.IP "34 SSH_CMSG_X11_REQUEST_FORWARDING" +.TS +; +l l. +string x11_authentication_protocol +string x11_authentication_data +32-bit int screen number (if SSH_PROTOFLAG_SCREEN_NUMBER) +.TE +Sent by the client during the preparatory phase, this message requests +that the server create a fake X11 display and set the DISPLAY +environment variable accordingly. An internet-domain display is +preferable. The given authentication protocol and the associated data +should be recorded by the server so that it is used as authentication +on connections (e.g., in .Xauthority). The authentication protocol +must be one of the supported X11 authentication protocols, e.g., +"MIT-MAGIC-COOKIE-1". Authentication data must be a lowercase hex +string of even length. Its interpretation is protocol dependent. +The data is in a format that can be used with e.g. the xauth program. +Supporting this message is optional. + +The client is permitted (and recommended) to generate fake +authentication information and send fake information to the server. +This way, a corrupt server will not have access to the user's terminal +after the connection has terminated. The correct authorization codes +will also not be left hanging around in files on the server (many +users keep the same X session for months, thus protecting the +authorization data becomes important). + +X11 authentication spoofing works by initially sending fake (random) +authentication data to the server, and interpreting the first packet +sent by the X11 client after the connection has been opened. The +first packet contains the client's authentication. If the packet +contains the correct fake data, it is replaced by the client by the +correct authentication data, and then sent to the X server. +.IP "35 SSH_CMSG_AUTH_RHOSTS_RSA" +.TS +; +l l. +string clint-side user name +32-bit int client_host_key_bits +mp-int client_host_key_public_exponent +mp-int client_host_key_public_modulus +.TE +Requests authentication using /etc/hosts.equiv and .rhosts (or +equivalent) together with RSA host authentication. The server should +check that the client side port number is less than 1024 (a privileged +port), and immediately reject authentication if it is not. The server +responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_RSA_CHALLENGE. The +client must respond to the challenge with the proper +SSH_CMSG_AUTH_RSA_RESPONSE. The server then responds with success if +access was granted, or failure if the client gave a wrong response. +Supporting this authentication method is optional but recommended in +most environments. +.IP "36 SSH_MSG_DEBUG" +.TS +; +l l. +string debugging message sent to the other side +.TE +This message may be sent by either party at any time. It is used to +send debugging messages that may be informative to the user in +solving various problems. For example, if authentication fails +because of some configuration error (e.g., incorrect permissions for +some file), it can be very helpful for the user to make the cause of +failure available. On the other hand, one should not make too much +information available for security reasons. It is recommended that +the client provides an option to display the debugging information +sent by the sender (the user probably does not want to see it by default). +The server can log debugging data sent by the client (if any). Either +party is free to ignore any received debugging data. Every +implementation must be able to receive this message, but no +implementation is required to send these. +.IP "37 SSH_CMSG_REQUEST_COMPRESSION" +.TS +; +l l. +32-bit int gzip compression level (1-9) +.TE +This message can be sent by the client in the preparatory operations +phase. The server responds with SSH_SMSG_FAILURE if it does not +support compression or does not want to compress; it responds with +SSH_SMSG_SUCCESS if it accepted the compression request. In the +latter case the response to this packet will still be uncompressed, +but all further packets in either direction will be compressed by gzip. +.RT + + +.ti 0 +Encoding of Terminal Modes + +Terminal modes (as passed in SSH_CMSG_REQUEST_PTY) are encoded into a +byte stream. It is intended that the coding be portable across +different environments. + +The tty mode description is a stream of bytes. The stream consists of +opcode-argument pairs. It is terminated by opcode TTY_OP_END (0). +Opcodes 1-127 have one-byte arguments. Opcodes 128-159 have 32-bit +integer arguments (stored msb first). Opcodes 160-255 are not yet +defined, and cause parsing to stop (they should only be used after any +other data). + +The client puts in the stream any modes it knows about, and the server +ignores any modes it does not know about. This allows some degree of +machine-independence, at least between systems that use a POSIX-like +[POSIX] tty interface. The protocol can support other systems as +well, but the client may need to fill reasonable values for a number +of parameters so the server pty gets set to a reasonable mode (the +server leaves all unspecified mode bits in their default values, and +only some combinations make sense). + +The following opcodes have been defined. The naming of opcodes mostly +follows the POSIX terminal mode flags. +.IP "0 TTY_OP_END" +Indicates end of options. +.IP "1 VINTR" +Interrupt character; 255 if none. Similarly for the other characters. +Not all of these characters are supported on all systems. +.IP "2 VQUIT" +The quit character (sends SIGQUIT signal on UNIX systems). +.IP "3 VERASE" +Erase the character to left of the cursor. +.IP "4 VKILL" +Kill the current input line. +.IP "5 VEOF " +End-of-file character (sends EOF from the terminal). +.IP "6 VEOL " +End-of-line character in addition to carriage return and/or linefeed. +.IP "7 VEOL2" +Additional end-of-line character. +.IP "8 VSTART" +Continues paused output (normally ^Q). +.IP "9 VSTOP" +Pauses output (^S). +.IP "10 VSUSP" +Suspends the current program. +.IP "11 VDSUSP" +Another suspend character. +.IP "12 VREPRINT" +Reprints the current input line. +.IP "13 VWERASE" +Erases a word left of cursor. +.IP "14 VLNEXT" +More special input characters; these are probably not supported on +most systems. +.IP "15 VFLUSH" +.IP "16 VSWTCH" +.IP "17 VSTATUS" +.IP "18 VDISCARD" + +.IP "30 IGNPAR" +The ignore parity flag. The next byte should be 0 if this flag is not +set, and 1 if it is set. +.IP "31 PARMRK" +More flags. The exact definitions can be found in the POSIX standard. +.IP "32 INPCK" +.IP "33 ISTRIP" +.IP "34 INLCR" +.IP "35 IGNCR" +.IP "36 ICRNL" +.IP "37 IUCLC" +.IP "38 IXON" +.IP "39 IXANY" +.IP "40 IXOFF" +.IP "41 IMAXBEL" + +.IP "50 ISIG" +.IP "51 ICANON" +.IP "52 XCASE" +.IP "53 ECHO" +.IP "54 ECHOE" +.IP "55 ECHOK" +.IP "56 ECHONL" +.IP "57 NOFLSH" +.IP "58 TOSTOP" +.IP "59 IEXTEN" +.IP "60 ECHOCTL" +.IP "61 ECHOKE" +.IP "62 PENDIN" + +.IP "70 OPOST" +.IP "71 OLCUC" +.IP "72 ONLCR" +.IP "73 OCRNL" +.IP "74 ONOCR" +.IP "75 ONLRET" + +.IP "90 CS7" +.IP "91 CS8" +.IP "92 PARENB" +.IP "93 PARODD" + +.IP "192 TTY_OP_ISPEED" +Specifies the input baud rate in bits per second. +.IP "193 TTY_OP_OSPEED" +Specifies the output baud rate in bits per second. +.RT + + +.ti 0 +The Authentication Agent Protocol + +The authentication agent is a program that can be used to hold RSA +authentication keys for the user (in future, it might hold data for +other authentication types as well). An authorized program can send +requests to the agent to generate a proper response to an RSA +challenge. How the connection is made to the agent (or its +representative) inside a host and how access control is done inside a +host is implementation-dependent; however, how it is forwarded and how +one interacts with it is specified in this protocol. The connection +to the agent is normally automatically forwarded over the secure +channel. + +A program that wishes to use the agent first opens a connection to its +local representative (typically, the agent itself or an SSH server). +It then writes a request to the connection, and waits for response. +It is recommended that at least five minutes of timeout are provided +waiting for the agent to respond to an authentication challenge (this +gives sufficient time for the user to cut-and-paste the challenge to a +separate machine, perform the computation there, and cut-and-paste the +result back if so desired). + +Messages sent to and by the agent are in the following format: +.TS +; +l l. +4 bytes Length, msb first. Does not include length itself. +1 byte Packet type. The value 255 is reserved for future extensions. +data Any data, depending on packet type. Encoding as in the ssh packet +protocol. +.TE + +The following message types are currently defined: +.IP "1 SSH_AGENTC_REQUEST_RSA_IDENTITIES" + +(no arguments) + +Requests the agent to send a list of all RSA keys for which it can +answer a challenge. +.IP "2 SSH_AGENT_RSA_IDENTITIES_ANSWER" +.TS +; +l l. +32-bit int howmany +howmany times: +32-bit int bits +mp-int public exponent +mp-int public modulus +string comment +.TE +The agent sends this message in response to the to +SSH_AGENTC_REQUEST_RSA_IDENTITIES. The answer lists all RSA keys for +which the agent can answer a challenge. The comment field is intended +to help identify each key; it may be printed by an application to +indicate which key is being used. If the agent is not holding any +keys, howmany will be zero. +.IP "3 SSH_AGENTC_RSA_CHALLENGE +.TS +; +l l. +32-bit int bits +mp-int public exponent +mp-int public modulus +mp-int challenge +16 bytes session_id +32-bit int response_type +.TE +Requests RSA decryption of random challenge to authenticate the other +side. The challenge will be decrypted with the RSA private key +corresponding to the given public key. + +The decrypted challenge must contain a zero in the highest (partial) +byte, 2 in the next byte, followed by non-zero random bytes, a zero +byte, and then the real challenge value in the lowermost bytes. The +real challenge must be 32 8-bit bytes (256 bits). + +Response_type indicates the format of the response to be returned. +Currently the only supported value is 1, which means to compute MD5 of +the real challenge plus session id, and return the resulting 16 bytes +in a SSH_AGENT_RSA_RESPONSE message. +.IP "4 SSH_AGENT_RSA_RESPONSE" +.TS +; +l l. +16 bytes MD5 of decrypted challenge +.TE +Answers an RSA authentication challenge. The response is 16 bytes: +the MD5 checksum of the 32-byte challenge. +.IP "5 SSH_AGENT_FAILURE" + +(no arguments) + +This message is sent whenever the agent fails to answer a request +properly. For example, if the agent cannot answer a challenge (e.g., +no longer has the proper key), it can respond with this. The agent +also responds with this message if it receives a message it does not +recognize. +.IP "6 SSH_AGENT_SUCCESS" + +(no arguments) + +This message is sent by the agent as a response to certain requests +that do not otherwise cause a message be sent. Currently, this is +only sent in response to SSH_AGENTC_ADD_RSA_IDENTITY and +SSH_AGENTC_REMOVE_RSA_IDENTITY. +.IP "7 SSH_AGENTC_ADD_RSA_IDENTITY" +.TS +; +l l. +32-bit int bits +mp-int public modulus +mp-int public exponent +mp-int private exponent +mp-int multiplicative inverse of p mod q +mp-int p +mp-int q +string comment +.TE +Registers an RSA key with the agent. After this request, the agent can +use this RSA key to answer requests. The agent responds with +SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE. +.IP "8 SSH_AGENT_REMOVE_RSA_IDENTITY" +.TS +; +l l. +32-bit int bits +mp-int public exponent +mp-int public modulus +.TE +Removes an RSA key from the agent. The agent will no longer accept +challenges for this key and will not list it as a supported identity. +The agent responds with SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE. +.RT + +If the agent receives a message that it does not understand, it +responds with SSH_AGENT_FAILURE. This permits compatible future +extensions. + +It is possible that several clients have a connection open to the +authentication agent simultaneously. Each client will use a separate +connection (thus, any SSH connection can have multiple agent +connections active simultaneously). + + +.ti 0 +References + +.IP "[DES] " +FIPS PUB 46-1: Data Encryption Standard. National Bureau of +Standards, January 1988. FIPS PUB 81: DES Modes of Operation. +National Bureau of Standards, December 1980. Bruce Schneier: Applied +Cryptography. John Wiley & Sons, 1994. J. Seberry and J. Pieprzyk: +Cryptography: An Introduction to Computer Security. Prentice-Hall, +1989. +.IP "[GZIP] " +The GNU GZIP program; available for anonymous ftp at prep.ai.mit.edu. +Please let me know if you know a paper describing the algorithm. +.IP "[IDEA] " +Xuejia Lai: On the Design and Security of Block Ciphers, ETH Series in +Information Processing, vol. 1, Hartung-Gorre Verlag, Konstanz, +Switzerland, 1992. Bruce Schneier: Applied Cryptography, John Wiley & +Sons, 1994. See also the following patents: PCT/CH91/00117, EP 0 482 +154 B1, US Pat. 5,214,703. +.IP [PKCS#1] +PKCS #1: RSA Encryption Standard. Version 1.5, RSA Laboratories, +November 1993. Available for anonymous ftp at ftp.rsa.com. +.IP [POSIX] +Portable Operating System Interface (POSIX) - Part 1: Application +Program Interface (API) [C language], ISO/IEC 9945-1, IEEE Std 1003.1, +1990. +.IP [RFC0791] +J. Postel: Internet Protocol, RFC 791, USC/ISI, September 1981. +.IP [RFC0793] +J. Postel: Transmission Control Protocol, RFC 793, USC/ISI, September +1981. +.IP [RFC1034] +P. Mockapetris: Domain Names - Concepts and Facilities, RFC 1034, +USC/ISI, November 1987. +.IP [RFC1282] +B. Kantor: BSD Rlogin, RFC 1258, UCSD, December 1991. +.IP "[RSA] " +Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1994. See +also R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic +Communications System and Method. US Patent 4,405,829, 1983. +.IP "[X11] " +R. Scheifler: X Window System Protocol, X Consortium Standard, Version +11, Release 6. Massachusetts Institute of Technology, Laboratory of +Computer Science, 1994. +.RT + + +.ti 0 +Security Considerations + +This protocol deals with the very issue of user authentication and +security. + +First of all, as an implementation issue, the server program will have +to run as root (or equivalent) on the server machine. This is because +the server program will need be able to change to an arbitrary user +id. The server must also be able to create a privileged TCP/IP port. + +The client program will need to run as root if any variant of .rhosts +authentication is to be used. This is because the client program will +need to create a privileged port. The client host key is also usually +stored in a file which is readable by root only. The client needs the +host key in .rhosts authentication only. Root privileges can be +dropped as soon as the privileged port has been created and the host +key has been read. + +The SSH protocol offers major security advantages over existing telnet +and rlogin protocols. +.IP o +IP spoofing is restricted to closing a connection (by encryption, host +keys, and the special random cookie). If encryption is not used, IP +spoofing is possible for those who can hear packets going out from the +server. +.IP o +DNS spoofing is made ineffective (by host keys). +.IP o +Routing spoofing is made ineffective (by host keys). +.IP o +All data is encrypted with strong algorithms to make eavesdropping as +difficult as possible. This includes encrypting any authentication +information such as passwords. The information for decrypting session +keys is destroyed every hour. +.IP o +Strong authentication methods: .rhosts combined with RSA host +authentication, and pure RSA authentication. +.IP o +X11 connections and arbitrary TCP/IP ports can be forwarded securely. +.IP o +Man-in-the-middle attacks are deterred by using the server host key to +encrypt the session key. +.IP o +Trojan horses to catch a password by routing manipulation are deterred +by checking that the host key of the server machine matches that +stored on the client host. +.RT + +The security of SSH against man-in-the-middle attacks and the security +of the new form of .rhosts authentication, as well as server host +validation, depends on the integrity of the host key and the files +containing known host keys. + +The host key is normally stored in a root-readable file. If the host +key is compromised, it permits attackers to use IP, DNS and routing +spoofing as with current rlogin and rsh. It should never be any worse +than the current situation. + +The files containing known host keys are not sensitive. However, if an +attacker gets to modify the known host key files, it has the same +consequences as a compromised host key, because the attacker can then +change the recorded host key. + +The security improvements obtained by this protocol for X11 are of +particular significance. Previously, there has been no way to protect +data communicated between an X server and a client running on a remote +machine. By creating a fake display on the server, and forwarding all +X11 requests over the secure channel, SSH can be used to run any X11 +applications securely without any cooperation with the vendors of the +X server or the application. + +Finally, the security of this program relies on the strength of the +underlying cryptographic algorithms. The RSA algorithm is used for +authentication key exchange. It is widely believed to be secure. Of +the algorithms used to encrypt the session, DES has a rather small key +these days, probably permitting governments and organized criminals to +break it in very short time with specialized hardware. 3DES is +probably safe (but slower). IDEA is widely believed to be secure. +People have varying degrees of confidence in the other algorithms. +This program is not secure if used with no encryption at all. + + +.ti 0 +Additional Information + +Additional information (especially on the implementation and mailing +lists) is available via WWW at http://www.cs.hut.fi/ssh. + +Comments should be sent to Tatu Ylonen or the SSH +Mailing List . + +.ti 0 +Author's Address + +.TS +; +l. +Tatu Ylonen +Helsinki University of Technology +Otakaari 1 +FIN-02150 Espoo, Finland + +Phone: +358-0-451-3374 +Fax: +358-0-451-3293 +EMail: ylo@cs.hut.fi +.TE diff -ruN --exclude CVS ssh-openbsd-2005090100/TODO openssh-4.2p1/TODO --- ssh-openbsd-2005090100/TODO Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/TODO Mon Dec 6 22:40:11 2004 @@ -0,0 +1,86 @@ +Documentation: + +- Update the docs + - Update README + - Update INSTALL + - Merge INSTALL & README.privsep + +- Install FAQ? + +- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it + would be best to use them. + +- Create a Documentation/ directory? + +Programming: + +- Grep for 'XXX' comments and fix + +- Link order is incorrect for some systems using Kerberos 4 and AFS. Result + is multiple inclusion of DES symbols. Holger Trapp + reports that changing the configure + generated link order from: + -lresolv -lkrb -lz -lnsl -lutil -lkafs -lkrb -ldes -lcrypto + to: + -lresolv -lkrb -lz -lnsl -lutil -lcrypto -lkafs -lkrb -ldes + fixing the problem. + +- Write a test program that calls stat() to search for EGD/PRNGd socket + rather than use the (non-portable) "test -S". + +- More platforms for for setproctitle() emulation (testing needed) + +- Improve PAM ChallengeResponseAuthentication + - Informational messages + - Use different PAM service name for kbdint vs regular auth (suggest from + Solar Designer) + - Ability to select which ChallengeResponseAuthentications may be used + and order to try them in e.g. "ChallengeResponseAuthentication skey, pam" + +- Complete Tru64 SIA support + - It looks like we could merge it into the password auth code to cut down + on diff size. Maybe PAM password auth too? + +- Finish integrating kernel-level auditing code for IRIX and SOLARIS + (Gilbert.r.loomis@saic.com) + +- 64-bit builds on HP-UX 11.X (stevesk@pobox.com): + - utmp/wtmp get corrupted (something in loginrec?) + - can't build with PAM (no 64-bit libpam yet) + +Clean up configure/makefiles: +- Clean up configure.ac - There are a few double #defined variables + left to do. HAVE_LOGIN is one of them. Consider NOT looking for + information in wtmpx or utmpx or any of that stuff if it's not detected + from the start + +- Replace the whole u_intXX_t evilness in acconfig.h with something better??? + - Do it in configure.ac + +- Consider splitting the u_intXX_t test for sys/bitype.h into seperate test + to allow people to (right/wrongfully) link against Bind directly. + +- Consider splitting configure.ac into seperate files which do logically + similar tests. E.g move all the type detection stuff into one file, + entropy related stuff into another. + +Packaging: +- HP-UX: Provide DEPOT package scripts. + (gilbert.r.loomis@saic.com) + +PrivSep Issues: +- mmap() issues. + + /dev/zero solution (Solaris) + + No/broken MAP_ANON (Irix) + + broken /dev/zero parse (Linux) +- PAM + + See above PAM notes +- AIX + + usrinfo() does not set TTY, but only required for legacy systems. Works + with PrivSep. +- OSF + + SIA is broken +- Cygwin + + Privsep for Pre-auth only (no fd passing) + +$Id: TODO,v 1.58 2004/12/06 11:40:11 dtucker Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/WARNING.RNG openssh-4.2p1/WARNING.RNG --- ssh-openbsd-2005090100/WARNING.RNG Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/WARNING.RNG Thu May 26 11:47:54 2005 @@ -0,0 +1,95 @@ +This document contains a description of portable OpenSSH's random +number collection code. An alternate reading of this text could +well be titled "Why I should pressure my system vendor to supply +/dev/random in their OS". + +Why is this important? OpenSSH depends on good, unpredictable numbers +for generating keys, performing digital signatures and forming +cryptographic challenges. If the random numbers that it uses are +predictable, then the strength of the whole system is compromised. + +A particularly pernicious problem arises with DSA keys (used by the +ssh2 protocol). Performing a DSA signature (which is required for +authentication), entails the use of a 160 bit random number. If an +attacker can predict this number, then they can deduce your *private* +key and impersonate you or your hosts. + +If you are using the builtin random number support (configure will +tell you if this is the case), then read this document in its entirety. +Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which +collects random numbers and makes them available by a socket. + +Please also request that your OS vendor provides a kernel-based random +number collector (/dev/random) in future versions of your operating +systems by default. + +On to the description... + +The portable OpenSSH contains random number collection support for +systems which lack a kernel entropy pool (/dev/random). + +This collector (as of 3.1 and beyond) comes as an external application +that allows the local admin to decide on how to implement entropy +collection. + +The default entropy collector operates by executing the programs listed +in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the +PRNG supplied by OpenSSL (which is hash-based). It also stirs in the +output of several system calls and timings from the execution of the +programs that it runs. + +The ssh_prng_cmds file also specifies a 'rate' for each program. This +represents the number of bits of randomness per byte of output from +the specified program. + +The random number code will also read and save a seed file to +~/.ssh/prng_seed. This contents of this file are added to the random +number generator at startup. The goal here is to maintain as much +randomness between sessions as possible. + +The default entropy collection code has two main problems: + +1. It is slow. + +Executing each program in the list can take a large amount of time, +especially on slower machines. Additionally some program can take a +disproportionate time to execute. + +Tuning the random helper can be done by running ./ssh-random-helper in +very verbose mode ("-vvv") and identifying the commands that are taking +excessive amounts of time or hanging altogher. Any problem commands can +be modified or removed from ssh_prng_cmds. + +The default entropy collector will timeout programs which take too long +to execute, the actual timeout used can be adjusted with the +--with-entropy-timeout configure option. OpenSSH will not try to +re-execute programs which have not been found, have had a non-zero +exit status or have timed out more than a couple of times. + +2. Estimating the real 'rate' of program outputs is non-trivial + +The shear volume of the task is problematic: there are currently +around 50 commands in the ssh_prng_cmds list, portable OpenSSH +supports at least 12 different OSs. That is already 600 sets of data +to be analysed, without taking into account the numerous differences +between versions of each OS. + +On top of this, the different commands can produce varying amounts of +usable data depending on how busy the machine is, how long it has been +up and various other factors. + +To make matters even more complex, some of the commands are reporting +largely the same data as other commands (eg. the various "ps" calls). + + +How to avoid the default entropy code? + +The best way is to read the OpenSSL documentation and recompile OpenSSL +to use prngd or egd. Some platforms (like earily solaris) have 3rd +party /dev/random devices that can be also used for this task. + +If you are forced to use ssh-rand-helper consider still downloading +prngd/egd and configure OpenSSH using --with-prngd-port=xx or +--with-prngd-socket=xx (refer to INSTALL for more information). + +$Id: WARNING.RNG,v 1.8 2005/05/26 01:47:54 djm Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/acconfig.h openssh-4.2p1/acconfig.h --- ssh-openbsd-2005090100/acconfig.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/acconfig.h Thu Jul 7 20:33:36 2005 @@ -0,0 +1,458 @@ +/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */ + +/* + * Copyright (c) 1999-2003 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _CONFIG_H +#define _CONFIG_H + +/* Generated automatically from acconfig.h by autoheader. */ +/* Please make your changes there */ + +@TOP@ + +/* Define if your platform breaks doing a seteuid before a setuid */ +#undef SETEUID_BREAKS_SETUID + +/* Define if your setreuid() is broken */ +#undef BROKEN_SETREUID + +/* Define if your setregid() is broken */ +#undef BROKEN_SETREGID + +/* Define if your setresuid() is broken */ +#undef BROKEN_SETRESUID + +/* Define if your setresgid() is broken */ +#undef BROKEN_SETRESGID + +/* Define to a Set Process Title type if your system is */ +/* supported by bsd-setproctitle.c */ +#undef SPT_TYPE +#undef SPT_PADCHAR + +/* SCO workaround */ +#undef BROKEN_SYS_TERMIO_H + +/* Define if you have SecureWare-based protected password database */ +#undef HAVE_SECUREWARE + +/* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ +/* from environment and PATH */ +#undef LOGIN_PROGRAM_FALLBACK + +/* Full path of your "passwd" program */ +#undef _PATH_PASSWD_PROG + +/* Define if your password has a pw_class field */ +#undef HAVE_PW_CLASS_IN_PASSWD + +/* Define if your password has a pw_expire field */ +#undef HAVE_PW_EXPIRE_IN_PASSWD + +/* Define if your password has a pw_change field */ +#undef HAVE_PW_CHANGE_IN_PASSWD + +/* Define if your system uses access rights style file descriptor passing */ +#undef HAVE_ACCRIGHTS_IN_MSGHDR + +/* Define if your system uses ancillary data style file descriptor passing */ +#undef HAVE_CONTROL_IN_MSGHDR + +/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */ +#undef BROKEN_INET_NTOA + +/* Define if your system defines sys_errlist[] */ +#undef HAVE_SYS_ERRLIST + +/* Define if your system defines sys_nerr */ +#undef HAVE_SYS_NERR + +/* Define if your system choked on IP TOS setting */ +#undef IP_TOS_IS_BROKEN + +/* Define if you have the getuserattr function. */ +#undef HAVE_GETUSERATTR + +/* Define if you have the basename function. */ +#undef HAVE_BASENAME + +/* Work around problematic Linux PAM modules handling of PAM_TTY */ +#undef PAM_TTY_KLUDGE + +/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */ +#undef SSHPAM_CHAUTHTOK_NEEDS_RUID + +/* Use PIPES instead of a socketpair() */ +#undef USE_PIPES + +/* Define if your snprintf is busted */ +#undef BROKEN_SNPRINTF + +/* Define if you are on Cygwin */ +#undef HAVE_CYGWIN + +/* Define if you have a broken realpath. */ +#undef BROKEN_REALPATH + +/* Define if you are on NeXT */ +#undef HAVE_NEXT + +/* Define if you want to enable PAM support */ +#undef USE_PAM + +/* Define if you want to enable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + +/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */ +#undef AIX_LOGINFAILED_4ARG + +/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */ +#undef SKEYCHALLENGE_4ARG + +/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ +#undef WITH_IRIX_ARRAY + +/* Define if you want IRIX project management */ +#undef WITH_IRIX_PROJECT + +/* Define if you want IRIX audit trails */ +#undef WITH_IRIX_AUDIT + +/* Define if you want IRIX kernel jobs */ +#undef WITH_IRIX_JOBS + +/* Location of PRNGD/EGD random number socket */ +#undef PRNGD_SOCKET + +/* Port number of PRNGD/EGD random number socket */ +#undef PRNGD_PORT + +/* Builtin PRNG command timeout */ +#undef ENTROPY_TIMEOUT_MSEC + +/* non-privileged user for privilege separation */ +#undef SSH_PRIVSEP_USER + +/* Define if you want to install preformatted manpages.*/ +#undef MANTYPE + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define if you are linking against RSAref. Used only to print the right + * message at run-time. */ +#undef RSAREF + +/* struct timeval */ +#undef HAVE_STRUCT_TIMEVAL + +/* struct utmp and struct utmpx fields */ +#undef HAVE_HOST_IN_UTMP +#undef HAVE_HOST_IN_UTMPX +#undef HAVE_ADDR_IN_UTMP +#undef HAVE_ADDR_IN_UTMPX +#undef HAVE_ADDR_V6_IN_UTMP +#undef HAVE_ADDR_V6_IN_UTMPX +#undef HAVE_SYSLEN_IN_UTMPX +#undef HAVE_PID_IN_UTMP +#undef HAVE_TYPE_IN_UTMP +#undef HAVE_TYPE_IN_UTMPX +#undef HAVE_TV_IN_UTMP +#undef HAVE_TV_IN_UTMPX +#undef HAVE_ID_IN_UTMP +#undef HAVE_ID_IN_UTMPX +#undef HAVE_EXIT_IN_UTMP +#undef HAVE_TIME_IN_UTMP +#undef HAVE_TIME_IN_UTMPX + +/* Define if you don't want to use your system's login() call */ +#undef DISABLE_LOGIN + +/* Define if you don't want to use pututline() etc. to write [uw]tmp */ +#undef DISABLE_PUTUTLINE + +/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */ +#undef DISABLE_PUTUTXLINE + +/* Define if you don't want to use lastlog */ +#undef DISABLE_LASTLOG + +/* Define if you don't want to use lastlog in session.c */ +#undef NO_SSH_LASTLOG + +/* Define if you don't want to use utmp */ +#undef DISABLE_UTMP + +/* Define if you don't want to use utmpx */ +#undef DISABLE_UTMPX + +/* Define if you don't want to use wtmp */ +#undef DISABLE_WTMP + +/* Define if you don't want to use wtmpx */ +#undef DISABLE_WTMPX + +/* Some systems need a utmpx entry for /bin/login to work */ +#undef LOGIN_NEEDS_UTMPX + +/* Some versions of /bin/login need the TERM supplied on the commandline */ +#undef LOGIN_NEEDS_TERM + +/* Define if your login program cannot handle end of options ("--") */ +#undef LOGIN_NO_ENDOPT + +/* Define if you want to specify the path to your lastlog file */ +#undef CONF_LASTLOG_FILE + +/* Define if you want to specify the path to your utmp file */ +#undef CONF_UTMP_FILE + +/* Define if you want to specify the path to your wtmp file */ +#undef CONF_WTMP_FILE + +/* Define if you want to specify the path to your utmpx file */ +#undef CONF_UTMPX_FILE + +/* Define if you want to specify the path to your wtmpx file */ +#undef CONF_WTMPX_FILE + +/* Define if you want external askpass support */ +#undef USE_EXTERNAL_ASKPASS + +/* Define if libc defines __progname */ +#undef HAVE___PROGNAME + +/* Define if compiler implements __FUNCTION__ */ +#undef HAVE___FUNCTION__ + +/* Define if compiler implements __func__ */ +#undef HAVE___func__ + +/* Define this is you want GSSAPI support in the version 2 protocol */ +#undef GSSAPI + +/* Define if you want Kerberos 5 support */ +#undef KRB5 + +/* Define this if you are using the Heimdal version of Kerberos V5 */ +#undef HEIMDAL + +/* Define this if you want to use libkafs' AFS support */ +#undef USE_AFS + +/* Define if you want S/Key support */ +#undef SKEY + +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + +/* Define if your libraries define login() */ +#undef HAVE_LOGIN + +/* Define if your libraries define daemon() */ +#undef HAVE_DAEMON + +/* Define if your libraries define getpagesize() */ +#undef HAVE_GETPAGESIZE + +/* Define if xauth is found in your path */ +#undef XAUTH_PATH + +/* Define if you want to allow MD5 passwords */ +#undef HAVE_MD5_PASSWORDS + +/* Define if you want to disable shadow passwords */ +#undef DISABLE_SHADOW + +/* Define if you want to use shadow password expire field */ +#undef HAS_SHADOW_EXPIRE + +/* Define if you have Digital Unix Security Integration Architecture */ +#undef HAVE_OSF_SIA + +/* Define if you have getpwanam(3) [SunOS 4.x] */ +#undef HAVE_GETPWANAM + +/* Define if you have an old version of PAM which takes only one argument */ +/* to pam_strerror */ +#undef HAVE_OLD_PAM + +/* Define if you are using Solaris-derived PAM which passes pam_messages */ +/* to the conversation function with an extra level of indirection */ +#undef PAM_SUN_CODEBASE + +/* Set this to your mail directory if you don't have maillock.h */ +#undef MAIL_DIRECTORY + +/* Data types */ +#undef HAVE_U_INT +#undef HAVE_INTXX_T +#undef HAVE_U_INTXX_T +#undef HAVE_UINTXX_T +#undef HAVE_INT64_T +#undef HAVE_U_INT64_T +#undef HAVE_U_CHAR +#undef HAVE_SIZE_T +#undef HAVE_SSIZE_T +#undef HAVE_CLOCK_T +#undef HAVE_MODE_T +#undef HAVE_PID_T +#undef HAVE_SA_FAMILY_T +#undef HAVE_STRUCT_SOCKADDR_STORAGE +#undef HAVE_STRUCT_ADDRINFO +#undef HAVE_STRUCT_IN6_ADDR +#undef HAVE_STRUCT_SOCKADDR_IN6 + +/* Fields in struct sockaddr_storage */ +#undef HAVE_SS_FAMILY_IN_SS +#undef HAVE___SS_FAMILY_IN_SS + +/* Define if you have /dev/ptmx */ +#undef HAVE_DEV_PTMX + +/* Define if you have /dev/ptc */ +#undef HAVE_DEV_PTS_AND_PTC + +/* Define if you need to use IP address instead of hostname in $DISPLAY */ +#undef IPADDR_IN_DISPLAY + +/* Specify default $PATH */ +#undef USER_PATH + +/* Specify location of ssh.pid */ +#undef _PATH_SSH_PIDDIR + +/* getaddrinfo is broken (if present) */ +#undef BROKEN_GETADDRINFO + +/* updwtmpx is broken (if present) */ +#undef BROKEN_UPDWTMPX + +/* Workaround more Linux IPv6 quirks */ +#undef DONT_TRY_OTHER_AF + +/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ +#undef IPV4_IN_IPV6 + +/* Define if you have BSD auth support */ +#undef BSD_AUTH + +/* Define if X11 doesn't support AF_UNIX sockets on that system */ +#undef NO_X11_UNIX_SOCKETS + +/* Define if the concept of ports only accessible to superusers isn't known */ +#undef NO_IPPORT_RESERVED_CONCEPT + +/* Needed for SCO and NeXT */ +#undef BROKEN_SAVED_UIDS + +/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */ +#undef GLOB_HAS_ALTDIRFUNC + +/* Define if your system glob() function has gl_matchc options in glob_t */ +#undef GLOB_HAS_GL_MATCHC + +/* Define in your struct dirent expects you to allocate extra space for d_name */ +#undef BROKEN_ONE_BYTE_DIRENT_D_NAME + +/* Define if your system has /etc/default/login */ +#undef HAVE_ETC_DEFAULT_LOGIN + +/* Define if your getopt(3) defines and uses optreset */ +#undef HAVE_GETOPT_OPTRESET + +/* Define on *nto-qnx systems */ +#undef MISSING_NFDBITS + +/* Define on *nto-qnx systems */ +#undef MISSING_HOWMANY + +/* Define on *nto-qnx systems */ +#undef MISSING_FD_MASK + +/* Define if you want smartcard support */ +#undef SMARTCARD + +/* Define if you want smartcard support using sectok */ +#undef USE_SECTOK + +/* Define if you want smartcard support using OpenSC */ +#undef USE_OPENSC + +/* Define if you want to use OpenSSL's internally seeded PRNG only */ +#undef OPENSSL_PRNG_ONLY + +/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */ +#undef WITH_ABBREV_NO_TTY + +/* Define if you want a different $PATH for the superuser */ +#undef SUPERUSER_PATH + +/* Path that unprivileged child will chroot() to in privep mode */ +#undef PRIVSEP_PATH + +/* Define if your platform needs to skip post auth file descriptor passing */ +#undef DISABLE_FD_PASSING + +/* Silly mkstemp() */ +#undef HAVE_STRICT_MKSTEMP + +/* Some systems put this outside of libc */ +#undef HAVE_NANOSLEEP + +/* Define if sshd somehow reacquires a controlling TTY after setsid() */ +#undef SSHD_ACQUIRES_CTTY + +/* Define if cmsg_type is not passed correctly */ +#undef BROKEN_CMSG_TYPE + +/* + * Define to whatever link() returns for "not supported" if it doesn't + * return EOPNOTSUPP. + */ +#undef LINK_OPNOTSUPP_ERRNO + +/* Strings used in /etc/passwd to denote locked account */ +#undef LOCKED_PASSWD_STRING +#undef LOCKED_PASSWD_PREFIX +#undef LOCKED_PASSWD_SUBSTR + +/* Define if getrrsetbyname() exists */ +#undef HAVE_GETRRSETBYNAME + +/* Define if HEADER.ad exists in arpa/nameser.h */ +#undef HAVE_HEADER_AD + +/* Define if your resolver libs need this for getrrsetbyname */ +#undef BIND_8_COMPAT + +/* Define if you have /proc/$pid/fd */ +#undef HAVE_PROC_PID + +@BOTTOM@ + +/* ******************* Shouldn't need to edit below this line ************** */ + +#endif /* _CONFIG_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/aclocal.m4 openssh-4.2p1/aclocal.m4 --- ssh-openbsd-2005090100/aclocal.m4 Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/aclocal.m4 Mon Oct 22 10:53:59 2001 @@ -0,0 +1,86 @@ +dnl $Id: aclocal.m4,v 1.5 2001/10/22 00:53:59 tim Exp $ +dnl +dnl OpenSSH-specific autoconf macros +dnl + + +dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) +dnl Does AC_EGREP_HEADER on 'header' for the string 'field' +dnl If found, set 'symbol' to be defined. Cache the result. +dnl TODO: This is not foolproof, better to compile and read from there +AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [ +# look for field '$1' in header '$2' + dnl This strips characters illegal to m4 from the header filename + ossh_safe=`echo "$2" | sed 'y%./+-%__p_%'` + dnl + ossh_varname="ossh_cv_$ossh_safe""_has_"$1 + AC_MSG_CHECKING(for $1 field in $2) + AC_CACHE_VAL($ossh_varname, [ + AC_EGREP_HEADER($1, $2, [ dnl + eval "$ossh_varname=yes" dnl + ], [ dnl + eval "$ossh_varname=no" dnl + ]) dnl + ]) + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + AC_MSG_RESULT($ossh_result) + if test "x$ossh_result" = "xyes"; then + AC_DEFINE($3) + fi + else + AC_MSG_RESULT(no) + fi +]) + +dnl OSSH_PATH_ENTROPY_PROG(variablename, command): +dnl Tidiness function, sets 'undef' if not found, and does the AC_SUBST +AC_DEFUN(OSSH_PATH_ENTROPY_PROG, [ + AC_PATH_PROG($1, $2) + if test -z "[$]$1" ; then + $1="undef" + fi + AC_SUBST($1) +]) + +dnl Check for socklen_t: historically on BSD it is an int, and in +dnl POSIX 1g it is a type of its own, but some platforms use different +dnl types for the argument to getsockopt, getpeername, etc. So we +dnl have to test to find something that will work. +AC_DEFUN([TYPE_SOCKLEN_T], +[ + AC_CHECK_TYPE([socklen_t], ,[ + AC_MSG_CHECKING([for socklen_t equivalent]) + AC_CACHE_VAL([curl_cv_socklen_t_equiv], + [ + # Systems have either "struct sockaddr *" or + # "void *" as the second argument to getpeername + curl_cv_socklen_t_equiv= + for arg2 in "struct sockaddr" void; do + for t in int size_t unsigned long "unsigned long"; do + AC_TRY_COMPILE([ + #include + #include + + int getpeername (int, $arg2 *, $t *); + ],[ + $t len; + getpeername(0,0,&len); + ],[ + curl_cv_socklen_t_equiv="$t" + break + ]) + done + done + + if test "x$curl_cv_socklen_t_equiv" = x; then + AC_MSG_ERROR([Cannot find a type to use in place of socklen_t]) + fi + ]) + AC_MSG_RESULT($curl_cv_socklen_t_equiv) + AC_DEFINE_UNQUOTED(socklen_t, $curl_cv_socklen_t_equiv, + [type to use in place of socklen_t if not defined])], + [#include +#include ]) +]) + diff -ruN --exclude CVS ssh-openbsd-2005090100/acss.c openssh-4.2p1/acss.c --- ssh-openbsd-2005090100/acss.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/acss.c Sun Jul 17 17:04:47 2005 @@ -0,0 +1,264 @@ +/* $Id: acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $ */ +/* + * Copyright (c) 2004 The OpenBSD project + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include + +#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L) + +#include "acss.h" + +/* decryption sbox */ +static unsigned char sboxdec[] = { + 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76, + 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b, + 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96, + 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b, + 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12, + 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f, + 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90, + 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91, + 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74, + 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75, + 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94, + 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95, + 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10, + 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11, + 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92, + 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f, + 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16, + 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b, + 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6, + 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb, + 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72, + 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f, + 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0, + 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1, + 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14, + 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15, + 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4, + 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5, + 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70, + 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71, + 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2, + 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff +}; + +/* encryption sbox */ +static unsigned char sboxenc[] = { + 0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75, + 0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b, + 0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21, + 0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f, + 0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5, + 0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab, + 0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0, + 0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2, + 0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74, + 0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76, + 0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20, + 0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22, + 0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4, + 0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6, + 0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1, + 0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf, + 0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25, + 0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b, + 0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71, + 0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f, + 0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5, + 0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb, + 0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0, + 0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2, + 0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24, + 0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26, + 0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70, + 0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72, + 0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4, + 0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6, + 0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1, + 0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff +}; + +static unsigned char reverse[] = { + 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, + 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, + 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, + 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, + 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, + 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, + 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, + 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, + 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, + 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, + 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, + 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, + 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, + 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, + 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, + 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, + 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, + 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, + 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, + 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, + 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, + 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, + 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, + 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, + 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, + 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, + 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, + 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, + 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, + 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, + 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, + 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff +}; + +/* + * Two linear feedback shift registers are used: + * + * lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier) + * x^15 + x + 1 + * lfsr25: polynomial of degree 25, not know if primitive modulo 2 + * x^13 + x^5 + x^4 + x^1 + 1 + * + * Output bits are discarded, instead the feedback bits are added to produce + * the cipher stream. Depending on the mode, feedback bytes may be inverted + * bit-wise before addition. + * + * The lfsrs are seeded with bytes from the raw key: + * + * lfsr17: byte 0[0:7] at bit 9 + * byte 1[0:7] at bit 0 + * + * lfsr25: byte 2[0:4] at bit 16 + * byte 2[5:7] at bit 22 + * byte 3[0:7] at bit 8 + * byte 4[0:7] at bit 0 + * + * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in + * lfsr25. + * + */ + +int +acss(ACSS_KEY *key, unsigned long len, const unsigned char *in, + unsigned char *out) +{ + unsigned long i; + unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp; + + lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0; + + /* keystream is sum of lfsrs */ + for (i = 0; i < len; i++) { + lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14); + key->lfsr17 = (key->lfsr17 >> 8) + ^ (lfsr17tmp << 9) + ^ (lfsr17tmp << 12) + ^ (lfsr17tmp << 15); + key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */ + + lfsr25tmp = key->lfsr25 + ^ (key->lfsr25 >> 3) + ^ (key->lfsr25 >> 4) + ^ (key->lfsr25 >> 12); + key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17); + key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */ + + lfsrsumtmp = key->lfsrsum; + + /* addition */ + switch (key->mode) { + case ACSS_AUTHENTICATE: + case ACSS_DATA: + key->lfsrsum = 0xff & ~(key->lfsr17 >> 9); + key->lfsrsum += key->lfsr25 >> 17; + break; + case ACSS_SESSIONKEY: + key->lfsrsum = key->lfsr17 >> 9; + key->lfsrsum += key->lfsr25 >> 17; + break; + case ACSS_TITLEKEY: + key->lfsrsum = key->lfsr17 >> 9; + key->lfsrsum += 0xff & ~(key->lfsr25 >> 17); + break; + default: + return 1; + } + key->lfsrsum += (lfsrsumtmp >> 8); + + if (key->encrypt) { + out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff]; + } else { + out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff; + } + } + + return 0; +} + +static void +acss_seed(ACSS_KEY *key) +{ + int i; + + /* if available, mangle with subkey */ + if (key->subkey_avilable) { + for (i = 0; i < ACSS_KEYSIZE; i++) + key->seed[i] = reverse[key->data[i] ^ key->subkey[i]]; + } else { + for (i = 0; i < ACSS_KEYSIZE; i++) + key->seed[i] = reverse[key->data[i]]; + } + + /* seed lfsrs */ + key->lfsr17 = key->seed[1] + | (key->seed[0] << 9) + | (1 << 8); /* inject 1 at bit 9 */ + key->lfsr25 = key->seed[4] + | (key->seed[3] << 8) + | ((key->seed[2] & 0x1f) << 16) + | ((key->seed[2] & 0xe0) << 17) + | (1 << 21); /* inject 1 at bit 22 */ + + key->lfsrsum = 0; +} + +void +acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode) +{ + memcpy(key->data, data, sizeof(key->data)); + memset(key->subkey, 0, sizeof(key->subkey)); + + if (enc != -1) + key->encrypt = enc; + key->mode = mode; + key->subkey_avilable = 0; + + acss_seed(key); +} + +void +acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey) +{ + memcpy(key->subkey, subkey, sizeof(key->subkey)); + key->subkey_avilable = 1; + acss_seed(key); +} +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/acss.h openssh-4.2p1/acss.h --- ssh-openbsd-2005090100/acss.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/acss.h Fri Feb 6 15:22:43 2004 @@ -0,0 +1,47 @@ +/* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */ +/* + * Copyright (c) 2004 The OpenBSD project + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _ACSS_H_ +#define _ACSS_H_ + +/* 40bit key */ +#define ACSS_KEYSIZE 5 + +/* modes of acss */ +#define ACSS_AUTHENTICATE 0 +#define ACSS_SESSIONKEY 1 +#define ACSS_TITLEKEY 2 +#define ACSS_DATA 3 + +typedef struct acss_key_st { + unsigned int lfsr17; /* current state of lfsrs */ + unsigned int lfsr25; + unsigned int lfsrsum; + unsigned char seed[ACSS_KEYSIZE]; + unsigned char data[ACSS_KEYSIZE]; + unsigned char subkey[ACSS_KEYSIZE]; + int encrypt; /* XXX make these bit flags? */ + int mode; + int seeded; + int subkey_avilable; +} ACSS_KEY; + +void acss_setkey(ACSS_KEY *, const unsigned char *, int, int); +void acss_setsubkey(ACSS_KEY *, const unsigned char *); +int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *); + +#endif /* ifndef _ACSS_H_ */ diff -ruN --exclude CVS ssh-openbsd-2005090100/atomicio.c openssh-4.2p1/atomicio.c --- ssh-openbsd-2005090100/atomicio.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/atomicio.c Thu May 26 12:23:44 2005 @@ -47,7 +47,11 @@ res = (f) (fd, s + pos, n - pos); switch (res) { case -1: +#ifdef EWOULDBLOCK + if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK) +#else if (errno == EINTR || errno == EAGAIN) +#endif continue; return 0; case 0: diff -ruN --exclude CVS ssh-openbsd-2005090100/audit-bsm.c openssh-4.2p1/audit-bsm.c --- ssh-openbsd-2005090100/audit-bsm.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/audit-bsm.c Sun Feb 20 21:08:00 2005 @@ -0,0 +1,329 @@ +/* $Id: audit-bsm.c,v 1.1 2005/02/20 10:08:00 dtucker Exp $ */ + +/* + * TODO + * + * - deal with overlap between this and sys_auth_allowed_user + * sys_auth_record_login and record_failed_login. + */ + +/* + * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */ + +#include "includes.h" +#if defined(USE_BSM_AUDIT) + +#include "ssh.h" +#include "log.h" +#include "auth.h" +#include "xmalloc.h" + +#ifndef AUE_openssh +# define AUE_openssh 32800 +#endif +#include +#include +#include +#include +#include + +#if defined(HAVE_GETAUDIT_ADDR) +#define AuditInfoStruct auditinfo_addr +#define AuditInfoTermID au_tid_addr_t +#define GetAuditFunc(a,b) getaudit_addr((a),(b)) +#define GetAuditFuncText "getaudit_addr" +#define SetAuditFunc(a,b) setaudit_addr((a),(b)) +#define SetAuditFuncText "setaudit_addr" +#define AUToSubjectFunc au_to_subject_ex +#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) +#else +#define AuditInfoStruct auditinfo +#define AuditInfoTermID au_tid_t +#define GetAuditFunc(a,b) getaudit(a) +#define GetAuditFuncText "getaudit" +#define SetAuditFunc(a,b) setaudit(a) +#define SetAuditFuncText "setaudit" +#define AUToSubjectFunc au_to_subject +#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) +#endif + +extern int cannot_audit(int); +extern void aug_init(void); +extern dev_t aug_get_port(void); +extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); +extern void aug_save_auid(au_id_t); +extern void aug_save_uid(uid_t); +extern void aug_save_euid(uid_t); +extern void aug_save_gid(gid_t); +extern void aug_save_egid(gid_t); +extern void aug_save_pid(pid_t); +extern void aug_save_asid(au_asid_t); +extern void aug_save_tid(dev_t, unsigned int); +extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); +extern int aug_save_me(void); +extern int aug_save_namask(void); +extern void aug_save_event(au_event_t); +extern void aug_save_sorf(int); +extern void aug_save_text(char *); +extern void aug_save_text1(char *); +extern void aug_save_text2(char *); +extern void aug_save_na(int); +extern void aug_save_user(char *); +extern void aug_save_path(char *); +extern int aug_save_policy(void); +extern void aug_save_afunc(int (*)(int)); +extern int aug_audit(void); +extern int aug_na_selected(void); +extern int aug_selected(void); +extern int aug_daemon_session(void); + +#ifndef HAVE_GETTEXT +# define gettext(a) (a) +#endif + +extern Authctxt *the_authctxt; +static AuditInfoTermID ssh_bsm_tid; + +/* Below is the low-level BSM interface code */ + +/* + * Check if the specified event is selected (enabled) for auditing. + * Returns 1 if the event is selected, 0 if not and -1 on failure. + */ +static int +selected(char *username, uid_t uid, au_event_t event, int sf) +{ + int rc, sorf; + char naflags[512]; + struct au_mask mask; + + mask.am_success = mask.am_failure = 0; + if (uid < 0) { + /* get flags for non-attributable (to a real user) events */ + rc = getacna(naflags, sizeof(naflags)); + if (rc == 0) + (void) getauditflagsbin(naflags, &mask); + } else + rc = au_user_mask(username, &mask); + + sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; + return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); +} + +static void +bsm_audit_record(int typ, char *string, au_event_t event_no) +{ + int ad, rc, sel; + uid_t uid = -1; + gid_t gid = -1; + pid_t pid = getpid(); + AuditInfoTermID tid = ssh_bsm_tid; + + if (the_authctxt != NULL && the_authctxt->valid) { + uid = the_authctxt->pw->pw_uid; + gid = the_authctxt->pw->pw_gid; + } + + rc = (typ == 0) ? 0 : -1; + sel = selected(the_authctxt->user, uid, event_no, rc); + debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string); + if (!sel) + return; /* audit event does not match mask, do not write */ + + debug3("BSM audit: writing audit new record"); + ad = au_open(); + + (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid, + pid, pid, &tid)); + (void) au_write(ad, au_to_text(string)); + (void) au_write(ad, AUToReturnFunc(typ, rc)); + + rc = au_close(ad, AU_TO_WRITE, event_no); + if (rc < 0) + error("BSM audit: %s failed to write \"%s\" record: %s", + __func__, string, strerror(errno)); +} + +static void +bsm_audit_session_setup(void) +{ + int rc; + struct AuditInfoStruct info; + au_mask_t mask; + + if (the_authctxt == NULL) { + error("BSM audit: session setup internal error (NULL ctxt)"); + return; + } + + if (the_authctxt->valid) + info.ai_auid = the_authctxt->pw->pw_uid; + else + info.ai_auid = -1; + info.ai_asid = getpid(); + mask.am_success = 0; + mask.am_failure = 0; + + (void) au_user_mask(the_authctxt->user, &mask); + + info.ai_mask.am_success = mask.am_success; + info.ai_mask.am_failure = mask.am_failure; + + info.ai_termid = ssh_bsm_tid; + + rc = SetAuditFunc(&info, sizeof(info)); + if (rc < 0) + error("BSM audit: %s: %s failed: %s", __func__, + SetAuditFuncText, strerror(errno)); +} + +static void +bsm_audit_bad_login(const char *what) +{ + char textbuf[BSM_TEXTBUFSZ]; + + if (the_authctxt->valid) { + (void) snprintf(textbuf, sizeof (textbuf), + gettext("invalid %s for user %s"), + what, the_authctxt->user); + bsm_audit_record(4, textbuf, AUE_openssh); + } else { + (void) snprintf(textbuf, sizeof (textbuf), + gettext("invalid user name \"%s\""), + the_authctxt->user); + bsm_audit_record(3, textbuf, AUE_openssh); + } +} + +/* Below is the sshd audit API code */ + +void +audit_connection_from(const char *host, int port) +{ + AuditInfoTermID *tid = &ssh_bsm_tid; + char buf[1024]; + + if (cannot_audit(0)) + return; + debug3("BSM audit: connection from %.100s port %d", host, port); + + /* populate our terminal id structure */ +#if defined(HAVE_GETAUDIT_ADDR) + tid->at_port = (dev_t)port; + aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type)); + snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0], + tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]); + debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf); +#else + /* this is used on IPv4-only machines */ + tid->port = (dev_t)port; + tid->machine = inet_addr(host); + snprintf(buf, sizeof(buf), "%08x", tid->machine); + debug3("BSM audit: machine ID %s", buf); +#endif +} + +void +audit_run_command(const char *command) +{ + /* not implemented */ +} + +void +audit_session_open(const char *ttyn) +{ + /* not implemented */ +} + +void +audit_session_close(const char *ttyn) +{ + /* not implemented */ +} + +void +audit_event(ssh_audit_event_t event) +{ + char textbuf[BSM_TEXTBUFSZ]; + static int logged_in = 0; + const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; + + if (cannot_audit(0)) + return; + + switch(event) { + case SSH_AUTH_SUCCESS: + logged_in = 1; + bsm_audit_session_setup(); + snprintf(textbuf, sizeof(textbuf), + gettext("successful login %s"), user); + bsm_audit_record(0, textbuf, AUE_openssh); + break; + + case SSH_CONNECTION_CLOSE: + /* + * We can also get a close event if the user attempted auth + * but never succeeded. + */ + if (logged_in) { + snprintf(textbuf, sizeof(textbuf), + gettext("sshd logout %s"), the_authctxt->user); + bsm_audit_record(0, textbuf, AUE_logout); + } else { + debug("%s: connection closed without authentication", + __func__); + } + break; + + case SSH_NOLOGIN: + bsm_audit_record(1, + gettext("logins disabled by /etc/nologin"), AUE_openssh); + break; + + case SSH_LOGIN_EXCEED_MAXTRIES: + snprintf(textbuf, sizeof(textbuf), + gettext("too many tries for user %s"), the_authctxt->user); + bsm_audit_record(1, textbuf, AUE_openssh); + break; + + case SSH_LOGIN_ROOT_DENIED: + bsm_audit_record(2, gettext("not_console"), AUE_openssh); + break; + + case SSH_AUTH_FAIL_PASSWD: + bsm_audit_bad_login("password"); + break; + + case SSH_AUTH_FAIL_KBDINT: + bsm_audit_bad_login("interactive password entry"); + break; + + default: + debug("%s: unhandled event %d", __func__, event); + } +} +#endif /* BSM */ diff -ruN --exclude CVS ssh-openbsd-2005090100/audit.c openssh-4.2p1/audit.c --- ssh-openbsd-2005090100/audit.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/audit.c Sun Jul 17 17:26:44 2005 @@ -0,0 +1,181 @@ +/* $Id: audit.c,v 1.3 2005/07/17 07:26:44 djm Exp $ */ + +/* + * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef SSH_AUDIT_EVENTS + +#include "audit.h" +#include "log.h" +#include "auth.h" + +/* + * Care must be taken when using this since it WILL NOT be initialized when + * audit_connection_from() is called and MAY NOT be initialized when + * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using. + */ +extern Authctxt *the_authctxt; + +/* Maybe add the audit class to struct Authmethod? */ +ssh_audit_event_t +audit_classify_auth(const char *method) +{ + if (strcmp(method, "none") == 0) + return SSH_AUTH_FAIL_NONE; + else if (strcmp(method, "password") == 0) + return SSH_AUTH_FAIL_PASSWD; + else if (strcmp(method, "publickey") == 0 || + strcmp(method, "rsa") == 0) + return SSH_AUTH_FAIL_PUBKEY; + else if (strncmp(method, "keyboard-interactive", 20) == 0 || + strcmp(method, "challenge-response") == 0) + return SSH_AUTH_FAIL_KBDINT; + else if (strcmp(method, "hostbased") == 0 || + strcmp(method, "rhosts-rsa") == 0) + return SSH_AUTH_FAIL_HOSTBASED; + else if (strcmp(method, "gssapi-with-mic") == 0) + return SSH_AUTH_FAIL_GSSAPI; + else + return SSH_AUDIT_UNKNOWN; +} + +/* helper to return supplied username */ +const char * +audit_username(void) +{ + static const char unknownuser[] = "(unknown user)"; + static const char invaliduser[] = "(invalid user)"; + + if (the_authctxt == NULL || the_authctxt->user == NULL) + return (unknownuser); + if (!the_authctxt->valid) + return (invaliduser); + return (the_authctxt->user); +} + +const char * +audit_event_lookup(ssh_audit_event_t ev) +{ + int i; + static struct event_lookup_struct { + ssh_audit_event_t event; + const char *name; + } event_lookup[] = { + {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, + {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, + {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, + {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, + {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, + {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, + {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, + {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, + {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, + {SSH_INVALID_USER, "INVALID_USER"}, + {SSH_NOLOGIN, "NOLOGIN"}, + {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, + {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, + {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} + }; + + for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) + if (event_lookup[i].event == ev) + break; + return(event_lookup[i].name); +} + +# ifndef CUSTOM_SSH_AUDIT_EVENTS +/* + * Null implementations of audit functions. + * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. + */ + +/* + * Called after a connection has been accepted but before any authentication + * has been attempted. + */ +void +audit_connection_from(const char *host, int port) +{ + debug("audit connection from %s port %d euid %d", host, port, + (int)geteuid()); +} + +/* + * Called when various events occur (see audit.h for a list of possible + * events and what they mean). + */ +void +audit_event(ssh_audit_event_t event) +{ + debug("audit event euid %d user %s event %d (%s)", geteuid(), + audit_username(), event, audit_event_lookup(event)); +} + +/* + * Called when a user session is started. Argument is the tty allocated to + * the session, or NULL if no tty was allocated. + * + * Note that this may be called multiple times if multiple sessions are used + * within a single connection. + */ +void +audit_session_open(const char *ttyn) +{ + const char *t = ttyn ? ttyn : "(no tty)"; + + debug("audit session open euid %d user %s tty name %s", geteuid(), + audit_username(), t); +} + +/* + * Called when a user session is closed. Argument is the tty allocated to + * the session, or NULL if no tty was allocated. + * + * Note that this may be called multiple times if multiple sessions are used + * within a single connection. + */ +void +audit_session_close(const char *ttyn) +{ + const char *t = ttyn ? ttyn : "(no tty)"; + + debug("audit session close euid %d user %s tty name %s", geteuid(), + audit_username(), t); +} + +/* + * This will be called when a user runs a non-interactive command. Note that + * it may be called multiple times for a single connection since SSH2 allows + * multiple sessions within a single connection. + */ +void +audit_run_command(const char *command) +{ + debug("audit run command euid %d user %s command '%.200s'", geteuid(), + audit_username(), command); +} +# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */ diff -ruN --exclude CVS ssh-openbsd-2005090100/audit.h openssh-4.2p1/audit.h --- ssh-openbsd-2005090100/audit.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/audit.h Tue Feb 8 21:52:48 2005 @@ -0,0 +1,56 @@ +/* $Id: audit.h,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */ + +/* + * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "auth.h" + +#ifndef _SSH_AUDIT_H +# define _SSH_AUDIT_H +enum ssh_audit_event_type { + SSH_LOGIN_EXCEED_MAXTRIES, + SSH_LOGIN_ROOT_DENIED, + SSH_AUTH_SUCCESS, + SSH_AUTH_FAIL_NONE, + SSH_AUTH_FAIL_PASSWD, + SSH_AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */ + SSH_AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */ + SSH_AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */ + SSH_AUTH_FAIL_GSSAPI, + SSH_INVALID_USER, + SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */ + SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */ + SSH_CONNECTION_ABANDON, /* closed without completing auth */ + SSH_AUDIT_UNKNOWN +}; +typedef enum ssh_audit_event_type ssh_audit_event_t; + +void audit_connection_from(const char *, int); +void audit_event(ssh_audit_event_t); +void audit_session_open(const char *); +void audit_session_close(const char *); +void audit_run_command(const char *); +ssh_audit_event_t audit_classify_auth(const char *); + +#endif /* _SSH_AUDIT_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-chall.c openssh-4.2p1/auth-chall.c --- ssh-openbsd-2005090100/auth-chall.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth-chall.c Thu Jan 20 22:20:51 2005 @@ -28,11 +28,13 @@ #include "auth.h" #include "log.h" #include "xmalloc.h" +#include "servconf.h" /* limited protocol v1 interface to kbd-interactive authentication */ extern KbdintDevice *devices[]; static KbdintDevice *device; +extern ServerOptions options; char * get_challenge(Authctxt *authctxt) @@ -41,6 +43,11 @@ u_int i, numprompts; u_int *echo_on; +#ifdef USE_PAM + if (!options.use_pam) + remove_kbdint_device("pam"); +#endif + device = devices[0]; /* we always use the 1st device for protocol 1 */ if (device == NULL) return NULL; @@ -67,7 +74,8 @@ int verify_response(Authctxt *authctxt, const char *response) { - char *resp[1]; + char *resp[1], *name, *info, **prompts; + u_int i, numprompts, *echo_on; int authenticated = 0; if (device == NULL) @@ -75,9 +83,35 @@ if (authctxt->kbdintctxt == NULL) return 0; resp[0] = (char *)response; - if (device->respond(authctxt->kbdintctxt, 1, resp) == 0) + switch (device->respond(authctxt->kbdintctxt, 1, resp)) { + case 0: /* Success */ authenticated = 1; + break; + case 1: /* Postponed - retry with empty query for PAM */ + if ((device->query(authctxt->kbdintctxt, &name, &info, + &numprompts, &prompts, &echo_on)) != 0) + break; + if (numprompts == 0 && + device->respond(authctxt->kbdintctxt, 0, resp) == 0) + authenticated = 1; + + for (i = 0; i < numprompts; i++) + xfree(prompts[i]); + xfree(prompts); + xfree(name); + xfree(echo_on); + xfree(info); + break; + } device->free_ctx(authctxt->kbdintctxt); authctxt->kbdintctxt = NULL; return authenticated; +} +void +abandon_challenge_response(Authctxt *authctxt) +{ + if (authctxt->kbdintctxt != NULL) { + device->free_ctx(authctxt->kbdintctxt); + authctxt->kbdintctxt = NULL; + } } diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-krb5.c openssh-4.2p1/auth-krb5.c --- ssh-openbsd-2005090100/auth-krb5.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth-krb5.c Thu Jul 7 20:33:36 2005 @@ -54,7 +54,6 @@ problem = krb5_init_context(&authctxt->krb5_ctx); if (problem) return (problem); - krb5_init_ets(authctxt->krb5_ctx); } return (0); } @@ -62,8 +61,13 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { +#ifndef HEIMDAL + krb5_creds creds; + krb5_principal server; +#endif krb5_error_code problem; krb5_ccache ccache = NULL; + int len; if (!authctxt->valid) return (0); @@ -79,6 +83,7 @@ if (problem) goto out; +#ifdef HEIMDAL problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); if (problem) goto out; @@ -110,9 +115,58 @@ if (problem) goto out; - authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, - authctxt->krb5_fwd_ccache); +#else + problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, + authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL); + if (problem) + goto out; + problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, + KRB5_NT_SRV_HST, &server); + if (problem) + goto out; + + restore_uid(); + problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, + NULL, NULL, NULL); + krb5_free_principal(authctxt->krb5_ctx, server); + temporarily_use_uid(authctxt->pw); + if (problem) + goto out; + + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, + authctxt->pw->pw_name)) { + problem = -1; + goto out; + } + + problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); + if (problem) + goto out; + + problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, + authctxt->krb5_user); + if (problem) + goto out; + + problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, + &creds); + if (problem) + goto out; +#endif + + authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + + len = strlen(authctxt->krb5_ticket_file) + 6; + authctxt->krb5_ccname = xmalloc(len); + snprintf(authctxt->krb5_ccname, len, "FILE:%s", + authctxt->krb5_ticket_file); + +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); +#endif + out: restore_uid(); @@ -120,7 +174,7 @@ if (ccache) krb5_cc_destroy(authctxt->krb5_ctx, ccache); - if (authctxt->krb5_ctx != NULL) + if (authctxt->krb5_ctx != NULL && problem!=-1) debug("Kerberos password authentication failed: %s", krb5_get_err_text(authctxt->krb5_ctx, problem)); else @@ -155,4 +209,34 @@ } } +#ifndef HEIMDAL +krb5_error_code +ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { + int tmpfd, ret; + char ccname[40]; + mode_t old_umask; + + ret = snprintf(ccname, sizeof(ccname), + "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); + if (ret == -1 || ret >= sizeof(ccname)) + return ENOMEM; + + old_umask = umask(0177); + tmpfd = mkstemp(ccname + strlen("FILE:")); + umask(old_umask); + if (tmpfd == -1) { + logit("mkstemp(): %.100s", strerror(errno)); + return errno; + } + + if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + return errno; + } + close(tmpfd); + + return (krb5_cc_resolve(ctx, ccname, ccache)); +} +#endif /* !HEIMDAL */ #endif /* KRB5 */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-pam.c openssh-4.2p1/auth-pam.c --- ssh-openbsd-2005090100/auth-pam.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/auth-pam.c Sun Jul 17 17:18:50 2005 @@ -0,0 +1,1169 @@ +/*- + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ +/* + * Copyright (c) 2003,2004 Damien Miller + * Copyright (c) 2003,2004 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ +#include "includes.h" +RCSID("$Id: auth-pam.c,v 1.126 2005/07/17 07:18:50 djm Exp $"); + +#ifdef USE_PAM +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + +/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */ +#ifdef PAM_SUN_CODEBASE +# define sshpam_const /* Solaris, HP-UX, AIX */ +#else +# define sshpam_const const /* LinuxPAM, OpenPAM */ +#endif + +#include "auth.h" +#include "auth-pam.h" +#include "buffer.h" +#include "bufaux.h" +#include "canohost.h" +#include "log.h" +#include "monitor_wrap.h" +#include "msg.h" +#include "packet.h" +#include "misc.h" +#include "servconf.h" +#include "ssh2.h" +#include "xmalloc.h" +#include "auth-options.h" + +extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; +extern u_int utmp_len; + +/* so we don't silently change behaviour */ +#ifdef USE_POSIX_THREADS +# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK" +#endif + +/* + * Formerly known as USE_POSIX_THREADS, using this is completely unsupported + * and generally a bad idea. Use at own risk and do not expect support if + * this breaks. + */ +#ifdef UNSUPPORTED_POSIX_THREADS_HACK +#include +/* + * Avoid namespace clash when *not* using pthreads for systems *with* + * pthreads, which unconditionally define pthread_t via sys/types.h + * (e.g. Linux) + */ +typedef pthread_t sp_pthread_t; +#else +typedef pid_t sp_pthread_t; +#endif + +struct pam_ctxt { + sp_pthread_t pam_thread; + int pam_psock; + int pam_csock; + int pam_done; +}; + +static void sshpam_free_ctx(void *); +static struct pam_ctxt *cleanup_ctxt; + +#ifndef UNSUPPORTED_POSIX_THREADS_HACK +/* + * Simulate threads with processes. + */ + +static int sshpam_thread_status = -1; +static mysig_t sshpam_oldsig; + +static void +sshpam_sigchld_handler(int sig) +{ + signal(SIGCHLD, SIG_DFL); + if (cleanup_ctxt == NULL) + return; /* handler called after PAM cleanup, shouldn't happen */ + if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG) + <= 0) { + /* PAM thread has not exitted, privsep slave must have */ + kill(cleanup_ctxt->pam_thread, SIGTERM); + if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) + <= 0) + return; /* could not wait */ + } + if (WIFSIGNALED(sshpam_thread_status) && + WTERMSIG(sshpam_thread_status) == SIGTERM) + return; /* terminated by pthread_cancel */ + if (!WIFEXITED(sshpam_thread_status)) + fatal("PAM: authentication thread exited unexpectedly"); + if (WEXITSTATUS(sshpam_thread_status) != 0) + fatal("PAM: authentication thread exited uncleanly"); +} + +static void +pthread_exit(void *value __unused) +{ + _exit(0); +} + +static int +pthread_create(sp_pthread_t *thread, const void *attr __unused, + void *(*thread_start)(void *), void *arg) +{ + pid_t pid; + struct pam_ctxt *ctx = arg; + + sshpam_thread_status = -1; + switch ((pid = fork())) { + case -1: + error("fork(): %s", strerror(errno)); + return (-1); + case 0: + close(ctx->pam_psock); + ctx->pam_psock = -1; + thread_start(arg); + _exit(1); + default: + *thread = pid; + close(ctx->pam_csock); + ctx->pam_csock = -1; + sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler); + return (0); + } +} + +static int +pthread_cancel(sp_pthread_t thread) +{ + signal(SIGCHLD, sshpam_oldsig); + return (kill(thread, SIGTERM)); +} + +static int +pthread_join(sp_pthread_t thread, void **value __unused) +{ + int status; + + if (sshpam_thread_status != -1) + return (sshpam_thread_status); + signal(SIGCHLD, sshpam_oldsig); + waitpid(thread, &status, 0); + return (status); +} +#endif + + +static pam_handle_t *sshpam_handle = NULL; +static int sshpam_err = 0; +static int sshpam_authenticated = 0; +static int sshpam_session_open = 0; +static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; +static char **sshpam_env = NULL; +static Authctxt *sshpam_authctxt = NULL; +static const char *sshpam_password = NULL; +static char badpw[] = "\b\n\r\177INCORRECT"; + +/* Some PAM implementations don't implement this */ +#ifndef HAVE_PAM_GETENVLIST +static char ** +pam_getenvlist(pam_handle_t *pamh) +{ + /* + * XXX - If necessary, we can still support envrionment passing + * for platforms without pam_getenvlist by searching for known + * env vars (e.g. KRB5CCNAME) from the PAM environment. + */ + return NULL; +} +#endif + +/* + * Some platforms, notably Solaris, do not enforce password complexity + * rules during pam_chauthtok() if the real uid of the calling process + * is 0, on the assumption that it's being called by "passwd" run by root. + * This wraps pam_chauthtok and sets/restore the real uid so PAM will do + * the right thing. + */ +#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID +static int +sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags) +{ + int result; + + if (sshpam_authctxt == NULL) + fatal("PAM: sshpam_authctxt not initialized"); + if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1) + fatal("%s: setreuid failed: %s", __func__, strerror(errno)); + result = pam_chauthtok(pamh, flags); + if (setreuid(0, -1) == -1) + fatal("%s: setreuid failed: %s", __func__, strerror(errno)); + return result; +} +# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b))) +#endif + +void +sshpam_password_change_required(int reqd) +{ + debug3("%s %d", __func__, reqd); + if (sshpam_authctxt == NULL) + fatal("%s: PAM authctxt not initialized", __func__); + sshpam_authctxt->force_pwchange = reqd; + if (reqd) { + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } else { + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + } +} + +/* Import regular and PAM environment from subprocess */ +static void +import_environments(Buffer *b) +{ + char *env; + u_int i, num_env; + int err; + + debug3("PAM: %s entering", __func__); + +#ifndef UNSUPPORTED_POSIX_THREADS_HACK + /* Import variables set by do_pam_account */ + sshpam_account_status = buffer_get_int(b); + sshpam_password_change_required(buffer_get_int(b)); + + /* Import environment from subprocess */ + num_env = buffer_get_int(b); + sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); + debug3("PAM: num env strings %d", num_env); + for(i = 0; i < num_env; i++) + sshpam_env[i] = buffer_get_string(b, NULL); + + sshpam_env[num_env] = NULL; + + /* Import PAM environment from subprocess */ + num_env = buffer_get_int(b); + debug("PAM: num PAM env strings %d", num_env); + for(i = 0; i < num_env; i++) { + env = buffer_get_string(b, NULL); + +#ifdef HAVE_PAM_PUTENV + /* Errors are not fatal here */ + if ((err = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) { + error("PAM: pam_putenv: %s", + pam_strerror(sshpam_handle, sshpam_err)); + } +#endif + } +#endif +} + +/* + * Conversation function for authentication thread. + */ +static int +sshpam_thread_conv(int n, sshpam_const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + Buffer buffer; + struct pam_ctxt *ctxt; + struct pam_response *reply; + int i; + + debug3("PAM: %s entering, %d messages", __func__, n); + *resp = NULL; + + if (data == NULL) { + error("PAM: conversation function passed a null context"); + return (PAM_CONV_ERR); + } + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + buffer_init(&buffer); + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_PROMPT_ECHO_OFF: + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; + if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1) + goto fail; + if (buffer_get_char(&buffer) != PAM_AUTHTOK) + goto fail; + reply[i].resp = buffer_get_string(&buffer, NULL); + break; + case PAM_PROMPT_ECHO_ON: + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; + if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1) + goto fail; + if (buffer_get_char(&buffer) != PAM_AUTHTOK) + goto fail; + reply[i].resp = buffer_get_string(&buffer, NULL); + break; + case PAM_ERROR_MSG: + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; + break; + case PAM_TEXT_INFO: + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; + break; + default: + goto fail; + } + buffer_clear(&buffer); + } + buffer_free(&buffer); + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + buffer_free(&buffer); + return (PAM_CONV_ERR); +} + +/* + * Authentication thread. + */ +static void * +sshpam_thread(void *ctxtp) +{ + struct pam_ctxt *ctxt = ctxtp; + Buffer buffer; + struct pam_conv sshpam_conv; + int flags = (options.permit_empty_passwd == 0 ? + PAM_DISALLOW_NULL_AUTHTOK : 0); +#ifndef UNSUPPORTED_POSIX_THREADS_HACK + extern char **environ; + char **env_from_pam; + u_int i; + const char *pam_user; + const char **ptr_pam_user = &pam_user; + + pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **)ptr_pam_user); + environ[0] = NULL; + + if (sshpam_authctxt != NULL) { + setproctitle("%s [pam]", + sshpam_authctxt->valid ? pam_user : "unknown"); + } +#endif + + sshpam_conv.conv = sshpam_thread_conv; + sshpam_conv.appdata_ptr = ctxt; + + if (sshpam_authctxt == NULL) + fatal("%s: PAM authctxt not initialized", __func__); + + buffer_init(&buffer); + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&sshpam_conv); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_err = pam_authenticate(sshpam_handle, flags); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + + if (compat20) { + if (!do_pam_account()) + goto auth_fail; + if (sshpam_authctxt->force_pwchange) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_password_change_required(0); + } + } + + buffer_put_cstring(&buffer, "OK"); + +#ifndef UNSUPPORTED_POSIX_THREADS_HACK + /* Export variables set by do_pam_account */ + buffer_put_int(&buffer, sshpam_account_status); + buffer_put_int(&buffer, sshpam_authctxt->force_pwchange); + + /* Export any environment strings set in child */ + for(i = 0; environ[i] != NULL; i++) + ; /* Count */ + buffer_put_int(&buffer, i); + for(i = 0; environ[i] != NULL; i++) + buffer_put_cstring(&buffer, environ[i]); + + /* Export any environment strings set by PAM in child */ + env_from_pam = pam_getenvlist(sshpam_handle); + for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) + ; /* Count */ + buffer_put_int(&buffer, i); + for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) + buffer_put_cstring(&buffer, env_from_pam[i]); +#endif /* UNSUPPORTED_POSIX_THREADS_HACK */ + + /* XXX - can't do much about an error here */ + ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); + buffer_free(&buffer); + pthread_exit(NULL); + + auth_fail: + buffer_put_cstring(&buffer, + pam_strerror(sshpam_handle, sshpam_err)); + /* XXX - can't do much about an error here */ + ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); + buffer_free(&buffer); + pthread_exit(NULL); + + return (NULL); /* Avoid warning for non-pthread case */ +} + +void +sshpam_thread_cleanup(void) +{ + struct pam_ctxt *ctxt = cleanup_ctxt; + + debug3("PAM: %s entering", __func__); + if (ctxt != NULL && ctxt->pam_thread != 0) { + pthread_cancel(ctxt->pam_thread); + pthread_join(ctxt->pam_thread, NULL); + close(ctxt->pam_psock); + close(ctxt->pam_csock); + memset(ctxt, 0, sizeof(*ctxt)); + cleanup_ctxt = NULL; + } +} + +static int +sshpam_null_conv(int n, sshpam_const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + debug3("PAM: %s entering, %d messages", __func__, n); + return (PAM_CONV_ERR); +} + +static struct pam_conv null_conv = { sshpam_null_conv, NULL }; + +static int +sshpam_store_conv(int n, sshpam_const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + struct pam_response *reply; + int i; + size_t len; + + debug3("PAM: %s called with %d messages", __func__, n); + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + len = strlen(PAM_MSG_MEMBER(msg, i, msg)); + buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); + buffer_append(&loginmsg, "\n", 1 ); + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv store_conv = { sshpam_store_conv, NULL }; + +void +sshpam_cleanup(void) +{ + debug("PAM: cleanup"); + if (sshpam_handle == NULL) + return; + pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); + if (sshpam_cred_established) { + pam_setcred(sshpam_handle, PAM_DELETE_CRED); + sshpam_cred_established = 0; + } + if (sshpam_session_open) { + pam_close_session(sshpam_handle, PAM_SILENT); + sshpam_session_open = 0; + } + sshpam_authenticated = 0; + pam_end(sshpam_handle, sshpam_err); + sshpam_handle = NULL; +} + +static int +sshpam_init(Authctxt *authctxt) +{ + extern char *__progname; + const char *pam_rhost, *pam_user, *user = authctxt->user; + const char **ptr_pam_user = &pam_user; + + if (sshpam_handle != NULL) { + /* We already have a PAM context; check if the user matches */ + sshpam_err = pam_get_item(sshpam_handle, + PAM_USER, (sshpam_const void **)ptr_pam_user); + if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) + return (0); + pam_end(sshpam_handle, sshpam_err); + sshpam_handle = NULL; + } + debug("PAM: initializing for \"%s\"", user); + sshpam_err = + pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); + sshpam_authctxt = authctxt; + + if (sshpam_err != PAM_SUCCESS) { + pam_end(sshpam_handle, sshpam_err); + sshpam_handle = NULL; + return (-1); + } + pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns); + debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); + sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); + if (sshpam_err != PAM_SUCCESS) { + pam_end(sshpam_handle, sshpam_err); + sshpam_handle = NULL; + return (-1); + } +#ifdef PAM_TTY_KLUDGE + /* + * Some silly PAM modules (e.g. pam_time) require a TTY to operate. + * sshd doesn't set the tty until too late in the auth process and + * may not even set one (for tty-less connections) + */ + debug("PAM: setting PAM_TTY to \"ssh\""); + sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh"); + if (sshpam_err != PAM_SUCCESS) { + pam_end(sshpam_handle, sshpam_err); + sshpam_handle = NULL; + return (-1); + } +#endif + return (0); +} + +static void * +sshpam_init_ctx(Authctxt *authctxt) +{ + struct pam_ctxt *ctxt; + int socks[2]; + + debug3("PAM: %s entering", __func__); + /* Refuse to start if we don't have PAM enabled */ + if (!options.use_pam) + return NULL; + + /* Initialize PAM */ + if (sshpam_init(authctxt) == -1) { + error("PAM: initialization failed"); + return (NULL); + } + + ctxt = xmalloc(sizeof *ctxt); + memset(ctxt, 0, sizeof(*ctxt)); + + /* Start the authentication thread */ + if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { + error("PAM: failed create sockets: %s", strerror(errno)); + xfree(ctxt); + return (NULL); + } + ctxt->pam_psock = socks[0]; + ctxt->pam_csock = socks[1]; + if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) { + error("PAM: failed to start authentication thread: %s", + strerror(errno)); + close(socks[0]); + close(socks[1]); + xfree(ctxt); + return (NULL); + } + cleanup_ctxt = ctxt; + return (ctxt); +} + +static int +sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) +{ + Buffer buffer; + struct pam_ctxt *ctxt = ctx; + size_t plen; + u_char type; + char *msg; + size_t len, mlen; + + debug3("PAM: %s entering", __func__); + buffer_init(&buffer); + *name = xstrdup(""); + *info = xstrdup(""); + *prompts = xmalloc(sizeof(char *)); + **prompts = NULL; + plen = 0; + *echo_on = xmalloc(sizeof(u_int)); + while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) { + type = buffer_get_char(&buffer); + msg = buffer_get_string(&buffer, NULL); + mlen = strlen(msg); + switch (type) { + case PAM_PROMPT_ECHO_ON: + case PAM_PROMPT_ECHO_OFF: + *num = 1; + len = plen + mlen + 1; + **prompts = xrealloc(**prompts, len); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; + **echo_on = (type == PAM_PROMPT_ECHO_ON); + xfree(msg); + return (0); + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + /* accumulate messages */ + len = plen + mlen + 2; + **prompts = xrealloc(**prompts, len); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; + strlcat(**prompts + plen, "\n", len - plen); + plen++; + xfree(msg); + break; + case PAM_SUCCESS: + case PAM_AUTH_ERR: + if (**prompts != NULL) { + /* drain any accumulated messages */ + debug("PAM: %s", **prompts); + buffer_append(&loginmsg, **prompts, + strlen(**prompts)); + xfree(**prompts); + **prompts = NULL; + } + if (type == PAM_SUCCESS) { + if (!sshpam_authctxt->valid || + (sshpam_authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); + import_environments(&buffer); + *num = 0; + **echo_on = 0; + ctxt->pam_done = 1; + xfree(msg); + return (0); + } + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, + get_remote_name_or_ip(utmp_len, options.use_dns)); + /* FALLTHROUGH */ + default: + *num = 0; + **echo_on = 0; + xfree(msg); + ctxt->pam_done = -1; + return (-1); + } + } + return (-1); +} + +/* XXX - see also comment in auth-chall.c:verify_response */ +static int +sshpam_respond(void *ctx, u_int num, char **resp) +{ + Buffer buffer; + struct pam_ctxt *ctxt = ctx; + + debug2("PAM: %s entering, %d responses", __func__, num); + switch (ctxt->pam_done) { + case 1: + sshpam_authenticated = 1; + return (0); + case 0: + break; + default: + return (-1); + } + if (num != 1) { + error("PAM: expected one response, got %u", num); + return (-1); + } + buffer_init(&buffer); + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + buffer_put_cstring(&buffer, *resp); + else + buffer_put_cstring(&buffer, badpw); + if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { + buffer_free(&buffer); + return (-1); + } + buffer_free(&buffer); + return (1); +} + +static void +sshpam_free_ctx(void *ctxtp) +{ + struct pam_ctxt *ctxt = ctxtp; + + debug3("PAM: %s entering", __func__); + sshpam_thread_cleanup(); + xfree(ctxt); + /* + * We don't call sshpam_cleanup() here because we may need the PAM + * handle at a later stage, e.g. when setting up a session. It's + * still on the cleanup list, so pam_end() *will* be called before + * the server process terminates. + */ +} + +KbdintDevice sshpam_device = { + "pam", + sshpam_init_ctx, + sshpam_query, + sshpam_respond, + sshpam_free_ctx +}; + +KbdintDevice mm_sshpam_device = { + "pam", + mm_sshpam_init_ctx, + mm_sshpam_query, + mm_sshpam_respond, + mm_sshpam_free_ctx +}; + +/* + * This replaces auth-pam.c + */ +void +start_pam(Authctxt *authctxt) +{ + if (!options.use_pam) + fatal("PAM: initialisation requested when UsePAM=no"); + + if (sshpam_init(authctxt) == -1) + fatal("PAM: initialisation failed"); +} + +void +finish_pam(void) +{ + sshpam_cleanup(); +} + +u_int +do_pam_account(void) +{ + debug("%s: called", __func__); + if (sshpam_account_status != -1) + return (sshpam_account_status); + + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); + debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, + pam_strerror(sshpam_handle, sshpam_err)); + + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + return (sshpam_account_status); + } + + if (sshpam_err == PAM_NEW_AUTHTOK_REQD) + sshpam_password_change_required(1); + + sshpam_account_status = 1; + return (sshpam_account_status); +} + +void +do_pam_set_tty(const char *tty) +{ + if (tty != NULL) { + debug("PAM: setting PAM_TTY to \"%s\"", tty); + sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_TTY: %s", + pam_strerror(sshpam_handle, sshpam_err)); + } +} + +void +do_pam_setcred(int init) +{ + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&store_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + if (init) { + debug("PAM: establishing credentials"); + sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); + } else { + debug("PAM: reinitializing credentials"); + sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED); + } + if (sshpam_err == PAM_SUCCESS) { + sshpam_cred_established = 1; + return; + } + if (sshpam_authenticated) + fatal("PAM: pam_setcred(): %s", + pam_strerror(sshpam_handle, sshpam_err)); + else + debug("PAM: pam_setcred(): %s", + pam_strerror(sshpam_handle, sshpam_err)); +} + +static int +sshpam_tty_conv(int n, sshpam_const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + char input[PAM_MAX_MSG_SIZE]; + struct pam_response *reply; + int i; + + debug3("PAM: %s called with %d messages", __func__, n); + + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_PROMPT_ECHO_OFF: + reply[i].resp = + read_passphrase(PAM_MSG_MEMBER(msg, i, msg), + RP_ALLOW_STDIN); + reply[i].resp_retcode = PAM_SUCCESS; + break; + case PAM_PROMPT_ECHO_ON: + fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); + fgets(input, sizeof input, stdin); + if ((reply[i].resp = strdup(input)) == NULL) + goto fail; + reply[i].resp_retcode = PAM_SUCCESS; + break; + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv tty_conv = { sshpam_tty_conv, NULL }; + +/* + * XXX this should be done in the authentication phase, but ssh1 doesn't + * support that + */ +void +do_pam_chauthtok(void) +{ + if (use_privsep) + fatal("Password expired (unable to change with privsep)"); + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&tty_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + debug("PAM: changing password"); + sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: pam_chauthtok(): %s", + pam_strerror(sshpam_handle, sshpam_err)); +} + +void +do_pam_session(void) +{ + debug3("PAM: opening session"); + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&store_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_err = pam_open_session(sshpam_handle, 0); + if (sshpam_err == PAM_SUCCESS) + sshpam_session_open = 1; + else { + sshpam_session_open = 0; + disable_forwarding(); + error("PAM: pam_open_session(): %s", + pam_strerror(sshpam_handle, sshpam_err)); + } + +} + +int +is_pam_session_open(void) +{ + return sshpam_session_open; +} + +/* + * Set a PAM environment string. We need to do this so that the session + * modules can handle things like Kerberos/GSI credentials that appear + * during the ssh authentication process. + */ +int +do_pam_putenv(char *name, char *value) +{ + int ret = 1; +#ifdef HAVE_PAM_PUTENV + char *compound; + size_t len; + + len = strlen(name) + strlen(value) + 2; + compound = xmalloc(len); + + snprintf(compound, len, "%s=%s", name, value); + ret = pam_putenv(sshpam_handle, compound); + xfree(compound); +#endif + + return (ret); +} + +char ** +fetch_pam_child_environment(void) +{ + return sshpam_env; +} + +char ** +fetch_pam_environment(void) +{ + return (pam_getenvlist(sshpam_handle)); +} + +void +free_pam_environment(char **env) +{ + char **envp; + + if (env == NULL) + return; + + for (envp = env; *envp; envp++) + xfree(*envp); + xfree(env); +} + +/* + * "Blind" conversation function for password authentication. Assumes that + * echo-off prompts are for the password and stores messages for later + * display. + */ +static int +sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + struct pam_response *reply; + int i; + size_t len; + + debug3("PAM: %s called with %d messages", __func__, n); + + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_PROMPT_ECHO_OFF: + if (sshpam_password == NULL) + goto fail; + if ((reply[i].resp = strdup(sshpam_password)) == NULL) + goto fail; + reply[i].resp_retcode = PAM_SUCCESS; + break; + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + len = strlen(PAM_MSG_MEMBER(msg, i, msg)); + if (len > 0) { + buffer_append(&loginmsg, + PAM_MSG_MEMBER(msg, i, msg), len); + buffer_append(&loginmsg, "\n", 1); + } + if ((reply[i].resp = strdup("")) == NULL) + goto fail; + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv passwd_conv = { sshpam_passwd_conv, NULL }; + +/* + * Attempt password authentication via PAM + */ +int +sshpam_auth_passwd(Authctxt *authctxt, const char *password) +{ + int flags = (options.permit_empty_passwd == 0 ? + PAM_DISALLOW_NULL_AUTHTOK : 0); + + if (!options.use_pam || sshpam_handle == NULL) + fatal("PAM: %s called when PAM disabled or failed to " + "initialise.", __func__); + + sshpam_password = password; + sshpam_authctxt = authctxt; + + /* + * If the user logging in is invalid, or is root but is not permitted + * by PermitRootLogin, use an invalid password to prevent leaking + * information via timing (eg if the PAM config has a delay on fail). + */ + if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) + sshpam_password = badpw; + + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&passwd_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: %s: failed to set PAM_CONV: %s", __func__, + pam_strerror(sshpam_handle, sshpam_err)); + + sshpam_err = pam_authenticate(sshpam_handle, flags); + sshpam_password = NULL; + if (sshpam_err == PAM_SUCCESS && authctxt->valid) { + debug("PAM: password authentication accepted for %.100s", + authctxt->user); + return 1; + } else { + debug("PAM: password authentication failed for %.100s: %s", + authctxt->valid ? authctxt->user : "an illegal user", + pam_strerror(sshpam_handle, sshpam_err)); + return 0; + } +} +#endif /* USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-pam.h openssh-4.2p1/auth-pam.h --- ssh-openbsd-2005090100/auth-pam.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/auth-pam.h Sat Sep 11 22:17:26 2004 @@ -0,0 +1,50 @@ +/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */ + +/* + * Copyright (c) 2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +#ifdef USE_PAM + +#if !defined(SSHD_PAM_SERVICE) +# define SSHD_PAM_SERVICE __progname +#endif + +void start_pam(Authctxt *); +void finish_pam(void); +u_int do_pam_account(void); +void do_pam_session(void); +void do_pam_set_tty(const char *); +void do_pam_setcred(int ); +void do_pam_chauthtok(void); +int do_pam_putenv(char *, char *); +char ** fetch_pam_environment(void); +char ** fetch_pam_child_environment(void); +void free_pam_environment(char **); +void sshpam_thread_cleanup(void); +void sshpam_cleanup(void); +int sshpam_auth_passwd(Authctxt *, const char *); +int is_pam_session_open(void); + +#endif /* USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-passwd.c openssh-4.2p1/auth-passwd.c --- ssh-openbsd-2005090100/auth-passwd.c Tue Jul 26 21:48:33 2005 +++ openssh-4.2p1/auth-passwd.c Tue Jul 26 21:54:12 2005 @@ -47,7 +47,6 @@ extern Buffer loginmsg; extern ServerOptions options; -int sys_auth_passwd(Authctxt *, const char *); #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; @@ -57,7 +56,7 @@ #define DAY (24L * 60 * 60) /* 1 day in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ -static void +void disable_forwarding(void) { no_port_forwarding_flag = 1; @@ -73,12 +72,18 @@ auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; - int ok = authctxt->valid; + int result, ok = authctxt->valid; +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + static int expire_checked = 0; +#endif +#ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; +#endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; + #ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); @@ -87,7 +92,31 @@ /* Fall back to ordinary passwd authentication. */ } #endif - return (sys_auth_passwd(authctxt, password) && ok); +#ifdef HAVE_CYGWIN + if (is_winnt) { + HANDLE hToken = cygwin_logon_user(pw, password); + + if (hToken == INVALID_HANDLE_VALUE) + return 0; + cygwin_set_impersonation_token(hToken); + return ok; + } +#endif +#ifdef USE_PAM + if (options.use_pam) + return (sshpam_auth_passwd(authctxt, password) && ok); +#endif +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + if (!expire_checked) { + expire_checked = 1; + if (auth_shadow_pwexpired(authctxt)) + authctxt->force_pwchange = 1; + } +#endif + result = sys_auth_passwd(authctxt, password); + if (authctxt->force_pwchange) + disable_forwarding(); + return (result && ok); } #ifdef BSD_AUTH @@ -149,26 +178,28 @@ return (auth_close(as)); } } -#else +#elif !defined(CUSTOM_SYS_AUTH_PASSWD) int sys_auth_passwd(Authctxt *authctxt, const char *password) { struct passwd *pw = authctxt->pw; char *encrypted_password; + /* Just use the supplied fake password if authctxt is invalid */ + char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; + /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) + if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) return (1); /* Encrypt the candidate password using the proper salt. */ - encrypted_password = crypt(password, - (pw->pw_passwd[0] && pw->pw_passwd[1]) ? - pw->pw_passwd : "xx"); + encrypted_password = xcrypt(password, + (pw_password[0] && pw_password[1]) ? pw_password : "xx"); /* * Authentication is accepted if the encrypted passwords * are identical. */ - return (strcmp(encrypted_password, pw->pw_passwd) == 0); + return (strcmp(encrypted_password, pw_password) == 0); } #endif diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-shadow.c openssh-4.2p1/auth-shadow.c --- ssh-openbsd-2005090100/auth-shadow.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/auth-shadow.c Sun Jul 17 17:04:47 2005 @@ -0,0 +1,138 @@ +/* + * Copyright (c) 2004 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +RCSID("$Id: auth-shadow.c,v 1.7 2005/07/17 07:04:47 djm Exp $"); + +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) +#include + +#include "auth.h" +#include "buffer.h" +#include "log.h" + +#ifdef DAY +# undef DAY +#endif +#define DAY (24L * 60 * 60) /* 1 day in seconds */ + +extern Buffer loginmsg; + +/* + * For the account and password expiration functions, we assume the expiry + * occurs the day after the day specified. + */ + +/* + * Check if specified account is expired. Returns 1 if account is expired, + * 0 otherwise. + */ +int +auth_shadow_acctexpired(struct spwd *spw) +{ + time_t today; + int daysleft; + char buf[256]; + + today = time(NULL) / DAY; + daysleft = spw->sp_expire - today; + debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today, + (int)spw->sp_expire, daysleft); + + if (spw->sp_expire == -1) { + debug3("account expiration disabled"); + } else if (daysleft < 0) { + logit("Account %.100s has expired", spw->sp_namp); + return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("account will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your account will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); + } + + return 0; +} + +/* + * Checks password expiry for platforms that use shadow passwd files. + * Returns: 1 = password expired, 0 = password not expired + */ +int +auth_shadow_pwexpired(Authctxt *ctxt) +{ + struct spwd *spw = NULL; + const char *user = ctxt->pw->pw_name; + char buf[256]; + time_t today; + int daysleft, disabled = 0; + + if ((spw = getspnam((char *)user)) == NULL) { + error("Could not get shadow information for %.100s", user); + return 0; + } + + today = time(NULL) / DAY; + debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today, + (int)spw->sp_lstchg, (int)spw->sp_max); + +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec()) { + struct pr_passwd *pr; + + pr = getprpwnam((char *)user); + + /* Test for Trusted Mode expiry disabled */ + if (pr != NULL && pr->ufld.fd_min == 0 && + pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 && + pr->ufld.fd_pw_expire_warning == 0 && + pr->ufld.fd_schange != 0) + disabled = 1; + } +#endif + + /* TODO: check sp_inact */ + daysleft = spw->sp_lstchg + spw->sp_max - today; + if (disabled) { + debug3("password expiration disabled"); + } else if (spw->sp_lstchg == 0) { + logit("User %.100s password has expired (root forced)", user); + return 1; + } else if (spw->sp_max == -1) { + debug3("password expiration disabled"); + } else if (daysleft < 0) { + logit("User %.100s password has expired (password aged)", user); + return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("password will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your password will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); + } + + return 0; +} +#endif /* USE_SHADOW && HAS_SHADOW_EXPIRE */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-sia.c openssh-4.2p1/auth-sia.c --- ssh-openbsd-2005090100/auth-sia.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/auth-sia.c Tue Apr 5 20:58:38 2005 @@ -0,0 +1,111 @@ +/* + * Copyright (c) 2002 Chris Adams. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef HAVE_OSF_SIA +#include "ssh.h" +#include "auth.h" +#include "auth-sia.h" +#include "log.h" +#include "servconf.h" +#include "canohost.h" +#include "uidswap.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +extern ServerOptions options; +extern int saved_argc; +extern char **saved_argv; + +int +sys_auth_passwd(Authctxt *authctxt, const char *pass) +{ + int ret; + SIAENTITY *ent = NULL; + const char *host; + + host = get_canonical_hostname(options.use_dns); + + if (!authctxt->user || pass == NULL || pass[0] == '\0') + return (0); + + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, + NULL, 0, NULL) != SIASUCCESS) + return (0); + + if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { + error("Couldn't authenticate %s from %s", + authctxt->user, host); + if (ret & SIASTOP) + sia_ses_release(&ent); + + return (0); + } + + sia_ses_release(&ent); + + return (1); +} + +void +session_setup_sia(struct passwd *pw, char *tty) +{ + SIAENTITY *ent = NULL; + const char *host; + + host = get_canonical_hostname(options.use_dns); + + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, + tty, 0, NULL) != SIASUCCESS) + fatal("sia_ses_init failed"); + + if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { + sia_ses_release(&ent); + fatal("sia_make_entity_pwd failed"); + } + + ent->authtype = SIA_A_NONE; + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't establish session for %s from %s", + pw->pw_name, host); + + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't launch session for %s from %s", + pw->pw_name, host); + + sia_ses_release(&ent); + + setuid(0); + permanently_set_uid(pw); +} + +#endif /* HAVE_OSF_SIA */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-sia.h openssh-4.2p1/auth-sia.h --- ssh-openbsd-2005090100/auth-sia.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/auth-sia.h Tue Apr 5 21:00:48 2005 @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2002 Chris Adams. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef HAVE_OSF_SIA + +void session_setup_sia(struct passwd *, char *); + +#endif /* HAVE_OSF_SIA */ diff -ruN --exclude CVS ssh-openbsd-2005090100/auth-skey.c openssh-4.2p1/auth-skey.c --- ssh-openbsd-2005090100/auth-skey.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth-skey.c Sun Jul 17 17:04:47 2005 @@ -47,7 +47,8 @@ int len; struct skey skey; - if (skeychallenge(&skey, authctxt->user, challenge) == -1) + if (_compat_skeychallenge(&skey, authctxt->user, challenge, + sizeof(challenge)) == -1) return -1; *name = xstrdup(""); diff -ruN --exclude CVS ssh-openbsd-2005090100/auth.c openssh-4.2p1/auth.c --- ssh-openbsd-2005090100/auth.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth.c Thu Sep 1 02:59:49 2005 @@ -25,7 +25,16 @@ #include "includes.h" RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $"); +#ifdef HAVE_LOGIN_H +#include +#endif +#ifdef USE_SHADOW +#include +#endif + +#ifdef HAVE_LIBGEN_H #include +#endif #include "xmalloc.h" #include "match.h" @@ -41,9 +50,12 @@ #include "misc.h" #include "bufaux.h" #include "packet.h" +#include "loginrec.h" +#include "monitor_wrap.h" /* import */ extern ServerOptions options; +extern Buffer loginmsg; /* Debugging messages */ Buffer auth_debug; @@ -62,14 +74,65 @@ allowed_user(struct passwd * pw) { struct stat st; - const char *hostname = NULL, *ipaddr = NULL; + const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; char *shell; u_int i; +#ifdef USE_SHADOW + struct spwd *spw = NULL; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; +#ifdef USE_SHADOW + if (!options.use_pam) + spw = getspnam(pw->pw_name); +#ifdef HAS_SHADOW_EXPIRE + if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) + return 0; +#endif /* HAS_SHADOW_EXPIRE */ +#endif /* USE_SHADOW */ + + /* grab passwd field for locked account check */ +#ifdef USE_SHADOW + if (spw != NULL) +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) + passwd = get_iaf_password(pw); +#else + passwd = spw->sp_pwdp; +#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ +#else + passwd = pw->pw_passwd; +#endif + + /* check for locked account */ + if (!options.use_pam && passwd && *passwd) { + int locked = 0; + +#ifdef LOCKED_PASSWD_STRING + if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_PREFIX + if (strncmp(passwd, LOCKED_PASSWD_PREFIX, + strlen(LOCKED_PASSWD_PREFIX)) == 0) + locked = 1; +#endif +#ifdef LOCKED_PASSWD_SUBSTR + if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) + locked = 1; +#endif +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) + free(passwd); +#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ + if (locked) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); + return 0; + } + } + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. @@ -152,6 +215,12 @@ } ga_free(); } + +#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER + if (!sys_auth_allowed_user(pw, &loginmsg)) + return 0; +#endif + /* We found no reason not to let this user try to log on... */ return 1; } @@ -182,6 +251,53 @@ get_remote_ipaddr(), get_remote_port(), info); + +#ifdef CUSTOM_FAILED_LOGIN + if (authenticated == 0 && !authctxt->postponed && + (strcmp(method, "password") == 0 || + strncmp(method, "keyboard-interactive", 20) == 0 || + strcmp(method, "challenge-response") == 0)) + record_failed_login(authctxt->user, + get_canonical_hostname(options.use_dns), "ssh"); +#endif +#ifdef SSH_AUDIT_EVENTS + if (authenticated == 0 && !authctxt->postponed) { + ssh_audit_event_t event; + + debug3("audit failed auth attempt, method %s euid %d", + method, (int)geteuid()); + /* + * Because the auth loop is used in both monitor and slave, + * we must be careful to send each event only once and with + * enough privs to write the event. + */ + event = audit_classify_auth(method); + switch(event) { + case SSH_AUTH_FAIL_NONE: + case SSH_AUTH_FAIL_PASSWD: + case SSH_AUTH_FAIL_KBDINT: + if (geteuid() == 0) + audit_event(event); + break; + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: + /* + * This is required to handle the case where privsep + * is enabled but it's root logging in, since + * use_privsep won't be cleared until after a + * successful login. + */ + if (geteuid() == 0) + audit_event(event); + else + PRIVSEP(audit_event(event)); + break; + default: + error("unknown authentication audit event %d", event); + } + } +#endif } /* @@ -380,6 +496,13 @@ if (pw == NULL) { logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); +#ifdef CUSTOM_FAILED_LOGIN + record_failed_login(user, + get_canonical_hostname(options.use_dns), "ssh"); +#endif +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_INVALID_USER); +#endif /* SSH_AUDIT_EVENTS */ return (NULL); } if (!allowed_user(pw)) @@ -456,7 +579,9 @@ fake.pw_gecos = "NOUSER"; fake.pw_uid = (uid_t)-1; fake.pw_gid = (gid_t)-1; +#ifdef HAVE_PW_CLASS_IN_PASSWD fake.pw_class = ""; +#endif fake.pw_dir = "/nonexist"; fake.pw_shell = "/nonexist"; diff -ruN --exclude CVS ssh-openbsd-2005090100/auth.h openssh-4.2p1/auth.h --- ssh-openbsd-2005090100/auth.h Sat Jul 16 11:30:57 2005 +++ openssh-4.2p1/auth.h Thu Jul 7 11:50:20 2005 @@ -30,6 +30,7 @@ #include "key.h" #include "hostfile.h" +#include "buffer.h" #include #ifdef HAVE_LOGIN_CAP @@ -66,7 +67,9 @@ krb5_ccache krb5_fwd_ccache; krb5_principal krb5_user; char *krb5_ticket_file; + char *krb5_ccname; #endif + Buffer *loginmsg; void *methoddata; }; /* @@ -122,11 +125,24 @@ void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) +#include +int auth_shadow_acctexpired(struct spwd *); +int auth_shadow_pwexpired(Authctxt *); +#endif + +#include "auth-pam.h" +#include "audit.h" +void remove_kbdint_device(const char *); + +void disable_forwarding(void); + void do_authentication(Authctxt *); void do_authentication2(Authctxt *); void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); +void userauth_send_banner(const char *); int auth_root_allowed(char *); char *auth2_read_banner(void); @@ -145,6 +161,7 @@ char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); +void abandon_challenge_response(Authctxt *); char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); @@ -169,7 +186,14 @@ struct passwd *fakepw(void); +int sys_auth_passwd(Authctxt *, const char *); + #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #define SKEY_PROMPT "\nS/Key Password: " + +#if defined(KRB5) && !defined(HEIMDAL) +#include +krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); +#endif #endif diff -ruN --exclude CVS ssh-openbsd-2005090100/auth1.c openssh-4.2p1/auth1.c --- ssh-openbsd-2005090100/auth1.c Sat Jul 16 11:35:24 2005 +++ openssh-4.2p1/auth1.c Sun Jul 17 17:26:44 2005 @@ -25,9 +25,11 @@ #include "session.h" #include "uidswap.h" #include "monitor_wrap.h" +#include "buffer.h" /* import */ extern ServerOptions options; +extern Buffer loginmsg; static int auth1_process_password(Authctxt *, char *, size_t); static int auth1_process_rsa(Authctxt *, char *, size_t); @@ -35,6 +37,8 @@ static int auth1_process_tis_challenge(Authctxt *, char *, size_t); static int auth1_process_tis_response(Authctxt *, char *, size_t); +static char *client_user = NULL; /* Used to fill in remote user for PAM */ + struct AuthMethod1 { int type; char *name; @@ -138,7 +142,6 @@ { int keybits, authenticated = 0; u_int bits; - char *client_user; Key *client_host_key; u_int ulen; @@ -168,7 +171,6 @@ key_free(client_host_key); snprintf(info, infolen, " ruser %.100s", client_user); - xfree(client_user); return (authenticated); } @@ -216,7 +218,7 @@ { int authenticated = 0; char info[1024]; - int type = 0; + int prev = 0, type = 0; const struct AuthMethod1 *meth; debug("Attempting authentication for %s%.100s.", @@ -228,8 +230,13 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { - auth_log(authctxt, 1, "without authentication", ""); - return; +#ifdef USE_PAM + if (options.use_pam && (PRIVSEP(do_pam_account()))) +#endif + { + auth_log(authctxt, 1, "without authentication", ""); + return; + } } /* Indicate that authentication is needed. */ @@ -244,7 +251,20 @@ info[0] = '\0'; /* Get a packet from the client. */ + prev = type; type = packet_read(); + + /* + * If we started challenge-response authentication but the + * next packet is not a response to our challenge, release + * the resources allocated by get_challenge() (which would + * normally have been released by verify_response() had we + * received such a response) + */ + if (prev == SSH_CMSG_AUTH_TIS && + type != SSH_CMSG_AUTH_TIS_RESPONSE) + abandon_challenge_response(authctxt); + if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); @@ -270,20 +290,71 @@ fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +#ifdef _UNICOS + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + +#ifdef HAVE_CYGWIN + if (authenticated && + !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, + authctxt->pw)) { + packet_disconnect("Authentication rejected for uid %d.", + authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid); + authenticated = 0; + } +#else /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && - !auth_root_allowed(meth->name)) - authenticated = 0; + !auth_root_allowed(meth->name)) { + authenticated = 0; +# ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); +# endif + } +#endif +#ifdef USE_PAM + if (options.use_pam && authenticated && + !PRIVSEP(do_pam_account())) { + char *msg; + size_t len; + + error("Access denied for user %s by PAM account " + "configuration", authctxt->user); + len = buffer_len(&loginmsg); + buffer_append(&loginmsg, "\0", 1); + msg = buffer_ptr(&loginmsg); + /* strip trailing newlines */ + if (len > 0) + while (len > 0 && msg[--len] == '\n') + msg[len] = '\0'; + else + msg = "Access denied."; + packet_disconnect(msg); + } +#endif + skip: /* Log before sending the reply */ auth_log(authctxt, authenticated, get_authname(type), info); + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; + } + if (authenticated) return; - if (authctxt->failures++ > options.max_authtries) + if (authctxt->failures++ > options.max_authtries) { +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); +#endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } packet_start(SSH_SMSG_FAILURE); packet_send(); @@ -325,13 +396,20 @@ setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); +#endif + /* * If we are not running as root, the user must have the same uid as * the server. */ +#ifndef HAVE_CYGWIN if (!use_privsep && getuid() != 0 && authctxt->pw && authctxt->pw->pw_uid != getuid()) packet_disconnect("Cannot change user when server not running as root."); +#endif /* * Loop until the user has been authenticated or the connection is diff -ruN --exclude CVS ssh-openbsd-2005090100/auth2-chall.c openssh-4.2p1/auth2-chall.c --- ssh-openbsd-2005090100/auth2-chall.c Sun Jul 17 17:17:54 2005 +++ openssh-4.2p1/auth2-chall.c Sun Jul 17 17:22:45 2005 @@ -32,7 +32,11 @@ #include "xmalloc.h" #include "dispatch.h" #include "log.h" +#include "servconf.h" +/* import */ +extern ServerOptions options; + static int auth2_challenge_start(Authctxt *); static int send_userauth_info_request(Authctxt *); static void input_userauth_info_response(int, u_int32_t, void *); @@ -40,6 +44,9 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; #else +#ifdef USE_PAM +extern KbdintDevice sshpam_device; +#endif #ifdef SKEY extern KbdintDevice skey_device; #endif @@ -49,6 +56,9 @@ #ifdef BSD_AUTH &bsdauth_device, #else +#ifdef USE_PAM + &sshpam_device, +#endif #ifdef SKEY &skey_device, #endif @@ -65,6 +75,21 @@ u_int nreq; }; +#ifdef USE_PAM +void +remove_kbdint_device(const char *devname) +{ + int i, j; + + for (i = 0; devices[i] != NULL; i++) + if (strcmp(devices[i]->name, devname) == 0) { + for (j = i; devices[j] != NULL; j++) + devices[j] = devices[j+1]; + i--; + } +} +#endif + static KbdintAuthctxt * kbdint_alloc(const char *devs) { @@ -72,6 +97,11 @@ Buffer b; int i; +#ifdef USE_PAM + if (!options.use_pam) + remove_kbdint_device("pam"); +#endif + kbdintctxt = xmalloc(sizeof(KbdintAuthctxt)); if (strcmp(devs, "") == 0) { buffer_init(&b); @@ -313,18 +343,27 @@ void privsep_challenge_enable(void) { +#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY) + int n = 0; +#endif #ifdef BSD_AUTH extern KbdintDevice mm_bsdauth_device; #endif +#ifdef USE_PAM + extern KbdintDevice mm_sshpam_device; +#endif #ifdef SKEY extern KbdintDevice mm_skey_device; #endif - /* As long as SSHv1 has devices[0] hard coded this is fine */ + #ifdef BSD_AUTH - devices[0] = &mm_bsdauth_device; + devices[n++] = &mm_bsdauth_device; #else +#ifdef USE_PAM + devices[n++] = &mm_sshpam_device; +#endif #ifdef SKEY - devices[0] = &mm_skey_device; + devices[n++] = &mm_skey_device; #endif #endif } diff -ruN --exclude CVS ssh-openbsd-2005090100/auth2-kbdint.c openssh-4.2p1/auth2-kbdint.c --- ssh-openbsd-2005090100/auth2-kbdint.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth2-kbdint.c Sat Sep 11 22:42:09 2004 @@ -51,6 +51,10 @@ xfree(devs); xfree(lang); +#ifdef HAVE_CYGWIN + if (check_nt_auth(0, authctxt->pw) == 0) + authenticated = 0; +#endif return authenticated; } diff -ruN --exclude CVS ssh-openbsd-2005090100/auth2-none.c openssh-4.2p1/auth2-none.c --- ssh-openbsd-2005090100/auth2-none.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth2-none.c Sat Sep 11 23:07:03 2004 @@ -74,6 +74,19 @@ return (banner); } +void +userauth_send_banner(const char *msg) +{ + if (datafellows & SSH_BUG_BANNER) + return; + + packet_start(SSH2_MSG_USERAUTH_BANNER); + packet_put_cstring(msg); + packet_put_cstring(""); /* language, unused */ + packet_send(); + debug("%s: sent", __func__); +} + static void userauth_banner(void) { @@ -84,12 +97,8 @@ if ((banner = PRIVSEP(auth2_read_banner())) == NULL) goto done; + userauth_send_banner(banner); - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(banner); - packet_put_cstring(""); /* language, unused */ - packet_send(); - debug("userauth_banner: sent"); done: if (banner) xfree(banner); @@ -101,6 +110,10 @@ none_enabled = 0; packet_check_eom(); userauth_banner(); +#ifdef HAVE_CYGWIN + if (check_nt_auth(1, authctxt->pw) == 0) + return (0); +#endif if (options.password_authentication) return (PRIVSEP(auth_password(authctxt, ""))); return (0); diff -ruN --exclude CVS ssh-openbsd-2005090100/auth2-passwd.c openssh-4.2p1/auth2-passwd.c --- ssh-openbsd-2005090100/auth2-passwd.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth2-passwd.c Sat Sep 11 22:42:09 2004 @@ -57,6 +57,10 @@ logit("password change not supported"); else if (PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; +#ifdef HAVE_CYGWIN + if (check_nt_auth(1, authctxt->pw) == 0) + authenticated = 0; +#endif memset(password, 0, len); xfree(password); return authenticated; diff -ruN --exclude CVS ssh-openbsd-2005090100/auth2-pubkey.c openssh-4.2p1/auth2-pubkey.c --- ssh-openbsd-2005090100/auth2-pubkey.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth2-pubkey.c Sat Dec 11 13:39:50 2004 @@ -158,6 +158,10 @@ key_free(key); xfree(pkalg); xfree(pkblob); +#ifdef HAVE_CYGWIN + if (check_nt_auth(0, authctxt->pw) == 0) + authenticated = 0; +#endif return authenticated; } diff -ruN --exclude CVS ssh-openbsd-2005090100/auth2.c openssh-4.2p1/auth2.c --- ssh-openbsd-2005090100/auth2.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/auth2.c Sun Jul 17 17:26:44 2005 @@ -35,6 +35,7 @@ #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -44,6 +45,7 @@ extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +extern Buffer loginmsg; /* methods */ @@ -150,16 +152,27 @@ if (authctxt->attempt++ == 0) { /* setup auth context */ authctxt->pw = PRIVSEP(getpwnamallow(user)); + authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); +#endif } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); +#endif +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); +#endif } setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); - authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; if (use_privsep) @@ -204,9 +217,35 @@ /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && - !auth_root_allowed(method)) + !auth_root_allowed(method)) { authenticated = 0; +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); +#endif + } +#ifdef USE_PAM + if (options.use_pam && authenticated) { + if (!PRIVSEP(do_pam_account())) { + /* if PAM returned a message, send it to the user */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + userauth_send_banner(buffer_ptr(&loginmsg)); + packet_write_wait(); + } + fatal("Access denied for user %s by PAM account " + "configuration", authctxt->user); + } + } +#endif + +#ifdef _UNICOS + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -223,8 +262,12 @@ /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > options.max_authtries) + if (authctxt->failures++ > options.max_authtries) { +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); +#endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); diff -ruN --exclude CVS ssh-openbsd-2005090100/authfile.c openssh-4.2p1/authfile.c --- ssh-openbsd-2005090100/authfile.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/authfile.c Fri Jun 17 12:59:35 2005 @@ -519,6 +519,9 @@ * permissions of the file. if the key owned by a different user, * then we don't care. */ +#ifdef HAVE_CYGWIN + if (check_ntsec(filename)) +#endif if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); diff -ruN --exclude CVS ssh-openbsd-2005090100/buildpkg.sh.in openssh-4.2p1/buildpkg.sh.in --- ssh-openbsd-2005090100/buildpkg.sh.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/buildpkg.sh.in Fri May 13 03:32:20 2005 @@ -0,0 +1,562 @@ +#!/bin/sh +# +# Fake Root Solaris/SVR4/SVR5 Build System - Prototype +# +# The following code has been provide under Public Domain License. I really +# don't care what you use it for. Just as long as you don't complain to me +# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org) +# +umask 022 +# +# Options for building the package +# You can create a openssh-config.local with your customized options +# +REMOVE_FAKE_ROOT_WHEN_DONE=yes +# +# uncommenting TEST_DIR and using +# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty +# and +# PKGNAME=tOpenSSH should allow testing a package without interfering +# with a real OpenSSH package on a system. This is not needed on systems +# that support the -R option to pkgadd. +#TEST_DIR=/var/tmp # leave commented out for production build +PKGNAME=OpenSSH +# revisions within the same version (REV=a) +#REV= +SYSVINIT_NAME=opensshd +MAKE=${MAKE:="make"} +SSHDUID=67 # Default privsep uid +SSHDGID=67 # Default privsep gid +# uncomment these next three as needed +#PERMIT_ROOT_LOGIN=no +#X11_FORWARDING=yes +#USR_LOCAL_IS_SYMLINK=yes +# System V init run levels +SYSVINITSTART=S98 +SYSVINITSTOPT=K30 +# We will source these if they exist +POST_MAKE_INSTALL_FIXES=./pkg_post_make_install_fixes.sh +POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh +# We'll be one level deeper looking for these +PKG_PREINSTALL_LOCAL=../pkg-preinstall.local +PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local +PKG_PREREMOVE_LOCAL=../pkg-preremove.local +PKG_POSTREMOVE_LOCAL=../pkg-postremove.local +PKG_REQUEST_LOCAL=../pkg-request.local +# end of sourced files +# +OPENSSHD=opensshd.init + +PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@ +PATH_USERADD_PROG=@PATH_USERADD_PROG@ +PATH_PASSWD_PROG=@PATH_PASSWD_PROG@ +# +# list of system directories we do NOT want to change owner/group/perms +# when installing our package +SYSTEM_DIR="/etc \ +/etc/init.d \ +/etc/rcS.d \ +/etc/rc0.d \ +/etc/rc1.d \ +/etc/rc2.d \ +/etc/opt \ +/opt \ +/opt/bin \ +/usr \ +/usr/bin \ +/usr/lib \ +/usr/sbin \ +/usr/share \ +/usr/share/man \ +/usr/share/man/man1 \ +/usr/share/man/man8 \ +/usr/local \ +/usr/local/bin \ +/usr/local/etc \ +/usr/local/libexec \ +/usr/local/man \ +/usr/local/man/man1 \ +/usr/local/man/man8 \ +/usr/local/sbin \ +/usr/local/share \ +/var \ +/var/opt \ +/var/run \ +/var/tmp \ +/tmp" + +# We may need to build as root so we make sure PATH is set up +# only set the path if it's not set already +[ -d /opt/bin ] && { + echo $PATH | grep ":/opt/bin" > /dev/null 2>&1 + [ $? -ne 0 ] && PATH=$PATH:/opt/bin +} +[ -d /usr/local/bin ] && { + echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 + [ $? -ne 0 ] && PATH=$PATH:/usr/local/bin +} +[ -d /usr/ccs/bin ] && { + echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1 + [ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin +} +export PATH +# + +[ -f Makefile ] || { + echo "Please run this script from your build directory" + exit 1 +} + +# we will look for openssh-config.local to override the above options +[ -s ./openssh-config.local ] && . ./openssh-config.local + +START=`pwd` +FAKE_ROOT=$START/pkg + +## Fill in some details, like prefix and sysconfdir +for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir +do + eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` +done + + +## Collect value of privsep user +for confvar in SSH_PRIVSEP_USER +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` +done + +## Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi + +## Extract common info requires for the 'info' part of the package. +VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` + +ARCH=`uname -m` +DEF_MSG="\n" +OS_VER=`uname -v` +SCRIPT_SHELL=/sbin/sh +UNAME_S=`uname -s` +case ${UNAME_S} in + SunOS) UNAME_S=Solaris + ARCH=`uname -p` + RCS_D=yes + DEF_MSG="(default: n)" + ;; + SCO_SV) UNAME_S=OpenServer + OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'` + SCRIPT_SHELL=/bin/sh + RC1_D=no + DEF_MSG="(default: n)" + ;; +esac + +case `basename $0` in + buildpkg.sh) +## Start by faking root install +echo "Faking root install..." +[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT +mkdir $FAKE_ROOT +${MAKE} install-nokeys DESTDIR=$FAKE_ROOT +if [ $? -gt 0 ] +then + echo "Fake root install failed, stopping." + exit 1 +fi + +## Setup our run level stuff while we are at it. +mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d + +cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} +chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} + +[ "${PERMIT_ROOT_LOGIN}" = no ] && \ + perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +[ "${X11_FORWARDING}" = yes ] && \ + perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +# fix PrintMotd +perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config + +# We don't want to overwrite config files on multiple installs +mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default +mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default +[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ] && \ +mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default + +# local tweeks here +[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES} + +cd $FAKE_ROOT + +## Ok, this is outright wrong, but it will work. I'm tired of pkgmk +## whining. +for i in *; do + PROTO_ARGS="$PROTO_ARGS $i=/$i"; +done + +## Build info file +echo "Building pkginfo file..." +cat > pkginfo << _EOF +PKG=$PKGNAME +NAME="OpenSSH Portable for ${UNAME_S}" +DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh." +VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html" +ARCH=$ARCH +VERSION=$VERSION$REV +CATEGORY="Security,application" +BASEDIR=/ +CLASSES="none" +PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`" +_EOF + +## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS +echo "Building depend file..." +touch depend + +## Build space file +echo "Building space file..." +cat > space << _EOF +# extra space required by start/stop links added by installf in postinstall +$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1 +$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1 +_EOF +[ "$RC1_D" = no ] || \ +echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space +[ "$RCS_D" = yes ] && \ +echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space + +## Build preinstall file +echo "Building preinstall file..." +cat > preinstall << _EOF +#! ${SCRIPT_SHELL} +# +_EOF + +# local preinstall changes here +[ -s "${PKG_PREINSTALL_LOCAL}" ] && . ${PKG_PREINSTALL_LOCAL} + +cat >> preinstall << _EOF +# +[ "\${PRE_INS_STOP}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop +exit 0 +_EOF + +## Build postinstall file +echo "Building postinstall file..." +cat > postinstall << _EOF +#! ${SCRIPT_SHELL} +# +[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\ + cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\ + \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config +[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\ + cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\ + \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config +[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ] && { + [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ] || \\ + cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\ + \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds +} + +# make rc?.d dirs only if we are doing a test install +[ -n "${TEST_DIR}" ] && { + [ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d + mkdir -p ${TEST_DIR}/etc/rc0.d + [ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d + mkdir -p ${TEST_DIR}/etc/rc2.d +} + +if [ "\${USE_SYM_LINKS}" = yes ] +then + [ "$RCS_D" = yes ] && \ +installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + [ "$RC1_D" = no ] || \ + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s +else + [ "$RCS_D" = yes ] && \ +installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + [ "$RC1_D" = no ] || \ + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l + installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l +fi + +# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh) +[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys + +_EOF + +# local postinstall changes here +[ -s "${PKG_POSTINSTALL_LOCAL}" ] && . ${PKG_POSTINSTALL_LOCAL} + +cat >> postinstall << _EOF +installf -f ${PKGNAME} + +# Use chroot to handle PKG_INSTALL_ROOT +if [ ! -z "\${PKG_INSTALL_ROOT}" ] +then + chroot="chroot \${PKG_INSTALL_ROOT}" +fi +# If this is a test build, we will skip the groupadd/useradd/passwd commands +if [ ! -z "${TEST_DIR}" ] +then + chroot=echo +fi + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null +then + echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" + echo "or group." +else + echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." + + # user required? + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." + SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\` + SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\` + else + DO_PASSWD=yes + fi + [ -z "\$SSH_PRIVSEP_GROUP" ] && SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER + + # group required? + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null + then + echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists." + else + DO_GROUP=yes + fi + + # create group if required + [ "\$DO_GROUP" = yes ] && { + # Use gid of 67 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + : + else + sshdgid="-g $SSHDGID" + fi + echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP." + \$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP + } + + # Create user if required + [ "\$DO_PASSWD" = yes ] && { + # Use uid of 67 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null + then + : + else + sshduid="-u $SSHDUID" + fi + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + \$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER + \$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER + } +fi + +[ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start +exit 0 +_EOF + +## Build preremove file +echo "Building preremove file..." +cat > preremove << _EOF +#! ${SCRIPT_SHELL} +# +${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop +_EOF + +# local preremove changes here +[ -s "${PKG_PREREMOVE_LOCAL}" ] && . ${PKG_PREREMOVE_LOCAL} + +cat >> preremove << _EOF +exit 0 +_EOF + +## Build postremove file +echo "Building postremove file..." +cat > postremove << _EOF +#! ${SCRIPT_SHELL} +# +_EOF + +# local postremove changes here +[ -s "${PKG_POSTREMOVE_LOCAL}" ] && . ${PKG_POSTREMOVE_LOCAL} + +cat >> postremove << _EOF +exit 0 +_EOF + +## Build request file +echo "Building request file..." +cat > request << _EOF +trap 'exit 3' 15 + +_EOF + +[ -x /usr/bin/ckyorn ] || cat >> request << _EOF + +ckyorn() { +# for some strange reason OpenServer has no ckyorn +# We build a striped down version here + +DEFAULT=n +PROMPT="Yes or No [yes,no,?,quit]" +HELP_PROMPT=" Enter y or yes if your answer is yes; n or no if your answer is no." +USAGE="usage: ckyorn [options] +where options may include: + -d default + -h help + -p prompt +" + +if [ \$# != 0 ] +then + while getopts d:p:h: c + do + case \$c in + h) HELP_PROMPT="\$OPTARG" ;; + d) DEFAULT=\$OPTARG ;; + p) PROMPT=\$OPTARG ;; + \\?) echo "\$USAGE" 1>&2 + exit 1 ;; + esac + done + shift \`expr \$OPTIND - 1\` +fi + +while true +do + echo "\${PROMPT}\\c " 1>&2 + read key + [ -z "\$key" ] && key=\$DEFAULT + case \$key in + [n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S]) echo "\${key}\\c" + exit 0 ;; + \\?) echo \$HELP_PROMPT 1>&2 ;; + q|quit) echo "q\\c" 1>&2 + exit 3 ;; + esac +done + +} + +_EOF + +cat >> request << _EOF +USE_SYM_LINKS=no +PRE_INS_STOP=no +POST_INS_START=no +# Use symbolic links? +ans=\`ckyorn -d n \ +-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$? +case \$ans in + [y,Y]*) USE_SYM_LINKS=yes ;; +esac + +# determine if should restart the daemon +if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ] +then + ans=\`ckyorn -d n \ +-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$? + case \$ans in + [y,Y]*) PRE_INS_STOP=yes + POST_INS_START=yes + ;; + esac + +else + +# determine if we should start sshd + ans=\`ckyorn -d n \ +-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$? + case \$ans in + [y,Y]*) POST_INS_START=yes ;; + esac +fi + +# make parameters available to installation service, +# and so to any other packaging scripts +cat >\$1 <> request << _EOF +exit 0 + +_EOF + +## Next Build our prototype +echo "Building prototype file..." +cat >mk-proto.awk << _EOF + BEGIN { print "i pkginfo"; print "i depend"; \\ + print "i preinstall"; print "i postinstall"; \\ + print "i preremove"; print "i postremove"; \\ + print "i request"; print "i space"; \\ + split("$SYSTEM_DIR",sys_files); } + { + for (dir in sys_files) { if ( \$3 != sys_files[dir] ) + { if ( \$1 == "s" ) + { \$5=""; \$6=""; } + else + { \$5="root"; \$6="sys"; } + } + else + { \$4="?"; \$5="?"; \$6="?"; break;} + } } + { print; } +_EOF + +find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \ + pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype + +# /usr/local is a symlink on some systems +[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && { + grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new + mv prototype.new prototype +} + +## Step back a directory and now build the package. +cd .. +# local prototype tweeks here +[ -s "${POST_PROTOTYPE_EDITS}" ] && . ${POST_PROTOTYPE_EDITS} + +echo "Building package.." +pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o +echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg + ;; + + justpkg.sh) +rm -fr ${FAKE_ROOT}/${PKGNAME} +grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp +mv $$tmp $FAKE_ROOT/pkginfo +cat >> $FAKE_ROOT/pkginfo << _EOF +PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`" +_EOF +pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o +echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg + ;; + +esac + +[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ] && rm -rf $FAKE_ROOT +exit 0 + diff -ruN --exclude CVS ssh-openbsd-2005090100/canohost.c openssh-4.2p1/canohost.c --- ssh-openbsd-2005090100/canohost.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/canohost.c Sun Jul 17 17:04:47 2005 @@ -46,6 +46,11 @@ if (from.ss_family == AF_INET) check_ip_options(sock, ntop); + ipv64_normalise_mapped(&from, &fromlen); + + if (from.ss_family == AF_INET6) + fromlen = sizeof(struct sockaddr_in6); + if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); @@ -134,6 +139,7 @@ static void check_ip_options(int sock, char *ipaddr) { +#ifdef IP_OPTIONS u_char options[200]; char text[sizeof(options) * 3 + 1]; socklen_t option_size; @@ -157,8 +163,34 @@ packet_disconnect("Connection from %.100s with IP options:%.800s", ipaddr, text); } +#endif /* IP_OPTIONS */ } +void +ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) +{ + struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; + struct sockaddr_in *a4 = (struct sockaddr_in *)addr; + struct in_addr inaddr; + u_int16_t port; + + if (addr->ss_family != AF_INET6 || + !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) + return; + + debug3("Normalising mapped IPv4 in IPv6 address"); + + memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); + port = a6->sin6_port; + + memset(addr, 0, sizeof(*a4)); + + a4->sin_family = AF_INET; + *len = sizeof(*a4); + memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); + a4->sin_port = port; +} + /* * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this @@ -215,6 +247,13 @@ < 0) return NULL; } + + /* Work around Linux IPv6 weirdness */ + if (addr.ss_family == AF_INET6) + addrlen = sizeof(struct sockaddr_in6); + + ipv64_normalise_mapped(&addr, &addrlen); + /* Get the address in ascii. */ if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), NULL, 0, flags)) != 0) { @@ -311,6 +350,11 @@ return -1; } } + + /* Work around Linux IPv6 weirdness */ + if (from.ss_family == AF_INET6) + fromlen = sizeof(struct sockaddr_in6); + /* Return port number. */ if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, strport, sizeof(strport), NI_NUMERICSERV)) != 0) diff -ruN --exclude CVS ssh-openbsd-2005090100/canohost.h openssh-4.2p1/canohost.h --- ssh-openbsd-2005090100/canohost.h Sat Jul 16 11:30:58 2005 +++ openssh-4.2p1/canohost.h Wed Feb 2 23:30:25 2005 @@ -23,3 +23,5 @@ int get_remote_port(void); int get_local_port(void); + +void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); diff -ruN --exclude CVS ssh-openbsd-2005090100/channels.c openssh-4.2p1/channels.c --- ssh-openbsd-2005090100/channels.c Sun Jul 17 17:17:54 2005 +++ openssh-4.2p1/channels.c Sun Jul 17 17:22:45 2005 @@ -192,6 +192,7 @@ } else { c->isatty = 0; } + c->wfd_isatty = isatty(c->wfd); /* enable nonblocking mode */ if (nonblock) { @@ -1417,6 +1418,11 @@ buffer_len(&c->output) > 0) { data = buffer_ptr(&c->output); dlen = buffer_len(&c->output); +#ifdef _AIX + /* XXX: Later AIX versions can't push as much data to tty */ + if (compat20 && c->wfd_isatty) + dlen = MIN(dlen, 8*1024); +#endif len = write(c->wfd, data, dlen); if (len < 0 && (errno == EINTR || errno == EAGAIN)) return 1; @@ -2282,7 +2288,11 @@ /* Bind the socket to the address. */ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { /* address can be in use ipv6 address is already bound */ - verbose("bind: %.100s", strerror(errno)); + if (!ai->ai_next) + error("bind: %.100s", strerror(errno)); + else + verbose("bind: %.100s", strerror(errno)); + close(sock); continue; } @@ -2464,6 +2474,7 @@ hostname = packet_get_string(NULL); host_port = packet_get_int(); +#ifndef HAVE_CYGWIN /* * Check that an unprivileged user is not trying to forward a * privileged port. @@ -2474,6 +2485,7 @@ port); if (host_port == 0) packet_disconnect("Dynamic forwarding denied."); +#endif /* Initiate forwarding */ channel_setup_local_fwd_listener(NULL, port, hostname, @@ -2675,10 +2687,23 @@ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); if (sock < 0) { - error("socket: %.100s", strerror(errno)); - freeaddrinfo(aitop); - return -1; + if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { + error("socket: %.100s", strerror(errno)); + freeaddrinfo(aitop); + return -1; + } else { + debug("x11_create_display_inet: Socket family %d not supported", + ai->ai_family); + continue; + } } +#ifdef IPV6_V6ONLY + if (ai->ai_family == AF_INET6) { + int on = 1; + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) + error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); + } +#endif if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { debug2("bind port %d: %.100s", port, strerror(errno)); close(sock); @@ -2693,8 +2718,17 @@ break; } socks[num_socks++] = sock; +#ifndef DONT_TRY_OTHER_AF if (num_socks == NUM_SOCKS) break; +#else + if (x11_use_localhost) { + if (num_socks == NUM_SOCKS) + break; + } else { + break; + } +#endif } freeaddrinfo(aitop); if (num_socks > 0) diff -ruN --exclude CVS ssh-openbsd-2005090100/channels.h openssh-4.2p1/channels.h --- ssh-openbsd-2005090100/channels.h Sun Jul 17 16:58:20 2005 +++ openssh-4.2p1/channels.h Sun Jul 17 17:19:25 2005 @@ -78,6 +78,7 @@ int sock; /* sock fd */ int ctl_fd; /* control fd (client sharing) */ int isatty; /* rfd is a tty */ + int wfd_isatty; /* wfd is a tty */ int client_tty; /* (client) TTY has been requested */ int force_drain; /* force close on iEOF */ int delayed; /* fdset hack */ diff -ruN --exclude CVS ssh-openbsd-2005090100/cipher-3des1.c openssh-4.2p1/cipher-3des1.c --- ssh-openbsd-2005090100/cipher-3des1.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/cipher-3des1.c Wed Dec 31 11:36:00 2003 @@ -29,6 +29,10 @@ #include "xmalloc.h" #include "log.h" +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + /* * This is used by SSH1: * @@ -77,6 +81,11 @@ EVP_CIPHER_CTX_init(&c->k1); EVP_CIPHER_CTX_init(&c->k2); EVP_CIPHER_CTX_init(&c->k3); +#ifdef SSH_OLD_EVP + EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc); + EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc); + EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc); +#else if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 || EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 || EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) { @@ -85,6 +94,7 @@ EVP_CIPHER_CTX_set_app_data(ctx, NULL); return (0); } +#endif return (1); } @@ -97,10 +107,16 @@ error("ssh1_3des_cbc: no context"); return (0); } +#ifdef SSH_OLD_EVP + EVP_Cipher(&c->k1, dest, (u_char *)src, len); + EVP_Cipher(&c->k2, dest, dest, len); + EVP_Cipher(&c->k3, dest, dest, len); +#else if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 || EVP_Cipher(&c->k2, dest, dest, len) == 0 || EVP_Cipher(&c->k3, dest, dest, len) == 0) return (0); +#endif return (1); } @@ -155,6 +171,8 @@ ssh1_3des.init = ssh1_3des_init; ssh1_3des.cleanup = ssh1_3des_cleanup; ssh1_3des.do_cipher = ssh1_3des_cbc; +#ifndef SSH_OLD_EVP ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH; +#endif return (&ssh1_3des); } diff -ruN --exclude CVS ssh-openbsd-2005090100/cipher-acss.c openssh-4.2p1/cipher-acss.c --- ssh-openbsd-2005090100/cipher-acss.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/cipher-acss.c Sun Jul 17 17:04:47 2005 @@ -0,0 +1,84 @@ +/* + * Copyright (c) 2004 The OpenBSD project + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include + +RCSID("$Id: cipher-acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $"); + +#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) + +#include "acss.h" + +#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data) + +typedef struct { + ACSS_KEY ks; +} EVP_ACSS_KEY; + +#define EVP_CTRL_SET_ACSS_MODE 0xff06 +#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07 + +static int +acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA); + return 1; +} + +static int +acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, + unsigned int inl) +{ + acss(&data(ctx)->ks,inl,in,out); + return 1; +} + +static int +acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) +{ + switch(type) { + case EVP_CTRL_SET_ACSS_MODE: + data(ctx)->ks.mode = arg; + return 1; + case EVP_CTRL_SET_ACSS_SUBKEY: + acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr); + return 1; + default: + return -1; + } +} + +const EVP_CIPHER * +evp_acss(void) +{ + static EVP_CIPHER acss_cipher; + + memset(&acss_cipher, 0, sizeof(EVP_CIPHER)); + + acss_cipher.nid = NID_undef; + acss_cipher.block_size = 1; + acss_cipher.key_len = 5; + acss_cipher.init = acss_init_key; + acss_cipher.do_cipher = acss_ciph; + acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY); + acss_cipher.ctrl = acss_ctrl; + + return (&acss_cipher); +} +#endif + diff -ruN --exclude CVS ssh-openbsd-2005090100/cipher-aes.c openssh-4.2p1/cipher-aes.c --- ssh-openbsd-2005090100/cipher-aes.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/cipher-aes.c Tue Dec 9 19:05:43 2003 @@ -0,0 +1,160 @@ +/* + * Copyright (c) 2003 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +#if OPENSSL_VERSION_NUMBER < 0x00907000L +RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); + +#include +#include "rijndael.h" +#include "xmalloc.h" +#include "log.h" + +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + +#define RIJNDAEL_BLOCKSIZE 16 +struct ssh_rijndael_ctx +{ + rijndael_ctx r_ctx; + u_char r_iv[RIJNDAEL_BLOCKSIZE]; +}; + +const EVP_CIPHER * evp_rijndael(void); +void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); + +static int +ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + int enc) +{ + struct ssh_rijndael_ctx *c; + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { + c = xmalloc(sizeof(*c)); + EVP_CIPHER_CTX_set_app_data(ctx, c); + } + if (key != NULL) { + if (enc == -1) + enc = ctx->encrypt; + rijndael_set_key(&c->r_ctx, (u_char *)key, + 8*EVP_CIPHER_CTX_key_length(ctx), enc); + } + if (iv != NULL) + memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE); + return (1); +} + +static int +ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, + u_int len) +{ + struct ssh_rijndael_ctx *c; + u_char buf[RIJNDAEL_BLOCKSIZE]; + u_char *cprev, *cnow, *plain, *ivp; + int i, j, blocks = len / RIJNDAEL_BLOCKSIZE; + + if (len == 0) + return (1); + if (len % RIJNDAEL_BLOCKSIZE) + fatal("ssh_rijndael_cbc: bad len %d", len); + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { + error("ssh_rijndael_cbc: no context"); + return (0); + } + if (ctx->encrypt) { + cnow = dest; + plain = (u_char *)src; + cprev = c->r_iv; + for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE, + cnow+=RIJNDAEL_BLOCKSIZE) { + for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) + buf[j] = plain[j] ^ cprev[j]; + rijndael_encrypt(&c->r_ctx, buf, cnow); + cprev = cnow; + } + memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE); + } else { + cnow = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE); + plain = dest+len-RIJNDAEL_BLOCKSIZE; + + memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE); + for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE, + plain-=RIJNDAEL_BLOCKSIZE) { + rijndael_decrypt(&c->r_ctx, cnow, plain); + ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE; + for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++) + plain[j] ^= ivp[j]; + } + memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE); + } + return (1); +} + +static int +ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx) +{ + struct ssh_rijndael_ctx *c; + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { + memset(c, 0, sizeof(*c)); + xfree(c); + EVP_CIPHER_CTX_set_app_data(ctx, NULL); + } + return (1); +} + +void +ssh_rijndael_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len) +{ + struct ssh_rijndael_ctx *c; + + if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL) + fatal("ssh_rijndael_iv: no context"); + if (doset) + memcpy(c->r_iv, iv, len); + else + memcpy(iv, c->r_iv, len); +} + +const EVP_CIPHER * +evp_rijndael(void) +{ + static EVP_CIPHER rijndal_cbc; + + memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER)); + rijndal_cbc.nid = NID_undef; + rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE; + rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE; + rijndal_cbc.key_len = 16; + rijndal_cbc.init = ssh_rijndael_init; + rijndal_cbc.cleanup = ssh_rijndael_cleanup; + rijndal_cbc.do_cipher = ssh_rijndael_cbc; +#ifndef SSH_OLD_EVP + rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; +#endif + return (&rijndal_cbc); +} +#endif /* OPENSSL_VERSION_NUMBER */ diff -ruN --exclude CVS ssh-openbsd-2005090100/cipher-bf1.c openssh-4.2p1/cipher-bf1.c --- ssh-openbsd-2005090100/cipher-bf1.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/cipher-bf1.c Tue Sep 23 22:12:38 2003 @@ -28,6 +28,11 @@ #include #include "xmalloc.h" #include "log.h" + +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + /* * SSH1 uses a variation on Blowfish, all bytes must be swapped before * and after encryption/decryption. Thus the swap_bytes stuff (yuk). @@ -54,6 +59,19 @@ } } +#ifdef SSH_OLD_EVP +static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + if (iv != NULL) + memcpy (&(ctx->oiv[0]), iv, 8); + memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8); + if (key != NULL) + BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx), + key); +} +#endif + static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL; static int @@ -75,6 +93,9 @@ memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER)); orig_bf = ssh1_bf.do_cipher; ssh1_bf.nid = NID_undef; +#ifdef SSH_OLD_EVP + ssh1_bf.init = bf_ssh1_init; +#endif ssh1_bf.do_cipher = bf_ssh1_cipher; ssh1_bf.key_len = 32; return (&ssh1_bf); diff -ruN --exclude CVS ssh-openbsd-2005090100/cipher-ctr.c openssh-4.2p1/cipher-ctr.c --- ssh-openbsd-2005090100/cipher-ctr.c Sun Jul 17 17:17:55 2005 +++ openssh-4.2p1/cipher-ctr.c Sun Jul 17 17:22:45 2005 @@ -17,11 +17,24 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $"); #include -#include #include "log.h" #include "xmalloc.h" +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#include "rijndael.h" +#define AES_KEY rijndael_ctx +#define AES_BLOCK_SIZE 16 +#define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b) +#define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1) +#else +#include +#endif + const EVP_CIPHER *evp_aes_128_ctr(void); void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); @@ -127,7 +140,9 @@ aes_ctr.init = ssh_aes_ctr_init; aes_ctr.cleanup = ssh_aes_ctr_cleanup; aes_ctr.do_cipher = ssh_aes_ctr; +#ifndef SSH_OLD_EVP aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; +#endif return (&aes_ctr); } diff -ruN --exclude CVS ssh-openbsd-2005090100/cipher.c openssh-4.2p1/cipher.c --- ssh-openbsd-2005090100/cipher.c Sat Jul 16 11:35:24 2005 +++ openssh-4.2p1/cipher.c Sun Jul 17 17:02:10 2005 @@ -43,6 +43,9 @@ #include +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" + extern const EVP_CIPHER *evp_ssh1_bf(void); extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); @@ -76,8 +79,9 @@ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr }, { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr }, { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr }, +#ifdef USE_CIPHER_ACSS { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss }, - +#endif { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL } }; @@ -190,8 +194,12 @@ int do_encrypt) { static int dowarn = 1; +#ifdef SSH_OLD_EVP + EVP_CIPHER *type; +#else const EVP_CIPHER *type; int klen; +#endif u_char *junk, *discard; if (cipher->number == SSH_CIPHER_DES) { @@ -216,6 +224,15 @@ type = (*cipher->evptype)(); EVP_CIPHER_CTX_init(&cc->evp); +#ifdef SSH_OLD_EVP + if (type->key_len > 0 && type->key_len != keylen) { + debug("cipher_init: set keylen (%d -> %d)", + type->key_len, keylen); + type->key_len = keylen; + } + EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv, + (do_encrypt == CIPHER_ENCRYPT)); +#else if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv, (do_encrypt == CIPHER_ENCRYPT)) == 0) fatal("cipher_init: EVP_CipherInit failed for %s", @@ -230,6 +247,7 @@ if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) fatal("cipher_init: EVP_CipherInit: set key failed for %s", cipher->name); +#endif if (cipher->discard_len > 0) { junk = xmalloc(cipher->discard_len); @@ -316,6 +334,11 @@ if ((u_int)evplen != len) fatal("%s: wrong iv length %d != %d", __func__, evplen, len); +#if OPENSSL_VERSION_NUMBER < 0x00907000L + if (c->evptype == evp_rijndael) + ssh_rijndael_iv(&cc->evp, 0, iv, len); + else +#endif if (c->evptype == evp_aes_128_ctr) ssh_aes_ctr_iv(&cc->evp, 0, iv, len); else @@ -342,6 +365,11 @@ evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); if (evplen == 0) return; +#if OPENSSL_VERSION_NUMBER < 0x00907000L + if (c->evptype == evp_rijndael) + ssh_rijndael_iv(&cc->evp, 1, iv, evplen); + else +#endif if (c->evptype == evp_aes_128_ctr) ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen); else @@ -355,8 +383,13 @@ } } +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#define EVP_X_STATE(evp) &(evp).c +#define EVP_X_STATE_LEN(evp) sizeof((evp).c) +#else #define EVP_X_STATE(evp) (evp).cipher_data #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size +#endif int cipher_get_keycontext(const CipherContext *cc, u_char *dat) diff -ruN --exclude CVS ssh-openbsd-2005090100/config.guess openssh-4.2p1/config.guess --- ssh-openbsd-2005090100/config.guess Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/config.guess Thu Jun 2 12:57:45 2005 @@ -0,0 +1,1499 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. + +timestamp='2005-05-27' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + + +# Originally written by Per Bothner . +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. +# +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. +# +# The plan is that this can be called by configure scripts if you +# don't specify an explicit build system type. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] + +Output the configuration name of the system \`$me' is run on. + +Operation modes: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.guess ($timestamp) + +Originally written by Per Bothner. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 +Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try \`$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +trap 'exit 1' 1 2 15 + +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. + +# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still +# use `HOST_CC' if defined, but it is deprecated. + +# Portable tmp directory creation inspired by the Autoconf team. + +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then + CC_FOR_BUILD="$c"; break ; + fi ; + done ; + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found ; + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; +esac ;' + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 1994-08-24) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + esac + # The Operating System including object format, if it has switched + # to ELF recently, or will in the future. + case "${UNAME_MACHINE_ARCH}" in + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + eval $set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep __ELF__ >/dev/null + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? + os=netbsd + else + os=netbsdelf + fi + ;; + *) + os=netbsd + ;; + esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. + echo "${machine}-${os}${release}" + exit ;; + amd64:OpenBSD:*:*) + echo x86_64-unknown-openbsd${UNAME_RELEASE} + exit ;; + amiga:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit ;; + cats:OpenBSD:*:*) + echo arm-unknown-openbsd${UNAME_RELEASE} + exit ;; + hp300:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit ;; + luna88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit ;; + mac68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit ;; + macppc:OpenBSD:*:*) + echo powerpc-unknown-openbsd${UNAME_RELEASE} + exit ;; + mvme68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit ;; + mvme88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit ;; + mvmeppc:OpenBSD:*:*) + echo powerpc-unknown-openbsd${UNAME_RELEASE} + exit ;; + sgi:OpenBSD:*:*) + echo mips64-unknown-openbsd${UNAME_RELEASE} + exit ;; + sun3:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit ;; + *:OpenBSD:*:*) + echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} + exit ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit ;; + macppc:MirBSD:*:*) + echo powerppc-unknown-mirbsd${UNAME_RELEASE} + exit ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit ;; + alpha:OSF1:*:*) + case $UNAME_RELEASE in + *4.0) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + exit ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? + echo alpha-pc-interix + exit ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-unknown-sysv4 + exit ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit ;; + *:[Mm]orph[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-morphos + exit ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit ;; + *:z/VM:*:*) + echo s390-ibm-zvmoe + exit ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit ;; + arm:riscos:*:*|arm:RISCOS:*:*) + echo arm-unknown-riscos + exit ;; + SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit ;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. + if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit ;; + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7; exit ;; + esac ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + i86pc:SunOS:5.*:*) + echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. + echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} + exit ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo clipper-intergraph-clix${UNAME_RELEASE} + exit ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && + dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`$dummy $dummyarg` && + { echo "$SYSTEM_NAME"; exit; } + echo mips-mips-riscos${UNAME_RELEASE} + exit ;; + Motorola:PowerMAX_OS:*:*) + echo powerpc-motorola-powermax + exit ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. + echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i*86:AIX:*:*) + echo i386-ibm-aix + exit ;; + ia64:AIX:*:*) + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + exit ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + then + echo "$SYSTEM_NAME" + else + echo rs6000-ibm-aix3.2.5 + fi + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit ;; + *:AIX:*:[45]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit ;; + 9000/[34]??:4.3bsd:1.*:*) + echo m68k-hp-bsd + exit ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit ;; + 9000/[34678]??:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? ) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; + '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + esac ;; + esac + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac + if [ ${HP_ARCH} = "hppa2.0w" ] + then + # avoid double evaluation of $set_cc_for_build + test -n "$CC_FOR_BUILD" || eval $set_cc_for_build + + # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating + # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler + # generating 64-bit code. GNU and HP use different nomenclature: + # + # $ CC_FOR_BUILD=cc ./config.guess + # => hppa2.0w-hp-hpux11.23 + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + + if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + grep __LP64__ >/dev/null + then + HP_ARCH="hppa2.0w" + else + HP_ARCH="hppa64" + fi + fi + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit ;; + ia64:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux${HPUX_REV} + exit ;; + 3050*:HI-UX:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + echo unknown-hitachi-hiuxwe2 + exit ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit ;; + *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit ;; + i*86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ + -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*TS:*:*:*) + echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*T3E:*:*:*) + echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*SV1:*:*:*) + echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:BSD/OS:*:*) + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:FreeBSD:*:*) + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit ;; + i*:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 + exit ;; + i*:PW*:*) + echo ${UNAME_MACHINE}-pc-pw32 + exit ;; + x86:Interix*:[34]*) + echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' + exit ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? + echo i586-pc-interix + exit ;; + i*:UWIN*:*) + echo ${UNAME_MACHINE}-pc-uwin + exit ;; + amd64:CYGWIN*:*:*) + echo x86_64-unknown-cygwin + exit ;; + p*:CYGWIN*:*) + echo powerpcle-unknown-cygwin + exit ;; + prep*:SunOS:5.*:*) + echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + *:GNU:*:*) + # the GNU system + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + exit ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + exit ;; + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix + exit ;; + arm*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + cris:Linux:*:*) + echo cris-axis-linux-gnu + exit ;; + crisv32:Linux:*:*) + echo crisv32-axis-linux-gnu + exit ;; + frv:Linux:*:*) + echo frv-unknown-linux-gnu + exit ;; + ia64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + m68*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + mips:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips + #undef mipsel + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mipsel + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + ;; + mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips64 + #undef mips64el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mips64el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips64 + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + ;; + ppc:Linux:*:*) + echo powerpc-unknown-linux-gnu + exit ;; + ppc64:Linux:*:*) + echo powerpc64-unknown-linux-gnu + exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null + if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + exit ;; + parisc:Linux:*:* | hppa:Linux:*:*) + # Look for CPU level + case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in + PA7*) echo hppa1.1-unknown-linux-gnu ;; + PA8*) echo hppa2.0-unknown-linux-gnu ;; + *) echo hppa-unknown-linux-gnu ;; + esac + exit ;; + parisc64:Linux:*:* | hppa64:Linux:*:*) + echo hppa64-unknown-linux-gnu + exit ;; + s390:Linux:*:* | s390x:Linux:*:*) + echo ${UNAME_MACHINE}-ibm-linux + exit ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + sh*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + sparc:Linux:*:* | sparc64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + x86_64:Linux:*:*) + echo x86_64-unknown-linux-gnu + exit ;; + i*86:Linux:*:*) + # The BFD linker knows what the default object file format is, so + # first see if it will tell us. cd to the root directory to prevent + # problems with other programs or directories called `ld' in the path. + # Set LC_ALL=C to ensure ld outputs messages in English. + ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ + | sed -ne '/supported targets:/!d + s/[ ][ ]*/ /g + s/.*supported targets: *// + s/ .*// + p'` + case "$ld_supported_targets" in + elf32-i386) + TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu" + ;; + a.out-i386-linux) + echo "${UNAME_MACHINE}-pc-linux-gnuaout" + exit ;; + coff-i386) + echo "${UNAME_MACHINE}-pc-linux-gnucoff" + exit ;; + "") + # Either a pre-BFD a.out linker (linux-gnuoldld) or + # one that does not give us useful --help. + echo "${UNAME_MACHINE}-pc-linux-gnuoldld" + exit ;; + esac + # Determine whether the default compiler is a.out or elf + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + #ifdef __ELF__ + # ifdef __GLIBC__ + # if __GLIBC__ >= 2 + LIBC=gnu + # else + LIBC=gnulibc1 + # endif + # else + LIBC=gnulibc1 + # endif + #else + #ifdef __INTEL_COMPILER + LIBC=gnu + #else + LIBC=gnuaout + #endif + #endif + #ifdef __dietlibc__ + LIBC=dietlibc + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` + test x"${LIBC}" != x && { + echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + exit + } + test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; } + ;; + i*86:DYNIX/ptx:4*:*) + # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. + # earlier versions are messed up and put the nodename in both + # sysname and nodename. + echo i386-sequent-sysv4 + exit ;; + i*86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. + echo ${UNAME_MACHINE}-pc-os2-emx + exit ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit ;; + i*86:syllable:*:*) + echo ${UNAME_MACHINE}-pc-syllable + exit ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit ;; + i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. + case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; + *Pent*|*Celeron) UNAME_MACHINE=i686 ;; + esac + echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + exit ;; + i*86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i386. + echo i386-pc-msdosdjgpp + exit ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit ;; + paragon:*:*:*) + echo i860-intel-osf1 + exit ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. + echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + fi + exit ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + echo m68010-convergent-sysv + exit ;; + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit ;; + M68*:*:R3V[5678]*:*) + test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; + m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) + echo m68k-unknown-lynxos${UNAME_RELEASE} + exit ;; + mc68030:UNIX_System_V:4.*:*) + echo m68k-atari-sysv4 + exit ;; + TSUNAMI:LynxOS:2.*:*) + echo sparc-unknown-lynxos${UNAME_RELEASE} + exit ;; + rs6000:LynxOS:2.*:*) + echo rs6000-unknown-lynxos${UNAME_RELEASE} + exit ;; + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) + echo powerpc-unknown-lynxos${UNAME_RELEASE} + exit ;; + SM[BE]S:UNIX_SV:*:*) + echo mips-dde-sysv${UNAME_RELEASE} + exit ;; + RM*:ReliantUNIX-*:*:*) + echo mips-sni-sysv4 + exit ;; + RM*:SINIX-*:*:*) + echo mips-sni-sysv4 + exit ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + echo ${UNAME_MACHINE}-sni-sysv4 + else + echo ns32k-sni-sysv + fi + exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + echo hppa1.1-stratus-sysv4 + exit ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + echo i860-stratus-sysv4 + exit ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + echo ${UNAME_MACHINE}-stratus-vos + exit ;; + *:VOS:*:*) + # From Paul.Green@stratus.com. + echo hppa1.1-stratus-vos + exit ;; + mc68*:A/UX:*:*) + echo m68k-apple-aux${UNAME_RELEASE} + exit ;; + news*:NEWS-OS:6*:*) + echo mips-sony-newsos6 + exit ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then + echo mips-nec-sysv${UNAME_RELEASE} + else + echo mips-unknown-sysv${UNAME_RELEASE} + fi + exit ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + echo powerpc-be-beos + exit ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + echo powerpc-apple-beos + exit ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + echo i586-pc-beos + exit ;; + SX-4:SUPER-UX:*:*) + echo sx4-nec-superux${UNAME_RELEASE} + exit ;; + SX-5:SUPER-UX:*:*) + echo sx5-nec-superux${UNAME_RELEASE} + exit ;; + SX-6:SUPER-UX:*:*) + echo sx6-nec-superux${UNAME_RELEASE} + exit ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit ;; + *:Rhapsody:*:*) + echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + exit ;; + *:Darwin:*:*) + UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown + case $UNAME_PROCESSOR in + *86) UNAME_PROCESSOR=i686 ;; + unknown) UNAME_PROCESSOR=powerpc ;; + esac + echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} + exit ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = "x86"; then + UNAME_PROCESSOR=i386 + UNAME_MACHINE=pc + fi + echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} + exit ;; + *:QNX:*:4*) + echo i386-pc-qnx + exit ;; + NSE-?:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit ;; + NSR-?:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk${UNAME_RELEASE} + exit ;; + *:NonStop-UX:*:*) + echo mips-compaq-nonstopux + exit ;; + BS2000:POSIX*:*:*) + echo bs2000-siemens-sysv + exit ;; + DS/*:UNIX_System_V:*:*) + echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + exit ;; + *:Plan9:*:*) + # "uname -m" is not consistent, so use $cputype instead. 386 + # is converted to i386 for consistency with other x86 + # operating systems. + if test "$cputype" = "386"; then + UNAME_MACHINE=i386 + else + UNAME_MACHINE="$cputype" + fi + echo ${UNAME_MACHINE}-unknown-plan9 + exit ;; + *:TOPS-10:*:*) + echo pdp10-unknown-tops10 + exit ;; + *:TENEX:*:*) + echo pdp10-unknown-tenex + exit ;; + KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) + echo pdp10-dec-tops20 + exit ;; + XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) + echo pdp10-xkl-tops20 + exit ;; + *:TOPS-20:*:*) + echo pdp10-unknown-tops20 + exit ;; + *:ITS:*:*) + echo pdp10-unknown-its + exit ;; + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} + exit ;; + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms ; exit ;; + I*) echo ia64-dec-vms ; exit ;; + V*) echo vax-dec-vms ; exit ;; + esac ;; + *:XENIX:*:SysV) + echo i386-pc-xenix + exit ;; + i*86:skyos:*:*) + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + exit ;; +esac + +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + +eval $set_cc_for_build +cat >$dummy.c < +# include +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... */ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (__arm) && defined (__acorn) && defined (__unix) + printf ("arm-acorn-riscix\n"); exit (0); +#endif + +#if defined (hp300) && !defined (hpux) + printf ("m68k-hp-bsd\n"); exit (0); +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); + +#endif + +#if defined (vax) +# if !defined (ultrix) +# include +# if defined (BSD) +# if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +# else +# if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +# else + printf ("vax-dec-bsd\n"); exit (0); +# endif +# endif +# else + printf ("vax-dec-bsd\n"); exit (0); +# endif +# else + printf ("vax-dec-ultrix\n"); exit (0); +# endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. + +test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } + +# Convex versions that predate uname can use getsysinfo(1) + +if [ -x /usr/convex/getsysinfo ] +then + case `getsysinfo -f cpu_type` in + c1*) + echo c1-convex-bsd + exit ;; + c2*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + c34*) + echo c34-convex-bsd + exit ;; + c38*) + echo c38-convex-bsd + exit ;; + c4*) + echo c4-convex-bsd + exit ;; + esac +fi + +cat >&2 < in order to provide the needed +information to handle your system. + +config.guess timestamp = $timestamp + +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null` + +hostinfo = `(hostinfo) 2>/dev/null` +/bin/universe = `(/bin/universe) 2>/dev/null` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` +/bin/arch = `(/bin/arch) 2>/dev/null` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` + +UNAME_MACHINE = ${UNAME_MACHINE} +UNAME_RELEASE = ${UNAME_RELEASE} +UNAME_SYSTEM = ${UNAME_SYSTEM} +UNAME_VERSION = ${UNAME_VERSION} +EOF + +exit 1 + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff -ruN --exclude CVS ssh-openbsd-2005090100/config.sub openssh-4.2p1/config.sub --- ssh-openbsd-2005090100/config.sub Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/config.sub Thu Jun 2 12:57:45 2005 @@ -0,0 +1,1570 @@ +#! /bin/sh +# Configuration validation subroutine script. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. + +timestamp='2005-05-12' + +# This file is (in principle) common to ALL GNU software. +# The presence of a machine in this file suggests that SOME GNU software +# can handle that machine. It does not imply ALL GNU software can. +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + + +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. +# +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] CPU-MFR-OPSYS + $0 [OPTION] ALIAS + +Canonicalize a configuration name. + +Operation modes: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.sub ($timestamp) + +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 +Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try \`$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" + exit 1 ;; + + *local*) + # First pass through any local machine types. + echo $1 + exit ;; + + * ) + break ;; + esac +done + +case $# in + 0) echo "$me: missing argument$help" >&2 + exit 1;; + 1) ;; + *) echo "$me: too many arguments$help" >&2 + exit 1;; +esac + +# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). +# Here we must recognize all the valid KERNEL-OS combinations. +maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` +case $maybe_os in + nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \ + kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] + then os=`echo $1 | sed 's/.*-/-/'` + else os=; fi + ;; +esac + +### Let's recognize common machines as not being operating systems so +### that things like config.sub decstation-3100 work. We also +### recognize some manufacturers as not being operating systems, so we +### can provide default operating systems below. +case $os in + -sun*os*) + # Prevent following clause from handling this invalid input. + ;; + -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ + -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ + -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ + -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ + -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ + -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ + -apple | -axis | -knuth | -cray) + os= + basic_machine=$1 + ;; + -sim | -cisco | -oki | -wec | -winbond) + os= + basic_machine=$1 + ;; + -scout) + ;; + -wrs) + os=-vxworks + basic_machine=$1 + ;; + -chorusos*) + os=-chorusos + basic_machine=$1 + ;; + -chorusrdb) + os=-chorusrdb + basic_machine=$1 + ;; + -hiux*) + os=-hiuxwe2 + ;; + -sco5) + os=-sco3.2v5 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco4) + os=-sco3.2v4 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2v[4-9]*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco*) + os=-sco3.2v2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -udk*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -isc) + os=-isc2.2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -clix*) + basic_machine=clipper-intergraph + ;; + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -lynx*) + os=-lynxos + ;; + -ptx*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + ;; + -windowsnt*) + os=`echo $os | sed -e 's/windowsnt/winnt/'` + ;; + -psos*) + os=-psos + ;; + -mint | -mint[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; +esac + +# Decode aliases for certain CPU-COMPANY combinations. +case $basic_machine in + # Recognize the basic CPU types without company name. + # Some are omitted here because they have special meanings below. + 1750a | 580 \ + | a29k \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ + | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ + | bfin \ + | c4x | clipper \ + | d10v | d30v | dlx | dsp16xx \ + | fr30 | frv \ + | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | i370 | i860 | i960 | ia64 \ + | ip2k | iq2000 \ + | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64vr | mips64vrel \ + | mips64orion | mips64orionel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipstx39 | mipstx39el \ + | mn10200 | mn10300 \ + | msp430 \ + | ns16k | ns32k \ + | openrisc | or32 \ + | pdp10 | pdp11 | pj | pjl \ + | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ + | pyramid \ + | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b \ + | strongarm \ + | tahoe | thumb | tic4x | tic80 | tron \ + | v850 | v850e \ + | we32k \ + | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \ + | z8k) + basic_machine=$basic_machine-unknown + ;; + m6811 | m68hc11 | m6812 | m68hc12) + # Motorola 68HC11/12. + basic_machine=$basic_machine-unknown + os=-none + ;; + m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) + ;; + + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. + i*86 | x86_64) + basic_machine=$basic_machine-pc + ;; + # Object if more than one company name word. + *-*-*) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; + # Recognize the basic CPU types with company name. + 580-* \ + | a29k-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* \ + | bfin-* | bs2000-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ + | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ + | elxsi-* \ + | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \ + | h8300-* | h8500-* \ + | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | i*86-* | i860-* | i960-* | ia64-* \ + | ip2k-* | iq2000-* \ + | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ + | m88110-* | m88k-* | maxq-* | mcore-* \ + | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ + | mips16-* \ + | mips64-* | mips64el-* \ + | mips64vr-* | mips64vrel-* \ + | mips64orion-* | mips64orionel-* \ + | mips64vr4100-* | mips64vr4100el-* \ + | mips64vr4300-* | mips64vr4300el-* \ + | mips64vr5000-* | mips64vr5000el-* \ + | mipsisa32-* | mipsisa32el-* \ + | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa64-* | mipsisa64el-* \ + | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64sb1-* | mipsisa64sb1el-* \ + | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipstx39-* | mipstx39el-* \ + | mmix-* \ + | msp430-* \ + | none-* | np1-* | ns16k-* | ns32k-* \ + | orion-* \ + | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ + | pyramid-* \ + | romp-* | rs6000-* \ + | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \ + | sparclite-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ + | tahoe-* | thumb-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tron-* \ + | v850-* | v850e-* | vax-* \ + | we32k-* \ + | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \ + | xstormy16-* | xtensa-* \ + | ymp-* \ + | z8k-*) + ;; + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. + 386bsd) + basic_machine=i386-unknown + os=-bsd + ;; + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + basic_machine=m68000-att + ;; + 3b*) + basic_machine=we32k-att + ;; + a29khif) + basic_machine=a29k-amd + os=-udi + ;; + abacus) + basic_machine=abacus-unknown + ;; + adobe68k) + basic_machine=m68010-adobe + os=-scout + ;; + alliant | fx80) + basic_machine=fx80-alliant + ;; + altos | altos3068) + basic_machine=m68k-altos + ;; + am29k) + basic_machine=a29k-none + os=-bsd + ;; + amd64) + basic_machine=x86_64-pc + ;; + amd64-*) + basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + amdahl) + basic_machine=580-amdahl + os=-sysv + ;; + amiga | amiga-*) + basic_machine=m68k-unknown + ;; + amigaos | amigados) + basic_machine=m68k-unknown + os=-amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + os=-sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=-sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=-bsd + ;; + aux) + basic_machine=m68k-apple + os=-aux + ;; + balance) + basic_machine=ns32k-sequent + os=-dynix + ;; + c90) + basic_machine=c90-cray + os=-unicos + ;; + convex-c1) + basic_machine=c1-convex + os=-bsd + ;; + convex-c2) + basic_machine=c2-convex + os=-bsd + ;; + convex-c32) + basic_machine=c32-convex + os=-bsd + ;; + convex-c34) + basic_machine=c34-convex + os=-bsd + ;; + convex-c38) + basic_machine=c38-convex + os=-bsd + ;; + cray | j90) + basic_machine=j90-cray + os=-unicos + ;; + craynv) + basic_machine=craynv-cray + os=-unicosmp + ;; + cr16c) + basic_machine=cr16c-unknown + os=-elf + ;; + crds | unos) + basic_machine=m68k-crds + ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; + cris | cris-* | etrax*) + basic_machine=cris-axis + ;; + crx) + basic_machine=crx-unknown + os=-elf + ;; + da30 | da30-*) + basic_machine=m68k-da30 + ;; + decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) + basic_machine=mips-dec + ;; + decsystem10* | dec10*) + basic_machine=pdp10-dec + os=-tops10 + ;; + decsystem20* | dec20*) + basic_machine=pdp10-dec + os=-tops20 + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + basic_machine=m68k-motorola + ;; + delta88) + basic_machine=m88k-motorola + os=-sysv3 + ;; + djgpp) + basic_machine=i586-pc + os=-msdosdjgpp + ;; + dpx20 | dpx20-*) + basic_machine=rs6000-bull + os=-bosx + ;; + dpx2* | dpx2*-bull) + basic_machine=m68k-bull + os=-sysv3 + ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon + ;; + elxsi) + basic_machine=elxsi-elxsi + os=-bsd + ;; + encore | umax | mmax) + basic_machine=ns32k-encore + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=-ose + ;; + fx2800) + basic_machine=i860-alliant + ;; + genix) + basic_machine=ns32k-ns + ;; + gmicro) + basic_machine=tron-gmicro + os=-sysv + ;; + go32) + basic_machine=i386-pc + os=-go32 + ;; + h3050r* | hiux*) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=-hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=-xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=-hms + ;; + harris) + basic_machine=m88k-harris + os=-sysv3 + ;; + hp300-*) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=-bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=-hpux + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + basic_machine=m68000-hp + ;; + hp9k3[2-9][0-9]) + basic_machine=m68k-hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + basic_machine=hppa1.1-hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hppa-next) + os=-nextstep3 + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=-osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=-proelf + ;; + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; +# I'm not sure what "Sysv32" means. Should this be sysv3.2? + i*86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 + ;; + i*86v4*) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv4 + ;; + i*86v) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv + ;; + i*86sol2) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-solaris2 + ;; + i386mach) + basic_machine=i386-mach + os=-mach + ;; + i386-vsta | vsta) + basic_machine=i386-unknown + os=-vsta + ;; + iris | iris4d) + basic_machine=mips-sgi + case $os in + -irix*) + ;; + *) + os=-irix4 + ;; + esac + ;; + isi68 | isi) + basic_machine=m68k-isi + os=-sysv + ;; + m88k-omron*) + basic_machine=m88k-omron + ;; + magnum | m3230) + basic_machine=mips-mips + os=-sysv + ;; + merlin) + basic_machine=ns32k-utek + os=-sysv + ;; + mingw32) + basic_machine=i386-pc + os=-mingw32 + ;; + miniframe) + basic_machine=m68000-convergent + ;; + *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; + mips3*-*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + ;; + mips3*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown + ;; + monitor) + basic_machine=m68k-rom68k + os=-coff + ;; + morphos) + basic_machine=powerpc-unknown + os=-morphos + ;; + msdos) + basic_machine=i386-pc + os=-msdos + ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 + ;; + netbsd386) + basic_machine=i386-unknown + os=-netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + os=-linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=-newsos + ;; + news1000) + basic_machine=m68030-sony + os=-newsos + ;; + news-3600 | risc-news) + basic_machine=mips-sony + os=-newsos + ;; + necv70) + basic_machine=v70-nec + os=-sysv + ;; + next | m*-next ) + basic_machine=m68k-next + case $os in + -nextstep* ) + ;; + -ns2*) + os=-nextstep2 + ;; + *) + os=-nextstep3 + ;; + esac + ;; + nh3000) + basic_machine=m68k-harris + os=-cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=-cxux + ;; + nindy960) + basic_machine=i960-intel + os=-nindy + ;; + mon960) + basic_machine=i960-intel + os=-mon960 + ;; + nonstopux) + basic_machine=mips-compaq + os=-nonstopux + ;; + np1) + basic_machine=np1-gould + ;; + nsr-tandem) + basic_machine=nsr-tandem + ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf + ;; + or32 | or32-*) + basic_machine=or32-unknown + os=-coff + ;; + os400) + basic_machine=powerpc-ibm + os=-os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=-ose + ;; + os68k) + basic_machine=m68k-none + os=-os68k + ;; + pa-hitachi) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + paragon) + basic_machine=i860-intel + os=-osf + ;; + pbd) + basic_machine=sparc-tti + ;; + pbb) + basic_machine=m68k-tti + ;; + pc532 | pc532-*) + basic_machine=ns32k-pc532 + ;; + pentium | p5 | k5 | k6 | nexgen | viac3) + basic_machine=i586-pc + ;; + pentiumpro | p6 | 6x86 | athlon | athlon_*) + basic_machine=i686-pc + ;; + pentiumii | pentium2 | pentiumiii | pentium3) + basic_machine=i686-pc + ;; + pentium4) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-* | athlon-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=power-ibm + ;; + ppc) basic_machine=powerpc-unknown + ;; + ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64) basic_machine=powerpc64-unknown + ;; + ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64le | powerpc64little | ppc64-le | powerpc64-little) + basic_machine=powerpc64le-unknown + ;; + ppc64le-* | powerpc64little-*) + basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + pw32) + basic_machine=i586-unknown + os=-pw32 + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + s390 | s390-*) + basic_machine=s390-ibm + ;; + s390x | s390x-*) + basic_machine=s390x-ibm + ;; + sa29200) + basic_machine=a29k-amd + os=-udi + ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sh64) + basic_machine=sh64-unknown + ;; + sparclite-wrs | simso-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 + ;; + sun3 | sun3-*) + basic_machine=m68k-sun + ;; + sun4) + basic_machine=sparc-sun + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + ;; + sv1) + basic_machine=sv1-cray + os=-unicos + ;; + symmetry) + basic_machine=i386-sequent + os=-dynix + ;; + t3e) + basic_machine=alphaev5-cray + os=-unicos + ;; + t90) + basic_machine=t90-cray + os=-unicos + ;; + tic54x | c54x*) + basic_machine=tic54x-unknown + os=-coff + ;; + tic55x | c55x*) + basic_machine=tic55x-unknown + os=-coff + ;; + tic6x | c6x*) + basic_machine=tic6x-unknown + os=-coff + ;; + tx39) + basic_machine=mipstx39-unknown + ;; + tx39el) + basic_machine=mipstx39el-unknown + ;; + toad1) + basic_machine=pdp10-xkl + os=-tops20 + ;; + tower | tower-32) + basic_machine=m68k-ncr + ;; + tpf) + basic_machine=s390x-ibm + os=-tpf + ;; + udi29k) + basic_machine=a29k-amd + os=-udi + ;; + ultra3) + basic_machine=a29k-nyu + os=-sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=-none + ;; + vaxv) + basic_machine=vax-dec + os=-sysv + ;; + vms) + basic_machine=vax-dec + os=-vms + ;; + vpp*|vx|vx-*) + basic_machine=f301-fujitsu + ;; + vxworks960) + basic_machine=i960-wrs + os=-vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=-vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=-vxworks + ;; + w65*) + basic_machine=w65-wdc + os=-none + ;; + w89k-*) + basic_machine=hppa1.1-winbond + os=-proelf + ;; + xbox) + basic_machine=i686-pc + os=-mingw32 + ;; + xps | xps100) + basic_machine=xps100-honeywell + ;; + ymp) + basic_machine=ymp-cray + os=-unicos + ;; + z8k-*-coff) + basic_machine=z8k-unknown + os=-sim + ;; + none) + basic_machine=none-none + os=-none + ;; + +# Here we handle the default manufacturer of certain CPU types. It is in +# some cases the only manufacturer, in others, it is the most popular. + w89k) + basic_machine=hppa1.1-winbond + ;; + op50n) + basic_machine=hppa1.1-oki + ;; + op60c) + basic_machine=hppa1.1-oki + ;; + romp) + basic_machine=romp-ibm + ;; + mmix) + basic_machine=mmix-knuth + ;; + rs6000) + basic_machine=rs6000-ibm + ;; + vax) + basic_machine=vax-dec + ;; + pdp10) + # there are many clones, so DEC is not a safe bet + basic_machine=pdp10-unknown + ;; + pdp11) + basic_machine=pdp11-dec + ;; + we32k) + basic_machine=we32k-att + ;; + sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele) + basic_machine=sh-unknown + ;; + sh64) + basic_machine=sh64-unknown + ;; + sparc | sparcv8 | sparcv9 | sparcv9b) + basic_machine=sparc-sun + ;; + cydra) + basic_machine=cydra-cydrome + ;; + orion) + basic_machine=orion-highlevel + ;; + orion105) + basic_machine=clipper-highlevel + ;; + mac | mpw | mac-mpw) + basic_machine=m68k-apple + ;; + pmac | pmac-mpw) + basic_machine=powerpc-apple + ;; + *-unknown) + # Make sure to match an already-canonicalized machine name. + ;; + *) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $basic_machine in + *-digital*) + basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` + ;; + *-commodore*) + basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if [ x"$os" != x"" ] +then +case $os in + # First match some system type aliases + # that might get confused with valid system types. + # -solaris* is a basic system type, with this one exception. + -solaris1 | -solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` + ;; + -solaris) + os=-solaris2 + ;; + -svr4*) + os=-sysv4 + ;; + -unixware*) + os=-sysv4.2uw + ;; + -gnu/linux*) + os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` + ;; + # First accept the basic system types. + # The portable systems comes first. + # Each alternative MUST END IN A *, to match a version number. + # -sysv* is not here because it comes later, after sysvr4. + -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ + | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ + | -aos* \ + | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ + | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \ + | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ + | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -chorusos* | -chorusrdb* \ + | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ + | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ + | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ + | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* | -skyos*) + # Remember, each alternative MUST END IN *, to match a version number. + ;; + -qnx*) + case $basic_machine in + x86-* | i*86-*) + ;; + *) + os=-nto$os + ;; + esac + ;; + -nto-qnx*) + ;; + -nto*) + os=`echo $os | sed -e 's|nto|nto-qnx|'` + ;; + -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ + | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) + ;; + -mac*) + os=`echo $os | sed -e 's|mac|macos|'` + ;; + -linux-dietlibc) + os=-linux-dietlibc + ;; + -linux*) + os=`echo $os | sed -e 's|linux|linux-gnu|'` + ;; + -sunos5*) + os=`echo $os | sed -e 's|sunos5|solaris2|'` + ;; + -sunos6*) + os=`echo $os | sed -e 's|sunos6|solaris3|'` + ;; + -opened*) + os=-openedition + ;; + -os400*) + os=-os400 + ;; + -wince*) + os=-wince + ;; + -osfrose*) + os=-osfrose + ;; + -osf*) + os=-osf + ;; + -utek*) + os=-bsd + ;; + -dynix*) + os=-bsd + ;; + -acis*) + os=-aos + ;; + -atheos*) + os=-atheos + ;; + -syllable*) + os=-syllable + ;; + -386bsd) + os=-bsd + ;; + -ctix* | -uts*) + os=-sysv + ;; + -nova*) + os=-rtmk-nova + ;; + -ns2 ) + os=-nextstep2 + ;; + -nsk*) + os=-nsk + ;; + # Preserve the version number of sinix5. + -sinix5.*) + os=`echo $os | sed -e 's|sinix|sysv|'` + ;; + -sinix*) + os=-sysv4 + ;; + -tpf*) + os=-tpf + ;; + -triton*) + os=-sysv3 + ;; + -oss*) + os=-sysv3 + ;; + -svr4) + os=-sysv4 + ;; + -svr3) + os=-sysv3 + ;; + -sysvr4) + os=-sysv4 + ;; + # This must come after -sysvr4. + -sysv*) + ;; + -ose*) + os=-ose + ;; + -es1800*) + os=-ose + ;; + -xenix) + os=-xenix + ;; + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint + ;; + -aros*) + os=-aros + ;; + -kaos*) + os=-kaos + ;; + -zvmoe) + os=-zvmoe + ;; + -none) + ;; + *) + # Get rid of the `-' at the beginning of $os. + os=`echo $os | sed 's/[^-]*-//'` + echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + exit 1 + ;; +esac +else + +# Here we handle the default operating systems that come with various machines. +# The value should be what the vendor currently ships out the door with their +# machine or put another way, the most popular os provided with the machine. + +# Note that if you're going to try to match "-MANUFACTURER" here (say, +# "-sun"), then you have to tell the case statement up towards the top +# that MANUFACTURER isn't an operating system. Otherwise, code above +# will signal an error saying that MANUFACTURER isn't an operating +# system, and we'll never get to this point. + +case $basic_machine in + *-acorn) + os=-riscix1.2 + ;; + arm*-rebel) + os=-linux + ;; + arm*-semi) + os=-aout + ;; + c4x-* | tic4x-*) + os=-coff + ;; + # This must come before the *-dec entry. + pdp10-*) + os=-tops20 + ;; + pdp11-*) + os=-none + ;; + *-dec | vax-*) + os=-ultrix4.2 + ;; + m68*-apollo) + os=-domain + ;; + i386-sun) + os=-sunos4.0.2 + ;; + m68000-sun) + os=-sunos3 + # This also exists in the configure program, but was not the + # default. + # os=-sunos4 + ;; + m68*-cisco) + os=-aout + ;; + mips*-cisco) + os=-elf + ;; + mips*-*) + os=-elf + ;; + or32-*) + os=-coff + ;; + *-tti) # must be before sparc entry or we get the wrong os. + os=-sysv3 + ;; + sparc-* | *-sun) + os=-sunos4.1.1 + ;; + *-be) + os=-beos + ;; + *-ibm) + os=-aix + ;; + *-knuth) + os=-mmixware + ;; + *-wec) + os=-proelf + ;; + *-winbond) + os=-proelf + ;; + *-oki) + os=-proelf + ;; + *-hp) + os=-hpux + ;; + *-hitachi) + os=-hiux + ;; + i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) + os=-sysv + ;; + *-cbm) + os=-amigaos + ;; + *-dg) + os=-dgux + ;; + *-dolphin) + os=-sysv3 + ;; + m68k-ccur) + os=-rtu + ;; + m88k-omron*) + os=-luna + ;; + *-next ) + os=-nextstep + ;; + *-sequent) + os=-ptx + ;; + *-crds) + os=-unos + ;; + *-ns) + os=-genix + ;; + i370-*) + os=-mvs + ;; + *-next) + os=-nextstep3 + ;; + *-gould) + os=-sysv + ;; + *-highlevel) + os=-bsd + ;; + *-encore) + os=-bsd + ;; + *-sgi) + os=-irix + ;; + *-siemens) + os=-sysv4 + ;; + *-masscomp) + os=-rtu + ;; + f30[01]-fujitsu | f700-fujitsu) + os=-uxpv + ;; + *-rom68k) + os=-coff + ;; + *-*bug) + os=-coff + ;; + *-apple) + os=-macos + ;; + *-atari*) + os=-mint + ;; + *) + os=-none + ;; +esac +fi + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. +vendor=unknown +case $basic_machine in + *-unknown) + case $os in + -riscix*) + vendor=acorn + ;; + -sunos*) + vendor=sun + ;; + -aix*) + vendor=ibm + ;; + -beos*) + vendor=be + ;; + -hpux*) + vendor=hp + ;; + -mpeix*) + vendor=hp + ;; + -hiux*) + vendor=hitachi + ;; + -unos*) + vendor=crds + ;; + -dgux*) + vendor=dg + ;; + -luna*) + vendor=omron + ;; + -genix*) + vendor=ns + ;; + -mvs* | -opened*) + vendor=ibm + ;; + -os400*) + vendor=ibm + ;; + -ptx*) + vendor=sequent + ;; + -tpf*) + vendor=ibm + ;; + -vxsim* | -vxworks* | -windiss*) + vendor=wrs + ;; + -aux*) + vendor=apple + ;; + -hms*) + vendor=hitachi + ;; + -mpw* | -macos*) + vendor=apple + ;; + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + vendor=atari + ;; + -vos*) + vendor=stratus + ;; + esac + basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` + ;; +esac + +echo $basic_machine$os +exit + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff -ruN --exclude CVS ssh-openbsd-2005090100/configure.ac openssh-4.2p1/configure.ac --- ssh-openbsd-2005090100/configure.ac Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/configure.ac Thu Sep 1 02:59:49 2005 @@ -0,0 +1,3512 @@ +# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $ +# +# Copyright (c) 1999-2004 Damien Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) +AC_CONFIG_SRCDIR([ssh.c]) + +AC_CONFIG_HEADER(config.h) +AC_PROG_CC +AC_CANONICAL_HOST +AC_C_BIGENDIAN + +# Checks for programs. +AC_PROG_AWK +AC_PROG_CPP +AC_PROG_RANLIB +AC_PROG_INSTALL +AC_PATH_PROG(AR, ar) +AC_PATH_PROG(CAT, cat) +AC_PATH_PROG(KILL, kill) +AC_PATH_PROGS(PERL, perl5 perl) +AC_PATH_PROG(SED, sed) +AC_SUBST(PERL) +AC_PATH_PROG(ENT, ent) +AC_SUBST(ENT) +AC_PATH_PROG(TEST_MINUS_S_SH, bash) +AC_PATH_PROG(TEST_MINUS_S_SH, ksh) +AC_PATH_PROG(TEST_MINUS_S_SH, sh) +AC_PATH_PROG(SH, sh) +AC_SUBST(TEST_SHELL,sh) + +dnl for buildpkg.sh +AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd, + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd, + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no) + +# System features +AC_SYS_LARGEFILE + +if test -z "$AR" ; then + AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***]) +fi + +# Use LOGIN_PROGRAM from environment if possible +if test ! -z "$LOGIN_PROGRAM" ; then + AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM") +else + # Search for login + AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login) + if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then + AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM_FALLBACK") + fi +fi + +AC_PATH_PROG(PATH_PASSWD_PROG, passwd) +if test ! -z "$PATH_PASSWD_PROG" ; then + AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG") +fi + +if test -z "$LD" ; then + LD=$CC +fi +AC_SUBST(LD) + +AC_C_INLINE + +AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include ]) + +if test "$GCC" = "yes" || test "$GCC" = "egcs"; then + CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" + GCC_VER=`$CC --version` + case $GCC_VER in + 1.*) ;; + 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; + 2.*) ;; + *) CFLAGS="$CFLAGS -Wsign-compare" ;; + esac + + if test -z "$have_llong_max"; then + # retry LLONG_MAX with -std=gnu99, needed on some Linuxes + unset ac_cv_have_decl_LLONG_MAX + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -std=gnu99" + AC_CHECK_DECL(LLONG_MAX, + [have_llong_max=1], + [CFLAGS="$saved_CFLAGS"], + [#include ] + ) + fi +fi + +if test -z "$have_llong_max"; then + AC_MSG_CHECKING([for max value of long long]) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +/* Why is this so damn hard? */ +#ifdef __GNUC__ +# undef __GNUC__ +#endif +#define __USE_ISOC99 +#include +#define DATA "conftest.llminmax" +int main(void) { + FILE *f; + long long i, llmin, llmax = 0; + + if((f = fopen(DATA,"w")) == NULL) + exit(1); + +#if defined(LLONG_MIN) && defined(LLONG_MAX) + fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n"); + llmin = LLONG_MIN; + llmax = LLONG_MAX; +#else + fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n"); + /* This will work on one's complement and two's complement */ + for (i = 1; i > llmax; i <<= 1, i++) + llmax = i; + llmin = llmax + 1LL; /* wrap */ +#endif + + /* Sanity check */ + if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax + || llmax - 1 > llmax) { + fprintf(f, "unknown unknown\n"); + exit(2); + } + + if (fprintf(f ,"%lld %lld", llmin, llmax) < 0) + exit(3); + + exit(0); +} + ]])], + [ + llong_min=`$AWK '{print $1}' conftest.llminmax` + llong_max=`$AWK '{print $2}' conftest.llminmax` + AC_MSG_RESULT($llong_max) + AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL], + [max value of long long calculated by configure]) + AC_MSG_CHECKING([for min value of long long]) + AC_MSG_RESULT($llong_min) + AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL], + [min value of long long calculated by configure]) + ], + [ + AC_MSG_RESULT(not found) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] + ) +fi + +AC_ARG_WITH(rpath, + [ --without-rpath Disable auto-added -R linker paths], + [ + if test "x$withval" = "xno" ; then + need_dash_r="" + fi + if test "x$withval" = "xyes" ; then + need_dash_r=1 + fi + ] +) + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) + if (test -z "$blibpath"); then + blibpath="/usr/lib:/lib" + fi + saved_LDFLAGS="$LDFLAGS" + for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do + if (test -z "$blibflags"); then + LDFLAGS="$saved_LDFLAGS $tryflags$blibpath" + AC_TRY_LINK([], [], [blibflags=$tryflags]) + fi + done + if (test -z "$blibflags"); then + AC_MSG_RESULT(not found) + AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log]) + else + AC_MSG_RESULT($blibflags) + fi + LDFLAGS="$saved_LDFLAGS" + dnl Check for authenticate. Might be in libs.a on older AIXes + AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], + [AC_CHECK_LIB(s,authenticate, + [ AC_DEFINE(WITH_AIXAUTHENTICATE) + LIBS="$LIBS -ls" + ]) + ]) + dnl Check for various auth function declarations in headers. + AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess, + passwdexpired, setauthdb], , , [#include ]) + dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2) + AC_CHECK_DECLS(loginfailed, + [AC_MSG_CHECKING(if loginfailed takes 4 arguments) + AC_TRY_COMPILE( + [#include ], + [(void)loginfailed("user","host","tty",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(AIX_LOGINFAILED_4ARG)], + [AC_MSG_RESULT(no)] + )], + [], + [#include ] + ) + AC_CHECK_FUNCS(setauthdb) + check_for_aix_broken_getaddrinfo=1 + AC_DEFINE(BROKEN_REALPATH) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + dnl AIX handles lastlog as part of its login message + AC_DEFINE(DISABLE_LASTLOG) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) + ;; +*-*-cygwin*) + check_for_libcrypt_later=1 + LIBS="$LIBS /usr/lib/textmode.o" + AC_DEFINE(HAVE_CYGWIN) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) + AC_DEFINE(DISABLE_FD_PASSING) + ;; +*-*-dgux*) + AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; +*-*-darwin*) + AC_MSG_CHECKING(if we have working getaddrinfo) + AC_TRY_RUN([#include +main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + exit(0); + else + exit(1); +}], [AC_MSG_RESULT(working)], + [AC_MSG_RESULT(buggy) + AC_DEFINE(BROKEN_GETADDRINFO)], + [AC_MSG_RESULT(assume it is working)]) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1) + ;; +*-*-hpux*) + # first we define all of the options common to all HP-UX releases + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" + IPADDR_IN_DISPLAY=yes + AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NO_ENDOPT) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOCKED_PASSWD_STRING, "*") + AC_DEFINE(SPT_TYPE,SPT_PSTAT) + LIBS="$LIBS -lsec" + AC_CHECK_LIB(xnet, t_error, , + AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) + + # next, we define all of the options specific to major releases + case "$host" in + *-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + ;; + *-*-hpux11*) + AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) + check_for_hpux_broken_getaddrinfo=1 + check_for_conflicting_getspnam=1 + ;; + esac + + # lastly, we define options specific to minor releases + case "$host" in + *-*-hpux10.26) + AC_DEFINE(HAVE_SECUREWARE) + disable_ptmx_check=yes + LIBS="$LIBS -lsecpw" + ;; + esac + ;; +*-*-irix5*) + PATH="$PATH:/usr/etc" + AC_DEFINE(BROKEN_INET_NTOA) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; +*-*-irix6*) + PATH="$PATH:/usr/etc" + AC_DEFINE(WITH_IRIX_ARRAY) + AC_DEFINE(WITH_IRIX_PROJECT) + AC_DEFINE(WITH_IRIX_AUDIT) + AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) + AC_DEFINE(BROKEN_INET_NTOA) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_UPDWTMPX) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + ;; +*-*-linux*) + no_dev_ptmx=1 + check_for_libcrypt_later=1 + check_for_openpty_ctty_bug=1 + AC_DEFINE(DONT_TRY_OTHER_AF) + AC_DEFINE(PAM_TTY_KLUDGE) + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") + AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) + AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM) + AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) + AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) + AC_DEFINE(BROKEN_CMSG_TYPE) + ;; + esac + ;; +mips-sony-bsd|mips-sony-newsos4) + AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty]) + SONY=1 + ;; +*-*-netbsd*) + check_for_libcrypt_before=1 + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + ;; +*-*-freebsd*) + check_for_libcrypt_later=1 + ;; +*-*-bsdi*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; +*-next-*) + conf_lastlog_location="/usr/adm/lastlog" + conf_utmp_location=/etc/utmp + conf_wtmp_location=/usr/adm/wtmp + MAIL=/usr/spool/mail + AC_DEFINE(HAVE_NEXT) + AC_DEFINE(BROKEN_REALPATH) + AC_DEFINE(USE_PIPES) + AC_DEFINE(BROKEN_SAVED_UIDS) + ;; +*-*-openbsd*) + AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel]) + ;; +*-*-solaris*) + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi + AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOGIN_NEEDS_TERM) + AC_DEFINE(PAM_TTY_KLUDGE) + AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID) + AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") + # Pushing STREAMS modules will cause sshd to acquire a controlling tty. + AC_DEFINE(SSHD_ACQUIRES_CTTY) + external_path_file=/etc/default/login + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/var/adm/lastlog" + AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) + sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` + if test "$sol2ver" -ge 8; then + AC_MSG_RESULT(yes) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(DISABLE_WTMP) + else + AC_MSG_RESULT(no) + fi + ;; +*-*-sunos4*) + CPPFLAGS="$CPPFLAGS -DSUNOS4" + AC_CHECK_FUNCS(getpwanam) + AC_DEFINE(PAM_SUN_CODEBASE) + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + AC_DEFINE(USE_PIPES) + ;; +*-ncr-sysv*) + LIBS="$LIBS -lc89" + AC_DEFINE(USE_PIPES) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; +*-sni-sysv*) + # /usr/ucblib MUST NOT be searched on ReliantUNIX + AC_CHECK_LIB(dl, dlsym, ,) + # -lresolv needs to be at then end of LIBS or DNS lookups break + AC_CHECK_LIB(res_query, resolv, [ LIBS="$LIBS -lresolv" ]) + IPADDR_IN_DISPLAY=yes + AC_DEFINE(USE_PIPES) + AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + external_path_file=/etc/default/login + # /usr/ucblib/libucb.a no longer needed on ReliantUNIX + # Attention: always take care to bind libsocket and libnsl before libc, + # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog + ;; +# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. +*-*-sysv4.2*) + AC_DEFINE(USE_PIPES) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) + ;; +# UnixWare 7.x, OpenUNIX 8 +*-*-sysv5*) + check_for_libcrypt_later=1 + AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars]) + AC_DEFINE(USE_PIPES) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) + case "$host" in + *-*-sysv5SCO_SV*) # SCO OpenServer 6.x + TEST_SHELL=/u95/bin/sh + AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet]) + ;; + esac + ;; +*-*-sysv*) + ;; +# SCO UNIX and OEM versions of SCO UNIX +*-*-sco3.2v4*) + AC_MSG_ERROR("This Platform is no longer supported.") + ;; +# SCO OpenServer 5.x +*-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi + LIBS="$LIBS -lprot -lx -ltinfo -lm" + no_dev_ptmx=1 + AC_DEFINE(USE_PIPES) + AC_DEFINE(HAVE_SECUREWARE) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(BROKEN_UPDWTMPX) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) + AC_CHECK_FUNCS(getluid setluid) + MANTYPE=man + TEST_SHELL=ksh + ;; +*-*-unicosmk*) + AC_DEFINE(NO_SSH_LASTLOG) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_FD_PASSING) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-*-unicosmp*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_FD_PASSING) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lgen -lacid -ldb" + MANTYPE=cat + ;; +*-*-unicos*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(USE_PIPES) + AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE(NO_SSH_LASTLOG) + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" + LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" + MANTYPE=cat + ;; +*-dec-osf*) + AC_MSG_CHECKING(for Digital Unix SIA) + no_osfsia="" + AC_ARG_WITH(osfsia, + [ --with-osfsia Enable Digital Unix SIA], + [ + if test "x$withval" = "xno" ; then + AC_MSG_RESULT(disabled) + no_osfsia=1 + fi + ], + ) + if test -z "$no_osfsia" ; then + if test -f /etc/sia/matrix.conf; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_OSF_SIA) + AC_DEFINE(DISABLE_LOGIN) + AC_DEFINE(DISABLE_FD_PASSING) + LIBS="$LIBS -lsecurity -ldb -lm -laud" + else + AC_MSG_RESULT(no) + AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") + fi + fi + AC_DEFINE(BROKEN_GETADDRINFO) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; + +*-*-nto-qnx) + AC_DEFINE(USE_PIPES) + AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(MISSING_NFDBITS) + AC_DEFINE(MISSING_HOWMANY) + AC_DEFINE(MISSING_FD_MASK) + ;; + +*-*-ultrix*) + AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1]) + AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files]) + AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty]) + AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix]) + ;; + +*-*-lynxos) + CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" + AC_DEFINE(MISSING_HOWMANY) + AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation]) + ;; +esac + +# Allow user to specify flags +AC_ARG_WITH(cflags, + [ --with-cflags Specify additional flags to pass to compiler], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CFLAGS="$CFLAGS $withval" + fi + ] +) +AC_ARG_WITH(cppflags, + [ --with-cppflags Specify additional flags to pass to preprocessor] , + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + CPPFLAGS="$CPPFLAGS $withval" + fi + ] +) +AC_ARG_WITH(ldflags, + [ --with-ldflags Specify additional flags to pass to linker], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LDFLAGS="$LDFLAGS $withval" + fi + ] +) +AC_ARG_WITH(libs, + [ --with-libs Specify additional libraries to link with], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + LIBS="$LIBS $withval" + fi + ] +) +AC_ARG_WITH(Werror, + [ --with-Werror Build main code with -Werror], + [ + if test -n "$withval" && test "x$withval" != "xno"; then + werror_flags="-Werror" + if "x${withval}" != "xyes"; then + werror_flags="$withval" + fi + fi + ] +) + +AC_MSG_CHECKING(compiler and flags for sanity) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include +int main(){exit(0);} + ])], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***]) + ], + [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ] +) + +dnl Checks for header files. +AC_CHECK_HEADERS( \ + bstring.h \ + crypt.h \ + dirent.h \ + endian.h \ + features.h \ + floatingpoint.h \ + getopt.h \ + glob.h \ + ia.h \ + iaf.h \ + lastlog.h \ + limits.h \ + login.h \ + login_cap.h \ + maillock.h \ + ndir.h \ + netdb.h \ + netgroup.h \ + netinet/in_systm.h \ + pam/pam_appl.h \ + paths.h \ + pty.h \ + readpassphrase.h \ + rpc/types.h \ + security/pam_appl.h \ + shadow.h \ + stddef.h \ + stdint.h \ + string.h \ + strings.h \ + sys/audit.h \ + sys/bitypes.h \ + sys/bsdtty.h \ + sys/cdefs.h \ + sys/dir.h \ + sys/mman.h \ + sys/ndir.h \ + sys/prctl.h \ + sys/pstat.h \ + sys/select.h \ + sys/stat.h \ + sys/stream.h \ + sys/stropts.h \ + sys/strtio.h \ + sys/sysmacros.h \ + sys/time.h \ + sys/timers.h \ + sys/un.h \ + time.h \ + tmpdir.h \ + ttyent.h \ + unistd.h \ + usersec.h \ + util.h \ + utime.h \ + utmp.h \ + utmpx.h \ + vis.h \ +) + +# sys/ptms.h requires sys/stream.h to be included first on Solaris +AC_CHECK_HEADERS(sys/ptms.h, [], [], [ +#ifdef HAVE_SYS_STREAM_H +# include +#endif +]) + +# Checks for libraries. +AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) +AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt)) + +dnl IRIX and Solaris 2.5.1 have dirname() in libgen +AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ + AC_CHECK_LIB(gen, dirname,[ + AC_CACHE_CHECK([for broken dirname], + ac_cv_have_broken_dirname, [ + save_LIBS="$LIBS" + LIBS="$LIBS -lgen" + AC_TRY_RUN( + [ +#include +#include + +int main(int argc, char **argv) { + char *s, buf[32]; + + strncpy(buf,"/etc", 32); + s = dirname(buf); + if (!s || strncmp(s, "/", 32) != 0) { + exit(1); + } else { + exit(0); + } +} + ], + [ ac_cv_have_broken_dirname="no" ], + [ ac_cv_have_broken_dirname="yes" ] + ) + LIBS="$save_LIBS" + ]) + if test "x$ac_cv_have_broken_dirname" = "xno" ; then + LIBS="$LIBS -lgen" + AC_DEFINE(HAVE_DIRNAME) + AC_CHECK_HEADERS(libgen.h) + fi + ]) +]) + +AC_CHECK_FUNC(getspnam, , + AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) + +dnl zlib is required +AC_ARG_WITH(zlib, + [ --with-zlib=PATH Use zlib in PATH], + [ if test "x$withval" = "xno" ; then + AC_MSG_ERROR([*** zlib is required ***]) + elif test "x$withval" != "xyes"; then + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi ] +) + +AC_CHECK_LIB(z, deflate, , + [ + saved_CPPFLAGS="$CPPFLAGS" + saved_LDFLAGS="$LDFLAGS" + save_LIBS="$LIBS" + dnl Check default zlib install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" + LIBS="$LIBS -lz" + AC_TRY_LINK_FUNC(deflate, AC_DEFINE(HAVE_LIBZ), + [ + AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]) + ] + ) + ] +) +AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])) + +AC_ARG_WITH(zlib-version-check, + [ --without-zlib-version-check Disable zlib version check], + [ if test "x$withval" = "xno" ; then + zlib_check_nonfatal=1 + fi + ] +) + +AC_MSG_CHECKING(for possibly buggy zlib) +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main() +{ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) + exit(0); + + /* 1.2.3 and up are OK */ + if (v >= 1020300) + exit(0); + + exit(2); +} + ]])], + AC_MSG_RESULT(no), + [ AC_MSG_RESULT(yes) + if test -z "$zlib_check_nonfatal" ; then + AC_MSG_ERROR([*** zlib too old - check config.log *** +Your reported zlib version has known security problems. It's possible your +vendor has fixed these problems without changing the version number. If you +are sure this is the case, you can disable the check by running +"./configure --without-zlib-version-check". +If you are in doubt, upgrade zlib to version 1.2.3 or greater. +See http://www.gzip.org/zlib/ for details.]) + else + AC_MSG_WARN([zlib version may have security problems]) + fi + ], + [ AC_MSG_WARN([cross compiling: not checking zlib version]) ] +) + +dnl UnixWare 2.x +AC_CHECK_FUNC(strcasecmp, + [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] +) +AC_CHECK_FUNC(utimes, + [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES) + LIBS="$LIBS -lc89"]) ] +) + +dnl Checks for libutil functions +AC_CHECK_HEADERS(libutil.h) +AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN)]) +AC_CHECK_FUNCS(logout updwtmp logwtmp) + +AC_FUNC_STRFTIME + +# Check for ALTDIRFUNC glob() extension +AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support) +AC_EGREP_CPP(FOUNDIT, + [ + #include + #ifdef GLOB_ALTDIRFUNC + FOUNDIT + #endif + ], + [ + AC_DEFINE(GLOB_HAS_ALTDIRFUNC) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +# Check for g.gl_matchc glob() extension +AC_MSG_CHECKING(for gl_matchc field in glob_t) +AC_EGREP_CPP(FOUNDIT, + [ + #include + int main(void){glob_t g; g.gl_matchc = 1;} + ], + [ + AC_DEFINE(GLOB_HAS_GL_MATCHC) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} + ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) + ], + [ + AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) + ] +) + +AC_MSG_CHECKING([for /proc/pid/fd directory]) +if test -d "/proc/$$/fd" ; then + AC_DEFINE(HAVE_PROC_PID) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi + +# Check whether user wants S/Key support +SKEY_MSG="no" +AC_ARG_WITH(skey, + [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE(SKEY) + LIBS="-lskey $LIBS" + SKEY_MSG="yes" + + AC_MSG_CHECKING([for s/key support]) + AC_TRY_RUN( + [ +#include +#include +int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } + ], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) + ]) + AC_MSG_CHECKING(if skeychallenge takes 4 arguments) + AC_TRY_COMPILE( + [#include + #include ], + [(void)skeychallenge(NULL,"name","",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(SKEYCHALLENGE_4ARG)], + [AC_MSG_RESULT(no)] + ) + fi + ] +) + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH(tcp-wrappers, + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBWRAP="-lwrap" + LIBS="$LIBWRAP $LIBS" + AC_MSG_CHECKING(for libwrap) + AC_TRY_LINK( + [ +#include +#include +#include +#include + int deny_severity = 0, allow_severity = 0; + ], + [hosts_access(0);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + AC_SUBST(LIBWRAP) + TCPW_MSG="yes" + ], + [ + AC_MSG_ERROR([*** libwrap missing]) + ] + ) + LIBS="$saved_LIBS" + fi + ] +) + +# Check whether user wants libedit support +LIBEDIT_MSG="no" +AC_ARG_WITH(libedit, + [ --with-libedit[[=PATH]] Enable libedit support for sftp], + [ if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include" + LDFLAGS="$LDFLAGS -L$withval/lib" + fi + AC_CHECK_LIB(edit, el_init, + [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp]) + LIBEDIT="-ledit -lcurses" + LIBEDIT_MSG="yes" + AC_SUBST(LIBEDIT) + ], + [ AC_MSG_ERROR(libedit not found) ], + [ -lcurses ] + ) + AC_MSG_CHECKING(if libedit version is compatible) + AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void) +{ + int i = H_SETSIZE; + el_init("", NULL, NULL, NULL); + exit(0); +} + ]])], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + AC_MSG_ERROR(libedit version is not compatible) ] + ) + fi ] +) + +AUDIT_MODULE=none +AC_ARG_WITH(audit, + [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], + [ + AC_MSG_CHECKING(for supported audit module) + case "$withval" in + bsm) + AC_MSG_RESULT(bsm) + AUDIT_MODULE=bsm + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS(bsm/audit.h, [], + [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)]) + AC_CHECK_LIB(bsm, getaudit, [], + [AC_MSG_ERROR(BSM enabled and required library not found)]) + AC_CHECK_FUNCS(getaudit, [], + [AC_MSG_ERROR(BSM enabled and required function not found)]) + # These are optional + AC_CHECK_FUNCS(getaudit_addr) + AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM audit module]) + ;; + debug) + AUDIT_MODULE=debug + AC_MSG_RESULT(debug) + AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module) + ;; + no) + AC_MSG_RESULT(no) + ;; + *) + AC_MSG_ERROR([Unknown audit module $withval]) + ;; + esac ] +) + +dnl Checks for library functions. Please keep in alphabetical order +AC_CHECK_FUNCS( \ + arc4random \ + b64_ntop \ + __b64_ntop \ + b64_pton \ + __b64_pton \ + bcopy \ + bindresvport_sa \ + clock \ + closefrom \ + dirfd \ + fchmod \ + fchown \ + freeaddrinfo \ + futimes \ + getaddrinfo \ + getcwd \ + getgrouplist \ + getnameinfo \ + getopt \ + getpeereid \ + _getpty \ + getrlimit \ + getttyent \ + glob \ + inet_aton \ + inet_ntoa \ + inet_ntop \ + innetgr \ + login_getcapbool \ + md5_crypt \ + memmove \ + mkdtemp \ + mmap \ + ngetaddrinfo \ + nsleep \ + ogetaddrinfo \ + openlog_r \ + openpty \ + prctl \ + pstat \ + readpassphrase \ + realpath \ + recvmsg \ + rresvport_af \ + sendmsg \ + setdtablesize \ + setegid \ + setenv \ + seteuid \ + setgroups \ + setlogin \ + setpcred \ + setproctitle \ + setregid \ + setreuid \ + setrlimit \ + setsid \ + setvbuf \ + sigaction \ + sigvec \ + snprintf \ + socketpair \ + strdup \ + strerror \ + strlcat \ + strlcpy \ + strmode \ + strnvis \ + strtonum \ + strtoll \ + strtoul \ + sysconf \ + tcgetpgrp \ + truncate \ + unsetenv \ + updwtmpx \ + utimes \ + vhangup \ + vsnprintf \ + waitpid \ +) + +# IRIX has a const char return value for gai_strerror() +AC_CHECK_FUNCS(gai_strerror,[ + AC_DEFINE(HAVE_GAI_STRERROR) + AC_TRY_COMPILE([ +#include +#include +#include + +const char *gai_strerror(int);],[ +char *str; + +str = gai_strerror(0);],[ + AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, + [Define if gai_strerror() returns const char *])])]) + +AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) + +dnl Make sure prototypes are defined for these before using them. +AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)]) +AC_CHECK_DECL(strsep, + [AC_CHECK_FUNCS(strsep)], + [], + [ +#ifdef HAVE_STRING_H +# include +#endif + ]) + +dnl tcsendbreak might be a macro +AC_CHECK_DECL(tcsendbreak, + [AC_DEFINE(HAVE_TCSENDBREAK)], + [AC_CHECK_FUNCS(tcsendbreak)], + [#include ] +) + +AC_CHECK_DECLS(h_errno, , ,[#include ]) + +AC_CHECK_FUNCS(setresuid, [ + dnl Some platorms have setresuid that isn't implemented, test for this + AC_MSG_CHECKING(if setresuid seems to work) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} + ]])], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESUID) + AC_MSG_RESULT(not implemented)], + [AC_MSG_WARN([cross compiling: not checking setresuid])] + ) +]) + +AC_CHECK_FUNCS(setresgid, [ + dnl Some platorms have setresgid that isn't implemented, test for this + AC_MSG_CHECKING(if setresgid seems to work) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} + ]])], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESGID) + AC_MSG_RESULT(not implemented)], + [AC_MSG_WARN([cross compiling: not checking setresuid])] + ) +]) + +dnl Checks for time functions +AC_CHECK_FUNCS(gettimeofday time) +dnl Checks for utmp functions +AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent) +AC_CHECK_FUNCS(utmpname) +dnl Checks for utmpx functions +AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) +AC_CHECK_FUNCS(setutxent utmpxname) + +AC_CHECK_FUNC(daemon, + [AC_DEFINE(HAVE_DAEMON)], + [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] +) + +AC_CHECK_FUNC(getpagesize, + [AC_DEFINE(HAVE_GETPAGESIZE)], + [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] +) + +# Check for broken snprintf +if test "x$ac_cv_func_snprintf" = "xyes" ; then + AC_MSG_CHECKING([whether snprintf correctly terminates long strings]) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');} + ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_SNPRINTF) + AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ], + [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] + ) +fi + +# Check for missing getpeereid (or equiv) support +NO_PEERCHECK="" +if test "x$ac_cv_func_getpeereid" != "xyes" ; then + AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) + AC_TRY_COMPILE( + [#include + #include ], + [int i = SO_PEERCRED;], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option]) + ], + [AC_MSG_RESULT(no) + NO_PEERCHECK=1] + ) +fi + +dnl see whether mkstemp() requires XXXXXX +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +AC_MSG_CHECKING([for (overly) strict mkstemp]) +AC_TRY_RUN( + [ +#include +main() { char template[]="conftest.mkstemp-test"; +if (mkstemp(template) == -1) + exit(1); +unlink(template); exit(0); +} + ], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_STRICT_MKSTEMP) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_STRICT_MKSTEMP) + ] +) +fi + +dnl make sure that openpty does not reacquire controlling terminal +if test ! -z "$check_for_openpty_ctty_bug"; then + AC_MSG_CHECKING(if openpty correctly handles controlling tty) + AC_TRY_RUN( + [ +#include +#include +#include +#include + +int +main() +{ + pid_t pid; + int fd, ptyfd, ttyfd, status; + + pid = fork(); + if (pid < 0) { /* failed */ + exit(1); + } else if (pid > 0) { /* parent */ + waitpid(pid, &status, 0); + if (WIFEXITED(status)) + exit(WEXITSTATUS(status)); + else + exit(2); + } else { /* child */ + close(0); close(1); close(2); + setsid(); + openpty(&ptyfd, &ttyfd, NULL, NULL, NULL); + fd = open("/dev/tty", O_RDWR | O_NOCTTY); + if (fd >= 0) + exit(3); /* Acquired ctty: broken */ + else + exit(0); /* Did not acquire ctty: OK */ + } +} + ], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(SSHD_ACQUIRES_CTTY) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_aix_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); + exit(2); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(AIX_GETNAMEINFO_HACK, [], +[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address]) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + +if test "x$check_for_conflicting_getspnam" = "x1"; then + AC_MSG_CHECKING(for conflicting getspnam in shadow.h) + AC_COMPILE_IFELSE( + [ +#include +int main(void) {exit(0);} + ], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(GETSPNAM_CONFLICTING_DEFS, 1, + [Conflicting defs for getspnam]) + ] + ) +fi + +AC_FUNC_GETPGRP + +# Check for PAM libs +PAM_MSG="no" +AC_ARG_WITH(pam, + [ --with-pam Enable PAM support ], + [ + if test "x$withval" != "xno" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ + test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then + AC_MSG_ERROR([PAM headers not found]) + fi + + AC_CHECK_LIB(dl, dlopen, , ) + AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) + AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_FUNCS(pam_putenv) + + PAM_MSG="yes" + + AC_DEFINE(USE_PAM) + if test $ac_cv_lib_dl_dlopen = yes; then + LIBPAM="-lpam -ldl" + else + LIBPAM="-lpam" + fi + AC_SUBST(LIBPAM) + fi + ] +) + +# Check for older PAM +if test "x$PAM_MSG" = "xyes" ; then + # Check PAM strerror arguments (old PAM) + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_TRY_COMPILE( + [ +#include +#if defined(HAVE_SECURITY_PAM_APPL_H) +#include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], + [AC_MSG_RESULT(no)], + [ + AC_DEFINE(HAVE_OLD_PAM) + AC_MSG_RESULT(yes) + PAM_MSG="yes (old library)" + ] + ) +fi + +# Search for OpenSSL +saved_CPPFLAGS="$CPPFLAGS" +saved_LDFLAGS="$LDFLAGS" +AC_ARG_WITH(ssl-dir, + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "xno" ; then + case "$withval" in + # Relative paths + ./*|../*) withval="`pwd`/$withval" + esac + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + ] +) +LIBS="-lcrypto $LIBS" +AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), + [ + dnl Check default openssl install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" + AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), + [ + AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) + ] + ) + ] +) + +# Determine OpenSSL header version +AC_MSG_CHECKING([OpenSSL header version]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#define DATA "conftest.sslincver" +int main(void) { + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) + exit(1); + + exit(0); +} + ]])], + [ + ssl_header_ver=`cat conftest.sslincver` + AC_MSG_RESULT($ssl_header_ver) + ], + [ + AC_MSG_RESULT(not found) + AC_MSG_ERROR(OpenSSL version header not found.) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +# Determine OpenSSL library version +AC_MSG_CHECKING([OpenSSL library version]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include +#define DATA "conftest.ssllibver" +int main(void) { + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) + exit(1); + + exit(0); +} + ]])], + [ + ssl_library_ver=`cat conftest.ssllibver` + AC_MSG_RESULT($ssl_library_ver) + ], + [ + AC_MSG_RESULT(not found) + AC_MSG_ERROR(OpenSSL library not found.) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +# Sanity check OpenSSL headers +AC_MSG_CHECKING([whether OpenSSL's headers match the library]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([Your OpenSSL headers do not match your library. +Check config.log for details. +Also see contrib/findssl.sh for help identifying header/library mismatches.]) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) + ] +) + +# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, +# because the system crypt() is more featureful. +if test "x$check_for_libcrypt_before" = "x1"; then + AC_CHECK_LIB(crypt, crypt) +fi + +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# version in OpenSSL. +if test "x$check_for_libcrypt_later" = "x1"; then + AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") +fi + +AC_CHECK_LIB(iaf, ia_openinfo) + +### Configure cryptographic random number support + +# Check wheter OpenSSL seeds itself +AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { exit(RAND_status() == 1 ? 0 : 1); } + ]])], + [ + OPENSSL_SEEDS_ITSELF=yes + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + # Default to use of the rand helper if OpenSSL doesn't + # seed itself + USE_RAND_HELPER=yes + ], + [ + AC_MSG_WARN([cross compiling: assuming yes]) + # This is safe, since all recent OpenSSL versions will + # complain at runtime if not seeded correctly. + OPENSSL_SEEDS_ITSELF=yes + ] +) + + +# Do we want to force the use of the rand helper? +AC_ARG_WITH(rand-helper, + [ --with-rand-helper Use subprocess to gather strong randomness ], + [ + if test "x$withval" = "xno" ; then + # Force use of OpenSSL's internal RNG, even if + # the previous test showed it to be unseeded. + if test -z "$OPENSSL_SEEDS_ITSELF" ; then + AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG]) + OPENSSL_SEEDS_ITSELF=yes + USE_RAND_HELPER="" + fi + else + USE_RAND_HELPER=yes + fi + ], +) + +# Which randomness source do we use? +if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then + # OpenSSL only + AC_DEFINE(OPENSSL_PRNG_ONLY) + RAND_MSG="OpenSSL internal ONLY" + INSTALL_SSH_RAND_HELPER="" +elif test ! -z "$USE_RAND_HELPER" ; then + # install rand helper + RAND_MSG="ssh-rand-helper" + INSTALL_SSH_RAND_HELPER="yes" +fi +AC_SUBST(INSTALL_SSH_RAND_HELPER) + +### Configuration of ssh-rand-helper + +# PRNGD TCP socket +AC_ARG_WITH(prngd-port, + [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT], + [ + case "$withval" in + no) + withval="" + ;; + [[0-9]]*) + ;; + *) + AC_MSG_ERROR(You must specify a numeric port number for --with-prngd-port) + ;; + esac + if test ! -z "$withval" ; then + PRNGD_PORT="$withval" + AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) + fi + ] +) + +# PRNGD Unix domain socket +AC_ARG_WITH(prngd-socket, + [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], + [ + case "$withval" in + yes) + withval="/var/run/egd-pool" + ;; + no) + withval="" + ;; + /*) + ;; + *) + AC_MSG_ERROR(You must specify an absolute path to the entropy socket) + ;; + esac + + if test ! -z "$withval" ; then + if test ! -z "$PRNGD_PORT" ; then + AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket) + fi + if test ! -r "$withval" ; then + AC_MSG_WARN(Entropy socket is not readable) + fi + PRNGD_SOCKET="$withval" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") + fi + ], + [ + # Check for existing socket only if we don't have a random device already + if test "$USE_RAND_HELPER" = yes ; then + AC_MSG_CHECKING(for PRNGD/EGD socket) + # Insert other locations here + for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") + break; + fi + done + if test ! -z "$PRNGD_SOCKET" ; then + AC_MSG_RESULT($PRNGD_SOCKET) + else + AC_MSG_RESULT(not found) + fi + fi + ] +) + +# Change default command timeout for hashing entropy source +entropy_timeout=200 +AC_ARG_WITH(entropy-timeout, + [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + entropy_timeout=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) + +SSH_PRIVSEP_USER=sshd +AC_ARG_WITH(privsep-user, + [ --with-privsep-user=user Specify non-privileged user for privilege separation], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + SSH_PRIVSEP_USER=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER") +AC_SUBST(SSH_PRIVSEP_USER) + +# We do this little dance with the search path to insure +# that programs that we select for use by installed programs +# (which may be run by the super-user) come from trusted +# locations before they come from the user's private area. +# This should help avoid accidentally configuring some +# random version of a program in someone's personal bin. + +OPATH=$PATH +PATH=/bin:/usr/bin +test -h /bin 2> /dev/null && PATH=/usr/bin +test -d /sbin && PATH=$PATH:/sbin +test -d /usr/sbin && PATH=$PATH:/usr/sbin +PATH=$PATH:/etc:$OPATH + +# These programs are used by the command hashing source to gather entropy +OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) +OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) +OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) +OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) +OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) +OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) +OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar) +OSSH_PATH_ENTROPY_PROG(PROG_W, w) +OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) +OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) +OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) +OSSH_PATH_ENTROPY_PROG(PROG_DF, df) +OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) +OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) +OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) +OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) +# restore PATH +PATH=$OPATH + +# Where does ssh-rand-helper get its randomness from? +INSTALL_SSH_PRNG_CMDS="" +if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then + if test ! -z "$PRNGD_PORT" ; then + RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT" + elif test ! -z "$PRNGD_SOCKET" ; then + RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\"" + else + RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)" + RAND_HELPER_CMDHASH=yes + INSTALL_SSH_PRNG_CMDS="yes" + fi +fi +AC_SUBST(INSTALL_SSH_PRNG_CMDS) + + +# Cheap hack to ensure NEWS-OS libraries are arranged right. +if test ! -z "$SONY" ; then + LIBS="$LIBS -liberty"; +fi + +# Checks for data types +AC_CHECK_SIZEOF(char, 1) +AC_CHECK_SIZEOF(short int, 2) +AC_CHECK_SIZEOF(int, 4) +AC_CHECK_SIZEOF(long int, 4) +AC_CHECK_SIZEOF(long long int, 8) + +# Sanity check long long for some platforms (AIX) +if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then + ac_cv_sizeof_long_long_int=0 +fi + +# More checks for data types +AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int a; a = 1;], + [ ac_cv_have_u_int="yes" ], + [ ac_cv_have_u_int="no" ] + ) +]) +if test "x$ac_cv_have_u_int" = "xyes" ; then + AC_DEFINE(HAVE_U_INT) + have_u_int=1 +fi + +AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [ + AC_TRY_COMPILE( + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ ac_cv_have_intxx_t="yes" ], + [ ac_cv_have_intxx_t="no" ] + ) +]) +if test "x$ac_cv_have_intxx_t" = "xyes" ; then + AC_DEFINE(HAVE_INTXX_T) + have_intxx_t=1 +fi + +if (test -z "$have_intxx_t" && \ + test "x$ac_cv_header_stdint_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t types in stdint.h]) + AC_TRY_COMPILE( + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [ + AC_TRY_COMPILE( + [ +#include +#ifdef HAVE_STDINT_H +# include +#endif +#include +#ifdef HAVE_SYS_BITYPES_H +# include +#endif + ], + [ int64_t a; a = 1;], + [ ac_cv_have_int64_t="yes" ], + [ ac_cv_have_int64_t="no" ] + ) +]) +if test "x$ac_cv_have_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_INT64_T) +fi + +AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ ac_cv_have_u_intxx_t="yes" ], + [ ac_cv_have_u_intxx_t="no" ] + ) +]) +if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INTXX_T) + have_u_intxx_t=1 +fi + +if test -z "$have_u_intxx_t" ; then + AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h]) + AC_TRY_COMPILE( + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int64_t a; a = 1;], + [ ac_cv_have_u_int64_t="yes" ], + [ ac_cv_have_u_int64_t="no" ] + ) +]) +if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INT64_T) + have_u_int64_t=1 +fi + +if test -z "$have_u_int64_t" ; then + AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) + AC_TRY_COMPILE( + [ #include ], + [ u_int64_t a; a = 1], + [ + AC_DEFINE(HAVE_U_INT64_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +if test -z "$have_u_intxx_t" ; then + AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ], + [ ac_cv_have_uintxx_t="yes" ], + [ ac_cv_have_uintxx_t="no" ] + ) + ]) + if test "x$ac_cv_have_uintxx_t" = "xyes" ; then + AC_DEFINE(HAVE_UINTXX_T) + fi +fi + +if test -z "$have_uintxx_t" ; then + AC_MSG_CHECKING([for uintXX_t types in stdint.h]) + AC_TRY_COMPILE( + [ #include ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_UINTXX_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + +if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) + AC_TRY_COMPILE( + [ +#include + ], + [ + int8_t a; int16_t b; int32_t c; + u_int8_t e; u_int16_t f; u_int32_t g; + a = b = c = e = f = g = 1; + ], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) +fi + + +AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [ + AC_TRY_COMPILE( + [ +#include + ], + [ u_char foo; foo = 125; ], + [ ac_cv_have_u_char="yes" ], + [ ac_cv_have_u_char="no" ] + ) +]) +if test "x$ac_cv_have_u_char" = "xyes" ; then + AC_DEFINE(HAVE_U_CHAR) +fi + +TYPE_SOCKLEN_T + +AC_CHECK_TYPES(sig_atomic_t,,,[#include ]) + +AC_CHECK_TYPES(in_addr_t,,, +[#include +#include ]) + +AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ size_t foo; foo = 1235; ], + [ ac_cv_have_size_t="yes" ], + [ ac_cv_have_size_t="no" ] + ) +]) +if test "x$ac_cv_have_size_t" = "xyes" ; then + AC_DEFINE(HAVE_SIZE_T) +fi + +AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ ssize_t foo; foo = 1235; ], + [ ac_cv_have_ssize_t="yes" ], + [ ac_cv_have_ssize_t="no" ] + ) +]) +if test "x$ac_cv_have_ssize_t" = "xyes" ; then + AC_DEFINE(HAVE_SSIZE_T) +fi + +AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ clock_t foo; foo = 1235; ], + [ ac_cv_have_clock_t="yes" ], + [ ac_cv_have_clock_t="no" ] + ) +]) +if test "x$ac_cv_have_clock_t" = "xyes" ; then + AC_DEFINE(HAVE_CLOCK_T) +fi + +AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ sa_family_t foo; foo = 1235; ], + [ ac_cv_have_sa_family_t="yes" ], + [ AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ sa_family_t foo; foo = 1235; ], + [ ac_cv_have_sa_family_t="yes" ], + + [ ac_cv_have_sa_family_t="no" ] + )] + ) +]) +if test "x$ac_cv_have_sa_family_t" = "xyes" ; then + AC_DEFINE(HAVE_SA_FAMILY_T) +fi + +AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ pid_t foo; foo = 1235; ], + [ ac_cv_have_pid_t="yes" ], + [ ac_cv_have_pid_t="no" ] + ) +]) +if test "x$ac_cv_have_pid_t" = "xyes" ; then + AC_DEFINE(HAVE_PID_T) +fi + +AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ mode_t foo; foo = 1235; ], + [ ac_cv_have_mode_t="yes" ], + [ ac_cv_have_mode_t="no" ] + ) +]) +if test "x$ac_cv_have_mode_t" = "xyes" ; then + AC_DEFINE(HAVE_MODE_T) +fi + + +AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; ], + [ ac_cv_have_struct_sockaddr_storage="yes" ], + [ ac_cv_have_struct_sockaddr_storage="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) +fi + +AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_in6 s; s.sin6_family = 0; ], + [ ac_cv_have_struct_sockaddr_in6="yes" ], + [ ac_cv_have_struct_sockaddr_in6="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) +fi + +AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct in6_addr s; s.s6_addr[0] = 0; ], + [ ac_cv_have_struct_in6_addr="yes" ], + [ ac_cv_have_struct_in6_addr="no" ] + ) +]) +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_IN6_ADDR) +fi + +AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ + AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ struct addrinfo s; s.ai_flags = AI_PASSIVE; ], + [ ac_cv_have_struct_addrinfo="yes" ], + [ ac_cv_have_struct_addrinfo="no" ] + ) +]) +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_ADDRINFO) +fi + +AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ + AC_TRY_COMPILE( + [ #include ], + [ struct timeval tv; tv.tv_sec = 1;], + [ ac_cv_have_struct_timeval="yes" ], + [ ac_cv_have_struct_timeval="no" ] + ) +]) +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_TIMEVAL) + have_struct_timeval=1 +fi + +AC_CHECK_TYPES(struct timespec) + +# We need int64_t or else certian parts of the compile will fail. +if test "x$ac_cv_have_int64_t" = "xno" && \ + test "x$ac_cv_sizeof_long_int" != "x8" && \ + test "x$ac_cv_sizeof_long_long_int" = "x0" ; then + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." + echo "" + exit 1; +else +dnl test snprintf (broken on SCO w/gcc) + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffffll; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + ]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ], + AC_MSG_WARN([cross compiling: Assuming working snprintf()]) + ) +fi + +dnl Checks for structure members +OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmpx.h, HAVE_HOST_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_pid, utmp.h, HAVE_PID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmp.h, HAVE_TYPE_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmpx.h, HAVE_ID_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmpx.h, HAVE_ADDR_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmp.h, HAVE_ADDR_V6_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmpx.h, HAVE_ADDR_V6_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_exit, utmp.h, HAVE_EXIT_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmp.h, HAVE_TIME_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) + +AC_CHECK_MEMBERS([struct stat.st_blksize]) + +AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], + ac_cv_have_ss_family_in_struct_ss, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; s.ss_family = 1; ], + [ ac_cv_have_ss_family_in_struct_ss="yes" ], + [ ac_cv_have_ss_family_in_struct_ss="no" ], + ) +]) +if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE(HAVE_SS_FAMILY_IN_SS) +fi + +AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], + ac_cv_have___ss_family_in_struct_ss, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; s.__ss_family = 1; ], + [ ac_cv_have___ss_family_in_struct_ss="yes" ], + [ ac_cv_have___ss_family_in_struct_ss="no" ] + ) +]) +if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE(HAVE___SS_FAMILY_IN_SS) +fi + +AC_CACHE_CHECK([for pw_class field in struct passwd], + ac_cv_have_pw_class_in_struct_passwd, [ + AC_TRY_COMPILE( + [ +#include + ], + [ struct passwd p; p.pw_class = 0; ], + [ ac_cv_have_pw_class_in_struct_passwd="yes" ], + [ ac_cv_have_pw_class_in_struct_passwd="no" ] + ) +]) +if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then + AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD) +fi + +AC_CACHE_CHECK([for pw_expire field in struct passwd], + ac_cv_have_pw_expire_in_struct_passwd, [ + AC_TRY_COMPILE( + [ +#include + ], + [ struct passwd p; p.pw_expire = 0; ], + [ ac_cv_have_pw_expire_in_struct_passwd="yes" ], + [ ac_cv_have_pw_expire_in_struct_passwd="no" ] + ) +]) +if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then + AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD) +fi + +AC_CACHE_CHECK([for pw_change field in struct passwd], + ac_cv_have_pw_change_in_struct_passwd, [ + AC_TRY_COMPILE( + [ +#include + ], + [ struct passwd p; p.pw_change = 0; ], + [ ac_cv_have_pw_change_in_struct_passwd="yes" ], + [ ac_cv_have_pw_change_in_struct_passwd="no" ] + ) +]) +if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then + AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD) +fi + +dnl make sure we're using the real structure members and not defines +AC_CACHE_CHECK([for msg_accrights field in struct msghdr], + ac_cv_have_accrights_in_msghdr, [ + AC_COMPILE_IFELSE( + [ +#include +#include +#include +int main() { +#ifdef msg_accrights +#error "msg_accrights is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_accrights = 0; +exit(0); +} + ], + [ ac_cv_have_accrights_in_msghdr="yes" ], + [ ac_cv_have_accrights_in_msghdr="no" ] + ) +]) +if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then + AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR) +fi + +AC_CACHE_CHECK([for msg_control field in struct msghdr], + ac_cv_have_control_in_msghdr, [ + AC_COMPILE_IFELSE( + [ +#include +#include +#include +int main() { +#ifdef msg_control +#error "msg_control is a macro" +exit(1); +#endif +struct msghdr m; +m.msg_control = 0; +exit(0); +} + ], + [ ac_cv_have_control_in_msghdr="yes" ], + [ ac_cv_have_control_in_msghdr="no" ] + ) +]) +if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then + AC_DEFINE(HAVE_CONTROL_IN_MSGHDR) +fi + +AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ + AC_TRY_LINK([], + [ extern char *__progname; printf("%s", __progname); ], + [ ac_cv_libc_defines___progname="yes" ], + [ ac_cv_libc_defines___progname="no" ] + ) +]) +if test "x$ac_cv_libc_defines___progname" = "xyes" ; then + AC_DEFINE(HAVE___PROGNAME) +fi + +AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ + AC_TRY_LINK([ +#include +], + [ printf("%s", __FUNCTION__); ], + [ ac_cv_cc_implements___FUNCTION__="yes" ], + [ ac_cv_cc_implements___FUNCTION__="no" ] + ) +]) +if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then + AC_DEFINE(HAVE___FUNCTION__) +fi + +AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [ + AC_TRY_LINK([ +#include +], + [ printf("%s", __func__); ], + [ ac_cv_cc_implements___func__="yes" ], + [ ac_cv_cc_implements___func__="no" ] + ) +]) +if test "x$ac_cv_cc_implements___func__" = "xyes" ; then + AC_DEFINE(HAVE___func__) +fi + +AC_CACHE_CHECK([whether getopt has optreset support], + ac_cv_have_getopt_optreset, [ + AC_TRY_LINK( + [ +#include + ], + [ extern int optreset; optreset = 0; ], + [ ac_cv_have_getopt_optreset="yes" ], + [ ac_cv_have_getopt_optreset="no" ] + ) +]) +if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then + AC_DEFINE(HAVE_GETOPT_OPTRESET) +fi + +AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ + AC_TRY_LINK([], + [ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);], + [ ac_cv_libc_defines_sys_errlist="yes" ], + [ ac_cv_libc_defines_sys_errlist="no" ] + ) +]) +if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then + AC_DEFINE(HAVE_SYS_ERRLIST) +fi + + +AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [ + AC_TRY_LINK([], + [ extern int sys_nerr; printf("%i", sys_nerr);], + [ ac_cv_libc_defines_sys_nerr="yes" ], + [ ac_cv_libc_defines_sys_nerr="no" ] + ) +]) +if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then + AC_DEFINE(HAVE_SYS_NERR) +fi + +SCARD_MSG="no" +# Check whether user wants sectok support +AC_ARG_WITH(sectok, + [ --with-sectok Enable smartcard support using libsectok], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}" + LDFLAGS="$LDFLAGS -L${withval}" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}" + fi + fi + AC_CHECK_HEADERS(sectok.h) + if test "$ac_cv_header_sectok_h" != yes; then + AC_MSG_ERROR(Can't find sectok.h) + fi + AC_CHECK_LIB(sectok, sectok_open) + if test "$ac_cv_lib_sectok_sectok_open" != yes; then + AC_MSG_ERROR(Can't find libsectok) + fi + AC_DEFINE(SMARTCARD) + AC_DEFINE(USE_SECTOK) + SCARD_MSG="yes, using sectok" + fi + ] +) + +# Check whether user wants OpenSC support +OPENSC_CONFIG="no" +AC_ARG_WITH(opensc, + [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes" ; then + OPENSC_CONFIG=$withval/bin/opensc-config + else + AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) + fi + if test "$OPENSC_CONFIG" != "no"; then + LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` + LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` + CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" + LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" + AC_DEFINE(SMARTCARD) + AC_DEFINE(USE_OPENSC) + SCARD_MSG="yes, using OpenSC" + fi + fi + ] +) + +# Check libraries needed by DNS fingerprint support +AC_SEARCH_LIBS(getrrsetbyname, resolv, + [AC_DEFINE(HAVE_GETRRSETBYNAME)], + [ + # Needed by our getrrsetbyname() + AC_SEARCH_LIBS(res_query, resolv) + AC_SEARCH_LIBS(dn_expand, resolv) + AC_MSG_CHECKING(if res_query will link) + AC_TRY_LINK_FUNC(res_query, AC_MSG_RESULT(yes), + [AC_MSG_RESULT(no) + saved_LIBS="$LIBS" + LIBS="$LIBS -lresolv" + AC_MSG_CHECKING(for res_query in -lresolv) + AC_LINK_IFELSE([ +#include +int main() +{ + res_query (0, 0, 0, 0, 0); + return 0; +} + ], + [LIBS="$LIBS -lresolv" + AC_MSG_RESULT(yes)], + [LIBS="$saved_LIBS" + AC_MSG_RESULT(no)]) + ]) + AC_CHECK_FUNCS(_getshort _getlong) + AC_CHECK_DECLS([_getshort, _getlong], , , + [#include + #include ]) + AC_CHECK_MEMBER(HEADER.ad, + [AC_DEFINE(HAVE_HEADER_AD)],, + [#include ]) + ]) + +# Check whether user wants Kerberos 5 support +KRB5_MSG="no" +AC_ARG_WITH(kerberos5, + [ --with-kerberos5=PATH Enable Kerberos 5 support], + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi + + AC_DEFINE(KRB5) + KRB5_MSG="yes" + + AC_MSG_CHECKING(for krb5-config) + if test -x $KRB5ROOT/bin/krb5-config ; then + KRB5CONF=$KRB5ROOT/bin/krb5-config + AC_MSG_RESULT($KRB5CONF) + + AC_MSG_CHECKING(for gssapi support) + if $KRB5CONF | grep gssapi >/dev/null ; then + AC_MSG_RESULT(yes) + AC_DEFINE(GSSAPI) + k5confopts=gssapi + else + AC_MSG_RESULT(no) + k5confopts="" + fi + K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" + K5LIBS="`$KRB5CONF --libs $k5confopts`" + CPPFLAGS="$CPPFLAGS $K5CFLAGS" + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL) ], + AC_MSG_RESULT(no) + ) + else + AC_MSG_RESULT(no) + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" + LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL) + K5LIBS="-lkrb5 -ldes" + K5LIBS="$K5LIBS -lcom_err -lasn1" + AC_CHECK_LIB(roken, net_write, + [K5LIBS="$K5LIBS -lroken"]) + ], + [ AC_MSG_RESULT(no) + K5LIBS="-lkrb5 -lk5crypto -lcom_err" + ] + ) + AC_SEARCH_LIBS(dn_expand, resolv) + + AC_CHECK_LIB(gssapi,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], + $K5LIBS) + + AC_CHECK_HEADER(gssapi.h, , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS(gssapi.h, , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER(gssapi_krb5.h, , + [ CPPFLAGS="$oldCPP" ]) + + fi + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi + fi + + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) + AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) + + LIBS="$LIBS $K5LIBS" + AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) + ] +) + +# Looking for programs, paths and files + +PRIVSEP_PATH=/var/empty +AC_ARG_WITH(privsep-path, + [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + PRIVSEP_PATH=$withval + fi + ] +) +AC_SUBST(PRIVSEP_PATH) + +AC_ARG_WITH(xauth, + [ --with-xauth=PATH Specify path to xauth program ], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + xauth_path=$withval + fi + ], + [ + TestPath="$PATH" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin" + TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin" + AC_PATH_PROG(xauth_path, xauth, , $TestPath) + if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then + xauth_path="/usr/openwin/bin/xauth" + fi + ] +) + +STRIP_OPT=-s +AC_ARG_ENABLE(strip, + [ --disable-strip Disable calling strip(1) on install], + [ + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + ] +) +AC_SUBST(STRIP_OPT) + +if test -z "$xauth_path" ; then + XAUTH_PATH="undefined" + AC_SUBST(XAUTH_PATH) +else + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") + XAUTH_PATH=$xauth_path + AC_SUBST(XAUTH_PATH) +fi + +# Check for mail directory (last resort if we cannot get it from headers) +if test ! -z "$MAIL" ; then + maildir=`dirname $MAIL` + AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") +fi + +if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +fi +if test -z "$no_dev_ptmx" ; then + if test "x$disable_ptmx_check" != "xyes" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + ] + ) + fi +fi + +if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then + AC_CHECK_FILE("/dev/ptc", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 + ] + ) +else + AC_MSG_WARN([cross compiling: Disabling /dev/ptc test]) +fi + +# Options from here on. Some of these are preset by platform above +AC_ARG_WITH(mantype, + [ --with-mantype=man|cat|doc Set man page type], + [ + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + AC_MSG_ERROR(invalid man type: $withval) + ;; + esac + ] +) +if test -z "$MANTYPE"; then + TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb" + AC_PATH_PROGS(NROFF, nroff awf, /bin/false, $TestPath) + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi +AC_SUBST(MANTYPE) +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi +AC_SUBST(mansubdir) + +# Check whether to enable MD5 passwords +MD5_MSG="no" +AC_ARG_WITH(md5-passwords, + [ --with-md5-passwords Enable use of MD5 passwords], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(HAVE_MD5_PASSWORDS) + MD5_MSG="yes" + fi + ] +) + +# Whether to disable shadow password support +AC_ARG_WITH(shadow, + [ --without-shadow Disable shadow password support], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_SHADOW) + disable_shadow=yes + fi + ] +) + +if test -z "$disable_shadow" ; then + AC_MSG_CHECKING([if the systems has expire shadow information]) + AC_TRY_COMPILE( + [ +#include +#include + struct spwd sp; + ],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ], + [ sp_expire_available=yes ], [] + ) + + if test "x$sp_expire_available" = "xyes" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAS_SHADOW_EXPIRE) + else + AC_MSG_RESULT(no) + fi +fi + +# Use ip address instead of hostname in $DISPLAY +if test ! -z "$IPADDR_IN_DISPLAY" ; then + DISPLAY_HACK_MSG="yes" + AC_DEFINE(IPADDR_IN_DISPLAY) +else + DISPLAY_HACK_MSG="no" + AC_ARG_WITH(ipaddr-display, + [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(IPADDR_IN_DISPLAY) + DISPLAY_HACK_MSG="yes" + fi + ] + ) +fi + +# check for /etc/default/login and use it if present. +AC_ARG_ENABLE(etc-default-login, + [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]], + [ if test "x$enableval" = "xno"; then + AC_MSG_NOTICE([/etc/default/login handling disabled]) + etc_default_login=no + else + etc_default_login=yes + fi ], + [ etc_default_login=yes ] +) + +if test "x$etc_default_login" != "xno"; then + AC_CHECK_FILE("/etc/default/login", + [ external_path_file=/etc/default/login ]) + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; + then + AC_MSG_WARN([cross compiling: Disabling /etc/default/login test]) + elif test "x$external_path_file" = "x/etc/default/login"; then + AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN) + fi +fi + +dnl BSD systems use /etc/login.conf so --with-default-path= has no effect +if test $ac_cv_func_login_getcapbool = "yes" && \ + test $ac_cv_header_login_cap_h = "yes" ; then + external_path_file=/etc/login.conf +fi + +# Whether to mess with the default path +SERVER_PATH_MSG="(default)" +AC_ARG_WITH(default-path, + [ --with-default-path= Specify default \$PATH environment for server], + [ + if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([ +--with-default-path=PATH has no effect on this system. +Edit /etc/login.conf instead.]) + elif test "x$withval" != "xno" ; then + if test ! -z "$external_path_file" ; then + AC_MSG_WARN([ +--with-default-path=PATH will only be used if PATH is not defined in +$external_path_file .]) + fi + user_path="$withval" + SERVER_PATH_MSG="$withval" + fi + ], + [ if test "x$external_path_file" = "x/etc/login.conf" ; then + AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) + else + if test ! -z "$external_path_file" ; then + AC_MSG_WARN([ +If PATH is defined in $external_path_file, ensure the path to scp is included, +otherwise scp will not work.]) + fi + AC_TRY_RUN( + [ +/* find out what STDPATH is */ +#include +#ifdef HAVE_PATHS_H +# include +#endif +#ifndef _PATH_STDPATH +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif +#endif +#include +#include +#include +#define DATA "conftest.stdpath" + +main() +{ + FILE *fd; + int rc; + + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) + exit(1); + + exit(0); +} + ], [ user_path=`cat conftest.stdpath` ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] + ) +# make sure $bindir is in USER_PATH so scp will work + t_bindir=`eval echo ${bindir}` + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;; + esac + case $t_bindir in + NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;; + esac + echo $user_path | grep ":$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 + if test $? -ne 0 ; then + user_path=$user_path:$t_bindir + AC_MSG_RESULT(Adding $t_bindir to USER_PATH so scp will work) + fi + fi + fi ] +) +if test "x$external_path_file" != "x/etc/login.conf" ; then + AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") + AC_SUBST(user_path) +fi + +# Set superuser path separately to user path +AC_ARG_WITH(superuser-path, + [ --with-superuser-path= Specify different path for super-user], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval") + superuser_path=$withval + fi + ] +) + + +AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) +IPV4_IN6_HACK_MSG="no" +AC_ARG_WITH(4in6, + [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(IPV4_IN_IPV6) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT(no) + fi + ],[ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + AC_DEFINE(IPV4_IN_IPV6) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT([no (default)]) + fi + ] +) + +# Whether to enable BSD auth support +BSD_AUTH_MSG=no +AC_ARG_WITH(bsd-auth, + [ --with-bsd-auth Enable BSD auth support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(BSD_AUTH) + BSD_AUTH_MSG=yes + fi + ] +) + +# Where to place sshd.pid +piddir=/var/run +# make sure the directory exists +if test ! -d $piddir ; then + piddir=`eval echo ${sysconfdir}` + case $piddir in + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + esac +fi + +AC_ARG_WITH(pid-dir, + [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then + piddir=$withval + if test ! -d $piddir ; then + AC_MSG_WARN([** no $piddir directory on this system **]) + fi + fi + ] +) + +AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir") +AC_SUBST(piddir) + +dnl allow user to disable some login recording features +AC_ARG_ENABLE(lastlog, + [ --disable-lastlog disable use of lastlog even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + fi + ] +) +AC_ARG_ENABLE(utmp, + [ --disable-utmp disable use of utmp even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_UTMP) + fi + ] +) +AC_ARG_ENABLE(utmpx, + [ --disable-utmpx disable use of utmpx even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_UTMPX) + fi + ] +) +AC_ARG_ENABLE(wtmp, + [ --disable-wtmp disable use of wtmp even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_WTMP) + fi + ] +) +AC_ARG_ENABLE(wtmpx, + [ --disable-wtmpx disable use of wtmpx even if detected [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_WTMPX) + fi + ] +) +AC_ARG_ENABLE(libutil, + [ --disable-libutil disable use of libutil (login() etc.) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_LOGIN) + fi + ] +) +AC_ARG_ENABLE(pututline, + [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_PUTUTLINE) + fi + ] +) +AC_ARG_ENABLE(pututxline, + [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], + [ + if test "x$enableval" = "xno" ; then + AC_DEFINE(DISABLE_PUTUTXLINE) + fi + ] +) +AC_ARG_WITH(lastlog, + [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + elif test -n "$withval" && test "x${withval}" != "xyes"; then + conf_lastlog_location=$withval + fi + ] +) + +dnl lastlog, [uw]tmpx? detection +dnl NOTE: set the paths in the platform section to avoid the +dnl need for command-line parameters +dnl lastlog and [uw]tmp are subject to a file search if all else fails + +dnl lastlog detection +dnl NOTE: the code itself will detect if lastlog is a directory +AC_MSG_CHECKING([if your system defines LASTLOG_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + ], + [ char *lastlog = LASTLOG_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + AC_MSG_CHECKING([if your system defines _PATH_LASTLOG]) + AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *lastlog = _PATH_LASTLOG; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + system_lastlog_path=no + ]) + ] +) + +if test -z "$conf_lastlog_location"; then + if test x"$system_lastlog_path" = x"no" ; then + for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if (test -d "$f" || test -f "$f") ; then + conf_lastlog_location=$f + fi + done + if test -z "$conf_lastlog_location"; then + AC_MSG_WARN([** Cannot find lastlog **]) + dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx + fi + fi +fi + +if test -n "$conf_lastlog_location"; then + AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") +fi + +dnl utmp detection +AC_MSG_CHECKING([if your system defines UTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmp = UTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmp_path=no ] +) +if test -z "$conf_utmp_location"; then + if test x"$system_utmp_path" = x"no" ; then + for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do + if test -f $f ; then + conf_utmp_location=$f + fi + done + if test -z "$conf_utmp_location"; then + AC_DEFINE(DISABLE_UTMP) + fi + fi +fi +if test -n "$conf_utmp_location"; then + AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location") +fi + +dnl wtmp detection +AC_MSG_CHECKING([if your system defines WTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmp = WTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmp_path=no ] +) +if test -z "$conf_wtmp_location"; then + if test x"$system_wtmp_path" = x"no" ; then + for f in /usr/adm/wtmp /var/log/wtmp; do + if test -f $f ; then + conf_wtmp_location=$f + fi + done + if test -z "$conf_wtmp_location"; then + AC_DEFINE(DISABLE_WTMP) + fi + fi +fi +if test -n "$conf_wtmp_location"; then + AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location") +fi + + +dnl utmpx detection - I don't know any system so perverse as to require +dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out +dnl there, though. +AC_MSG_CHECKING([if your system defines UTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmpx = UTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmpx_path=no ] +) +if test -z "$conf_utmpx_location"; then + if test x"$system_utmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_UTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") +fi + +dnl wtmpx detection +AC_MSG_CHECKING([if your system defines WTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmpx = WTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmpx_path=no ] +) +if test -z "$conf_wtmpx_location"; then + if test x"$system_wtmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_WTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") +fi + + +if test ! -z "$blibpath" ; then + LDFLAGS="$LDFLAGS $blibflags$blibpath" + AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) +fi + +dnl remove pam and dl because they are in $LIBPAM +if test "$PAM_MSG" = yes ; then + LIBS=`echo $LIBS | sed 's/-lpam //'` +fi +if test "$ac_cv_lib_pam_pam_set_item" = yes ; then + LIBS=`echo $LIBS | sed 's/-ldl //'` +fi + +dnl Adding -Werror to CFLAGS early prevents configure tests from running. +dnl Add now. +CFLAGS="$CFLAGS $werror_flags" + +AC_EXEEXT +AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \ + scard/Makefile ssh_prng_cmds survey.sh]) +AC_OUTPUT + +# Print summary of options + +# Someone please show me a better way :) +A=`eval echo ${prefix}` ; A=`eval echo ${A}` +B=`eval echo ${bindir}` ; B=`eval echo ${B}` +C=`eval echo ${sbindir}` ; C=`eval echo ${C}` +D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` +E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` +F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` +G=`eval echo ${piddir}` ; G=`eval echo ${G}` +H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}` +I=`eval echo ${user_path}` ; I=`eval echo ${I}` +J=`eval echo ${superuser_path}` ; J=`eval echo ${J}` + +echo "" +echo "OpenSSH has been configured with the following options:" +echo " User binaries: $B" +echo " System binaries: $C" +echo " Configuration files: $D" +echo " Askpass program: $E" +echo " Manual pages: $F" +echo " PID file: $G" +echo " Privilege separation chroot path: $H" +if test "x$external_path_file" = "x/etc/login.conf" ; then +echo " At runtime, sshd will use the path defined in $external_path_file" +echo " Make sure the path to scp is present, otherwise scp will not work" +else +echo " sshd default user PATH: $I" + if test ! -z "$external_path_file"; then +echo " (If PATH is set in $external_path_file it will be used instead. If" +echo " used, ensure the path to scp is present, otherwise scp will not work.)" + fi +fi +if test ! -z "$superuser_path" ; then +echo " sshd superuser user PATH: $J" +fi +echo " Manpage format: $MANTYPE" +echo " PAM support: $PAM_MSG" +echo " KerberosV support: $KRB5_MSG" +echo " Smartcard support: $SCARD_MSG" +echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" +echo " MD5 password support: $MD5_MSG" +echo " libedit support: $LIBEDIT_MSG" +echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" +echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +echo " BSD Auth support: $BSD_AUTH_MSG" +echo " Random number source: $RAND_MSG" +if test ! -z "$USE_RAND_HELPER" ; then +echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" +fi + +echo "" + +echo " Host: ${host}" +echo " Compiler: ${CC}" +echo " Compiler flags: ${CFLAGS}" +echo "Preprocessor flags: ${CPPFLAGS}" +echo " Linker flags: ${LDFLAGS}" +echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}" + +echo "" + +if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then + echo "SVR4 style packages are supported with \"make package\"" + echo "" +fi + +if test "x$PAM_MSG" = "xyes" ; then + echo "PAM is enabled. You may need to install a PAM control file " + echo "for sshd, otherwise password authentication may fail. " + echo "Example PAM control files can be found in the contrib/ " + echo "subdirectory" + echo "" +fi + +if test ! -z "$RAND_HELPER_CMDHASH" ; then + echo "WARNING: you are using the builtin random number collection " + echo "service. Please read WARNING.RNG and request that your OS " + echo "vendor includes kernel-based random number collection in " + echo "future versions of your OS." + echo "" +fi + +if test ! -z "$NO_PEERCHECK" ; then + echo "WARNING: the operating system that you are using does not " + echo "appear to support either the getpeereid() API nor the " + echo "SO_PEERCRED getsockopt() option. These facilities are used to " + echo "enforce security checks to prevent unauthorised connections to " + echo "ssh-agent. Their absence increases the risk that a malicious " + echo "user can connect to your agent. " + echo "" +fi + +if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/Makefile openssh-4.2p1/contrib/Makefile --- ssh-openbsd-2005090100/contrib/Makefile Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/Makefile Mon Sep 30 10:44:40 2002 @@ -0,0 +1,15 @@ +all: + @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2" + +gnome-ssh-askpass1: gnome-ssh-askpass1.c + $(CC) `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \ + `gnome-config --libs gnome gnomeui` + +gnome-ssh-askpass2: gnome-ssh-askpass2.c + $(CC) `pkg-config --cflags gtk+-2.0` \ + gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ + `pkg-config --libs gtk+-2.0` + +clean: + rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/README openssh-4.2p1/contrib/README --- ssh-openbsd-2005090100/contrib/README Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/README Mon Jun 28 13:50:36 2004 @@ -0,0 +1,70 @@ +Other patches and addons for OpenSSH. Please send submissions to +djm@mindrot.org + +Externally maintained +--------------------- + +SSH Proxy Command -- connect.c + +Shun-ichi GOTO has written a very useful ProxyCommand +which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or +https CONNECT style proxy server. His page for connect.c has extensive +documentation on its use as well as compiled versions for Win32. + +http://www.taiyo.co.jp/~gotoh/ssh/connect.html + + +X11 SSH Askpass: + +Jim Knoble has written an excellent X11 +passphrase requester. This is highly recommended: + +http://www.jmknoble.net/software/x11-ssh-askpass/ + + +In this directory +----------------- + +ssh-copy-id: + +Phil Hands' shell script to automate the process of adding +your public key to a remote machine's ~/.ssh/authorized_keys file. + +gnome-ssh-askpass[12]: + +A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or +"make gnome-ssh-askpass2" to build. + +sshd.pam.generic: + +A generic PAM config file which may be useful on your system. YMMV + +sshd.pam.freebsd: + +A PAM config file which works with FreeBSD's PAM port. Contributed by +Dominik Brettnacher + +findssl.sh: + +Search for all instances of OpenSSL headers and libraries and print their +versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not +match your library" errors. + +aix: + Files to build an AIX native (installp or SMIT installable) package. + +caldera: + RPM spec file and scripts for building Caldera OpenLinuix packages + +cygwin: + Support files for Cygwin + +hpux: + Support files for HP-UX + +redhat: + RPM spec file and scripts for building Redhat packages + +suse: + RPM spec file and scripts for building SuSE packages + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/aix/README openssh-4.2p1/contrib/aix/README --- ssh-openbsd-2005090100/contrib/aix/README Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/aix/README Mon Aug 25 15:01:04 2003 @@ -0,0 +1,50 @@ +Overview: + +This directory contains files to build an AIX native (installp or SMIT +installable) openssh package. + + +Directions: + +(optional) create config.local in your build dir +./configure [options] +contrib/aix/buildbff.sh + +The file config.local or the environment is read to set the following options +(default first): +PERMIT_ROOT_LOGIN=[no|yes] +X11_FORWARDING=[no|yes] +AIX_SRC=[no|yes] + +Acknowledgements: + +The contents of this directory are based on Ben Lindstrom's Solaris +buildpkg.sh. Ben also supplied inventory.sh. + +Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's +and for comparison with the output from this script, however no code +from lppbuild is included and it is not required for operation. + +SRC support based on examples provided by Sandor Sklar and Maarten Kreuger. +PrivSep account handling fixes contributed by W. Earl Allen. + + +Other notes: + +The script treats all packages as USR packages (not ROOT+USR when +appropriate). It seems to work, though...... + +If there are any patches to this that have not yet been integrated they +may be found at http://www.zip.com.au/~dtucker/openssh/. + + +Disclaimer: + +It is hoped that it is useful but there is no warranty. If it breaks +you get to keep both pieces. + + + - Darren Tucker (dtucker at zip dot com dot au) + 2002/03/01 + +$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/aix/buildbff.sh openssh-4.2p1/contrib/aix/buildbff.sh --- ssh-openbsd-2005090100/contrib/aix/buildbff.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/aix/buildbff.sh Tue Mar 29 23:24:12 2005 @@ -0,0 +1,383 @@ +#!/bin/sh +# +# buildbff.sh: Create AIX SMIT-installable OpenSSH packages +# $Id: buildbff.sh,v 1.8 2005/03/29 13:24:12 dtucker Exp $ +# +# Author: Darren Tucker (dtucker at zip dot com dot au) +# This file is placed in the public domain and comes with absolutely +# no warranty. +# +# Based originally on Ben Lindstrom's buildpkg.sh for Solaris +# + +# +# Tunable configuration settings +# create a "config.local" in your build directory or set +# environment variables to override these. +# +[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no +[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no +[ -z "$AIX_SRC" ] && AIX_SRC=no + +umask 022 + +startdir=`pwd` + +# Path to inventory.sh: same place as buildbff.sh +if echo $0 | egrep '^/' +then + inventory=`dirname $0`/inventory.sh # absolute path +else + inventory=`pwd`/`dirname $0`/inventory.sh # relative path +fi + +# +# We still support running from contrib/aix, but this is deprecated +# +if pwd | egrep 'contrib/aix$' +then + echo "Changing directory to `pwd`/../.." + echo "Please run buildbff.sh from your build directory in future." + cd ../.. + contribaix=1 +fi + +if [ ! -f Makefile ] +then + echo "Makefile not found (did you run configure?)" + exit 1 +fi + +# +# Directories used during build: +# current dir = $objdir directory you ran ./configure in. +# $objdir/$PKGDIR/ directory package files are constructed in +# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT) +# +objdir=`pwd` +PKGNAME=openssh +PKGDIR=package + +# +# Collect local configuration settings to override defaults +# +if [ -s ./config.local ] +then + echo Reading local settings from config.local + . ./config.local +fi + +# +# Fill in some details from Makefile, like prefix and sysconfdir +# the eval also expands variables like sysconfdir=${prefix}/etc +# provided they are eval'ed in the correct order +# +for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir +do + eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2` +done + +# +# Collect values of privsep user and privsep path +# currently only found in config.h +# +for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h` +done + +# Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi +if [ -z "$PRIVSEP_PATH" ] +then + PRIVSEP_PATH=/var/empty +fi + +# Clean package build directory +rm -rf $objdir/$PKGDIR +FAKE_ROOT=$objdir/$PKGDIR/root +mkdir -p $FAKE_ROOT + +# Start by faking root install +echo "Faking root install..." +cd $objdir +make install-nokeys DESTDIR=$FAKE_ROOT + +if [ $? -gt 0 ] +then + echo "Fake root install failed, stopping." + exit 1 +fi + +# +# Copy informational files to include in package +# +cp $srcdir/LICENCE $objdir/$PKGDIR/ +cp $srcdir/README* $objdir/$PKGDIR/ + +# +# Extract common info requires for the 'info' part of the package. +# AIX requires 4-part version numbers +# +VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _` +MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .` +MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .` +PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .` +PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'` +[ "$PATCH" = "" ] && PATCH=0 +[ "$PORTABLE" = "" ] && PORTABLE=0 +BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE` + +echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)" + +# +# Set ssh and sshd parameters as per config.local +# +if [ "${PERMIT_ROOT_LOGIN}" = no ] +then + perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +fi +if [ "${X11_FORWARDING}" = yes ] +then + perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +fi + + +# Rename config files; postinstall script will copy them if necessary +for cfgfile in ssh_config sshd_config ssh_prng_cmds +do + mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default +done + +# +# Generate lpp control files. +# working dir is $FAKE_ROOT but files are generated in dir above +# and moved into place just before creation of .bff +# +cd $FAKE_ROOT +echo Generating LPP control files +find . ! -name . -print >../openssh.al +$inventory >../openssh.inventory + +cat <../openssh.copyright +This software is distributed under a BSD-style license. +For the full text of the license, see /usr/lpp/openssh/LICENCE +EOD + +# +# openssh.size file allows filesystem expansion as required +# generate list of directories containing files +# then calculate disk usage for each directory and store in openssh.size +# +files=`find . -type f -print` +dirs=`for file in $files; do dirname $file; done | sort -u` +for dir in $dirs +do + du $dir +done > ../openssh.size + +# +# Create postinstall script +# +cat <>../openssh.post_i +#!/bin/sh + +echo Creating configs from defaults if necessary. +for cfgfile in ssh_config sshd_config ssh_prng_cmds +do + if [ ! -f $sysconfdir/\$cfgfile ] + then + echo "Creating \$cfgfile from default" + cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile + else + echo "\$cfgfile already exists." + fi +done +echo + +# Create PrivSep user if PrivSep not disabled in config +echo Creating PrivSep prereqs if required. +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +then + echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user," + echo "group or chroot directory." +else + echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." + + # create group if required + if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep group $SSH_PRIVSEP_USER already exists." + else + echo "Creating PrivSep group $SSH_PRIVSEP_USER." + mkgroup -A $SSH_PRIVSEP_USER + fi + + # Create user if required + if lsuser "$SSH_PRIVSEP_USER" >/dev/null + then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." + else + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER + fi + + # create chroot directory if required + if [ -d $PRIVSEP_PATH ] + then + echo "PrivSep chroot directory $PRIVSEP_PATH already exists." + else + echo "Creating PrivSep chroot directory $PRIVSEP_PATH." + mkdir $PRIVSEP_PATH + chown 0 $PRIVSEP_PATH + chgrp 0 $PRIVSEP_PATH + chmod 755 $PRIVSEP_PATH + fi +fi +echo + +# Generate keys unless they already exist +echo Creating host keys if required. +if [ -f "$sysconfdir/ssh_host_key" ] ; then + echo "$sysconfdir/ssh_host_key already exists, skipping." +else + $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" +fi +if [ -f $sysconfdir/ssh_host_dsa_key ] ; then + echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." +else + $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" +fi +if [ -f $sysconfdir/ssh_host_rsa_key ] ; then + echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." +else + $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" +fi +echo + +# Set startup command depending on SRC support +if [ "$AIX_SRC" = "yes" ] +then + echo Creating SRC sshd subsystem. + rmssys -s sshd 2>&1 >/dev/null + mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip + startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\"" + oldstartcmd="$sbindir/sshd" +else + startupcmd="$sbindir/sshd" + oldstartcmd="start $sbindir/sshd \\\"$src_running\\\"" +fi + +# If migrating to or from SRC, change previous startup command +# otherwise add to rc.tcpip +if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null +then + if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new + then + chmod 0755 /etc/rc.tcpip.new + mv /etc/rc.tcpip /etc/rc.tcpip.old && \ + mv /etc/rc.tcpip.new /etc/rc.tcpip + else + echo "Updating /etc/rc.tcpip failed, please check." + fi +else + # Add to system startup if required + if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null + then + echo "sshd found in rc.tcpip, not adding." + else + echo "Adding sshd to rc.tcpip" + echo >>/etc/rc.tcpip + echo "# Start sshd" >>/etc/rc.tcpip + echo "\$startupcmd" >>/etc/rc.tcpip + fi +fi +EOF + +# +# Create liblpp.a and move control files into it +# +echo Creating liblpp.a +( + cd .. + for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README* + do + ar -r liblpp.a $i + rm $i + done +) + +# +# Create lpp_name +# +# This will end up looking something like: +# 4 R I OpenSSH { +# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX +# [ +# % +# /usr/local/bin 8073 +# /usr/local/etc 189 +# /usr/local/libexec 185 +# /usr/local/man/man1 145 +# /usr/local/man/man8 83 +# /usr/local/sbin 2105 +# /usr/local/share 3 +# % +# ] +# } + +echo Creating lpp_name +cat <../lpp_name +4 R I $PKGNAME { +$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX +[ +% +EOF + +for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh +do + # get size in 512 byte blocks + if [ -d $FAKE_ROOT/$i ] + then + size=`du $FAKE_ROOT/$i | awk '{print $1}'` + echo "$i $size" >>../lpp_name + fi +done + +echo '%' >>../lpp_name +echo ']' >>../lpp_name +echo '}' >>../lpp_name + +# +# Move pieces into place +# +mkdir -p usr/lpp/openssh +mv ../liblpp.a usr/lpp/openssh +mv ../lpp_name . + +# +# Now invoke backup to create .bff file +# note: lpp_name needs to be the first file so we generate the +# file list on the fly and feed it to backup using -i +# +echo Creating $PKGNAME-$VERSION.bff with backup... +rm -f $PKGNAME-$VERSION.bff +( + echo "./lpp_name" + find . ! -name lpp_name -a ! -name . -print +) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist + +# +# Move package into final location and clean up +# +mv ../$PKGNAME-$VERSION.bff $startdir +cd $startdir +rm -rf $objdir/$PKGDIR + +echo $0: done. + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/aix/inventory.sh openssh-4.2p1/contrib/aix/inventory.sh --- ssh-openbsd-2005090100/contrib/aix/inventory.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/aix/inventory.sh Fri Nov 21 23:48:56 2003 @@ -0,0 +1,63 @@ +#!/bin/sh +# +# inventory.sh +# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $ +# +# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl +# This file is placed into the public domain. +# +# This will produce an AIX package inventory file, which looks like: +# +# /usr/local/bin: +# class=apply,inventory,openssh +# owner=root +# group=system +# mode=755 +# type=DIRECTORY +# /usr/local/bin/slogin: +# class=apply,inventory,openssh +# owner=root +# group=system +# mode=777 +# type=SYMLINK +# target=ssh +# /usr/local/share/Ssh.bin: +# class=apply,inventory,openssh +# owner=root +# group=system +# mode=644 +# type=FILE +# size=VOLATILE +# checksum=VOLATILE + +find . ! -name . -print | perl -ne '{ + chomp; + if ( -l $_ ) { + ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat; + } else { + ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat; + } + + # Start to display inventory information + $name = $_; + $name =~ s|^.||; # Strip leading dot from path + print "$name:\n"; + print "\tclass=apply,inventory,openssh\n"; + print "\towner=root\n"; + print "\tgroup=system\n"; + printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits + + if ( -l $_ ) { + # Entry is SymLink + print "\ttype=SYMLINK\n"; + printf "\ttarget=%s\n", readlink($_); + } elsif ( -f $_ ) { + # Entry is File + print "\ttype=FILE\n"; + print "\tsize=$sz\n"; + print "\tchecksum=VOLATILE\n"; + } elsif ( -d $_ ) { + # Entry is Directory + print "\ttype=DIRECTORY\n"; + } +}' diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/aix/pam.conf openssh-4.2p1/contrib/aix/pam.conf --- ssh-openbsd-2005090100/contrib/aix/pam.conf Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/aix/pam.conf Tue May 31 16:51:07 2005 @@ -0,0 +1,20 @@ +# +# PAM configuration file /etc/pam.conf +# Example for OpenSSH on AIX 5.2 +# + +# Authentication Management +sshd auth required /usr/lib/security/pam_aix +OTHER auth required /usr/lib/security/pam_aix + +# Account Management +sshd account required /usr/lib/security/pam_aix +OTHER account required /usr/lib/security/pam_aix + +# Password Management +sshd password required /usr/lib/security/pam_aix +OTHER password required /usr/lib/security/pam_aix + +# Session Management +sshd session required /usr/lib/security/pam_aix +OTHER session required /usr/lib/security/pam_aix diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/caldera/openssh.spec openssh-4.2p1/contrib/caldera/openssh.spec --- ssh-openbsd-2005090100/contrib/caldera/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/caldera/openssh.spec Thu Sep 1 19:10:49 2005 @@ -0,0 +1,360 @@ + +# Some of this will need re-evaluation post-LSB. The SVIdir is there +# because the link appeared broken. The rest is for easy compilation, +# the tradeoff open to discussion. (LC957) + +%define SVIdir /etc/rc.d/init.d +%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages} +%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons} + +%define _mandir %{_prefix}/share/man/en +%define _sysconfdir /etc/ssh +%define _libexecdir %{_libdir}/ssh + +# Do we want to disable root_login? (1=yes 0=no) +%define no_root_login 0 + +#old cvs stuff. please update before use. may be deprecated. +%define use_stable 1 +%if %{use_stable} + %define version 4.2p1 + %define cvs %{nil} + %define release 1 +%else + %define version 4.1p1 + %define cvs cvs20050315 + %define release 0r1 +%endif +%define xsa x11-ssh-askpass +%define askpass %{xsa}-1.2.4.1 + +# OpenSSH privilege separation requires a user & group ID +%define sshd_uid 67 +%define sshd_gid 67 + +Name : openssh +Version : %{version}%{cvs} +Release : %{release} +Group : System/Network + +Summary : OpenSSH free Secure Shell (SSH) implementation. +Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH). +Summary(es) : OpenSSH implementación libre de Secure Shell (SSH). +Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH). +Summary(it) : Implementazione gratuita OpenSSH della Secure Shell. +Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH). +Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH). + +Copyright : BSD +Packager : Raymund Will +URL : http://www.openssh.com/ + +Obsoletes : ssh, ssh-clients, openssh-clients + +BuildRoot : /tmp/%{name}-%{version} +BuildRequires : XFree86-imake + +# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable +# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs +Source0: see-above:/.../openssh-%{version}.tar.gz +%if %{use_stable} +Source1: see-above:/.../openssh-%{version}.tar.gz.sig +%endif +Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz +Source3: http://www.openssh.com/faq.html + +%Package server +Group : System/Network +Requires : openssh = %{version} +Obsoletes : ssh-server + +Summary : OpenSSH Secure Shell protocol server (sshd). +Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd). +Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd). +Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd). +Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd). +Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd). +Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd). + + +%Package askpass +Group : System/Network +Requires : openssh = %{version} +URL : http://www.jmknoble.net/software/x11-ssh-askpass/ +Obsoletes : ssh-extras + +Summary : OpenSSH X11 pass-phrase dialog. +Summary(de) : OpenSSH X11 Passwort-Dialog. +Summary(es) : Aplicación de petición de frase clave OpenSSH X11. +Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH. +Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH. +Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH. +Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH. + + +%Description +OpenSSH (Secure Shell) provides access to a remote system. It replaces +telnet, rlogin, rexec, and rsh, and provides secure encrypted +communications between two untrusted hosts over an insecure network. +X11 connections and arbitrary TCP/IP ports can also be forwarded over +the secure channel. + +%Description -l de +OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt +telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte +Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres +Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso +über den sicheren Channel weitergeleitet werden. + +%Description -l es +OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a +telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas +entre dos equipos entre los que no se ha establecido confianza a través de una +red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden +ser canalizadas sobre el canal seguro. + +%Description -l fr +OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace +telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées +securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des +connexions X11 et des ports TCP/IP arbitraires peuvent également être +transmis sur le canal sécurisé. + +%Description -l it +OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto. +Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure +e crittate tra due host non fidati su una rete non sicura. Le connessioni +X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso +un canale sicuro. + +%Description -l pt +OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o +telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas +entre duas máquinas sem confiança mútua sobre uma rede insegura. +Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados +pelo canal seguro. + +%Description -l pt_BR +O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o +telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas +entre duas máquinas sem confiança mútua sobre uma rede insegura. +Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas +pelo canal seguro. + +%Description server +This package installs the sshd, the server portion of OpenSSH. + +%Description -l de server +Dieses Paket installiert den sshd, den Server-Teil der OpenSSH. + +%Description -l es server +Este paquete instala sshd, la parte servidor de OpenSSH. + +%Description -l fr server +Ce paquetage installe le 'sshd', partie serveur de OpenSSH. + +%Description -l it server +Questo pacchetto installa sshd, il server di OpenSSH. + +%Description -l pt server +Este pacote intala o sshd, o servidor do OpenSSH. + +%Description -l pt_BR server +Este pacote intala o sshd, o servidor do OpenSSH. + +%Description askpass +This package contains an X11-based pass-phrase dialog used per +default by ssh-add(1). It is based on %{askpass} +by Jim Knoble . + + +%Prep +%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2 +%if ! %{use_stable} + autoreconf +%endif + + +%Build +CFLAGS="$RPM_OPT_FLAGS" \ +%configure \ + --with-pam \ + --with-tcp-wrappers \ + --with-privsep-path=%{_var}/empty/sshd \ + #leave this line for easy edits. + +%__make CFLAGS="$RPM_OPT_FLAGS" + +cd %{askpass} +%configure \ + #leave this line for easy edits. + +xmkmf +%__make includes +%__make + + +%Install +[ %{buildroot} != "/" ] && rm -rf %{buildroot} + +make install DESTDIR=%{buildroot} +%makeinstall -C %{askpass} \ + BINDIR=%{_libexecdir} \ + MANPATH=%{_mandir} \ + DESTDIR=%{buildroot} + +# OpenLinux specific configuration +mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}} +mkdir -p %{buildroot}%{_var}/empty/sshd + +# enabling X11 forwarding on the server is convenient and okay, +# on the client side it's a potential security risk! +%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \ + %{buildroot}%{_sysconfdir}/sshd_config + +%if %{no_root_login} +%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \ + %{buildroot}%{_sysconfdir}/sshd_config +%endif + +install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd +# FIXME: disabled, find out why this doesn't work with nis +%__perl -pi -e 's:(.*pam_limits.*):#$1:' \ + %{buildroot}/etc/pam.d/sshd + +install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd + +# the last one is needless, but more future-proof +find %{buildroot}%{SVIdir} -type f -exec \ + %__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\ + s:\@sysconfdir\@:%{_sysconfdir}:g; \ + s:/usr/sbin:%{_sbindir}:g'\ + \{\} \; + +cat <<-EoD > %{buildroot}%{SVIcdir}/sshd + IDENT=sshd + DESCRIPTIVE="OpenSSH secure shell daemon" + # This service will be marked as 'skipped' on boot if there + # is no host key. Use ssh-host-keygen to generate one + ONBOOT="yes" + OPTIONS="" +EoD + +SKG=%{buildroot}%{_sbindir}/ssh-host-keygen +install -m 0755 contrib/caldera/ssh-host-keygen $SKG +# Fix up some path names in the keygen toy^Hol + %__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \ + s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \ + %{buildroot}%{_sbindir}/ssh-host-keygen + +# This looks terrible. Expect it to change. +# install remaining docs +DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}" +mkdir -p $DocD/%{askpass} +cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD +install -p -m 0444 %{SOURCE3} $DocD/faq.html +cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass} +%if %{use_stable} + cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1 +%else + cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1 + ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1 +%endif + +find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf +rm %{buildroot}%{_mandir}/man1/slogin.1 && \ + ln -s %{_mandir}/man1/ssh.1.gz \ + %{buildroot}%{_mandir}/man1/slogin.1.gz + + +%Clean +#%{rmDESTDIR} +[ %{buildroot} != "/" ] && rm -rf %{buildroot} + +%Post +# Generate host key when none is present to get up and running, +# both client and server require this for host-based auth! +# ssh-host-keygen checks for existing keys. +/usr/sbin/ssh-host-keygen +: # to protect the rpm database + +%pre server +%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || : +%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \ + -c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || : +: # to protect the rpm database + +%Post server +if [ -x %{LSBinit}-install ]; then + %{LSBinit}-install sshd +else + lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6 +fi + +! %{SVIdir}/sshd status || %{SVIdir}/sshd restart +: # to protect the rpm database + + +%PreUn server +[ "$1" = 0 ] || exit 0 +! %{SVIdir}/sshd status || %{SVIdir}/sshd stop +if [ -x %{LSBinit}-remove ]; then + %{LSBinit}-remove sshd +else + lisa --SysV-init remove sshd $1 +fi +: # to protect the rpm database + +%Files +%defattr(-,root,root) +%dir %{_sysconfdir} +%config %{_sysconfdir}/ssh_config +%{_bindir}/scp +%{_bindir}/sftp +%{_bindir}/ssh +%{_bindir}/slogin +%{_bindir}/ssh-add +%attr(2755,root,nobody) %{_bindir}/ssh-agent +%{_bindir}/ssh-keygen +%{_bindir}/ssh-keyscan +%dir %{_libexecdir} +%attr(4711,root,root) %{_libexecdir}/ssh-keysign +%{_sbindir}/ssh-host-keygen +%dir %{_defaultdocdir}/%{name}-%{version} +%{_defaultdocdir}/%{name}-%{version}/CREDITS +%{_defaultdocdir}/%{name}-%{version}/ChangeLog +%{_defaultdocdir}/%{name}-%{version}/LICENCE +%{_defaultdocdir}/%{name}-%{version}/OVERVIEW +%{_defaultdocdir}/%{name}-%{version}/README* +%{_defaultdocdir}/%{name}-%{version}/TODO +%{_defaultdocdir}/%{name}-%{version}/faq.html +%{_mandir}/man1/* +%{_mandir}/man8/ssh-keysign.8.gz +%{_mandir}/man5/ssh_config.5.gz + +%Files server +%defattr(-,root,root) +%dir %{_var}/empty/sshd +%config %{SVIdir}/sshd +%config /etc/pam.d/sshd +%config %{_sysconfdir}/moduli +%config %{_sysconfdir}/sshd_config +%config %{SVIcdir}/sshd +%{_libexecdir}/sftp-server +%{_sbindir}/sshd +%{_mandir}/man5/sshd_config.5.gz +%{_mandir}/man8/sftp-server.8.gz +%{_mandir}/man8/sshd.8.gz + +%Files askpass +%defattr(-,root,root) +%{_libexecdir}/ssh-askpass +%{_libexecdir}/x11-ssh-askpass +%{_defaultdocdir}/%{name}-%{version}/%{askpass} + + +%ChangeLog +* Mon Jan 01 1998 ... +Template Version: 1.31 + +$Id: openssh.spec,v 1.55 2005/09/01 09:10:49 djm Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/caldera/ssh-host-keygen openssh-4.2p1/contrib/caldera/ssh-host-keygen --- ssh-openbsd-2005090100/contrib/caldera/ssh-host-keygen Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/caldera/ssh-host-keygen Fri Nov 21 23:48:57 2003 @@ -0,0 +1,36 @@ +#! /bin/sh +# +# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $ +# +# This script is normally run only *once* for a given host +# (in a given period of time) -- on updates/upgrades/recovery +# the ssh_host_key* files _should_ be retained! Otherwise false +# "man-in-the-middle-attack" alerts will frighten unsuspecting +# clients... + +keydir=@sysconfdir@ +keygen=@sshkeygen@ + +if [ -f $keydir/ssh_host_key -o \ + -f $keydir/ssh_host_key.pub ]; then + echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key." +else + echo "Generating 1024 bit SSH1 RSA host key." + $keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N '' +fi + +if [ -f $keydir/ssh_host_rsa_key -o \ + -f $keydir/ssh_host_rsa_key.pub ]; then + echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key." +else + echo "Generating 1024 bit SSH2 RSA host key." + $keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N '' +fi + +if [ -f $keydir/ssh_host_dsa_key -o \ + -f $keydir/ssh_host_dsa_key.pub ]; then + echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key." +else + echo "Generating SSH2 DSA host key." + $keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N '' +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/caldera/sshd.init openssh-4.2p1/contrib/caldera/sshd.init --- ssh-openbsd-2005090100/contrib/caldera/sshd.init Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/caldera/sshd.init Fri Nov 21 23:48:57 2003 @@ -0,0 +1,125 @@ +#! /bin/bash +# +# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $ +# +### BEGIN INIT INFO +# Provides: +# Required-Start: $network +# Required-Stop: +# Default-Start: 3 4 5 +# Default-Stop: 0 1 2 6 +# Description: sshd +# Bring up/down the OpenSSH secure shell daemon. +### END INIT INFO +# +# Written by Miquel van Smoorenburg . +# Modified for Debian GNU/Linux by Ian Murdock . +# Modified for OpenLinux by Raymund Will + +NAME=sshd +DAEMON=/usr/sbin/$NAME +# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem +# created by recent OpenSSH daemon/ssd combinations. See Caldera internal +# PR [linux/8278] for details... +PIDF=/var/run/$NAME.pid +NAME=$DAEMON + +_status() { + [ -z "$1" ] || local pidf="$1" + local ret=-1 + local pid + if [ -n "$pidf" ] && [ -r "$pidf" ]; then + pid=$(head -1 $pidf) + else + pid=$(pidof $NAME) + fi + + if [ ! -e $SVIlock ]; then + # no lock-file => not started == stopped? + ret=3 + elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then + # pid-file given but not present or no pid => died, but was not stopped + ret=2 + elif [ -r /proc/$pid/cmdline ] && + echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then + # pid-file given and present or pid found => check process... + # but don't compare exe, as this will fail after an update! + # compares OK => all's well, that ends well... + ret=0 + else + # no such process or exe does not match => stale pid-file or process died + # just recently... + ret=1 + fi + return $ret +} + +# Source function library (and set vital variables). +. @SVIdir@/functions + +case "$1" in + start) + [ ! -e $SVIlock ] || exit 0 + [ -x $DAEMON ] || exit 5 + SVIemptyConfig @sysconfdir@/sshd_config && exit 6 + + if [ ! \( -f @sysconfdir@/ssh_host_key -a \ + -f @sysconfdir@/ssh_host_key.pub \) -a \ + ! \( -f @sysconfdir@/ssh_host_rsa_key -a \ + -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ + ! \( -f @sysconfdir@/ssh_host_dsa_key -a \ + -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then + + echo "$SVIsubsys: host key not initialized: skipped!" + echo "$SVIsubsys: use ssh-host-keygen to generate one!" + exit 6 + fi + + echo -n "Starting $SVIsubsys services: " + ssd -S -x $DAEMON -n $NAME -- $OPTIONS + ret=$? + + echo "." + touch $SVIlock + ;; + + stop) + [ -e $SVIlock ] || exit 0 + + echo -n "Stopping $SVIsubsys services: " + ssd -K -p $PIDF -n $NAME + ret=$? + + echo "." + rm -f $SVIlock + ;; + + force-reload|reload) + [ -e $SVIlock ] || exit 0 + + echo "Reloading $SVIsubsys configuration files: " + ssd -K --signal 1 -q -p $PIDF -n $NAME + ret=$? + echo "done." + ;; + + restart) + $0 stop + $0 start + ret=$? + ;; + + status) + _status $PIDF + ret=$? + ;; + + *) + echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}" + ret=2 + ;; + +esac + +exit $ret + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/caldera/sshd.pam openssh-4.2p1/contrib/caldera/sshd.pam --- ssh-openbsd-2005090100/contrib/caldera/sshd.pam Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/caldera/sshd.pam Fri Jan 5 09:54:51 2001 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/cygwin/Makefile openssh-4.2p1/contrib/cygwin/Makefile --- ssh-openbsd-2005090100/contrib/cygwin/Makefile Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/cygwin/Makefile Thu Nov 13 11:28:49 2003 @@ -0,0 +1,56 @@ +srcdir=../.. +prefix=/usr +exec_prefix=$(prefix) +bindir=$(prefix)/bin +datadir=$(prefix)/share +docdir=$(datadir)/doc +sshdocdir=$(docdir)/openssh +cygdocdir=$(docdir)/Cygwin +sysconfdir=/etc +defaultsdir=$(sysconfdir)/defaults/etc +PRIVSEP_PATH=/var/empty +INSTALL=/usr/bin/install -c + +DESTDIR= + +all: + @echo + @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'" + @echo "Be sure having DESTDIR set correctly!" + @echo + +move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config + $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir) + +remove-empty-dir: + rm -rf $(DESTDIR)$(PRIVSEP_PATH) + +install-sshdoc: + $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir) + $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS + $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog + $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE + $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW + $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README + $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns + $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep + $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard + $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff + $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO + $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG + +install-cygwindoc: README + $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir) + $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README + +install-doc: install-sshdoc install-cygwindoc + +install-scripts: ssh-host-config ssh-user-config + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config + $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config + +cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts + @echo "Cygwin specific configuration finished." diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/cygwin/README openssh-4.2p1/contrib/cygwin/README --- ssh-openbsd-2005090100/contrib/cygwin/README Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/cygwin/README Sat Mar 5 11:20:40 2005 @@ -0,0 +1,233 @@ +This package describes important Cygwin specific stuff concerning OpenSSH. + +The binary package is usually built for recent Cygwin versions and might +not run on older versions. Please check http://cygwin.com/ for information +about current Cygwin releases. + +Build instructions are at the end of the file. + +=========================================================================== +Important change since 3.7.1p2-2: + +The ssh-host-config file doesn't create the /etc/ssh_config and +/etc/sshd_config files from builtin here-scripts anymore, but it uses +skeleton files installed in /etc/defaults/etc. + +Also it now tries hard to create appropriate permissions on files. +Same applies for ssh-user-config. + +After creating the sshd service with ssh-host-config, it's advisable to +call ssh-user-config for all affected users, also already exising user +configurations. In the latter case, file and directory permissions are +checked and changed, if requireed to match the host configuration. + +Important note for Windows 2003 Server users: +--------------------------------------------- + +2003 Server has a funny new feature. When starting services under SYSTEM +account, these services have nearly all user rights which SYSTEM holds... +except for the "Create a token object" right, which is needed to allow +public key authentication :-( + +There's no way around this, except for creating a substitute account which +has the appropriate privileges. Basically, this account should be member +of the administrators group, plus it should have the following user rights: + + Create a token object + Logon as a service + Replace a process level token + Increase Quota + +The ssh-host-config script asks you, if it should create such an account, +called "sshd_server". If you say "no" here, you're on your own. Please +follow the instruction in ssh-host-config exactly if possible. Note that +ssh-user-config sets the permissions on 2003 Server machines dependent of +whether a sshd_server account exists or not. +=========================================================================== + +=========================================================================== +Important change since 3.4p1-2: + +This version adds privilege separation as default setting, see +/usr/doc/openssh/README.privsep. According to that document the +privsep feature requires a non-privileged account called 'sshd'. + +The new ssh-host-config file which is part of this version asks +to create 'sshd' as local user if you want to use privilege +separation. If you confirm, it creates that NT user and adds +the necessary entry to /etc/passwd. + +On 9x/Me systems the script just sets UsePrivilegeSeparation to "no" +since that feature doesn't make any sense on a system which doesn't +differ between privileged and unprivileged users. + +The new ssh-host-config script also adds the /var/empty directory +needed by privilege separation. When creating the /var/empty directory +by yourself, please note that in contrast to the README.privsep document +the owner sshould not be "root" but the user which is running sshd. So, +in the standard configuration this is SYSTEM. The ssh-host-config script +chowns /var/empty accordingly. +=========================================================================== + +=========================================================================== +Important change since 3.0.1p1-2: + +This version introduces the ability to register sshd as service on +Windows 9x/Me systems. This is done only when the options -D and/or +-d are not given. +=========================================================================== + +=========================================================================== +Important change since 2.9p2: + +Since Cygwin is able to switch user context without password beginning +with version 1.3.2, OpenSSH now allows to do so when it's running under +a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to +allow that feature. +=========================================================================== + +=========================================================================== +Important change since 2.3.0p1: + +When using `ntea' or `ntsec' you now have to care for the ownership +and permission bits of your host key files and your private key files. +The host key files have to be owned by the NT account which starts +sshd. The user key files have to be owned by the user. The permission +bits of the private key files (host and user) have to be at least +rw------- (0600)! + +Note that this is forced under `ntsec' only if the files are on a NTFS +filesystem (which is recommended) due to the lack of any basic security +features of the FAT/FAT32 filesystems. +=========================================================================== + +If you are installing OpenSSH the first time, you can generate global config +files and server keys by running + + /usr/bin/ssh-host-config + +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-host-config is started. + +If you are updating your installation you may run the above ssh-host-config +as well to move your configuration files to the new location and to +erase the files at the old location. + +To support testing and unattended installation ssh-host-config got +some options: + +usage: ssh-host-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --cygwin -c Use "options" as value for CYGWIN environment var. + --port -p sshd listens on port n. + --pwd -w Use "pwd" as password for user 'sshd_server'. + +Additionally ssh-host-config now asks if it should install sshd as a +service when running under NT/W2K. This requires cygrunsrv installed. + +You can create the private and public keys for a user now by running + + /usr/bin/ssh-user-config + +under the users account. + +To support testing and unattended installation ssh-user-config got +some options as well: + +usage: ssh-user-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --passphrase -p word Use "word" as passphrase automatically. + +Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd +(results in very slow deamon startup!) or from the command line (recommended +on 9X/ME). + +If you start sshd as deamon via cygrunsrv.exe you MUST give the +"-D" option to sshd. Otherwise the service can't get started at all. + +If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the +following line to your inetd.conf file: + +ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i + +Moreover you'll have to add the following line to your +${SYSTEMROOT}/system32/drivers/etc/services file: + + ssh 22/tcp #SSH daemon + +Please note that OpenSSH does never use the value of $HOME to +search for the users configuration files! It always uses the +value of the pw_dir field in /etc/passwd as the home directory. +If no home diretory is set in /etc/passwd, the root directory +is used instead! + +You may use all features of the CYGWIN=ntsec setting the same +way as they are used by Cygwin's login(1) port: + + The pw_gecos field may contain an additional field, that begins + with (upper case!) "U-", followed by the domain and the username + separated by a backslash. + CAUTION: The SID _must_ remain the _last_ field in pw_gecos! + BTW: The field separator in pw_gecos is the comma. + The username in pw_name itself may be any nice name: + + domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... + + Now you may use `domuser' as your login name with telnet! + This is possible additionally for local users, if you don't like + your NT login name ;-) You only have to leave out the domain: + + locuser::1104:513:John Doe,U-user,S-1-5-21-... + +Note that the CYGWIN=ntsec setting is required for public key authentication. + +SSH2 server and user keys are generated by the `ssh-*-config' scripts +as well. + +If you want to build from source, the following options to +configure are used for the Cygwin binary distribution: + + --prefix=/usr \ + --sysconfdir=/etc \ + --libexecdir='${sbindir}' \ + --localstatedir=/var \ + --datadir='${prefix}/share' \ + --mandir='${datadir}/man' \ + --infodir='${datadir}/info' + --with-tcp-wrappers + +If you want to create a Cygwin package, equivalent to the one +in the Cygwin binary distribution, install like this: + + mkdir /tmp/cygwin-ssh + cd ${builddir} + make install DESTDIR=/tmp/cygwin-ssh + cd ${srcdir}/contrib/cygwin + make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh + cd /tmp/cygwin-ssh + find * \! -type d | tar cvjfT my-openssh.tar.bz2 - + +You must have installed the following packages to be able to build OpenSSH: + +- zlib +- openssl-devel +- minires-devel + +If you want to build with --with-tcp-wrappers, you also need the package + +- tcp_wrappers + +Please send requests, error reports etc. to cygwin@cygwin.com. + + +Have fun, + +Corinna Vinschen +Cygwin Developer +Red Hat Inc. diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/cygwin/ssh-host-config openssh-4.2p1/contrib/cygwin/ssh-host-config --- ssh-openbsd-2005090100/contrib/cygwin/ssh-host-config Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/cygwin/ssh-host-config Mon May 9 23:48:17 2005 @@ -0,0 +1,600 @@ +#!/bin/bash +# +# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc +LOCALSTATEDIR=/var + +progname=$0 +auto_answer="" +port_number=22 + +privsep_configured=no +privsep_used=yes +sshd_in_passwd=no +sshd_in_sam=no + +request() +{ + if [ "${auto_answer}" = "yes" ] + then + echo "$1 (yes/no) yes" + return 0 + elif [ "${auto_answer}" = "no" ] + then + echo "$1 (yes/no) no" + return 1 + fi + + answer="" + while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] + do + echo -n "$1 (yes/no) " + read -e answer + done + if [ "X${answer}" = "Xyes" ] + then + return 0 + else + return 1 + fi +} + +# Check options + +while : +do + case $# in + 0) + break + ;; + esac + + option=$1 + shift + + case "${option}" in + -d | --debug ) + set -x + ;; + + -y | --yes ) + auto_answer=yes + ;; + + -n | --no ) + auto_answer=no + ;; + + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + + -p | --port ) + port_number=$1 + shift + ;; + + -w | --pwd ) + password_value="$1" + shift + ;; + + *) + echo "usage: ${progname} [OPTION]..." + echo + echo "This script creates an OpenSSH host configuration." + echo + echo "Options:" + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --port -p sshd listens on port n." + echo " --pwd -w Use \"pwd\" as password for user 'sshd_server'." + echo + exit 1 + ;; + + esac +done + +# Check if running on NT +_sys="`uname`" +_nt=`expr "${_sys}" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ ${_nt} -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi + +# Check for running ssh/sshd processes first. Refuse to do anything while +# some ssh processes are still running + +if ps -ef | grep -v grep | grep -q ssh +then + echo + echo "There are still ssh processes running. Please shut them down first." + echo + exit 1 +fi + +# Check for ${SYSCONFDIR} directory + +if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] +then + echo + echo "${SYSCONFDIR} is existant but not a directory." + echo "Cannot create global configuration files." + echo + exit 1 +fi + +# Create it if necessary + +if [ ! -e "${SYSCONFDIR}" ] +then + mkdir "${SYSCONFDIR}" + if [ ! -e "${SYSCONFDIR}" ] + then + echo + echo "Creating ${SYSCONFDIR} directory failed" + echo + exit 1 + fi +fi + +# Create /var/log and /var/log/lastlog if not already existing + +if [ -f ${LOCALSTATEDIR}/log ] +then + echo "Creating ${LOCALSTATEDIR}/log failed!" +else + if [ ! -d ${LOCALSTATEDIR}/log ] + then + mkdir -p ${LOCALSTATEDIR}/log + fi + if [ -d ${LOCALSTATEDIR}/log/lastlog ] + then + chmod 777 ${LOCALSTATEDIR}/log/lastlog + elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] + then + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 666 ${LOCALSTATEDIR}/log/lastlog + fi +fi + +# Create /var/empty file used as chroot jail for privilege separation +if [ -f ${LOCALSTATEDIR}/empty ] +then + echo "Creating ${LOCALSTATEDIR}/empty failed!" +else + mkdir -p ${LOCALSTATEDIR}/empty + if [ ${_nt} -gt 0 ] + then + chmod 755 ${LOCALSTATEDIR}/empty + fi +fi + +# First generate host keys if not already existing + +if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_key" + ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null +fi + +if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" + ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null +fi + +if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" + ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null +fi + +# Check if ssh_config exists. If yes, ask for overwriting + +if [ -f "${SYSCONFDIR}/ssh_config" ] +then + if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" + then + rm -f "${SYSCONFDIR}/ssh_config" + if [ -f "${SYSCONFDIR}/ssh_config" ] + then + echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." + fi + fi +fi + +# Create default ssh_config from skeleton file in /etc/defaults/etc + +if [ ! -f "${SYSCONFDIR}/ssh_config" ] +then + echo "Generating ${SYSCONFDIR}/ssh_config file" + cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config + if [ "${port_number}" != "22" ] + then + echo "Host localhost" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config + fi +fi + +# Check if sshd_config exists. If yes, ask for overwriting + +if [ -f "${SYSCONFDIR}/sshd_config" ] +then + if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" + then + rm -f "${SYSCONFDIR}/sshd_config" + if [ -f "${SYSCONFDIR}/sshd_config" ] + then + echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." + fi + else + grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes + fi +fi + +# Prior to creating or modifying sshd_config, care for privilege separation + +if [ "${privsep_configured}" != "yes" ] +then + if [ ${_nt} -gt 0 ] + then + echo "Privilege separation is set to yes by default since OpenSSH 3.3." + echo "However, this requires a non-privileged account called 'sshd'." + echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." + echo + if request "Should privilege separation be used?" + then + privsep_used=yes + grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes + net user sshd >/dev/null 2>&1 && sshd_in_sam=yes + if [ "${sshd_in_passwd}" != "yes" ] + then + if [ "${sshd_in_sam}" != "yes" ] + then + echo "Warning: The following function requires administrator privileges!" + if request "Should this script create a local user 'sshd' on this machine?" + then + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes + if [ "${sshd_in_sam}" != "yes" ] + then + echo "Warning: Creating the user 'sshd' failed!" + fi + fi + fi + if [ "${sshd_in_sam}" != "yes" ] + then + echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" + echo " Privilege separation set to 'no' again!" + echo " Check your ${SYSCONFDIR}/sshd_config file!" + privsep_used=no + else + mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd + fi + fi + else + privsep_used=no + fi + else + # On 9x don't use privilege separation. Since security isn't + # available it just adds useless additional processes. + privsep_used=no + fi +fi + +# Create default sshd_config from skeleton files in /etc/defaults/etc or +# modify to add the missing privsep configuration option + +if [ ! -f "${SYSCONFDIR}/sshd_config" ] +then + echo "Generating ${SYSCONFDIR}/sshd_config file" + sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + s/^#Port 22/Port ${port_number}/ + s/^#StrictModes yes/StrictModes no/" \ + < ${SYSCONFDIR}/defaults/etc/sshd_config \ + > ${SYSCONFDIR}/sshd_config +elif [ "${privsep_configured}" != "yes" ] +then + echo >> ${SYSCONFDIR}/sshd_config + echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config +fi + +# Care for services file +_my_etcdir="/ssh-host-config.$$" +if [ ${_nt} -gt 0 ] +then + _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" + _services="${_my_etcdir}/services" + # On NT, 27 spaces, no space after the hash + _spaces=" #" +else + _win_etcdir="${WINDIR}" + _services="${_my_etcdir}/SERVICES" + # On 9x, 18 spaces (95 is very touchy), a space after the hash + _spaces=" # " +fi +_serv_tmp="${_my_etcdir}/srv.out.$$" + +mount -t -f "${_win_etcdir}" "${_my_etcdir}" + +# Depends on the above mount +_wservices=`cygpath -w "${_services}"` + +# Remove sshd 22/port from services +if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] +then + grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" + if [ -f "${_serv_tmp}" ] + then + if mv "${_serv_tmp}" "${_services}" + then + echo "Removing sshd from ${_wservices}" + else + echo "Removing sshd from ${_wservices} failed!" + fi + rm -f "${_serv_tmp}" + else + echo "Removing sshd from ${_wservices} failed!" + fi +fi + +# Add ssh 22/tcp and ssh 22/udp to services +if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] +then + if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" + then + if mv "${_serv_tmp}" "${_services}" + then + echo "Added ssh to ${_wservices}" + else + echo "Adding ssh to ${_wservices} failed!" + fi + rm -f "${_serv_tmp}" + else + echo "WARNING: Adding ssh to ${_wservices} failed!" + fi +fi + +umount "${_my_etcdir}" + +# Care for inetd.conf file +_inetcnf="${SYSCONFDIR}/inetd.conf" +_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" + +if [ -f "${_inetcnf}" ] +then + # Check if ssh service is already in use as sshd + with_comment=1 + grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 + # Remove sshd line from inetd.conf + if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + then + grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then + echo "Removed sshd from ${_inetcnf}" + else + echo "Removing sshd from ${_inetcnf} failed!" + fi + rm -f "${_inetcnf_tmp}" + else + echo "Removing sshd from ${_inetcnf} failed!" + fi + fi + + # Add ssh line to inetd.conf + if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] + then + if [ "${with_comment}" -eq 0 ] + then + echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + else + echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + fi + echo "Added ssh to ${_inetcnf}" + fi +fi + +# On NT ask if sshd should be installed as service +if [ ${_nt} -gt 0 ] +then + # But only if it is not already installed + if ! cygrunsrv -Q sshd > /dev/null 2>&1 + then + echo + echo + echo "Warning: The following functions require administrator privileges!" + echo + echo "Do you want to install sshd as service?" + if request "(Say \"no\" if it's already installed as service)" + then + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes + if [ "${sshd_server_in_passwd}" = "yes" ] + then + # Drop sshd_server from passwd since it could have wrong settings + grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ + rm -f ${SYSCONFDIR}/passwd + mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd + chmod g-w,o-w ${SYSCONFDIR}/passwd + fi + net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo + echo "You appear to be running Windows 2003 Server or later. On 2003 and" + echo "later systems, it's not possible to use the LocalSystem account" + echo "if sshd should allow passwordless logon (e. g. public key authentication)." + echo "If you want to enable that functionality, it's required to create a new" + echo "account 'sshd_server' with special privileges, which is then used to run" + echo "the sshd service under." + echo + echo "Should this script create a new local account 'sshd_server' which has" + if request "the required privileges?" + then + _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ` + if [ -z "${_admingroup}" ] + then + echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)." + exit 1 + fi + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + while [ "${sshd_server_in_sam}" != "yes" ] + do + if [ -n "${password_value}" ] + then + _password="${password_value}" + # Allow to ask for password if first try fails + password_value="" + else + echo + echo "Please enter a password for new user 'sshd_server'. Please be sure that" + echo "this password matches the password rules given on your system." + echo -n "Entering no password will exit the configuration. PASSWORD=" + read -e _password + if [ -z "${_password}" ] + then + echo + echo "Exiting configuration. No user sshd_server has been created," + echo "no sshd service installed." + exit 1 + fi + fi + net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo "Creating the user 'sshd_server' failed! Reason:" + cat /tmp/nu.$$ + rm /tmp/nu.$$ + fi + done + net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes + if [ "${sshd_server_in_admingroup}" != "yes" ] + then + echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" + echo "Please add sshd_server to local group ${_admingroup} before" + echo "starting the sshd service!" + echo + fi + passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` + if [ "${passwd_has_expiry_flags}" != "yes" ] + then + echo + echo "WARNING: User sshd_server has password expiry set to system default." + echo "Please check that password never expires or set it to your needs." + elif ! passwd -e sshd_server + then + echo + echo "WARNING: Setting password expiry for user sshd_server failed!" + echo "Please check that password never expires or set it to your needs." + fi + editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && + editrights -a SeCreateTokenPrivilege -u sshd_server && + editrights -a SeDenyInteractiveLogonRight -u sshd_server && + editrights -a SeDenyNetworkLogonRight -u sshd_server && + editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && + editrights -a SeIncreaseQuotaPrivilege -u sshd_server && + editrights -a SeServiceLogonRight -u sshd_server && + sshd_server_got_all_rights="yes" + if [ "${sshd_server_got_all_rights}" != "yes" ] + then + echo + echo "Assigning the appropriate privileges to user 'sshd_server' failed!" + echo "Can't create sshd service!" + exit 1 + fi + echo + echo "User 'sshd_server' has been created with password '${_password}'." + echo "If you change the password, please keep in mind to change the password" + echo "for the sshd service, too." + echo + echo "Also keep in mind that the user sshd_server needs read permissions on all" + echo "users' .ssh/authorized_keys file to allow public key authentication for" + echo "these users!. (Re-)running ssh-user-config for each user will set the" + echo "required permissions correctly." + echo + fi + fi + if [ "${sshd_server_in_sam}" = "yes" ] + then + mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd + fi + fi + if [ -n "${cygwin_value}" ] + then + _cygwin="${cygwin_value}" + else + echo + echo "Which value should the environment variable CYGWIN have when" + echo "sshd starts? It's recommended to set at least \"ntsec\" to be" + echo "able to change user context without password." + echo -n "Default is \"ntsec\". CYGWIN=" + read -e _cygwin + fi + [ -z "${_cygwin}" ] && _cygwin="ntsec" + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under sshd_server account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + else + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under LocalSystem account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + fi + fi + # Now check if sshd has been successfully installed. This allows to + # set the ownership of the affected files correctly. + if cygrunsrv -Q sshd > /dev/null 2>&1 + then + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + _user="sshd_server" + else + _user="system" + fi + chown "${_user}" ${SYSCONFDIR}/ssh* + chown "${_user}".544 ${LOCALSTATEDIR}/empty + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log + fi + fi + if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' ) + then + echo + echo "Warning: It appears that you have user mode mounts (\"Just me\"" + echo "chosen during install.) Any daemons installed as services will" + echo "fail to function unless system mounts are used. To change this," + echo "re-run setup.exe and choose \"All users\"." + echo + echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33" + fi + fi +fi + +echo +echo "Host configuration finished. Have fun!" diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/cygwin/ssh-user-config openssh-4.2p1/contrib/cygwin/ssh-user-config --- ssh-openbsd-2005090100/contrib/cygwin/ssh-user-config Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/cygwin/ssh-user-config Thu Nov 13 11:28:49 2003 @@ -0,0 +1,250 @@ +#!/bin/sh +# +# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. + +# Directory where the config files are stored +SYSCONFDIR=/etc + +progname=$0 +auto_answer="" +auto_passphrase="no" +passphrase="" + +request() +{ + if [ "${auto_answer}" = "yes" ] + then + return 0 + elif [ "${auto_answer}" = "no" ] + then + return 1 + fi + + answer="" + while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] + do + echo -n "$1 (yes/no) " + read answer + done + if [ "X${answer}" = "Xyes" ] + then + return 0 + else + return 1 + fi +} + +# Check if running on NT +_sys="`uname -a`" +_nt=`expr "$_sys" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ $_nt -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi + +# Check options + +while : +do + case $# in + 0) + break + ;; + esac + + option=$1 + shift + + case "$option" in + -d | --debug ) + set -x + ;; + + -y | --yes ) + auto_answer=yes + ;; + + -n | --no ) + auto_answer=no + ;; + + -p | --passphrase ) + with_passphrase="yes" + passphrase=$1 + shift + ;; + + *) + echo "usage: ${progname} [OPTION]..." + echo + echo "This script creates an OpenSSH user configuration." + echo + echo "Options:" + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --passphrase -p word Use \"word\" as passphrase automatically." + echo + exit 1 + ;; + + esac +done + +# Ask user if user identity should be generated + +if [ ! -f ${SYSCONFDIR}/passwd ] +then + echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" + echo 'first using mkpasswd. Check if it contains an entry for you and' + echo 'please care for the home directory in your entry as well.' + exit 1 +fi + +uid=`id -u` +pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` + +if [ "X${pwdhome}" = "X" ] +then + echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." + echo 'Setting $HOME is not sufficient!' + exit 1 +fi + +if [ ! -d "${pwdhome}" ] +then + echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" + echo 'but it is not a valid directory. Cannot create user identity files.' + exit 1 +fi + +# If home is the root dir, set home to empty string to avoid error messages +# in subsequent parts of that script. +if [ "X${pwdhome}" = "X/" ] +then + # But first raise a warning! + echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" + if request "Would you like to proceed anyway?" + then + pwdhome='' + else + exit 1 + fi +fi + +if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] +then + echo + echo 'WARNING: group and other have been revoked write permission to your home' + echo " directory ${pwdhome}." + echo ' This is required by OpenSSH to allow public key authentication using' + echo ' the key files stored in your .ssh subdirectory.' + echo ' Revert this change ONLY if you know what you are doing!' + echo +fi + +if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] +then + echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." + exit 1 +fi + +if [ ! -e "${pwdhome}/.ssh" ] +then + mkdir "${pwdhome}/.ssh" + if [ ! -e "${pwdhome}/.ssh" ] + then + echo "Creating users ${pwdhome}/.ssh directory failed" + exit 1 + fi +fi + +if [ $_nt -gt 0 ] +then + _user="system" + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" + fi + if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" + then + echo "${pwdhome}/.ssh couldn't be given the correct permissions." + echo "Please try to solve this problem first." + exit 1 + fi +fi + +if [ ! -f "${pwdhome}/.ssh/identity" ] +then + if request "Shall I create an SSH1 RSA identity file for you?" + then + echo "Generating ${pwdhome}/.ssh/identity" + if [ "${with_passphrase}" = "yes" ] + then + ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null + else + ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null + fi + if request "Do you want to use this identity to login to this machine?" + then + echo "Adding to ${pwdhome}/.ssh/authorized_keys" + cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" + fi + fi +fi + +if [ ! -f "${pwdhome}/.ssh/id_rsa" ] +then + if request "Shall I create an SSH2 RSA identity file for you? (yes/no) " + then + echo "Generating ${pwdhome}/.ssh/id_rsa" + if [ "${with_passphrase}" = "yes" ] + then + ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null + else + ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null + fi + if request "Do you want to use this identity to login to this machine?" + then + echo "Adding to ${pwdhome}/.ssh/authorized_keys" + cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" + fi + fi +fi + +if [ ! -f "${pwdhome}/.ssh/id_dsa" ] +then + if request "Shall I create an SSH2 DSA identity file for you? (yes/no) " + then + echo "Generating ${pwdhome}/.ssh/id_dsa" + if [ "${with_passphrase}" = "yes" ] + then + ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null + else + ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null + fi + if request "Do you want to use this identity to login to this machine?" + then + echo "Adding to ${pwdhome}/.ssh/authorized_keys" + cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" + fi + fi +fi + +if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] +then + if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" + then + echo + echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" + echo "failed. Please care for the correct permissions. The minimum requirement" + echo "is, the owner and ${_user} both need read permissions." + echo + fi +fi + +echo +echo "Configuration finished. Have fun!" diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/findssl.sh openssh-4.2p1/contrib/findssl.sh --- ssh-openbsd-2005090100/contrib/findssl.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/findssl.sh Mon Dec 13 18:08:33 2004 @@ -0,0 +1,167 @@ +#!/bin/sh +# +# $Id: findssl.sh,v 1.3 2004/12/13 07:08:33 dtucker Exp $ +# +# findssl.sh +# Search for all instances of OpenSSL headers and libraries +# and print their versions. +# Intended to help diagnose OpenSSH's "OpenSSL headers do not +# match your library" errors. +# +# Written by Darren Tucker (dtucker at zip dot com dot au) +# This file is placed in the public domain. +# +# Release history: +# 2002-07-27: Initial release. +# 2002-08-04: Added public domain notice. +# 2003-06-24: Incorporated readme, set library paths. First cvs version. +# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole. +# +# "OpenSSL headers do not match your library" are usually caused by +# OpenSSH's configure picking up an older version of OpenSSL headers +# or libraries. You can use the following # procedure to help identify +# the cause. +# +# The output of configure will tell you the versions of the OpenSSL +# headers and libraries that were picked up, for example: +# +# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002) +# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) +# checking whether OpenSSL's headers match the library... no +# configure: error: Your OpenSSL headers do not match your library +# +# Now run findssl.sh. This should identify the headers and libraries +# present and their versions. You should be able to identify the +# libraries and headers used and adjust your CFLAGS or remove incorrect +# versions. The output will show OpenSSL's internal version identifier +# and should look something like: + +# $ ./findssl.sh +# Searching for OpenSSL header files. +# 0x0090604fL /usr/include/openssl/opensslv.h +# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h +# +# Searching for OpenSSL shared library files. +# 0x0090602fL /lib/libcrypto.so.0.9.6b +# 0x0090602fL /lib/libcrypto.so.2 +# 0x0090581fL /usr/lib/libcrypto.so.0 +# 0x0090602fL /usr/lib/libcrypto.so +# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a +# 0x0090600fL /usr/lib/libcrypto.so.0.9.6 +# 0x0090600fL /usr/lib/libcrypto.so.1 +# +# Searching for OpenSSL static library files. +# 0x0090602fL /usr/lib/libcrypto.a +# 0x0090604fL /usr/local/ssl/lib/libcrypto.a +# +# In this example, I gave configure no extra flags, so it's picking up +# the OpenSSL header from /usr/include/openssl (90604f) and the library +# from /usr/lib/ (90602f). + +# +# Adjust these to suit your compiler. +# You may also need to set the *LIB*PATH environment variables if +# DEFAULT_LIBPATH is not correct for your system. +# +CC=gcc +STATIC=-static + +# +# Cleanup on interrupt +# +trap 'rm -f conftest.c' INT HUP TERM + +# +# Set up conftest C source +# +rm -f findssl.log +cat >conftest.c < +int main(){printf("0x%08xL\n", SSLeay());} +EOD + +# +# Set default library paths if not already set +# +DEFAULT_LIBPATH=/usr/lib:/usr/local/lib +LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH} +LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} +LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} +export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH + +# +# Search for OpenSSL headers and print versions +# +echo Searching for OpenSSL header files. +if [ -x "`which locate`" ] +then + headers=`locate opensslv.h` +else + headers=`find / -name opensslv.h -print 2>/dev/null` +fi + +for header in $headers +do + ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header` + echo "$ver $header" +done +echo + +# +# Search for shared libraries. +# Relies on shared libraries looking like "libcrypto.s*" +# +echo Searching for OpenSSL shared library files. +if [ -x "`which locate`" ] +then + libraries=`locate libcrypto.s` +else + libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null` +fi + +for lib in $libraries +do + (echo "Trying libcrypto $lib" >>findssl.log + dir=`dirname $lib` + LIBPATH="$dir:$LIBPATH" + LD_LIBRARY_PATH="$dir:$LIBPATH" + LIBRARY_PATH="$dir:$LIBPATH" + export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH + ${CC} -o conftest conftest.c $lib 2>>findssl.log + if [ -x ./conftest ] + then + ver=`./conftest 2>/dev/null` + rm -f ./conftest + echo "$ver $lib" + fi) +done +echo + +# +# Search for static OpenSSL libraries and print versions +# +echo Searching for OpenSSL static library files. +if [ -x "`which locate`" ] +then + libraries=`locate libcrypto.a` +else + libraries=`find / -name libcrypto.a -print 2>/dev/null` +fi + +for lib in $libraries +do + libdir=`dirname $lib` + echo "Trying libcrypto $lib" >>findssl.log + ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log + if [ -x ./conftest ] + then + ver=`./conftest 2>/dev/null` + rm -f ./conftest + echo "$ver $lib" + fi +done + +# +# Clean up +# +rm -f conftest.c diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/gnome-ssh-askpass1.c openssh-4.2p1/contrib/gnome-ssh-askpass1.c --- ssh-openbsd-2005090100/contrib/gnome-ssh-askpass1.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/gnome-ssh-askpass1.c Fri Nov 21 23:48:56 2003 @@ -0,0 +1,171 @@ +/* + * Copyright (c) 2000-2002 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This is a simple GNOME SSH passphrase grabber. To use it, set the + * environment variable SSH_ASKPASS to point to the location of + * gnome-ssh-askpass before calling "ssh-add < /dev/null". + * + * There is only two run-time options: if you set the environment variable + * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab + * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the + * pointer will be grabbed too. These may have some benefit to security if + * you don't trust your X server. We grab the keyboard always. + */ + +/* + * Compile with: + * + * cc `gnome-config --cflags gnome gnomeui` \ + * gnome-ssh-askpass1.c -o gnome-ssh-askpass \ + * `gnome-config --libs gnome gnomeui` + * + */ + +#include +#include +#include +#include +#include +#include + +void +report_failed_grab (void) +{ + GtkWidget *err; + + err = gnome_message_box_new("Could not grab keyboard or mouse.\n" + "A malicious client may be eavesdropping on your session.", + GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL); + gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); + gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL); + + gnome_dialog_run_and_close(GNOME_DIALOG(err)); +} + +int +passphrase_dialog(char *message) +{ + char *passphrase; + char **messages; + int result, i, grab_server, grab_pointer; + GtkWidget *dialog, *entry, *label; + + grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); + grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); + + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); + + messages = g_strsplit(message, "\\n", 0); + if (messages) + for(i = 0; messages[i]; i++) { + label = gtk_label_new(messages[i]); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), + label, FALSE, FALSE, 0); + } + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + + /* Center window and prepare for grab */ + gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL); + gnome_dialog_set_default(GNOME_DIALOG(dialog), 0); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); + gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), + GNOME_PAD); + gtk_widget_show_all(dialog); + + /* Grab focus */ + if (grab_server) + XGrabServer(GDK_DISPLAY()); + if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, + NULL, NULL, GDK_CURRENT_TIME)) + goto nograb; + if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME)) + goto nograbkb; + + /* Make close dialog */ + gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry)); + + /* Run dialog */ + result = gnome_dialog_run(GNOME_DIALOG(dialog)); + + /* Ungrab */ + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + if (grab_pointer) + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + /* Report passphrase if user selected OK */ + passphrase = gtk_entry_get_text(GTK_ENTRY(entry)); + if (result == 0) + puts(passphrase); + + /* Zero passphrase in memory */ + memset(passphrase, '\0', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + + gnome_dialog_close(GNOME_DIALOG(dialog)); + return (result == 0 ? 0 : -1); + + /* At least one grab failed - ungrab what we got, and report + the failure to the user. Note that XGrabServer() cannot + fail. */ + nograbkb: + gdk_pointer_ungrab(GDK_CURRENT_TIME); + nograb: + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + gnome_dialog_close(GNOME_DIALOG(dialog)); + + report_failed_grab(); + return (-1); +} + +int +main(int argc, char **argv) +{ + char *message; + int result; + + gnome_init("GNOME ssh-askpass", "0.1", argc, argv); + + if (argc == 2) + message = argv[1]; + else + message = "Enter your OpenSSH passphrase:"; + + setvbuf(stdout, 0, _IONBF, 0); + result = passphrase_dialog(message); + + return (result); +} diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/gnome-ssh-askpass2.c openssh-4.2p1/contrib/gnome-ssh-askpass2.c --- ssh-openbsd-2005090100/contrib/gnome-ssh-askpass2.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/gnome-ssh-askpass2.c Fri Nov 21 23:48:56 2003 @@ -0,0 +1,220 @@ +/* + * Copyright (c) 2000-2002 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* GTK2 support by Nalin Dahyabhai */ + +/* + * This is a simple GNOME SSH passphrase grabber. To use it, set the + * environment variable SSH_ASKPASS to point to the location of + * gnome-ssh-askpass before calling "ssh-add < /dev/null". + * + * There is only two run-time options: if you set the environment variable + * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab + * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the + * pointer will be grabbed too. These may have some benefit to security if + * you don't trust your X server. We grab the keyboard always. + */ + +#define GRAB_TRIES 16 +#define GRAB_WAIT 250 /* milliseconds */ + +/* + * Compile with: + * + * cc -Wall `pkg-config --cflags gtk+-2.0` \ + * gnome-ssh-askpass2.c -o gnome-ssh-askpass \ + * `pkg-config --libs gtk+-2.0` + * + */ + +#include +#include +#include +#include +#include +#include +#include + +static void +report_failed_grab (const char *what) +{ + GtkWidget *err; + + err = gtk_message_dialog_new(NULL, 0, + GTK_MESSAGE_ERROR, + GTK_BUTTONS_CLOSE, + "Could not grab %s. " + "A malicious client may be eavesdropping " + "on your session.", what); + gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); + gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label), + TRUE); + + gtk_dialog_run(GTK_DIALOG(err)); + + gtk_widget_destroy(err); +} + +static void +ok_dialog(GtkWidget *entry, gpointer dialog) +{ + g_return_if_fail(GTK_IS_DIALOG(dialog)); + gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); +} + +static int +passphrase_dialog(char *message) +{ + const char *failed; + char *passphrase, *local; + int result, grab_tries, grab_server, grab_pointer; + GtkWidget *dialog, *entry; + GdkGrabStatus status; + + grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); + grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); + grab_tries = 0; + + dialog = gtk_message_dialog_new(NULL, 0, + GTK_MESSAGE_QUESTION, + GTK_BUTTONS_OK_CANCEL, + "%s", + message); + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + gtk_widget_show(entry); + + gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label), + TRUE); + + /* Make close dialog */ + gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); + g_signal_connect(G_OBJECT(entry), "activate", + G_CALLBACK(ok_dialog), dialog); + + /* Grab focus */ + gtk_widget_show_now(dialog); + if (grab_pointer) { + for(;;) { + status = gdk_pointer_grab( + (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, + NULL, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "mouse"; + goto nograb; + } + } + } + for(;;) { + status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, + FALSE, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "keyboard"; + goto nograbkb; + } + } + if (grab_server) { + gdk_x11_grab_server(); + } + + result = gtk_dialog_run(GTK_DIALOG(dialog)); + + /* Ungrab */ + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + if (grab_pointer) + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + /* Report passphrase if user selected OK */ + passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry))); + if (result == GTK_RESPONSE_OK) { + local = g_locale_from_utf8(passphrase, strlen(passphrase), + NULL, NULL, NULL); + if (local != NULL) { + puts(local); + memset(local, '\0', strlen(local)); + g_free(local); + } else { + puts(passphrase); + } + } + + /* Zero passphrase in memory */ + memset(passphrase, '\b', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + memset(passphrase, '\0', strlen(passphrase)); + g_free(passphrase); + + gtk_widget_destroy(dialog); + return (result == GTK_RESPONSE_OK ? 0 : -1); + + /* At least one grab failed - ungrab what we got, and report + the failure to the user. Note that XGrabServer() cannot + fail. */ + nograbkb: + gdk_pointer_ungrab(GDK_CURRENT_TIME); + nograb: + if (grab_server) + XUngrabServer(GDK_DISPLAY()); + gtk_widget_destroy(dialog); + + report_failed_grab(failed); + + return (-1); +} + +int +main(int argc, char **argv) +{ + char *message; + int result; + + gtk_init(&argc, &argv); + + if (argc > 1) { + message = g_strjoinv(" ", argv + 1); + } else { + message = g_strdup("Enter your OpenSSH passphrase:"); + } + + setvbuf(stdout, 0, _IONBF, 0); + result = passphrase_dialog(message); + g_free(message); + + return (result); +} diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/hpux/README openssh-4.2p1/contrib/hpux/README --- ssh-openbsd-2005090100/contrib/hpux/README Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/hpux/README Tue Dec 12 11:08:12 2000 @@ -0,0 +1,45 @@ +README for OpenSSH HP-UX contrib files +Kevin Steves + +sshd: configuration file for sshd.rc +sshd.rc: SSH startup script +egd: configuration file for egd.rc +egd.rc: EGD (entropy gathering daemon) startup script + +To install: + +sshd.rc: + +o Verify paths in sshd.rc match your local installation + (WHAT_PATH and WHAT_PID) +o Customize sshd if needed (SSHD_ARGS) +o Install: + + # cp sshd /etc/rc.config.d + # chmod 444 /etc/rc.config.d/sshd + # cp sshd.rc /sbin/init.d + # chmod 555 /sbin/init.d/sshd.rc + # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd + # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd + +egd.rc: + +o Verify egd.pl path in egd.rc matches your local installation + (WHAT_PATH) +o Customize egd if needed (EGD_ARGS and EGD_LOG) +o Add pseudo account: + + # groupadd egd + # useradd -g egd egd + # mkdir -p /etc/opt/egd + # chown egd:egd /etc/opt/egd + # chmod 711 /etc/opt/egd + +o Install: + + # cp egd /etc/rc.config.d + # chmod 444 /etc/rc.config.d/egd + # cp egd.rc /sbin/init.d + # chmod 555 /sbin/init.d/egd.rc + # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd + # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/hpux/egd openssh-4.2p1/contrib/hpux/egd --- ssh-openbsd-2005090100/contrib/hpux/egd Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/hpux/egd Thu Oct 19 00:45:40 2000 @@ -0,0 +1,15 @@ +# EGD_START: Set to 1 to start entropy gathering daemon +# EGD_ARGS: Command line arguments to pass to egd +# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log) +# +# To configure the egd environment: + +# groupadd egd +# useradd -g egd egd +# mkdir -p /etc/opt/egd +# chown egd:egd /etc/opt/egd +# chmod 711 /etc/opt/egd + +EGD_START=1 +EGD_ARGS='/etc/opt/egd/entropy' +EGD_LOG= diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/hpux/egd.rc openssh-4.2p1/contrib/hpux/egd.rc --- ssh-openbsd-2005090100/contrib/hpux/egd.rc Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/hpux/egd.rc Thu Oct 19 00:45:40 2000 @@ -0,0 +1,98 @@ +#!/sbin/sh + +# +# egd.rc: EGD start-up and shutdown script +# + +# Allowed exit values: +# 0 = success; causes "OK" to show up in checklist. +# 1 = failure; causes "FAIL" to show up in checklist. +# 2 = skip; causes "N/A" to show up in the checklist. +# Use this value if execution of this script is overridden +# by the use of a control variable, or if this script is not +# appropriate to execute for some other reason. +# 3 = reboot; causes the system to be rebooted after execution. + +# Input and output: +# stdin is redirected from /dev/null +# +# stdout and stderr are redirected to the /etc/rc.log file +# during checklist mode, or to the console in raw mode. + +umask 022 + +PATH=/usr/sbin:/usr/bin:/sbin +export PATH + +WHAT='EGD (entropy gathering daemon)' +WHAT_PATH=/opt/perl/bin/egd.pl +WHAT_CONFIG=/etc/rc.config.d/egd +WHAT_LOG=/etc/opt/egd/egd.log + +# NOTE: If your script executes in run state 0 or state 1, then /usr might +# not be available. Do not attempt to access commands or files in +# /usr unless your script executes in run state 2 or greater. Other +# file systems typically not mounted until run state 2 include /var +# and /opt. + +rval=0 + +# Check the exit value of a command run by this script. If non-zero, the +# exit code is echoed to the log file and the return value of this script +# is set to indicate failure. + +set_return() { + x=$? + if [ $x -ne 0 ]; then + echo "EXIT CODE: $x" + rval=1 # script FAILed + fi +} + +case $1 in +'start_msg') + echo "Starting $WHAT" + ;; + +'stop_msg') + echo "Stopping $WHAT" + ;; + +'start') + if [ -f $WHAT_CONFIG ] ; then + . $WHAT_CONFIG + else + echo "ERROR: $WHAT_CONFIG defaults file MISSING" + fi + + + if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then + EGD_LOG=${EGD_LOG:-$WHAT_LOG} + su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" && + echo $WHAT started + set_return + else + rval=2 + fi + ;; + +'stop') + pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'` + if [ "X$pid" != "X" ]; then + if kill "$pid"; then + echo "$WHAT stopped" + else + rval=1 + echo "Unable to stop $WHAT" + fi + fi + set_return + ;; + +*) + echo "usage: $0 {start|stop|start_msg|stop_msg}" + rval=1 + ;; +esac + +exit $rval diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/hpux/sshd openssh-4.2p1/contrib/hpux/sshd --- ssh-openbsd-2005090100/contrib/hpux/sshd Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/hpux/sshd Sat Sep 16 15:39:57 2000 @@ -0,0 +1,5 @@ +# SSHD_START: Set to 1 to start SSH daemon +# SSHD_ARGS: Command line arguments to pass to sshd +# +SSHD_START=1 +SSHD_ARGS= diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/hpux/sshd.rc openssh-4.2p1/contrib/hpux/sshd.rc --- ssh-openbsd-2005090100/contrib/hpux/sshd.rc Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/hpux/sshd.rc Sat Sep 16 15:39:57 2000 @@ -0,0 +1,90 @@ +#!/sbin/sh + +# +# sshd.rc: SSH daemon start-up and shutdown script +# + +# Allowed exit values: +# 0 = success; causes "OK" to show up in checklist. +# 1 = failure; causes "FAIL" to show up in checklist. +# 2 = skip; causes "N/A" to show up in the checklist. +# Use this value if execution of this script is overridden +# by the use of a control variable, or if this script is not +# appropriate to execute for some other reason. +# 3 = reboot; causes the system to be rebooted after execution. + +# Input and output: +# stdin is redirected from /dev/null +# +# stdout and stderr are redirected to the /etc/rc.log file +# during checklist mode, or to the console in raw mode. + +PATH=/usr/sbin:/usr/bin:/sbin +export PATH + +WHAT='OpenSSH' +WHAT_PATH=/opt/openssh/sbin/sshd +WHAT_PID=/var/run/sshd.pid +WHAT_CONFIG=/etc/rc.config.d/sshd + +# NOTE: If your script executes in run state 0 or state 1, then /usr might +# not be available. Do not attempt to access commands or files in +# /usr unless your script executes in run state 2 or greater. Other +# file systems typically not mounted until run state 2 include /var +# and /opt. + +rval=0 + +# Check the exit value of a command run by this script. If non-zero, the +# exit code is echoed to the log file and the return value of this script +# is set to indicate failure. + +set_return() { + x=$? + if [ $x -ne 0 ]; then + echo "EXIT CODE: $x" + rval=1 # script FAILed + fi +} + +case $1 in +'start_msg') + echo "Starting $WHAT" + ;; + +'stop_msg') + echo "Stopping $WHAT" + ;; + +'start') + if [ -f $WHAT_CONFIG ] ; then + . $WHAT_CONFIG + else + echo "ERROR: $WHAT_CONFIG defaults file MISSING" + fi + + if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then + $WHAT_PATH $SSHD_ARGS && echo "$WHAT started" + set_return + else + rval=2 + fi + ;; + +'stop') + if kill `cat $WHAT_PID`; then + echo "$WHAT stopped" + else + rval=1 + echo "Unable to stop $WHAT" + fi + set_return + ;; + +*) + echo "usage: $0 {start|stop|start_msg|stop_msg}" + rval=1 + ;; +esac + +exit $rval diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/gnome-ssh-askpass.csh openssh-4.2p1/contrib/redhat/gnome-ssh-askpass.csh --- ssh-openbsd-2005090100/contrib/redhat/gnome-ssh-askpass.csh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/gnome-ssh-askpass.csh Fri May 10 12:19:23 2002 @@ -0,0 +1 @@ +setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/gnome-ssh-askpass.sh openssh-4.2p1/contrib/redhat/gnome-ssh-askpass.sh --- ssh-openbsd-2005090100/contrib/redhat/gnome-ssh-askpass.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/gnome-ssh-askpass.sh Fri May 10 12:19:23 2002 @@ -0,0 +1,2 @@ +SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass +export SSH_ASKPASS diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/openssh.spec openssh-4.2p1/contrib/redhat/openssh.spec --- ssh-openbsd-2005090100/contrib/redhat/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/openssh.spec Thu Sep 1 19:10:50 2005 @@ -0,0 +1,804 @@ +%define ver 4.2p1 +%define rel 1 + +# OpenSSH privilege separation requires a user & group ID +%define sshd_uid 74 +%define sshd_gid 74 + +# Version of ssh-askpass +%define aversion 1.2.4.1 + +# Do we want to disable building of x11-askpass? (1=yes 0=no) +%define no_x11_askpass 0 + +# Do we want to disable building of gnome-askpass? (1=yes 0=no) +%define no_gnome_askpass 0 + +# Do we want to link against a static libcrypto? (1=yes 0=no) +%define static_libcrypto 0 + +# Do we want smartcard support (1=yes 0=no) +%define scard 0 + +# Use GTK2 instead of GNOME in gnome-ssh-askpass +%define gtk2 1 + +# Is this build for RHL 6.x? +%define build6x 0 + +# Do we want kerberos5 support (1=yes 0=no) +%define kerberos5 1 + +# Reserve options to override askpass settings with: +# rpm -ba|--rebuild --define 'skip_xxx 1' +%{?skip_x11_askpass:%define no_x11_askpass 1} +%{?skip_gnome_askpass:%define no_gnome_askpass 1} + +# Add option to build without GTK2 for older platforms with only GTK+. +# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. +# rpm -ba|--rebuild --define 'no_gtk2 1' +%{?no_gtk2:%define gtk2 0} + +# Is this a build for RHL 6.x or earlier? +%{?build_6x:%define build6x 1} + +# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc. +%if %{build6x} +%define _sysconfdir /etc +%endif + +# Options for static OpenSSL link: +# rpm -ba|--rebuild --define "static_openssl 1" +%{?static_openssl:%define static_libcrypto 1} + +# Options for Smartcard support: (needs libsectok and openssl-engine) +# rpm -ba|--rebuild --define "smartcard 1" +%{?smartcard:%define scard 1} + +# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no) +%define rescue 0 +%{?build_rescue:%define rescue 1} + +# Turn off some stuff for resuce builds +%if %{rescue} +%define kerberos5 0 +%endif + +Summary: The OpenSSH implementation of SSH protocol versions 1 and 2. +Name: openssh +Version: %{ver} +%if %{rescue} +Release: %{rel}rescue +%else +Release: %{rel} +%endif +URL: http://www.openssh.com/portable.html +Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +License: BSD +Group: Applications/Internet +BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot +Obsoletes: ssh +%if %{build6x} +PreReq: initscripts >= 5.00 +%else +PreReq: initscripts >= 5.20 +%endif +BuildPreReq: perl, openssl-devel, tcp_wrappers +BuildPreReq: /bin/login +%if ! %{build6x} +BuildPreReq: glibc-devel, pam +%else +BuildPreReq: /usr/include/security/pam_appl.h +%endif +%if ! %{no_x11_askpass} +BuildPreReq: XFree86-devel +%endif +%if ! %{no_gnome_askpass} +BuildPreReq: pkgconfig +%endif +%if %{kerberos5} +BuildPreReq: krb5-devel +BuildPreReq: krb5-libs +%endif + +%package clients +Summary: OpenSSH clients. +Requires: openssh = %{version}-%{release} +Group: Applications/Internet +Obsoletes: ssh-clients + +%package server +Summary: The OpenSSH server daemon. +Group: System Environment/Daemons +Obsoletes: ssh-server +PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 +%if ! %{build6x} +Requires: /etc/pam.d/system-auth +%endif + +%package askpass +Summary: A passphrase dialog for OpenSSH and X. +Group: Applications/Internet +Requires: openssh = %{version}-%{release} +Obsoletes: ssh-extras + +%package askpass-gnome +Summary: A passphrase dialog for OpenSSH, X, and GNOME. +Group: Applications/Internet +Requires: openssh = %{version}-%{release} +Obsoletes: ssh-extras + +%description +SSH (Secure SHell) is a program for logging into and executing +commands on a remote machine. SSH is intended to replace rlogin and +rsh, and to provide secure encrypted communications between two +untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's version of the last free version of SSH, bringing +it up to date in terms of security and features, as well as removing +all patented algorithms to separate libraries. + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package includes +the clients necessary to make encrypted connections to SSH servers. +You'll also need to install the openssh package on OpenSSH clients. + +%description server +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +the secure shell daemon (sshd). The sshd daemon allows SSH clients to +securely connect to your SSH server. You also need to have the openssh +package installed. + +%description askpass +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +an X11 passphrase dialog for OpenSSH. + +%description askpass-gnome +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop +environment. + +%prep + +%if ! %{no_x11_askpass} +%setup -q -a 1 +%else +%setup -q +%endif + +%build +%if %{rescue} +CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS +%endif + +%if %{kerberos5} +K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` +echo K5DIR=$K5DIR +%endif + +%configure \ + --sysconfdir=%{_sysconfdir}/ssh \ + --libexecdir=%{_libexecdir}/openssh \ + --datadir=%{_datadir}/openssh \ + --with-tcp-wrappers \ + --with-rsh=%{_bindir}/rsh \ + --with-default-path=/usr/local/bin:/bin:/usr/bin \ + --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ + --with-privsep-path=%{_var}/empty/sshd \ + --with-md5-passwords \ +%if %{scard} + --with-smartcard \ +%endif +%if %{rescue} + --without-pam \ +%else + --with-pam \ +%endif +%if %{kerberos5} + --with-kerberos5=$K5DIR \ +%endif + + +%if %{static_libcrypto} +perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile +%endif + +make + +%if ! %{no_x11_askpass} +pushd x11-ssh-askpass-%{aversion} +%configure --libexecdir=%{_libexecdir}/openssh +xmkmf -a +make +popd +%endif + +# Define a variable to toggle gnome1/gtk2 building. This is necessary +# because RPM doesn't handle nested %if statements. +%if %{gtk2} + gtk2=yes +%else + gtk2=no +%endif + +%if ! %{no_gnome_askpass} +pushd contrib +if [ $gtk2 = yes ] ; then + make gnome-ssh-askpass2 + mv gnome-ssh-askpass2 gnome-ssh-askpass +else + make gnome-ssh-askpass1 + mv gnome-ssh-askpass1 gnome-ssh-askpass +fi +popd +%endif + +%install +rm -rf $RPM_BUILD_ROOT +mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh +mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh +mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd + +make install DESTDIR=$RPM_BUILD_ROOT + +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh +%if %{build6x} +install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd +%else +install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +%endif +install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd + +%if ! %{no_x11_askpass} +install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass +ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass +%endif + +%if ! %{no_gnome_askpass} +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass +%endif + +%if ! %{scard} + rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin +%endif + +%if ! %{no_gnome_askpass} +install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ +%endif + +perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* + +%clean +rm -rf $RPM_BUILD_ROOT + +%triggerun server -- ssh-server +if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then + touch /var/run/sshd.restart +fi + +%triggerun server -- openssh-server < 2.5.0p1 +# Count the number of HostKey and HostDsaKey statements we have. +gawk 'BEGIN {IGNORECASE=1} + /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1} + END {exit sawhostkey}' /etc/ssh/sshd_config +# And if we only found one, we know the client was relying on the old default +# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't +# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying +# one nullifies the default, which would have loaded both. +if [ $? -eq 1 ] ; then + echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config + echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config +fi + +%triggerpostun server -- ssh-server +if [ "$1" != 0 ] ; then + /sbin/chkconfig --add sshd + if test -f /var/run/sshd.restart ; then + rm -f /var/run/sshd.restart + /sbin/service sshd start > /dev/null 2>&1 || : + fi +fi + +%pre server +%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || : +%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \ + -g sshd -M -r sshd 2>/dev/null || : + +%post server +/sbin/chkconfig --add sshd + +%postun server +/sbin/service sshd condrestart > /dev/null 2>&1 || : + +%preun server +if [ "$1" = 0 ] +then + /sbin/service sshd stop > /dev/null 2>&1 || : + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* +%attr(0755,root,root) %{_bindir}/scp +%attr(0644,root,root) %{_mandir}/man1/scp.1* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli +%if ! %{rescue} +%attr(0755,root,root) %{_bindir}/ssh-keygen +%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0755,root,root) %dir %{_libexecdir}/openssh +%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign +%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* +%endif +%if %{scard} +%attr(0755,root,root) %dir %{_datadir}/openssh +%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin +%endif + +%files clients +%defattr(-,root,root) +%attr(0755,root,root) %{_bindir}/ssh +%attr(0644,root,root) %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %{_mandir}/man5/ssh_config.5* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config +%attr(-,root,root) %{_bindir}/slogin +%attr(-,root,root) %{_mandir}/man1/slogin.1* +%if ! %{rescue} +%attr(2755,root,nobody) %{_bindir}/ssh-agent +%attr(0755,root,root) %{_bindir}/ssh-add +%attr(0755,root,root) %{_bindir}/ssh-keyscan +%attr(0755,root,root) %{_bindir}/sftp +%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* +%attr(0644,root,root) %{_mandir}/man1/sftp.1* +%endif + +%if ! %{rescue} +%files server +%defattr(-,root,root) +%dir %attr(0111,root,root) %{_var}/empty/sshd +%attr(0755,root,root) %{_sbindir}/sshd +%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server +%attr(0644,root,root) %{_mandir}/man8/sshd.8* +%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* +%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd +%endif + +%if ! %{no_x11_askpass} +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{aversion}/README +%doc x11-ssh-askpass-%{aversion}/ChangeLog +%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass +%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass +%endif + +%if ! %{no_gnome_askpass} +%files askpass-gnome +%defattr(-,root,root) +%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.* +%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass +%endif + +%changelog +* Mon Jun 2 2003 Damien Miller +- Remove noip6 option. This may be controlled at run-time in client config + file using new AddressFamily directive + +* Mon May 12 2003 Damien Miller +- Don't install profile.d scripts when not building with GNOME/GTK askpass + (patch from bet@rahul.net) + +* Wed Oct 01 2002 Damien Miller +- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks + +* Mon Sep 30 2002 Damien Miller +- Use contrib/ Makefile for building askpass programs + +* Fri Jun 21 2002 Damien Miller +- Merge in spec changes from seba@iq.pl (Sebastian Pachuta) +- Add new {ssh,sshd}_config.5 manpages +- Add new ssh-keysign program and remove setuid from ssh client + +* Fri May 10 2002 Damien Miller +- Merge in spec changes from RedHat, reorgansie a little +- Add Privsep user, group and directory + +* Thu Mar 7 2002 Nalin Dahyabhai 3.1p1-2 +- bump and grind (through the build system) + +* Thu Mar 7 2002 Nalin Dahyabhai 3.1p1-1 +- require sharutils for building (mindrot #137) +- require db1-devel only when building for 6.x (#55105), which probably won't + work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck +- require pam-devel by file (not by package name) again +- add Markus's patch to compile with OpenSSL 0.9.5a (from + http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're + building for 6.x + +* Thu Mar 7 2002 Nalin Dahyabhai 3.1p1-0 +- update to 3.1p1 + +* Tue Mar 5 2002 Nalin Dahyabhai SNAP-20020305 +- update to SNAP-20020305 +- drop debug patch, fixed upstream + +* Wed Feb 20 2002 Nalin Dahyabhai SNAP-20020220 +- update to SNAP-20020220 for testing purposes (you've been warned, if there's + anything to be warned about, gss patches won't apply, I don't mind) + +* Wed Feb 13 2002 Nalin Dahyabhai 3.0.2p1-3 +- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key + exchange, authentication, and named key support + +* Wed Jan 23 2002 Nalin Dahyabhai 3.0.2p1-2 +- remove dependency on db1-devel, which has just been swallowed up whole + by gnome-libs-devel + +* Sun Dec 29 2001 Nalin Dahyabhai +- adjust build dependencies so that build6x actually works right (fix + from Hugo van der Kooij) + +* Tue Dec 4 2001 Nalin Dahyabhai 3.0.2p1-1 +- update to 3.0.2p1 + +* Fri Nov 16 2001 Nalin Dahyabhai 3.0.1p1-1 +- update to 3.0.1p1 + +* Tue Nov 13 2001 Nalin Dahyabhai +- update to current CVS (not for use in distribution) + +* Thu Nov 8 2001 Nalin Dahyabhai 3.0p1-1 +- merge some of Damien Miller changes from the upstream + 3.0p1 spec file and init script + +* Wed Nov 7 2001 Nalin Dahyabhai +- update to 3.0p1 +- update to x11-ssh-askpass 1.2.4.1 +- change build dependency on a file from pam-devel to the pam-devel package +- replace primes with moduli + +* Thu Sep 27 2001 Nalin Dahyabhai 2.9p2-9 +- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs + +* Thu Sep 13 2001 Bernhard Rosenkraenzer 2.9p2-8 +- Merge changes to rescue build from current sysadmin survival cd + +* Thu Sep 6 2001 Nalin Dahyabhai 2.9p2-7 +- fix scp's server's reporting of file sizes, and build with the proper + preprocessor define to get large-file capable open(), stat(), etc. + (sftp has been doing this correctly all along) (#51827) +- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247) +- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298) +- mark profile.d scriptlets as config files (#42337) +- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug +- change a couple of log() statements to debug() statements (#50751) +- pull cvs patch to add -t flag to sshd (#28611) +- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221) + +* Mon Aug 20 2001 Nalin Dahyabhai 2.9p2-6 +- add db1-devel as a BuildPrerequisite (noted by Hans Ecke) + +* Thu Aug 16 2001 Nalin Dahyabhai +- pull cvs patch to fix remote port forwarding with protocol 2 + +* Thu Aug 9 2001 Nalin Dahyabhai +- pull cvs patch to add session initialization to no-pty sessions +- pull cvs patch to not cut off challengeresponse auth needlessly +- refuse to do X11 forwarding if xauth isn't there, handy if you enable + it by default on a system that doesn't have X installed (#49263) + +* Wed Aug 8 2001 Nalin Dahyabhai +- don't apply patches to code we don't intend to build (spotted by Matt Galgoci) + +* Mon Aug 6 2001 Nalin Dahyabhai +- pass OPTIONS correctly to initlog (#50151) + +* Wed Jul 25 2001 Nalin Dahyabhai +- switch to x11-ssh-askpass 1.2.2 + +* Wed Jul 11 2001 Nalin Dahyabhai +- rebuild in new environment + +* Mon Jun 25 2001 Nalin Dahyabhai +- disable the gssapi patch + +* Mon Jun 18 2001 Nalin Dahyabhai +- update to 2.9p2 +- refresh to a new version of the gssapi patch + +* Thu Jun 7 2001 Nalin Dahyabhai +- change Copyright: BSD to License: BSD +- add Markus Friedl's unverified patch for the cookie file deletion problem + so that we can verify it +- drop patch to check if xauth is present (was folded into cookie patch) +- don't apply gssapi patches for the errata candidate +- clear supplemental groups list at startup + +* Fri May 25 2001 Nalin Dahyabhai +- fix an error parsing the new default sshd_config +- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not + dealing with comments right + +* Thu May 24 2001 Nalin Dahyabhai +- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house, + to be removed before the next beta cycle because it's a big departure + from the upstream version + +* Thu May 3 2001 Nalin Dahyabhai +- finish marking strings in the init script for translation +- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd + at startup (change merged from openssh.com init script, originally by + Pekka Savola) +- refuse to do X11 forwarding if xauth isn't there, handy if you enable + it by default on a system that doesn't have X installed + +* Wed May 2 2001 Nalin Dahyabhai +- update to 2.9 +- drop various patches that came from or went upstream or to or from CVS + +* Wed Apr 18 2001 Nalin Dahyabhai +- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer) + +* Sun Apr 8 2001 Preston Brown +- remove explicit openssl requirement, fixes builddistro issue +- make initscript stop() function wait until sshd really dead to avoid + races in condrestart + +* Mon Apr 2 2001 Nalin Dahyabhai +- mention that challengereponse supports PAM, so disabling password doesn't + limit users to pubkey and rsa auth (#34378) +- bypass the daemon() function in the init script and call initlog directly, + because daemon() won't start a daemon it detects is already running (like + open connections) +- require the version of openssl we had when we were built + +* Fri Mar 23 2001 Nalin Dahyabhai +- make do_pam_setcred() smart enough to know when to establish creds and + when to reinitialize them +- add in a couple of other fixes from Damien for inclusion in the errata + +* Thu Mar 22 2001 Nalin Dahyabhai +- update to 2.5.2p2 +- call setcred() again after initgroups, because the "creds" could actually + be group memberships + +* Tue Mar 20 2001 Nalin Dahyabhai +- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation) +- don't enable challenge-response by default until we find a way to not + have too many userauth requests (we may make up to six pubkey and up to + three password attempts as it is) +- remove build dependency on rsh to match openssh.com's packages more closely + +* Sat Mar 3 2001 Nalin Dahyabhai +- remove dependency on openssl -- would need to be too precise + +* Fri Mar 2 2001 Nalin Dahyabhai +- rebuild in new environment + +* Mon Feb 26 2001 Nalin Dahyabhai +- Revert the patch to move pam_open_session. +- Init script and spec file changes from Pekka Savola. (#28750) +- Patch sftp to recognize '-o protocol' arguments. (#29540) + +* Thu Feb 22 2001 Nalin Dahyabhai +- Chuck the closing patch. +- Add a trigger to add host keys for protocol 2 to the config file, now that + configuration file syntax requires us to specify it with HostKey if we + specify any other HostKey values, which we do. + +* Tue Feb 20 2001 Nalin Dahyabhai +- Redo patch to move pam_open_session after the server setuid()s to the user. +- Rework the nopam patch to use be picked up by autoconf. + +* Mon Feb 19 2001 Nalin Dahyabhai +- Update for 2.5.1p1. +- Add init script mods from Pekka Savola. +- Tweak the init script to match the CVS contrib script more closely. +- Redo patch to ssh-add to try to adding both identity and id_dsa to also try + adding id_rsa. + +* Fri Feb 16 2001 Nalin Dahyabhai +- Update for 2.5.0p1. +- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass +- Resync with parts of Damien Miller's openssh.spec from CVS, including + update of x11 askpass to 1.2.0. +- Only require openssl (don't prereq) because we generate keys in the init + script now. + +* Tue Feb 13 2001 Nalin Dahyabhai +- Don't open a PAM session until we've forked and become the user (#25690). +- Apply Andrew Bartlett's patch for letting pam_authenticate() know which + host the user is attempting a login from. +- Resync with parts of Damien Miller's openssh.spec from CVS. +- Don't expose KbdInt responses in debug messages (from CVS). +- Detect and handle errors in rsa_{public,private}_decrypt (from CVS). + +* Wed Feb 7 2001 Trond Eivind Glomsrxd +- i18n-tweak to initscript. + +* Tue Jan 23 2001 Nalin Dahyabhai +- More gettextizing. +- Close all files after going into daemon mode (needs more testing). +- Extract patch from CVS to handle auth banners (in the client). +- Extract patch from CVS to handle compat weirdness. + +* Fri Jan 19 2001 Nalin Dahyabhai +- Finish with the gettextizing. + +* Thu Jan 18 2001 Nalin Dahyabhai +- Fix a bug in auth2-pam.c (#23877) +- Gettextize the init script. + +* Wed Dec 20 2000 Nalin Dahyabhai +- Incorporate a switch for using PAM configs for 6.x, just in case. + +* Tue Dec 5 2000 Nalin Dahyabhai +- Incorporate Bero's changes for a build specifically for rescue CDs. + +* Wed Nov 29 2000 Nalin Dahyabhai +- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has + succeeded, to allow public-key authentication after a failure with "none" + authentication. (#21268) + +* Tue Nov 28 2000 Nalin Dahyabhai +- Update to x11-askpass 1.1.1. (#21301) +- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290) + +* Mon Nov 27 2000 Nalin Dahyabhai +- Merge multiple PAM text messages into subsequent prompts when possible when + doing keyboard-interactive authentication. + +* Sun Nov 26 2000 Nalin Dahyabhai +- Disable the built-in MD5 password support. We're using PAM. +- Take a crack at doing keyboard-interactive authentication with PAM, and + enable use of it in the default client configuration so that the client + will try it when the server disallows password authentication. +- Build with debugging flags. Build root policies strip all binaries anyway. + +* Tue Nov 21 2000 Nalin Dahyabhai +- Use DESTDIR instead of %%makeinstall. +- Remove /usr/X11R6/bin from the path-fixing patch. + +* Mon Nov 20 2000 Nalin Dahyabhai +- Add the primes file from the latest snapshot to the main package (#20884). +- Add the dev package to the prereq list (#19984). +- Remove the default path and mimic login's behavior in the server itself. + +* Fri Nov 17 2000 Nalin Dahyabhai +- Resync with conditional options in Damien Miller's .spec file for an errata. +- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh. + +* Tue Nov 7 2000 Nalin Dahyabhai +- Update to OpenSSH 2.3.0p1. +- Update to x11-askpass 1.1.0. +- Enable keyboard-interactive authentication. + +* Mon Oct 30 2000 Nalin Dahyabhai +- Update to ssh-askpass-x11 1.0.3. +- Change authentication related messages to be private (#19966). + +* Tue Oct 10 2000 Nalin Dahyabhai +- Patch ssh-keygen to be able to list signatures for DSA public key files + it generates. + +* Thu Oct 5 2000 Nalin Dahyabhai +- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always + build PAM authentication in. +- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. +- Clean out no-longer-used patches. +- Patch ssh-add to try to add both identity and id_dsa, and to error only + when neither exists. + +* Mon Oct 2 2000 Nalin Dahyabhai +- Update x11-askpass to 1.0.2. (#17835) +- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will + always find them in the right place. (#17909) +- Set the default path to be the same as the one supplied by /bin/login, but + add /usr/X11R6/bin. (#17909) +- Try to handle obsoletion of ssh-server more cleanly. Package names + are different, but init script name isn't. (#17865) + +* Wed Sep 6 2000 Nalin Dahyabhai +- Update to 2.2.0p1. (#17835) +- Tweak the init script to allow proper restarting. (#18023) + +* Wed Aug 23 2000 Nalin Dahyabhai +- Update to 20000823 snapshot. +- Change subpackage requirements from %%{version} to %%{version}-%%{release} +- Back out the pipe patch. + +* Mon Jul 17 2000 Nalin Dahyabhai +- Update to 2.1.1p4, which includes fixes for config file parsing problems. +- Move the init script back. +- Add Damien's quick fix for wackiness. + +* Wed Jul 12 2000 Nalin Dahyabhai +- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok(). + +* Thu Jul 6 2000 Nalin Dahyabhai +- Move condrestart to server postun. +- Move key generation to init script. +- Actually use the right patch for moving the key generation to the init script. +- Clean up the init script a bit. + +* Wed Jul 5 2000 Nalin Dahyabhai +- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard. + +* Sun Jul 2 2000 Nalin Dahyabhai +- Update to 2.1.1p2. +- Use of strtok() considered harmful. + +* Sat Jul 1 2000 Nalin Dahyabhai +- Get the build root out of the man pages. + +* Thu Jun 29 2000 Nalin Dahyabhai +- Add and use condrestart support in the init script. +- Add newer initscripts as a prereq. + +* Tue Jun 27 2000 Nalin Dahyabhai +- Build in new environment (release 2) +- Move -clients subpackage to Applications/Internet group + +* Fri Jun 9 2000 Nalin Dahyabhai +- Update to 2.2.1p1 + +* Sat Jun 3 2000 Nalin Dahyabhai +- Patch to build with neither RSA nor RSAref. +- Miscellaneous FHS-compliance tweaks. +- Fix for possibly-compressed man pages. + +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build + +* Sun Dec 26 1999 Damien Miller +- Added Jim Knoble's askpass + +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble + +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives + +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages + +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages + +* Sat Oct 30 1999 Damien Miller +- Renamed init script + +* Fri Oct 29 1999 Damien Miller +- Back to old binary names + +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names + +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/sshd.init openssh-4.2p1/contrib/redhat/sshd.init --- ssh-openbsd-2005090100/contrib/redhat/sshd.init Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/sshd.init Fri May 10 12:19:23 2002 @@ -0,0 +1,154 @@ +#!/bin/bash +# +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + +RETVAL=0 +prog="sshd" + +# Some functions to make the below more readable +KEYGEN=/usr/bin/ssh-keygen +SSHD=/usr/sbin/sshd +RSA1_KEY=/etc/ssh/ssh_host_key +RSA_KEY=/etc/ssh/ssh_host_rsa_key +DSA_KEY=/etc/ssh/ssh_host_dsa_key +PID_FILE=/var/run/sshd.pid + +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY ]; then + echo -n $"Generating SSH1 RSA host key: " + if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + success $"RSA1 key generation" + echo + else + failure $"RSA1 key generation" + echo + exit 1 + fi + fi +} + +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + echo -n $"Generating SSH2 RSA host key: " + if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + success $"RSA key generation" + echo + else + failure $"RSA key generation" + echo + exit 1 + fi + fi +} + +do_dsa_keygen() { + if [ ! -s $DSA_KEY ]; then + echo -n $"Generating SSH2 DSA host key: " + if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + success $"DSA key generation" + echo + else + failure $"DSA key generation" + echo + exit 1 + fi + fi +} + +do_restart_sanity_check() +{ + $SSHD -t + RETVAL=$? + if [ ! "$RETVAL" = 0 ]; then + failure $"Configuration file or keys are invalid" + echo + fi +} + +start() +{ + # Create keys if necessary + do_rsa1_keygen + do_rsa_keygen + do_dsa_keygen + + echo -n $"Starting $prog:" + initlog -c "$SSHD $OPTIONS" && success || failure + RETVAL=$? + [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd + echo +} + +stop() +{ + echo -n $"Stopping $prog:" + killproc $SSHD -TERM + RETVAL=$? + [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd + echo +} + +reload() +{ + echo -n $"Reloading $prog:" + killproc $SSHD -HUP + RETVAL=$? + echo +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + start + ;; + reload) + reload + ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + do_restart_sanity_check + if [ "$RETVAL" = 0 ] ; then + stop + # avoid race + sleep 3 + start + fi + fi + ;; + status) + status $SSHD + RETVAL=$? + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}" + RETVAL=1 +esac +exit $RETVAL diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/sshd.init.old openssh-4.2p1/contrib/redhat/sshd.init.old --- ssh-openbsd-2005090100/contrib/redhat/sshd.init.old Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/sshd.init.old Fri May 10 12:19:23 2002 @@ -0,0 +1,172 @@ +#!/bin/bash +# +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + +RETVAL=0 +prog="sshd" + +# Some functions to make the below more readable +KEYGEN=/usr/bin/ssh-keygen +SSHD=/usr/sbin/sshd +RSA1_KEY=/etc/ssh/ssh_host_key +RSA_KEY=/etc/ssh/ssh_host_rsa_key +DSA_KEY=/etc/ssh/ssh_host_dsa_key +PID_FILE=/var/run/sshd.pid + +my_success() { + local msg + if [ $# -gt 1 ]; then + msg="$2" + else + msg="done" + fi + case "`type -type success`" in + function) + success "$1" + ;; + *) + echo -n "${msg}" + ;; + esac +} +my_failure() { + local msg + if [ $# -gt 1 ]; then + msg="$2" + else + msg="FAILED" + fi + case "`type -type failure`" in + function) + failure "$1" + ;; + *) + echo -n "${msg}" + ;; + esac +} +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY ]; then + echo -n "Generating SSH1 RSA host key: " + if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + my_success "RSA1 key generation" + echo + else + my_failure "RSA1 key generation" + echo + exit 1 + fi + fi +} +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + echo -n "Generating SSH2 RSA host key: " + if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + my_success "RSA key generation" + echo + else + my_failure "RSA key generation" + echo + exit 1 + fi + fi +} +do_dsa_keygen() { + if [ ! -s $DSA_KEY ]; then + echo -n "Generating SSH2 DSA host key: " + if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + my_success "DSA key generation" + echo + else + my_failure "DSA key generation" + echo + exit 1 + fi + fi +} +do_restart_sanity_check() { + $SSHD -t + RETVAL=$? + if [ ! "$RETVAL" = 0 ]; then + my_failure "Configuration file or keys" + echo + fi +} + + +case "$1" in + start) + # Create keys if necessary + do_rsa1_keygen; + do_rsa_keygen; + do_dsa_keygen; + + echo -n "Starting sshd: " + if [ ! -f $PID_FILE ] ; then + sshd $OPTIONS + RETVAL=$? + if [ "$RETVAL" = "0" ] ; then + my_success "sshd startup" "sshd" + touch /var/lock/subsys/sshd + else + my_failure "sshd startup" "" + fi + fi + echo + ;; + stop) + echo -n "Shutting down sshd: " + if [ -f $PID_FILE ] ; then + killproc sshd + RETVAL=$? + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd + fi + echo + ;; + restart) + do_restart_sanity_check + $0 stop + $0 start + RETVAL=$? + ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + do_restart_sanity_check + $0 stop + $0 start + RETVAL=$? + fi + ;; + status) + status sshd + RETVAL=$? + ;; + *) + echo "Usage: sshd {start|stop|restart|status|condrestart}" + exit 1 + ;; +esac + +exit $RETVAL diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/sshd.pam openssh-4.2p1/contrib/redhat/sshd.pam --- ssh-openbsd-2005090100/contrib/redhat/sshd.pam Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/sshd.pam Wed Jul 21 11:01:41 2004 @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_stack.so service=system-auth +auth required pam_nologin.so +account required pam_stack.so service=system-auth +password required pam_stack.so service=system-auth +session required pam_stack.so service=system-auth diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/redhat/sshd.pam.old openssh-4.2p1/contrib/redhat/sshd.pam.old --- ssh-openbsd-2005090100/contrib/redhat/sshd.pam.old Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/redhat/sshd.pam.old Fri May 10 12:19:24 2002 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/solaris/README openssh-4.2p1/contrib/solaris/README --- ssh-openbsd-2005090100/contrib/solaris/README Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/solaris/README Sun Jun 20 12:31:07 2004 @@ -0,0 +1,30 @@ +The following is a new package build script for Solaris. This is being +introduced into OpenSSH 3.0 and above in hopes of simplifying the build +process. As of 3.1p2 the script should work on all platforms that have +SVR4 style package tools. + +The build process is called a 'dummy install'.. Which means the software does +a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should +be handled correctly and key are defered until the first time the sshd +is started. + +Directions: + +1. make -F Makefile.in distprep (Only if you are getting from the CVS tree) +2. ./configure --with-pam [..any other options you want..] +3. look at the top of buildpkg.sh for the configurable options and put + any changes you want in openssh-config.local. Additional customizations + can be done to the build process by creating one or more of the following + scripts that will be sourced by buildpkg.sh. + pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh + pkg-preinstall.local pkg-postinstall.local pkg-preremove.local + pkg-postremove.local pkg-request.local +4. Run "make package" + +If all goes well you should have a solaris package ready to be installed. + +If you have any problems with this script please post them to +openssh-unix-dev@mindrot.org and I will try to assist you as best as I can. + +- Ben Lindstrom + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/ssh-copy-id openssh-4.2p1/contrib/ssh-copy-id --- ssh-openbsd-2005090100/contrib/ssh-copy-id Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/ssh-copy-id Mon Aug 30 21:33:02 2004 @@ -0,0 +1,50 @@ +#!/bin/sh + +# Shell script to install your identity.pub on a remote machine +# Takes the remote machine name as an argument. +# Obviously, the remote machine must accept password authentication, +# or one of the other keys in your ssh-agent, for this to work. + +ID_FILE="${HOME}/.ssh/identity.pub" + +if [ "-i" = "$1" ]; then + shift + # check if we have 2 parameters left, if so the first is the new ID file + if [ -n "$2" ]; then + if expr "$1" : ".*\.pub" ; then + ID_FILE="$1" + else + ID_FILE="$1.pub" + fi + shift # and this should leave $1 as the target name + fi +else + if [ x$SSH_AUTH_SOCK != x ] ; then + GET_ID="$GET_ID ssh-add -L" + fi +fi + +if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then + GET_ID="cat ${ID_FILE}" +fi + +if [ -z "`eval $GET_ID`" ]; then + echo "$0: ERROR: No identities found" >&2 + exit 1 +fi + +if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 + exit 1 +fi + +{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 + +cat < + +Permission is granted to make and distribute verbatim copies of +this manual provided the copyright notice and this permission notice +are preserved on all copies. + +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. + +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the Free Software Foundation instead of in +the original English. +.. +.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" +.SH NAME +ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys +.SH SYNOPSIS +.B ssh-copy-id [-i [identity_file]] +.I "[user@]machine" +.br +.SH DESCRIPTION +.BR ssh-copy-id +is a script that uses ssh to log into a remote machine (presumably +using a login password, so password authentication should be enabled, +unless you've done some clever use of multiple identities) +.PP +It also changes the permissions of the remote user's home, +.BR ~/.ssh , +and +.B ~/.ssh/authorized_keys +to remove group writability (which would otherwise prevent you from logging in, if the remote +.B sshd +has +.B StrictModes +set in its configuration). +.PP +If the +.B -i +option is given then the identity file (defaults to +.BR ~/.ssh/identity.pub ) +is used, regardless of whether there are any keys in your +.BR ssh-agent . +Otherwise, if this: +.PP +.B " ssh-add -L" +.PP +provides any output, it uses that in preference to the identity file. +.PP +If the +.B -i +option is used, or the +.B ssh-add +produced no output, then it uses the contents of the identity +file. Once it has one or more fingerprints (by whatever means) it +uses ssh to append them to +.B ~/.ssh/authorized_keys +on the remote machine (creating the file, and directory, if necessary) + +.SH "SEE ALSO" +.BR ssh (1), +.BR ssh-agent (1), +.BR sshd (8) diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/sshd.pam.freebsd openssh-4.2p1/contrib/sshd.pam.freebsd --- ssh-openbsd-2005090100/contrib/sshd.pam.freebsd Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/sshd.pam.freebsd Wed Mar 15 12:25:06 2000 @@ -0,0 +1,5 @@ +sshd auth required pam_unix.so try_first_pass +sshd account required pam_unix.so +sshd password required pam_permit.so +sshd session required pam_permit.so + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/sshd.pam.generic openssh-4.2p1/contrib/sshd.pam.generic --- ssh-openbsd-2005090100/contrib/sshd.pam.generic Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/sshd.pam.generic Wed Mar 15 12:25:06 2000 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_unix.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_unix.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_unix.so shadow nullok use_authtok +session required /lib/security/pam_unix.so +session required /lib/security/pam_limits.so diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/suse/openssh.spec openssh-4.2p1/contrib/suse/openssh.spec --- ssh-openbsd-2005090100/contrib/suse/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/suse/openssh.spec Thu Sep 1 19:10:50 2005 @@ -0,0 +1,199 @@ +Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation +Name: openssh +Version: 4.2p1 +URL: http://www.openssh.com/ +Release: 1 +Source0: openssh-%{version}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot +PreReq: openssl +Obsoletes: ssh +# +# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) +# building prerequisites -- stuff for +# OpenSSL (openssl-devel), +# TCP Wrappers (nkitb), +# and Gnome (glibdev, gtkdev, and gnlibsd) +# +BuildPrereq: openssl +BuildPrereq: nkitb +BuildPrereq: glibdev +BuildPrereq: gtkdev +BuildPrereq: gnlibsd + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes all files necessary for both the OpenSSH +client and server. Additionally, this package contains the GNOME +passphrase dialog. + +%changelog +* Mon Jun 12 2000 Damien Miller +- Glob manpages to catch compressed files +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build +* Sun Dec 26 1999 Chris Saia +- Made symlink to gnome-ssh-askpass called ssh-askpass +* Wed Nov 24 1999 Chris Saia +- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and + /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into + his released tarfile +- Changed permissions on ssh_config in the install procedure to 644 from 600 + even though it was correct in the %files section and thus right in the RPMs +- Postinstall script for the server now only prints "Generating SSH host + key..." if we need to actually do this, in order to eliminate a confusing + message if an SSH host key is already in place +- Marked all manual pages as %doc(umentation) +* Mon Nov 22 1999 Chris Saia +- Added flag to configure daemon with TCP Wrappers support +- Added building prerequisites (works in RPM 3.0 and newer) +* Thu Nov 18 1999 Chris Saia +- Made this package correct for SuSE. +- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly + with SuSE, and lib_pwdb.so isn't installed by default. +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup -q + +%build +CFLAGS="$RPM_OPT_FLAGS" \ +./configure --prefix=/usr \ + --sysconfdir=/etc/ssh \ + --datadir=/usr/share/openssh \ + --with-pam \ + --with-gnome-askpass \ + --with-tcp-wrappers \ + --with-ipv4-default \ + --libexecdir=/usr/lib/ssh +make + +cd contrib +gcc -O -g `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` +cd .. + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT/ +install -d $RPM_BUILD_ROOT/etc/ssh/ +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/sbin/init.d/ +install -d $RPM_BUILD_ROOT/var/adm/fillup-templates +install -d $RPM_BUILD_ROOT/usr/lib/ssh +install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd +ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass +ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass +install -m744 contrib/suse/rc.config.sshd \ + $RPM_BUILD_ROOT/var/adm/fillup-templates + +%clean +rm -rf $RPM_BUILD_ROOT + +%post +if [ "$1" = 1 ]; then + echo "Creating SSH stop/start scripts in the rc directories..." + ln -s ../sshd /sbin/init.d/rc2.d/K20sshd + ln -s ../sshd /sbin/init.d/rc2.d/S20sshd + ln -s ../sshd /sbin/init.d/rc3.d/K20sshd + ln -s ../sshd /sbin/init.d/rc3.d/S20sshd +fi +echo "Updating /etc/rc.config..." +if [ -x /bin/fillup ] ; then + /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd +else + echo "ERROR: fillup not found. This should NOT happen in SuSE Linux." + echo "Update /etc/rc.config by hand from the following template file:" + echo " /var/adm/fillup-templates/rc.config.sshd" +fi +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + echo "Generating SSH host key..." + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then + echo "Generating SSH DSA host key..." + /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + echo "Restarting the running SSH daemon..." + /usr/sbin/rcsshd restart >&2 +fi + +%preun +if [ "$1" = 0 ] +then + echo "Stopping the SSH daemon..." + /usr/sbin/rcsshd stop >&2 + echo "Removing SSH stop/start scripts from the rc directories..." + rm /sbin/init.d/rc2.d/K20sshd + rm /sbin/init.d/rc2.d/S20sshd + rm /sbin/init.d/rc3.d/K20sshd + rm /sbin/init.d/rc3.d/S20sshd +fi + +%files +%defattr(-,root,root) +%doc ChangeLog OVERVIEW README* +%doc RFC.nroff TODO CREDITS LICENCE +%attr(0755,root,root) %dir /etc/ssh +%attr(0644,root,root) %config /etc/ssh/ssh_config +%attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0600,root,root) %config /etc/ssh/moduli +%attr(0644,root,root) %config /etc/pam.d/sshd +%attr(0755,root,root) %config /sbin/init.d/sshd +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/scp +%attr(4755,root,root) /usr/bin/ssh +%attr(-,root,root) /usr/bin/slogin +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0755,root,root) /usr/bin/ssh-keyscan +%attr(0755,root,root) /usr/bin/sftp +%attr(0755,root,root) /usr/sbin/sshd +%attr(-,root,root) /usr/sbin/rcsshd +%attr(0755,root,root) %dir /usr/lib/ssh +%attr(0755,root,root) /usr/lib/ssh/ssh-askpass +%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass +%attr(0644,root,root) %doc /usr/man/man1/scp.1* +%attr(0644,root,root) %doc /usr/man/man1/ssh.1* +%attr(-,root,root) %doc /usr/man/man1/slogin.1* +%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1* +%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1* +%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1* +%attr(0644,root,root) %doc /usr/man/man8/sshd.8* +%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/suse/rc.config.sshd openssh-4.2p1/contrib/suse/rc.config.sshd --- ssh-openbsd-2005090100/contrib/suse/rc.config.sshd Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/suse/rc.config.sshd Wed Mar 15 12:25:07 2000 @@ -0,0 +1,5 @@ +# +# Start the Secure Shell (SSH) Daemon? +# +START_SSHD="yes" + diff -ruN --exclude CVS ssh-openbsd-2005090100/contrib/suse/rc.sshd openssh-4.2p1/contrib/suse/rc.sshd --- ssh-openbsd-2005090100/contrib/suse/rc.sshd Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/contrib/suse/rc.sshd Wed Mar 15 12:25:07 2000 @@ -0,0 +1,80 @@ +#! /bin/sh +# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany. +# +# Author: Chris Saia +# +# /sbin/init.d/sshd +# +# and symbolic its link +# +# /sbin/rcsshd +# + +. /etc/rc.config + +# Determine the base and follow a runlevel link name. +base=${0##*/} +link=${base#*[SK][0-9][0-9]} + +# Force execution if not called by a runlevel directory. +test $link = $base && START_SSHD=yes +test "$START_SSHD" = yes || exit 0 + +# The echo return value for success (defined in /etc/rc.config). +return=$rc_done +case "$1" in + start) + echo -n "Starting service sshd" + ## Start daemon with startproc(8). If this fails + ## the echo return value is set appropriate. + + startproc /usr/sbin/sshd || return=$rc_failed + + echo -e "$return" + ;; + stop) + echo -n "Stopping service sshd" + ## Stop daemon with killproc(8) and if this fails + ## set echo the echo return value. + + killproc -TERM /usr/sbin/sshd || return=$rc_failed + + echo -e "$return" + ;; + restart) + ## If first returns OK call the second, if first or + ## second command fails, set echo return value. + $0 stop && $0 start || return=$rc_failed + ;; + reload) + ## Choose ONE of the following two cases: + + ## First possibility: A few services accepts a signal + ## to reread the (changed) configuration. + + echo -n "Reload service sshd" + killproc -HUP /usr/sbin/sshd || return=$rc_failed + echo -e "$return" + ;; + status) + echo -n "Checking for service sshd" + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + checkproc /usr/sbin/sshd && echo OK || echo No process + ;; + probe) + ## Optional: Probe for the necessity of a reload, + ## give out the argument which is required for a reload. + + test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|restart|reload[|probe]}" + exit 1 + ;; +esac + +# Inform the caller not only verbosely and set an exit status. +test "$return" = "$rc_done" || exit 1 +exit 0 diff -ruN --exclude CVS ssh-openbsd-2005090100/crc32.c openssh-4.2p1/crc32.c --- ssh-openbsd-2005090100/crc32.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/crc32.c Tue Feb 25 10:22:36 2003 @@ -23,8 +23,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -#include +#include "includes.h" #include "crc32.h" static const u_int32_t crc32tab[] = { diff -ruN --exclude CVS ssh-openbsd-2005090100/defines.h openssh-4.2p1/defines.h --- ssh-openbsd-2005090100/defines.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/defines.h Thu Sep 1 02:59:49 2005 @@ -0,0 +1,714 @@ +/* + * Copyright (c) 1999-2003 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _DEFINES_H +#define _DEFINES_H + +/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */ + + +/* Constants */ + +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ + SHUT_WR, /* No more transmissions. */ + SHUT_RDWR /* No more receptions or transmissions. */ +}; +# define SHUT_RD SHUT_RD +# define SHUT_WR SHUT_WR +# define SHUT_RDWR SHUT_RDWR +#endif + +#ifndef IPTOS_LOWDELAY +# define IPTOS_LOWDELAY 0x10 +# define IPTOS_THROUGHPUT 0x08 +# define IPTOS_RELIABILITY 0x04 +# define IPTOS_LOWCOST 0x02 +# define IPTOS_MINCOST IPTOS_LOWCOST +#endif /* IPTOS_LOWDELAY */ + +#ifndef MAXPATHLEN +# ifdef PATH_MAX +# define MAXPATHLEN PATH_MAX +# else /* PATH_MAX */ +# define MAXPATHLEN 64 +/* realpath uses a fixed buffer of size MAXPATHLEN, so force use of ours */ +# ifndef BROKEN_REALPATH +# define BROKEN_REALPATH 1 +# endif /* BROKEN_REALPATH */ +# endif /* PATH_MAX */ +#endif /* MAXPATHLEN */ + +#ifndef PATH_MAX +# ifdef _POSIX_PATH_MAX +# define PATH_MAX _POSIX_PATH_MAX +# endif +#endif + +#ifndef MAXSYMLINKS +# define MAXSYMLINKS 5 +#endif + +#ifndef STDIN_FILENO +# define STDIN_FILENO 0 +#endif +#ifndef STDOUT_FILENO +# define STDOUT_FILENO 1 +#endif +#ifndef STDERR_FILENO +# define STDERR_FILENO 2 +#endif + +#ifndef NGROUPS_MAX /* Disable groupaccess if NGROUP_MAX is not set */ +#ifdef NGROUPS +#define NGROUPS_MAX NGROUPS +#else +#define NGROUPS_MAX 0 +#endif +#endif + +#ifndef O_NONBLOCK /* Non Blocking Open */ +# define O_NONBLOCK 00004 +#endif + +#ifndef S_ISDIR +# define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR)) +#endif /* S_ISDIR */ + +#ifndef S_ISREG +# define S_ISREG(mode) (((mode) & (_S_IFMT)) == (_S_IFREG)) +#endif /* S_ISREG */ + +#ifndef S_ISLNK +# define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK) +#endif /* S_ISLNK */ + +#ifndef S_IXUSR +# define S_IXUSR 0000100 /* execute/search permission, */ +# define S_IXGRP 0000010 /* execute/search permission, */ +# define S_IXOTH 0000001 /* execute/search permission, */ +# define _S_IWUSR 0000200 /* write permission, */ +# define S_IWUSR _S_IWUSR /* write permission, owner */ +# define S_IWGRP 0000020 /* write permission, group */ +# define S_IWOTH 0000002 /* write permission, other */ +# define S_IRUSR 0000400 /* read permission, owner */ +# define S_IRGRP 0000040 /* read permission, group */ +# define S_IROTH 0000004 /* read permission, other */ +# define S_IRWXU 0000700 /* read, write, execute */ +# define S_IRWXG 0000070 /* read, write, execute */ +# define S_IRWXO 0000007 /* read, write, execute */ +#endif /* S_IXUSR */ + +#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) +#define MAP_ANON MAP_ANONYMOUS +#endif + +#ifndef MAP_FAILED +# define MAP_FAILED ((void *)-1) +#endif + +/* *-*-nto-qnx doesn't define this constant in the system headers */ +#ifdef MISSING_NFDBITS +# define NFDBITS (8 * sizeof(unsigned long)) +#endif + +/* +SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but +including rpc/rpc.h breaks Solaris 6 +*/ +#ifndef INADDR_LOOPBACK +#define INADDR_LOOPBACK ((u_long)0x7f000001) +#endif + +#ifndef __unused +#define __unused +#endif + +/* Types */ + +/* If sys/types.h does not supply intXX_t, supply them ourselves */ +/* (or die trying) */ + + +#ifndef HAVE_U_INT +typedef unsigned int u_int; +#endif + +#ifndef HAVE_INTXX_T +# if (SIZEOF_CHAR == 1) +typedef char int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef short int int16_t; +# else +# ifdef _UNICOS +# if (SIZEOF_SHORT_INT == 4) +typedef short int16_t; +# else +typedef long int16_t; +# endif +# else +# error "16 bit int type not found." +# endif /* _UNICOS */ +# endif +# if (SIZEOF_INT == 4) +typedef int int32_t; +# else +# ifdef _UNICOS +typedef long int32_t; +# else +# error "32 bit int type not found." +# endif /* _UNICOS */ +# endif +#endif + +/* If sys/types.h does not supply u_intXX_t, supply them ourselves */ +#ifndef HAVE_U_INTXX_T +# ifdef HAVE_UINTXX_T +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +# define HAVE_U_INTXX_T 1 +# else +# if (SIZEOF_CHAR == 1) +typedef unsigned char u_int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef unsigned short int u_int16_t; +# else +# ifdef _UNICOS +# if (SIZEOF_SHORT_INT == 4) +typedef unsigned short u_int16_t; +# else +typedef unsigned long u_int16_t; +# endif +# else +# error "16 bit int type not found." +# endif +# endif +# if (SIZEOF_INT == 4) +typedef unsigned int u_int32_t; +# else +# ifdef _UNICOS +typedef unsigned long u_int32_t; +# else +# error "32 bit int type not found." +# endif +# endif +# endif +#define __BIT_TYPES_DEFINED__ +#endif + +/* 64-bit types */ +#ifndef HAVE_INT64_T +# if (SIZEOF_LONG_INT == 8) +typedef long int int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef long long int int64_t; +# endif +# endif +#endif +#ifndef HAVE_U_INT64_T +# if (SIZEOF_LONG_INT == 8) +typedef unsigned long int u_int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef unsigned long long int u_int64_t; +# endif +# endif +#endif + +#ifndef HAVE_U_CHAR +typedef unsigned char u_char; +# define HAVE_U_CHAR +#endif /* HAVE_U_CHAR */ + +#ifndef SIZE_T_MAX +#define SIZE_T_MAX ULONG_MAX +#endif /* SIZE_T_MAX */ + +#ifndef HAVE_SIZE_T +typedef unsigned int size_t; +# define HAVE_SIZE_T +# define SIZE_T_MAX UINT_MAX +#endif /* HAVE_SIZE_T */ + +#ifndef HAVE_SSIZE_T +typedef int ssize_t; +# define HAVE_SSIZE_T +#endif /* HAVE_SSIZE_T */ + +#ifndef HAVE_CLOCK_T +typedef long clock_t; +# define HAVE_CLOCK_T +#endif /* HAVE_CLOCK_T */ + +#ifndef HAVE_SA_FAMILY_T +typedef int sa_family_t; +# define HAVE_SA_FAMILY_T +#endif /* HAVE_SA_FAMILY_T */ + +#ifndef HAVE_PID_T +typedef int pid_t; +# define HAVE_PID_T +#endif /* HAVE_PID_T */ + +#ifndef HAVE_SIG_ATOMIC_T +typedef int sig_atomic_t; +# define HAVE_SIG_ATOMIC_T +#endif /* HAVE_SIG_ATOMIC_T */ + +#ifndef HAVE_MODE_T +typedef int mode_t; +# define HAVE_MODE_T +#endif /* HAVE_MODE_T */ + +#if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS) +# define ss_family __ss_family +#endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */ + +#ifndef HAVE_SYS_UN_H +struct sockaddr_un { + short sun_family; /* AF_UNIX */ + char sun_path[108]; /* path name (gag) */ +}; +#endif /* HAVE_SYS_UN_H */ + +#ifndef HAVE_IN_ADDR_T +typedef u_int32_t in_addr_t; +#endif + +#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE) +#define _STRUCT_WINSIZE +struct winsize { + unsigned short ws_row; /* rows, in characters */ + unsigned short ws_col; /* columns, in character */ + unsigned short ws_xpixel; /* horizontal size, pixels */ + unsigned short ws_ypixel; /* vertical size, pixels */ +}; +#endif + +/* *-*-nto-qnx does not define this type in the system headers */ +#ifdef MISSING_FD_MASK + typedef unsigned long int fd_mask; +#endif + +/* Paths */ + +#ifndef _PATH_BSHELL +# define _PATH_BSHELL "/bin/sh" +#endif +#ifndef _PATH_CSHELL +# define _PATH_CSHELL "/bin/csh" +#endif +#ifndef _PATH_SHELLS +# define _PATH_SHELLS "/etc/shells" +#endif + +#ifdef USER_PATH +# ifdef _PATH_STDPATH +# undef _PATH_STDPATH +# endif +# define _PATH_STDPATH USER_PATH +#endif + +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +#endif + +#ifndef SUPERUSER_PATH +# define SUPERUSER_PATH _PATH_STDPATH +#endif + +#ifndef _PATH_DEVNULL +# define _PATH_DEVNULL "/dev/null" +#endif + +#ifndef MAIL_DIRECTORY +# define MAIL_DIRECTORY "/var/spool/mail" +#endif + +#ifndef MAILDIR +# define MAILDIR MAIL_DIRECTORY +#endif + +#if !defined(_PATH_MAILDIR) && defined(MAILDIR) +# define _PATH_MAILDIR MAILDIR +#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ + +#ifndef _PATH_NOLOGIN +# define _PATH_NOLOGIN "/etc/nologin" +#endif + +/* Define this to be the path of the xauth program. */ +#ifdef XAUTH_PATH +#define _PATH_XAUTH XAUTH_PATH +#endif /* XAUTH_PATH */ + +/* derived from XF4/xc/lib/dps/Xlibnet.h */ +#ifndef X_UNIX_PATH +# ifdef __hpux +# define X_UNIX_PATH "/var/spool/sockets/X11/%u" +# else +# define X_UNIX_PATH "/tmp/.X11-unix/X%u" +# endif +#endif /* X_UNIX_PATH */ +#define _PATH_UNIX_X X_UNIX_PATH + +#ifndef _PATH_TTY +# define _PATH_TTY "/dev/tty" +#endif + +/* Macros */ + +#if defined(HAVE_LOGIN_GETCAPBOOL) && defined(HAVE_LOGIN_CAP_H) +# define HAVE_LOGIN_CAP +#endif + +#ifndef MAX +# define MAX(a,b) (((a)>(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +#ifndef roundup +# define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) +#endif + +#ifndef timersub +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#ifndef TIMEVAL_TO_TIMESPEC +#define TIMEVAL_TO_TIMESPEC(tv, ts) { \ + (ts)->tv_sec = (tv)->tv_sec; \ + (ts)->tv_nsec = (tv)->tv_usec * 1000; \ +} +#endif + +#ifndef TIMESPEC_TO_TIMEVAL +#define TIMESPEC_TO_TIMEVAL(tv, ts) { \ + (tv)->tv_sec = (ts)->tv_sec; \ + (tv)->tv_usec = (ts)->tv_nsec / 1000; \ +} +#endif + +#ifndef __P +# define __P(x) x +#endif + +#if !defined(IN6_IS_ADDR_V4MAPPED) +# define IN6_IS_ADDR_V4MAPPED(a) \ + ((((u_int32_t *) (a))[0] == 0) && (((u_int32_t *) (a))[1] == 0) && \ + (((u_int32_t *) (a))[2] == htonl (0xffff))) +#endif /* !defined(IN6_IS_ADDR_V4MAPPED) */ + +#if !defined(__GNUC__) || (__GNUC__ < 2) +# define __attribute__(x) +#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ + +#ifndef __dead +# define __dead __attribute__((noreturn)) +#endif + +#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__) +# define __sentinel__ +#endif + +/* *-*-nto-qnx doesn't define this macro in the system headers */ +#ifdef MISSING_HOWMANY +# define howmany(x,y) (((x)+((y)-1))/(y)) +#endif + +#ifndef OSSH_ALIGNBYTES +#define OSSH_ALIGNBYTES (sizeof(int) - 1) +#endif +#ifndef __CMSG_ALIGN +#define __CMSG_ALIGN(p) (((u_int)(p) + OSSH_ALIGNBYTES) &~ OSSH_ALIGNBYTES) +#endif + +/* Length of the contents of a control message of length len */ +#ifndef CMSG_LEN +#define CMSG_LEN(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + (len)) +#endif + +/* Length of the space taken up by a padded control message of length len */ +#ifndef CMSG_SPACE +#define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len)) +#endif + +/* given pointer to struct cmsghdr, return pointer to data */ +#ifndef CMSG_DATA +#define CMSG_DATA(cmsg) ((u_char *)(cmsg) + __CMSG_ALIGN(sizeof(struct cmsghdr))) +#endif /* CMSG_DATA */ + +/* + * RFC 2292 requires to check msg_controllen, in case that the kernel returns + * an empty list for some reasons. + */ +#ifndef CMSG_FIRSTHDR +#define CMSG_FIRSTHDR(mhdr) \ + ((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \ + (struct cmsghdr *)(mhdr)->msg_control : \ + (struct cmsghdr *)NULL) +#endif /* CMSG_FIRSTHDR */ + +#ifndef offsetof +# define offsetof(type, member) ((size_t) &((type *)0)->member) +#endif + +/* Function replacement / compatibility hacks */ + +#if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO)) +# define HAVE_GETADDRINFO +#endif + +#ifndef HAVE_GETOPT_OPTRESET +# undef getopt +# undef opterr +# undef optind +# undef optopt +# undef optreset +# undef optarg +# define getopt(ac, av, o) BSDgetopt(ac, av, o) +# define opterr BSDopterr +# define optind BSDoptind +# define optopt BSDoptopt +# define optreset BSDoptreset +# define optarg BSDoptarg +#endif + +/* In older versions of libpam, pam_strerror takes a single argument */ +#ifdef HAVE_OLD_PAM +# define PAM_STRERROR(a,b) pam_strerror((b)) +#else +# define PAM_STRERROR(a,b) pam_strerror((a),(b)) +#endif + +#ifdef PAM_SUN_CODEBASE +# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member) +#else +# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member) +#endif + +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) +# undef HAVE_GETADDRINFO +#endif +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_FREEADDRINFO) +# undef HAVE_FREEADDRINFO +#endif +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GAI_STRERROR) +# undef HAVE_GAI_STRERROR +#endif + +#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX) +# undef HAVE_UPDWTMPX +#endif + +#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) +# define memmove(s1, s2, n) bcopy((s2), (s1), (n)) +#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ + +#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) +# define USE_VHANGUP +#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */ + +#ifndef GETPGRP_VOID +# define getpgrp() getpgrp(0) +#endif + +#ifdef USE_BSM_AUDIT +# define SSH_AUDIT_EVENTS +# define CUSTOM_SSH_AUDIT_EVENTS +#endif + +/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */ +#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f) +# define OPENSSL_free(x) Free(x) +#endif + +#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) +# define __func__ __FUNCTION__ +#elif !defined(HAVE___func__) +# define __func__ "" +#endif + +#if defined(KRB5) && !defined(HEIMDAL) +# define krb5_get_err_text(context,code) error_message(code) +#endif + +#if defined(SKEYCHALLENGE_4ARG) +# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d) +#else +# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c) +#endif + +/* Maximum number of file descriptors available */ +#ifdef HAVE_SYSCONF +# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX) +#else +# define SSH_SYSFDMAX 10000 +#endif + +#if defined(__Lynx__) + /* + * LynxOS defines these in param.h which we do not want to include since + * it will also pull in a bunch of kernel definitions. + */ +# define ALIGNBYTES (sizeof(int) - 1) +# define ALIGN(p) (((unsigned)p + ALIGNBYTES) & ~ALIGNBYTES) + /* Missing prototypes on LynxOS */ + int snprintf (char *, size_t, const char *, ...); + int mkstemp (char *); + char *crypt (const char *, const char *); + int seteuid (uid_t); + int setegid (gid_t); + char *mkdtemp (char *); + int rresvport_af (int *, sa_family_t); + int innetgr (const char *, const char *, const char *, const char *); +#endif + +/* + * Define this to use pipes instead of socketpairs for communicating with the + * client program. Socketpairs do not seem to work on all systems. + * + * configure.ac sets this for a few OS's which are known to have problems + * but you may need to set it yourself + */ +/* #define USE_PIPES 1 */ + +/** + ** login recorder definitions + **/ + +/* FIXME: put default paths back in */ +#ifndef UTMP_FILE +# ifdef _PATH_UTMP +# define UTMP_FILE _PATH_UTMP +# else +# ifdef CONF_UTMP_FILE +# define UTMP_FILE CONF_UTMP_FILE +# endif +# endif +#endif +#ifndef WTMP_FILE +# ifdef _PATH_WTMP +# define WTMP_FILE _PATH_WTMP +# else +# ifdef CONF_WTMP_FILE +# define WTMP_FILE CONF_WTMP_FILE +# endif +# endif +#endif +/* pick up the user's location for lastlog if given */ +#ifndef LASTLOG_FILE +# ifdef _PATH_LASTLOG +# define LASTLOG_FILE _PATH_LASTLOG +# else +# ifdef CONF_LASTLOG_FILE +# define LASTLOG_FILE CONF_LASTLOG_FILE +# endif +# endif +#endif + +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# define USE_SHADOW +#endif + +/* The login() library function in libutil is first choice */ +#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN) +# define USE_LOGIN + +#else +/* Simply select your favourite login types. */ +/* Can't do if-else because some systems use several... */ +# if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX) +# define USE_UTMPX +# endif +# if defined(UTMP_FILE) && !defined(DISABLE_UTMP) +# define USE_UTMP +# endif +# if defined(WTMPX_FILE) && !defined(DISABLE_WTMPX) +# define USE_WTMPX +# endif +# if defined(WTMP_FILE) && !defined(DISABLE_WTMP) +# define USE_WTMP +# endif + +#endif + +#ifndef UT_LINESIZE +# define UT_LINESIZE 8 +#endif + +/* I hope that the presence of LASTLOG_FILE is enough to detect this */ +#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG) +# define USE_LASTLOG +#endif + +#ifdef HAVE_OSF_SIA +# ifdef USE_SHADOW +# undef USE_SHADOW +# endif +# define CUSTOM_SYS_AUTH_PASSWD 1 +#endif + +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) +# define CUSTOM_SYS_AUTH_PASSWD 1 +#endif + +/* HP-UX 11.11 */ +#ifdef BTMP_FILE +# define _PATH_BTMP BTMP_FILE +#endif + +#if defined(USE_BTMP) && defined(_PATH_BTMP) +# define CUSTOM_FAILED_LOGIN +#endif + +/** end of login recorder definitions */ + +#ifdef BROKEN_GETGROUPS +# define getgroups(a,b) ((a)==0 && (b)==NULL ? NGROUPS_MAX : getgroups((a),(b))) +#endif + +#if defined(HAVE_MMAP) && defined(BROKEN_MMAP) +# undef HAVE_MMAP +#endif + +#endif /* _DEFINES_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/entropy.c openssh-4.2p1/entropy.c --- ssh-openbsd-2005090100/entropy.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/entropy.c Sun Jul 17 17:26:44 2005 @@ -0,0 +1,154 @@ +/* + * Copyright (c) 2001 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include +#include + +#include "ssh.h" +#include "misc.h" +#include "xmalloc.h" +#include "atomicio.h" +#include "pathnames.h" +#include "log.h" + +/* + * Portable OpenSSH PRNG seeding: + * If OpenSSL has not "internally seeded" itself (e.g. pulled data from + * /dev/random), then we execute a "ssh-rand-helper" program which + * collects entropy and writes it to stdout. The child program must + * write at least RANDOM_SEED_SIZE bytes. The child is run with stderr + * attached, so error/debugging output should be visible. + * + * XXX: we should tell the child how many bytes we need. + */ + +RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $"); + +#ifndef OPENSSL_PRNG_ONLY +#define RANDOM_SEED_SIZE 48 +static uid_t original_uid, original_euid; +#endif + +void +seed_rng(void) +{ +#ifndef OPENSSL_PRNG_ONLY + int devnull; + int p[2]; + pid_t pid; + int ret; + unsigned char buf[RANDOM_SEED_SIZE]; + mysig_t old_sigchld; + + if (RAND_status() == 1) { + debug3("RNG is ready, skipping seeding"); + return; + } + + debug3("Seeding PRNG from %s", SSH_RAND_HELPER); + + if ((devnull = open("/dev/null", O_RDWR)) == -1) + fatal("Couldn't open /dev/null: %s", strerror(errno)); + if (pipe(p) == -1) + fatal("pipe: %s", strerror(errno)); + + old_sigchld = signal(SIGCHLD, SIG_DFL); + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + if (pid == 0) { + dup2(devnull, STDIN_FILENO); + dup2(p[1], STDOUT_FILENO); + /* Keep stderr open for errors */ + close(p[0]); + close(p[1]); + close(devnull); + + if (original_uid != original_euid && + ( seteuid(getuid()) == -1 || + setuid(original_uid) == -1) ) { + fprintf(stderr, "(rand child) setuid(%li): %s\n", + (long int)original_uid, strerror(errno)); + _exit(1); + } + + execl(SSH_RAND_HELPER, "ssh-rand-helper", NULL); + fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n", + SSH_RAND_HELPER, strerror(errno)); + _exit(1); + } + + close(devnull); + close(p[1]); + + memset(buf, '\0', sizeof(buf)); + ret = atomicio(read, p[0], buf, sizeof(buf)); + if (ret == -1) + fatal("Couldn't read from ssh-rand-helper: %s", + strerror(errno)); + if (ret != sizeof(buf)) + fatal("ssh-rand-helper child produced insufficient data"); + + close(p[0]); + + if (waitpid(pid, &ret, 0) == -1) + fatal("Couldn't wait for ssh-rand-helper completion: %s", + strerror(errno)); + signal(SIGCHLD, old_sigchld); + + /* We don't mind if the child exits upon a SIGPIPE */ + if (!WIFEXITED(ret) && + (!WIFSIGNALED(ret) || WTERMSIG(ret) != SIGPIPE)) + fatal("ssh-rand-helper terminated abnormally"); + if (WEXITSTATUS(ret) != 0) + fatal("ssh-rand-helper exit with exit status %d", ret); + + RAND_add(buf, sizeof(buf), sizeof(buf)); + memset(buf, '\0', sizeof(buf)); + +#endif /* OPENSSL_PRNG_ONLY */ + if (RAND_status() != 1) + fatal("PRNG is not seeded"); +} + +void +init_rng(void) +{ + /* + * OpenSSL version numbers: MNNFFPPS: major minor fix patch status + * We match major, minor, fix and status (not patch) + */ + if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) + fatal("OpenSSL version mismatch. Built against %lx, you " + "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); + +#ifndef OPENSSL_PRNG_ONLY + if ((original_uid = getuid()) == -1) + fatal("getuid: %s", strerror(errno)); + if ((original_euid = geteuid()) == -1) + fatal("geteuid: %s", strerror(errno)); +#endif +} + diff -ruN --exclude CVS ssh-openbsd-2005090100/entropy.h openssh-4.2p1/entropy.h --- ssh-openbsd-2005090100/entropy.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/entropy.h Fri Feb 9 12:55:36 2001 @@ -0,0 +1,33 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ + +#ifndef _RANDOMS_H +#define _RANDOMS_H + +void seed_rng(void); +void init_rng(void); + +#endif /* _RANDOMS_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/envpass.sh openssh-4.2p1/envpass.sh --- ssh-openbsd-2005090100/envpass.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/envpass.sh Wed Jun 16 20:08:56 2004 @@ -0,0 +1,44 @@ +# $OpenBSD: envpass.sh,v 1.1 2004/04/27 09:47:30 djm Exp $ +# Placed in the Public Domain. + +tid="environment passing" + +# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST) + +trace "pass env, don't accept" +verbose "test $tid: pass env, don't accept" +_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy otherhost \ + '[ -z "$_TEST_ENV" ]' +r=$? +if [ $r -ne 0 ]; then + fail "environment found" +fi + +trace "don't pass env, accept" +verbose "test $tid: don't pass env, accept" +${SSH} -F $OBJ/ssh_proxy otherhost \ + '[ -z "$_XXX_TEST_A" -a -z "$_XXX_TEST_B" ]' +r=$? +if [ $r -ne 0 ]; then + fail "environment found" +fi + +trace "pass single env, accept single env" +verbose "test $tid: pass single env, accept single env" +_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy otherhost \ + '[ "x$_XXX_TEST" = "xblah" ]' +r=$? +if [ $r -ne 0 ]; then + fail "environment not found" +fi + +trace "pass multiple env, accept multiple env" +verbose "test $tid: pass multiple env, accept multiple env" +_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \ + -F $OBJ/ssh_proxy otherhost \ + '[ "x$_XXX_TEST_A" = "x1" -a "x$_XXX_TEST_B" = "x2" ]' +r=$? +if [ $r -ne 0 ]; then + fail "environment not found" +fi + diff -ruN --exclude CVS ssh-openbsd-2005090100/fixpaths openssh-4.2p1/fixpaths --- ssh-openbsd-2005090100/fixpaths Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/fixpaths Thu Dec 5 20:59:33 2002 @@ -0,0 +1,22 @@ +#!/bin/sh +# +# fixpaths - substitute makefile variables into text files +# Usage: fixpaths -Dsomething=somethingelse ... + +die() { + echo $* + exit -1 +} + +test -n "`echo $1|grep -- -D`" || \ + die $0: nothing to do - no substitutions listed! + +test -n "`echo $1|grep -- '-D[^=]\+=[^ ]\+'`" || \ + die $0: error in command line arguments. + +test -n "`echo $*|grep -- ' [^-]'`" || \ + die Usage: $0 '[-Dstring=replacement] [[infile] ...]' + +sed `echo $*|sed -e 's/-D\([^=]\+\)=\([^ ]*\)/-e s=\1=\2=g/g'` + +exit 0 diff -ruN --exclude CVS ssh-openbsd-2005090100/fixprogs openssh-4.2p1/fixprogs --- ssh-openbsd-2005090100/fixprogs Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/fixprogs Fri Nov 21 23:48:55 2003 @@ -0,0 +1,72 @@ +#!/usr/bin/perl +# +# fixprogs - run through the list of entropy commands and +# score out the losers +# + +$entscale = 50; # divisor for optional entropy measurement + +sub usage { + return("Usage: $0 \n"); +} + +if (($#ARGV == -1) || ($#ARGV>1)) { + die(&usage); +} + +# 'undocumented' option - run ent (in second param) on the output +if ($#ARGV==1) { + $entcmd=$ARGV[1] +} else { + $entcmd = "" +}; + +$infilename = $ARGV[0]; + +if (!open(IN, "<".$infilename)) { + die("Couldn't open input file"); +} +$outfilename=$infilename.".out"; +if (!open(OUT, ">$outfilename")) { + die("Couldn't open output file $outfilename"); +} +@infile=; + +select(OUT); $|=1; select(STDOUT); + +foreach (@infile) { + if (/^\s*\#/ || /^\s*$/) { + print OUT; + next; + } + ($cmd, $path, $est) = /^\"([^\"]+)\"\s+([\w\/_-]+)\s+([\d\.\-]+)/o; + @args = split(/ /, $cmd); + if (! ($pid = fork())) { + # child + close STDIN; close STDOUT; close STDERR; + open (STDIN, "/dev/null"); + open (STDERR, ">/dev/null"); + exec $path @args; + exit 1; # shouldn't be here + } + # parent + waitpid ($pid, 0); $ret=$? >> 8; + + if ($ret != 0) { + $path = "undef"; + } else { + if ($entcmd ne "") { + # now try to run ent on the command + $mostargs=join(" ", splice(@args,1)); + print "Evaluating '$path $mostargs'\n"; + @ent = qx{$path $mostargs | $entcmd -b -t}; + @ent = grep(/^1,/, @ent); + ($null, $null, $rate) = split(/,/, $ent[0]); + $est = $rate / $entscale; # scale the estimate back + } + } + print OUT "\"$cmd\" $path $est\n"; +} + +close(IN); diff -ruN --exclude CVS ssh-openbsd-2005090100/groupaccess.c openssh-4.2p1/groupaccess.c --- ssh-openbsd-2005090100/groupaccess.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/groupaccess.c Tue Feb 24 13:05:12 2004 @@ -31,7 +31,7 @@ #include "log.h" static int ngroups; -static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */ +static char **groups_byname; /* * Initialize group access list for user with primary (base) and @@ -40,19 +40,27 @@ int ga_init(const char *user, gid_t base) { - gid_t groups_bygid[NGROUPS_MAX + 1]; + gid_t *groups_bygid; int i, j; struct group *gr; if (ngroups > 0) ga_free(); - ngroups = sizeof(groups_bygid) / sizeof(gid_t); + ngroups = NGROUPS_MAX; +#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) + ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX)); +#endif + + groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid)); + groups_byname = xmalloc(ngroups * sizeof(*groups_byname)); + if (getgrouplist(user, base, groups_bygid, &ngroups) == -1) logit("getgrouplist: groups list too small"); for (i = 0, j = 0; i < ngroups; i++) if ((gr = getgrgid(groups_bygid[i])) != NULL) groups_byname[j++] = xstrdup(gr->gr_name); + xfree(groups_bygid); return (ngroups = j); } @@ -84,5 +92,6 @@ for (i = 0; i < ngroups; i++) xfree(groups_byname[i]); ngroups = 0; + xfree(groups_byname); } } diff -ruN --exclude CVS ssh-openbsd-2005090100/gss-serv-krb5.c openssh-4.2p1/gss-serv-krb5.c --- ssh-openbsd-2005090100/gss-serv-krb5.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/gss-serv-krb5.c Thu Jul 7 20:33:36 2005 @@ -38,7 +38,15 @@ extern ServerOptions options; -#include +#ifdef HEIMDAL +# include +#else +# ifdef HAVE_GSSAPI_KRB5 +# include +# elif HAVE_GSSAPI_GSSAPI_KRB5 +# include +# endif +#endif static krb5_context krb_context = NULL; @@ -57,7 +65,6 @@ logit("Cannot initialize krb5 context"); return 0; } - krb5_init_ets(krb_context); return 1; } @@ -104,6 +111,7 @@ krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; + int len; if (client->creds == NULL) { debug("No credentials stored"); @@ -113,11 +121,19 @@ if (ssh_gssapi_krb5_init() == 0) return; +#ifdef HEIMDAL if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { logit("krb5_cc_gen_new(): %.100s", krb5_get_err_text(krb_context, problem)); return; } +#else + if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { + logit("ssh_krb5_cc_gen(): %.100s", + krb5_get_err_text(krb_context, problem)); + return; + } +#endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { @@ -146,7 +162,14 @@ client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); client->store.envvar = "KRB5CCNAME"; - client->store.envval = xstrdup(client->store.filename); + len = strlen(client->store.filename) + 6; + client->store.envval = xmalloc(len); + snprintf(client->store.envval, len, "FILE:%s", client->store.filename); + +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv(client->store.envvar, client->store.envval); +#endif krb5_cc_close(krb_context, ccache); diff -ruN --exclude CVS ssh-openbsd-2005090100/includes.h openssh-4.2p1/includes.h --- ssh-openbsd-2005090100/includes.h Sat Jul 16 11:31:00 2005 +++ openssh-4.2p1/includes.h Sat Aug 27 06:15:20 2005 @@ -19,49 +19,195 @@ #define RCSID(msg) \ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include "config.h" -#include -#include -#include -#include -#include -#include - -#include -#include +#include #include #include #include -#include +#include /* For O_NONBLOCK */ #include -#include #include #include #include #include #include -#include #include -#include #include +#include -#include "version.h" +#ifdef HAVE_LIMITS_H +# include /* For PATH_MAX */ +#endif +#ifdef HAVE_GETOPT_H +# include +#endif +#ifdef HAVE_BSTRING_H +# include +#endif +#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \ + defined(GLOB_HAS_GL_MATCHC) +# include +#endif +#ifdef HAVE_NETGROUP_H +# include +#endif +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_TTYENT_H +# include +#endif +#ifdef HAVE_UTIME_H +# include +#endif +#ifdef HAVE_MAILLOCK_H +# include /* For _PATH_MAILDIR */ +#endif +#ifdef HAVE_NEXT +# include +#endif +#define __USE_GNU /* before unistd.h, activate extra prototypes for glibc */ +#include /* For STDIN_FILENO, etc */ +#include /* Struct winsize */ /* - * Define this to use pipes instead of socketpairs for communicating with the - * client program. Socketpairs do not seem to work on all systems. + *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively */ -#define USE_PIPES 1 +#ifdef HAVE_STRINGS_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif -#endif /* INCLUDES_H */ +#ifdef HAVE_UTMP_H +# include +#endif +#ifdef HAVE_UTMPX_H +# ifdef HAVE_TV_IN_UTMPX +# include +# endif +# include +#endif +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include /* For _PATH_XXX */ +#endif + +#include +#include +#include +#include +#ifdef HAVE_SYS_TIME_H +# include /* For timersub */ +#endif +#include +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#ifdef HAVE_SYS_BSDTTY_H +# include +#endif +#include /* For MAXPATHLEN and roundup() */ +#ifdef HAVE_SYS_UN_H +# include /* For sockaddr_un */ +#endif +#ifdef HAVE_STDINT_H +# include +#endif +#ifdef HAVE_SYS_BITYPES_H +# include /* For u_intXX_t */ +#endif +#ifdef HAVE_SYS_CDEFS_H +# include /* For __P() */ +#endif +#ifdef HAVE_SYS_STAT_H +# include /* For S_* constants and macros */ +#endif +#ifdef HAVE_SYS_SYSMACROS_H +# include /* For MIN, MAX, etc */ +#endif +#ifdef HAVE_SYS_MMAN_H +#include /* for MAP_ANONYMOUS */ +#endif +#ifdef HAVE_SYS_STRTIO_H +#include /* for TIOCCBRK on HP-UX */ +#endif +#if defined(HAVE_SYS_PTMS_H) && defined(HAVE_DEV_PTMX) +# if defined(HAVE_SYS_STREAM_H) +# include /* reqd for queue_t on Solaris 2.5.1 */ +# endif +#include /* for grantpt() and friends */ +#endif + +#include /* For typedefs */ +#include /* For IPv6 macros */ +#include /* For IPTOS macros */ +#include +#include +#if defined(HAVE_NETDB_H) +# include +#endif +#ifdef HAVE_RPC_TYPES_H +# include /* For INADDR_LOOPBACK */ +#endif +#ifdef USE_PAM +#if defined(HAVE_SECURITY_PAM_APPL_H) +# include +#elif defined (HAVE_PAM_PAM_APPL_H) +# include +#endif +#endif +#ifdef HAVE_READPASSPHRASE_H +# include +#endif + +#ifdef HAVE_IA_H +# include +#endif + +#ifdef HAVE_IAF_H +# include +#endif + +#ifdef HAVE_TMPDIR_H +# include +#endif + +#ifdef HAVE_LIBUTIL_H +# include /* Openpty on FreeBSD at least */ +#endif + +#if defined(KRB5) && defined(USE_AFS) +# include +# include +#endif + +#if defined(HAVE_SYS_SYSLOG_H) +# include +#endif + +/* + * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations + * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. + */ +#ifdef GETSPNAM_CONFLICTING_DEFS +# ifdef _INCLUDE__STDC__ +# undef _INCLUDE__STDC__ +# endif +#endif + +#include /* For OPENSSL_VERSION_NUMBER */ + +#include "defines.h" + +#include "version.h" +#include "openbsd-compat/openbsd-compat.h" +#include "openbsd-compat/bsd-nextstep.h" + +#include "entropy.h" + +#endif /* INCLUDES_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/install-sh openssh-4.2p1/install-sh --- ssh-openbsd-2005090100/install-sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/install-sh Fri Nov 21 23:48:55 2003 @@ -0,0 +1,251 @@ +#!/bin/sh +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# `make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. It can only install one file at a time, a restriction +# shared with many OS's install programs. + + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" + + +# put in absolute paths if you don't have them in your path; or use env. vars. + +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +transformbasename="" +transform_arg="" +instcmd="$mvprog" +chmodcmd="$chmodprog 0755" +chowncmd="" +chgrpcmd="" +stripcmd="" +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src="" +dst="" +dir_arg="" + +while [ x"$1" != x ]; do + case $1 in + -c) instcmd="$cpprog" + shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -m) chmodcmd="$chmodprog $2" + shift + shift + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + -s) stripcmd="$stripprog" + shift + continue;; + + -t=*) transformarg=`echo $1 | sed 's/-t=//'` + shift + continue;; + + -b=*) transformbasename=`echo $1 | sed 's/-b=//'` + shift + continue;; + + *) if [ x"$src" = x ] + then + src=$1 + else + # this colon is to work around a 386BSD /bin/sh bug + : + dst=$1 + fi + shift + continue;; + esac +done + +if [ x"$src" = x ] +then + echo "install: no input file specified" + exit 1 +else + true +fi + +if [ x"$dir_arg" != x ]; then + dst=$src + src="" + + if [ -d $dst ]; then + instcmd=: + chmodcmd="" + else + instcmd=mkdir + fi +else + +# Waiting for this to be detected by the "$instcmd $src $dsttmp" command +# might cause directories to be created, which would be especially bad +# if $src (and thus $dsttmp) contains '*'. + + if [ -f $src -o -d $src ] + then + true + else + echo "install: $src does not exist" + exit 1 + fi + + if [ x"$dst" = x ] + then + echo "install: no destination specified" + exit 1 + else + true + fi + +# If destination is a directory, append the input filename; if your system +# does not like double slashes in filenames, you may need to add some logic + + if [ -d $dst ] + then + dst="$dst"/`basename $src` + else + true + fi +fi + +## this sed command emulates the dirname command +dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` + +# Make sure that the destination directory exists. +# this part is taken from Noah Friedman's mkinstalldirs script + +# Skip lots of stat calls in the usual case. +if [ ! -d "$dstdir" ]; then +defaultIFS=' +' +IFS="${IFS-${defaultIFS}}" + +oIFS="${IFS}" +# Some sh's can't handle IFS=/ for some reason. +IFS='%' +set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS="${oIFS}" + +pathcomp='' + +while [ $# -ne 0 ] ; do + pathcomp="${pathcomp}${1}" + shift + + if [ ! -d "${pathcomp}" ] ; + then + $mkdirprog "${pathcomp}" + else + true + fi + + pathcomp="${pathcomp}/" +done +fi + +if [ x"$dir_arg" != x ] +then + $doit $instcmd $dst && + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi +else + +# If we're going to rename the final executable, determine the name now. + + if [ x"$transformarg" = x ] + then + dstfile=`basename $dst` + else + dstfile=`basename $dst $transformbasename | + sed $transformarg`$transformbasename + fi + +# don't allow the sed command to completely eliminate the filename + + if [ x"$dstfile" = x ] + then + dstfile=`basename $dst` + else + true + fi + +# Make a temp file name in the proper directory. + + dsttmp=$dstdir/#inst.$$# + +# Move or copy the file name to the temp name + + $doit $instcmd $src $dsttmp && + + trap "rm -f ${dsttmp}" 0 && + +# and set any options; do chmod last to preserve setuid bits + +# If any of these fail, we abort the whole thing. If we want to +# ignore errors from any of these, just make sure not to ignore +# errors from the above "$doit $instcmd $src $dsttmp" command. + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + +# Now rename the file to the real destination. + + $doit $rmcmd -f $dstdir/$dstfile && + $doit $mvcmd $dsttmp $dstdir/$dstfile + +fi && + + +exit 0 diff -ruN --exclude CVS ssh-openbsd-2005090100/lib/Makefile openssh-4.2p1/lib/Makefile --- ssh-openbsd-2005090100/lib/Makefile Sat Apr 9 14:32:54 2005 +++ openssh-4.2p1/lib/Makefile Thu Jan 1 10:00:00 1970 @@ -1,32 +0,0 @@ -# $OpenBSD: Makefile,v 1.51 2005/04/09 04:32:54 djm Exp $ - -.PATH: ${.CURDIR}/.. - -LIB= ssh -SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ - cipher.c cipher-3des1.c cipher-bf1.c cipher-ctr.c \ - cleanup.c compat.c compress.c crc32.c deattack.c fatal.c \ - hostfile.c log.c match.c nchan.c packet.c readpass.c \ - rsa.c ttymodes.c xmalloc.c atomicio.c \ - key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \ - ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \ - kexdhc.c kexgexc.c scard.c msg.c progressmeter.c dns.c \ - monitor_fdpass.c - -DEBUGLIBS= no -NOPROFILE= yes -NOPIC= yes - -install: - @echo -n - -.include - -.if (${KERBEROS5:L} == "yes") -CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV - -SRCS+= gss-genr.c -CFLAGS+= -DGSSAPI -.endif # KERBEROS5 - -.include diff -ruN --exclude CVS ssh-openbsd-2005090100/log.c openssh-4.2p1/log.c --- ssh-openbsd-2005090100/log.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/log.c Wed Mar 9 20:12:48 2005 @@ -40,7 +40,9 @@ #include "xmalloc.h" #include -#include +#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) +# include +#endif static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; @@ -49,6 +51,9 @@ extern char *__progname; +#define LOG_SYSLOG_VIS (VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL) +#define LOG_STDERR_VIS (VIS_SAFE|VIS_OCTAL) + /* textual representation of log-facilities/levels */ static struct { @@ -58,6 +63,9 @@ { "DAEMON", SYSLOG_FACILITY_DAEMON }, { "USER", SYSLOG_FACILITY_USER }, { "AUTH", SYSLOG_FACILITY_AUTH }, +#ifdef LOG_AUTHPRIV + { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, +#endif { "LOCAL0", SYSLOG_FACILITY_LOCAL0 }, { "LOCAL1", SYSLOG_FACILITY_LOCAL1 }, { "LOCAL2", SYSLOG_FACILITY_LOCAL2 }, @@ -185,6 +193,10 @@ void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) { +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) + struct syslog_data sdata = SYSLOG_DATA_INIT; +#endif + argv0 = av0; switch (level) { @@ -218,6 +230,11 @@ case SYSLOG_FACILITY_AUTH: log_facility = LOG_AUTH; break; +#ifdef LOG_AUTHPRIV + case SYSLOG_FACILITY_AUTHPRIV: + log_facility = LOG_AUTHPRIV; + break; +#endif case SYSLOG_FACILITY_LOCAL0: log_facility = LOG_LOCAL0; break; @@ -248,6 +265,19 @@ (int) facility); exit(1); } + + /* + * If an external library (eg libwrap) attempts to use syslog + * immediately after reexec, syslog may be pointing to the wrong + * facility, so we force an open/close of syslog here. + */ +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) + openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); + closelog_r(&sdata); +#else + openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility); + closelog(); +#endif } #define MSGBUFSIZ 1024 @@ -255,7 +285,9 @@ void do_log(LogLevel level, const char *fmt, va_list args) { +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; +#endif char msgbuf[MSGBUFSIZ]; char fmtbuf[MSGBUFSIZ]; char *txt = NULL; @@ -304,13 +336,20 @@ } else { vsnprintf(msgbuf, sizeof(msgbuf), fmt, args); } - strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), VIS_SAFE|VIS_OCTAL); + strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), + log_on_stderr ? LOG_STDERR_VIS : LOG_SYSLOG_VIS); if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); syslog_r(pri, &sdata, "%.500s", fmtbuf); closelog_r(&sdata); +#else + openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility); + syslog(pri, "%.500s", fmtbuf); + closelog(); +#endif } } diff -ruN --exclude CVS ssh-openbsd-2005090100/log.h openssh-4.2p1/log.h --- ssh-openbsd-2005090100/log.h Sat Jul 16 11:31:00 2005 +++ openssh-4.2p1/log.h Tue Jun 22 12:57:44 2004 @@ -15,11 +15,16 @@ #ifndef SSH_LOG_H #define SSH_LOG_H +#include /* Needed for LOG_AUTHPRIV (if present) */ + /* Supported syslog facilities and levels. */ typedef enum { SYSLOG_FACILITY_DAEMON, SYSLOG_FACILITY_USER, SYSLOG_FACILITY_AUTH, +#ifdef LOG_AUTHPRIV + SYSLOG_FACILITY_AUTHPRIV, +#endif SYSLOG_FACILITY_LOCAL0, SYSLOG_FACILITY_LOCAL1, SYSLOG_FACILITY_LOCAL2, diff -ruN --exclude CVS ssh-openbsd-2005090100/loginrec.c openssh-4.2p1/loginrec.c --- ssh-openbsd-2005090100/loginrec.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/loginrec.c Sun Jul 17 17:26:44 2005 @@ -0,0 +1,1678 @@ +/* + * Copyright (c) 2000 Andre Lucas. All rights reserved. + * Portions copyright (c) 1998 Todd C. Miller + * Portions copyright (c) 1996 Jason Downs + * Portions copyright (c) 1996 Theo de Raadt + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * The btmp logging code is derived from login.c from util-linux and is under + * the the following license: + * + * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that the above copyright notice and this paragraph are + * duplicated in all such forms and that any documentation, + * advertising materials, and other materials related to such + * distribution and use acknowledge that the software was developed + * by the University of California, Berkeley. The name of the + * University may not be used to endorse or promote products derived + * from this software without specific prior written permission. + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + + +/** + ** loginrec.c: platform-independent login recording and lastlog retrieval + **/ + +/* + * The new login code explained + * ============================ + * + * This code attempts to provide a common interface to login recording + * (utmp and friends) and last login time retrieval. + * + * Its primary means of achieving this is to use 'struct logininfo', a + * union of all the useful fields in the various different types of + * system login record structures one finds on UNIX variants. + * + * We depend on autoconf to define which recording methods are to be + * used, and which fields are contained in the relevant data structures + * on the local system. Many C preprocessor symbols affect which code + * gets compiled here. + * + * The code is designed to make it easy to modify a particular + * recording method, without affecting other methods nor requiring so + * many nested conditional compilation blocks as were commonplace in + * the old code. + * + * For login recording, we try to use the local system's libraries as + * these are clearly most likely to work correctly. For utmp systems + * this usually means login() and logout() or setutent() etc., probably + * in libutil, along with logwtmp() etc. On these systems, we fall back + * to writing the files directly if we have to, though this method + * requires very thorough testing so we do not corrupt local auditing + * information. These files and their access methods are very system + * specific indeed. + * + * For utmpx systems, the corresponding library functions are + * setutxent() etc. To the author's knowledge, all utmpx systems have + * these library functions and so no direct write is attempted. If such + * a system exists and needs support, direct analogues of the [uw]tmp + * code should suffice. + * + * Retrieving the time of last login ('lastlog') is in some ways even + * more problemmatic than login recording. Some systems provide a + * simple table of all users which we seek based on uid and retrieve a + * relatively standard structure. Others record the same information in + * a directory with a separate file, and others don't record the + * information separately at all. For systems in the latter category, + * we look backwards in the wtmp or wtmpx file for the last login entry + * for our user. Naturally this is slower and on busy systems could + * incur a significant performance penalty. + * + * Calling the new code + * -------------------- + * + * In OpenSSH all login recording and retrieval is performed in + * login.c. Here you'll find working examples. Also, in the logintest.c + * program there are more examples. + * + * Internal handler calling method + * ------------------------------- + * + * When a call is made to login_login() or login_logout(), both + * routines set a struct logininfo flag defining which action (log in, + * or log out) is to be taken. They both then call login_write(), which + * calls whichever of the many structure-specific handlers autoconf + * selects for the local system. + * + * The handlers themselves handle system data structure specifics. Both + * struct utmp and struct utmpx have utility functions (see + * construct_utmp*()) to try to make it simpler to add extra systems + * that introduce new features to either structure. + * + * While it may seem terribly wasteful to replicate so much similar + * code for each method, experience has shown that maintaining code to + * write both struct utmp and utmpx in one function, whilst maintaining + * support for all systems whether they have library support or not, is + * a difficult and time-consuming task. + * + * Lastlog support proceeds similarly. Functions login_get_lastlog() + * (and its OpenSSH-tuned friend login_get_lastlog_time()) call + * getlast_entry(), which tries one of three methods to find the last + * login time. It uses local system lastlog support if it can, + * otherwise it tries wtmp or wtmpx before giving up and returning 0, + * meaning "tilt". + * + * Maintenance + * ----------- + * + * In many cases it's possible to tweak autoconf to select the correct + * methods for a particular platform, either by improving the detection + * code (best), or by presetting DISABLE_ or CONF__FILE + * symbols for the platform. + * + * Use logintest to check which symbols are defined before modifying + * configure.ac and loginrec.c. (You have to build logintest yourself + * with 'make logintest' as it's not built by default.) + * + * Otherwise, patches to the specific method(s) are very helpful! + */ + +#include "includes.h" + +#include "ssh.h" +#include "xmalloc.h" +#include "loginrec.h" +#include "log.h" +#include "atomicio.h" +#include "packet.h" +#include "canohost.h" +#include "auth.h" +#include "buffer.h" + +#ifdef HAVE_UTIL_H +# include +#endif + +#ifdef HAVE_LIBUTIL_H +# include +#endif + +RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $"); + +/** + ** prototypes for helper functions in this file + **/ + +#if HAVE_UTMP_H +void set_utmp_time(struct logininfo *li, struct utmp *ut); +void construct_utmp(struct logininfo *li, struct utmp *ut); +#endif + +#ifdef HAVE_UTMPX_H +void set_utmpx_time(struct logininfo *li, struct utmpx *ut); +void construct_utmpx(struct logininfo *li, struct utmpx *ut); +#endif + +int utmp_write_entry(struct logininfo *li); +int utmpx_write_entry(struct logininfo *li); +int wtmp_write_entry(struct logininfo *li); +int wtmpx_write_entry(struct logininfo *li); +int lastlog_write_entry(struct logininfo *li); +int syslogin_write_entry(struct logininfo *li); + +int getlast_entry(struct logininfo *li); +int lastlog_get_entry(struct logininfo *li); +int wtmp_get_entry(struct logininfo *li); +int wtmpx_get_entry(struct logininfo *li); + +extern Buffer loginmsg; + +/* pick the shortest string */ +#define MIN_SIZEOF(s1,s2) (sizeof(s1) < sizeof(s2) ? sizeof(s1) : sizeof(s2)) + +/** + ** platform-independent login functions + **/ + +/* + * login_login(struct logininfo *) - Record a login + * + * Call with a pointer to a struct logininfo initialised with + * login_init_entry() or login_alloc_entry() + * + * Returns: + * >0 if successful + * 0 on failure (will use OpenSSH's logging facilities for diagnostics) + */ +int +login_login(struct logininfo *li) +{ + li->type = LTYPE_LOGIN; + return (login_write(li)); +} + + +/* + * login_logout(struct logininfo *) - Record a logout + * + * Call as with login_login() + * + * Returns: + * >0 if successful + * 0 on failure (will use OpenSSH's logging facilities for diagnostics) + */ +int +login_logout(struct logininfo *li) +{ + li->type = LTYPE_LOGOUT; + return (login_write(li)); +} + +/* + * login_get_lastlog_time(int) - Retrieve the last login time + * + * Retrieve the last login time for the given uid. Will try to use the + * system lastlog facilities if they are available, but will fall back + * to looking in wtmp/wtmpx if necessary + * + * Returns: + * 0 on failure, or if user has never logged in + * Time in seconds from the epoch if successful + * + * Useful preprocessor symbols: + * DISABLE_LASTLOG: If set, *never* even try to retrieve lastlog + * info + * USE_LASTLOG: If set, indicates the presence of system lastlog + * facilities. If this and DISABLE_LASTLOG are not set, + * try to retrieve lastlog information from wtmp/wtmpx. + */ +unsigned int +login_get_lastlog_time(const int uid) +{ + struct logininfo li; + + if (login_get_lastlog(&li, uid)) + return (li.tv_sec); + else + return (0); +} + +/* + * login_get_lastlog(struct logininfo *, int) - Retrieve a lastlog entry + * + * Retrieve a logininfo structure populated (only partially) with + * information from the system lastlog data, or from wtmp/wtmpx if no + * system lastlog information exists. + * + * Note this routine must be given a pre-allocated logininfo. + * + * Returns: + * >0: A pointer to your struct logininfo if successful + * 0 on failure (will use OpenSSH's logging facilities for diagnostics) + */ +struct logininfo * +login_get_lastlog(struct logininfo *li, const int uid) +{ + struct passwd *pw; + + memset(li, '\0', sizeof(*li)); + li->uid = uid; + + /* + * If we don't have a 'real' lastlog, we need the username to + * reliably search wtmp(x) for the last login (see + * wtmp_get_entry().) + */ + pw = getpwuid(uid); + if (pw == NULL) + fatal("%s: Cannot find account for uid %i", __func__, uid); + + /* No MIN_SIZEOF here - we absolutely *must not* truncate the + * username (XXX - so check for trunc!) */ + strlcpy(li->username, pw->pw_name, sizeof(li->username)); + + if (getlast_entry(li)) + return (li); + else + return (NULL); +} + + +/* + * login_alloc_entry(int, char*, char*, char*) - Allocate and initialise + * a logininfo structure + * + * This function creates a new struct logininfo, a data structure + * meant to carry the information required to portably record login info. + * + * Returns a pointer to a newly created struct logininfo. If memory + * allocation fails, the program halts. + */ +struct +logininfo *login_alloc_entry(int pid, const char *username, + const char *hostname, const char *line) +{ + struct logininfo *newli; + + newli = xmalloc(sizeof(*newli)); + login_init_entry(newli, pid, username, hostname, line); + return (newli); +} + + +/* login_free_entry(struct logininfo *) - free struct memory */ +void +login_free_entry(struct logininfo *li) +{ + xfree(li); +} + + +/* login_init_entry(struct logininfo *, int, char*, char*, char*) + * - initialise a struct logininfo + * + * Populates a new struct logininfo, a data structure meant to carry + * the information required to portably record login info. + * + * Returns: 1 + */ +int +login_init_entry(struct logininfo *li, int pid, const char *username, + const char *hostname, const char *line) +{ + struct passwd *pw; + + memset(li, 0, sizeof(*li)); + + li->pid = pid; + + /* set the line information */ + if (line) + line_fullname(li->line, line, sizeof(li->line)); + + if (username) { + strlcpy(li->username, username, sizeof(li->username)); + pw = getpwnam(li->username); + if (pw == NULL) { + fatal("%s: Cannot find user \"%s\"", __func__, + li->username); + } + li->uid = pw->pw_uid; + } + + if (hostname) + strlcpy(li->hostname, hostname, sizeof(li->hostname)); + + return (1); +} + +/* + * login_set_current_time(struct logininfo *) - set the current time + * + * Set the current time in a logininfo structure. This function is + * meant to eliminate the need to deal with system dependencies for + * time handling. + */ +void +login_set_current_time(struct logininfo *li) +{ + struct timeval tv; + + gettimeofday(&tv, NULL); + + li->tv_sec = tv.tv_sec; + li->tv_usec = tv.tv_usec; +} + +/* copy a sockaddr_* into our logininfo */ +void +login_set_addr(struct logininfo *li, const struct sockaddr *sa, + const unsigned int sa_size) +{ + unsigned int bufsize = sa_size; + + /* make sure we don't overrun our union */ + if (sizeof(li->hostaddr) < sa_size) + bufsize = sizeof(li->hostaddr); + + memcpy(&li->hostaddr.sa, sa, bufsize); +} + + +/** + ** login_write: Call low-level recording functions based on autoconf + ** results + **/ +int +login_write(struct logininfo *li) +{ +#ifndef HAVE_CYGWIN + if (geteuid() != 0) { + logit("Attempt to write login records by non-root user (aborting)"); + return (1); + } +#endif + + /* set the timestamp */ + login_set_current_time(li); +#ifdef USE_LOGIN + syslogin_write_entry(li); +#endif +#ifdef USE_LASTLOG + if (li->type == LTYPE_LOGIN) + lastlog_write_entry(li); +#endif +#ifdef USE_UTMP + utmp_write_entry(li); +#endif +#ifdef USE_WTMP + wtmp_write_entry(li); +#endif +#ifdef USE_UTMPX + utmpx_write_entry(li); +#endif +#ifdef USE_WTMPX + wtmpx_write_entry(li); +#endif +#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN + if (li->type == LTYPE_LOGIN && + !sys_auth_record_login(li->username,li->hostname,li->line, + &loginmsg)) + logit("Writing login record failed for %s", li->username); +#endif +#ifdef SSH_AUDIT_EVENTS + if (li->type == LTYPE_LOGIN) + audit_session_open(li->line); + else if (li->type == LTYPE_LOGOUT) + audit_session_close(li->line); +#endif + return (0); +} + +#ifdef LOGIN_NEEDS_UTMPX +int +login_utmp_only(struct logininfo *li) +{ + li->type = LTYPE_LOGIN; + login_set_current_time(li); +# ifdef USE_UTMP + utmp_write_entry(li); +# endif +# ifdef USE_WTMP + wtmp_write_entry(li); +# endif +# ifdef USE_UTMPX + utmpx_write_entry(li); +# endif +# ifdef USE_WTMPX + wtmpx_write_entry(li); +# endif + return (0); +} +#endif + +/** + ** getlast_entry: Call low-level functions to retrieve the last login + ** time. + **/ + +/* take the uid in li and return the last login time */ +int +getlast_entry(struct logininfo *li) +{ +#ifdef USE_LASTLOG + return(lastlog_get_entry(li)); +#else /* !USE_LASTLOG */ + +#if defined(DISABLE_LASTLOG) + /* On some systems we shouldn't even try to obtain last login + * time, e.g. AIX */ + return (0); +# elif defined(USE_WTMP) && \ + (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) + /* retrieve last login time from utmp */ + return (wtmp_get_entry(li)); +# elif defined(USE_WTMPX) && \ + (defined(HAVE_TIME_IN_UTMPX) || defined(HAVE_TV_IN_UTMPX)) + /* If wtmp isn't available, try wtmpx */ + return (wtmpx_get_entry(li)); +# else + /* Give up: No means of retrieving last login time */ + return (0); +# endif /* DISABLE_LASTLOG */ +#endif /* USE_LASTLOG */ +} + + + +/* + * 'line' string utility functions + * + * These functions process the 'line' string into one of three forms: + * + * 1. The full filename (including '/dev') + * 2. The stripped name (excluding '/dev') + * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 + * /dev/pts/1 -> ts/1 ) + * + * Form 3 is used on some systems to identify a .tmp.? entry when + * attempting to remove it. Typically both addition and removal is + * performed by one application - say, sshd - so as long as the choice + * uniquely identifies a terminal it's ok. + */ + + +/* + * line_fullname(): add the leading '/dev/' if it doesn't exist make + * sure dst has enough space, if not just copy src (ugh) + */ +char * +line_fullname(char *dst, const char *src, u_int dstsize) +{ + memset(dst, '\0', dstsize); + if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5))) + strlcpy(dst, src, dstsize); + else { + strlcpy(dst, "/dev/", dstsize); + strlcat(dst, src, dstsize); + } + return (dst); +} + +/* line_stripname(): strip the leading '/dev' if it exists, return dst */ +char * +line_stripname(char *dst, const char *src, int dstsize) +{ + memset(dst, '\0', dstsize); + if (strncmp(src, "/dev/", 5) == 0) + strlcpy(dst, src + 5, dstsize); + else + strlcpy(dst, src, dstsize); + return (dst); +} + +/* + * line_abbrevname(): Return the abbreviated (usually four-character) + * form of the line (Just use the last characters of the + * full name.) + * + * NOTE: use strncpy because we do NOT necessarily want zero + * termination + */ +char * +line_abbrevname(char *dst, const char *src, int dstsize) +{ + size_t len; + + memset(dst, '\0', dstsize); + + /* Always skip prefix if present */ + if (strncmp(src, "/dev/", 5) == 0) + src += 5; + +#ifdef WITH_ABBREV_NO_TTY + if (strncmp(src, "tty", 3) == 0) + src += 3; +#endif + + len = strlen(src); + + if (len > 0) { + if (((int)len - dstsize) > 0) + src += ((int)len - dstsize); + + /* note: _don't_ change this to strlcpy */ + strncpy(dst, src, (size_t)dstsize); + } + + return (dst); +} + +/** + ** utmp utility functions + ** + ** These functions manipulate struct utmp, taking system differences + ** into account. + **/ + +#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN) + +/* build the utmp structure */ +void +set_utmp_time(struct logininfo *li, struct utmp *ut) +{ +# if defined(HAVE_TV_IN_UTMP) + ut->ut_tv.tv_sec = li->tv_sec; + ut->ut_tv.tv_usec = li->tv_usec; +# elif defined(HAVE_TIME_IN_UTMP) + ut->ut_time = li->tv_sec; +# endif +} + +void +construct_utmp(struct logininfo *li, + struct utmp *ut) +{ +# ifdef HAVE_ADDR_V6_IN_UTMP + struct sockaddr_in6 *sa6; +# endif + + memset(ut, '\0', sizeof(*ut)); + + /* First fill out fields used for both logins and logouts */ + +# ifdef HAVE_ID_IN_UTMP + line_abbrevname(ut->ut_id, li->line, sizeof(ut->ut_id)); +# endif + +# ifdef HAVE_TYPE_IN_UTMP + /* This is done here to keep utmp constants out of struct logininfo */ + switch (li->type) { + case LTYPE_LOGIN: + ut->ut_type = USER_PROCESS; +#ifdef _UNICOS + cray_set_tmpdir(ut); +#endif + break; + case LTYPE_LOGOUT: + ut->ut_type = DEAD_PROCESS; +#ifdef _UNICOS + cray_retain_utmp(ut, li->pid); +#endif + break; + } +# endif + set_utmp_time(li, ut); + + line_stripname(ut->ut_line, li->line, sizeof(ut->ut_line)); + +# ifdef HAVE_PID_IN_UTMP + ut->ut_pid = li->pid; +# endif + + /* If we're logging out, leave all other fields blank */ + if (li->type == LTYPE_LOGOUT) + return; + + /* + * These fields are only used when logging in, and are blank + * for logouts. + */ + + /* Use strncpy because we don't necessarily want null termination */ + strncpy(ut->ut_name, li->username, + MIN_SIZEOF(ut->ut_name, li->username)); +# ifdef HAVE_HOST_IN_UTMP + strncpy(ut->ut_host, li->hostname, + MIN_SIZEOF(ut->ut_host, li->hostname)); +# endif +# ifdef HAVE_ADDR_IN_UTMP + /* this is just a 32-bit IP address */ + if (li->hostaddr.sa.sa_family == AF_INET) + ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; +# endif +# ifdef HAVE_ADDR_V6_IN_UTMP + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); + memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; + ut->ut_addr_v6[1] = 0; + ut->ut_addr_v6[2] = 0; + ut->ut_addr_v6[3] = 0; + } + } +# endif +} +#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */ + +/** + ** utmpx utility functions + ** + ** These functions manipulate struct utmpx, accounting for system + ** variations. + **/ + +#if defined(USE_UTMPX) || defined (USE_WTMPX) +/* build the utmpx structure */ +void +set_utmpx_time(struct logininfo *li, struct utmpx *utx) +{ +# if defined(HAVE_TV_IN_UTMPX) + utx->ut_tv.tv_sec = li->tv_sec; + utx->ut_tv.tv_usec = li->tv_usec; +# elif defined(HAVE_TIME_IN_UTMPX) + utx->ut_time = li->tv_sec; +# endif +} + +void +construct_utmpx(struct logininfo *li, struct utmpx *utx) +{ +# ifdef HAVE_ADDR_V6_IN_UTMP + struct sockaddr_in6 *sa6; +# endif + memset(utx, '\0', sizeof(*utx)); + +# ifdef HAVE_ID_IN_UTMPX + line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id)); +# endif + + /* this is done here to keep utmp constants out of loginrec.h */ + switch (li->type) { + case LTYPE_LOGIN: + utx->ut_type = USER_PROCESS; + break; + case LTYPE_LOGOUT: + utx->ut_type = DEAD_PROCESS; + break; + } + line_stripname(utx->ut_line, li->line, sizeof(utx->ut_line)); + set_utmpx_time(li, utx); + utx->ut_pid = li->pid; + + /* strncpy(): Don't necessarily want null termination */ + strncpy(utx->ut_name, li->username, + MIN_SIZEOF(utx->ut_name, li->username)); + + if (li->type == LTYPE_LOGOUT) + return; + + /* + * These fields are only used when logging in, and are blank + * for logouts. + */ + +# ifdef HAVE_HOST_IN_UTMPX + strncpy(utx->ut_host, li->hostname, + MIN_SIZEOF(utx->ut_host, li->hostname)); +# endif +# ifdef HAVE_ADDR_IN_UTMPX + /* this is just a 32-bit IP address */ + if (li->hostaddr.sa.sa_family == AF_INET) + utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; +# endif +# ifdef HAVE_ADDR_V6_IN_UTMP + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); + memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; + ut->ut_addr_v6[1] = 0; + ut->ut_addr_v6[2] = 0; + ut->ut_addr_v6[3] = 0; + } + } +# endif +# ifdef HAVE_SYSLEN_IN_UTMPX + /* ut_syslen is the length of the utx_host string */ + utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host)); +# endif +} +#endif /* USE_UTMPX || USE_WTMPX */ + +/** + ** Low-level utmp functions + **/ + +/* FIXME: (ATL) utmp_write_direct needs testing */ +#ifdef USE_UTMP + +/* if we can, use pututline() etc. */ +# if !defined(DISABLE_PUTUTLINE) && defined(HAVE_SETUTENT) && \ + defined(HAVE_PUTUTLINE) +# define UTMP_USE_LIBRARY +# endif + + +/* write a utmp entry with the system's help (pututline() and pals) */ +# ifdef UTMP_USE_LIBRARY +static int +utmp_write_library(struct logininfo *li, struct utmp *ut) +{ + setutent(); + pututline(ut); +# ifdef HAVE_ENDUTENT + endutent(); +# endif + return (1); +} +# else /* UTMP_USE_LIBRARY */ + +/* + * Write a utmp entry direct to the file + * This is a slightly modification of code in OpenBSD's login.c + */ +static int +utmp_write_direct(struct logininfo *li, struct utmp *ut) +{ + struct utmp old_ut; + register int fd; + int tty; + + /* FIXME: (ATL) ttyslot() needs local implementation */ + +#if defined(HAVE_GETTTYENT) + struct ttyent *ty; + + tty=0; + setttyent(); + while (NULL != (ty = getttyent())) { + tty++; + if (!strncmp(ty->ty_name, ut->ut_line, sizeof(ut->ut_line))) + break; + } + endttyent(); + + if (NULL == ty) { + logit("%s: tty not found", __func__); + return (0); + } +#else /* FIXME */ + + tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */ + +#endif /* HAVE_GETTTYENT */ + + if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) { + off_t pos, ret; + + pos = (off_t)tty * sizeof(struct utmp); + if ((ret = lseek(fd, pos, SEEK_SET)) == -1) { + logit("%s: lseek: %s", __func__, strerror(errno)); + return (0); + } + if (ret != pos) { + logit("%s: Couldn't seek to tty %d slot in %s", + __func__, tty, UTMP_FILE); + return (0); + } + /* + * Prevent luser from zero'ing out ut_host. + * If the new ut_line is empty but the old one is not + * and ut_line and ut_name match, preserve the old ut_line. + */ + if (atomicio(read, fd, &old_ut, sizeof(old_ut)) == sizeof(old_ut) && + (ut->ut_host[0] == '\0') && (old_ut.ut_host[0] != '\0') && + (strncmp(old_ut.ut_line, ut->ut_line, sizeof(ut->ut_line)) == 0) && + (strncmp(old_ut.ut_name, ut->ut_name, sizeof(ut->ut_name)) == 0)) + memcpy(ut->ut_host, old_ut.ut_host, sizeof(ut->ut_host)); + + if ((ret = lseek(fd, pos, SEEK_SET)) == -1) { + logit("%s: lseek: %s", __func__, strerror(errno)); + return (0); + } + if (ret != pos) { + logit("%s: Couldn't seek to tty %d slot in %s", + __func__, tty, UTMP_FILE); + return (0); + } + if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut)) { + logit("%s: error writing %s: %s", __func__, + UTMP_FILE, strerror(errno)); + } + + close(fd); + return (1); + } else { + return (0); + } +} +# endif /* UTMP_USE_LIBRARY */ + +static int +utmp_perform_login(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); +# ifdef UTMP_USE_LIBRARY + if (!utmp_write_library(li, &ut)) { + logit("%s: utmp_write_library() failed", __func__); + return (0); + } +# else + if (!utmp_write_direct(li, &ut)) { + logit("%s: utmp_write_direct() failed", __func__); + return (0); + } +# endif + return (1); +} + + +static int +utmp_perform_logout(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); +# ifdef UTMP_USE_LIBRARY + if (!utmp_write_library(li, &ut)) { + logit("%s: utmp_write_library() failed", __func__); + return (0); + } +# else + if (!utmp_write_direct(li, &ut)) { + logit("%s: utmp_write_direct() failed", __func__); + return (0); + } +# endif + return (1); +} + + +int +utmp_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (utmp_perform_login(li)); + + case LTYPE_LOGOUT: + return (utmp_perform_logout(li)); + + default: + logit("%s: invalid type field", __func__); + return (0); + } +} +#endif /* USE_UTMP */ + + +/** + ** Low-level utmpx functions + **/ + +/* not much point if we don't want utmpx entries */ +#ifdef USE_UTMPX + +/* if we have the wherewithall, use pututxline etc. */ +# if !defined(DISABLE_PUTUTXLINE) && defined(HAVE_SETUTXENT) && \ + defined(HAVE_PUTUTXLINE) +# define UTMPX_USE_LIBRARY +# endif + + +/* write a utmpx entry with the system's help (pututxline() and pals) */ +# ifdef UTMPX_USE_LIBRARY +static int +utmpx_write_library(struct logininfo *li, struct utmpx *utx) +{ + setutxent(); + pututxline(utx); + +# ifdef HAVE_ENDUTXENT + endutxent(); +# endif + return (1); +} + +# else /* UTMPX_USE_LIBRARY */ + +/* write a utmp entry direct to the file */ +static int +utmpx_write_direct(struct logininfo *li, struct utmpx *utx) +{ + logit("%s: not implemented!", __func__); + return (0); +} +# endif /* UTMPX_USE_LIBRARY */ + +static int +utmpx_perform_login(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); +# ifdef UTMPX_USE_LIBRARY + if (!utmpx_write_library(li, &utx)) { + logit("%s: utmp_write_library() failed", __func__); + return (0); + } +# else + if (!utmpx_write_direct(li, &ut)) { + logit("%s: utmp_write_direct() failed", __func__); + return (0); + } +# endif + return (1); +} + + +static int +utmpx_perform_logout(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); +# ifdef HAVE_ID_IN_UTMPX + line_abbrevname(utx.ut_id, li->line, sizeof(utx.ut_id)); +# endif +# ifdef HAVE_TYPE_IN_UTMPX + utx.ut_type = DEAD_PROCESS; +# endif + +# ifdef UTMPX_USE_LIBRARY + utmpx_write_library(li, &utx); +# else + utmpx_write_direct(li, &utx); +# endif + return (1); +} + +int +utmpx_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (utmpx_perform_login(li)); + case LTYPE_LOGOUT: + return (utmpx_perform_logout(li)); + default: + logit("%s: invalid type field", __func__); + return (0); + } +} +#endif /* USE_UTMPX */ + + +/** + ** Low-level wtmp functions + **/ + +#ifdef USE_WTMP + +/* + * Write a wtmp entry direct to the end of the file + * This is a slight modification of code in OpenBSD's logwtmp.c + */ +static int +wtmp_write(struct logininfo *li, struct utmp *ut) +{ + struct stat buf; + int fd, ret = 1; + + if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0) { + logit("%s: problem writing %s: %s", __func__, + WTMP_FILE, strerror(errno)); + return (0); + } + if (fstat(fd, &buf) == 0) + if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut)) { + ftruncate(fd, buf.st_size); + logit("%s: problem writing %s: %s", __func__, + WTMP_FILE, strerror(errno)); + ret = 0; + } + close(fd); + return (ret); +} + +static int +wtmp_perform_login(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); + return (wtmp_write(li, &ut)); +} + + +static int +wtmp_perform_logout(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); + return (wtmp_write(li, &ut)); +} + + +int +wtmp_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (wtmp_perform_login(li)); + case LTYPE_LOGOUT: + return (wtmp_perform_logout(li)); + default: + logit("%s: invalid type field", __func__); + return (0); + } +} + + +/* + * Notes on fetching login data from wtmp/wtmpx + * + * Logouts are usually recorded with (amongst other things) a blank + * username on a given tty line. However, some systems (HP-UX is one) + * leave all fields set, but change the ut_type field to DEAD_PROCESS. + * + * Since we're only looking for logins here, we know that the username + * must be set correctly. On systems that leave it in, we check for + * ut_type==USER_PROCESS (indicating a login.) + * + * Portability: Some systems may set something other than USER_PROCESS + * to indicate a login process. I don't know of any as I write. Also, + * it's possible that some systems may both leave the username in + * place and not have ut_type. + */ + +/* return true if this wtmp entry indicates a login */ +static int +wtmp_islogin(struct logininfo *li, struct utmp *ut) +{ + if (strncmp(li->username, ut->ut_name, + MIN_SIZEOF(li->username, ut->ut_name)) == 0) { +# ifdef HAVE_TYPE_IN_UTMP + if (ut->ut_type & USER_PROCESS) + return (1); +# else + return (1); +# endif + } + return (0); +} + +int +wtmp_get_entry(struct logininfo *li) +{ + struct stat st; + struct utmp ut; + int fd, found = 0; + + /* Clear the time entries in our logininfo */ + li->tv_sec = li->tv_usec = 0; + + if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) { + logit("%s: problem opening %s: %s", __func__, + WTMP_FILE, strerror(errno)); + return (0); + } + if (fstat(fd, &st) != 0) { + logit("%s: couldn't stat %s: %s", __func__, + WTMP_FILE, strerror(errno)); + close(fd); + return (0); + } + + /* Seek to the start of the last struct utmp */ + if (lseek(fd, -(off_t)sizeof(struct utmp), SEEK_END) == -1) { + /* Looks like we've got a fresh wtmp file */ + close(fd); + return (0); + } + + while (!found) { + if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) { + logit("%s: read of %s failed: %s", __func__, + WTMP_FILE, strerror(errno)); + close (fd); + return (0); + } + if ( wtmp_islogin(li, &ut) ) { + found = 1; + /* + * We've already checked for a time in struct + * utmp, in login_getlast() + */ +# ifdef HAVE_TIME_IN_UTMP + li->tv_sec = ut.ut_time; +# else +# if HAVE_TV_IN_UTMP + li->tv_sec = ut.ut_tv.tv_sec; +# endif +# endif + line_fullname(li->line, ut.ut_line, + MIN_SIZEOF(li->line, ut.ut_line)); +# ifdef HAVE_HOST_IN_UTMP + strlcpy(li->hostname, ut.ut_host, + MIN_SIZEOF(li->hostname, ut.ut_host)); +# endif + continue; + } + /* Seek back 2 x struct utmp */ + if (lseek(fd, -(off_t)(2 * sizeof(struct utmp)), SEEK_CUR) == -1) { + /* We've found the start of the file, so quit */ + close(fd); + return (0); + } + } + + /* We found an entry. Tidy up and return */ + close(fd); + return (1); +} +# endif /* USE_WTMP */ + + +/** + ** Low-level wtmpx functions + **/ + +#ifdef USE_WTMPX +/* + * Write a wtmpx entry direct to the end of the file + * This is a slight modification of code in OpenBSD's logwtmp.c + */ +static int +wtmpx_write(struct logininfo *li, struct utmpx *utx) +{ +#ifndef HAVE_UPDWTMPX + struct stat buf; + int fd, ret = 1; + + if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) { + logit("%s: problem opening %s: %s", __func__, + WTMPX_FILE, strerror(errno)); + return (0); + } + + if (fstat(fd, &buf) == 0) + if (atomicio(vwrite, fd, utx, sizeof(*utx)) != sizeof(*utx)) { + ftruncate(fd, buf.st_size); + logit("%s: problem writing %s: %s", __func__, + WTMPX_FILE, strerror(errno)); + ret = 0; + } + close(fd); + + return (ret); +#else + updwtmpx(WTMPX_FILE, utx); + return (1); +#endif +} + + +static int +wtmpx_perform_login(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); + return (wtmpx_write(li, &utx)); +} + + +static int +wtmpx_perform_logout(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); + return (wtmpx_write(li, &utx)); +} + + +int +wtmpx_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (wtmpx_perform_login(li)); + case LTYPE_LOGOUT: + return (wtmpx_perform_logout(li)); + default: + logit("%s: invalid type field", __func__); + return (0); + } +} + +/* Please see the notes above wtmp_islogin() for information about the + next two functions */ + +/* Return true if this wtmpx entry indicates a login */ +static int +wtmpx_islogin(struct logininfo *li, struct utmpx *utx) +{ + if (strncmp(li->username, utx->ut_name, + MIN_SIZEOF(li->username, utx->ut_name)) == 0 ) { +# ifdef HAVE_TYPE_IN_UTMPX + if (utx->ut_type == USER_PROCESS) + return (1); +# else + return (1); +# endif + } + return (0); +} + + +int +wtmpx_get_entry(struct logininfo *li) +{ + struct stat st; + struct utmpx utx; + int fd, found=0; + + /* Clear the time entries */ + li->tv_sec = li->tv_usec = 0; + + if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) { + logit("%s: problem opening %s: %s", __func__, + WTMPX_FILE, strerror(errno)); + return (0); + } + if (fstat(fd, &st) != 0) { + logit("%s: couldn't stat %s: %s", __func__, + WTMPX_FILE, strerror(errno)); + close(fd); + return (0); + } + + /* Seek to the start of the last struct utmpx */ + if (lseek(fd, -(off_t)sizeof(struct utmpx), SEEK_END) == -1 ) { + /* probably a newly rotated wtmpx file */ + close(fd); + return (0); + } + + while (!found) { + if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) { + logit("%s: read of %s failed: %s", __func__, + WTMPX_FILE, strerror(errno)); + close (fd); + return (0); + } + /* + * Logouts are recorded as a blank username on a particular + * line. So, we just need to find the username in struct utmpx + */ + if (wtmpx_islogin(li, &utx)) { + found = 1; +# if defined(HAVE_TV_IN_UTMPX) + li->tv_sec = utx.ut_tv.tv_sec; +# elif defined(HAVE_TIME_IN_UTMPX) + li->tv_sec = utx.ut_time; +# endif + line_fullname(li->line, utx.ut_line, sizeof(li->line)); +# if defined(HAVE_HOST_IN_UTMPX) + strlcpy(li->hostname, utx.ut_host, + MIN_SIZEOF(li->hostname, utx.ut_host)); +# endif + continue; + } + if (lseek(fd, -(off_t)(2 * sizeof(struct utmpx)), SEEK_CUR) == -1) { + close(fd); + return (0); + } + } + + close(fd); + return (1); +} +#endif /* USE_WTMPX */ + +/** + ** Low-level libutil login() functions + **/ + +#ifdef USE_LOGIN +static int +syslogin_perform_login(struct logininfo *li) +{ + struct utmp *ut; + + ut = xmalloc(sizeof(*ut)); + construct_utmp(li, ut); + login(ut); + free(ut); + + return (1); +} + +static int +syslogin_perform_logout(struct logininfo *li) +{ +# ifdef HAVE_LOGOUT + char line[UT_LINESIZE]; + + (void)line_stripname(line, li->line, sizeof(line)); + + if (!logout(line)) + logit("%s: logout() returned an error", __func__); +# ifdef HAVE_LOGWTMP + else + logwtmp(line, "", ""); +# endif + /* FIXME: (ATL - if the need arises) What to do if we have + * login, but no logout? what if logout but no logwtmp? All + * routines are in libutil so they should all be there, + * but... */ +# endif + return (1); +} + +int +syslogin_write_entry(struct logininfo *li) +{ + switch (li->type) { + case LTYPE_LOGIN: + return (syslogin_perform_login(li)); + case LTYPE_LOGOUT: + return (syslogin_perform_logout(li)); + default: + logit("%s: Invalid type field", __func__); + return (0); + } +} +#endif /* USE_LOGIN */ + +/* end of file log-syslogin.c */ + +/** + ** Low-level lastlog functions + **/ + +#ifdef USE_LASTLOG +#define LL_FILE 1 +#define LL_DIR 2 +#define LL_OTHER 3 + +static void +lastlog_construct(struct logininfo *li, struct lastlog *last) +{ + /* clear the structure */ + memset(last, '\0', sizeof(*last)); + + line_stripname(last->ll_line, li->line, sizeof(last->ll_line)); + strlcpy(last->ll_host, li->hostname, + MIN_SIZEOF(last->ll_host, li->hostname)); + last->ll_time = li->tv_sec; +} + +static int +lastlog_filetype(char *filename) +{ + struct stat st; + + if (stat(LASTLOG_FILE, &st) != 0) { + logit("%s: Couldn't stat %s: %s", __func__, + LASTLOG_FILE, strerror(errno)); + return (0); + } + if (S_ISDIR(st.st_mode)) + return (LL_DIR); + else if (S_ISREG(st.st_mode)) + return (LL_FILE); + else + return (LL_OTHER); +} + + +/* open the file (using filemode) and seek to the login entry */ +static int +lastlog_openseek(struct logininfo *li, int *fd, int filemode) +{ + off_t offset; + int type; + char lastlog_file[1024]; + + type = lastlog_filetype(LASTLOG_FILE); + switch (type) { + case LL_FILE: + strlcpy(lastlog_file, LASTLOG_FILE, + sizeof(lastlog_file)); + break; + case LL_DIR: + snprintf(lastlog_file, sizeof(lastlog_file), "%s/%s", + LASTLOG_FILE, li->username); + break; + default: + logit("%s: %.100s is not a file or directory!", __func__, + LASTLOG_FILE); + return (0); + } + + *fd = open(lastlog_file, filemode, 0600); + if (*fd < 0) { + debug("%s: Couldn't open %s: %s", __func__, + lastlog_file, strerror(errno)); + return (0); + } + + if (type == LL_FILE) { + /* find this uid's offset in the lastlog file */ + offset = (off_t) ((long)li->uid * sizeof(struct lastlog)); + + if (lseek(*fd, offset, SEEK_SET) != offset) { + logit("%s: %s->lseek(): %s", __func__, + lastlog_file, strerror(errno)); + return (0); + } + } + + return (1); +} + +static int +lastlog_perform_login(struct logininfo *li) +{ + struct lastlog last; + int fd; + + /* create our struct lastlog */ + lastlog_construct(li, &last); + + if (!lastlog_openseek(li, &fd, O_RDWR|O_CREAT)) + return (0); + + /* write the entry */ + if (atomicio(vwrite, fd, &last, sizeof(last)) != sizeof(last)) { + close(fd); + logit("%s: Error writing to %s: %s", __func__, + LASTLOG_FILE, strerror(errno)); + return (0); + } + + close(fd); + return (1); +} + +int +lastlog_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (lastlog_perform_login(li)); + default: + logit("%s: Invalid type field", __func__); + return (0); + } +} + +static void +lastlog_populate_entry(struct logininfo *li, struct lastlog *last) +{ + line_fullname(li->line, last->ll_line, sizeof(li->line)); + strlcpy(li->hostname, last->ll_host, + MIN_SIZEOF(li->hostname, last->ll_host)); + li->tv_sec = last->ll_time; +} + +int +lastlog_get_entry(struct logininfo *li) +{ + struct lastlog last; + int fd, ret; + + if (!lastlog_openseek(li, &fd, O_RDONLY)) + return (0); + + ret = atomicio(read, fd, &last, sizeof(last)); + close(fd); + + switch (ret) { + case 0: + memset(&last, '\0', sizeof(last)); + /* FALLTHRU */ + case sizeof(last): + lastlog_populate_entry(li, &last); + return (1); + case -1: + error("%s: Error reading from %s: %s", __func__, + LASTLOG_FILE, strerror(errno)); + return (0); + default: + error("%s: Error reading from %s: Expecting %d, got %d", + __func__, LASTLOG_FILE, sizeof(last), ret); + return (0); + } + + /* NOTREACHED */ + return (0); +} +#endif /* USE_LASTLOG */ + +#ifdef USE_BTMP + /* + * Logs failed login attempts in _PATH_BTMP if that exists. + * The most common login failure is to give password instead of username. + * So the _PATH_BTMP file checked for the correct permission, so that + * only root can read it. + */ + +void +record_failed_login(const char *username, const char *hostname, + const char *ttyn) +{ + int fd; + struct utmp ut; + struct sockaddr_storage from; + size_t fromlen = sizeof(from); + struct sockaddr_in *a4; + struct sockaddr_in6 *a6; + time_t t; + struct stat fst; + + if (geteuid() != 0) + return; + if ((fd = open(_PATH_BTMP, O_WRONLY | O_APPEND)) < 0) { + debug("Unable to open the btmp file %s: %s", _PATH_BTMP, + strerror(errno)); + return; + } + if (fstat(fd, &fst) < 0) { + logit("%s: fstat of %s failed: %s", __func__, _PATH_BTMP, + strerror(errno)); + goto out; + } + if((fst.st_mode & (S_IRWXG | S_IRWXO)) || (fst.st_uid != 0)){ + logit("Excess permission or bad ownership on file %s", + _PATH_BTMP); + goto out; + } + + memset(&ut, 0, sizeof(ut)); + /* strncpy because we don't necessarily want nul termination */ + strncpy(ut.ut_user, username, sizeof(ut.ut_user)); + strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line)); + + time(&t); + ut.ut_time = t; /* ut_time is not always a time_t */ + ut.ut_type = LOGIN_PROCESS; + ut.ut_pid = getpid(); + + /* strncpy because we don't necessarily want nul termination */ + strncpy(ut.ut_host, hostname, sizeof(ut.ut_host)); + + if (packet_connection_is_on_socket() && + getpeername(packet_get_connection_in(), + (struct sockaddr *)&from, &fromlen) == 0) { + ipv64_normalise_mapped(&from, &fromlen); + if (from.ss_family == AF_INET) { + a4 = (struct sockaddr_in *)&from; + memcpy(&ut.ut_addr, &(a4->sin_addr), + MIN_SIZEOF(ut.ut_addr, a4->sin_addr)); + } +#ifdef HAVE_ADDR_V6_IN_UTMP + if (from.ss_family == AF_INET6) { + a6 = (struct sockaddr_in6 *)&from; + memcpy(&ut.ut_addr_v6, &(a6->sin6_addr), + MIN_SIZEOF(ut.ut_addr_v6, a6->sin6_addr)); + } +#endif + } + + if (atomicio(vwrite, fd, &ut, sizeof(ut)) != sizeof(ut)) + error("Failed to write to %s: %s", _PATH_BTMP, + strerror(errno)); + +out: + close(fd); +} +#endif /* USE_BTMP */ diff -ruN --exclude CVS ssh-openbsd-2005090100/loginrec.h openssh-4.2p1/loginrec.h --- ssh-openbsd-2005090100/loginrec.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/loginrec.h Sun Jun 19 10:19:44 2005 @@ -0,0 +1,137 @@ +#ifndef _HAVE_LOGINREC_H_ +#define _HAVE_LOGINREC_H_ + +/* + * Copyright (c) 2000 Andre Lucas. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + ** loginrec.h: platform-independent login recording and lastlog retrieval + **/ + +#include "includes.h" + +#include +#include +#include + +/* RCSID("$Id: loginrec.h,v 1.10 2005/06/19 00:19:44 djm Exp $"); */ + +/** + ** you should use the login_* calls to work around platform dependencies + **/ + +/* + * login_netinfo structure + */ + +union login_netinfo { + struct sockaddr sa; + struct sockaddr_in sa_in; + struct sockaddr_storage sa_storage; +}; + +/* + * * logininfo structure * + */ +/* types - different to utmp.h 'type' macros */ +/* (though set to the same value as linux, openbsd and others...) */ +#define LTYPE_LOGIN 7 +#define LTYPE_LOGOUT 8 + +/* string lengths - set very long */ +#define LINFO_PROGSIZE 64 +#define LINFO_LINESIZE 64 +#define LINFO_NAMESIZE 128 +#define LINFO_HOSTSIZE 256 + +struct logininfo { + char progname[LINFO_PROGSIZE]; /* name of program (for PAM) */ + int progname_null; + short int type; /* type of login (LTYPE_*) */ + int pid; /* PID of login process */ + int uid; /* UID of this user */ + char line[LINFO_LINESIZE]; /* tty/pty name */ + char username[LINFO_NAMESIZE]; /* login username */ + char hostname[LINFO_HOSTSIZE]; /* remote hostname */ + /* 'exit_status' structure components */ + int exit; /* process exit status */ + int termination; /* process termination status */ + /* struct timeval (sys/time.h) isn't always available, if it isn't we'll + * use time_t's value as tv_sec and set tv_usec to 0 + */ + unsigned int tv_sec; + unsigned int tv_usec; + union login_netinfo hostaddr; /* caller's host address(es) */ +}; /* struct logininfo */ + +/* + * login recording functions + */ + +/** 'public' functions */ + +/* construct a new login entry */ +struct logininfo *login_alloc_entry(int pid, const char *username, + const char *hostname, const char *line); +/* free a structure */ +void login_free_entry(struct logininfo *li); +/* fill out a pre-allocated structure with useful information */ +int login_init_entry(struct logininfo *li, int pid, const char *username, + const char *hostname, const char *line); +/* place the current time in a logininfo struct */ +void login_set_current_time(struct logininfo *li); + +/* record the entry */ +int login_login (struct logininfo *li); +int login_logout(struct logininfo *li); +#ifdef LOGIN_NEEDS_UTMPX +int login_utmp_only(struct logininfo *li); +#endif + +/** End of public functions */ + +/* record the entry */ +int login_write (struct logininfo *li); +int login_log_entry(struct logininfo *li); + +/* set the network address based on network address type */ +void login_set_addr(struct logininfo *li, const struct sockaddr *sa, + const unsigned int sa_size); + +/* + * lastlog retrieval functions + */ +/* lastlog *entry* functions fill out a logininfo */ +struct logininfo *login_get_lastlog(struct logininfo *li, const int uid); +/* lastlog *time* functions return time_t equivalent (uint) */ +unsigned int login_get_lastlog_time(const int uid); + +/* produce various forms of the line filename */ +char *line_fullname(char *dst, const char *src, u_int dstsize); +char *line_stripname(char *dst, const char *src, int dstsize); +char *line_abbrevname(char *dst, const char *src, int dstsize); + +void record_failed_login(const char *, const char *, const char *); + +#endif /* _HAVE_LOGINREC_H_ */ diff -ruN --exclude CVS ssh-openbsd-2005090100/logintest.c openssh-4.2p1/logintest.c --- ssh-openbsd-2005090100/logintest.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/logintest.c Sat Jul 17 14:07:42 2004 @@ -0,0 +1,306 @@ +/* + * Copyright (c) 2000 Andre Lucas. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + ** logintest.c: simple test driver for platform-independent login recording + ** and lastlog retrieval + **/ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_TIME_H +#include +#endif + +#include "loginrec.h" + +RCSID("$Id: logintest.c,v 1.11 2004/07/17 04:07:42 dtucker Exp $"); + +extern char *__progname; + +#define PAUSE_BEFORE_LOGOUT 3 + +int nologtest = 0; +int compile_opts_only = 0; +int be_verbose = 0; + + +/* Dump a logininfo to stdout. Assumes a tab size of 8 chars. */ +void +dump_logininfo(struct logininfo *li, char *descname) +{ + /* yes I know how nasty this is */ + printf("struct logininfo %s = {\n\t" + "progname\t'%s'\n\ttype\t\t%d\n\t" + "pid\t\t%d\n\tuid\t\t%d\n\t" + "line\t\t'%s'\n\tusername\t'%s'\n\t" + "hostname\t'%s'\n\texit\t\t%d\n\ttermination\t%d\n\t" + "tv_sec\t%d\n\ttv_usec\t%d\n\t" + "struct login_netinfo hostaddr {\n\t\t" + "struct sockaddr sa {\n" + "\t\t\tfamily\t%d\n\t\t}\n" + "\t}\n" + "}\n", + descname, li->progname, li->type, + li->pid, li->uid, li->line, + li->username, li->hostname, li->exit, + li->termination, li->tv_sec, li->tv_usec, + li->hostaddr.sa.sa_family); +} + + +int +testAPI() +{ + struct logininfo *li1; + struct passwd *pw; + struct hostent *he; + struct sockaddr_in sa_in4; + char cmdstring[256], stripline[8]; + char username[32]; +#ifdef HAVE_TIME_H + time_t t0, t1, t2, logintime, logouttime; + char s_t0[64],s_t1[64],s_t2[64]; + char s_logintime[64], s_logouttime[64]; /* ctime() strings */ +#endif + + printf("**\n** Testing the API...\n**\n"); + + pw = getpwuid(getuid()); + strlcpy(username, pw->pw_name, sizeof(username)); + + /* gethostname(hostname, sizeof(hostname)); */ + + printf("login_alloc_entry test (no host info):\n"); + + /* FIXME fake tty more effectively - this could upset some platforms */ + li1 = login_alloc_entry((int)getpid(), username, NULL, ttyname(0)); + strlcpy(li1->progname, "OpenSSH-logintest", sizeof(li1->progname)); + + if (be_verbose) + dump_logininfo(li1, "li1"); + + printf("Setting host address info for 'localhost' (may call out):\n"); + if (! (he = gethostbyname("localhost"))) { + printf("Couldn't set hostname(lookup failed)\n"); + } else { + /* NOTE: this is messy, but typically a program wouldn't have to set + * any of this, a sockaddr_in* would be already prepared */ + memcpy((void *)&(sa_in4.sin_addr), (void *)&(he->h_addr_list[0][0]), + sizeof(struct in_addr)); + login_set_addr(li1, (struct sockaddr *) &sa_in4, sizeof(sa_in4)); + strlcpy(li1->hostname, "localhost", sizeof(li1->hostname)); + } + if (be_verbose) + dump_logininfo(li1, "li1"); + + if ((int)geteuid() != 0) { + printf("NOT RUNNING LOGIN TESTS - you are not root!\n"); + return 1; + } + + if (nologtest) + return 1; + + line_stripname(stripline, li1->line, sizeof(stripline)); + + printf("Performing an invalid login attempt (no type field)\n--\n"); + login_write(li1); + printf("--\n(Should have written errors to stderr)\n"); + +#ifdef HAVE_TIME_H + (void)time(&t0); + strlcpy(s_t0, ctime(&t0), sizeof(s_t0)); + t1 = login_get_lastlog_time(getuid()); + strlcpy(s_t1, ctime(&t1), sizeof(s_t1)); + printf("Before logging in:\n\tcurrent time is %d - %s\t" + "lastlog time is %d - %s\n", + (int)t0, s_t0, (int)t1, s_t1); +#endif + + printf("Performing a login on line %s ", stripline); +#ifdef HAVE_TIME_H + (void)time(&logintime); + strlcpy(s_logintime, ctime(&logintime), sizeof(s_logintime)); + printf("at %d - %s", (int)logintime, s_logintime); +#endif + printf("--\n"); + login_login(li1); + + snprintf(cmdstring, sizeof(cmdstring), "who | grep '%s '", + stripline); + system(cmdstring); + + printf("--\nPausing for %d second(s)...\n", PAUSE_BEFORE_LOGOUT); + sleep(PAUSE_BEFORE_LOGOUT); + + printf("Performing a logout "); +#ifdef HAVE_TIME_H + (void)time(&logouttime); + strlcpy(s_logouttime, ctime(&logouttime), sizeof(s_logouttime)); + printf("at %d - %s", (int)logouttime, s_logouttime); +#endif + printf("\nThe root login shown above should be gone.\n" + "If the root login hasn't gone, but another user on the same\n" + "pty has, this is OK - we're hacking it here, and there\n" + "shouldn't be two users on one pty in reality...\n" + "-- ('who' output follows)\n"); + login_logout(li1); + + system(cmdstring); + printf("-- ('who' output ends)\n"); + +#ifdef HAVE_TIME_H + t2 = login_get_lastlog_time(getuid()); + strlcpy(s_t2, ctime(&t2), sizeof(s_t2)); + printf("After logging in, lastlog time is %d - %s\n", (int)t2, s_t2); + if (t1 == t2) + printf("The lastlog times before and after logging in are the " + "same.\nThis indicates that lastlog is ** NOT WORKING " + "CORRECTLY **\n"); + else if (t0 != t2) + /* We can be off by a second or so, even when recording works fine. + * I'm not 100% sure why, but it's true. */ + printf("** The login time and the lastlog time differ.\n" + "** This indicates that lastlog is either recording the " + "wrong time,\n** or retrieving the wrong entry.\n" + "If it's off by less than %d second(s) " + "run the test again.\n", PAUSE_BEFORE_LOGOUT); + else + printf("lastlog agrees with the login time. This is a good thing.\n"); + +#endif + + printf("--\nThe output of 'last' shown next should have " + "an entry for root \n on %s for the time shown above:\n--\n", + stripline); + snprintf(cmdstring, sizeof(cmdstring), "last | grep '%s ' | head -3", + stripline); + system(cmdstring); + + printf("--\nEnd of login test.\n"); + + login_free_entry(li1); + + return 1; +} /* testAPI() */ + + +void +testLineName(char *line) +{ + /* have to null-terminate - these functions are designed for + * structures with fixed-length char arrays, and don't null-term.*/ + char full[17], strip[9], abbrev[5]; + + memset(full, '\0', sizeof(full)); + memset(strip, '\0', sizeof(strip)); + memset(abbrev, '\0', sizeof(abbrev)); + + line_fullname(full, line, sizeof(full)-1); + line_stripname(strip, full, sizeof(strip)-1); + line_abbrevname(abbrev, full, sizeof(abbrev)-1); + printf("%s: %s, %s, %s\n", line, full, strip, abbrev); + +} /* testLineName() */ + + +int +testOutput() +{ + printf("**\n** Testing linename functions\n**\n"); + testLineName("/dev/pts/1"); + testLineName("pts/1"); + testLineName("pts/999"); + testLineName("/dev/ttyp00"); + testLineName("ttyp00"); + + return 1; +} /* testOutput() */ + + +/* show which options got compiled in */ +void +showOptions(void) +{ + printf("**\n** Compile-time options\n**\n"); + + printf("login recording methods selected:\n"); +#ifdef USE_LOGIN + printf("\tUSE_LOGIN\n"); +#endif +#ifdef USE_UTMP + printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE); +#endif +#ifdef USE_UTMPX + printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE); +#endif +#ifdef USE_WTMP + printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE); +#endif +#ifdef USE_WTMPX + printf("\tUSE_WTMPX (WTMPX_FILE=%s)\n", WTMPX_FILE); +#endif +#ifdef USE_LASTLOG + printf("\tUSE_LASTLOG (LASTLOG_FILE=%s)\n", LASTLOG_FILE); +#endif + printf("\n"); + +} /* showOptions() */ + + +int +main(int argc, char *argv[]) +{ + printf("Platform-independent login recording test driver\n"); + + __progname = ssh_get_progname(argv[0]); + if (argc == 2) { + if (strncmp(argv[1], "-i", 3) == 0) + compile_opts_only = 1; + else if (strncmp(argv[1], "-v", 3) == 0) + be_verbose=1; + } + + if (!compile_opts_only) { + if (be_verbose && !testOutput()) + return 1; + + if (!testAPI()) + return 1; + } + + showOptions(); + + return 0; +} /* main() */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/md5crypt.c openssh-4.2p1/md5crypt.c --- ssh-openbsd-2005090100/md5crypt.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/md5crypt.c Fri Nov 21 23:56:47 2003 @@ -0,0 +1,165 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this + * notice you can do whatever you want with this stuff. If we meet some + * day, and you think this stuff is worth it, you can buy me a beer in + * return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +#include "includes.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +#include + +RCSID("$Id: md5crypt.c,v 1.9 2003/11/21 12:56:47 djm Exp $"); + +/* 0 ... 63 => ascii - 64 */ +static unsigned char itoa64[] = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static char *magic = "$1$"; + +static char * +to64(unsigned long v, int n) +{ + static char buf[5]; + char *s = buf; + + if (n > 4) + return (NULL); + + memset(buf, '\0', sizeof(buf)); + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } + + return (buf); +} + +int +is_md5_salt(const char *salt) +{ + return (strncmp(salt, magic, strlen(magic)) == 0); +} + +char * +md5_crypt(const char *pw, const char *salt) +{ + static char passwd[120], salt_copy[9], *p; + static const char *sp, *ep; + unsigned char final[16]; + int sl, pl, i, j; + MD5_CTX ctx, ctx1; + unsigned long l; + + /* Refine the Salt first */ + sp = salt; + + /* If it starts with the magic string, then skip that */ + if(strncmp(sp, magic, strlen(magic)) == 0) + sp += strlen(magic); + + /* It stops at the first '$', max 8 chars */ + for (ep = sp; *ep != '$'; ep++) { + if (*ep == '\0' || ep >= (sp + 8)) + return (NULL); + } + + /* get the length of the true salt */ + sl = ep - sp; + + /* Stash the salt */ + memcpy(salt_copy, sp, sl); + salt_copy[sl] = '\0'; + + MD5_Init(&ctx); + + /* The password first, since that is what is most unknown */ + MD5_Update(&ctx, pw, strlen(pw)); + + /* Then our magic string */ + MD5_Update(&ctx, magic, strlen(magic)); + + /* Then the raw salt */ + MD5_Update(&ctx, sp, sl); + + /* Then just as many characters of the MD5(pw, salt, pw) */ + MD5_Init(&ctx1); + MD5_Update(&ctx1, pw, strlen(pw)); + MD5_Update(&ctx1, sp, sl); + MD5_Update(&ctx1, pw, strlen(pw)); + MD5_Final(final, &ctx1); + + for(pl = strlen(pw); pl > 0; pl -= 16) + MD5_Update(&ctx, final, pl > 16 ? 16 : pl); + + /* Don't leave anything around in vm they could use. */ + memset(final, '\0', sizeof final); + + /* Then something really weird... */ + for (j = 0, i = strlen(pw); i != 0; i >>= 1) + if (i & 1) + MD5_Update(&ctx, final + j, 1); + else + MD5_Update(&ctx, pw + j, 1); + + /* Now make the output string */ + snprintf(passwd, sizeof(passwd), "%s%s$", magic, salt_copy); + + MD5_Final(final, &ctx); + + /* + * and now, just to make sure things don't run too fast + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... + */ + for(i = 0; i < 1000; i++) { + MD5_Init(&ctx1); + if (i & 1) + MD5_Update(&ctx1, pw, strlen(pw)); + else + MD5_Update(&ctx1, final, 16); + + if (i % 3) + MD5_Update(&ctx1, sp, sl); + + if (i % 7) + MD5_Update(&ctx1, pw, strlen(pw)); + + if (i & 1) + MD5_Update(&ctx1, final, 16); + else + MD5_Update(&ctx1, pw, strlen(pw)); + + MD5_Final(final, &ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; + strlcat(passwd, to64(l, 4), sizeof(passwd)); + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; + strlcat(passwd, to64(l, 4), sizeof(passwd)); + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; + strlcat(passwd, to64(l, 4), sizeof(passwd)); + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; + strlcat(passwd, to64(l, 4), sizeof(passwd)); + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; + strlcat(passwd, to64(l, 4), sizeof(passwd)); + l = final[11] ; + strlcat(passwd, to64(l, 2), sizeof(passwd)); + + /* Don't leave anything around in vm they could use. */ + memset(final, 0, sizeof(final)); + memset(salt_copy, 0, sizeof(salt_copy)); + memset(&ctx, 0, sizeof(ctx)); + memset(&ctx1, 0, sizeof(ctx1)); + (void)to64(0, 4); + + return (passwd); +} + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/md5crypt.h openssh-4.2p1/md5crypt.h --- ssh-openbsd-2005090100/md5crypt.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/md5crypt.h Mon May 19 00:46:46 2003 @@ -0,0 +1,24 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* $Id: md5crypt.h,v 1.4 2003/05/18 14:46:46 djm Exp $ */ + +#ifndef _MD5CRYPT_H +#define _MD5CRYPT_H + +#include "config.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) + +int is_md5_salt(const char *); +char *md5_crypt(const char *, const char *); + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + +#endif /* MD5CRYPT_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/mdoc2man.awk openssh-4.2p1/mdoc2man.awk --- ssh-openbsd-2005090100/mdoc2man.awk Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/mdoc2man.awk Tue May 31 16:59:17 2005 @@ -0,0 +1,351 @@ +#!/usr/bin/awk +# +# Version history: +# v3, I put the program under a proper license +# Dan Nelson added .An, .Aq and fixed a typo +# v2, fixed to work on GNU awk --posix and MacOS X +# v1, first attempt, didn't work on MacOS X +# +# Copyright (c) 2003 Peter Stuge +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +BEGIN { + optlist=0 + oldoptlist=0 + nospace=0 + synopsis=0 + reference=0 + block=0 + ext=0 + extopt=0 + literal=0 + prenl=0 + breakw=0 + line="" +} + +function wtail() { + retval="" + while(w0;i--) { + add(refauthors[i]) + if(i>1) + add(", ") + } + if(nrefauthors>1) + add(" and ") + add(refauthors[0] ", \\fI" reftitle "\\fP") + if(length(refissue)) + add(", " refissue) + if(length(refdate)) + add(", " refdate) + if(length(refopt)) + add(", " refopt) + add(".") + reference=0 + } else if(reference) { + if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() } + if(match(words[w],"^%T$")) { + reftitle=wtail() + sub("^\"","",reftitle) + sub("\"$","",reftitle) + } + if(match(words[w],"^%N$")) { refissue=wtail() } + if(match(words[w],"^%D$")) { refdate=wtail() } + if(match(words[w],"^%O$")) { refopt=wtail() } + } else if(match(words[w],"^Nm$")) { + if(synopsis) { + add(".br") + prenl++ + } + n=words[++w] + if(!length(name)) + name=n + if(!length(n)) + n=name + add("\\fB" n "\\fP") + if(!nospace&&match(words[w+1],"^[\\.,]")) + nospace=1 + } else if(match(words[w],"^Nd$")) { + add("\\- " wtail()) + } else if(match(words[w],"^Fl$")) { + add("\\fB\\-" words[++w] "\\fP") + if(!nospace&&match(words[w+1],"^[\\.,]")) + nospace=1 + } else if(match(words[w],"^Ar$")) { + add("\\fI") + if(w==nwords) + add("file ...\\fP") + else { + add(words[++w] "\\fP") + while(match(words[w+1],"^\\|$")) + add(OFS words[++w] " \\fI" words[++w] "\\fP") + } + if(!nospace&&match(words[w+1],"^[\\.,]")) + nospace=1 + } else if(match(words[w],"^Cm$")) { + add("\\fB" words[++w] "\\fP") + while(w") + if(option) + add("]") + if(ext&&!extopt&&!match(line," $")) + add(OFS) + if(!ext&&!extopt&&length(line)) { + print line + prenl=0 + line="" + } +} diff -ruN --exclude CVS ssh-openbsd-2005090100/misc.c openssh-4.2p1/misc.c --- ssh-openbsd-2005090100/misc.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/misc.c Thu Jul 14 17:05:02 2005 @@ -159,9 +159,15 @@ copy->pw_gecos = xstrdup(pw->pw_gecos); copy->pw_uid = pw->pw_uid; copy->pw_gid = pw->pw_gid; +#ifdef HAVE_PW_EXPIRE_IN_PASSWD copy->pw_expire = pw->pw_expire; +#endif +#ifdef HAVE_PW_CHANGE_IN_PASSWD copy->pw_change = pw->pw_change; +#endif +#ifdef HAVE_PW_CLASS_IN_PASSWD copy->pw_class = xstrdup(pw->pw_class); +#endif copy->pw_dir = xstrdup(pw->pw_dir); copy->pw_shell = xstrdup(pw->pw_shell); return copy; diff -ruN --exclude CVS ssh-openbsd-2005090100/mkinstalldirs openssh-4.2p1/mkinstalldirs --- ssh-openbsd-2005090100/mkinstalldirs Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/mkinstalldirs Fri Nov 21 23:48:55 2003 @@ -0,0 +1,40 @@ +#! /bin/sh +# mkinstalldirs --- make directory hierarchy +# Author: Noah Friedman +# Created: 1993-05-16 +# Public domain + +# $Id: mkinstalldirs,v 1.2 2003/11/21 12:48:55 djm Exp $ + +errstatus=0 + +for file +do + set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'` + shift + + pathcomp= + for d + do + pathcomp="$pathcomp$d" + case "$pathcomp" in + -* ) pathcomp=./$pathcomp ;; + esac + + if test ! -d "$pathcomp"; then + echo "mkdir $pathcomp" + + mkdir "$pathcomp" || lasterr=$? + + if test ! -d "$pathcomp"; then + errstatus=$lasterr + fi + fi + + pathcomp="$pathcomp/" + done +done + +exit $errstatus + +# mkinstalldirs ends here diff -ruN --exclude CVS ssh-openbsd-2005090100/moduli openssh-4.2p1/moduli --- ssh-openbsd-2005090100/moduli Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/moduli Mon Jan 24 22:00:40 2005 @@ -0,0 +1,200 @@ +# $OpenBSD: moduli,v 1.3 2005/01/24 10:29:06 dtucker Exp $ +# Time Type Tests Tries Size Generator Modulus +20040225025212 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7AFFE86A7 +20040225025304 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B01F83CB +20040225025357 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B03F2B73 +20040225025411 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B041C8C7 +20040225025444 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0546E93 +20040225025458 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0573767 +20040225025522 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0629E73 +20040225025545 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B06CD95B +20040225025616 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B07C93A3 +20040225025655 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B093C72B +20040225025710 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B096450B +20040225025750 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0AF2C83 +20040225025830 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0C7F1FF +20040225025845 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0CB565B +20040225025858 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0CD8557 +20040225025915 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0D20473 +20040225025934 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0D924F7 +20040225025952 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0DFD8BB +20040225030015 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0E8E59F +20040225030039 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0F43B0B +20040225030104 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0FEB103 +20040225030130 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B10AC3DB +20040225030149 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1122527 +20040225030214 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B11E494B +20040225030245 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B12E727B +20040225030319 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1416743 +20040225030347 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1507F2B +20040225030404 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1560FE3 +20040225030418 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1591CF7 +20040225030432 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B15B57FF +20040225030455 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B165D0AF +20040225030511 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B169C97F +20040225030551 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B182715B +20040225030621 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1920737 +20040225030648 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B19FB54B +20040225030718 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1AFAE87 +20040225030736 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1B5A7AF +20040225030753 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1BC3C47 +20040225030815 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1C6AF33 +20040225030831 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1CAD9FB +20040225030902 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1DC6A8F +20040225035226 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844800C47CAB +20040225035359 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844800D3866B +20040225035635 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844800F43DFF +20040225035846 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448010B4D93 +20040225040147 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448013094F3 +20040225040301 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448013AA0FB +20040225040619 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480163EC83 +20040225040718 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448016AEB8F +20040225041023 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480190871F +20040225041328 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844801B5F1B3 +20040225041740 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844801ED6FBB +20040225041921 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844801FEC44F +20040225042229 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802245FF7 +20040225042513 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480246F93B +20040225042547 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802473F4F +20040225042707 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480253B03B +20040225043111 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480287CD9B +20040225043513 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802BC32FB +20040225043609 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802C2125B +20040225043847 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802E1B733 +20040225043925 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802E2E963 +20040225044335 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448031AC423 +20040225045303 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803A10E07 +20040225045443 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803B0EF43 +20040225045518 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803B15033 +20040225045923 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803E58317 +20040225050120 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803F9EB4F +20040225050333 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448041304B3 +20040225050524 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804279B2F +20040225050559 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804281047 +20040225050810 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448043F454F +20040225051113 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804672F1F +20040225051335 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804809CB3 +20040225051442 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480489545F +20040225052303 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804FE918B +20040225062215 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6B9F68B3E7 +20040225063823 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6B9FD47307 +20040225064402 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6B9FF43C0F +20040225065646 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA04740DB +20040225065825 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA04B01BF +20040225070116 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA056DD47 +20040225074027 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA172E1B3 +20040225080343 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA217422F +20040225081159 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA24927DB +20040225081331 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA24C058B +20040225082528 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA2993EBF +20040225084537 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3242BE3 +20040225085012 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA33EF643 +20040225085829 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3729D77 +20040225090710 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3AC0143 +20040225091002 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3B8AE6B +20040225092648 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA42B65D7 +20040225093120 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA4442793 +20040225093517 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA459441F +20040225094409 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA491BE4B +20040225095209 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA4C4E437 +20040225095548 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA4D5D7AB +20040225100531 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA51404EB +20040225100644 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5145C87 +20040225101834 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5609CBB +20040225102317 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA57AC86F +20040225103220 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5B631A3 +20040225103355 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5B98D2F +20040225103756 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5CEBAFB +20040225104020 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5D77CDF +20040225104557 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5F6FD9F +20040225110302 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA66A70DF +20040225110515 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA6721A43 +20040225110913 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA6879A53 +20040225111338 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA69FE2FB +20040225111911 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA6C04F47 +20040225112902 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA7007CD3 +20040225143208 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8968A91B +20040225144922 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8987DF6B +20040225150309 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD899E0F8B +20040225161716 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8A3A91CF +20040225163012 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8A4CED2B +20040225175457 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8B02C5DB +20040225182539 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8B3E9D13 +20040225194030 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8BDE269B +20040225201420 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C203553 +20040225203219 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C40B747 +20040225203908 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C46ED83 +20040225210230 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C72586B +20040225212746 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8CA15F2F +20040225214624 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8CC34833 +20040225223007 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8D1B23AB +20040225234913 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8DC36C9B +20040226001353 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8DF174B3 +20040226004101 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8E24518B +20040226010652 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8E543397 +20040226015415 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8EB6152F +20040226022931 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8EFD1773 +20040226025740 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8F3376D7 +20040226053010 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD90786CE3 +20040226054156 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD908AC36B +20040226081600 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD91D61A43 +20040226083039 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD91ED4AE3 +20040226092910 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9265F7DB +20040226112913 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD93696533 +20040226115826 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD93A210A3 +20040226135326 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD949596D7 +20040226145128 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD95096CCF +20040226153142 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD95582C7B +20040226164905 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD95FACE7B +20040226171921 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9633F443 +20040226182347 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD96BAC3A7 +20040226200555 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD97972EFB +20040226202801 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD97C0B5C3 +20040226214755 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9868011B +20040226215843 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9876E7FB +20040226220422 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD987B4983 +20040226222346 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD989D61D3 +20040227091438 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC5737ECF +20040227101541 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC5AE7363 +20040227160657 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC7295F4F +20040227180410 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC7A46573 +20040227225950 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC8E6D5E3 +20040227233727 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC9079B33 +20040228032633 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCA006227 +20040228060859 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCAAE6E63 +20040228101703 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCBBC54FB +20040228192850 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCE191D13 +20040229084451 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD1804AF3 +20040229164933 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD3887E07 +20040229210220 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD49457B7 +20040229222958 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD4EA3223 +20040301003324 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD566C79B +20040301030228 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD6032D8F +20040301040042 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD63B1113 +20040301073501 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD71C4A67 +20040301133631 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD8A0BBD3 +20040301165652 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD96E4053 +20040301184021 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD9D662FB +20040302045553 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDC5FE8E3 +20040302112648 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDDFE9D13 +20040302120026 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDE1A5AD3 +20040302130757 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDE5E4073 +20040302142004 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDEA4AA9B +20040302145603 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDEC2C32B +20040302212946 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFE0652EC7 +20040303003544 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFE127CF63 +20040303072925 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFE2D793F3 +20040305011518 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E4CE974B +20040305043124 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E5050933 +20040305084728 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E54C7783 +20040306205350 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E809C413 +20040309221333 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080ED7F9CFB +20040311222059 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F103209F +20040312160304 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F247861B +20040312210904 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F29D939F +20040316074005 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F8B1F7DB +20040317113309 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080FAAE1F73 +20040317195246 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080FB3F2B93 +20040319025848 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080FD81741B +20040323194658 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C708105AF04AF +20040324041535 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C70810643E737 diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor.c openssh-4.2p1/monitor.c --- ssh-openbsd-2005090100/monitor.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/monitor.c Sun Jul 17 17:53:31 2005 @@ -37,7 +37,13 @@ #include "auth.h" #include "kex.h" #include "dh.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC #include "zlib.h" +#define TARGET_OS_MAC 1 +#else +#include "zlib.h" +#endif #include "packet.h" #include "auth-options.h" #include "sshpty.h" @@ -121,6 +127,15 @@ int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); +#ifdef USE_PAM +int mm_answer_pam_start(int, Buffer *); +int mm_answer_pam_account(int, Buffer *); +int mm_answer_pam_init_ctx(int, Buffer *); +int mm_answer_pam_query(int, Buffer *); +int mm_answer_pam_respond(int, Buffer *); +int mm_answer_pam_free_ctx(int, Buffer *); +#endif + #ifdef GSSAPI int mm_answer_gss_setup_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *); @@ -128,6 +143,11 @@ int mm_answer_gss_checkmic(int, Buffer *); #endif +#ifdef SSH_AUDIT_EVENTS +int mm_answer_audit_event(int, Buffer *); +int mm_answer_audit_command(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -163,6 +183,17 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, + {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, + {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, + {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, + {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, +#endif +#ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, +#endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond}, @@ -188,6 +219,10 @@ {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, +#endif {0, 0, NULL} }; @@ -208,6 +243,17 @@ {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, #endif +#ifdef USE_PAM + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, + {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, + {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, + {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, + {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, +#endif +#ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, +#endif {0, 0, NULL} }; @@ -215,6 +261,10 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef SSH_AUDIT_EVENTS + {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, + {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command}, +#endif {0, 0, NULL} }; @@ -260,6 +310,8 @@ authctxt = _authctxt; memset(authctxt, 0, sizeof(*authctxt)); + authctxt->loginmsg = &loginmsg; + if (compat20) { mon_dispatch = mon_dispatch_proto20; @@ -282,6 +334,18 @@ if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(auth_method)) authenticated = 0; +#ifdef USE_PAM + /* PAM needs to perform account checks after auth */ + if (options.use_pam && authenticated) { + Buffer m; + + buffer_init(&m); + mm_request_receive_expect(pmonitor->m_sendfd, + MONITOR_REQ_PAM_ACCOUNT, &m); + authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); + buffer_free(&m); + } +#endif } if (ent->flags & MON_AUTHDECIDE) { @@ -543,7 +607,9 @@ buffer_put_cstring(m, pwent->pw_name); buffer_put_cstring(m, "*"); buffer_put_cstring(m, pwent->pw_gecos); +#ifdef HAVE_PW_CLASS_IN_PASSWD buffer_put_cstring(m, pwent->pw_class); +#endif buffer_put_cstring(m, pwent->pw_dir); buffer_put_cstring(m, pwent->pw_shell); @@ -560,6 +626,13 @@ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } +#ifdef USE_PAM + if (options.use_pam) + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); +#endif +#ifdef SSH_AUDIT_EVENTS + monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1); +#endif return (0); } @@ -695,7 +768,8 @@ char challenge[1024]; u_int success; - success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1; + success = _compat_skeychallenge(&skey, authctxt->user, challenge, + sizeof(challenge)) < 0 ? 0 : 1; buffer_clear(m); buffer_put_int(m, success); @@ -735,6 +809,138 @@ } #endif +#ifdef USE_PAM +int +mm_answer_pam_start(int sock, Buffer *m) +{ + if (!options.use_pam) + fatal("UsePAM not set, but ended up in %s anyway", __func__); + + start_pam(authctxt); + + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); + + return (0); +} + +int +mm_answer_pam_account(int sock, Buffer *m) +{ + u_int ret; + + if (!options.use_pam) + fatal("UsePAM not set, but ended up in %s anyway", __func__); + + ret = do_pam_account(); + + buffer_put_int(m, ret); + buffer_append(&loginmsg, "\0", 1); + buffer_put_cstring(m, buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + + mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); + + return (ret); +} + +static void *sshpam_ctxt, *sshpam_authok; +extern KbdintDevice sshpam_device; + +int +mm_answer_pam_init_ctx(int sock, Buffer *m) +{ + + debug3("%s", __func__); + authctxt->user = buffer_get_string(m, NULL); + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); + sshpam_authok = NULL; + buffer_clear(m); + if (sshpam_ctxt != NULL) { + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1); + buffer_put_int(m, 1); + } else { + buffer_put_int(m, 0); + } + mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m); + return (0); +} + +int +mm_answer_pam_query(int sock, Buffer *m) +{ + char *name, *info, **prompts; + u_int i, num, *echo_on; + int ret; + + debug3("%s", __func__); + sshpam_authok = NULL; + ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on); + if (ret == 0 && num == 0) + sshpam_authok = sshpam_ctxt; + if (num > 1 || name == NULL || info == NULL) + ret = -1; + buffer_clear(m); + buffer_put_int(m, ret); + buffer_put_cstring(m, name); + xfree(name); + buffer_put_cstring(m, info); + xfree(info); + buffer_put_int(m, num); + for (i = 0; i < num; ++i) { + buffer_put_cstring(m, prompts[i]); + xfree(prompts[i]); + buffer_put_int(m, echo_on[i]); + } + if (prompts != NULL) + xfree(prompts); + if (echo_on != NULL) + xfree(echo_on); + mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); + return (0); +} + +int +mm_answer_pam_respond(int sock, Buffer *m) +{ + char **resp; + u_int i, num; + int ret; + + debug3("%s", __func__); + sshpam_authok = NULL; + num = buffer_get_int(m); + if (num > 0) { + resp = xmalloc(num * sizeof(char *)); + for (i = 0; i < num; ++i) + resp[i] = buffer_get_string(m, NULL); + ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); + for (i = 0; i < num; ++i) + xfree(resp[i]); + xfree(resp); + } else { + ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); + } + buffer_clear(m); + buffer_put_int(m, ret); + mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); + auth_method = "keyboard-interactive/pam"; + if (ret == 0) + sshpam_authok = sshpam_ctxt; + return (0); +} + +int +mm_answer_pam_free_ctx(int sock, Buffer *m) +{ + + debug3("%s", __func__); + (sshpam_device.free_ctx)(sshpam_ctxt); + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + return (sshpam_authok == sshpam_ctxt); +} +#endif + static void mm_append_debug(Buffer *m) { @@ -1309,6 +1515,48 @@ exit(res); } +#ifdef SSH_AUDIT_EVENTS +/* Report that an audit event occurred */ +int +mm_answer_audit_event(int socket, Buffer *m) +{ + ssh_audit_event_t event; + + debug3("%s entering", __func__); + + event = buffer_get_int(m); + switch(event) { + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: + case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_ROOT_DENIED: + case SSH_CONNECTION_CLOSE: + case SSH_INVALID_USER: + audit_event(event); + break; + default: + fatal("Audit event type %d not permitted", event); + } + + return (0); +} + +int +mm_answer_audit_command(int socket, Buffer *m) +{ + u_int len; + char *cmd; + + debug3("%s entering", __func__); + cmd = buffer_get_string(m, &len); + /* sanity check command, if so how? */ + audit_run_command(cmd); + xfree(cmd); + return (0); +} +#endif /* SSH_AUDIT_EVENTS */ + void monitor_apply_keystate(struct monitor *pmonitor) { @@ -1515,8 +1763,13 @@ static void monitor_socketpair(int *pair) { +#ifdef HAVE_SOCKETPAIR if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) fatal("%s: socketpair", __func__); +#else + fatal("%s: UsePrivilegeSeparation=yes not supported", + __func__); +#endif FD_CLOSEONEXEC(pair[0]); FD_CLOSEONEXEC(pair[1]); } diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor.h openssh-4.2p1/monitor.h --- ssh-openbsd-2005090100/monitor.h Sat Jul 16 11:31:01 2005 +++ openssh-4.2p1/monitor.h Thu Feb 3 00:20:53 2005 @@ -53,6 +53,13 @@ MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, + MONITOR_REQ_PAM_START, + MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, + MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, + MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, + MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, + MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, + MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND, MONITOR_REQ_TERM }; diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor_fdpass.c openssh-4.2p1/monitor_fdpass.c --- ssh-openbsd-2005090100/monitor_fdpass.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/monitor_fdpass.c Fri Aug 13 21:29:02 2004 @@ -34,14 +34,21 @@ void mm_send_fd(int sock, int fd) { +#if defined(HAVE_SENDMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR)) struct msghdr msg; - char tmp[CMSG_SPACE(sizeof(int))]; - struct cmsghdr *cmsg; struct iovec vec; char ch = '\0'; ssize_t n; +#ifndef HAVE_ACCRIGHTS_IN_MSGHDR + char tmp[CMSG_SPACE(sizeof(int))]; + struct cmsghdr *cmsg; +#endif memset(&msg, 0, sizeof(msg)); +#ifdef HAVE_ACCRIGHTS_IN_MSGHDR + msg.msg_accrights = (caddr_t)&fd; + msg.msg_accrightslen = sizeof(fd); +#else msg.msg_control = (caddr_t)tmp; msg.msg_controllen = CMSG_LEN(sizeof(int)); cmsg = CMSG_FIRSTHDR(&msg); @@ -49,6 +56,7 @@ cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; *(int *)CMSG_DATA(cmsg) = fd; +#endif vec.iov_base = &ch; vec.iov_len = 1; @@ -61,26 +69,38 @@ if (n != 1) fatal("%s: sendmsg: expected sent 1 got %ld", __func__, (long)n); +#else + fatal("%s: UsePrivilegeSeparation=yes not supported", + __func__); +#endif } int mm_receive_fd(int sock) { +#if defined(HAVE_RECVMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR)) struct msghdr msg; - char tmp[CMSG_SPACE(sizeof(int))]; - struct cmsghdr *cmsg; struct iovec vec; ssize_t n; char ch; int fd; +#ifndef HAVE_ACCRIGHTS_IN_MSGHDR + char tmp[CMSG_SPACE(sizeof(int))]; + struct cmsghdr *cmsg; +#endif memset(&msg, 0, sizeof(msg)); vec.iov_base = &ch; vec.iov_len = 1; msg.msg_iov = &vec; msg.msg_iovlen = 1; +#ifdef HAVE_ACCRIGHTS_IN_MSGHDR + msg.msg_accrights = (caddr_t)&fd; + msg.msg_accrightslen = sizeof(fd); +#else msg.msg_control = tmp; msg.msg_controllen = sizeof(tmp); +#endif if ((n = recvmsg(sock, &msg, 0)) == -1) fatal("%s: recvmsg: %s", __func__, strerror(errno)); @@ -88,12 +108,23 @@ fatal("%s: recvmsg: expected received 1 got %ld", __func__, (long)n); +#ifdef HAVE_ACCRIGHTS_IN_MSGHDR + if (msg.msg_accrightslen != sizeof(fd)) + fatal("%s: no fd", __func__); +#else cmsg = CMSG_FIRSTHDR(&msg); if (cmsg == NULL) fatal("%s: no message header", __func__); +#ifndef BROKEN_CMSG_TYPE if (cmsg->cmsg_type != SCM_RIGHTS) fatal("%s: expected type %d got %d", __func__, SCM_RIGHTS, cmsg->cmsg_type); +#endif fd = (*(int *)CMSG_DATA(cmsg)); +#endif return fd; +#else + fatal("%s: UsePrivilegeSeparation=yes not supported", + __func__); +#endif } diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor_mm.c openssh-4.2p1/monitor_mm.c --- ssh-openbsd-2005090100/monitor_mm.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/monitor_mm.c Wed Oct 6 23:15:44 2004 @@ -26,7 +26,9 @@ #include "includes.h" RCSID("$OpenBSD: monitor_mm.c,v 1.9 2004/05/11 19:01:43 deraadt Exp $"); +#ifdef HAVE_SYS_MMAN_H #include +#endif #include "ssh.h" #include "xmalloc.h" @@ -89,9 +91,8 @@ */ mm->mmalloc = mmalloc; - address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, - -1, (off_t)0); - if (address == MAP_FAILED) + address = xmmap(size); + if (address == (void *)MAP_FAILED) fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); mm->address = address; @@ -130,9 +131,14 @@ mm_freelist(mm->mmalloc, &mm->rb_free); mm_freelist(mm->mmalloc, &mm->rb_allocated); +#ifdef HAVE_MMAP if (munmap(mm->address, mm->size) == -1) fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size, strerror(errno)); +#else + fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", + __func__); +#endif if (mm->mmalloc == NULL) xfree(mm); else diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor_mm.h openssh-4.2p1/monitor_mm.h --- ssh-openbsd-2005090100/monitor_mm.h Sat Jul 16 11:31:01 2005 +++ openssh-4.2p1/monitor_mm.h Thu Sep 12 10:43:31 2002 @@ -27,7 +27,7 @@ #ifndef _MM_H_ #define _MM_H_ -#include +#include "openbsd-compat/sys-tree.h" struct mm_share { RB_ENTRY(mm_share) next; diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor_wrap.c openssh-4.2p1/monitor_wrap.c --- ssh-openbsd-2005090100/monitor_wrap.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/monitor_wrap.c Sun Jul 17 17:53:31 2005 @@ -40,13 +40,20 @@ #include "packet.h" #include "mac.h" #include "log.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC #include "zlib.h" +#define TARGET_OS_MAC 1 +#else +#include "zlib.h" +#endif #include "monitor.h" #include "monitor_wrap.h" #include "xmalloc.h" #include "atomicio.h" #include "monitor_fdpass.h" #include "getput.h" +#include "servconf.h" #include "auth.h" #include "channels.h" @@ -64,6 +71,8 @@ extern struct monitor *pmonitor; extern Buffer input, output; extern Buffer loginmsg; +extern ServerOptions options; +extern Buffer loginmsg; int mm_is_monitor(void) @@ -210,7 +219,9 @@ pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); pw->pw_gecos = buffer_get_string(&m, NULL); +#ifdef HAVE_PW_CLASS_IN_PASSWD pw->pw_class = buffer_get_string(&m, NULL); +#endif pw->pw_dir = buffer_get_string(&m, NULL); pw->pw_shell = buffer_get_string(&m, NULL); buffer_free(&m); @@ -682,6 +693,135 @@ s->ttyfd = -1; } +#ifdef USE_PAM +void +mm_start_pam(Authctxt *authctxt) +{ + Buffer m; + + debug3("%s entering", __func__); + if (!options.use_pam) + fatal("UsePAM=no, but ended up in %s anyway", __func__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); + + buffer_free(&m); +} + +u_int +mm_do_pam_account(void) +{ + Buffer m; + u_int ret; + char *msg; + + debug3("%s entering", __func__); + if (!options.use_pam) + fatal("UsePAM=no, but ended up in %s anyway", __func__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_PAM_ACCOUNT, &m); + ret = buffer_get_int(&m); + msg = buffer_get_string(&m, NULL); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); + + buffer_free(&m); + + debug3("%s returning %d", __func__, ret); + + return (ret); +} + +void * +mm_sshpam_init_ctx(Authctxt *authctxt) +{ + Buffer m; + int success; + + debug3("%s", __func__); + buffer_init(&m); + buffer_put_cstring(&m, authctxt->user); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); + success = buffer_get_int(&m); + if (success == 0) { + debug3("%s: pam_init_ctx failed", __func__); + buffer_free(&m); + return (NULL); + } + buffer_free(&m); + return (authctxt); +} + +int +mm_sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) +{ + Buffer m; + u_int i; + int ret; + + debug3("%s", __func__); + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m); + ret = buffer_get_int(&m); + debug3("%s: pam_query returned %d", __func__, ret); + *name = buffer_get_string(&m, NULL); + *info = buffer_get_string(&m, NULL); + *num = buffer_get_int(&m); + *prompts = xmalloc((*num + 1) * sizeof(char *)); + *echo_on = xmalloc((*num + 1) * sizeof(u_int)); + for (i = 0; i < *num; ++i) { + (*prompts)[i] = buffer_get_string(&m, NULL); + (*echo_on)[i] = buffer_get_int(&m); + } + buffer_free(&m); + return (ret); +} + +int +mm_sshpam_respond(void *ctx, u_int num, char **resp) +{ + Buffer m; + u_int i; + int ret; + + debug3("%s", __func__); + buffer_init(&m); + buffer_put_int(&m, num); + for (i = 0; i < num; ++i) + buffer_put_cstring(&m, resp[i]); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m); + ret = buffer_get_int(&m); + debug3("%s: pam_respond returned %d", __func__, ret); + buffer_free(&m); + return (ret); +} + +void +mm_sshpam_free_ctx(void *ctxtp) +{ + Buffer m; + + debug3("%s", __func__); + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m); + buffer_free(&m); +} +#endif /* USE_PAM */ + /* Request process termination */ void @@ -961,6 +1101,36 @@ return (success); } + +#ifdef SSH_AUDIT_EVENTS +void +mm_audit_event(ssh_audit_event_t event) +{ + Buffer m; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_int(&m, event); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); + buffer_free(&m); +} + +void +mm_audit_run_command(const char *command) +{ + Buffer m; + + debug3("%s entering command %s", __func__, command); + + buffer_init(&m); + buffer_put_cstring(&m, command); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ #ifdef GSSAPI OM_uint32 diff -ruN --exclude CVS ssh-openbsd-2005090100/monitor_wrap.h openssh-4.2p1/monitor_wrap.h --- ssh-openbsd-2005090100/monitor_wrap.h Sat Jul 16 11:31:01 2005 +++ openssh-4.2p1/monitor_wrap.h Tue Feb 8 21:52:48 2005 @@ -65,6 +65,21 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); #endif +#ifdef USE_PAM +void mm_start_pam(struct Authctxt *); +u_int mm_do_pam_account(void); +void *mm_sshpam_init_ctx(struct Authctxt *); +int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_sshpam_respond(void *, u_int, char **); +void mm_sshpam_free_ctx(void *); +#endif + +#ifdef SSH_AUDIT_EVENTS +#include "audit.h" +void mm_audit_event(ssh_audit_event_t); +void mm_audit_run_command(const char *); +#endif + struct Session; void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); diff -ruN --exclude CVS ssh-openbsd-2005090100/nchan.c openssh-4.2p1/nchan.c --- ssh-openbsd-2005090100/nchan.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/nchan.c Sat Jul 17 16:12:08 2004 @@ -463,7 +463,13 @@ return; debug2("channel %d: close_read", c->self); if (c->sock != -1) { - if (shutdown(c->sock, SHUT_RD) < 0) + /* + * shutdown(sock, SHUT_READ) may return ENOTCONN if the + * write side has been closed already. (bug on Linux) + * HP-UX may return ENOTCONN also. + */ + if (shutdown(c->sock, SHUT_RD) < 0 + && errno != ENOTCONN) error("channel %d: chan_shutdown_read: " "shutdown() failed for fd%d [i%d o%d]: %.100s", c->self, c->sock, c->istate, c->ostate, diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/.cvsignore openssh-4.2p1/openbsd-compat/.cvsignore --- ssh-openbsd-2005090100/openbsd-compat/.cvsignore Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/.cvsignore Mon Apr 30 13:55:39 2001 @@ -0,0 +1 @@ +Makefile diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/Makefile.in openssh-4.2p1/openbsd-compat/Makefile.in --- ssh-openbsd-2005090100/openbsd-compat/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/Makefile.in Sat Aug 27 06:15:20 2005 @@ -0,0 +1,42 @@ +# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $ + +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +VPATH=@srcdir@ +CC=@CC@ +LD=@LD@ +CFLAGS=@CFLAGS@ +CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ +LIBS=@LIBS@ +AR=@AR@ +RANLIB=@RANLIB@ +INSTALL=@INSTALL@ +LDFLAGS=-L. @LDFLAGS@ + +OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o + +COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + +PORTS=port-irix.o port-aix.o port-uw.o + +.c.o: + $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + +all: libopenbsd-compat.a + +$(COMPAT): ../config.h +$(OPENBSD): ../config.h +$(PORTS): ../config.h + +libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS) + $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS) + $(RANLIB) $@ + +clean: + rm -f *.o *.a core + +distclean: clean + rm -f Makefile *~ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/base64.c openssh-4.2p1/openbsd-compat/base64.c --- ssh-openbsd-2005090100/openbsd-compat/base64.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/base64.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,324 @@ +/* OPENBSD ORIGINAL: lib/libc/net/base64.c */ + +/* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */ + +/* + * Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + */ + +#include "includes.h" + +#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) + +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include "base64.h" + +/* XXX abort illegal in library */ +#define Assert(Cond) if (!(Cond)) abort() + +static const char Base64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static const char Pad64 = '='; + +/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) + The following encoding technique is taken from RFC 1521 by Borenstein + and Freed. It is reproduced here in a slightly edited form for + convenience. + + A 65-character subset of US-ASCII is used, enabling 6 bits to be + represented per printable character. (The extra 65th character, "=", + is used to signify a special processing function.) + + The encoding process represents 24-bit groups of input bits as output + strings of 4 encoded characters. Proceeding from left to right, a + 24-bit input group is formed by concatenating 3 8-bit input groups. + These 24 bits are then treated as 4 concatenated 6-bit groups, each + of which is translated into a single digit in the base64 alphabet. + + Each 6-bit group is used as an index into an array of 64 printable + characters. The character referenced by the index is placed in the + output string. + + Table 1: The Base64 Alphabet + + Value Encoding Value Encoding Value Encoding Value Encoding + 0 A 17 R 34 i 51 z + 1 B 18 S 35 j 52 0 + 2 C 19 T 36 k 53 1 + 3 D 20 U 37 l 54 2 + 4 E 21 V 38 m 55 3 + 5 F 22 W 39 n 56 4 + 6 G 23 X 40 o 57 5 + 7 H 24 Y 41 p 58 6 + 8 I 25 Z 42 q 59 7 + 9 J 26 a 43 r 60 8 + 10 K 27 b 44 s 61 9 + 11 L 28 c 45 t 62 + + 12 M 29 d 46 u 63 / + 13 N 30 e 47 v + 14 O 31 f 48 w (pad) = + 15 P 32 g 49 x + 16 Q 33 h 50 y + + Special processing is performed if fewer than 24 bits are available + at the end of the data being encoded. A full encoding quantum is + always completed at the end of a quantity. When fewer than 24 input + bits are available in an input group, zero bits are added (on the + right) to form an integral number of 6-bit groups. Padding at the + end of the data is performed using the '=' character. + + Since all base64 input is an integral number of octets, only the + ------------------------------------------------- + following cases can arise: + + (1) the final quantum of encoding input is an integral + multiple of 24 bits; here, the final unit of encoded + output will be an integral multiple of 4 characters + with no "=" padding, + (2) the final quantum of encoding input is exactly 8 bits; + here, the final unit of encoded output will be two + characters followed by two "=" padding characters, or + (3) the final quantum of encoding input is exactly 16 bits; + here, the final unit of encoded output will be three + characters followed by one "=" padding character. + */ + +#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) +int +b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) +{ + size_t datalength = 0; + u_char input[3]; + u_char output[4]; + int i; + + while (2 < srclength) { + input[0] = *src++; + input[1] = *src++; + input[2] = *src++; + srclength -= 3; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + output[3] = input[2] & 0x3f; + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + Assert(output[3] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + target[datalength++] = Base64[output[2]]; + target[datalength++] = Base64[output[3]]; + } + + /* Now we worry about padding. */ + if (0 != srclength) { + /* Get what's left. */ + input[0] = input[1] = input[2] = '\0'; + for (i = 0; i < srclength; i++) + input[i] = *src++; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + if (srclength == 1) + target[datalength++] = Pad64; + else + target[datalength++] = Base64[output[2]]; + target[datalength++] = Pad64; + } + if (datalength >= targsize) + return (-1); + target[datalength] = '\0'; /* Returned value doesn't count \0. */ + return (datalength); +} +#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ + +#if !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) + +/* skips all whitespace anywhere. + converts characters, four at a time, starting at (or after) + src from base - 64 numbers into three 8 bit bytes in the target area. + it returns the number of data bytes stored at the target, or -1 on error. + */ + +int +b64_pton(char const *src, u_char *target, size_t targsize) +{ + int tarindex, state, ch; + char *pos; + + state = 0; + tarindex = 0; + + while ((ch = *src++) != '\0') { + if (isspace(ch)) /* Skip whitespace anywhere. */ + continue; + + if (ch == Pad64) + break; + + pos = strchr(Base64, ch); + if (pos == 0) /* A non-base64 character. */ + return (-1); + + switch (state) { + case 0: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] = (pos - Base64) << 2; + } + state = 1; + break; + case 1: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 4; + target[tarindex+1] = ((pos - Base64) & 0x0f) + << 4 ; + } + tarindex++; + state = 2; + break; + case 2: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 2; + target[tarindex+1] = ((pos - Base64) & 0x03) + << 6; + } + tarindex++; + state = 3; + break; + case 3: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] |= (pos - Base64); + } + tarindex++; + state = 0; + break; + } + } + + /* + * We are done decoding Base-64 chars. Let's see if we ended + * on a byte boundary, and/or with erroneous trailing characters. + */ + + if (ch == Pad64) { /* We got a pad char. */ + ch = *src++; /* Skip it, get next. */ + switch (state) { + case 0: /* Invalid = in first position */ + case 1: /* Invalid = in second position */ + return (-1); + + case 2: /* Valid, means one byte of info */ + /* Skip any number of spaces. */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + break; + /* Make sure there is another trailing = sign. */ + if (ch != Pad64) + return (-1); + ch = *src++; /* Skip the = */ + /* Fall through to "single trailing =" case. */ + /* FALLTHROUGH */ + + case 3: /* Valid, means two bytes of info */ + /* + * We know this char is an =. Is there anything but + * whitespace after it? + */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + return (-1); + + /* + * Now make sure for cases 2 and 3 that the "extra" + * bits that slopped past the last full byte were + * zeros. If we don't check them, they become a + * subliminal channel. + */ + if (target && target[tarindex] != 0) + return (-1); + } + } else { + /* + * We ended by seeing the end of the string. Make sure we + * have no partial bytes lying around. + */ + if (state != 0) + return (-1); + } + + return (tarindex); +} + +#endif /* !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) */ +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/base64.h openssh-4.2p1/openbsd-compat/base64.h --- ssh-openbsd-2005090100/openbsd-compat/base64.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/base64.h Sat Aug 30 02:59:52 2003 @@ -0,0 +1,65 @@ +/* $Id: base64.h,v 1.6 2003/08/29 16:59:52 mouring Exp $ */ + +/* + * Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + */ + +#ifndef _BSD_BASE64_H +#define _BSD_BASE64_H + +#include "includes.h" + +#ifndef HAVE___B64_NTOP +# ifndef HAVE_B64_NTOP +int b64_ntop(u_char const *src, size_t srclength, char *target, + size_t targsize); +# endif /* !HAVE_B64_NTOP */ +# define __b64_ntop(a,b,c,d) b64_ntop(a,b,c,d) +#endif /* HAVE___B64_NTOP */ + +#ifndef HAVE___B64_PTON +# ifndef HAVE_B64_PTON +int b64_pton(char const *src, u_char *target, size_t targsize); +# endif /* !HAVE_B64_PTON */ +# define __b64_pton(a,b,c) b64_pton(a,b,c) +#endif /* HAVE___B64_PTON */ + +#endif /* _BSD_BASE64_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/basename.c openssh-4.2p1/openbsd-compat/basename.c --- ssh-openbsd-2005090100/openbsd-compat/basename.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/basename.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,64 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */ + +/* $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $ */ + +/* + * Copyright (c) 1997 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#ifndef HAVE_BASENAME + +#ifndef lint +static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $"; +#endif /* not lint */ + +char * +basename(const char *path) +{ + static char bname[MAXPATHLEN]; + register const char *endp, *startp; + + /* Empty or NULL string gets treated as "." */ + if (path == NULL || *path == '\0') { + (void)strlcpy(bname, ".", sizeof bname); + return(bname); + } + + /* Strip trailing slashes */ + endp = path + strlen(path) - 1; + while (endp > path && *endp == '/') + endp--; + + /* All slashes become "/" */ + if (endp == path && *endp == '/') { + (void)strlcpy(bname, "/", sizeof bname); + return(bname); + } + + /* Find the start of the base */ + startp = endp; + while (startp > path && *(startp - 1) != '/') + startp--; + + if (endp - startp + 2 > sizeof(bname)) { + errno = ENAMETOOLONG; + return(NULL); + } + strlcpy(bname, startp, endp - startp + 2); + return(bname); +} + +#endif /* !defined(HAVE_BASENAME) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bindresvport.c openssh-4.2p1/openbsd-compat/bindresvport.c --- ssh-openbsd-2005090100/openbsd-compat/bindresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bindresvport.c Mon Jun 2 18:59:08 2003 @@ -0,0 +1,112 @@ +/* This file has be substantially modified from the original OpenBSD source */ + +/* $OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $ */ + +/* + * Copyright 1996, Jason Downs. All rights reserved. + * Copyright 1998, Theo de Raadt. All rights reserved. + * Copyright 2000, Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifndef HAVE_BINDRESVPORT_SA + +#include "includes.h" + +#define STARTPORT 600 +#define ENDPORT (IPPORT_RESERVED - 1) +#define NPORTS (ENDPORT - STARTPORT + 1) + +/* + * Bind a socket to a privileged IP port + */ +int +bindresvport_sa(sd, sa) + int sd; + struct sockaddr *sa; +{ + int error, af; + struct sockaddr_storage myaddr; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + u_int16_t *portp; + u_int16_t port; + socklen_t salen; + int i; + + if (sa == NULL) { + memset(&myaddr, 0, sizeof(myaddr)); + sa = (struct sockaddr *)&myaddr; + + if (getsockname(sd, sa, &salen) == -1) + return -1; /* errno is correctly set */ + + af = sa->sa_family; + memset(&myaddr, 0, salen); + } else + af = sa->sa_family; + + if (af == AF_INET) { + sin = (struct sockaddr_in *)sa; + salen = sizeof(struct sockaddr_in); + portp = &sin->sin_port; + } else if (af == AF_INET6) { + sin6 = (struct sockaddr_in6 *)sa; + salen = sizeof(struct sockaddr_in6); + portp = &sin6->sin6_port; + } else { + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + port = ntohs(*portp); + if (port == 0) + port = (arc4random() % NPORTS) + STARTPORT; + + /* Avoid warning */ + error = -1; + + for(i = 0; i < NPORTS; i++) { + *portp = htons(port); + + error = bind(sd, sa, salen); + + /* Terminate on success */ + if (error == 0) + break; + + /* Terminate on errors, except "address already in use" */ + if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL))) + break; + + port++; + if (port > ENDPORT) + port = STARTPORT; + } + + return (error); +} + +#endif /* HAVE_BINDRESVPORT_SA */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-arc4random.c openssh-4.2p1/openbsd-compat/bsd-arc4random.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-arc4random.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-arc4random.c Wed Feb 16 13:01:28 2005 @@ -0,0 +1,80 @@ +/* + * Copyright (c) 1999,2000,2004 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include "log.h" + +RCSID("$Id: bsd-arc4random.c,v 1.10 2005/02/16 02:01:28 djm Exp $"); + +#ifndef HAVE_ARC4RANDOM + +#include +#include +#include + +/* Size of key to use */ +#define SEED_SIZE 20 + +/* Number of bytes to reseed after */ +#define REKEY_BYTES (1 << 24) + +static int rc4_ready = 0; +static RC4_KEY rc4; + +unsigned int +arc4random(void) +{ + unsigned int r = 0; + static int first_time = 1; + + if (rc4_ready <= 0) { + if (first_time) + seed_rng(); + first_time = 0; + arc4random_stir(); + } + + RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r); + + rc4_ready -= sizeof(r); + + return(r); +} + +void +arc4random_stir(void) +{ + unsigned char rand_buf[SEED_SIZE]; + int i; + + memset(&rc4, 0, sizeof(rc4)); + if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0) + fatal("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); + RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); + + /* + * Discard early keystream, as per recommendations in: + * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps + */ + for(i = 0; i <= 256; i += sizeof(rand_buf)) + RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf); + + memset(rand_buf, 0, sizeof(rand_buf)); + + rc4_ready = REKEY_BYTES; +} +#endif /* !HAVE_ARC4RANDOM */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-closefrom.c openssh-4.2p1/openbsd-compat/bsd-closefrom.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-closefrom.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-closefrom.c Sun Aug 15 18:41:00 2004 @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2004 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifndef HAVE_CLOSEFROM + +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_DIRENT_H +# include +# define NAMLEN(dirent) strlen((dirent)->d_name) +#else +# define dirent direct +# define NAMLEN(dirent) (dirent)->d_namlen +# ifdef HAVE_SYS_NDIR_H +# include +# endif +# ifdef HAVE_SYS_DIR_H +# include +# endif +# ifdef HAVE_NDIR_H +# include +# endif +#endif + +#ifndef OPEN_MAX +# define OPEN_MAX 256 +#endif + +RCSID("$Id: bsd-closefrom.c,v 1.1 2004/08/15 08:41:00 djm Exp $"); + +#ifndef lint +static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $"; +#endif /* lint */ + +/* + * Close all file descriptors greater than or equal to lowfd. + */ +void +closefrom(int lowfd) +{ + long fd, maxfd; +#if defined(HAVE_DIRFD) && defined(HAVE_PROC_PID) + char fdpath[PATH_MAX], *endp; + struct dirent *dent; + DIR *dirp; + int len; + + /* Check for a /proc/$$/fd directory. */ + len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid()); + if (len != -1 && len <= sizeof(fdpath) && (dirp = opendir(fdpath))) { + while ((dent = readdir(dirp)) != NULL) { + fd = strtol(dent->d_name, &endp, 10); + if (dent->d_name != endp && *endp == '\0' && + fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp)) + (void) close((int) fd); + } + (void) closedir(dirp); + } else +#endif + { + /* + * Fall back on sysconf() or getdtablesize(). We avoid checking + * resource limits since it is possible to open a file descriptor + * and then drop the rlimit such that it is below the open fd. + */ +#ifdef HAVE_SYSCONF + maxfd = sysconf(_SC_OPEN_MAX); +#else + maxfd = getdtablesize(); +#endif /* HAVE_SYSCONF */ + if (maxfd < 0) + maxfd = OPEN_MAX; + + for (fd = lowfd; fd < maxfd; fd++) + (void) close((int) fd); + } +} + +#endif /* HAVE_CLOSEFROM */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-cray.c openssh-4.2p1/openbsd-compat/bsd-cray.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-cray.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-cray.c Wed Feb 2 17:10:11 2005 @@ -0,0 +1,816 @@ +/* + * $Id: bsd-cray.c,v 1.14 2005/02/02 06:10:11 dtucker Exp $ + * + * bsd-cray.c + * + * Copyright (c) 2002, Cray Inc. (Wendy Palm ) + * Significant portions provided by + * Wayne Schroeder, SDSC + * William Jones, UTexas + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Created: Apr 22 16.34:00 2002 wp + * + * This file contains functions required for proper execution + * on UNICOS systems. + * + */ +#ifdef _UNICOS + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "ssh.h" + +#include "includes.h" +#include "sys/types.h" + +#ifndef HAVE_STRUCT_SOCKADDR_STORAGE +# define _SS_MAXSIZE 128 /* Implementation specific max size */ +# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr)) + +# define ss_family ss_sa.sa_family +#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ + +#ifndef IN6_IS_ADDR_LOOPBACK +# define IN6_IS_ADDR_LOOPBACK(a) \ + (((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \ + ((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1)) +#endif /* !IN6_IS_ADDR_LOOPBACK */ + +#ifndef AF_INET6 +/* Define it to something that should never appear */ +#define AF_INET6 AF_MAX +#endif + +#include "log.h" +#include "servconf.h" +#include "bsd-cray.h" + +#define MAXACID 80 + +extern ServerOptions options; + +char cray_tmpdir[TPATHSIZ + 1]; /* job TMPDIR path */ + +struct sysv sysv; /* system security structure */ +struct usrv usrv; /* user security structure */ + +/* + * Functions. + */ +void cray_retain_utmp(struct utmp *, int); +void cray_delete_tmpdir(char *, int, uid_t); +void cray_init_job(struct passwd *); +void cray_set_tmpdir(struct utmp *); +void cray_login_failure(char *, int); +int cray_setup(uid_t, char *, const char *); +int cray_access_denied(char *); + +void +cray_login_failure(char *username, int errcode) +{ + struct udb *ueptr; /* UDB pointer for username */ + ia_failure_t fsent; /* ia_failure structure */ + ia_failure_ret_t fret; /* ia_failure return stuff */ + struct jtab jtab; /* job table structure */ + int jid = 0; /* job id */ + + if ((jid = getjtab(&jtab)) < 0) + debug("cray_login_failure(): getjtab error"); + + getsysudb(); + if ((ueptr = getudbnam(username)) == UDB_NULL) + debug("cray_login_failure(): getudbname() returned NULL"); + endudb(); + + memset(&fsent, '\0', sizeof(fsent)); + fsent.revision = 0; + fsent.uname = username; + fsent.host = (char *)get_canonical_hostname(options.use_dns); + fsent.ttyn = "sshd"; + fsent.caller = IA_SSHD; + fsent.flags = IA_INTERACTIVE; + fsent.ueptr = ueptr; + fsent.jid = jid; + fsent.errcode = errcode; + fsent.pwdp = NULL; + fsent.exitcode = 0; /* dont exit in ia_failure() */ + + fret.revision = 0; + fret.normal = 0; + + /* + * Call ia_failure because of an login failure. + */ + ia_failure(&fsent, &fret); +} + +/* + * Cray access denied + */ +int +cray_access_denied(char *username) +{ + struct udb *ueptr; /* UDB pointer for username */ + int errcode; /* IA errorcode */ + + errcode = 0; + getsysudb(); + if ((ueptr = getudbnam(username)) == UDB_NULL) + debug("cray_login_failure(): getudbname() returned NULL"); + endudb(); + + if (ueptr != NULL && ueptr->ue_disabled) + errcode = IA_DISABLED; + if (errcode) + cray_login_failure(username, errcode); + + return (errcode); +} + +/* + * record_failed_login: generic "login failed" interface function + */ +void +record_failed_login(const char *user, const char *hostname, const char *ttyname) +{ + cray_login_failure((char *)user, IA_UDBERR); +} + +int +cray_setup (uid_t uid, char *username, const char *command) +{ + extern struct udb *getudb(); + extern char *setlimits(); + + int err; /* error return */ + time_t system_time; /* current system clock */ + time_t expiration_time; /* password expiration time */ + int maxattempts; /* maximum no. of failed login attempts */ + int SecureSys; /* unicos security flag */ + int minslevel = 0; /* system minimum security level */ + int i, j; + int valid_acct = -1; /* flag for reading valid acct */ + char acct_name[MAXACID] = { "" }; /* used to read acct name */ + struct jtab jtab; /* Job table struct */ + struct udb ue; /* udb entry for logging-in user */ + struct udb *up; /* pointer to UDB entry */ + struct secstat secinfo; /* file security attributes */ + struct servprov init_info; /* used for sesscntl() call */ + int jid; /* job ID */ + int pid; /* process ID */ + char *sr; /* status return from setlimits() */ + char *ttyn = NULL; /* ttyname or command name*/ + char hostname[MAXHOSTNAMELEN]; + /* passwd stuff for ia_user */ + passwd_t pwdacm, pwddialup, pwdudb, pwdwal, pwddce; + ia_user_ret_t uret; /* stuff returned from ia_user */ + ia_user_t usent; /* ia_user main structure */ + int ia_rcode; /* ia_user return code */ + ia_failure_t fsent; /* ia_failure structure */ + ia_failure_ret_t fret; /* ia_failure return stuff */ + ia_success_t ssent; /* ia_success structure */ + ia_success_ret_t sret; /* ia_success return stuff */ + int ia_mlsrcode; /* ia_mlsuser return code */ + int secstatrc; /* [f]secstat return code */ + + if (SecureSys = (int)sysconf(_SC_CRAY_SECURE_SYS)) { + getsysv(&sysv, sizeof(struct sysv)); + minslevel = sysv.sy_minlvl; + if (getusrv(&usrv) < 0) + fatal("getusrv() failed, errno = %d", errno); + } + hostname[0] = '\0'; + strlcpy(hostname, + (char *)get_canonical_hostname(options.use_dns), + MAXHOSTNAMELEN); + /* + * Fetch user's UDB entry. + */ + getsysudb(); + if ((up = getudbnam(username)) == UDB_NULL) + fatal("cannot fetch user's UDB entry"); + + /* + * Prevent any possible fudging so perform a data + * safety check and compare the supplied uid against + * the udb's uid. + */ + if (up->ue_uid != uid) + fatal("IA uid missmatch"); + endudb(); + + if ((jid = getjtab(&jtab)) < 0) { + debug("getjtab"); + return(-1); + } + pid = getpid(); + ttyn = ttyname(0); + if (SecureSys) { + if (ttyn != NULL) + secstatrc = secstat(ttyn, &secinfo); + else + secstatrc = fsecstat(1, &secinfo); + + if (secstatrc == 0) + debug("[f]secstat() successful"); + else + fatal("[f]secstat() error, rc = %d", secstatrc); + } + if ((ttyn == NULL) && ((char *)command != NULL)) + ttyn = (char *)command; + /* + * Initialize all structures to call ia_user + */ + usent.revision = 0; + usent.uname = username; + usent.host = hostname; + usent.ttyn = ttyn; + usent.caller = IA_SSHD; + usent.pswdlist = &pwdacm; + usent.ueptr = &ue; + usent.flags = IA_INTERACTIVE | IA_FFLAG; + pwdacm.atype = IA_SECURID; + pwdacm.pwdp = NULL; + pwdacm.next = &pwdudb; + + pwdudb.atype = IA_UDB; + pwdudb.pwdp = NULL; + pwdudb.next = &pwddce; + + pwddce.atype = IA_DCE; + pwddce.pwdp = NULL; + pwddce.next = &pwddialup; + + pwddialup.atype = IA_DIALUP; + pwddialup.pwdp = NULL; + /* pwddialup.next = &pwdwal; */ + pwddialup.next = NULL; + + pwdwal.atype = IA_WAL; + pwdwal.pwdp = NULL; + pwdwal.next = NULL; + + uret.revision = 0; + uret.pswd = NULL; + uret.normal = 0; + + ia_rcode = ia_user(&usent, &uret); + switch (ia_rcode) { + /* + * These are acceptable return codes from ia_user() + */ + case IA_UDBWEEK: /* Password Expires in 1 week */ + expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage; + printf ("WARNING - your current password will expire %s\n", + ctime((const time_t *)&expiration_time)); + break; + case IA_UDBEXPIRED: + if (ttyname(0) != NULL) { + /* Force a password change */ + printf("Your password has expired; Choose a new one.\n"); + execl("/bin/passwd", "passwd", username, 0); + exit(9); + } + break; + case IA_NORMAL: /* Normal Return Code */ + break; + case IA_BACKDOOR: + /* XXX: can we memset it to zero here so save some of this */ + strlcpy(ue.ue_name, "root", sizeof(ue.ue_name)); + strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir)); + strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell)); + + ue.ue_passwd[0] = '\0'; + ue.ue_age[0] = '\0'; + ue.ue_comment[0] = '\0'; + ue.ue_loghost[0] = '\0'; + ue.ue_logline[0] = '\0'; + + ue.ue_uid = -1; + ue.ue_nice[UDBRC_INTER] = 0; + + for (i = 0; i < MAXVIDS; i++) + ue.ue_gids[i] = 0; + + ue.ue_logfails = 0; + ue.ue_minlvl = ue.ue_maxlvl = ue.ue_deflvl = minslevel; + ue.ue_defcomps = 0; + ue.ue_comparts = 0; + ue.ue_permits = 0; + ue.ue_trap = 0; + ue.ue_disabled = 0; + ue.ue_logtime = 0; + break; + case IA_CONSOLE: /* Superuser not from Console */ + case IA_TRUSTED: /* Trusted user */ + if (options.permit_root_login > PERMIT_NO) + break; /* Accept root login */ + default: + /* + * These are failed return codes from ia_user() + */ + switch (ia_rcode) + { + case IA_BADAUTH: + printf("Bad authorization, access denied.\n"); + break; + case IA_DISABLED: + printf("Your login has been disabled. Contact the system "); + printf("administrator for assistance.\n"); + break; + case IA_GETSYSV: + printf("getsysv() failed - errno = %d\n", errno); + break; + case IA_MAXLOGS: + printf("Maximum number of failed login attempts exceeded.\n"); + printf("Access denied.\n"); + break; + case IA_UDBPWDNULL: + if (SecureSys) + printf("NULL Password not allowed on MLS systems.\n"); + break; + default: + break; + } + + /* + * Authentication failed. + */ + printf("sshd: Login incorrect, (0%o)\n", + ia_rcode-IA_ERRORCODE); + + /* + * Initialize structure for ia_failure + * which will exit. + */ + fsent.revision = 0; + fsent.uname = username; + fsent.host = hostname; + fsent.ttyn = ttyn; + fsent.caller = IA_SSHD; + fsent.flags = IA_INTERACTIVE; + fsent.ueptr = &ue; + fsent.jid = jid; + fsent.errcode = ia_rcode; + fsent.pwdp = uret.pswd; + fsent.exitcode = 1; + + fret.revision = 0; + fret.normal = 0; + + /* + * Call ia_failure because of an IA failure. + * There is no return because ia_failure exits. + */ + ia_failure(&fsent, &fret); + + exit(1); + } + + ia_mlsrcode = IA_NORMAL; + if (SecureSys) { + debug("calling ia_mlsuser()"); + ia_mlsrcode = ia_mlsuser(&ue, &secinfo, &usrv, NULL, 0); + } + if (ia_mlsrcode != IA_NORMAL) { + printf("sshd: Login incorrect, (0%o)\n", + ia_mlsrcode-IA_ERRORCODE); + /* + * Initialize structure for ia_failure + * which will exit. + */ + fsent.revision = 0; + fsent.uname = username; + fsent.host = hostname; + fsent.ttyn = ttyn; + fsent.caller = IA_SSHD; + fsent.flags = IA_INTERACTIVE; + fsent.ueptr = &ue; + fsent.jid = jid; + fsent.errcode = ia_mlsrcode; + fsent.pwdp = uret.pswd; + fsent.exitcode = 1; + fret.revision = 0; + fret.normal = 0; + + /* + * Call ia_failure because of an IA failure. + * There is no return because ia_failure exits. + */ + ia_failure(&fsent,&fret); + exit(1); + } + + /* Provide login status information */ + if (options.print_lastlog && ue.ue_logtime != 0) { + printf("Last successful login was : %.*s ", 19, + (char *)ctime(&ue.ue_logtime)); + + if (*ue.ue_loghost != '\0') { + printf("from %.*s\n", sizeof(ue.ue_loghost), + ue.ue_loghost); + } else { + printf("on %.*s\n", sizeof(ue.ue_logline), + ue.ue_logline); + } + + if (SecureSys && (ue.ue_logfails != 0)) { + printf(" followed by %d failed attempts\n", + ue.ue_logfails); + } + } + + /* + * Call ia_success to process successful I/A. + */ + ssent.revision = 0; + ssent.uname = username; + ssent.host = hostname; + ssent.ttyn = ttyn; + ssent.caller = IA_SSHD; + ssent.flags = IA_INTERACTIVE; + ssent.ueptr = &ue; + ssent.jid = jid; + ssent.errcode = ia_rcode; + ssent.us = NULL; + ssent.time = 1; /* Set ue_logtime */ + + sret.revision = 0; + sret.normal = 0; + + ia_success(&ssent, &sret); + + /* + * Query for account, iff > 1 valid acid & askacid permbit + */ + if (((ue.ue_permbits & PERMBITS_ACCTID) || + (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) && + ue.ue_permbits & PERMBITS_ASKACID) { + if (ttyname(0) != NULL) { + debug("cray_setup: ttyname true case, %.100s", ttyname); + while (valid_acct == -1) { + printf("Account (? for available accounts)" + " [%s]: ", acid2nam(ue.ue_acids[0])); + fgets(acct_name, MAXACID, stdin); + switch (acct_name[0]) { + case EOF: + exit(0); + break; + case '\0': + valid_acct = ue.ue_acids[0]; + strlcpy(acct_name, acid2nam(valid_acct), MAXACID); + break; + case '?': + /* Print the list 3 wide */ + for (i = 0, j = 0; i < MAXVIDS; i++) { + if (ue.ue_acids[i] == -1) { + printf("\n"); + break; + } + if (++j == 4) { + j = 1; + printf("\n"); + } + printf(" %s", + acid2nam(ue.ue_acids[i])); + } + if (ue.ue_permbits & PERMBITS_ACCTID) { + printf("\"acctid\" permbit also allows" + " you to select any valid " + "account name.\n"); + } + printf("\n"); + break; + default: + valid_acct = nam2acid(acct_name); + if (valid_acct == -1) + printf( + "Account id not found for" + " account name \"%s\"\n\n", + acct_name); + break; + } + /* + * If an account was given, search the user's + * acids array to verify they can use this account. + */ + if ((valid_acct != -1) && + !(ue.ue_permbits & PERMBITS_ACCTID)) { + for (i = 0; i < MAXVIDS; i++) { + if (ue.ue_acids[i] == -1) + break; + if (valid_acct == ue.ue_acids[i]) + break; + } + if (i == MAXVIDS || + ue.ue_acids[i] == -1) { + fprintf(stderr, "Cannot set" + " account name to " + "\"%s\", permission " + "denied\n\n", acct_name); + valid_acct = -1; + } + } + } + } else { + /* + * The client isn't connected to a terminal and can't + * respond to an acid prompt. Use default acid. + */ + debug("cray_setup: ttyname false case, %.100s", + ttyname); + valid_acct = ue.ue_acids[0]; + } + } else { + /* + * The user doesn't have the askacid permbit set or + * only has one valid account to use. + */ + valid_acct = ue.ue_acids[0]; + } + if (acctid(0, valid_acct) < 0) { + printf ("Bad account id: %d\n", valid_acct); + exit(1); + } + + /* + * Now set shares, quotas, limits, including CPU time for the + * (interactive) job and process, and set up permissions + * (for chown etc), etc. + */ + if (setshares(ue.ue_uid, valid_acct, printf, 0, 0)) { + printf("Unable to give %d shares to <%s>(%d/%d)\n", + ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct); + exit(1); + } + + sr = setlimits(username, C_PROC, pid, UDBRC_INTER); + if (sr != NULL) { + debug("%.200s", sr); + exit(1); + } + sr = setlimits(username, C_JOB, jid, UDBRC_INTER); + if (sr != NULL) { + debug("%.200s", sr); + exit(1); + } + /* + * Place the service provider information into + * the session table (Unicos) or job table (Unicos/mk). + * There exist double defines for the job/session table in + * unicos/mk (jtab.h) so no need for a compile time switch. + */ + memset(&init_info, '\0', sizeof(init_info)); + init_info.s_sessinit.si_id = URM_SPT_LOGIN; + init_info.s_sessinit.si_pid = getpid(); + init_info.s_sessinit.si_sid = jid; + sesscntl(0, S_SETSERVPO, (int)&init_info); + + /* + * Set user and controlling tty security attributes. + */ + if (SecureSys) { + if (setusrv(&usrv) == -1) { + debug("setusrv() failed, errno = %d",errno); + exit(1); + } + } + + return (0); +} + +/* + * The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk + * can have pal privileges that sshd can inherit which + * could allow a user to su to root with out a password. + * This subroutine clears all privileges. + */ +void +drop_cray_privs() +{ +#if defined(_SC_CRAY_PRIV_SU) + priv_proc_t *privstate; + int result; + extern int priv_set_proc(); + extern priv_proc_t *priv_init_proc(); + + /* + * If ether of theses two flags are not set + * then don't allow this version of ssh to run. + */ + if (!sysconf(_SC_CRAY_PRIV_SU)) + fatal("Not PRIV_SU system."); + if (!sysconf(_SC_CRAY_POSIX_PRIV)) + fatal("Not POSIX_PRIV."); + + debug("Setting MLS labels.");; + + if (sysconf(_SC_CRAY_SECURE_MAC)) { + usrv.sv_minlvl = SYSLOW; + usrv.sv_actlvl = SYSHIGH; + usrv.sv_maxlvl = SYSHIGH; + } else { + usrv.sv_minlvl = sysv.sy_minlvl; + usrv.sv_actlvl = sysv.sy_minlvl; + usrv.sv_maxlvl = sysv.sy_maxlvl; + } + usrv.sv_actcmp = 0; + usrv.sv_valcmp = sysv.sy_valcmp; + + usrv.sv_intcat = TFM_SYSTEM; + usrv.sv_valcat |= (TFM_SYSTEM | TFM_SYSFILE); + + if (setusrv(&usrv) < 0) { + fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__, + strerror(errno)); + } + + if ((privstate = priv_init_proc()) != NULL) { + result = priv_set_proc(privstate); + if (result != 0 ) { + fatal("%s(%d): priv_set_proc(): %s", + __FILE__, __LINE__, strerror(errno)); + } + priv_free_proc(privstate); + } + debug ("Privileges should be cleared..."); +#else + /* XXX: do this differently */ +# error Cray systems must be run with _SC_CRAY_PRIV_SU on! +#endif +} + + +/* + * Retain utmp/wtmp information - used by cray accounting. + */ +void +cray_retain_utmp(struct utmp *ut, int pid) +{ + int fd; + struct utmp utmp; + + if ((fd = open(UTMP_FILE, O_RDONLY)) != -1) { + /* XXX use atomicio */ + while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) { + if (pid == utmp.ut_pid) { + ut->ut_jid = utmp.ut_jid; + strncpy(ut->ut_tpath, utmp.ut_tpath, sizeof(utmp.ut_tpath)); + strncpy(ut->ut_host, utmp.ut_host, sizeof(utmp.ut_host)); + strncpy(ut->ut_name, utmp.ut_name, sizeof(utmp.ut_name)); + break; + } + } + close(fd); + } else + fatal("Unable to open utmp file"); +} + +/* + * tmpdir support. + */ + +/* + * find and delete jobs tmpdir. + */ +void +cray_delete_tmpdir(char *login, int jid, uid_t uid) +{ + static char jtmp[TPATHSIZ]; + struct stat statbuf; + int child, c, wstat; + + for (c = 'a'; c <= 'z'; c++) { + snprintf(jtmp, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c); + if (stat(jtmp, &statbuf) == 0 && statbuf.st_uid == uid) + break; + } + + if (c > 'z') + return; + + if ((child = fork()) == 0) { + execl(CLEANTMPCMD, CLEANTMPCMD, login, jtmp, (char *)NULL); + fatal("cray_delete_tmpdir: execl of CLEANTMPCMD failed"); + } + + while (waitpid(child, &wstat, 0) == -1 && errno == EINTR) + ; +} + +/* + * Remove tmpdir on job termination. + */ +void +cray_job_termination_handler(int sig) +{ + int jid; + char *login = NULL; + struct jtab jtab; + + debug("received signal %d",sig); + + if ((jid = waitjob(&jtab)) == -1 || + (login = uid2nam(jtab.j_uid)) == NULL) + return; + + cray_delete_tmpdir(login, jid, jtab.j_uid); +} + +/* + * Set job id and create tmpdir directory. + */ +void +cray_init_job(struct passwd *pw) +{ + int jid; + int c; + + jid = setjob(pw->pw_uid, WJSIGNAL); + if (jid < 0) + fatal("System call setjob failure"); + + for (c = 'a'; c <= 'z'; c++) { + snprintf(cray_tmpdir, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c); + if (mkdir(cray_tmpdir, JTMPMODE) != 0) + continue; + if (chown(cray_tmpdir, pw->pw_uid, pw->pw_gid) != 0) { + rmdir(cray_tmpdir); + continue; + } + break; + } + + if (c > 'z') + cray_tmpdir[0] = '\0'; +} + +void +cray_set_tmpdir(struct utmp *ut) +{ + int jid; + struct jtab jbuf; + + if ((jid = getjtab(&jbuf)) < 0) + return; + + /* + * Set jid and tmpdir in utmp record. + */ + ut->ut_jid = jid; + strncpy(ut->ut_tpath, cray_tmpdir, TPATHSIZ); +} +#endif /* UNICOS */ + +#ifdef _UNICOSMP +#include +/* + * Set job id and create tmpdir directory. + */ +void +cray_init_job(struct passwd *pw) +{ + initrm_silent(pw->pw_uid); + return; +} +#endif /* _UNICOSMP */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-cray.h openssh-4.2p1/openbsd-compat/bsd-cray.h --- ssh-openbsd-2005090100/openbsd-compat/bsd-cray.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-cray.h Wed Feb 2 17:10:11 2005 @@ -0,0 +1,61 @@ +/* $Id: bsd-cray.h,v 1.12 2005/02/02 06:10:11 dtucker Exp $ */ + +/* + * Copyright (c) 2002, Cray Inc. (Wendy Palm ) + * Significant portions provided by + * Wayne Schroeder, SDSC + * William Jones, UTexas + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Created: Apr 22 16.34:00 2002 wp + * + * This file contains functions required for proper execution + * on UNICOS systems. + * + */ + +#ifndef _BSD_CRAY_H +#define _BSD_CRAY_H + +#ifdef _UNICOS + +void cray_init_job(struct passwd *); +void cray_job_termination_handler(int); +void cray_login_failure(char *, int ); +int cray_access_denied(char *); +extern char cray_tmpdir[]; + +#define CUSTOM_FAILED_LOGIN 1 + +#ifndef IA_SSHD +# define IA_SSHD IA_LOGIN +#endif +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 64 +#endif +#ifndef _CRAYT3E +# define TIOCGPGRP (tIOC|20) +#endif + +#endif /* UNICOS */ + +#endif /* _BSD_CRAY_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-cygwin_util.c openssh-4.2p1/openbsd-compat/bsd-cygwin_util.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-cygwin_util.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-cygwin_util.c Wed May 25 19:42:11 2005 @@ -0,0 +1,290 @@ +/* + * Copyright (c) 2000, 2001, Corinna Vinschen + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Created: Sat Sep 02 12:17:00 2000 cv + * + * This file contains functions for forcing opened file descriptors to + * binary mode on Windows systems. + */ + +#include "includes.h" + +RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $"); + +#ifdef HAVE_CYGWIN + +#include +#include +#include +#include +#include +#include "xmalloc.h" +#define is_winnt (GetVersion() < 0x80000000) + +#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) +#define ntsec_off(c) ((c) && strstr((c),"nontsec")) +#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) + +#if defined(open) && open == binary_open +# undef open +#endif +#if defined(pipe) && open == binary_pipe +# undef pipe +#endif + +int +binary_open(const char *filename, int flags, ...) +{ + va_list ap; + mode_t mode; + + va_start(ap, flags); + mode = va_arg(ap, mode_t); + va_end(ap); + return (open(filename, flags | O_BINARY, mode)); +} + +int +binary_pipe(int fd[2]) +{ + int ret = pipe(fd); + + if (!ret) { + setmode(fd[0], O_BINARY); + setmode(fd[1], O_BINARY); + } + return (ret); +} + +#define HAS_CREATE_TOKEN 1 +#define HAS_NTSEC_BY_DEFAULT 2 +#define HAS_CREATE_TOKEN_WO_NTSEC 3 + +static int +has_capability(int what) +{ + static int inited; + static int has_create_token; + static int has_ntsec_by_default; + static int has_create_token_wo_ntsec; + + /* + * has_capability() basically calls uname() and checks if + * specific capabilities of Cygwin can be evaluated from that. + * This simplifies the calling functions which only have to ask + * for a capability using has_capability() instead of having + * to figure that out by themselves. + */ + if (!inited) { + struct utsname uts; + + if (!uname(&uts)) { + int major_high = 0, major_low = 0, minor = 0; + int api_major_version = 0, api_minor_version = 0; + char *c; + + sscanf(uts.release, "%d.%d.%d", &major_high, + &major_low, &minor); + if ((c = strchr(uts.release, '(')) != NULL) { + sscanf(c + 1, "%d.%d", &api_major_version, + &api_minor_version); + } + if (major_high > 1 || + (major_high == 1 && (major_low > 3 || + (major_low == 3 && minor >= 2)))) + has_create_token = 1; + if (api_major_version > 0 || api_minor_version >= 56) + has_ntsec_by_default = 1; + if (major_high > 1 || + (major_high == 1 && major_low >= 5)) + has_create_token_wo_ntsec = 1; + inited = 1; + } + } + switch (what) { + case HAS_CREATE_TOKEN: + return (has_create_token); + case HAS_NTSEC_BY_DEFAULT: + return (has_ntsec_by_default); + case HAS_CREATE_TOKEN_WO_NTSEC: + return (has_create_token_wo_ntsec); + } + return (0); +} + +int +check_nt_auth(int pwd_authenticated, struct passwd *pw) +{ + /* + * The only authentication which is able to change the user + * context on NT systems is the password authentication. So + * we deny all requsts for changing the user context if another + * authentication method is used. + * + * This doesn't apply to Cygwin versions >= 1.3.2 anymore which + * uses the undocumented NtCreateToken() call to create a user + * token if the process has the appropriate privileges and if + * CYGWIN ntsec setting is on. + */ + static int has_create_token = -1; + + if (pw == NULL) + return 0; + if (is_winnt) { + if (has_create_token < 0) { + char *cygwin = getenv("CYGWIN"); + + has_create_token = 0; + if (has_capability(HAS_CREATE_TOKEN) && + (ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)) || + has_capability(HAS_CREATE_TOKEN_WO_NTSEC))) + has_create_token = 1; + } + if (has_create_token < 1 && + !pwd_authenticated && geteuid() != pw->pw_uid) + return (0); + } + return (1); +} + +int +check_ntsec(const char *filename) +{ + char *cygwin; + int allow_ntea = 0, allow_ntsec = 0; + struct statfs fsstat; + + /* Windows 95/98/ME don't support file system security at all. */ + if (!is_winnt) + return (0); + + /* Evaluate current CYGWIN settings. */ + cygwin = getenv("CYGWIN"); + allow_ntea = ntea_on(cygwin); + allow_ntsec = ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin)); + + /* + * `ntea' is an emulation of POSIX attributes. It doesn't support + * real file level security as ntsec on NTFS file systems does + * but it supports FAT filesystems. `ntea' is minimum requirement + * for security checks. + */ + if (allow_ntea) + return (1); + + /* + * Retrieve file system flags. In Cygwin, file system flags are + * copied to f_type which has no meaning in Win32 itself. + */ + if (statfs(filename, &fsstat)) + return (1); + + /* + * Only file systems supporting ACLs are able to set permissions. + * `ntsec' is the setting in Cygwin which switches using of NTFS + * ACLs to support POSIX permissions on files. + */ + if (fsstat.f_type & FS_PERSISTENT_ACLS) + return (allow_ntsec); + + return (0); +} + +void +register_9x_service(void) +{ + HINSTANCE kerneldll; + DWORD (*RegisterServiceProcess)(DWORD, DWORD); + + /* The service register mechanism in 9x/Me is pretty different from + * NT/2K/XP. In NT/2K/XP we're using a special service starter + * application to register and control sshd as service. This method + * doesn't play nicely with 9x/Me. For that reason we register here + * as service when running under 9x/Me. This function is only called + * by the child sshd when it's going to daemonize. + */ + if (is_winnt) + return; + if (!(kerneldll = LoadLibrary("KERNEL32.DLL"))) + return; + if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD)) + GetProcAddress(kerneldll, "RegisterServiceProcess"))) + return; + RegisterServiceProcess(0, 1); +} + +#define NL(x) x, (sizeof (x) - 1) +#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) + +static struct wenv { + const char *name; + size_t namelen; +} wenv_arr[] = { + { NL("ALLUSERSPROFILE=") }, + { NL("COMMONPROGRAMFILES=") }, + { NL("COMPUTERNAME=") }, + { NL("COMSPEC=") }, + { NL("CYGWIN=") }, + { NL("NUMBER_OF_PROCESSORS=") }, + { NL("OS=") }, + { NL("PATH=") }, + { NL("PATHEXT=") }, + { NL("PROCESSOR_ARCHITECTURE=") }, + { NL("PROCESSOR_IDENTIFIER=") }, + { NL("PROCESSOR_LEVEL=") }, + { NL("PROCESSOR_REVISION=") }, + { NL("PROGRAMFILES=") }, + { NL("SYSTEMDRIVE=") }, + { NL("SYSTEMROOT=") }, + { NL("TMP=") }, + { NL("TEMP=") }, + { NL("WINDIR=") } +}; + +char ** +fetch_windows_environment(void) +{ + char **e, **p; + int i, idx = 0; + + p = xmalloc((WENV_SIZ + 1) * sizeof(char *)); + for (e = environ; *e != NULL; ++e) { + for (i = 0; i < WENV_SIZ; ++i) { + if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen)) + p[idx++] = *e; + } + } + p[idx] = NULL; + return p; +} + +void +free_windows_environment(char **p) +{ + xfree(p); +} + +#endif /* HAVE_CYGWIN */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-cygwin_util.h openssh-4.2p1/openbsd-compat/bsd-cygwin_util.h --- ssh-openbsd-2005090100/openbsd-compat/bsd-cygwin_util.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-cygwin_util.h Mon Aug 30 20:42:08 2004 @@ -0,0 +1,57 @@ +/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */ + +/* + * Copyright (c) 2000, 2001, Corinna Vinschen + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Created: Sat Sep 02 12:17:00 2000 cv + * + * This file contains functions for forcing opened file descriptors to + * binary mode on Windows systems. + */ + +#ifndef _BSD_CYGWIN_UTIL_H +#define _BSD_CYGWIN_UTIL_H + +#ifdef HAVE_CYGWIN + +#undef ERROR +#define is_winnt (GetVersion() < 0x80000000) + +#include +#include +#include + +int binary_open(const char *, int , ...); +int binary_pipe(int fd[2]); +int check_nt_auth(int, struct passwd *); +int check_ntsec(const char *); +void register_9x_service(void); +char **fetch_windows_environment(void); +void free_windows_environment(char **); + +#define open binary_open +#define pipe binary_pipe + +#endif /* HAVE_CYGWIN */ + +#endif /* _BSD_CYGWIN_UTIL_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-getpeereid.c openssh-4.2p1/openbsd-compat/bsd-getpeereid.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-getpeereid.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-getpeereid.c Tue Feb 17 16:49:55 2004 @@ -0,0 +1,48 @@ +/* + * Copyright (c) 2002,2004 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +RCSID("$Id: bsd-getpeereid.c,v 1.3 2004/02/17 05:49:55 djm Exp $"); + +#if !defined(HAVE_GETPEEREID) + +#if defined(SO_PEERCRED) +int +getpeereid(int s, uid_t *euid, gid_t *gid) +{ + struct ucred cred; + socklen_t len = sizeof(cred); + + if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) + return (-1); + *euid = cred.uid; + *gid = cred.gid; + + return (0); +} +#else +int +getpeereid(int s, uid_t *euid, gid_t *gid) +{ + *euid = geteuid(); + *gid = getgid(); + + return (0); +} +#endif /* defined(SO_PEERCRED) */ + +#endif /* !defined(HAVE_GETPEEREID) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-misc.c openssh-4.2p1/openbsd-compat/bsd-misc.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-misc.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-misc.c Fri May 27 21:13:41 2005 @@ -0,0 +1,232 @@ + +/* + * Copyright (c) 1999-2004 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include "xmalloc.h" + +RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $"); + +#ifndef HAVE___PROGNAME +char *__progname; +#endif + +/* + * NB. duplicate __progname in case it is an alias for argv[0] + * Otherwise it may get clobbered by setproctitle() + */ +char *ssh_get_progname(char *argv0) +{ +#ifdef HAVE___PROGNAME + extern char *__progname; + + return xstrdup(__progname); +#else + char *p; + + if (argv0 == NULL) + return ("unknown"); /* XXX */ + p = strrchr(argv0, '/'); + if (p == NULL) + p = argv0; + else + p++; + + return (xstrdup(p)); +#endif +} + +#ifndef HAVE_SETLOGIN +int setlogin(const char *name) +{ + return (0); +} +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *netgroup, const char *host, + const char *user, const char *domain) +{ + return (0); +} +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t euid) +{ + return (setreuid(-1, euid)); +} +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) +int setegid(uid_t egid) +{ + return(setresgid(-1, egid, -1)); +} +#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */ + +#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR) +const char *strerror(int e) +{ + extern int sys_nerr; + extern char *sys_errlist[]; + + if ((e >= 0) && (e < sys_nerr)) + return (sys_errlist[e]); + + return ("unlisted error"); +} +#endif + +#ifndef HAVE_UTIMES +int utimes(char *filename, struct timeval *tvp) +{ + struct utimbuf ub; + + ub.actime = tvp[0].tv_sec; + ub.modtime = tvp[1].tv_sec; + + return (utime(filename, &ub)); +} +#endif + +#ifndef HAVE_TRUNCATE +int truncate(const char *path, off_t length) +{ + int fd, ret, saverrno; + + fd = open(path, O_WRONLY); + if (fd < 0) + return (-1); + + ret = ftruncate(fd, length); + saverrno = errno; + close(fd); + if (ret == -1) + errno = saverrno; + + return(ret); +} +#endif /* HAVE_TRUNCATE */ + +#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) +int nanosleep(const struct timespec *req, struct timespec *rem) +{ + int rc, saverrno; + extern int errno; + struct timeval tstart, tstop, tremain, time2wait; + + TIMESPEC_TO_TIMEVAL(&time2wait, req) + (void) gettimeofday(&tstart, NULL); + rc = select(0, NULL, NULL, NULL, &time2wait); + if (rc == -1) { + saverrno = errno; + (void) gettimeofday (&tstop, NULL); + errno = saverrno; + tremain.tv_sec = time2wait.tv_sec - + (tstop.tv_sec - tstart.tv_sec); + tremain.tv_usec = time2wait.tv_usec - + (tstop.tv_usec - tstart.tv_usec); + tremain.tv_sec += tremain.tv_usec / 1000000L; + tremain.tv_usec %= 1000000L; + } else { + tremain.tv_sec = 0; + tremain.tv_usec = 0; + } + TIMEVAL_TO_TIMESPEC(&tremain, rem) + + return(rc); +} +#endif + +#ifndef HAVE_TCGETPGRP +pid_t +tcgetpgrp(int fd) +{ + int ctty_pgrp; + + if (ioctl(fd, TIOCGPGRP, &ctty_pgrp) == -1) + return(-1); + else + return(ctty_pgrp); +} +#endif /* HAVE_TCGETPGRP */ + +#ifndef HAVE_TCSENDBREAK +int +tcsendbreak(int fd, int duration) +{ +# if defined(TIOCSBRK) && defined(TIOCCBRK) + struct timeval sleepytime; + + sleepytime.tv_sec = 0; + sleepytime.tv_usec = 400000; + if (ioctl(fd, TIOCSBRK, 0) == -1) + return (-1); + (void)select(0, 0, 0, 0, &sleepytime); + if (ioctl(fd, TIOCCBRK, 0) == -1) + return (-1); + return (0); +# else + return -1; +# endif +} +#endif /* HAVE_TCSENDBREAK */ + +mysig_t +mysignal(int sig, mysig_t act) +{ +#ifdef HAVE_SIGACTION + struct sigaction sa, osa; + + if (sigaction(sig, NULL, &osa) == -1) + return (mysig_t) -1; + if (osa.sa_handler != act) { + memset(&sa, 0, sizeof(sa)); + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; +#ifdef SA_INTERRUPT + if (sig == SIGALRM) + sa.sa_flags |= SA_INTERRUPT; +#endif + sa.sa_handler = act; + if (sigaction(sig, &sa, NULL) == -1) + return (mysig_t) -1; + } + return (osa.sa_handler); +#else + #undef signal + return (signal(sig, act)); +#endif +} + +#ifndef HAVE_STRDUP +char * +strdup(const char *str) +{ + size_t len; + char *cp; + + len = strlen(str) + 1; + cp = malloc(len); + if (cp != NULL) + if (strlcpy(cp, str, len) != len) { + free(cp); + return NULL; + } + return cp; +} +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-misc.h openssh-4.2p1/openbsd-compat/bsd-misc.h --- ssh-openbsd-2005090100/openbsd-compat/bsd-misc.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-misc.h Sat Feb 26 10:07:38 2005 @@ -0,0 +1,98 @@ +/* $Id: bsd-misc.h,v 1.18 2005/02/25 23:07:38 dtucker Exp $ */ + +/* + * Copyright (c) 1999-2004 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _BSD_MISC_H +#define _BSD_MISC_H + +#include "includes.h" + +char *ssh_get_progname(char *); + +#ifndef HAVE_SETSID +#define setsid() setpgrp(0, getpid()) +#endif /* !HAVE_SETSID */ + +#ifndef HAVE_SETENV +int setenv(const char *, const char *, int); +#endif /* !HAVE_SETENV */ + +#ifndef HAVE_SETLOGIN +int setlogin(const char *); +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *, const char *, const char *, const char *); +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t); +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) +int setegid(uid_t); +#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */ + +#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR) +const char *strerror(int); +#endif + + +#ifndef HAVE_UTIMES +#ifndef HAVE_STRUCT_TIMEVAL +struct timeval { + long tv_sec; + long tv_usec; +} +#endif /* HAVE_STRUCT_TIMEVAL */ + +int utimes(char *, struct timeval *); +#endif /* HAVE_UTIMES */ + +#ifndef HAVE_TRUNCATE +int truncate (const char *, off_t); +#endif /* HAVE_TRUNCATE */ + +#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) +#ifndef HAVE_STRUCT_TIMESPEC +struct timespec { + time_t tv_sec; + long tv_nsec; +}; +#endif +int nanosleep(const struct timespec *, struct timespec *); +#endif + +#ifndef HAVE_TCGETPGRP +pid_t tcgetpgrp(int); +#endif + +#ifndef HAVE_TCSENDBREAK +int tcsendbreak(int, int); +#endif + +#ifndef HAVE_UNSETENV +void unsetenv(const char *); +#endif + +/* wrapper for signal interface */ +typedef void (*mysig_t)(int); +mysig_t mysignal(int sig, mysig_t act); + +#define signal(a,b) mysignal(a,b) + +#endif /* _BSD_MISC_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-nextstep.c openssh-4.2p1/openbsd-compat/bsd-nextstep.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-nextstep.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-nextstep.c Sun Jun 1 13:23:57 2003 @@ -0,0 +1,105 @@ +/* + * Copyright (c) 2000,2001 Ben Lindstrom. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +RCSID("$Id: bsd-nextstep.c,v 1.6 2003/06/01 03:23:57 mouring Exp $"); + +#ifdef HAVE_NEXT +#include +#include +#include "bsd-nextstep.h" + +pid_t +posix_wait(int *status) +{ + union wait statusp; + pid_t wait_pid; + + #undef wait /* Use NeXT's wait() function */ + wait_pid = wait(&statusp); + if (status) + *status = (int) statusp.w_status; + + return (wait_pid); +} + +int +tcgetattr(int fd, struct termios *t) +{ + return (ioctl(fd, TIOCGETA, t)); +} + +int +tcsetattr(int fd, int opt, const struct termios *t) +{ + struct termios localterm; + + if (opt & TCSASOFT) { + localterm = *t; + localterm.c_cflag |= CIGNORE; + t = &localterm; + } + switch (opt & ~TCSASOFT) { + case TCSANOW: + return (ioctl(fd, TIOCSETA, t)); + case TCSADRAIN: + return (ioctl(fd, TIOCSETAW, t)); + case TCSAFLUSH: + return (ioctl(fd, TIOCSETAF, t)); + default: + errno = EINVAL; + return (-1); + } +} + +int tcsetpgrp(int fd, pid_t pgrp) +{ + return (ioctl(fd, TIOCSPGRP, &pgrp)); +} + +speed_t cfgetospeed(const struct termios *t) +{ + return (t->c_ospeed); +} + +speed_t cfgetispeed(const struct termios *t) +{ + return (t->c_ispeed); +} + +int +cfsetospeed(struct termios *t,int speed) +{ + t->c_ospeed = speed; + return (0); +} + +int +cfsetispeed(struct termios *t, int speed) +{ + t->c_ispeed = speed; + return (0); +} +#endif /* HAVE_NEXT */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-nextstep.h openssh-4.2p1/openbsd-compat/bsd-nextstep.h --- ssh-openbsd-2005090100/openbsd-compat/bsd-nextstep.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-nextstep.h Sat Aug 30 02:59:52 2003 @@ -0,0 +1,59 @@ +/* $Id: bsd-nextstep.h,v 1.9 2003/08/29 16:59:52 mouring Exp $ */ + +/* + * Copyright (c) 2000,2001 Ben Lindstrom. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef _NEXT_POSIX_H +#define _NEXT_POSIX_H + +#ifdef HAVE_NEXT +#include + +/* NGROUPS_MAX is behind -lposix. Use the BSD version which is NGROUPS */ +#undef NGROUPS_MAX +#define NGROUPS_MAX NGROUPS + +/* NeXT's readdir() is BSD (struct direct) not POSIX (struct dirent) */ +#define dirent direct + +/* Swap out NeXT's BSD wait() for a more POSIX complient one */ +pid_t posix_wait(int *); +#define wait(a) posix_wait(a) + +/* #ifdef wrapped functions that need defining for clean compiling */ +pid_t getppid(void); +void vhangup(void); +int innetgr(const char *, const char *, const char *, const char *); + +/* TERMCAP */ +int tcgetattr(int, struct termios *); +int tcsetattr(int, int, const struct termios *); +int tcsetpgrp(int, pid_t); +speed_t cfgetospeed(const struct termios *); +speed_t cfgetispeed(const struct termios *); +int cfsetospeed(struct termios *, int); +int cfsetispeed(struct termios *, int); +#endif /* HAVE_NEXT */ +#endif /* _NEXT_POSIX_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-openpty.c openssh-4.2p1/openbsd-compat/bsd-openpty.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-openpty.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-openpty.c Sat Feb 26 10:04:29 2005 @@ -0,0 +1,201 @@ +/* + * Please note: this implementation of openpty() is far from complete. + * it is just enough for portable OpenSSH's needs. + */ + +/* + * Copyright (c) 2004 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * Allocating a pseudo-terminal, and making it the controlling tty. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ + +#include "includes.h" +#if !defined(HAVE_OPENPTY) + +#ifdef HAVE_UTIL_H +# include +#endif /* HAVE_UTIL_H */ + +#ifdef HAVE_PTY_H +# include +#endif +#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) +# include +#endif + +#ifndef O_NOCTTY +#define O_NOCTTY 0 +#endif + +int +openpty(int *amaster, int *aslave, char *name, struct termios *termp, + struct winsize *winp) +{ +#if defined(HAVE__GETPTY) + /* + * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more + * pty's automagically when needed + */ + char *slave; + + if ((slave = _getpty(amaster, O_RDWR, 0622, 0)) == NULL) + return (-1); + + /* Open the slave side. */ + if ((*aslave = open(slave, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + return (0); + +#elif defined(HAVE_DEV_PTMX) + /* + * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 + * also has bsd-style ptys, but they simply do not work.) + */ + int ptm; + char *pts; + mysig_t old_signal; + + if ((ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1) + return (-1); + + /* XXX: need to close ptm on error? */ + old_signal = signal(SIGCHLD, SIG_DFL); + if (grantpt(ptm) < 0) + return (-1); + signal(SIGCHLD, old_signal); + + if (unlockpt(ptm) < 0) + return (-1); + + if ((pts = ptsname(ptm)) == NULL) + return (-1); + *amaster = ptm; + + /* Open the slave side. */ + if ((*aslave = open(pts, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + + /* + * Try to push the appropriate streams modules, as described + * in Solaris pts(7). + */ + ioctl(*aslave, I_PUSH, "ptem"); + ioctl(*aslave, I_PUSH, "ldterm"); +# ifndef __hpux + ioctl(*aslave, I_PUSH, "ttcompat"); +# endif /* __hpux */ + + return (0); + +#elif defined(HAVE_DEV_PTS_AND_PTC) + /* AIX-style pty code. */ + const char *ttname; + + if ((*amaster = open("/dev/ptc", O_RDWR | O_NOCTTY)) == -1) + return (-1); + if ((ttname = ttyname(*amaster)) == NULL) + return (-1); + if ((*aslave = open(ttname, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + return (0); + +#elif defined(_UNICOS) + char ptbuf[64], ttbuf[64]; + int i; + int highpty; + + highpty = 128; +#ifdef _SC_CRAY_NPTY + if ((highpty = sysconf(_SC_CRAY_NPTY)) == -1) + highpty = 128; +#endif /* _SC_CRAY_NPTY */ + + for (i = 0; i < highpty; i++) { + snprintf(ptbuf, sizeof(ptbuf), "/dev/pty/%03d", i); + snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%03d", i); + if ((*amaster = open(ptbuf, O_RDWR|O_NOCTTY)) == -1) + continue; + /* Open the slave side. */ + if ((*aslave = open(ttbuf, O_RDWR|O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + return (0); + } + return (-1); + +#else + /* BSD-style pty code. */ + char ptbuf[64], ttbuf[64]; + int i; + const char *ptymajors = "pqrstuvwxyzabcdefghijklmno" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; + const char *ptyminors = "0123456789abcdef"; + int num_minors = strlen(ptyminors); + int num_ptys = strlen(ptymajors) * num_minors; + struct termios tio; + + for (i = 0; i < num_ptys; i++) { + snprintf(ptbuf, sizeof(ptbuf), "/dev/pty%c%c", + ptymajors[i / num_minors], ptyminors[i % num_minors]); + snprintf(ttbuf, sizeof(ttbuf), "/dev/tty%c%c", + ptymajors[i / num_minors], ptyminors[i % num_minors]); + + if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1) { + /* Try SCO style naming */ + snprintf(ptbuf, sizeof(ptbuf), "/dev/ptyp%d", i); + snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%d", i); + if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1) + continue; + } + + /* Open the slave side. */ + if ((*aslave = open(ttbuf, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + /* set tty modes to a sane state for broken clients */ + if (tcgetattr(*amaster, &tio) != -1) { + tio.c_lflag |= (ECHO | ISIG | ICANON); + tio.c_oflag |= (OPOST | ONLCR); + tio.c_iflag |= ICRNL; + tcsetattr(*amaster, TCSANOW, &tio); + } + + return (0); + } + return (-1); +#endif +} + +#endif /* !defined(HAVE_OPENPTY) */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-snprintf.c openssh-4.2p1/openbsd-compat/bsd-snprintf.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-snprintf.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-snprintf.c Thu Sep 23 21:35:09 2004 @@ -0,0 +1,652 @@ +/* + * Copyright Patrick Powell 1995 + * This code is based on code written by Patrick Powell (papowell@astart.com) + * It may be used for any purpose as long as this notice remains intact + * on all source code distributions + */ + +/************************************************************** + * Original: + * Patrick Powell Tue Apr 11 09:48:21 PDT 1995 + * A bombproof version of doprnt (dopr) included. + * Sigh. This sort of thing is always nasty do deal with. Note that + * the version here does not include floating point... + * + * snprintf() is used instead of sprintf() as it does limit checks + * for string length. This covers a nasty loophole. + * + * The other functions are there to prevent NULL pointers from + * causing nast effects. + * + * More Recently: + * Brandon Long 9/15/96 for mutt 0.43 + * This was ugly. It is still ugly. I opted out of floating point + * numbers, but the formatter understands just about everything + * from the normal C string format, at least as far as I can tell from + * the Solaris 2.5 printf(3S) man page. + * + * Brandon Long 10/22/97 for mutt 0.87.1 + * Ok, added some minimal floating point support, which means this + * probably requires libm on most operating systems. Don't yet + * support the exponent (e,E) and sigfig (g,G). Also, fmtint() + * was pretty badly broken, it just wasn't being exercised in ways + * which showed it, so that's been fixed. Also, formated the code + * to mutt conventions, and removed dead code left over from the + * original. Also, there is now a builtin-test, just compile with: + * gcc -DTEST_SNPRINTF -o snprintf snprintf.c -lm + * and run snprintf for results. + * + * Thomas Roessler 01/27/98 for mutt 0.89i + * The PGP code was using unsigned hexadecimal formats. + * Unfortunately, unsigned formats simply didn't work. + * + * Michael Elkins 03/05/98 for mutt 0.90.8 + * The original code assumed that both snprintf() and vsnprintf() were + * missing. Some systems only have snprintf() but not vsnprintf(), so + * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF. + * + * Ben Lindstrom 09/27/00 for OpenSSH + * Welcome to the world of %lld and %qd support. With other + * long long support. This is needed for sftp-server to work + * right. + * + * Ben Lindstrom 02/12/01 for OpenSSH + * Removed all hint of VARARGS stuff and banished it to the void, + * and did a bit of KNF style work to make things a bit more + * acceptable. Consider stealing from mutt or enlightenment. + **************************************************************/ + +#include "includes.h" + +RCSID("$Id: bsd-snprintf.c,v 1.9 2004/09/23 11:35:09 dtucker Exp $"); + +#if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */ +# undef HAVE_SNPRINTF +# undef HAVE_VSNPRINTF +#endif + +#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) + +static void +dopr(char *buffer, size_t maxlen, const char *format, va_list args); + +static void +fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, + int min, int max); + +static void +fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base, + int min, int max, int flags); + +static void +fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, + int min, int max, int flags); + +static void +dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); + +/* + * dopr(): poor man's version of doprintf + */ + +/* format read states */ +#define DP_S_DEFAULT 0 +#define DP_S_FLAGS 1 +#define DP_S_MIN 2 +#define DP_S_DOT 3 +#define DP_S_MAX 4 +#define DP_S_MOD 5 +#define DP_S_CONV 6 +#define DP_S_DONE 7 + +/* format flags - Bits */ +#define DP_F_MINUS (1 << 0) +#define DP_F_PLUS (1 << 1) +#define DP_F_SPACE (1 << 2) +#define DP_F_NUM (1 << 3) +#define DP_F_ZERO (1 << 4) +#define DP_F_UP (1 << 5) +#define DP_F_UNSIGNED (1 << 6) + +/* Conversion Flags */ +#define DP_C_SHORT 1 +#define DP_C_LONG 2 +#define DP_C_LDOUBLE 3 +#define DP_C_LONG_LONG 4 + +#define char_to_int(p) (p - '0') +#define abs_val(p) (p < 0 ? -p : p) + + +static void +dopr(char *buffer, size_t maxlen, const char *format, va_list args) +{ + char *strvalue, ch; + long value; + long double fvalue; + int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0; + size_t currlen = 0; + + ch = *format++; + + while (state != DP_S_DONE) { + if ((ch == '\0') || (currlen >= maxlen)) + state = DP_S_DONE; + + switch(state) { + case DP_S_DEFAULT: + if (ch == '%') + state = DP_S_FLAGS; + else + dopr_outch(buffer, &currlen, maxlen, ch); + ch = *format++; + break; + case DP_S_FLAGS: + switch (ch) { + case '-': + flags |= DP_F_MINUS; + ch = *format++; + break; + case '+': + flags |= DP_F_PLUS; + ch = *format++; + break; + case ' ': + flags |= DP_F_SPACE; + ch = *format++; + break; + case '#': + flags |= DP_F_NUM; + ch = *format++; + break; + case '0': + flags |= DP_F_ZERO; + ch = *format++; + break; + default: + state = DP_S_MIN; + break; + } + break; + case DP_S_MIN: + if (isdigit((unsigned char)ch)) { + min = 10 * min + char_to_int (ch); + ch = *format++; + } else if (ch == '*') { + min = va_arg (args, int); + ch = *format++; + state = DP_S_DOT; + } else + state = DP_S_DOT; + break; + case DP_S_DOT: + if (ch == '.') { + state = DP_S_MAX; + ch = *format++; + } else + state = DP_S_MOD; + break; + case DP_S_MAX: + if (isdigit((unsigned char)ch)) { + if (max < 0) + max = 0; + max = 10 * max + char_to_int(ch); + ch = *format++; + } else if (ch == '*') { + max = va_arg (args, int); + ch = *format++; + state = DP_S_MOD; + } else + state = DP_S_MOD; + break; + case DP_S_MOD: + switch (ch) { + case 'h': + cflags = DP_C_SHORT; + ch = *format++; + break; + case 'l': + cflags = DP_C_LONG; + ch = *format++; + if (ch == 'l') { + cflags = DP_C_LONG_LONG; + ch = *format++; + } + break; + case 'q': + cflags = DP_C_LONG_LONG; + ch = *format++; + break; + case 'L': + cflags = DP_C_LDOUBLE; + ch = *format++; + break; + default: + break; + } + state = DP_S_CONV; + break; + case DP_S_CONV: + switch (ch) { + case 'd': + case 'i': + if (cflags == DP_C_SHORT) + value = va_arg(args, int); + else if (cflags == DP_C_LONG) + value = va_arg(args, long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, long long); + else + value = va_arg (args, int); + fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags); + break; + case 'o': + flags |= DP_F_UNSIGNED; + if (cflags == DP_C_SHORT) + value = va_arg(args, unsigned int); + else if (cflags == DP_C_LONG) + value = va_arg(args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg(args, unsigned long long); + else + value = va_arg(args, unsigned int); + fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags); + break; + case 'u': + flags |= DP_F_UNSIGNED; + if (cflags == DP_C_SHORT) + value = va_arg(args, unsigned int); + else if (cflags == DP_C_LONG) + value = va_arg(args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg(args, unsigned long long); + else + value = va_arg(args, unsigned int); + fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); + break; + case 'X': + flags |= DP_F_UP; + case 'x': + flags |= DP_F_UNSIGNED; + if (cflags == DP_C_SHORT) + value = va_arg(args, unsigned int); + else if (cflags == DP_C_LONG) + value = va_arg(args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg(args, unsigned long long); + else + value = va_arg(args, unsigned int); + fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags); + break; + case 'f': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, long double); + else + fvalue = va_arg(args, double); + /* um, floating point? */ + fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags); + break; + case 'E': + flags |= DP_F_UP; + case 'e': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, long double); + else + fvalue = va_arg(args, double); + break; + case 'G': + flags |= DP_F_UP; + case 'g': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, long double); + else + fvalue = va_arg(args, double); + break; + case 'c': + dopr_outch(buffer, &currlen, maxlen, va_arg(args, int)); + break; + case 's': + strvalue = va_arg(args, char *); + if (max < 0) + max = maxlen; /* ie, no max */ + fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max); + break; + case 'p': + strvalue = va_arg(args, void *); + fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags); + break; + case 'n': + if (cflags == DP_C_SHORT) { + short int *num; + num = va_arg(args, short int *); + *num = currlen; + } else if (cflags == DP_C_LONG) { + long int *num; + num = va_arg(args, long int *); + *num = currlen; + } else if (cflags == DP_C_LONG_LONG) { + long long *num; + num = va_arg(args, long long *); + *num = currlen; + } else { + int *num; + num = va_arg(args, int *); + *num = currlen; + } + break; + case '%': + dopr_outch(buffer, &currlen, maxlen, ch); + break; + case 'w': /* not supported yet, treat as next char */ + ch = *format++; + break; + default: /* Unknown, skip */ + break; + } + ch = *format++; + state = DP_S_DEFAULT; + flags = cflags = min = 0; + max = -1; + break; + case DP_S_DONE: + break; + default: /* hmm? */ + break; /* some picky compilers need this */ + } + } + if (currlen < maxlen - 1) + buffer[currlen] = '\0'; + else + buffer[maxlen - 1] = '\0'; +} + +static void +fmtstr(char *buffer, size_t *currlen, size_t maxlen, + char *value, int flags, int min, int max) +{ + int cnt = 0, padlen, strln; /* amount to pad */ + + if (value == 0) + value = ""; + + for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */ + padlen = min - strln; + if (padlen < 0) + padlen = 0; + if (flags & DP_F_MINUS) + padlen = -padlen; /* Left Justify */ + + while ((padlen > 0) && (cnt < max)) { + dopr_outch(buffer, currlen, maxlen, ' '); + --padlen; + ++cnt; + } + while (*value && (cnt < max)) { + dopr_outch(buffer, currlen, maxlen, *value++); + ++cnt; + } + while ((padlen < 0) && (cnt < max)) { + dopr_outch(buffer, currlen, maxlen, ' '); + ++padlen; + ++cnt; + } +} + +/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */ + +static void +fmtint(char *buffer, size_t *currlen, size_t maxlen, + long value, int base, int min, int max, int flags) +{ + unsigned long uvalue; + char convert[20]; + int signvalue = 0, place = 0, caps = 0; + int spadlen = 0; /* amount to space pad */ + int zpadlen = 0; /* amount to zero pad */ + + if (max < 0) + max = 0; + + uvalue = value; + + if (!(flags & DP_F_UNSIGNED)) { + if (value < 0) { + signvalue = '-'; + uvalue = -value; + } else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ + signvalue = '+'; + else if (flags & DP_F_SPACE) + signvalue = ' '; + } + + if (flags & DP_F_UP) + caps = 1; /* Should characters be upper case? */ + do { + convert[place++] = + (caps ? "0123456789ABCDEF" : "0123456789abcdef") + [uvalue % (unsigned)base]; + uvalue = (uvalue / (unsigned)base ); + } while (uvalue && (place < 20)); + if (place == 20) + place--; + convert[place] = 0; + + zpadlen = max - place; + spadlen = min - MAX (max, place) - (signvalue ? 1 : 0); + if (zpadlen < 0) + zpadlen = 0; + if (spadlen < 0) + spadlen = 0; + if (flags & DP_F_ZERO) { + zpadlen = MAX(zpadlen, spadlen); + spadlen = 0; + } + if (flags & DP_F_MINUS) + spadlen = -spadlen; /* Left Justifty */ + + /* Spaces */ + while (spadlen > 0) { + dopr_outch(buffer, currlen, maxlen, ' '); + --spadlen; + } + + /* Sign */ + if (signvalue) + dopr_outch(buffer, currlen, maxlen, signvalue); + + /* Zeros */ + if (zpadlen > 0) { + while (zpadlen > 0) { + dopr_outch(buffer, currlen, maxlen, '0'); + --zpadlen; + } + } + + /* Digits */ + while (place > 0) + dopr_outch(buffer, currlen, maxlen, convert[--place]); + + /* Left Justified spaces */ + while (spadlen < 0) { + dopr_outch (buffer, currlen, maxlen, ' '); + ++spadlen; + } +} + +static long double +pow10(int exp) +{ + long double result = 1; + + while (exp) { + result *= 10; + exp--; + } + + return result; +} + +static long +round(long double value) +{ + long intpart = value; + + value -= intpart; + if (value >= 0.5) + intpart++; + + return intpart; +} + +static void +fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, + int min, int max, int flags) +{ + char iconvert[20], fconvert[20]; + int signvalue = 0, iplace = 0, fplace = 0; + int padlen = 0; /* amount to pad */ + int zpadlen = 0, caps = 0; + long intpart, fracpart; + long double ufvalue; + + /* + * AIX manpage says the default is 0, but Solaris says the default + * is 6, and sprintf on AIX defaults to 6 + */ + if (max < 0) + max = 6; + + ufvalue = abs_val(fvalue); + + if (fvalue < 0) + signvalue = '-'; + else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ + signvalue = '+'; + else if (flags & DP_F_SPACE) + signvalue = ' '; + + intpart = ufvalue; + + /* + * Sorry, we only support 9 digits past the decimal because of our + * conversion method + */ + if (max > 9) + max = 9; + + /* We "cheat" by converting the fractional part to integer by + * multiplying by a factor of 10 + */ + fracpart = round((pow10 (max)) * (ufvalue - intpart)); + + if (fracpart >= pow10 (max)) { + intpart++; + fracpart -= pow10 (max); + } + + /* Convert integer part */ + do { + iconvert[iplace++] = + (caps ? "0123456789ABCDEF" : "0123456789abcdef") + [intpart % 10]; + intpart = (intpart / 10); + } while(intpart && (iplace < 20)); + if (iplace == 20) + iplace--; + iconvert[iplace] = 0; + + /* Convert fractional part */ + do { + fconvert[fplace++] = + (caps ? "0123456789ABCDEF" : "0123456789abcdef") + [fracpart % 10]; + fracpart = (fracpart / 10); + } while(fracpart && (fplace < 20)); + if (fplace == 20) + fplace--; + fconvert[fplace] = 0; + + /* -1 for decimal point, another -1 if we are printing a sign */ + padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); + zpadlen = max - fplace; + if (zpadlen < 0) + zpadlen = 0; + if (padlen < 0) + padlen = 0; + if (flags & DP_F_MINUS) + padlen = -padlen; /* Left Justifty */ + + if ((flags & DP_F_ZERO) && (padlen > 0)) { + if (signvalue) { + dopr_outch(buffer, currlen, maxlen, signvalue); + --padlen; + signvalue = 0; + } + while (padlen > 0) { + dopr_outch(buffer, currlen, maxlen, '0'); + --padlen; + } + } + while (padlen > 0) { + dopr_outch(buffer, currlen, maxlen, ' '); + --padlen; + } + if (signvalue) + dopr_outch(buffer, currlen, maxlen, signvalue); + + while (iplace > 0) + dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]); + + /* + * Decimal point. This should probably use locale to find the + * correct char to print out. + */ + dopr_outch(buffer, currlen, maxlen, '.'); + + while (fplace > 0) + dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]); + + while (zpadlen > 0) { + dopr_outch(buffer, currlen, maxlen, '0'); + --zpadlen; + } + + while (padlen < 0) { + dopr_outch(buffer, currlen, maxlen, ' '); + ++padlen; + } +} + +static void +dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c) +{ + if (*currlen < maxlen) + buffer[(*currlen)++] = c; +} +#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ + +#ifndef HAVE_VSNPRINTF +int +vsnprintf(char *str, size_t count, const char *fmt, va_list args) +{ + str[0] = 0; + dopr(str, count, fmt, args); + + return(strlen(str)); +} +#endif /* !HAVE_VSNPRINTF */ + +#ifndef HAVE_SNPRINTF +int +snprintf(char *str,size_t count,const char *fmt,...) +{ + va_list ap; + + va_start(ap, fmt); + (void) vsnprintf(str, count, fmt, ap); + va_end(ap); + + return(strlen(str)); +} + +#endif /* !HAVE_SNPRINTF */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-waitpid.c openssh-4.2p1/openbsd-compat/bsd-waitpid.c --- ssh-openbsd-2005090100/openbsd-compat/bsd-waitpid.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-waitpid.c Sun Jun 1 13:23:57 2003 @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2000 Ben Lindstrom. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +RCSID("$Id: bsd-waitpid.c,v 1.5 2003/06/01 03:23:57 mouring Exp $"); + +#ifndef HAVE_WAITPID +#include +#include +#include "bsd-waitpid.h" + +pid_t +waitpid(int pid, int *stat_loc, int options) +{ + union wait statusp; + pid_t wait_pid; + + if (pid <= 0) { + if (pid != -1) { + errno = EINVAL; + return (-1); + } + /* wait4() wants pid=0 for indiscriminate wait. */ + pid = 0; + } + wait_pid = wait4(pid, &statusp, options, NULL); + if (stat_loc) + *stat_loc = (int) statusp.w_status; + + return (wait_pid); +} + +#endif /* !HAVE_WAITPID */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/bsd-waitpid.h openssh-4.2p1/openbsd-compat/bsd-waitpid.h --- ssh-openbsd-2005090100/openbsd-compat/bsd-waitpid.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/bsd-waitpid.h Sat Aug 30 02:59:52 2003 @@ -0,0 +1,51 @@ +/* $Id: bsd-waitpid.h,v 1.5 2003/08/29 16:59:52 mouring Exp $ */ + +/* + * Copyright (c) 2000 Ben Lindstrom. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef _BSD_WAITPID_H +#define _BSD_WAITPID_H + +#ifndef HAVE_WAITPID +/* Clean out any potental issues */ +#undef WIFEXITED +#undef WIFSTOPPED +#undef WIFSIGNALED + +/* Define required functions to mimic a POSIX look and feel */ +#define _W_INT(w) (*(int*)&(w)) /* convert union wait to int */ +#define WIFEXITED(w) (!((_W_INT(w)) & 0377)) +#define WIFSTOPPED(w) ((_W_INT(w)) & 0100) +#define WIFSIGNALED(w) (!WIFEXITED(w) && !WIFSTOPPED(w)) +#define WEXITSTATUS(w) (int)(WIFEXITED(w) ? ((_W_INT(w) >> 8) & 0377) : -1) +#define WTERMSIG(w) (int)(WIFSIGNALED(w) ? (_W_INT(w) & 0177) : -1) +#define WCOREFLAG 0x80 +#define WCOREDUMP(w) ((_W_INT(w)) & WCOREFLAG) + +/* Prototype */ +pid_t waitpid(int, int *, int); + +#endif /* !HAVE_WAITPID */ +#endif /* _BSD_WAITPID_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/daemon.c openssh-4.2p1/openbsd-compat/daemon.c --- ssh-openbsd-2005090100/openbsd-compat/daemon.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/daemon.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,81 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */ + +/*- + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#ifndef HAVE_DAEMON + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +int +daemon(int nochdir, int noclose) +{ + int fd; + + switch (fork()) { + case -1: + return (-1); + case 0: +#ifdef HAVE_CYGWIN + register_9x_service(); +#endif + break; + default: +#ifdef HAVE_CYGWIN + /* + * This sleep avoids a race condition which kills the + * child process if parent is started by a NT/W2K service. + */ + sleep(1); +#endif + _exit(0); + } + + if (setsid() == -1) + return (-1); + + if (!nochdir) + (void)chdir("/"); + + if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { + (void)dup2(fd, STDIN_FILENO); + (void)dup2(fd, STDOUT_FILENO); + (void)dup2(fd, STDERR_FILENO); + if (fd > 2) + (void)close (fd); + } + return (0); +} + +#endif /* !HAVE_DAEMON */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/dirname.c openssh-4.2p1/openbsd-compat/dirname.c --- ssh-openbsd-2005090100/openbsd-compat/dirname.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/dirname.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,70 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */ + +/* $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $ */ + +/* + * Copyright (c) 1997 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#ifndef HAVE_DIRNAME + +#ifndef lint +static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $"; +#endif /* not lint */ + +#include +#include +#include + +char * +dirname(const char *path) +{ + static char bname[MAXPATHLEN]; + register const char *endp; + + /* Empty or NULL string gets treated as "." */ + if (path == NULL || *path == '\0') { + (void)strlcpy(bname, ".", sizeof bname); + return(bname); + } + + /* Strip trailing slashes */ + endp = path + strlen(path) - 1; + while (endp > path && *endp == '/') + endp--; + + /* Find the start of the dir */ + while (endp > path && *endp != '/') + endp--; + + /* Either the dir is "/" or there are no slashes */ + if (endp == path) { + (void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname); + return(bname); + } else { + do { + endp--; + } while (endp > path && *endp == '/'); + } + + if (endp - path + 2 > sizeof(bname)) { + errno = ENAMETOOLONG; + return(NULL); + } + strlcpy(bname, path, endp - path + 2); + return(bname); +} +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/fake-rfc2553.c openssh-4.2p1/openbsd-compat/fake-rfc2553.c --- ssh-openbsd-2005090100/openbsd-compat/fake-rfc2553.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/fake-rfc2553.c Mon Sep 22 12:08:23 2003 @@ -0,0 +1,224 @@ +/* + * Copyright (C) 2000-2003 Damien Miller. All rights reserved. + * Copyright (C) 1999 WIDE Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Pseudo-implementation of RFC2553 name / address resolution functions + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For example, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + */ + +#include "includes.h" + +RCSID("$Id: fake-rfc2553.c,v 1.5 2003/09/22 02:08:23 dtucker Exp $"); + +#ifndef HAVE_GETNAMEINFO +int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, + size_t hostlen, char *serv, size_t servlen, int flags) +{ + struct sockaddr_in *sin = (struct sockaddr_in *)sa; + struct hostent *hp; + char tmpserv[16]; + + if (serv != NULL) { + snprintf(tmpserv, sizeof(tmpserv), "%d", ntohs(sin->sin_port)); + if (strlcpy(serv, tmpserv, servlen) >= servlen) + return (EAI_MEMORY); + } + + if (host != NULL) { + if (flags & NI_NUMERICHOST) { + if (strlcpy(host, inet_ntoa(sin->sin_addr), + hostlen) >= hostlen) + return (EAI_MEMORY); + else + return (0); + } else { + hp = gethostbyaddr((char *)&sin->sin_addr, + sizeof(struct in_addr), AF_INET); + if (hp == NULL) + return (EAI_NODATA); + + if (strlcpy(host, hp->h_name, hostlen) >= hostlen) + return (EAI_MEMORY); + else + return (0); + } + } + return (0); +} +#endif /* !HAVE_GETNAMEINFO */ + +#ifndef HAVE_GAI_STRERROR +#ifdef HAVE_CONST_GAI_STRERROR_PROTO +const char * +#else +char * +#endif +gai_strerror(int err) +{ + switch (err) { + case EAI_NODATA: + return ("no address associated with name"); + case EAI_MEMORY: + return ("memory allocation failure."); + case EAI_NONAME: + return ("nodename nor servname provided, or not known"); + default: + return ("unknown/invalid error."); + } +} +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void +freeaddrinfo(struct addrinfo *ai) +{ + struct addrinfo *next; + + for(; ai != NULL;) { + next = ai->ai_next; + free(ai); + ai = next; + } +} +#endif /* !HAVE_FREEADDRINFO */ + +#ifndef HAVE_GETADDRINFO +static struct +addrinfo *malloc_ai(int port, u_long addr, const struct addrinfo *hints) +{ + struct addrinfo *ai; + + ai = malloc(sizeof(*ai) + sizeof(struct sockaddr_in)); + if (ai == NULL) + return (NULL); + + memset(ai, '\0', sizeof(*ai) + sizeof(struct sockaddr_in)); + + ai->ai_addr = (struct sockaddr *)(ai + 1); + /* XXX -- ssh doesn't use sa_len */ + ai->ai_addrlen = sizeof(struct sockaddr_in); + ai->ai_addr->sa_family = ai->ai_family = AF_INET; + + ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; + ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; + + /* XXX: the following is not generally correct, but does what we want */ + if (hints->ai_socktype) + ai->ai_socktype = hints->ai_socktype; + else + ai->ai_socktype = SOCK_STREAM; + + if (hints->ai_protocol) + ai->ai_protocol = hints->ai_protocol; + + return (ai); +} + +int +getaddrinfo(const char *hostname, const char *servname, + const struct addrinfo *hints, struct addrinfo **res) +{ + struct hostent *hp; + struct servent *sp; + struct in_addr in; + int i; + long int port; + u_long addr; + + port = 0; + if (servname != NULL) { + char *cp; + + port = strtol(servname, &cp, 10); + if (port > 0 && port <= 65535 && *cp == '\0') + port = htons(port); + else if ((sp = getservbyname(servname, NULL)) != NULL) + port = sp->s_port; + else + port = 0; + } + + if (hints && hints->ai_flags & AI_PASSIVE) { + addr = htonl(0x00000000); + if (hostname && inet_aton(hostname, &in) != 0) + addr = in.s_addr; + *res = malloc_ai(port, addr, hints); + if (*res == NULL) + return (EAI_MEMORY); + return (0); + } + + if (!hostname) { + *res = malloc_ai(port, htonl(0x7f000001), hints); + if (*res == NULL) + return (EAI_MEMORY); + return (0); + } + + if (inet_aton(hostname, &in)) { + *res = malloc_ai(port, in.s_addr, hints); + if (*res == NULL) + return (EAI_MEMORY); + return (0); + } + + /* Don't try DNS if AI_NUMERICHOST is set */ + if (hints && hints->ai_flags & AI_NUMERICHOST) + return (EAI_NONAME); + + hp = gethostbyname(hostname); + if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { + struct addrinfo *cur, *prev; + + cur = prev = *res = NULL; + for (i = 0; hp->h_addr_list[i]; i++) { + struct in_addr *in = (struct in_addr *)hp->h_addr_list[i]; + + cur = malloc_ai(port, in->s_addr, hints); + if (cur == NULL) { + if (*res != NULL) + freeaddrinfo(*res); + return (EAI_MEMORY); + } + if (prev) + prev->ai_next = cur; + else + *res = cur; + + prev = cur; + } + return (0); + } + + return (EAI_NODATA); +} +#endif /* !HAVE_GETADDRINFO */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/fake-rfc2553.h openssh-4.2p1/openbsd-compat/fake-rfc2553.h --- ssh-openbsd-2005090100/openbsd-compat/fake-rfc2553.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/fake-rfc2553.h Wed Aug 3 15:36:21 2005 @@ -0,0 +1,168 @@ +/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */ + +/* + * Copyright (C) 2000-2003 Damien Miller. All rights reserved. + * Copyright (C) 1999 WIDE Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Pseudo-implementation of RFC2553 name / address resolution functions + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For example, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + */ + +#ifndef _FAKE_RFC2553_H +#define _FAKE_RFC2553_H + +#include "includes.h" +#include "sys/types.h" + +/* + * First, socket and INET6 related definitions + */ +#ifndef HAVE_STRUCT_SOCKADDR_STORAGE +# define _SS_MAXSIZE 128 /* Implementation specific max size */ +# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr)) +struct sockaddr_storage { + struct sockaddr ss_sa; + char __ss_pad2[_SS_PADSIZE]; +}; +# define ss_family ss_sa.sa_family +#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ + +#ifndef IN6_IS_ADDR_LOOPBACK +# define IN6_IS_ADDR_LOOPBACK(a) \ + (((u_int32_t *)(a))[0] == 0 && ((u_int32_t *)(a))[1] == 0 && \ + ((u_int32_t *)(a))[2] == 0 && ((u_int32_t *)(a))[3] == htonl(1)) +#endif /* !IN6_IS_ADDR_LOOPBACK */ + +#ifndef HAVE_STRUCT_IN6_ADDR +struct in6_addr { + u_int8_t s6_addr[16]; +}; +#endif /* !HAVE_STRUCT_IN6_ADDR */ + +#ifndef HAVE_STRUCT_SOCKADDR_IN6 +struct sockaddr_in6 { + unsigned short sin6_family; + u_int16_t sin6_port; + u_int32_t sin6_flowinfo; + struct in6_addr sin6_addr; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */ + +#ifndef AF_INET6 +/* Define it to something that should never appear */ +#define AF_INET6 AF_MAX +#endif + +/* + * Next, RFC2553 name / address resolution API + */ + +#ifndef NI_NUMERICHOST +# define NI_NUMERICHOST (1) +#endif +#ifndef NI_NAMEREQD +# define NI_NAMEREQD (1<<1) +#endif +#ifndef NI_NUMERICSERV +# define NI_NUMERICSERV (1<<2) +#endif + +#ifndef AI_PASSIVE +# define AI_PASSIVE (1) +#endif +#ifndef AI_CANONNAME +# define AI_CANONNAME (1<<1) +#endif +#ifndef AI_NUMERICHOST +# define AI_NUMERICHOST (1<<2) +#endif + +#ifndef NI_MAXSERV +# define NI_MAXSERV 32 +#endif /* !NI_MAXSERV */ +#ifndef NI_MAXHOST +# define NI_MAXHOST 1025 +#endif /* !NI_MAXHOST */ + +#ifndef EAI_NODATA +# define EAI_NODATA (INT_MAX - 1) +#endif +#ifndef EAI_MEMORY +# define EAI_MEMORY (INT_MAX - 2) +#endif +#ifndef EAI_NONAME +# define EAI_NONAME (INT_MAX - 3) +#endif +#ifndef EAI_SYSTEM +# define EAI_SYSTEM (INT_MAX - 4) +#endif + +#ifndef HAVE_STRUCT_ADDRINFO +struct addrinfo { + int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ + int ai_family; /* PF_xxx */ + int ai_socktype; /* SOCK_xxx */ + int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ + size_t ai_addrlen; /* length of ai_addr */ + char *ai_canonname; /* canonical name for hostname */ + struct sockaddr *ai_addr; /* binary address */ + struct addrinfo *ai_next; /* next structure in linked list */ +}; +#endif /* !HAVE_STRUCT_ADDRINFO */ + +#ifndef HAVE_GETADDRINFO +#ifdef getaddrinfo +# undef getaddrinfo +#endif +#define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d)) +int getaddrinfo(const char *, const char *, + const struct addrinfo *, struct addrinfo **); +#endif /* !HAVE_GETADDRINFO */ + +#if !defined(HAVE_GAI_STRERROR) && !defined(HAVE_CONST_GAI_STRERROR_PROTO) +#define gai_strerror(a) (ssh_gai_strerror(a)) +char *gai_strerror(int); +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +#define freeaddrinfo(a) (ssh_freeaddrinfo(a)) +void freeaddrinfo(struct addrinfo *); +#endif /* !HAVE_FREEADDRINFO */ + +#ifndef HAVE_GETNAMEINFO +#define getnameinfo(a,b,c,d,e,f,g) (ssh_getnameinfo(a,b,c,d,e,f,g)) +int getnameinfo(const struct sockaddr *, size_t, char *, size_t, + char *, size_t, int); +#endif /* !HAVE_GETNAMEINFO */ + +#endif /* !_FAKE_RFC2553_H */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/getcwd.c openssh-4.2p1/openbsd-compat/getcwd.c --- ssh-openbsd-2005090100/openbsd-compat/getcwd.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/getcwd.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,242 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */ + +/* + * Copyright (c) 1989, 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#if !defined(HAVE_GETCWD) + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "includes.h" + +#define ISDOT(dp) \ + (dp->d_name[0] == '.' && (dp->d_name[1] == '\0' || \ + (dp->d_name[1] == '.' && dp->d_name[2] == '\0'))) + +char * +getcwd(char *pt, size_t size) +{ + register struct dirent *dp; + register DIR *dir = NULL; + register dev_t dev; + register ino_t ino; + register int first; + register char *bpt, *bup; + struct stat s; + dev_t root_dev; + ino_t root_ino; + size_t ptsize, upsize; + int save_errno; + char *ept, *eup, *up; + + /* + * If no buffer specified by the user, allocate one as necessary. + * If a buffer is specified, the size has to be non-zero. The path + * is built from the end of the buffer backwards. + */ + if (pt) { + ptsize = 0; + if (!size) { + errno = EINVAL; + return (NULL); + } + ept = pt + size; + } else { + if ((pt = malloc(ptsize = 1024 - 4)) == NULL) + return (NULL); + ept = pt + ptsize; + } + bpt = ept - 1; + *bpt = '\0'; + + /* + * Allocate bytes (1024 - malloc space) for the string of "../"'s. + * Should always be enough (it's 340 levels). If it's not, allocate + * as necessary. Special * case the first stat, it's ".", not "..". + */ + if ((up = malloc(upsize = 1024 - 4)) == NULL) + goto err; + eup = up + MAXPATHLEN; + bup = up; + up[0] = '.'; + up[1] = '\0'; + + /* Save root values, so know when to stop. */ + if (stat("/", &s)) + goto err; + root_dev = s.st_dev; + root_ino = s.st_ino; + + errno = 0; /* XXX readdir has no error return. */ + + for (first = 1;; first = 0) { + /* Stat the current level. */ + if (lstat(up, &s)) + goto err; + + /* Save current node values. */ + ino = s.st_ino; + dev = s.st_dev; + + /* Check for reaching root. */ + if (root_dev == dev && root_ino == ino) { + *--bpt = '/'; + /* + * It's unclear that it's a requirement to copy the + * path to the beginning of the buffer, but it's always + * been that way and stuff would probably break. + */ + memmove(pt, bpt, ept - bpt); + free(up); + return (pt); + } + + /* + * Build pointer to the parent directory, allocating memory + * as necessary. Max length is 3 for "../", the largest + * possible component name, plus a trailing NUL. + */ + if (bup + 3 + MAXNAMLEN + 1 >= eup) { + char *nup; + + if ((nup = realloc(up, upsize *= 2)) == NULL) + goto err; + up = nup; + bup = up; + eup = up + upsize; + } + *bup++ = '.'; + *bup++ = '.'; + *bup = '\0'; + + /* Open and stat parent directory. + * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s) + */ + if (!(dir = opendir(up)) || lstat(up,&s)) + goto err; + + /* Add trailing slash for next directory. */ + *bup++ = '/'; + + /* + * If it's a mount point, have to stat each element because + * the inode number in the directory is for the entry in the + * parent directory, not the inode number of the mounted file. + */ + save_errno = 0; + if (s.st_dev == dev) { + for (;;) { + if (!(dp = readdir(dir))) + goto notfound; + if (dp->d_fileno == ino) + break; + } + } else + for (;;) { + if (!(dp = readdir(dir))) + goto notfound; + if (ISDOT(dp)) + continue; + memmove(bup, dp->d_name, dp->d_namlen + 1); + + /* Save the first error for later. */ + if (lstat(up, &s)) { + if (!save_errno) + save_errno = errno; + errno = 0; + continue; + } + if (s.st_dev == dev && s.st_ino == ino) + break; + } + + /* + * Check for length of the current name, preceding slash, + * leading slash. + */ + if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) { + size_t len, off; + char *npt; + + if (!ptsize) { + errno = ERANGE; + goto err; + } + off = bpt - pt; + len = ept - bpt; + if ((npt = realloc(pt, ptsize *= 2)) == NULL) + goto err; + pt = npt; + bpt = pt + off; + ept = pt + ptsize; + memmove(ept - len, bpt, len); + bpt = ept - len; + } + if (!first) + *--bpt = '/'; + bpt -= dp->d_namlen; + memmove(bpt, dp->d_name, dp->d_namlen); + (void)closedir(dir); + + /* Truncate any file name. */ + *bup = '\0'; + } + +notfound: + /* + * If readdir set errno, use it, not any saved error; otherwise, + * didn't find the current directory in its parent directory, set + * errno to ENOENT. + */ + if (!errno) + errno = save_errno ? save_errno : ENOENT; + /* FALLTHROUGH */ +err: + if (ptsize) + free(pt); + if (up) + free(up); + if (dir) + (void)closedir(dir); + return (NULL); +} + +#endif /* !defined(HAVE_GETCWD) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/getgrouplist.c openssh-4.2p1/openbsd-compat/getgrouplist.c --- ssh-openbsd-2005090100/openbsd-compat/getgrouplist.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/getgrouplist.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,102 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */ + +/* + * Copyright (c) 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#ifndef HAVE_GETGROUPLIST + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +/* + * get credential + */ +#include +#include +#include +#include + +int +getgrouplist(uname, agroup, groups, grpcnt) + const char *uname; + gid_t agroup; + register gid_t *groups; + int *grpcnt; +{ + register struct group *grp; + register int i, ngroups; + int ret, maxgroups; + int bail; + + ret = 0; + ngroups = 0; + maxgroups = *grpcnt; + + /* + * install primary group + */ + if (ngroups >= maxgroups) { + *grpcnt = ngroups; + return (-1); + } + groups[ngroups++] = agroup; + + /* + * Scan the group file to find additional groups. + */ + setgrent(); + while ((grp = getgrent())) { + if (grp->gr_gid == agroup) + continue; + for (bail = 0, i = 0; bail == 0 && i < ngroups; i++) + if (groups[i] == grp->gr_gid) + bail = 1; + if (bail) + continue; + for (i = 0; grp->gr_mem[i]; i++) { + if (!strcmp(grp->gr_mem[i], uname)) { + if (ngroups >= maxgroups) { + ret = -1; + goto out; + } + groups[ngroups++] = grp->gr_gid; + break; + } + } + } +out: + endgrent(); + *grpcnt = ngroups; + return (ret); +} + +#endif /* HAVE_GETGROUPLIST */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/getopt.c openssh-4.2p1/openbsd-compat/getopt.c --- ssh-openbsd-2005090100/openbsd-compat/getopt.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/getopt.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,123 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ + +/* + * Copyright (c) 1987, 1993, 1994 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include + +int BSDopterr = 1, /* if error message should be printed */ + BSDoptind = 1, /* index into parent argv vector */ + BSDoptopt, /* character checked for validity */ + BSDoptreset; /* reset getopt */ +char *BSDoptarg; /* argument associated with option */ + +#define BADCH (int)'?' +#define BADARG (int)':' +#define EMSG "" + +/* + * getopt -- + * Parse argc/argv argument vector. + */ +int +BSDgetopt(nargc, nargv, ostr) + int nargc; + char * const *nargv; + const char *ostr; +{ + extern char *__progname; + static char *place = EMSG; /* option letter processing */ + char *oli; /* option letter list index */ + + if (ostr == NULL) + return (-1); + + if (BSDoptreset || !*place) { /* update scanning pointer */ + BSDoptreset = 0; + if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { + place = EMSG; + return (-1); + } + if (place[1] && *++place == '-') { /* found "--" */ + ++BSDoptind; + place = EMSG; + return (-1); + } + } /* option letter okay? */ + if ((BSDoptopt = (int)*place++) == (int)':' || + !(oli = strchr(ostr, BSDoptopt))) { + /* + * if the user didn't specify '-' as an option, + * assume it means -1. + */ + if (BSDoptopt == (int)'-') + return (-1); + if (!*place) + ++BSDoptind; + if (BSDopterr && *ostr != ':') + (void)fprintf(stderr, + "%s: illegal option -- %c\n", __progname, BSDoptopt); + return (BADCH); + } + if (*++oli != ':') { /* don't need argument */ + BSDoptarg = NULL; + if (!*place) + ++BSDoptind; + } + else { /* need an argument */ + if (*place) /* no white space */ + BSDoptarg = place; + else if (nargc <= ++BSDoptind) { /* no arg */ + place = EMSG; + if (*ostr == ':') + return (BADARG); + if (BSDopterr) + (void)fprintf(stderr, + "%s: option requires an argument -- %c\n", + __progname, BSDoptopt); + return (BADCH); + } + else /* white space */ + BSDoptarg = nargv[BSDoptind]; + place = EMSG; + ++BSDoptind; + } + return (BSDoptopt); /* dump back option letter */ +} + +#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/getrrsetbyname.c openssh-4.2p1/openbsd-compat/getrrsetbyname.c --- ssh-openbsd-2005090100/openbsd-compat/getrrsetbyname.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/getrrsetbyname.c Thu May 26 20:12:15 2005 @@ -0,0 +1,585 @@ +/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */ + +/* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */ + +/* + * Copyright (c) 2001 Jakob Schlyter. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Portions Copyright (c) 1999-2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifndef HAVE_GETRRSETBYNAME + +#include "getrrsetbyname.h" + +#define ANSWER_BUFFER_SIZE 1024*64 + +#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO +extern int h_errno; +#endif + +struct dns_query { + char *name; + u_int16_t type; + u_int16_t class; + struct dns_query *next; +}; + +struct dns_rr { + char *name; + u_int16_t type; + u_int16_t class; + u_int16_t ttl; + u_int16_t size; + void *rdata; + struct dns_rr *next; +}; + +struct dns_response { + HEADER header; + struct dns_query *query; + struct dns_rr *answer; + struct dns_rr *authority; + struct dns_rr *additional; +}; + +static struct dns_response *parse_dns_response(const u_char *, int); +static struct dns_query *parse_dns_qsection(const u_char *, int, + const u_char **, int); +static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **, + int); + +static void free_dns_query(struct dns_query *); +static void free_dns_rr(struct dns_rr *); +static void free_dns_response(struct dns_response *); + +static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t); + +/* + * Inline versions of get/put short/long. Pointer is advanced. + * + * These macros demonstrate the property of C whereby it can be + * portable or it can be elegant but rarely both. + */ + +#ifndef INT32SZ +# define INT32SZ 4 +#endif +#ifndef INT16SZ +# define INT16SZ 2 +#endif + +#ifndef GETSHORT +#define GETSHORT(s, cp) { \ + register u_char *t_cp = (u_char *)(cp); \ + (s) = ((u_int16_t)t_cp[0] << 8) \ + | ((u_int16_t)t_cp[1]) \ + ; \ + (cp) += INT16SZ; \ +} +#endif + +#ifndef GETLONG +#define GETLONG(l, cp) { \ + register u_char *t_cp = (u_char *)(cp); \ + (l) = ((u_int32_t)t_cp[0] << 24) \ + | ((u_int32_t)t_cp[1] << 16) \ + | ((u_int32_t)t_cp[2] << 8) \ + | ((u_int32_t)t_cp[3]) \ + ; \ + (cp) += INT32SZ; \ +} +#endif + +/* + * Routines to insert/extract short/long's. + */ + +#ifndef HAVE__GETSHORT +static u_int16_t +_getshort(msgp) + register const u_char *msgp; +{ + register u_int16_t u; + + GETSHORT(u, msgp); + return (u); +} +#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0) +u_int16_t _getshort(register const u_char *); +#endif + +#ifndef HAVE__GETLONG +static u_int32_t +_getlong(msgp) + register const u_char *msgp; +{ + register u_int32_t u; + + GETLONG(u, msgp); + return (u); +} +#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0) +u_int32_t _getlong(register const u_char *); +#endif + +int +getrrsetbyname(const char *hostname, unsigned int rdclass, + unsigned int rdtype, unsigned int flags, + struct rrsetinfo **res) +{ + int result; + struct rrsetinfo *rrset = NULL; + struct dns_response *response; + struct dns_rr *rr; + struct rdatainfo *rdata; + int length; + unsigned int index_ans, index_sig; + u_char answer[ANSWER_BUFFER_SIZE]; + + /* check for invalid class and type */ + if (rdclass > 0xffff || rdtype > 0xffff) { + result = ERRSET_INVAL; + goto fail; + } + + /* don't allow queries of class or type ANY */ + if (rdclass == 0xff || rdtype == 0xff) { + result = ERRSET_INVAL; + goto fail; + } + + /* don't allow flags yet, unimplemented */ + if (flags) { + result = ERRSET_INVAL; + goto fail; + } + + /* initialize resolver */ + if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + result = ERRSET_FAIL; + goto fail; + } + +#ifdef DEBUG + _res.options |= RES_DEBUG; +#endif /* DEBUG */ + +#ifdef RES_USE_DNSSEC + /* turn on DNSSEC if EDNS0 is configured */ + if (_res.options & RES_USE_EDNS0) + _res.options |= RES_USE_DNSSEC; +#endif /* RES_USE_DNSEC */ + + /* make query */ + length = res_query(hostname, (signed int) rdclass, (signed int) rdtype, + answer, sizeof(answer)); + if (length < 0) { + switch(h_errno) { + case HOST_NOT_FOUND: + result = ERRSET_NONAME; + goto fail; + case NO_DATA: + result = ERRSET_NODATA; + goto fail; + default: + result = ERRSET_FAIL; + goto fail; + } + } + + /* parse result */ + response = parse_dns_response(answer, length); + if (response == NULL) { + result = ERRSET_FAIL; + goto fail; + } + + if (response->header.qdcount != 1) { + result = ERRSET_FAIL; + goto fail; + } + + /* initialize rrset */ + rrset = calloc(1, sizeof(struct rrsetinfo)); + if (rrset == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + rrset->rri_rdclass = response->query->class; + rrset->rri_rdtype = response->query->type; + rrset->rri_ttl = response->answer->ttl; + rrset->rri_nrdatas = response->header.ancount; + +#ifdef HAVE_HEADER_AD + /* check for authenticated data */ + if (response->header.ad == 1) + rrset->rri_flags |= RRSET_VALIDATED; +#endif + + /* copy name from answer section */ + length = strlen(response->answer->name); + rrset->rri_name = malloc(length + 1); + if (rrset->rri_name == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + strlcpy(rrset->rri_name, response->answer->name, length + 1); + + /* count answers */ + rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass, + rrset->rri_rdtype); + rrset->rri_nsigs = count_dns_rr(response->answer, rrset->rri_rdclass, + T_SIG); + + /* allocate memory for answers */ + rrset->rri_rdatas = calloc(rrset->rri_nrdatas, + sizeof(struct rdatainfo)); + if (rrset->rri_rdatas == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + /* allocate memory for signatures */ + rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); + if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + /* copy answers & signatures */ + for (rr = response->answer, index_ans = 0, index_sig = 0; + rr; rr = rr->next) { + + rdata = NULL; + + if (rr->class == rrset->rri_rdclass && + rr->type == rrset->rri_rdtype) + rdata = &rrset->rri_rdatas[index_ans++]; + + if (rr->class == rrset->rri_rdclass && + rr->type == T_SIG) + rdata = &rrset->rri_sigs[index_sig++]; + + if (rdata) { + rdata->rdi_length = rr->size; + rdata->rdi_data = malloc(rr->size); + + if (rdata->rdi_data == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + memcpy(rdata->rdi_data, rr->rdata, rr->size); + } + } + + *res = rrset; + return (ERRSET_SUCCESS); + +fail: + if (rrset != NULL) + freerrset(rrset); + return (result); +} + +void +freerrset(struct rrsetinfo *rrset) +{ + u_int16_t i; + + if (rrset == NULL) + return; + + if (rrset->rri_rdatas) { + for (i = 0; i < rrset->rri_nrdatas; i++) { + if (rrset->rri_rdatas[i].rdi_data == NULL) + break; + free(rrset->rri_rdatas[i].rdi_data); + } + free(rrset->rri_rdatas); + } + + if (rrset->rri_sigs) { + for (i = 0; i < rrset->rri_nsigs; i++) { + if (rrset->rri_sigs[i].rdi_data == NULL) + break; + free(rrset->rri_sigs[i].rdi_data); + } + free(rrset->rri_sigs); + } + + if (rrset->rri_name) + free(rrset->rri_name); + free(rrset); +} + +/* + * DNS response parsing routines + */ +static struct dns_response * +parse_dns_response(const u_char *answer, int size) +{ + struct dns_response *resp; + const u_char *cp; + + /* allocate memory for the response */ + resp = calloc(1, sizeof(*resp)); + if (resp == NULL) + return (NULL); + + /* initialize current pointer */ + cp = answer; + + /* copy header */ + memcpy(&resp->header, cp, HFIXEDSZ); + cp += HFIXEDSZ; + + /* fix header byte order */ + resp->header.qdcount = ntohs(resp->header.qdcount); + resp->header.ancount = ntohs(resp->header.ancount); + resp->header.nscount = ntohs(resp->header.nscount); + resp->header.arcount = ntohs(resp->header.arcount); + + /* there must be at least one query */ + if (resp->header.qdcount < 1) { + free_dns_response(resp); + return (NULL); + } + + /* parse query section */ + resp->query = parse_dns_qsection(answer, size, &cp, + resp->header.qdcount); + if (resp->header.qdcount && resp->query == NULL) { + free_dns_response(resp); + return (NULL); + } + + /* parse answer section */ + resp->answer = parse_dns_rrsection(answer, size, &cp, + resp->header.ancount); + if (resp->header.ancount && resp->answer == NULL) { + free_dns_response(resp); + return (NULL); + } + + /* parse authority section */ + resp->authority = parse_dns_rrsection(answer, size, &cp, + resp->header.nscount); + if (resp->header.nscount && resp->authority == NULL) { + free_dns_response(resp); + return (NULL); + } + + /* parse additional section */ + resp->additional = parse_dns_rrsection(answer, size, &cp, + resp->header.arcount); + if (resp->header.arcount && resp->additional == NULL) { + free_dns_response(resp); + return (NULL); + } + + return (resp); +} + +static struct dns_query * +parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count) +{ + struct dns_query *head, *curr, *prev; + int i, length; + char name[MAXDNAME]; + + for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) { + + /* allocate and initialize struct */ + curr = calloc(1, sizeof(struct dns_query)); + if (curr == NULL) { + free_dns_query(head); + return (NULL); + } + if (head == NULL) + head = curr; + if (prev != NULL) + prev->next = curr; + + /* name */ + length = dn_expand(answer, answer + size, *cp, name, + sizeof(name)); + if (length < 0) { + free_dns_query(head); + return (NULL); + } + curr->name = strdup(name); + if (curr->name == NULL) { + free_dns_query(head); + return (NULL); + } + *cp += length; + + /* type */ + curr->type = _getshort(*cp); + *cp += INT16SZ; + + /* class */ + curr->class = _getshort(*cp); + *cp += INT16SZ; + } + + return (head); +} + +static struct dns_rr * +parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count) +{ + struct dns_rr *head, *curr, *prev; + int i, length; + char name[MAXDNAME]; + + for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) { + + /* allocate and initialize struct */ + curr = calloc(1, sizeof(struct dns_rr)); + if (curr == NULL) { + free_dns_rr(head); + return (NULL); + } + if (head == NULL) + head = curr; + if (prev != NULL) + prev->next = curr; + + /* name */ + length = dn_expand(answer, answer + size, *cp, name, + sizeof(name)); + if (length < 0) { + free_dns_rr(head); + return (NULL); + } + curr->name = strdup(name); + if (curr->name == NULL) { + free_dns_rr(head); + return (NULL); + } + *cp += length; + + /* type */ + curr->type = _getshort(*cp); + *cp += INT16SZ; + + /* class */ + curr->class = _getshort(*cp); + *cp += INT16SZ; + + /* ttl */ + curr->ttl = _getlong(*cp); + *cp += INT32SZ; + + /* rdata size */ + curr->size = _getshort(*cp); + *cp += INT16SZ; + + /* rdata itself */ + curr->rdata = malloc(curr->size); + if (curr->rdata == NULL) { + free_dns_rr(head); + return (NULL); + } + memcpy(curr->rdata, *cp, curr->size); + *cp += curr->size; + } + + return (head); +} + +static void +free_dns_query(struct dns_query *p) +{ + if (p == NULL) + return; + + if (p->name) + free(p->name); + free_dns_query(p->next); + free(p); +} + +static void +free_dns_rr(struct dns_rr *p) +{ + if (p == NULL) + return; + + if (p->name) + free(p->name); + if (p->rdata) + free(p->rdata); + free_dns_rr(p->next); + free(p); +} + +static void +free_dns_response(struct dns_response *p) +{ + if (p == NULL) + return; + + free_dns_query(p->query); + free_dns_rr(p->answer); + free_dns_rr(p->authority); + free_dns_rr(p->additional); + free(p); +} + +static int +count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type) +{ + int n = 0; + + while(p) { + if (p->class == class && p->type == type) + n++; + p = p->next; + } + + return (n); +} + +#endif /* !defined(HAVE_GETRRSETBYNAME) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/getrrsetbyname.h openssh-4.2p1/openbsd-compat/getrrsetbyname.h --- ssh-openbsd-2005090100/openbsd-compat/getrrsetbyname.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/getrrsetbyname.h Tue Jan 27 16:40:35 2004 @@ -0,0 +1,110 @@ +/* OPENBSD BASED ON : include/netdb.h */ + +/* $OpenBSD: getrrsetbyname.c,v 1.4 2001/08/16 18:16:43 ho Exp $ */ + +/* + * Copyright (c) 2001 Jakob Schlyter. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Portions Copyright (c) 1999-2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _GETRRSETBYNAME_H +#define _GETRRSETBYNAME_H + +#include "includes.h" + +#ifndef HAVE_GETRRSETBYNAME + +#include +#include +#include +#include +#include + +#ifndef HFIXEDSZ +#define HFIXEDSZ 12 +#endif + +#ifndef T_SIG +#define T_SIG 24 +#endif + +/* + * Flags for getrrsetbyname() + */ +#ifndef RRSET_VALIDATED +# define RRSET_VALIDATED 1 +#endif + +/* + * Return codes for getrrsetbyname() + */ +#ifndef ERRSET_SUCCESS +# define ERRSET_SUCCESS 0 +# define ERRSET_NOMEMORY 1 +# define ERRSET_FAIL 2 +# define ERRSET_INVAL 3 +# define ERRSET_NONAME 4 +# define ERRSET_NODATA 5 +#endif + +struct rdatainfo { + unsigned int rdi_length; /* length of data */ + unsigned char *rdi_data; /* record data */ +}; + +struct rrsetinfo { + unsigned int rri_flags; /* RRSET_VALIDATED ... */ + unsigned int rri_rdclass; /* class number */ + unsigned int rri_rdtype; /* RR type number */ + unsigned int rri_ttl; /* time to live */ + unsigned int rri_nrdatas; /* size of rdatas array */ + unsigned int rri_nsigs; /* size of sigs array */ + char *rri_name; /* canonical name */ + struct rdatainfo *rri_rdatas; /* individual records */ + struct rdatainfo *rri_sigs; /* individual signatures */ +}; + +int getrrsetbyname(const char *, unsigned int, unsigned int, unsigned int, struct rrsetinfo **); +void freerrset(struct rrsetinfo *); + +#endif /* !defined(HAVE_GETRRSETBYNAME) */ + +#endif /* _GETRRSETBYNAME_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/glob.c openssh-4.2p1/openbsd-compat/glob.c --- ssh-openbsd-2005090100/openbsd-compat/glob.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/glob.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,914 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */ + +/* + * Copyright (c) 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Guido van Rossum. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#include + +static long +get_arg_max(void) +{ +#ifdef ARG_MAX + return(ARG_MAX); +#elif defined(HAVE_SYSCONF) && defined(_SC_ARG_MAX) + return(sysconf(_SC_ARG_MAX)); +#else + return(256); /* XXX: arbitrary */ +#endif +} + +#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \ + !defined(GLOB_HAS_GL_MATCHC) + +#if defined(LIBC_SCCS) && !defined(lint) +#if 0 +static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93"; +#else +static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $"; +#endif +#endif /* LIBC_SCCS and not lint */ + +/* + * glob(3) -- a superset of the one defined in POSIX 1003.2. + * + * The [!...] convention to negate a range is supported (SysV, Posix, ksh). + * + * Optional extra services, controlled by flags not defined by POSIX: + * + * GLOB_QUOTE: + * Escaping convention: \ inhibits any special meaning the following + * character might have (except \ at end of string is retained). + * GLOB_MAGCHAR: + * Set in gl_flags if pattern contained a globbing character. + * GLOB_NOMAGIC: + * Same as GLOB_NOCHECK, but it will only append pattern if it did + * not contain any magic characters. [Used in csh style globbing] + * GLOB_ALTDIRFUNC: + * Use alternately specified directory access functions. + * GLOB_TILDE: + * expand ~user/foo to the /home/dir/of/user/foo + * GLOB_BRACE: + * expand {1,2}{a,b} to 1a 1b 2a 2b + * gl_matchc: + * Number of matches in the current invocation of glob. + */ + + +#define DOLLAR '$' +#define DOT '.' +#define EOS '\0' +#define LBRACKET '[' +#define NOT '!' +#define QUESTION '?' +#define QUOTE '\\' +#define RANGE '-' +#define RBRACKET ']' +#define SEP '/' +#define STAR '*' +#undef TILDE /* Some platforms may already define it */ +#define TILDE '~' +#define UNDERSCORE '_' +#define LBRACE '{' +#define RBRACE '}' +#define SLASH '/' +#define COMMA ',' + +#ifndef DEBUG + +#define M_QUOTE 0x8000 +#define M_PROTECT 0x4000 +#define M_MASK 0xffff +#define M_ASCII 0x00ff + +typedef u_short Char; + +#else + +#define M_QUOTE 0x80 +#define M_PROTECT 0x40 +#define M_MASK 0xff +#define M_ASCII 0x7f + +typedef char Char; + +#endif + + +#define CHAR(c) ((Char)((c)&M_ASCII)) +#define META(c) ((Char)((c)|M_QUOTE)) +#define M_ALL META('*') +#define M_END META(']') +#define M_NOT META('!') +#define M_ONE META('?') +#define M_RNG META('-') +#define M_SET META('[') +#define ismeta(c) (((c)&M_QUOTE) != 0) + + +static int compare(const void *, const void *); +static int g_Ctoc(const Char *, char *, u_int); +static int g_lstat(Char *, struct stat *, glob_t *); +static DIR *g_opendir(Char *, glob_t *); +static Char *g_strchr(Char *, int); +static int g_stat(Char *, struct stat *, glob_t *); +static int glob0(const Char *, glob_t *); +static int glob1(Char *, Char *, glob_t *, size_t *); +static int glob2(Char *, Char *, Char *, Char *, Char *, Char *, + glob_t *, size_t *); +static int glob3(Char *, Char *, Char *, Char *, Char *, Char *, + Char *, Char *, glob_t *, size_t *); +static int globextend(const Char *, glob_t *, size_t *); +static const Char * + globtilde(const Char *, Char *, size_t, glob_t *); +static int globexp1(const Char *, glob_t *); +static int globexp2(const Char *, const Char *, glob_t *, int *); +static int match(Char *, Char *, Char *); +#ifdef DEBUG +static void qprintf(const char *, Char *); +#endif + +int +glob(pattern, flags, errfunc, pglob) + const char *pattern; + int flags, (*errfunc)(const char *, int); + glob_t *pglob; +{ + const u_char *patnext; + int c; + Char *bufnext, *bufend, patbuf[MAXPATHLEN]; + + patnext = (u_char *) pattern; + if (!(flags & GLOB_APPEND)) { + pglob->gl_pathc = 0; + pglob->gl_pathv = NULL; + if (!(flags & GLOB_DOOFFS)) + pglob->gl_offs = 0; + } + pglob->gl_flags = flags & ~GLOB_MAGCHAR; + pglob->gl_errfunc = errfunc; + pglob->gl_matchc = 0; + + bufnext = patbuf; + bufend = bufnext + MAXPATHLEN - 1; + if (flags & GLOB_NOESCAPE) + while (bufnext < bufend && (c = *patnext++) != EOS) + *bufnext++ = c; + else { + /* Protect the quoted characters. */ + while (bufnext < bufend && (c = *patnext++) != EOS) + if (c == QUOTE) { + if ((c = *patnext++) == EOS) { + c = QUOTE; + --patnext; + } + *bufnext++ = c | M_PROTECT; + } else + *bufnext++ = c; + } + *bufnext = EOS; + + if (flags & GLOB_BRACE) + return globexp1(patbuf, pglob); + else + return glob0(patbuf, pglob); +} + +/* + * Expand recursively a glob {} pattern. When there is no more expansion + * invoke the standard globbing routine to glob the rest of the magic + * characters + */ +static int +globexp1(pattern, pglob) + const Char *pattern; + glob_t *pglob; +{ + const Char* ptr = pattern; + int rv; + + /* Protect a single {}, for find(1), like csh */ + if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS) + return glob0(pattern, pglob); + + while ((ptr = (const Char *) g_strchr((Char *) ptr, LBRACE)) != NULL) + if (!globexp2(ptr, pattern, pglob, &rv)) + return rv; + + return glob0(pattern, pglob); +} + + +/* + * Recursive brace globbing helper. Tries to expand a single brace. + * If it succeeds then it invokes globexp1 with the new pattern. + * If it fails then it tries to glob the rest of the pattern and returns. + */ +static int +globexp2(ptr, pattern, pglob, rv) + const Char *ptr, *pattern; + glob_t *pglob; + int *rv; +{ + int i; + Char *lm, *ls; + const Char *pe, *pm, *pl; + Char patbuf[MAXPATHLEN]; + + /* copy part up to the brace */ + for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++) + ; + *lm = EOS; + ls = lm; + + /* Find the balanced brace */ + for (i = 0, pe = ++ptr; *pe; pe++) + if (*pe == LBRACKET) { + /* Ignore everything between [] */ + for (pm = pe++; *pe != RBRACKET && *pe != EOS; pe++) + ; + if (*pe == EOS) { + /* + * We could not find a matching RBRACKET. + * Ignore and just look for RBRACE + */ + pe = pm; + } + } else if (*pe == LBRACE) + i++; + else if (*pe == RBRACE) { + if (i == 0) + break; + i--; + } + + /* Non matching braces; just glob the pattern */ + if (i != 0 || *pe == EOS) { + *rv = glob0(patbuf, pglob); + return 0; + } + + for (i = 0, pl = pm = ptr; pm <= pe; pm++) { + switch (*pm) { + case LBRACKET: + /* Ignore everything between [] */ + for (pl = pm++; *pm != RBRACKET && *pm != EOS; pm++) + ; + if (*pm == EOS) { + /* + * We could not find a matching RBRACKET. + * Ignore and just look for RBRACE + */ + pm = pl; + } + break; + + case LBRACE: + i++; + break; + + case RBRACE: + if (i) { + i--; + break; + } + /* FALLTHROUGH */ + case COMMA: + if (i && *pm == COMMA) + break; + else { + /* Append the current string */ + for (lm = ls; (pl < pm); *lm++ = *pl++) + ; + + /* + * Append the rest of the pattern after the + * closing brace + */ + for (pl = pe + 1; (*lm++ = *pl++) != EOS; ) + ; + + /* Expand the current pattern */ +#ifdef DEBUG + qprintf("globexp2:", patbuf); +#endif + *rv = globexp1(patbuf, pglob); + + /* move after the comma, to the next string */ + pl = pm + 1; + } + break; + + default: + break; + } + } + *rv = 0; + return 0; +} + + + +/* + * expand tilde from the passwd file. + */ +static const Char * +globtilde(pattern, patbuf, patbuf_len, pglob) + const Char *pattern; + Char *patbuf; + size_t patbuf_len; + glob_t *pglob; +{ + struct passwd *pwd; + char *h; + const Char *p; + Char *b, *eb; + + if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE)) + return pattern; + + /* Copy up to the end of the string or / */ + eb = &patbuf[patbuf_len - 1]; + for (p = pattern + 1, h = (char *) patbuf; + h < (char *)eb && *p && *p != SLASH; *h++ = *p++) + ; + + *h = EOS; + +#if 0 + if (h == (char *)eb) + return what; +#endif + + if (((char *) patbuf)[0] == EOS) { + /* + * handle a plain ~ or ~/ by expanding $HOME + * first and then trying the password file + */ +#if 0 + if (issetugid() != 0 || (h = getenv("HOME")) == NULL) { +#endif + if ((getuid() != geteuid()) || (h = getenv("HOME")) == NULL) { + if ((pwd = getpwuid(getuid())) == NULL) + return pattern; + else + h = pwd->pw_dir; + } + } else { + /* + * Expand a ~user + */ + if ((pwd = getpwnam((char*) patbuf)) == NULL) + return pattern; + else + h = pwd->pw_dir; + } + + /* Copy the home directory */ + for (b = patbuf; b < eb && *h; *b++ = *h++) + ; + + /* Append the rest of the pattern */ + while (b < eb && (*b++ = *p++) != EOS) + ; + *b = EOS; + + return patbuf; +} + + +/* + * The main glob() routine: compiles the pattern (optionally processing + * quotes), calls glob1() to do the real pattern matching, and finally + * sorts the list (unless unsorted operation is requested). Returns 0 + * if things went well, nonzero if errors occurred. It is not an error + * to find no matches. + */ +static int +glob0(pattern, pglob) + const Char *pattern; + glob_t *pglob; +{ + const Char *qpatnext; + int c, err, oldpathc; + Char *bufnext, patbuf[MAXPATHLEN]; + size_t limit = 0; + + qpatnext = globtilde(pattern, patbuf, MAXPATHLEN, pglob); + oldpathc = pglob->gl_pathc; + bufnext = patbuf; + + /* We don't need to check for buffer overflow any more. */ + while ((c = *qpatnext++) != EOS) { + switch (c) { + case LBRACKET: + c = *qpatnext; + if (c == NOT) + ++qpatnext; + if (*qpatnext == EOS || + g_strchr((Char *) qpatnext+1, RBRACKET) == NULL) { + *bufnext++ = LBRACKET; + if (c == NOT) + --qpatnext; + break; + } + *bufnext++ = M_SET; + if (c == NOT) + *bufnext++ = M_NOT; + c = *qpatnext++; + do { + *bufnext++ = CHAR(c); + if (*qpatnext == RANGE && + (c = qpatnext[1]) != RBRACKET) { + *bufnext++ = M_RNG; + *bufnext++ = CHAR(c); + qpatnext += 2; + } + } while ((c = *qpatnext++) != RBRACKET); + pglob->gl_flags |= GLOB_MAGCHAR; + *bufnext++ = M_END; + break; + case QUESTION: + pglob->gl_flags |= GLOB_MAGCHAR; + *bufnext++ = M_ONE; + break; + case STAR: + pglob->gl_flags |= GLOB_MAGCHAR; + /* collapse adjacent stars to one, + * to avoid exponential behavior + */ + if (bufnext == patbuf || bufnext[-1] != M_ALL) + *bufnext++ = M_ALL; + break; + default: + *bufnext++ = CHAR(c); + break; + } + } + *bufnext = EOS; +#ifdef DEBUG + qprintf("glob0:", patbuf); +#endif + + if ((err = glob1(patbuf, patbuf+MAXPATHLEN-1, pglob, &limit)) != 0) + return(err); + + /* + * If there was no match we are going to append the pattern + * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified + * and the pattern did not contain any magic characters + * GLOB_NOMAGIC is there just for compatibility with csh. + */ + if (pglob->gl_pathc == oldpathc) { + if ((pglob->gl_flags & GLOB_NOCHECK) || + ((pglob->gl_flags & GLOB_NOMAGIC) && + !(pglob->gl_flags & GLOB_MAGCHAR))) + return(globextend(pattern, pglob, &limit)); + else + return(GLOB_NOMATCH); + } + if (!(pglob->gl_flags & GLOB_NOSORT)) + qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc, + pglob->gl_pathc - oldpathc, sizeof(char *), compare); + return(0); +} + +static int +compare(p, q) + const void *p, *q; +{ + return(strcmp(*(char **)p, *(char **)q)); +} + +static int +glob1(pattern, pattern_last, pglob, limitp) + Char *pattern, *pattern_last; + glob_t *pglob; + size_t *limitp; +{ + Char pathbuf[MAXPATHLEN]; + + /* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */ + if (*pattern == EOS) + return(0); + return(glob2(pathbuf, pathbuf+MAXPATHLEN-1, + pathbuf, pathbuf+MAXPATHLEN-1, + pattern, pattern_last, pglob, limitp)); +} + +/* + * The functions glob2 and glob3 are mutually recursive; there is one level + * of recursion for each segment in the pattern that contains one or more + * meta characters. + */ +static int +glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern, + pattern_last, pglob, limitp) + Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; + Char *pattern, *pattern_last; + glob_t *pglob; + size_t *limitp; +{ + struct stat sb; + Char *p, *q; + int anymeta; + + /* + * Loop over pattern segments until end of pattern or until + * segment with meta character found. + */ + for (anymeta = 0;;) { + if (*pattern == EOS) { /* End of pattern? */ + *pathend = EOS; + if (g_lstat(pathbuf, &sb, pglob)) + return(0); + + if (((pglob->gl_flags & GLOB_MARK) && + pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) || + (S_ISLNK(sb.st_mode) && + (g_stat(pathbuf, &sb, pglob) == 0) && + S_ISDIR(sb.st_mode)))) { + if (pathend+1 > pathend_last) + return (1); + *pathend++ = SEP; + *pathend = EOS; + } + ++pglob->gl_matchc; + return(globextend(pathbuf, pglob, limitp)); + } + + /* Find end of next segment, copy tentatively to pathend. */ + q = pathend; + p = pattern; + while (*p != EOS && *p != SEP) { + if (ismeta(*p)) + anymeta = 1; + if (q+1 > pathend_last) + return (1); + *q++ = *p++; + } + + if (!anymeta) { /* No expansion, do next segment. */ + pathend = q; + pattern = p; + while (*pattern == SEP) { + if (pathend+1 > pathend_last) + return (1); + *pathend++ = *pattern++; + } + } else + /* Need expansion, recurse. */ + return(glob3(pathbuf, pathbuf_last, pathend, + pathend_last, pattern, pattern_last, + p, pattern_last, pglob, limitp)); + } + /* NOTREACHED */ +} + +static int +glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last, + restpattern, restpattern_last, pglob, limitp) + Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; + Char *pattern, *pattern_last, *restpattern, *restpattern_last; + glob_t *pglob; + size_t *limitp; +{ + register struct dirent *dp; + DIR *dirp; + int err; + char buf[MAXPATHLEN]; + + /* + * The readdirfunc declaration can't be prototyped, because it is + * assigned, below, to two functions which are prototyped in glob.h + * and dirent.h as taking pointers to differently typed opaque + * structures. + */ + struct dirent *(*readdirfunc)(void *); + + if (pathend > pathend_last) + return (1); + *pathend = EOS; + errno = 0; + + if ((dirp = g_opendir(pathbuf, pglob)) == NULL) { + /* TODO: don't call for ENOENT or ENOTDIR? */ + if (pglob->gl_errfunc) { + if (g_Ctoc(pathbuf, buf, sizeof(buf))) + return(GLOB_ABORTED); + if (pglob->gl_errfunc(buf, errno) || + pglob->gl_flags & GLOB_ERR) + return(GLOB_ABORTED); + } + return(0); + } + + err = 0; + + /* Search directory for matching names. */ + if (pglob->gl_flags & GLOB_ALTDIRFUNC) + readdirfunc = pglob->gl_readdir; + else + readdirfunc = (struct dirent *(*)(void *))readdir; + while ((dp = (*readdirfunc)(dirp))) { + register u_char *sc; + register Char *dc; + + /* Initial DOT must be matched literally. */ + if (dp->d_name[0] == DOT && *pattern != DOT) + continue; + dc = pathend; + sc = (u_char *) dp->d_name; + while (dc < pathend_last && (*dc++ = *sc++) != EOS) + ; + if (dc >= pathend_last) { + *dc = EOS; + err = 1; + break; + } + + if (!match(pathend, pattern, restpattern)) { + *pathend = EOS; + continue; + } + err = glob2(pathbuf, pathbuf_last, --dc, pathend_last, + restpattern, restpattern_last, pglob, limitp); + if (err) + break; + } + + if (pglob->gl_flags & GLOB_ALTDIRFUNC) + (*pglob->gl_closedir)(dirp); + else + closedir(dirp); + return(err); +} + + +/* + * Extend the gl_pathv member of a glob_t structure to accommodate a new item, + * add the new item, and update gl_pathc. + * + * This assumes the BSD realloc, which only copies the block when its size + * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic + * behavior. + * + * Return 0 if new item added, error code if memory couldn't be allocated. + * + * Invariant of the glob_t structure: + * Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and + * gl_pathv points to (gl_offs + gl_pathc + 1) items. + */ +static int +globextend(path, pglob, limitp) + const Char *path; + glob_t *pglob; + size_t *limitp; +{ + register char **pathv; + register int i; + u_int newsize, len; + char *copy; + const Char *p; + + newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs); + pathv = pglob->gl_pathv ? realloc((char *)pglob->gl_pathv, newsize) : + malloc(newsize); + if (pathv == NULL) { + if (pglob->gl_pathv) { + free(pglob->gl_pathv); + pglob->gl_pathv = NULL; + } + return(GLOB_NOSPACE); + } + + if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) { + /* first time around -- clear initial gl_offs items */ + pathv += pglob->gl_offs; + for (i = pglob->gl_offs; --i >= 0; ) + *--pathv = NULL; + } + pglob->gl_pathv = pathv; + + for (p = path; *p++;) + ; + len = (size_t)(p - path); + *limitp += len; + if ((copy = malloc(len)) != NULL) { + if (g_Ctoc(path, copy, len)) { + free(copy); + return(GLOB_NOSPACE); + } + pathv[pglob->gl_offs + pglob->gl_pathc++] = copy; + } + pathv[pglob->gl_offs + pglob->gl_pathc] = NULL; + + if ((pglob->gl_flags & GLOB_LIMIT) && + newsize + *limitp >= (u_int) get_arg_max()) { + errno = 0; + return(GLOB_NOSPACE); + } + + return(copy == NULL ? GLOB_NOSPACE : 0); +} + + +/* + * pattern matching function for filenames. Each occurrence of the * + * pattern causes a recursion level. + */ +static int +match(name, pat, patend) + register Char *name, *pat, *patend; +{ + int ok, negate_range; + Char c, k; + + while (pat < patend) { + c = *pat++; + switch (c & M_MASK) { + case M_ALL: + if (pat == patend) + return(1); + do + if (match(name, pat, patend)) + return(1); + while (*name++ != EOS) + ; + return(0); + case M_ONE: + if (*name++ == EOS) + return(0); + break; + case M_SET: + ok = 0; + if ((k = *name++) == EOS) + return(0); + if ((negate_range = ((*pat & M_MASK) == M_NOT)) != EOS) + ++pat; + while (((c = *pat++) & M_MASK) != M_END) + if ((*pat & M_MASK) == M_RNG) { + if (c <= k && k <= pat[1]) + ok = 1; + pat += 2; + } else if (c == k) + ok = 1; + if (ok == negate_range) + return(0); + break; + default: + if (*name++ != c) + return(0); + break; + } + } + return(*name == EOS); +} + +/* Free allocated data belonging to a glob_t structure. */ +void +globfree(pglob) + glob_t *pglob; +{ + register int i; + register char **pp; + + if (pglob->gl_pathv != NULL) { + pp = pglob->gl_pathv + pglob->gl_offs; + for (i = pglob->gl_pathc; i--; ++pp) + if (*pp) + free(*pp); + free(pglob->gl_pathv); + pglob->gl_pathv = NULL; + } +} + +static DIR * +g_opendir(str, pglob) + register Char *str; + glob_t *pglob; +{ + char buf[MAXPATHLEN]; + + if (!*str) + strlcpy(buf, ".", sizeof buf); + else { + if (g_Ctoc(str, buf, sizeof(buf))) + return(NULL); + } + + if (pglob->gl_flags & GLOB_ALTDIRFUNC) + return((*pglob->gl_opendir)(buf)); + + return(opendir(buf)); +} + +static int +g_lstat(fn, sb, pglob) + register Char *fn; + struct stat *sb; + glob_t *pglob; +{ + char buf[MAXPATHLEN]; + + if (g_Ctoc(fn, buf, sizeof(buf))) + return(-1); + if (pglob->gl_flags & GLOB_ALTDIRFUNC) + return((*pglob->gl_lstat)(buf, sb)); + return(lstat(buf, sb)); +} + +static int +g_stat(fn, sb, pglob) + register Char *fn; + struct stat *sb; + glob_t *pglob; +{ + char buf[MAXPATHLEN]; + + if (g_Ctoc(fn, buf, sizeof(buf))) + return(-1); + if (pglob->gl_flags & GLOB_ALTDIRFUNC) + return((*pglob->gl_stat)(buf, sb)); + return(stat(buf, sb)); +} + +static Char * +g_strchr(str, ch) + Char *str; + int ch; +{ + do { + if (*str == ch) + return (str); + } while (*str++); + return (NULL); +} + +static int +g_Ctoc(str, buf, len) + register const Char *str; + char *buf; + u_int len; +{ + + while (len--) { + if ((*buf++ = *str++) == EOS) + return (0); + } + return (1); +} + +#ifdef DEBUG +static void +qprintf(str, s) + const char *str; + register Char *s; +{ + register Char *p; + + (void)printf("%s:\n", str); + for (p = s; *p; p++) + (void)printf("%c", CHAR(*p)); + (void)printf("\n"); + for (p = s; *p; p++) + (void)printf("%c", *p & M_PROTECT ? '"' : ' '); + (void)printf("\n"); + for (p = s; *p; p++) + (void)printf("%c", ismeta(*p) ? '_' : ' '); + (void)printf("\n"); +} +#endif + +#endif /* !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || + !defined(GLOB_HAS_GL_MATCHC) */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/glob.h openssh-4.2p1/openbsd-compat/glob.h --- ssh-openbsd-2005090100/openbsd-compat/glob.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/glob.h Mon Nov 24 13:33:34 2003 @@ -0,0 +1,99 @@ +/* OPENBSD ORIGINAL: include/glob.h */ + +/* $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $ */ +/* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */ + +/* + * Copyright (c) 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Guido van Rossum. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)glob.h 8.1 (Berkeley) 6/2/93 + */ + +#if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \ + !defined(GLOB_HAS_GL_MATCHC) + +#ifndef _GLOB_H_ +#define _GLOB_H_ + +struct stat; +typedef struct { + int gl_pathc; /* Count of total paths so far. */ + int gl_matchc; /* Count of paths matching pattern. */ + int gl_offs; /* Reserved at beginning of gl_pathv. */ + int gl_flags; /* Copy of flags parameter to glob. */ + char **gl_pathv; /* List of paths matching pattern. */ + /* Copy of errfunc parameter to glob. */ + int (*gl_errfunc)(const char *, int); + + /* + * Alternate filesystem access methods for glob; replacement + * versions of closedir(3), readdir(3), opendir(3), stat(2) + * and lstat(2). + */ + void (*gl_closedir)(void *); + struct dirent *(*gl_readdir)(void *); + void *(*gl_opendir)(const char *); + int (*gl_lstat)(const char *, struct stat *); + int (*gl_stat)(const char *, struct stat *); +} glob_t; + +/* Flags */ +#define GLOB_APPEND 0x0001 /* Append to output from previous call. */ +#define GLOB_DOOFFS 0x0002 /* Use gl_offs. */ +#define GLOB_ERR 0x0004 /* Return on error. */ +#define GLOB_MARK 0x0008 /* Append / to matching directories. */ +#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */ +#define GLOB_NOSORT 0x0020 /* Don't sort. */ + +#define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */ +#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */ +#define GLOB_MAGCHAR 0x0100 /* Pattern had globbing characters. */ +#define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */ +#define GLOB_QUOTE 0x0400 /* Quote special chars with \. */ +#define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */ +#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */ +#define GLOB_LIMIT 0x2000 /* Limit pattern match output to ARG_MAX */ + +/* Error values returned by glob(3) */ +#define GLOB_NOSPACE (-1) /* Malloc call failed. */ +#define GLOB_ABORTED (-2) /* Unignored error. */ +#define GLOB_NOMATCH (-3) /* No match and GLOB_NOCHECK not set. */ +#define GLOB_NOSYS (-4) /* Function not supported. */ +#define GLOB_ABEND GLOB_ABORTED + +int glob(const char *, int, int (*)(const char *, int), glob_t *); +void globfree(glob_t *); + +#endif /* !_GLOB_H_ */ + +#endif /* !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || + !defined(GLOB_HAS_GL_MATCHC */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/inet_aton.c openssh-4.2p1/openbsd-compat/inet_aton.c --- ssh-openbsd-2005090100/openbsd-compat/inet_aton.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/inet_aton.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,189 @@ +/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */ + +/* $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $ */ + +/* + * Copyright (c) 1983, 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * - + * Portions Copyright (c) 1993 by Digital Equipment Corporation. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies, and that + * the name of Digital Equipment Corporation not be used in advertising or + * publicity pertaining to distribution of the document or software without + * specific, written prior permission. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL + * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT + * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + * - + * --Copyright-- + */ + +#include "includes.h" + +#if !defined(HAVE_INET_ATON) + +#if defined(LIBC_SCCS) && !defined(lint) +#if 0 +static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; +static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $"; +#else +static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $"; +#endif +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include + +#if 0 +/* + * Ascii internet address interpretation routine. + * The value returned is in network order. + */ +in_addr_t +inet_addr(cp) + register const char *cp; +{ + struct in_addr val; + + if (inet_aton(cp, &val)) + return (val.s_addr); + return (INADDR_NONE); +} +#endif + +/* + * Check whether "cp" is a valid ascii representation + * of an Internet address and convert to a binary address. + * Returns 1 if the address is valid, 0 if not. + * This replaces inet_addr, the return value from which + * cannot distinguish between failure and a local broadcast address. + */ +int +inet_aton(const char *cp, struct in_addr *addr) +{ + register u_int32_t val; + register int base, n; + register char c; + unsigned int parts[4]; + register unsigned int *pp = parts; + + c = *cp; + for (;;) { + /* + * Collect number up to ``.''. + * Values are specified as for C: + * 0x=hex, 0=octal, isdigit=decimal. + */ + if (!isdigit(c)) + return (0); + val = 0; base = 10; + if (c == '0') { + c = *++cp; + if (c == 'x' || c == 'X') + base = 16, c = *++cp; + else + base = 8; + } + for (;;) { + if (isascii(c) && isdigit(c)) { + val = (val * base) + (c - '0'); + c = *++cp; + } else if (base == 16 && isascii(c) && isxdigit(c)) { + val = (val << 4) | + (c + 10 - (islower(c) ? 'a' : 'A')); + c = *++cp; + } else + break; + } + if (c == '.') { + /* + * Internet format: + * a.b.c.d + * a.b.c (with c treated as 16 bits) + * a.b (with b treated as 24 bits) + */ + if (pp >= parts + 3) + return (0); + *pp++ = val; + c = *++cp; + } else + break; + } + /* + * Check for trailing characters. + */ + if (c != '\0' && (!isascii(c) || !isspace(c))) + return (0); + /* + * Concoct the address according to + * the number of parts specified. + */ + n = pp - parts + 1; + switch (n) { + + case 0: + return (0); /* initial nondigit */ + + case 1: /* a -- 32 bits */ + break; + + case 2: /* a.b -- 8.24 bits */ + if ((val > 0xffffff) || (parts[0] > 0xff)) + return (0); + val |= parts[0] << 24; + break; + + case 3: /* a.b.c -- 8.8.16 bits */ + if ((val > 0xffff) || (parts[0] > 0xff) || (parts[1] > 0xff)) + return (0); + val |= (parts[0] << 24) | (parts[1] << 16); + break; + + case 4: /* a.b.c.d -- 8.8.8.8 bits */ + if ((val > 0xff) || (parts[0] > 0xff) || (parts[1] > 0xff) || (parts[2] > 0xff)) + return (0); + val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8); + break; + } + if (addr) + addr->s_addr = htonl(val); + return (1); +} + +#endif /* !defined(HAVE_INET_ATON) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/inet_ntoa.c openssh-4.2p1/openbsd-compat/inet_ntoa.c --- ssh-openbsd-2005090100/openbsd-compat/inet_ntoa.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/inet_ntoa.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,61 @@ +/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */ + +/* + * Copyright (c) 1983, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +/* + * Convert network-format internet address + * to base 256 d.d.d.d representation. + */ +#include +#include +#include +#include + +char *inet_ntoa(struct in_addr in) +{ + static char b[18]; + register char *p; + + p = (char *)∈ +#define UC(b) (((int)b)&0xff) + (void)snprintf(b, sizeof(b), + "%u.%u.%u.%u", UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3])); + return (b); +} + +#endif /* defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/inet_ntop.c openssh-4.2p1/openbsd-compat/inet_ntop.c --- ssh-openbsd-2005090100/openbsd-compat/inet_ntop.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/inet_ntop.c Sat Feb 26 10:04:29 2005 @@ -0,0 +1,229 @@ +/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */ + +/* $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $ */ + +/* Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include "includes.h" + +#ifndef HAVE_INET_NTOP + +#if defined(LIBC_SCCS) && !defined(lint) +#if 0 +static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $"; +#else +static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $"; +#endif +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef IN6ADDRSZ +#define IN6ADDRSZ 16 /* IPv6 T_AAAA */ +#endif + +#ifndef INT16SZ +#define INT16SZ 2 /* for systems without 16-bit ints */ +#endif + +/* + * WARNING: Don't even consider trying to compile this on a system where + * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. + */ + +static const char *inet_ntop4(const u_char *src, char *dst, size_t size); +static const char *inet_ntop6(const u_char *src, char *dst, size_t size); + +/* char * + * inet_ntop(af, src, dst, size) + * convert a network format address to presentation format. + * return: + * pointer to presentation format address (`dst'), or NULL (see errno). + * author: + * Paul Vixie, 1996. + */ +const char * +inet_ntop(af, src, dst, size) + int af; + const void *src; + char *dst; + size_t size; +{ + switch (af) { + case AF_INET: + return (inet_ntop4(src, dst, size)); + case AF_INET6: + return (inet_ntop6(src, dst, size)); + default: + errno = EAFNOSUPPORT; + return (NULL); + } + /* NOTREACHED */ +} + +/* const char * + * inet_ntop4(src, dst, size) + * format an IPv4 address, more or less like inet_ntoa() + * return: + * `dst' (as a const) + * notes: + * (1) uses no statics + * (2) takes a u_char* not an in_addr as input + * author: + * Paul Vixie, 1996. + */ +static const char * +inet_ntop4(src, dst, size) + const u_char *src; + char *dst; + size_t size; +{ + static const char fmt[] = "%u.%u.%u.%u"; + char tmp[sizeof "255.255.255.255"]; + int l; + + l = snprintf(tmp, size, fmt, src[0], src[1], src[2], src[3]); + if (l <= 0 || l >= size) { + errno = ENOSPC; + return (NULL); + } + strlcpy(dst, tmp, size); + return (dst); +} + +/* const char * + * inet_ntop6(src, dst, size) + * convert IPv6 binary address into presentation (printable) format + * author: + * Paul Vixie, 1996. + */ +static const char * +inet_ntop6(src, dst, size) + const u_char *src; + char *dst; + size_t size; +{ + /* + * Note that int32_t and int16_t need only be "at least" large enough + * to contain a value of the specified size. On some systems, like + * Crays, there is no such thing as an integer variable with 16 bits. + * Keep this in mind if you think this function should have been coded + * to use pointer overlays. All the world's not a VAX. + */ + char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"]; + char *tp, *ep; + struct { int base, len; } best, cur; + u_int words[IN6ADDRSZ / INT16SZ]; + int i; + int advance; + + /* + * Preprocess: + * Copy the input (bytewise) array into a wordwise array. + * Find the longest run of 0x00's in src[] for :: shorthanding. + */ + memset(words, '\0', sizeof words); + for (i = 0; i < IN6ADDRSZ; i++) + words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3)); + best.base = -1; + cur.base = -1; + for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++) { + if (words[i] == 0) { + if (cur.base == -1) + cur.base = i, cur.len = 1; + else + cur.len++; + } else { + if (cur.base != -1) { + if (best.base == -1 || cur.len > best.len) + best = cur; + cur.base = -1; + } + } + } + if (cur.base != -1) { + if (best.base == -1 || cur.len > best.len) + best = cur; + } + if (best.base != -1 && best.len < 2) + best.base = -1; + + /* + * Format the result. + */ + tp = tmp; + ep = tmp + sizeof(tmp); + for (i = 0; i < (IN6ADDRSZ / INT16SZ) && tp < ep; i++) { + /* Are we inside the best run of 0x00's? */ + if (best.base != -1 && i >= best.base && + i < (best.base + best.len)) { + if (i == best.base) { + if (tp + 1 >= ep) + return (NULL); + *tp++ = ':'; + } + continue; + } + /* Are we following an initial run of 0x00s or any real hex? */ + if (i != 0) { + if (tp + 1 >= ep) + return (NULL); + *tp++ = ':'; + } + /* Is this address an encapsulated IPv4? */ + if (i == 6 && best.base == 0 && + (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) { + if (!inet_ntop4(src+12, tp, (size_t)(ep - tp))) + return (NULL); + tp += strlen(tp); + break; + } + advance = snprintf(tp, ep - tp, "%x", words[i]); + if (advance <= 0 || advance >= ep - tp) + return (NULL); + tp += advance; + } + /* Was it a trailing run of 0x00's? */ + if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ)) { + if (tp + 1 >= ep) + return (NULL); + *tp++ = ':'; + } + if (tp + 1 >= ep) + return (NULL); + *tp++ = '\0'; + + /* + * Check for overflow, copy, and we're done. + */ + if ((size_t)(tp - tmp) > size) { + errno = ENOSPC; + return (NULL); + } + strlcpy(dst, tmp, size); + return (dst); +} + +#endif /* !HAVE_INET_NTOP */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/mktemp.c openssh-4.2p1/openbsd-compat/mktemp.c --- ssh-openbsd-2005090100/openbsd-compat/mktemp.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/mktemp.c Sat Aug 28 15:46:58 2004 @@ -0,0 +1,177 @@ +/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */ + +/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ +/* Changes: Removed mktemp */ + +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +static int _gettemp(char *, int *, int, int); + +int +mkstemps(path, slen) + char *path; + int slen; +{ + int fd; + + return (_gettemp(path, &fd, 0, slen) ? fd : -1); +} + +int +mkstemp(path) + char *path; +{ + int fd; + + return (_gettemp(path, &fd, 0, 0) ? fd : -1); +} + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int rval; + pid_t pid; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (trv >= path && *trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (trv >= path && *trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} + +#endif /* !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/openbsd-compat.h openssh-4.2p1/openbsd-compat/openbsd-compat.h --- ssh-openbsd-2005090100/openbsd-compat/openbsd-compat.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/openbsd-compat.h Sat Aug 27 06:15:20 2005 @@ -0,0 +1,178 @@ +/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */ + +/* + * Copyright (c) 1999-2003 Damien Miller. All rights reserved. + * Copyright (c) 2003 Ben Lindstrom. All rights reserved. + * Copyright (c) 2002 Tim Rice. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _OPENBSD_COMPAT_H +#define _OPENBSD_COMPAT_H + +#include "includes.h" + +/* OpenBSD function replacements */ +#include "base64.h" +#include "sigact.h" +#include "glob.h" +#include "readpassphrase.h" +#include "vis.h" +#include "getrrsetbyname.h" + + +#ifndef HAVE_BASENAME +char *basename(const char *path); +#endif + +#ifndef HAVE_BINDRESVPORT_SA +int bindresvport_sa(int sd, struct sockaddr *sa); +#endif + +#ifndef HAVE_CLOSEFROM +void closefrom(int); +#endif + +#ifndef HAVE_GETCWD +char *getcwd(char *pt, size_t size); +#endif + +#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) +char *realpath(const char *path, char *resolved); +#endif + +#ifndef HAVE_RRESVPORT_AF +int rresvport_af(int *alport, sa_family_t af); +#endif + +#ifndef HAVE_STRLCPY +/* #include XXX Still needed? */ +size_t strlcpy(char *dst, const char *src, size_t siz); +#endif + +#ifndef HAVE_STRLCAT +/* #include XXX Still needed? */ +size_t strlcat(char *dst, const char *src, size_t siz); +#endif + +#ifndef HAVE_SETENV +int setenv(register const char *name, register const char *value, int rewrite); +#endif + +#ifndef HAVE_STRMODE +void strmode(int mode, char *p); +#endif + +#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) +int mkstemps(char *path, int slen); +int mkstemp(char *path); +char *mkdtemp(char *path); +#endif + +#ifndef HAVE_DAEMON +int daemon(int nochdir, int noclose); +#endif + +#ifndef HAVE_DIRNAME +char *dirname(const char *path); +#endif + +#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) +char *inet_ntoa(struct in_addr in); +#endif + +#ifndef HAVE_INET_NTOP +const char *inet_ntop(int af, const void *src, char *dst, size_t size); +#endif + +#ifndef HAVE_INET_ATON +int inet_aton(const char *cp, struct in_addr *addr); +#endif + +#ifndef HAVE_STRSEP +char *strsep(char **stringp, const char *delim); +#endif + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...); +void compat_init_setproctitle(int argc, char *argv[]); +#endif + +#ifndef HAVE_GETGROUPLIST +/* #include XXXX Still needed ? */ +int getgrouplist(const char *, gid_t, gid_t *, int *); +#endif + +#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) +int BSDgetopt(int argc, char * const *argv, const char *opts); +#endif + + +/* Home grown routines */ +#include "bsd-misc.h" +#include "bsd-waitpid.h" + +/*#include XXX Still needed? * For uid_t, gid_t * */ + +#ifndef HAVE_GETPEEREID +int getpeereid(int , uid_t *, gid_t *); +#endif + +#ifndef HAVE_ARC4RANDOM +unsigned int arc4random(void); +void arc4random_stir(void); +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_OPENPTY +int openpty(int *, int *, char *, struct termios *, struct winsize *); +#endif /* HAVE_OPENPTY */ + +/* #include XXX needed? For size_t */ + +#ifndef HAVE_SNPRINTF +int snprintf(char *, size_t, const char *, ...); +#endif + +#ifndef HAVE_STRTONUM +long long strtonum(const char *, long long, long long, const char **); +#endif + +#ifndef HAVE_VSNPRINTF +int vsnprintf(char *, size_t, const char *, va_list); +#endif + +void *xmmap(size_t size); +char *xcrypt(const char *password, const char *salt); +char *shadow_pw(struct passwd *pw); + + +/* rfc2553 socket API replacements */ +#include "fake-rfc2553.h" + +/* Routines for a single OS platform */ +#include "bsd-cray.h" +#include "bsd-cygwin_util.h" +#include "port-irix.h" +#include "port-aix.h" +#include "port-uw.h" + +#endif /* _OPENBSD_COMPAT_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/openssl-compat.c openssh-4.2p1/openbsd-compat/openssl-compat.c --- ssh-openbsd-2005090100/openbsd-compat/openssl-compat.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/openssl-compat.c Fri Jun 17 21:15:21 2005 @@ -0,0 +1,46 @@ +/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */ + +/* + * Copyright (c) 2005 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER + * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#define SSH_DONT_REDEF_EVP +#include "openssl-compat.h" + +#ifdef SSH_OLD_EVP +int +ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, + unsigned char *key, unsigned char *iv, int enc) +{ + EVP_CipherInit(evp, type, key, iv, enc); + return 1; +} + +int +ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len) +{ + EVP_Cipher(evp, dst, src, len); + return 1; +} + +int +ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) +{ + EVP_CIPHER_CTX_cleanup(evp); + return 1; +} +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/openssl-compat.h openssh-4.2p1/openbsd-compat/openssl-compat.h --- ssh-openbsd-2005090100/openbsd-compat/openssl-compat.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/openssl-compat.h Thu Jun 9 21:45:11 2005 @@ -0,0 +1,65 @@ +/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */ + +/* + * Copyright (c) 2005 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER + * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include + +#if OPENSSL_VERSION_NUMBER < 0x00906000L +# define SSH_OLD_EVP +# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) +#endif + +#if OPENSSL_VERSION_NUMBER < 0x00907000L +# define EVP_aes_128_cbc evp_rijndael +# define EVP_aes_192_cbc evp_rijndael +# define EVP_aes_256_cbc evp_rijndael +extern const EVP_CIPHER *evp_rijndael(void); +extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); +#endif + +#if !defined(EVP_CTRL_SET_ACSS_MODE) +# if (OPENSSL_VERSION_NUMBER >= 0x00907000L) +# define USE_CIPHER_ACSS 1 +extern const EVP_CIPHER *evp_acss(void); +# define EVP_acss evp_acss +# else +# define EVP_acss NULL +# endif +#endif + +/* + * insert comment here + */ +#ifdef SSH_OLD_EVP + +# ifndef SSH_DONT_REDEF_EVP + +# ifdef EVP_Cipher +# undef EVP_Cipher +# endif + +# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e)) +# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d)) +# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a)) +# endif + +int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, + unsigned char *, int); +int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); +int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/port-aix.c openssh-4.2p1/openbsd-compat/port-aix.c --- ssh-openbsd-2005090100/openbsd-compat/port-aix.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/port-aix.c Sun May 29 10:54:28 2005 @@ -0,0 +1,375 @@ +/* + * + * Copyright (c) 2001 Gert Doering. All rights reserved. + * Copyright (c) 2003,2004,2005 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#include "includes.h" +#include "auth.h" +#include "ssh.h" +#include "log.h" +#include "xmalloc.h" +#include "buffer.h" + +#ifdef _AIX + +#include +#include +#include "port-aix.h" + +# ifdef HAVE_SETAUTHDB +static char old_registry[REGISTRY_SIZE] = ""; +# endif + +/* + * AIX has a "usrinfo" area where logname and other stuff is stored - + * a few applications actually use this and die if it's not set + * + * NOTE: TTY= should be set, but since no one uses it and it's hard to + * acquire due to privsep code. We will just drop support. + */ +void +aix_usrinfo(struct passwd *pw) +{ + u_int i; + size_t len; + char *cp; + + len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name)); + cp = xmalloc(len); + + i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0', + pw->pw_name, '\0'); + if (usrinfo(SETUINFO, cp, i) == -1) + fatal("Couldn't set usrinfo: %s", strerror(errno)); + debug3("AIX/UsrInfo: set len %d", i); + + xfree(cp); +} + +# ifdef WITH_AIXAUTHENTICATE +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing whitespace */ + if (*--p == ' ') + *p = '\0'; +} + +/* + * Test specifically for the case where SYSTEM == NONE and AUTH1 contains + * anything other than NONE or SYSTEM, which indicates that the admin has + * configured the account for purely AUTH1-type authentication. + * + * Since authenticate() doesn't check AUTH1, and sshd can't sanely support + * AUTH1 itself, in such a case authenticate() will allow access without + * authentation, which is almost certainly not what the admin intends. + * + * (The native tools, eg login, will process the AUTH1 list in addition to + * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods + * have been deprecated since AIX 4.2.x and would be very difficult for sshd + * to support. + * + * Returns 0 if an unsupportable combination is found, 1 otherwise. + */ +static int +aix_valid_authentications(const char *user) +{ + char *auth1, *sys, *p; + int valid = 1; + + if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) { + logit("Can't retrieve attribute SYSTEM for %s: %.100s", + user, strerror(errno)); + return 0; + } + + debug3("AIX SYSTEM attribute %s", sys); + if (strcmp(sys, "NONE") != 0) + return 1; /* not "NONE", so is OK */ + + if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) { + logit("Can't retrieve attribute auth1 for %s: %.100s", + user, strerror(errno)); + return 0; + } + + p = auth1; + /* A SEC_LIST is concatenated strings, ending with two NULs. */ + while (p[0] != '\0' && p[1] != '\0') { + debug3("AIX auth1 attribute list member %s", p); + if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) { + logit("Account %s has unsupported auth1 value '%s'", + user, p); + valid = 0; + } + p += strlen(p) + 1; + } + + return (valid); +} + +/* + * Do authentication via AIX's authenticate routine. We loop until the + * reenter parameter is 0, but normally authenticate is called only once. + * + * Note: this function returns 1 on success, whereas AIX's authenticate() + * returns 0. + */ +int +sys_auth_passwd(Authctxt *ctxt, const char *password) +{ + char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name; + int authsuccess = 0, expired, reenter, result; + + do { + result = authenticate((char *)name, (char *)password, &reenter, + &authmsg); + aix_remove_embedded_newlines(authmsg); + debug3("AIX/authenticate result %d, authmsg %.100s", result, + authmsg); + } while (reenter); + + if (!aix_valid_authentications(name)) + result = -1; + + if (result == 0) { + authsuccess = 1; + + /* + * Record successful login. We don't have a pty yet, so just + * label the line as "ssh" + */ + aix_setauthdb(name); + + /* + * Check if the user's password is expired. + */ + expired = passwdexpired(name, &msg); + if (msg && *msg) { + buffer_append(ctxt->loginmsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + } + debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); + + switch (expired) { + case 0: /* password not expired */ + break; + case 1: /* expired, password change required */ + ctxt->force_pwchange = 1; + break; + default: /* user can't change(2) or other error (-1) */ + logit("Password can't be changed for user %s: %.100s", + name, msg); + if (msg) + xfree(msg); + authsuccess = 0; + } + + aix_restoreauthdb(); + } + + if (authmsg != NULL) + xfree(authmsg); + + return authsuccess; +} + +/* + * Check if specified account is permitted to log in. + * Returns 1 if login is allowed, 0 if not allowed. + */ +int +sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg) +{ + char *msg = NULL; + int result, permitted = 0; + struct stat st; + + /* + * Don't perform checks for root account (PermitRootLogin controls + * logins via * ssh) or if running as non-root user (since + * loginrestrictions will always fail due to insufficient privilege). + */ + if (pw->pw_uid == 0 || geteuid() != 0) { + debug3("%s: not checking", __func__); + return 1; + } + + result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg); + if (result == 0) + permitted = 1; + /* + * If restricted because /etc/nologin exists, the login will be denied + * in session.c after the nologin message is sent, so allow for now + * and do not append the returned message. + */ + if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0) + permitted = 1; + else if (msg != NULL) + buffer_append(loginmsg, msg, strlen(msg)); + if (msg == NULL) + msg = xstrdup("(none)"); + aix_remove_embedded_newlines(msg); + debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg); + + if (!permitted) + logit("Login restricted for %s: %.100s", pw->pw_name, msg); + xfree(msg); + return permitted; +} + +int +sys_auth_record_login(const char *user, const char *host, const char *ttynm, + Buffer *loginmsg) +{ + char *msg = NULL; + int success = 0; + + aix_setauthdb(user); + if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) { + success = 1; + if (msg != NULL) { + debug("AIX/loginsuccess: msg %s", msg); + buffer_append(loginmsg, msg, strlen(msg)); + xfree(msg); + } + } + aix_restoreauthdb(); + return (success); +} + +# ifdef CUSTOM_FAILED_LOGIN +/* + * record_failed_login: generic "login failed" interface function + */ +void +record_failed_login(const char *user, const char *hostname, const char *ttyname) +{ + if (geteuid() != 0) + return; + + aix_setauthdb(user); +# ifdef AIX_LOGINFAILED_4ARG + loginfailed((char *)user, (char *)hostname, (char *)ttyname, + AUDIT_FAIL_AUTH); +# else + loginfailed((char *)user, (char *)hostname, (char *)ttyname); +# endif + aix_restoreauthdb(); +} +# endif /* CUSTOM_FAILED_LOGIN */ + +/* + * If we have setauthdb, retrieve the password registry for the user's + * account then feed it to setauthdb. This will mean that subsequent AIX auth + * functions will only use the specified loadable module. If we don't have + * setauthdb this is a no-op. + */ +void +aix_setauthdb(const char *user) +{ +# ifdef HAVE_SETAUTHDB + char *registry; + + if (setuserdb(S_READ) == -1) { + debug3("%s: Could not open userdb to read", __func__); + return; + } + + if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { + if (setauthdb(registry, old_registry) == 0) + debug3("AIX/setauthdb set registry '%s'", registry); + else + debug3("AIX/setauthdb set registry '%s' failed: %s", + registry, strerror(errno)); + } else + debug3("%s: Could not read S_REGISTRY for user: %s", __func__, + strerror(errno)); + enduserdb(); +# endif /* HAVE_SETAUTHDB */ +} + +/* + * Restore the user's registry settings from old_registry. + * Note that if the first aix_setauthdb fails, setauthdb("") is still safe + * (it restores the system default behaviour). If we don't have setauthdb, + * this is a no-op. + */ +void +aix_restoreauthdb(void) +{ +# ifdef HAVE_SETAUTHDB + if (setauthdb(old_registry, NULL) == 0) + debug3("%s: restoring old registry '%s'", __func__, + old_registry); + else + debug3("%s: failed to restore old registry %s", __func__, + old_registry); +# endif /* HAVE_SETAUTHDB */ +} + +# endif /* WITH_AIXAUTHENTICATE */ + +# if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO) +# undef getnameinfo +/* + * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros + * IPv6 address into its textual representation ("::"), so we wrap it + * with a function that will. + */ +int +sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host, + size_t hostlen, char *serv, size_t servlen, int flags) +{ + struct sockaddr_in6 *sa6; + u_int32_t *a6; + + if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) && + sa->sa_family == AF_INET6) { + sa6 = (struct sockaddr_in6 *)sa; + a6 = sa6->sin6_addr.u6_addr.u6_addr32; + + if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) { + strlcpy(host, "::", hostlen); + snprintf(serv, servlen, "%d", sa6->sin6_port); + return 0; + } + } + return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags); +} +# endif /* AIX_GETNAMEINFO_HACK */ + +#endif /* _AIX */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/port-aix.h openssh-4.2p1/openbsd-compat/port-aix.h --- ssh-openbsd-2005090100/openbsd-compat/port-aix.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/port-aix.h Sat May 28 20:28:40 2005 @@ -0,0 +1,118 @@ +/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */ + +/* + * + * Copyright (c) 2001 Gert Doering. All rights reserved. + * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifdef _AIX + +#ifdef HAVE_SYS_SOCKET_H +# include +#endif +#ifdef HAVE_UNISTD_H +# include /* for seteuid() */ +#endif + +#ifdef WITH_AIXAUTHENTICATE +# include +# include +# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG) +# include +# endif +# include +#endif + +#include "buffer.h" + +/* These should be in the system headers but are not. */ +int usrinfo(int, char *, int); +#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0) +int setauthdb(const char *, char *); +#endif +/* these may or may not be in the headers depending on the version */ +#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0) +int authenticate(char *, char *, int *, char **); +#endif +#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0) +int loginfailed(char *, char *, char *); +#endif +#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0) +int loginrestrictions(char *, int, char *, char **); +#endif +#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0) +int loginsuccess(char *, char *, char *, char **); +#endif +#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0) +int passwdexpired(char *, char **); +#endif + +/* Some versions define r_type in the above headers, which causes a conflict */ +#ifdef r_type +# undef r_type +#endif + +/* AIX 4.2.x doesn't have nanosleep but does have nsleep which is equivalent */ +#if !defined(HAVE_NANOSLEEP) && defined(HAVE_NSLEEP) +# define nanosleep(a,b) nsleep(a,b) +#endif + +/* For struct timespec on AIX 4.2.x */ +#ifdef HAVE_SYS_TIMERS_H +# include +#endif + +/* + * According to the setauthdb man page, AIX password registries must be 15 + * chars or less plus terminating NUL. + */ +#ifdef HAVE_SETAUTHDB +# define REGISTRY_SIZE 16 +#endif + +void aix_usrinfo(struct passwd *); + +#ifdef WITH_AIXAUTHENTICATE +# define CUSTOM_SYS_AUTH_PASSWD 1 +# define CUSTOM_SYS_AUTH_ALLOWED_USER 1 +int sys_auth_allowed_user(struct passwd *, Buffer *); +# define CUSTOM_SYS_AUTH_RECORD_LOGIN 1 +int sys_auth_record_login(const char *, const char *, const char *, Buffer *); +# define CUSTOM_FAILED_LOGIN 1 +#endif + +void aix_setauthdb(const char *); +void aix_restoreauthdb(void); +void aix_remove_embedded_newlines(char *); + +#if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_GETADDRINFO) +# ifdef getnameinfo +# undef getnameinfo +# endif +int sshaix_getnameinfo(const struct sockaddr *, size_t, char *, size_t, + char *, size_t, int); +# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g)) +#endif + +#endif /* _AIX */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/port-irix.c openssh-4.2p1/openbsd-compat/port-irix.c --- ssh-openbsd-2005090100/openbsd-compat/port-irix.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/port-irix.c Sun Jun 1 13:23:57 2003 @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2000 Denis Parker. All rights reserved. + * Copyright (c) 2000 Michael Stone. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#if defined(WITH_IRIX_PROJECT) || \ + defined(WITH_IRIX_JOBS) || \ + defined(WITH_IRIX_ARRAY) + +#ifdef WITH_IRIX_PROJECT +# include +#endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_JOBS +# include +#endif +#ifdef WITH_IRIX_AUDIT +# include +#endif /* WITH_IRIX_AUDIT */ + +void +irix_setusercontext(struct passwd *pw) +{ +#ifdef WITH_IRIX_PROJECT + prid_t projid; +#endif +#ifdef WITH_IRIX_JOBS + jid_t jid = 0; +#elif defined(WITH_IRIX_ARRAY) + int jid = 0; +#endif + +#ifdef WITH_IRIX_JOBS + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); + if (jid == -1) + fatal("Failed to create job container: %.100s", + strerror(errno)); +#endif /* WITH_IRIX_JOBS */ +#ifdef WITH_IRIX_ARRAY + /* initialize array session */ + if (jid == 0 && newarraysess() != 0) + fatal("Failed to set up new array session: %.100s", + strerror(errno)); +#endif /* WITH_IRIX_ARRAY */ +#ifdef WITH_IRIX_PROJECT + /* initialize irix project info */ + if ((projid = getdfltprojuser(pw->pw_name)) == -1) { + debug("Failed to get project id, using projid 0"); + projid = 0; + } + if (setprid(projid)) + fatal("Failed to initialize project %d for %s: %.100s", + (int)projid, pw->pw_name, strerror(errno)); +#endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_AUDIT + if (sysconf(_SC_AUDIT)) { + debug("Setting sat id to %d", (int) pw->pw_uid); + if (satsetid(pw->pw_uid)) + debug("error setting satid: %.100s", strerror(errno)); + } +#endif /* WITH_IRIX_AUDIT */ +} + + +#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/port-irix.h openssh-4.2p1/openbsd-compat/port-irix.h --- ssh-openbsd-2005090100/openbsd-compat/port-irix.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/port-irix.h Sat Aug 30 02:59:52 2003 @@ -0,0 +1,39 @@ +/* $Id: port-irix.h,v 1.4 2003/08/29 16:59:52 mouring Exp $ */ + +/* + * Copyright (c) 2000 Denis Parker. All rights reserved. + * Copyright (c) 2000 Michael Stone. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _PORT_IRIX_H +#define _PORT_IRIX_H + +#if defined(WITH_IRIX_PROJECT) || \ + defined(WITH_IRIX_JOBS) || \ + defined(WITH_IRIX_ARRAY) + +void irix_setusercontext(struct passwd *pw); + +#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ + +#endif /* ! _PORT_IRIX_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/port-uw.c openssh-4.2p1/openbsd-compat/port-uw.c --- ssh-openbsd-2005090100/openbsd-compat/port-uw.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/port-uw.c Thu Sep 1 02:59:49 2005 @@ -0,0 +1,134 @@ +/* + * Copyright (c) 2005 The SCO Group. All rights reserved. + * Copyright (c) 2005 Tim Rice. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) +#ifdef HAVE_CRYPT_H +#include +#endif +#include "packet.h" +#include "buffer.h" +#include "log.h" +#include "servconf.h" +#include "auth.h" +#include "auth-options.h" + +int nischeck(char *); + +int +sys_auth_passwd(Authctxt *authctxt, const char *password) +{ + struct passwd *pw = authctxt->pw; + char *encrypted_password; + char *salt; + int result; + + /* Just use the supplied fake password if authctxt is invalid */ + char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; + + /* Check for users with no password. */ + if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) + return (1); + + /* Encrypt the candidate password using the proper salt. */ + salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx"; +#ifdef UNIXWARE_LONG_PASSWORDS + if (!nischeck(pw->pw_name)) + encrypted_password = bigcrypt(password, salt); + else +#endif /* UNIXWARE_LONG_PASSWORDS */ + encrypted_password = xcrypt(password, salt); + + /* + * Authentication is accepted if the encrypted passwords + * are identical. + */ + result = (strcmp(encrypted_password, pw_password) == 0); + + if (authctxt->valid) + free(pw_password); + return(result); +} + +#ifdef UNIXWARE_LONG_PASSWORDS +int +nischeck(char *namep) +{ + char password_file[] = "/etc/passwd"; + FILE *fd; + struct passwd *ent = NULL; + + if ((fd = fopen (password_file, "r")) == NULL) { + /* + * If the passwd file has dissapeared we are in a bad state. + * However, returning 0 will send us back through the + * authentication scheme that has checked the ia database for + * passwords earlier. + */ + return(0); + } + + /* + * fgetpwent() only reads from password file, so we know for certain + * that the user is local. + */ + while (ent = fgetpwent(fd)) { + if (strcmp (ent->pw_name, namep) == 0) { + /* Local user */ + fclose (fd); + return(0); + } + } + + fclose (fd); + return (1); +} + +#endif /* UNIXWARE_LONG_PASSWORDS */ + +/* + NOTE: ia_get_logpwd() allocates memory for arg 2 + functions that call shadow_pw() will need to free + */ + +char * +get_iaf_password(struct passwd *pw) +{ + char *pw_password = NULL; + + uinfo_t uinfo; + if (!ia_openinfo(pw->pw_name,&uinfo)) { + ia_get_logpwd(uinfo, &pw_password); + if (pw_password == NULL) + fatal("ia_get_logpwd: Unable to get the shadow passwd"); + ia_closeinfo(uinfo); + return pw_password; + } + else + fatal("ia_openinfo: Unable to open the shadow passwd file"); +} +#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/port-uw.h openssh-4.2p1/openbsd-compat/port-uw.h --- ssh-openbsd-2005090100/openbsd-compat/port-uw.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/port-uw.h Thu Sep 1 02:59:49 2005 @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2005 Tim Rice. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) +char * get_iaf_password(struct passwd *pw); +#endif + diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/readpassphrase.c openssh-4.2p1/openbsd-compat/readpassphrase.c --- ssh-openbsd-2005090100/openbsd-compat/readpassphrase.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/readpassphrase.c Tue May 24 16:42:00 2005 @@ -0,0 +1,189 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */ + +/* $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $ */ + +/* + * Copyright (c) 2000-2002 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include "includes.h" + +#ifndef HAVE_READPASSPHRASE + +#include +#include + +#ifdef TCSASOFT +# define _T_FLUSH (TCSAFLUSH|TCSASOFT) +#else +# define _T_FLUSH (TCSAFLUSH) +#endif + +/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */ +#if !defined(_POSIX_VDISABLE) && defined(VDISABLE) +# define _POSIX_VDISABLE VDISABLE +#endif + +static volatile sig_atomic_t signo; + +static void handler(int); + +char * +readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags) +{ + ssize_t nr; + int input, output, save_errno; + char ch, *p, *end; + struct termios term, oterm; + struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm; + struct sigaction savetstp, savettin, savettou, savepipe; + + /* I suppose we could alloc on demand in this case (XXX). */ + if (bufsiz == 0) { + errno = EINVAL; + return(NULL); + } + +restart: + signo = 0; + /* + * Read and write to /dev/tty if available. If not, read from + * stdin and write to stderr unless a tty is required. + */ + if ((flags & RPP_STDIN) || + (input = output = open(_PATH_TTY, O_RDWR)) == -1) { + if (flags & RPP_REQUIRE_TTY) { + errno = ENOTTY; + return(NULL); + } + input = STDIN_FILENO; + output = STDERR_FILENO; + } + + /* + * Catch signals that would otherwise cause the user to end + * up with echo turned off in the shell. Don't worry about + * things like SIGXCPU and SIGVTALRM for now. + */ + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; /* don't restart system calls */ + sa.sa_handler = handler; + (void)sigaction(SIGALRM, &sa, &savealrm); + (void)sigaction(SIGHUP, &sa, &savehup); + (void)sigaction(SIGINT, &sa, &saveint); + (void)sigaction(SIGPIPE, &sa, &savepipe); + (void)sigaction(SIGQUIT, &sa, &savequit); + (void)sigaction(SIGTERM, &sa, &saveterm); + (void)sigaction(SIGTSTP, &sa, &savetstp); + (void)sigaction(SIGTTIN, &sa, &savettin); + (void)sigaction(SIGTTOU, &sa, &savettou); + + /* Turn off echo if possible. */ + if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) { + memcpy(&term, &oterm, sizeof(term)); + if (!(flags & RPP_ECHO_ON)) + term.c_lflag &= ~(ECHO | ECHONL); +#ifdef VSTATUS + if (term.c_cc[VSTATUS] != _POSIX_VDISABLE) + term.c_cc[VSTATUS] = _POSIX_VDISABLE; +#endif + (void)tcsetattr(input, _T_FLUSH, &term); + } else { + memset(&term, 0, sizeof(term)); + term.c_lflag |= ECHO; + memset(&oterm, 0, sizeof(oterm)); + oterm.c_lflag |= ECHO; + } + + if (!(flags & RPP_STDIN)) + (void)write(output, prompt, strlen(prompt)); + end = buf + bufsiz - 1; + for (p = buf; (nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r';) { + if (p < end) { + if ((flags & RPP_SEVENBIT)) + ch &= 0x7f; + if (isalpha(ch)) { + if ((flags & RPP_FORCELOWER)) + ch = tolower(ch); + if ((flags & RPP_FORCEUPPER)) + ch = toupper(ch); + } + *p++ = ch; + } + } + *p = '\0'; + save_errno = errno; + if (!(term.c_lflag & ECHO)) + (void)write(output, "\n", 1); + + /* Restore old terminal settings and signals. */ + if (memcmp(&term, &oterm, sizeof(term)) != 0) { + while (tcsetattr(input, _T_FLUSH, &oterm) == -1 && + errno == EINTR) + continue; + } + (void)sigaction(SIGALRM, &savealrm, NULL); + (void)sigaction(SIGHUP, &savehup, NULL); + (void)sigaction(SIGINT, &saveint, NULL); + (void)sigaction(SIGQUIT, &savequit, NULL); + (void)sigaction(SIGPIPE, &savepipe, NULL); + (void)sigaction(SIGTERM, &saveterm, NULL); + (void)sigaction(SIGTSTP, &savetstp, NULL); + (void)sigaction(SIGTTIN, &savettin, NULL); + if (input != STDIN_FILENO) + (void)close(input); + + /* + * If we were interrupted by a signal, resend it to ourselves + * now that we have restored the signal handlers. + */ + if (signo) { + kill(getpid(), signo); + switch (signo) { + case SIGTSTP: + case SIGTTIN: + case SIGTTOU: + goto restart; + } + } + + errno = save_errno; + return(nr == -1 ? NULL : buf); +} + +#if 0 +char * +getpass(const char *prompt) +{ + static char buf[_PASSWORD_LEN + 1]; + + return(readpassphrase(prompt, buf, sizeof(buf), RPP_ECHO_OFF)); +} +#endif + +static void handler(int s) +{ + + signo = s; +} +#endif /* HAVE_READPASSPHRASE */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/readpassphrase.h openssh-4.2p1/openbsd-compat/readpassphrase.h --- ssh-openbsd-2005090100/openbsd-compat/readpassphrase.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/readpassphrase.h Mon Nov 24 13:33:34 2003 @@ -0,0 +1,51 @@ +/* OPENBSD ORIGINAL: include/readpassphrase.h */ + +/* $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $ */ + +/* + * Copyright (c) 2000 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _READPASSPHRASE_H_ +#define _READPASSPHRASE_H_ + +#include "includes.h" + +#ifndef HAVE_READPASSPHRASE + +#define RPP_ECHO_OFF 0x00 /* Turn off echo (default). */ +#define RPP_ECHO_ON 0x01 /* Leave echo on. */ +#define RPP_REQUIRE_TTY 0x02 /* Fail if there is no tty. */ +#define RPP_FORCELOWER 0x04 /* Force input to lower case. */ +#define RPP_FORCEUPPER 0x08 /* Force input to upper case. */ +#define RPP_SEVENBIT 0x10 /* Strip the high bit from input. */ +#define RPP_STDIN 0x20 /* Read from stdin, not /dev/tty */ + +char * readpassphrase(const char *, char *, size_t, int); + +#endif /* HAVE_READPASSPHRASE */ + +#endif /* !_READPASSPHRASE_H_ */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/realpath.c openssh-4.2p1/openbsd-compat/realpath.c --- ssh-openbsd-2005090100/openbsd-compat/realpath.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/realpath.c Wed Aug 10 21:52:36 2005 @@ -0,0 +1,196 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ + +/* + * Copyright (c) 2003 Constantin S. Svintsoff + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The names of the authors may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) + +#include +#include + +#include +#include +#include +#include + +/* + * char *realpath(const char *path, char resolved[PATH_MAX]); + * + * Find the real name of path, by removing all ".", ".." and symlink + * components. Returns (resolved) on success, or (NULL) on failure, + * in which case the path which caused trouble is left in (resolved). + */ +char * +realpath(const char *path, char resolved[PATH_MAX]) +{ + struct stat sb; + char *p, *q, *s; + size_t left_len, resolved_len; + unsigned symlinks; + int serrno, slen; + char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX]; + + serrno = errno; + symlinks = 0; + if (path[0] == '/') { + resolved[0] = '/'; + resolved[1] = '\0'; + if (path[1] == '\0') + return (resolved); + resolved_len = 1; + left_len = strlcpy(left, path + 1, sizeof(left)); + } else { + if (getcwd(resolved, PATH_MAX) == NULL) { + strlcpy(resolved, ".", PATH_MAX); + return (NULL); + } + resolved_len = strlen(resolved); + left_len = strlcpy(left, path, sizeof(left)); + } + if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) { + errno = ENAMETOOLONG; + return (NULL); + } + + /* + * Iterate over path components in `left'. + */ + while (left_len != 0) { + /* + * Extract the next path component and adjust `left' + * and its length. + */ + p = strchr(left, '/'); + s = p ? p : left + left_len; + if (s - left >= sizeof(next_token)) { + errno = ENAMETOOLONG; + return (NULL); + } + memcpy(next_token, left, s - left); + next_token[s - left] = '\0'; + left_len -= s - left; + if (p != NULL) + memmove(left, s + 1, left_len + 1); + if (resolved[resolved_len - 1] != '/') { + if (resolved_len + 1 >= PATH_MAX) { + errno = ENAMETOOLONG; + return (NULL); + } + resolved[resolved_len++] = '/'; + resolved[resolved_len] = '\0'; + } + if (next_token[0] == '\0') + continue; + else if (strcmp(next_token, ".") == 0) + continue; + else if (strcmp(next_token, "..") == 0) { + /* + * Strip the last path component except when we have + * single "/" + */ + if (resolved_len > 1) { + resolved[resolved_len - 1] = '\0'; + q = strrchr(resolved, '/') + 1; + *q = '\0'; + resolved_len = q - resolved; + } + continue; + } + + /* + * Append the next path component and lstat() it. If + * lstat() fails we still can return successfully if + * there are no more path components left. + */ + resolved_len = strlcat(resolved, next_token, PATH_MAX); + if (resolved_len >= PATH_MAX) { + errno = ENAMETOOLONG; + return (NULL); + } + if (lstat(resolved, &sb) != 0) { + if (errno == ENOENT && p == NULL) { + errno = serrno; + return (resolved); + } + return (NULL); + } + if (S_ISLNK(sb.st_mode)) { + if (symlinks++ > MAXSYMLINKS) { + errno = ELOOP; + return (NULL); + } + slen = readlink(resolved, symlink, sizeof(symlink) - 1); + if (slen < 0) + return (NULL); + symlink[slen] = '\0'; + if (symlink[0] == '/') { + resolved[1] = 0; + resolved_len = 1; + } else if (resolved_len > 1) { + /* Strip the last path component. */ + resolved[resolved_len - 1] = '\0'; + q = strrchr(resolved, '/') + 1; + *q = '\0'; + resolved_len = q - resolved; + } + + /* + * If there are any path components left, then + * append them to symlink. The result is placed + * in `left'. + */ + if (p != NULL) { + if (symlink[slen - 1] != '/') { + if (slen + 1 >= sizeof(symlink)) { + errno = ENAMETOOLONG; + return (NULL); + } + symlink[slen] = '/'; + symlink[slen + 1] = 0; + } + left_len = strlcat(symlink, left, sizeof(left)); + if (left_len >= sizeof(left)) { + errno = ENAMETOOLONG; + return (NULL); + } + } + left_len = strlcpy(left, symlink, sizeof(left)); + } + } + + /* + * Remove trailing slash except when the resolved pathname + * is a single "/". + */ + if (resolved_len > 1 && resolved[resolved_len - 1] == '/') + resolved[resolved_len - 1] = '\0'; + return (resolved); +} +#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/rresvport.c openssh-4.2p1/openbsd-compat/rresvport.c --- ssh-openbsd-2005090100/openbsd-compat/rresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/rresvport.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,103 @@ +/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */ + +/* + * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. + * Copyright (c) 1983, 1993, 1994 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#ifndef HAVE_RRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include "includes.h" + +#if 0 +int +rresvport(alport) + int *alport; +{ + return rresvport_af(alport, AF_INET); +} +#endif + +int +rresvport_af(int *alport, sa_family_t af) +{ + struct sockaddr_storage ss; + struct sockaddr *sa; + u_int16_t *portp; + int s; + socklen_t salen; + + memset(&ss, '\0', sizeof ss); + sa = (struct sockaddr *)&ss; + + switch (af) { + case AF_INET: + salen = sizeof(struct sockaddr_in); + portp = &((struct sockaddr_in *)sa)->sin_port; + break; + case AF_INET6: + salen = sizeof(struct sockaddr_in6); + portp = &((struct sockaddr_in6 *)sa)->sin6_port; + break; + default: + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + s = socket(af, SOCK_STREAM, 0); + if (s < 0) + return (-1); + + *portp = htons(*alport); + if (*alport < IPPORT_RESERVED - 1) { + if (bind(s, sa, salen) >= 0) + return (s); + if (errno != EADDRINUSE) { + (void)close(s); + return (-1); + } + } + + *portp = 0; + sa->sa_family = af; + if (bindresvport_sa(s, sa) == -1) { + (void)close(s); + return (-1); + } + *alport = ntohs(*portp); + return (s); +} + +#endif /* HAVE_RRESVPORT_AF */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/setenv.c openssh-4.2p1/openbsd-compat/setenv.c --- ssh-openbsd-2005090100/openbsd-compat/setenv.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/setenv.c Mon Mar 8 22:59:03 2004 @@ -0,0 +1,165 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */ + +/* + * Copyright (c) 1987 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +char *__findenv(const char *name, int *offset); + +/* + * __findenv -- + * Returns pointer to value associated with name, if any, else NULL. + * Sets offset to be the offset of the name/value combination in the + * environmental array, for use by setenv(3) and unsetenv(3). + * Explicitly removes '=' in argument name. + * + * This routine *should* be a static; don't use it. + */ +char * +__findenv(name, offset) + register const char *name; + int *offset; +{ + extern char **environ; + register int len, i; + register const char *np; + register char **p, *cp; + + if (name == NULL || environ == NULL) + return (NULL); + for (np = name; *np && *np != '='; ++np) + ; + len = np - name; + for (p = environ; (cp = *p) != NULL; ++p) { + for (np = name, i = len; i && *cp; i--) + if (*cp++ != *np++) + break; + if (i == 0 && *cp++ == '=') { + *offset = p - environ; + return (cp); + } + } + return (NULL); +} + +#ifndef HAVE_SETENV +/* + * setenv -- + * Set the value of the environmental variable "name" to be + * "value". If rewrite is set, replace any current value. + */ +int +setenv(name, value, rewrite) + register const char *name; + register const char *value; + int rewrite; +{ + extern char **environ; + static int alloced; /* if allocated space before */ + register char *C; + int l_value, offset; + + if (*value == '=') /* no `=' in value */ + ++value; + l_value = strlen(value); + if ((C = __findenv(name, &offset))) { /* find if already exists */ + if (!rewrite) + return (0); + if (strlen(C) >= l_value) { /* old larger; copy over */ + while ((*C++ = *value++)) + ; + return (0); + } + } else { /* create new slot */ + register int cnt; + register char **P; + + for (P = environ, cnt = 0; *P; ++P, ++cnt); + if (alloced) { /* just increase size */ + P = (char **)realloc((void *)environ, + (size_t)(sizeof(char *) * (cnt + 2))); + if (!P) + return (-1); + environ = P; + } + else { /* get new space */ + alloced = 1; /* copy old entries into it */ + P = (char **)malloc((size_t)(sizeof(char *) * + (cnt + 2))); + if (!P) + return (-1); + memmove(P, environ, cnt * sizeof(char *)); + environ = P; + } + environ[cnt + 1] = NULL; + offset = cnt; + } + for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */ + if (!(environ[offset] = /* name + `=' + value */ + malloc((size_t)((int)(C - name) + l_value + 2)))) + return (-1); + for (C = environ[offset]; (*C = *name++) && *C != '='; ++C) + ; + for (*C++ = '='; (*C++ = *value++); ) + ; + return (0); +} +#endif /* HAVE_SETENV */ + +#ifndef HAVE_UNSETENV +/* + * unsetenv(name) -- + * Delete environmental variable "name". + */ +void +unsetenv(name) + const char *name; +{ + extern char **environ; + register char **P; + int offset; + char *__findenv(); + + while (__findenv(name, &offset)) /* if set multiple times */ + for (P = &environ[offset];; ++P) + if (!(*P = *(P + 1))) + break; +} +#endif /* HAVE_UNSETENV */ + +#endif /* !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/setproctitle.c openssh-4.2p1/openbsd-compat/setproctitle.c --- ssh-openbsd-2005090100/openbsd-compat/setproctitle.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/setproctitle.c Fri Feb 20 20:38:17 2004 @@ -0,0 +1,157 @@ +/* Based on conf.c from UCB sendmail 8.8.8 */ + +/* + * Copyright 2003 Damien Miller + * Copyright (c) 1983, 1995-1997 Eric P. Allman + * Copyright (c) 1988, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#ifndef HAVE_SETPROCTITLE + +#include +#ifdef HAVE_SYS_PSTAT_H +#include +#endif + +#define SPT_NONE 0 /* don't use it at all */ +#define SPT_PSTAT 1 /* use pstat(PSTAT_SETCMD, ...) */ +#define SPT_REUSEARGV 2 /* cover argv with title information */ + +#ifndef SPT_TYPE +# define SPT_TYPE SPT_NONE +#endif + +#ifndef SPT_PADCHAR +# define SPT_PADCHAR '\0' +#endif + +#if SPT_TYPE == SPT_REUSEARGV +static char *argv_start = NULL; +static size_t argv_env_len = 0; +#endif + +#endif /* HAVE_SETPROCTITLE */ + +void +compat_init_setproctitle(int argc, char *argv[]) +{ +#if defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV + extern char **environ; + char *lastargv = NULL; + char **envp = environ; + int i; + + /* + * NB: This assumes that argv has already been copied out of the + * way. This is true for sshd, but may not be true for other + * programs. Beware. + */ + + if (argc == 0 || argv[0] == NULL) + return; + + /* Fail if we can't allocate room for the new environment */ + for (i = 0; envp[i] != NULL; i++) + ; + if ((environ = malloc(sizeof(*environ) * (i + 1))) == NULL) { + environ = envp; /* put it back */ + return; + } + + /* + * Find the last argv string or environment variable within + * our process memory area. + */ + for (i = 0; i < argc; i++) { + if (lastargv == NULL || lastargv + 1 == argv[i]) + lastargv = argv[i] + strlen(argv[i]); + } + for (i = 0; envp[i] != NULL; i++) { + if (lastargv + 1 == envp[i]) + lastargv = envp[i] + strlen(envp[i]); + } + + argv[1] = NULL; + argv_start = argv[0]; + argv_env_len = lastargv - argv[0] - 1; + + /* + * Copy environment + * XXX - will truncate env on strdup fail + */ + for (i = 0; envp[i] != NULL; i++) + environ[i] = strdup(envp[i]); + environ[i] = NULL; +#endif /* SPT_REUSEARGV */ +} + +#ifndef HAVE_SETPROCTITLE +void +setproctitle(const char *fmt, ...) +{ +#if SPT_TYPE != SPT_NONE + va_list ap; + char buf[1024]; + size_t len; + extern char *__progname; +#if SPT_TYPE == SPT_PSTAT + union pstun pst; +#endif + +#if SPT_TYPE == SPT_REUSEARGV + if (argv_env_len <= 0) + return; +#endif + + strlcpy(buf, __progname, sizeof(buf)); + + va_start(ap, fmt); + if (fmt != NULL) { + len = strlcat(buf, ": ", sizeof(buf)); + if (len < sizeof(buf)) + vsnprintf(buf + len, sizeof(buf) - len , fmt, ap); + } + va_end(ap); + +#if SPT_TYPE == SPT_PSTAT + pst.pst_command = buf; + pstat(PSTAT_SETCMD, pst, strlen(buf), 0, 0); +#elif SPT_TYPE == SPT_REUSEARGV +/* debug("setproctitle: copy \"%s\" into len %d", + buf, argv_env_len); */ + len = strlcpy(argv_start, buf, argv_env_len); + for(; len < argv_env_len; len++) + argv_start[len] = SPT_PADCHAR; +#endif + +#endif /* SPT_NONE */ +} + +#endif /* HAVE_SETPROCTITLE */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/sigact.c openssh-4.2p1/openbsd-compat/sigact.c --- ssh-openbsd-2005090100/openbsd-compat/sigact.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/sigact.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,104 @@ +/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */ + +/* $OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $ */ + +/**************************************************************************** + * Copyright (c) 1998 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * + * copy of this software and associated documentation files (the * + * "Software"), to deal in the Software without restriction, including * + * without limitation the rights to use, copy, modify, merge, publish, * + * distribute, distribute with modifications, sublicense, and/or sell * + * copies of the Software, and to permit persons to whom the Software is * + * furnished to do so, subject to the following conditions: * + * * + * The above copyright notice and this permission notice shall be included * + * in all copies or substantial portions of the Software. * + * * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * + * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * + * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * + * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * + * THE USE OR OTHER DEALINGS IN THE SOFTWARE. * + * * + * Except as contained in this notice, the name(s) of the above copyright * + * holders shall not be used in advertising or otherwise to promote the * + * sale, use or other dealings in this Software without prior written * + * authorization. * + ****************************************************************************/ + +/**************************************************************************** + * Author: Zeyd M. Ben-Halim 1992,1995 * + * and: Eric S. Raymond * + ****************************************************************************/ + +#include "includes.h" +#include +#include "sigact.h" + +/* This file provides sigaction() emulation using sigvec() */ +/* Use only if this is non POSIX system */ + +#if !HAVE_SIGACTION && HAVE_SIGVEC + +int +sigaction(int sig, struct sigaction *sigact, struct sigaction *osigact) +{ + return sigvec(sig, &(sigact->sv), &(osigact->sv)); +} + +int +sigemptyset (sigset_t * mask) +{ + *mask = 0; + return 0; +} + +int +sigprocmask (int mode, sigset_t * mask, sigset_t * omask) +{ + sigset_t current = sigsetmask(0); + + if (omask) *omask = current; + + if (mode==SIG_BLOCK) + current |= *mask; + else if (mode==SIG_UNBLOCK) + current &= ~*mask; + else if (mode==SIG_SETMASK) + current = *mask; + + sigsetmask(current); + return 0; +} + +int +sigsuspend (sigset_t * mask) +{ + return sigpause(*mask); +} + +int +sigdelset (sigset_t * mask, int sig) +{ + *mask &= ~sigmask(sig); + return 0; +} + +int +sigaddset (sigset_t * mask, int sig) +{ + *mask |= sigmask(sig); + return 0; +} + +int +sigismember (sigset_t * mask, int sig) +{ + return (*mask & sigmask(sig)) != 0; +} + +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/sigact.h openssh-4.2p1/openbsd-compat/sigact.h --- ssh-openbsd-2005090100/openbsd-compat/sigact.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/sigact.h Sat Feb 24 11:24:20 2001 @@ -0,0 +1,88 @@ +/* $OpenBSD: SigAction.h,v 1.2 1999/06/27 08:15:19 millert Exp $ */ + +/**************************************************************************** + * Copyright (c) 1998 Free Software Foundation, Inc. * + * * + * Permission is hereby granted, free of charge, to any person obtaining a * + * copy of this software and associated documentation files (the * + * "Software"), to deal in the Software without restriction, including * + * without limitation the rights to use, copy, modify, merge, publish, * + * distribute, distribute with modifications, sublicense, and/or sell * + * copies of the Software, and to permit persons to whom the Software is * + * furnished to do so, subject to the following conditions: * + * * + * The above copyright notice and this permission notice shall be included * + * in all copies or substantial portions of the Software. * + * * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * + * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * + * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * + * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * + * THE USE OR OTHER DEALINGS IN THE SOFTWARE. * + * * + * Except as contained in this notice, the name(s) of the above copyright * + * holders shall not be used in advertising or otherwise to promote the * + * sale, use or other dealings in this Software without prior written * + * authorization. * + ****************************************************************************/ + +/**************************************************************************** + * Author: Zeyd M. Ben-Halim 1992,1995 * + * and: Eric S. Raymond * + ****************************************************************************/ + +/* + * $From: SigAction.h,v 1.5 1999/06/19 23:00:54 tom Exp $ + * + * This file exists to handle non-POSIX systems which don't have , + * and usually no sigaction() nor + */ + +#ifndef _SIGACTION_H +#define _SIGACTION_H + +#if !defined(HAVE_SIGACTION) && defined(HAVE_SIGVEC) + +#undef SIG_BLOCK +#define SIG_BLOCK 00 + +#undef SIG_UNBLOCK +#define SIG_UNBLOCK 01 + +#undef SIG_SETMASK +#define SIG_SETMASK 02 + +/* + * is in the Linux 1.2.8 + gcc 2.7.0 configuration, + * and is useful for testing this header file. + */ +#if HAVE_BSD_SIGNAL_H +# include +#endif + +struct sigaction +{ + struct sigvec sv; +}; + +typedef unsigned long sigset_t; + +#undef sa_mask +#define sa_mask sv.sv_mask +#undef sa_handler +#define sa_handler sv.sv_handler +#undef sa_flags +#define sa_flags sv.sv_flags + +int sigaction(int sig, struct sigaction *sigact, struct sigaction *osigact); +int sigprocmask (int how, sigset_t *mask, sigset_t *omask); +int sigemptyset (sigset_t *mask); +int sigsuspend (sigset_t *mask); +int sigdelset (sigset_t *mask, int sig); +int sigaddset (sigset_t *mask, int sig); + +#endif /* !defined(HAVE_SIGACTION) && defined(HAVE_SIGVEC) */ + +#endif /* !defined(_SIGACTION_H) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strlcat.c openssh-4.2p1/openbsd-compat/strlcat.c --- ssh-openbsd-2005090100/openbsd-compat/strlcat.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strlcat.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,66 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ + +/* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#ifndef HAVE_STRLCAT + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Appends src to string dst of size siz (unlike strncat, siz is the + * full size of dst, not space left). At most siz-1 characters + * will be copied. Always NUL terminates (unless siz <= strlen(dst)). + * Returns strlen(src) + MIN(siz, strlen(initial dst)). + * If retval >= siz, truncation occurred. + */ +size_t +strlcat(char *dst, const char *src, size_t siz) +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (n-- != 0 && *d != '\0') + d++; + dlen = d - dst; + n = siz - dlen; + + if (n == 0) + return(dlen + strlen(s)); + while (*s != '\0') { + if (n != 1) { + *d++ = *s; + n--; + } + s++; + } + *d = '\0'; + + return(dlen + (s - src)); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCAT */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strlcpy.c openssh-4.2p1/openbsd-compat/strlcpy.c --- ssh-openbsd-2005090100/openbsd-compat/strlcpy.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strlcpy.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,62 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */ + +/* $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#ifndef HAVE_STRLCPY + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t +strlcpy(char *dst, const char *src, size_t siz) +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCPY */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strmode.c openssh-4.2p1/openbsd-compat/strmode.c --- ssh-openbsd-2005090100/openbsd-compat/strmode.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strmode.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,156 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */ + +/*- + * Copyright (c) 1990 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#ifndef HAVE_STRMODE + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include + +/* XXX mode should be mode_t */ + +void +strmode(int mode, char *p) +{ + /* print type */ + switch (mode & S_IFMT) { + case S_IFDIR: /* directory */ + *p++ = 'd'; + break; + case S_IFCHR: /* character special */ + *p++ = 'c'; + break; + case S_IFBLK: /* block special */ + *p++ = 'b'; + break; + case S_IFREG: /* regular */ + *p++ = '-'; + break; + case S_IFLNK: /* symbolic link */ + *p++ = 'l'; + break; +#ifdef S_IFSOCK + case S_IFSOCK: /* socket */ + *p++ = 's'; + break; +#endif +#ifdef S_IFIFO + case S_IFIFO: /* fifo */ + *p++ = 'p'; + break; +#endif +#ifdef S_IFWHT + case S_IFWHT: /* whiteout */ + *p++ = 'w'; + break; +#endif + default: /* unknown */ + *p++ = '?'; + break; + } + /* usr */ + if (mode & S_IRUSR) + *p++ = 'r'; + else + *p++ = '-'; + if (mode & S_IWUSR) + *p++ = 'w'; + else + *p++ = '-'; + switch (mode & (S_IXUSR | S_ISUID)) { + case 0: + *p++ = '-'; + break; + case S_IXUSR: + *p++ = 'x'; + break; + case S_ISUID: + *p++ = 'S'; + break; + case S_IXUSR | S_ISUID: + *p++ = 's'; + break; + } + /* group */ + if (mode & S_IRGRP) + *p++ = 'r'; + else + *p++ = '-'; + if (mode & S_IWGRP) + *p++ = 'w'; + else + *p++ = '-'; + switch (mode & (S_IXGRP | S_ISGID)) { + case 0: + *p++ = '-'; + break; + case S_IXGRP: + *p++ = 'x'; + break; + case S_ISGID: + *p++ = 'S'; + break; + case S_IXGRP | S_ISGID: + *p++ = 's'; + break; + } + /* other */ + if (mode & S_IROTH) + *p++ = 'r'; + else + *p++ = '-'; + if (mode & S_IWOTH) + *p++ = 'w'; + else + *p++ = '-'; + switch (mode & (S_IXOTH | S_ISVTX)) { + case 0: + *p++ = '-'; + break; + case S_IXOTH: + *p++ = 'x'; + break; + case S_ISVTX: + *p++ = 'T'; + break; + case S_IXOTH | S_ISVTX: + *p++ = 't'; + break; + } + *p++ = ' '; /* will be a '+' if ACL's implemented */ + *p = '\0'; +} +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strsep.c openssh-4.2p1/openbsd-compat/strsep.c --- ssh-openbsd-2005090100/openbsd-compat/strsep.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strsep.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,87 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */ + +/* $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $ */ + +/*- + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" + +#if !defined(HAVE_STRSEP) + +#include +#include + +#if defined(LIBC_SCCS) && !defined(lint) +#if 0 +static char sccsid[] = "@(#)strsep.c 8.1 (Berkeley) 6/4/93"; +#else +static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $"; +#endif +#endif /* LIBC_SCCS and not lint */ + +/* + * Get next token from string *stringp, where tokens are possibly-empty + * strings separated by characters from delim. + * + * Writes NULs into the string at *stringp to end tokens. + * delim need not remain constant from call to call. + * On return, *stringp points past the last NUL written (if there might + * be further tokens), or is NULL (if there are definitely no more tokens). + * + * If *stringp is NULL, strsep returns NULL. + */ +char * +strsep(char **stringp, const char *delim) +{ + char *s; + const char *spanp; + int c, sc; + char *tok; + + if ((s = *stringp) == NULL) + return (NULL); + for (tok = s;;) { + c = *s++; + spanp = delim; + do { + if ((sc = *spanp++) == c) { + if (c == 0) + s = NULL; + else + s[-1] = 0; + *stringp = s; + return (tok); + } + } while (sc != 0); + } + /* NOTREACHED */ +} + +#endif /* !defined(HAVE_STRSEP) */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strtoll.c openssh-4.2p1/openbsd-compat/strtoll.c --- ssh-openbsd-2005090100/openbsd-compat/strtoll.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strtoll.c Wed Jun 1 21:39:34 2005 @@ -0,0 +1,151 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */ + +/*- + * Copyright (c) 1992 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#ifndef HAVE_STRTOLL + +#if defined(LIBC_SCCS) && !defined(lint) +static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include + +#include +#include +#include +#include + +/* + * Convert a string to a long long. + * + * Ignores `locale' stuff. Assumes that the upper and lower case + * alphabets and digits are each contiguous. + */ +long long +strtoll(const char *nptr, char **endptr, int base) +{ + const char *s; + long long acc, cutoff; + int c; + int neg, any, cutlim; + + /* + * Skip white space and pick up leading +/- sign if any. + * If base is 0, allow 0x for hex and 0 for octal, else + * assume decimal; if base is already 16, allow 0x. + */ + s = nptr; + do { + c = (unsigned char) *s++; + } while (isspace(c)); + if (c == '-') { + neg = 1; + c = *s++; + } else { + neg = 0; + if (c == '+') + c = *s++; + } + if ((base == 0 || base == 16) && + c == '0' && (*s == 'x' || *s == 'X')) { + c = s[1]; + s += 2; + base = 16; + } + if (base == 0) + base = c == '0' ? 8 : 10; + + /* + * Compute the cutoff value between legal numbers and illegal + * numbers. That is the largest legal value, divided by the + * base. An input number that is greater than this value, if + * followed by a legal input character, is too big. One that + * is equal to this value may be valid or not; the limit + * between valid and invalid numbers is then based on the last + * digit. For instance, if the range for long longs is + * [-9223372036854775808..9223372036854775807] and the input base + * is 10, cutoff will be set to 922337203685477580 and cutlim to + * either 7 (neg==0) or 8 (neg==1), meaning that if we have + * accumulated a value > 922337203685477580, or equal but the + * next digit is > 7 (or 8), the number is too big, and we will + * return a range error. + * + * Set any if any `digits' consumed; make it negative to indicate + * overflow. + */ + cutoff = neg ? LLONG_MIN : LLONG_MAX; + cutlim = cutoff % base; + cutoff /= base; + if (neg) { + if (cutlim > 0) { + cutlim -= base; + cutoff += 1; + } + cutlim = -cutlim; + } + for (acc = 0, any = 0;; c = (unsigned char) *s++) { + if (isdigit(c)) + c -= '0'; + else if (isalpha(c)) + c -= isupper(c) ? 'A' - 10 : 'a' - 10; + else + break; + if (c >= base) + break; + if (any < 0) + continue; + if (neg) { + if (acc < cutoff || (acc == cutoff && c > cutlim)) { + any = -1; + acc = LLONG_MIN; + errno = ERANGE; + } else { + any = 1; + acc *= base; + acc -= c; + } + } else { + if (acc > cutoff || (acc == cutoff && c > cutlim)) { + any = -1; + acc = LLONG_MAX; + errno = ERANGE; + } else { + any = 1; + acc *= base; + acc += c; + } + } + } + if (endptr != 0) + *endptr = (char *) (any ? s - 1 : nptr); + return (acc); +} +#endif /* HAVE_STRTOLL */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strtonum.c openssh-4.2p1/openbsd-compat/strtonum.c --- ssh-openbsd-2005090100/openbsd-compat/strtonum.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strtonum.c Thu May 26 20:48:25 2005 @@ -0,0 +1,69 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */ + +/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */ + +/* + * Copyright (c) 2004 Ted Unangst and Todd Miller + * All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#ifndef HAVE_STRTONUM +#include + +#define INVALID 1 +#define TOOSMALL 2 +#define TOOLARGE 3 + +long long +strtonum(const char *numstr, long long minval, long long maxval, + const char **errstrp) +{ + long long ll = 0; + char *ep; + int error = 0; + struct errval { + const char *errstr; + int err; + } ev[4] = { + { NULL, 0 }, + { "invalid", EINVAL }, + { "too small", ERANGE }, + { "too large", ERANGE }, + }; + + ev[0].err = errno; + errno = 0; + if (minval > maxval) + error = INVALID; + else { + ll = strtoll(numstr, &ep, 10); + if (numstr == ep || *ep != '\0') + error = INVALID; + else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval) + error = TOOSMALL; + else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval) + error = TOOLARGE; + } + if (errstrp != NULL) + *errstrp = ev[error].errstr; + errno = ev[error].err; + if (error) + ll = 0; + + return (ll); +} + +#endif /* HAVE_STRTONUM */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/strtoul.c openssh-4.2p1/openbsd-compat/strtoul.c --- ssh-openbsd-2005090100/openbsd-compat/strtoul.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/strtoul.c Mon Nov 24 13:33:34 2003 @@ -0,0 +1,114 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */ + +/* + * Copyright (c) 1990 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#ifndef HAVE_STRTOUL + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include + +/* + * Convert a string to an unsigned long integer. + * + * Ignores `locale' stuff. Assumes that the upper and lower case + * alphabets and digits are each contiguous. + */ +unsigned long +strtoul(nptr, endptr, base) + const char *nptr; + char **endptr; + register int base; +{ + register const char *s; + register unsigned long acc, cutoff; + register int c; + register int neg, any, cutlim; + + /* + * See strtol for comments as to the logic used. + */ + s = nptr; + do { + c = (unsigned char) *s++; + } while (isspace(c)); + if (c == '-') { + neg = 1; + c = *s++; + } else { + neg = 0; + if (c == '+') + c = *s++; + } + if ((base == 0 || base == 16) && + c == '0' && (*s == 'x' || *s == 'X')) { + c = s[1]; + s += 2; + base = 16; + } + if (base == 0) + base = c == '0' ? 8 : 10; + + cutoff = ULONG_MAX / (unsigned long)base; + cutlim = ULONG_MAX % (unsigned long)base; + for (acc = 0, any = 0;; c = (unsigned char) *s++) { + if (isdigit(c)) + c -= '0'; + else if (isalpha(c)) + c -= isupper(c) ? 'A' - 10 : 'a' - 10; + else + break; + if (c >= base) + break; + if (any < 0) + continue; + if (acc > cutoff || acc == cutoff && c > cutlim) { + any = -1; + acc = ULONG_MAX; + errno = ERANGE; + } else { + any = 1; + acc *= (unsigned long)base; + acc += c; + } + } + if (neg && any > 0) + acc = -acc; + if (endptr != 0) + *endptr = (char *) (any ? s - 1 : nptr); + return (acc); +} +#endif /* !HAVE_STRTOUL */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/sys-queue.h openssh-4.2p1/openbsd-compat/sys-queue.h --- ssh-openbsd-2005090100/openbsd-compat/sys-queue.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/sys-queue.h Sun May 23 16:22:27 2004 @@ -0,0 +1,593 @@ +/* OPENBSD ORIGINAL: sys/sys/queue.h */ + +/* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */ +/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ + +/* + * Copyright (c) 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)queue.h 8.5 (Berkeley) 8/20/94 + */ + +#ifndef _FAKE_QUEUE_H_ +#define _FAKE_QUEUE_H_ + +/* + * Require for OS/X and other platforms that have old/broken/incomplete + * . + */ +#undef SLIST_HEAD +#undef SLIST_HEAD_INITIALIZER +#undef SLIST_ENTRY +#undef SLIST_FOREACH_PREVPTR +#undef SLIST_FIRST +#undef SLIST_END +#undef SLIST_EMPTY +#undef SLIST_NEXT +#undef SLIST_FOREACH +#undef SLIST_INIT +#undef SLIST_INSERT_AFTER +#undef SLIST_INSERT_HEAD +#undef SLIST_REMOVE_HEAD +#undef SLIST_REMOVE +#undef SLIST_REMOVE_NEXT +#undef LIST_HEAD +#undef LIST_HEAD_INITIALIZER +#undef LIST_ENTRY +#undef LIST_FIRST +#undef LIST_END +#undef LIST_EMPTY +#undef LIST_NEXT +#undef LIST_FOREACH +#undef LIST_INIT +#undef LIST_INSERT_AFTER +#undef LIST_INSERT_BEFORE +#undef LIST_INSERT_HEAD +#undef LIST_REMOVE +#undef LIST_REPLACE +#undef SIMPLEQ_HEAD +#undef SIMPLEQ_HEAD_INITIALIZER +#undef SIMPLEQ_ENTRY +#undef SIMPLEQ_FIRST +#undef SIMPLEQ_END +#undef SIMPLEQ_EMPTY +#undef SIMPLEQ_NEXT +#undef SIMPLEQ_FOREACH +#undef SIMPLEQ_INIT +#undef SIMPLEQ_INSERT_HEAD +#undef SIMPLEQ_INSERT_TAIL +#undef SIMPLEQ_INSERT_AFTER +#undef SIMPLEQ_REMOVE_HEAD +#undef TAILQ_HEAD +#undef TAILQ_HEAD_INITIALIZER +#undef TAILQ_ENTRY +#undef TAILQ_FIRST +#undef TAILQ_END +#undef TAILQ_NEXT +#undef TAILQ_LAST +#undef TAILQ_PREV +#undef TAILQ_EMPTY +#undef TAILQ_FOREACH +#undef TAILQ_FOREACH_REVERSE +#undef TAILQ_INIT +#undef TAILQ_INSERT_HEAD +#undef TAILQ_INSERT_TAIL +#undef TAILQ_INSERT_AFTER +#undef TAILQ_INSERT_BEFORE +#undef TAILQ_REMOVE +#undef TAILQ_REPLACE +#undef CIRCLEQ_HEAD +#undef CIRCLEQ_HEAD_INITIALIZER +#undef CIRCLEQ_ENTRY +#undef CIRCLEQ_FIRST +#undef CIRCLEQ_LAST +#undef CIRCLEQ_END +#undef CIRCLEQ_NEXT +#undef CIRCLEQ_PREV +#undef CIRCLEQ_EMPTY +#undef CIRCLEQ_FOREACH +#undef CIRCLEQ_FOREACH_REVERSE +#undef CIRCLEQ_INIT +#undef CIRCLEQ_INSERT_AFTER +#undef CIRCLEQ_INSERT_BEFORE +#undef CIRCLEQ_INSERT_HEAD +#undef CIRCLEQ_INSERT_TAIL +#undef CIRCLEQ_REMOVE +#undef CIRCLEQ_REPLACE + +/* + * This file defines five types of data structures: singly-linked lists, + * lists, simple queues, tail queues, and circular queues. + * + * + * A singly-linked list is headed by a single forward pointer. The elements + * are singly linked for minimum space and pointer manipulation overhead at + * the expense of O(n) removal for arbitrary elements. New elements can be + * added to the list after an existing element or at the head of the list. + * Elements being removed from the head of the list should use the explicit + * macro for this purpose for optimum efficiency. A singly-linked list may + * only be traversed in the forward direction. Singly-linked lists are ideal + * for applications with large datasets and few or no removals or for + * implementing a LIFO queue. + * + * A list is headed by a single forward pointer (or an array of forward + * pointers for a hash table header). The elements are doubly linked + * so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before + * or after an existing element or at the head of the list. A list + * may only be traversed in the forward direction. + * + * A simple queue is headed by a pair of pointers, one the head of the + * list and the other to the tail of the list. The elements are singly + * linked to save space, so elements can only be removed from the + * head of the list. New elements can be added to the list before or after + * an existing element, at the head of the list, or at the end of the + * list. A simple queue may only be traversed in the forward direction. + * + * A tail queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are doubly + * linked so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before or + * after an existing element, at the head of the list, or at the end of + * the list. A tail queue may be traversed in either direction. + * + * A circle queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are doubly + * linked so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before or after + * an existing element, at the head of the list, or at the end of the list. + * A circle queue may be traversed in either direction, but has a more + * complex end of list detection. + * + * For details on the use of these macros, see the queue(3) manual page. + */ + +/* + * Singly-linked List definitions. + */ +#define SLIST_HEAD(name, type) \ +struct name { \ + struct type *slh_first; /* first element */ \ +} + +#define SLIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define SLIST_ENTRY(type) \ +struct { \ + struct type *sle_next; /* next element */ \ +} + +/* + * Singly-linked List access methods. + */ +#define SLIST_FIRST(head) ((head)->slh_first) +#define SLIST_END(head) NULL +#define SLIST_EMPTY(head) (SLIST_FIRST(head) == SLIST_END(head)) +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) + +#define SLIST_FOREACH(var, head, field) \ + for((var) = SLIST_FIRST(head); \ + (var) != SLIST_END(head); \ + (var) = SLIST_NEXT(var, field)) + +#define SLIST_FOREACH_PREVPTR(var, varp, head, field) \ + for ((varp) = &SLIST_FIRST((head)); \ + ((var) = *(varp)) != SLIST_END(head); \ + (varp) = &SLIST_NEXT((var), field)) + +/* + * Singly-linked List functions. + */ +#define SLIST_INIT(head) { \ + SLIST_FIRST(head) = SLIST_END(head); \ +} + +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ + (elm)->field.sle_next = (slistelm)->field.sle_next; \ + (slistelm)->field.sle_next = (elm); \ +} while (0) + +#define SLIST_INSERT_HEAD(head, elm, field) do { \ + (elm)->field.sle_next = (head)->slh_first; \ + (head)->slh_first = (elm); \ +} while (0) + +#define SLIST_REMOVE_NEXT(head, elm, field) do { \ + (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ +} while (0) + +#define SLIST_REMOVE_HEAD(head, field) do { \ + (head)->slh_first = (head)->slh_first->field.sle_next; \ +} while (0) + +#define SLIST_REMOVE(head, elm, type, field) do { \ + if ((head)->slh_first == (elm)) { \ + SLIST_REMOVE_HEAD((head), field); \ + } \ + else { \ + struct type *curelm = (head)->slh_first; \ + while( curelm->field.sle_next != (elm) ) \ + curelm = curelm->field.sle_next; \ + curelm->field.sle_next = \ + curelm->field.sle_next->field.sle_next; \ + } \ +} while (0) + +/* + * List definitions. + */ +#define LIST_HEAD(name, type) \ +struct name { \ + struct type *lh_first; /* first element */ \ +} + +#define LIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define LIST_ENTRY(type) \ +struct { \ + struct type *le_next; /* next element */ \ + struct type **le_prev; /* address of previous next element */ \ +} + +/* + * List access methods + */ +#define LIST_FIRST(head) ((head)->lh_first) +#define LIST_END(head) NULL +#define LIST_EMPTY(head) (LIST_FIRST(head) == LIST_END(head)) +#define LIST_NEXT(elm, field) ((elm)->field.le_next) + +#define LIST_FOREACH(var, head, field) \ + for((var) = LIST_FIRST(head); \ + (var)!= LIST_END(head); \ + (var) = LIST_NEXT(var, field)) + +/* + * List functions. + */ +#define LIST_INIT(head) do { \ + LIST_FIRST(head) = LIST_END(head); \ +} while (0) + +#define LIST_INSERT_AFTER(listelm, elm, field) do { \ + if (((elm)->field.le_next = (listelm)->field.le_next) != NULL) \ + (listelm)->field.le_next->field.le_prev = \ + &(elm)->field.le_next; \ + (listelm)->field.le_next = (elm); \ + (elm)->field.le_prev = &(listelm)->field.le_next; \ +} while (0) + +#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.le_prev = (listelm)->field.le_prev; \ + (elm)->field.le_next = (listelm); \ + *(listelm)->field.le_prev = (elm); \ + (listelm)->field.le_prev = &(elm)->field.le_next; \ +} while (0) + +#define LIST_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.le_next = (head)->lh_first) != NULL) \ + (head)->lh_first->field.le_prev = &(elm)->field.le_next;\ + (head)->lh_first = (elm); \ + (elm)->field.le_prev = &(head)->lh_first; \ +} while (0) + +#define LIST_REMOVE(elm, field) do { \ + if ((elm)->field.le_next != NULL) \ + (elm)->field.le_next->field.le_prev = \ + (elm)->field.le_prev; \ + *(elm)->field.le_prev = (elm)->field.le_next; \ +} while (0) + +#define LIST_REPLACE(elm, elm2, field) do { \ + if (((elm2)->field.le_next = (elm)->field.le_next) != NULL) \ + (elm2)->field.le_next->field.le_prev = \ + &(elm2)->field.le_next; \ + (elm2)->field.le_prev = (elm)->field.le_prev; \ + *(elm2)->field.le_prev = (elm2); \ +} while (0) + +/* + * Simple queue definitions. + */ +#define SIMPLEQ_HEAD(name, type) \ +struct name { \ + struct type *sqh_first; /* first element */ \ + struct type **sqh_last; /* addr of last next element */ \ +} + +#define SIMPLEQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).sqh_first } + +#define SIMPLEQ_ENTRY(type) \ +struct { \ + struct type *sqe_next; /* next element */ \ +} + +/* + * Simple queue access methods. + */ +#define SIMPLEQ_FIRST(head) ((head)->sqh_first) +#define SIMPLEQ_END(head) NULL +#define SIMPLEQ_EMPTY(head) (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head)) +#define SIMPLEQ_NEXT(elm, field) ((elm)->field.sqe_next) + +#define SIMPLEQ_FOREACH(var, head, field) \ + for((var) = SIMPLEQ_FIRST(head); \ + (var) != SIMPLEQ_END(head); \ + (var) = SIMPLEQ_NEXT(var, field)) + +/* + * Simple queue functions. + */ +#define SIMPLEQ_INIT(head) do { \ + (head)->sqh_first = NULL; \ + (head)->sqh_last = &(head)->sqh_first; \ +} while (0) + +#define SIMPLEQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.sqe_next = (head)->sqh_first) == NULL) \ + (head)->sqh_last = &(elm)->field.sqe_next; \ + (head)->sqh_first = (elm); \ +} while (0) + +#define SIMPLEQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.sqe_next = NULL; \ + *(head)->sqh_last = (elm); \ + (head)->sqh_last = &(elm)->field.sqe_next; \ +} while (0) + +#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\ + (head)->sqh_last = &(elm)->field.sqe_next; \ + (listelm)->field.sqe_next = (elm); \ +} while (0) + +#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do { \ + if (((head)->sqh_first = (elm)->field.sqe_next) == NULL) \ + (head)->sqh_last = &(head)->sqh_first; \ +} while (0) + +/* + * Tail queue definitions. + */ +#define TAILQ_HEAD(name, type) \ +struct name { \ + struct type *tqh_first; /* first element */ \ + struct type **tqh_last; /* addr of last next element */ \ +} + +#define TAILQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).tqh_first } + +#define TAILQ_ENTRY(type) \ +struct { \ + struct type *tqe_next; /* next element */ \ + struct type **tqe_prev; /* address of previous next element */ \ +} + +/* + * tail queue access methods + */ +#define TAILQ_FIRST(head) ((head)->tqh_first) +#define TAILQ_END(head) NULL +#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) +#define TAILQ_LAST(head, headname) \ + (*(((struct headname *)((head)->tqh_last))->tqh_last)) +/* XXX */ +#define TAILQ_PREV(elm, headname, field) \ + (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last)) +#define TAILQ_EMPTY(head) \ + (TAILQ_FIRST(head) == TAILQ_END(head)) + +#define TAILQ_FOREACH(var, head, field) \ + for((var) = TAILQ_FIRST(head); \ + (var) != TAILQ_END(head); \ + (var) = TAILQ_NEXT(var, field)) + +#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ + for((var) = TAILQ_LAST(head, headname); \ + (var) != TAILQ_END(head); \ + (var) = TAILQ_PREV(var, headname, field)) + +/* + * Tail queue functions. + */ +#define TAILQ_INIT(head) do { \ + (head)->tqh_first = NULL; \ + (head)->tqh_last = &(head)->tqh_first; \ +} while (0) + +#define TAILQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.tqe_next = (head)->tqh_first) != NULL) \ + (head)->tqh_first->field.tqe_prev = \ + &(elm)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm)->field.tqe_next; \ + (head)->tqh_first = (elm); \ + (elm)->field.tqe_prev = &(head)->tqh_first; \ +} while (0) + +#define TAILQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.tqe_next = NULL; \ + (elm)->field.tqe_prev = (head)->tqh_last; \ + *(head)->tqh_last = (elm); \ + (head)->tqh_last = &(elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\ + (elm)->field.tqe_next->field.tqe_prev = \ + &(elm)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm)->field.tqe_next; \ + (listelm)->field.tqe_next = (elm); \ + (elm)->field.tqe_prev = &(listelm)->field.tqe_next; \ +} while (0) + +#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ + (elm)->field.tqe_next = (listelm); \ + *(listelm)->field.tqe_prev = (elm); \ + (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_REMOVE(head, elm, field) do { \ + if (((elm)->field.tqe_next) != NULL) \ + (elm)->field.tqe_next->field.tqe_prev = \ + (elm)->field.tqe_prev; \ + else \ + (head)->tqh_last = (elm)->field.tqe_prev; \ + *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_REPLACE(head, elm, elm2, field) do { \ + if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL) \ + (elm2)->field.tqe_next->field.tqe_prev = \ + &(elm2)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm2)->field.tqe_next; \ + (elm2)->field.tqe_prev = (elm)->field.tqe_prev; \ + *(elm2)->field.tqe_prev = (elm2); \ +} while (0) + +/* + * Circular queue definitions. + */ +#define CIRCLEQ_HEAD(name, type) \ +struct name { \ + struct type *cqh_first; /* first element */ \ + struct type *cqh_last; /* last element */ \ +} + +#define CIRCLEQ_HEAD_INITIALIZER(head) \ + { CIRCLEQ_END(&head), CIRCLEQ_END(&head) } + +#define CIRCLEQ_ENTRY(type) \ +struct { \ + struct type *cqe_next; /* next element */ \ + struct type *cqe_prev; /* previous element */ \ +} + +/* + * Circular queue access methods + */ +#define CIRCLEQ_FIRST(head) ((head)->cqh_first) +#define CIRCLEQ_LAST(head) ((head)->cqh_last) +#define CIRCLEQ_END(head) ((void *)(head)) +#define CIRCLEQ_NEXT(elm, field) ((elm)->field.cqe_next) +#define CIRCLEQ_PREV(elm, field) ((elm)->field.cqe_prev) +#define CIRCLEQ_EMPTY(head) \ + (CIRCLEQ_FIRST(head) == CIRCLEQ_END(head)) + +#define CIRCLEQ_FOREACH(var, head, field) \ + for((var) = CIRCLEQ_FIRST(head); \ + (var) != CIRCLEQ_END(head); \ + (var) = CIRCLEQ_NEXT(var, field)) + +#define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ + for((var) = CIRCLEQ_LAST(head); \ + (var) != CIRCLEQ_END(head); \ + (var) = CIRCLEQ_PREV(var, field)) + +/* + * Circular queue functions. + */ +#define CIRCLEQ_INIT(head) do { \ + (head)->cqh_first = CIRCLEQ_END(head); \ + (head)->cqh_last = CIRCLEQ_END(head); \ +} while (0) + +#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ + (elm)->field.cqe_next = (listelm)->field.cqe_next; \ + (elm)->field.cqe_prev = (listelm); \ + if ((listelm)->field.cqe_next == CIRCLEQ_END(head)) \ + (head)->cqh_last = (elm); \ + else \ + (listelm)->field.cqe_next->field.cqe_prev = (elm); \ + (listelm)->field.cqe_next = (elm); \ +} while (0) + +#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do { \ + (elm)->field.cqe_next = (listelm); \ + (elm)->field.cqe_prev = (listelm)->field.cqe_prev; \ + if ((listelm)->field.cqe_prev == CIRCLEQ_END(head)) \ + (head)->cqh_first = (elm); \ + else \ + (listelm)->field.cqe_prev->field.cqe_next = (elm); \ + (listelm)->field.cqe_prev = (elm); \ +} while (0) + +#define CIRCLEQ_INSERT_HEAD(head, elm, field) do { \ + (elm)->field.cqe_next = (head)->cqh_first; \ + (elm)->field.cqe_prev = CIRCLEQ_END(head); \ + if ((head)->cqh_last == CIRCLEQ_END(head)) \ + (head)->cqh_last = (elm); \ + else \ + (head)->cqh_first->field.cqe_prev = (elm); \ + (head)->cqh_first = (elm); \ +} while (0) + +#define CIRCLEQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.cqe_next = CIRCLEQ_END(head); \ + (elm)->field.cqe_prev = (head)->cqh_last; \ + if ((head)->cqh_first == CIRCLEQ_END(head)) \ + (head)->cqh_first = (elm); \ + else \ + (head)->cqh_last->field.cqe_next = (elm); \ + (head)->cqh_last = (elm); \ +} while (0) + +#define CIRCLEQ_REMOVE(head, elm, field) do { \ + if ((elm)->field.cqe_next == CIRCLEQ_END(head)) \ + (head)->cqh_last = (elm)->field.cqe_prev; \ + else \ + (elm)->field.cqe_next->field.cqe_prev = \ + (elm)->field.cqe_prev; \ + if ((elm)->field.cqe_prev == CIRCLEQ_END(head)) \ + (head)->cqh_first = (elm)->field.cqe_next; \ + else \ + (elm)->field.cqe_prev->field.cqe_next = \ + (elm)->field.cqe_next; \ +} while (0) + +#define CIRCLEQ_REPLACE(head, elm, elm2, field) do { \ + if (((elm2)->field.cqe_next = (elm)->field.cqe_next) == \ + CIRCLEQ_END(head)) \ + (head).cqh_last = (elm2); \ + else \ + (elm2)->field.cqe_next->field.cqe_prev = (elm2); \ + if (((elm2)->field.cqe_prev = (elm)->field.cqe_prev) == \ + CIRCLEQ_END(head)) \ + (head).cqh_first = (elm2); \ + else \ + (elm2)->field.cqe_prev->field.cqe_next = (elm2); \ +} while (0) + +#endif /* !_FAKE_QUEUE_H_ */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/sys-tree.h openssh-4.2p1/openbsd-compat/sys-tree.h --- ssh-openbsd-2005090100/openbsd-compat/sys-tree.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/sys-tree.h Mon Nov 24 13:33:34 2003 @@ -0,0 +1,679 @@ +/* OPENBSD ORIGINAL: sys/sys/tree.h */ + +/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ +/* + * Copyright 2002 Niels Provos + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _SYS_TREE_H_ +#define _SYS_TREE_H_ + +/* + * This file defines data structures for different types of trees: + * splay trees and red-black trees. + * + * A splay tree is a self-organizing data structure. Every operation + * on the tree causes a splay to happen. The splay moves the requested + * node to the root of the tree and partly rebalances it. + * + * This has the benefit that request locality causes faster lookups as + * the requested nodes move to the top of the tree. On the other hand, + * every lookup causes memory writes. + * + * The Balance Theorem bounds the total access time for m operations + * and n inserts on an initially empty tree as O((m + n)lg n). The + * amortized cost for a sequence of m accesses to a splay tree is O(lg n); + * + * A red-black tree is a binary search tree with the node color as an + * extra attribute. It fulfills a set of conditions: + * - every search path from the root to a leaf consists of the + * same number of black nodes, + * - each red node (except for the root) has a black parent, + * - each leaf node is black. + * + * Every operation on a red-black tree is bounded as O(lg n). + * The maximum height of a red-black tree is 2lg (n+1). + */ + +#define SPLAY_HEAD(name, type) \ +struct name { \ + struct type *sph_root; /* root of the tree */ \ +} + +#define SPLAY_INITIALIZER(root) \ + { NULL } + +#define SPLAY_INIT(root) do { \ + (root)->sph_root = NULL; \ +} while (0) + +#define SPLAY_ENTRY(type) \ +struct { \ + struct type *spe_left; /* left element */ \ + struct type *spe_right; /* right element */ \ +} + +#define SPLAY_LEFT(elm, field) (elm)->field.spe_left +#define SPLAY_RIGHT(elm, field) (elm)->field.spe_right +#define SPLAY_ROOT(head) (head)->sph_root +#define SPLAY_EMPTY(head) (SPLAY_ROOT(head) == NULL) + +/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */ +#define SPLAY_ROTATE_RIGHT(head, tmp, field) do { \ + SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field); \ + SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ + (head)->sph_root = tmp; \ +} while (0) + +#define SPLAY_ROTATE_LEFT(head, tmp, field) do { \ + SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field); \ + SPLAY_LEFT(tmp, field) = (head)->sph_root; \ + (head)->sph_root = tmp; \ +} while (0) + +#define SPLAY_LINKLEFT(head, tmp, field) do { \ + SPLAY_LEFT(tmp, field) = (head)->sph_root; \ + tmp = (head)->sph_root; \ + (head)->sph_root = SPLAY_LEFT((head)->sph_root, field); \ +} while (0) + +#define SPLAY_LINKRIGHT(head, tmp, field) do { \ + SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ + tmp = (head)->sph_root; \ + (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field); \ +} while (0) + +#define SPLAY_ASSEMBLE(head, node, left, right, field) do { \ + SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field); \ + SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\ + SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field); \ + SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field); \ +} while (0) + +/* Generates prototypes and inline functions */ + +#define SPLAY_PROTOTYPE(name, type, field, cmp) \ +void name##_SPLAY(struct name *, struct type *); \ +void name##_SPLAY_MINMAX(struct name *, int); \ +struct type *name##_SPLAY_INSERT(struct name *, struct type *); \ +struct type *name##_SPLAY_REMOVE(struct name *, struct type *); \ + \ +/* Finds the node with the same key as elm */ \ +static __inline struct type * \ +name##_SPLAY_FIND(struct name *head, struct type *elm) \ +{ \ + if (SPLAY_EMPTY(head)) \ + return(NULL); \ + name##_SPLAY(head, elm); \ + if ((cmp)(elm, (head)->sph_root) == 0) \ + return (head->sph_root); \ + return (NULL); \ +} \ + \ +static __inline struct type * \ +name##_SPLAY_NEXT(struct name *head, struct type *elm) \ +{ \ + name##_SPLAY(head, elm); \ + if (SPLAY_RIGHT(elm, field) != NULL) { \ + elm = SPLAY_RIGHT(elm, field); \ + while (SPLAY_LEFT(elm, field) != NULL) { \ + elm = SPLAY_LEFT(elm, field); \ + } \ + } else \ + elm = NULL; \ + return (elm); \ +} \ + \ +static __inline struct type * \ +name##_SPLAY_MIN_MAX(struct name *head, int val) \ +{ \ + name##_SPLAY_MINMAX(head, val); \ + return (SPLAY_ROOT(head)); \ +} + +/* Main splay operation. + * Moves node close to the key of elm to top + */ +#define SPLAY_GENERATE(name, type, field, cmp) \ +struct type * \ +name##_SPLAY_INSERT(struct name *head, struct type *elm) \ +{ \ + if (SPLAY_EMPTY(head)) { \ + SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL; \ + } else { \ + int __comp; \ + name##_SPLAY(head, elm); \ + __comp = (cmp)(elm, (head)->sph_root); \ + if(__comp < 0) { \ + SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\ + SPLAY_RIGHT(elm, field) = (head)->sph_root; \ + SPLAY_LEFT((head)->sph_root, field) = NULL; \ + } else if (__comp > 0) { \ + SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\ + SPLAY_LEFT(elm, field) = (head)->sph_root; \ + SPLAY_RIGHT((head)->sph_root, field) = NULL; \ + } else \ + return ((head)->sph_root); \ + } \ + (head)->sph_root = (elm); \ + return (NULL); \ +} \ + \ +struct type * \ +name##_SPLAY_REMOVE(struct name *head, struct type *elm) \ +{ \ + struct type *__tmp; \ + if (SPLAY_EMPTY(head)) \ + return (NULL); \ + name##_SPLAY(head, elm); \ + if ((cmp)(elm, (head)->sph_root) == 0) { \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL) { \ + (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\ + } else { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\ + name##_SPLAY(head, elm); \ + SPLAY_RIGHT((head)->sph_root, field) = __tmp; \ + } \ + return (elm); \ + } \ + return (NULL); \ +} \ + \ +void \ +name##_SPLAY(struct name *head, struct type *elm) \ +{ \ + struct type __node, *__left, *__right, *__tmp; \ + int __comp; \ +\ + SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ + __left = __right = &__node; \ +\ + while ((__comp = (cmp)(elm, (head)->sph_root))) { \ + if (__comp < 0) { \ + __tmp = SPLAY_LEFT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if ((cmp)(elm, __tmp) < 0){ \ + SPLAY_ROTATE_RIGHT(head, __tmp, field); \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKLEFT(head, __right, field); \ + } else if (__comp > 0) { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if ((cmp)(elm, __tmp) > 0){ \ + SPLAY_ROTATE_LEFT(head, __tmp, field); \ + if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKRIGHT(head, __left, field); \ + } \ + } \ + SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ +} \ + \ +/* Splay with either the minimum or the maximum element \ + * Used to find minimum or maximum element in tree. \ + */ \ +void name##_SPLAY_MINMAX(struct name *head, int __comp) \ +{ \ + struct type __node, *__left, *__right, *__tmp; \ +\ + SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ + __left = __right = &__node; \ +\ + while (1) { \ + if (__comp < 0) { \ + __tmp = SPLAY_LEFT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if (__comp < 0){ \ + SPLAY_ROTATE_RIGHT(head, __tmp, field); \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKLEFT(head, __right, field); \ + } else if (__comp > 0) { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if (__comp > 0) { \ + SPLAY_ROTATE_LEFT(head, __tmp, field); \ + if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKRIGHT(head, __left, field); \ + } \ + } \ + SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ +} + +#define SPLAY_NEGINF -1 +#define SPLAY_INF 1 + +#define SPLAY_INSERT(name, x, y) name##_SPLAY_INSERT(x, y) +#define SPLAY_REMOVE(name, x, y) name##_SPLAY_REMOVE(x, y) +#define SPLAY_FIND(name, x, y) name##_SPLAY_FIND(x, y) +#define SPLAY_NEXT(name, x, y) name##_SPLAY_NEXT(x, y) +#define SPLAY_MIN(name, x) (SPLAY_EMPTY(x) ? NULL \ + : name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF)) +#define SPLAY_MAX(name, x) (SPLAY_EMPTY(x) ? NULL \ + : name##_SPLAY_MIN_MAX(x, SPLAY_INF)) + +#define SPLAY_FOREACH(x, name, head) \ + for ((x) = SPLAY_MIN(name, head); \ + (x) != NULL; \ + (x) = SPLAY_NEXT(name, head, x)) + +/* Macros that define a red-back tree */ +#define RB_HEAD(name, type) \ +struct name { \ + struct type *rbh_root; /* root of the tree */ \ +} + +#define RB_INITIALIZER(root) \ + { NULL } + +#define RB_INIT(root) do { \ + (root)->rbh_root = NULL; \ +} while (0) + +#define RB_BLACK 0 +#define RB_RED 1 +#define RB_ENTRY(type) \ +struct { \ + struct type *rbe_left; /* left element */ \ + struct type *rbe_right; /* right element */ \ + struct type *rbe_parent; /* parent element */ \ + int rbe_color; /* node color */ \ +} + +#define RB_LEFT(elm, field) (elm)->field.rbe_left +#define RB_RIGHT(elm, field) (elm)->field.rbe_right +#define RB_PARENT(elm, field) (elm)->field.rbe_parent +#define RB_COLOR(elm, field) (elm)->field.rbe_color +#define RB_ROOT(head) (head)->rbh_root +#define RB_EMPTY(head) (RB_ROOT(head) == NULL) + +#define RB_SET(elm, parent, field) do { \ + RB_PARENT(elm, field) = parent; \ + RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL; \ + RB_COLOR(elm, field) = RB_RED; \ +} while (0) + +#define RB_SET_BLACKRED(black, red, field) do { \ + RB_COLOR(black, field) = RB_BLACK; \ + RB_COLOR(red, field) = RB_RED; \ +} while (0) + +#ifndef RB_AUGMENT +#define RB_AUGMENT(x) +#endif + +#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ + (tmp) = RB_RIGHT(elm, field); \ + if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field))) { \ + RB_PARENT(RB_LEFT(tmp, field), field) = (elm); \ + } \ + RB_AUGMENT(elm); \ + if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) { \ + if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ + RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ + else \ + RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ + } else \ + (head)->rbh_root = (tmp); \ + RB_LEFT(tmp, field) = (elm); \ + RB_PARENT(elm, field) = (tmp); \ + RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ +} while (0) + +#define RB_ROTATE_RIGHT(head, elm, tmp, field) do { \ + (tmp) = RB_LEFT(elm, field); \ + if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field))) { \ + RB_PARENT(RB_RIGHT(tmp, field), field) = (elm); \ + } \ + RB_AUGMENT(elm); \ + if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) { \ + if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ + RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ + else \ + RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ + } else \ + (head)->rbh_root = (tmp); \ + RB_RIGHT(tmp, field) = (elm); \ + RB_PARENT(elm, field) = (tmp); \ + RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ +} while (0) + +/* Generates prototypes and inline functions */ +#define RB_PROTOTYPE(name, type, field, cmp) \ +void name##_RB_INSERT_COLOR(struct name *, struct type *); \ +void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ +struct type *name##_RB_REMOVE(struct name *, struct type *); \ +struct type *name##_RB_INSERT(struct name *, struct type *); \ +struct type *name##_RB_FIND(struct name *, struct type *); \ +struct type *name##_RB_NEXT(struct name *, struct type *); \ +struct type *name##_RB_MINMAX(struct name *, int); \ + \ + +/* Main rb operation. + * Moves node close to the key of elm to top + */ +#define RB_GENERATE(name, type, field, cmp) \ +void \ +name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ +{ \ + struct type *parent, *gparent, *tmp; \ + while ((parent = RB_PARENT(elm, field)) && \ + RB_COLOR(parent, field) == RB_RED) { \ + gparent = RB_PARENT(parent, field); \ + if (parent == RB_LEFT(gparent, field)) { \ + tmp = RB_RIGHT(gparent, field); \ + if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ + RB_COLOR(tmp, field) = RB_BLACK; \ + RB_SET_BLACKRED(parent, gparent, field);\ + elm = gparent; \ + continue; \ + } \ + if (RB_RIGHT(parent, field) == elm) { \ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + tmp = parent; \ + parent = elm; \ + elm = tmp; \ + } \ + RB_SET_BLACKRED(parent, gparent, field); \ + RB_ROTATE_RIGHT(head, gparent, tmp, field); \ + } else { \ + tmp = RB_LEFT(gparent, field); \ + if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ + RB_COLOR(tmp, field) = RB_BLACK; \ + RB_SET_BLACKRED(parent, gparent, field);\ + elm = gparent; \ + continue; \ + } \ + if (RB_LEFT(parent, field) == elm) { \ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + tmp = parent; \ + parent = elm; \ + elm = tmp; \ + } \ + RB_SET_BLACKRED(parent, gparent, field); \ + RB_ROTATE_LEFT(head, gparent, tmp, field); \ + } \ + } \ + RB_COLOR(head->rbh_root, field) = RB_BLACK; \ +} \ + \ +void \ +name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ +{ \ + struct type *tmp; \ + while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) && \ + elm != RB_ROOT(head)) { \ + if (RB_LEFT(parent, field) == elm) { \ + tmp = RB_RIGHT(parent, field); \ + if (RB_COLOR(tmp, field) == RB_RED) { \ + RB_SET_BLACKRED(tmp, parent, field); \ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + tmp = RB_RIGHT(parent, field); \ + } \ + if ((RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ + (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ + RB_COLOR(tmp, field) = RB_RED; \ + elm = parent; \ + parent = RB_PARENT(elm, field); \ + } else { \ + if (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\ + struct type *oleft; \ + if ((oleft = RB_LEFT(tmp, field)))\ + RB_COLOR(oleft, field) = RB_BLACK;\ + RB_COLOR(tmp, field) = RB_RED; \ + RB_ROTATE_RIGHT(head, tmp, oleft, field);\ + tmp = RB_RIGHT(parent, field); \ + } \ + RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ + RB_COLOR(parent, field) = RB_BLACK; \ + if (RB_RIGHT(tmp, field)) \ + RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + elm = RB_ROOT(head); \ + break; \ + } \ + } else { \ + tmp = RB_LEFT(parent, field); \ + if (RB_COLOR(tmp, field) == RB_RED) { \ + RB_SET_BLACKRED(tmp, parent, field); \ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + tmp = RB_LEFT(parent, field); \ + } \ + if ((RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ + (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ + RB_COLOR(tmp, field) = RB_RED; \ + elm = parent; \ + parent = RB_PARENT(elm, field); \ + } else { \ + if (RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\ + struct type *oright; \ + if ((oright = RB_RIGHT(tmp, field)))\ + RB_COLOR(oright, field) = RB_BLACK;\ + RB_COLOR(tmp, field) = RB_RED; \ + RB_ROTATE_LEFT(head, tmp, oright, field);\ + tmp = RB_LEFT(parent, field); \ + } \ + RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ + RB_COLOR(parent, field) = RB_BLACK; \ + if (RB_LEFT(tmp, field)) \ + RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + elm = RB_ROOT(head); \ + break; \ + } \ + } \ + } \ + if (elm) \ + RB_COLOR(elm, field) = RB_BLACK; \ +} \ + \ +struct type * \ +name##_RB_REMOVE(struct name *head, struct type *elm) \ +{ \ + struct type *child, *parent, *old = elm; \ + int color; \ + if (RB_LEFT(elm, field) == NULL) \ + child = RB_RIGHT(elm, field); \ + else if (RB_RIGHT(elm, field) == NULL) \ + child = RB_LEFT(elm, field); \ + else { \ + struct type *left; \ + elm = RB_RIGHT(elm, field); \ + while ((left = RB_LEFT(elm, field))) \ + elm = left; \ + child = RB_RIGHT(elm, field); \ + parent = RB_PARENT(elm, field); \ + color = RB_COLOR(elm, field); \ + if (child) \ + RB_PARENT(child, field) = parent; \ + if (parent) { \ + if (RB_LEFT(parent, field) == elm) \ + RB_LEFT(parent, field) = child; \ + else \ + RB_RIGHT(parent, field) = child; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = child; \ + if (RB_PARENT(elm, field) == old) \ + parent = elm; \ + (elm)->field = (old)->field; \ + if (RB_PARENT(old, field)) { \ + if (RB_LEFT(RB_PARENT(old, field), field) == old)\ + RB_LEFT(RB_PARENT(old, field), field) = elm;\ + else \ + RB_RIGHT(RB_PARENT(old, field), field) = elm;\ + RB_AUGMENT(RB_PARENT(old, field)); \ + } else \ + RB_ROOT(head) = elm; \ + RB_PARENT(RB_LEFT(old, field), field) = elm; \ + if (RB_RIGHT(old, field)) \ + RB_PARENT(RB_RIGHT(old, field), field) = elm; \ + if (parent) { \ + left = parent; \ + do { \ + RB_AUGMENT(left); \ + } while ((left = RB_PARENT(left, field))); \ + } \ + goto color; \ + } \ + parent = RB_PARENT(elm, field); \ + color = RB_COLOR(elm, field); \ + if (child) \ + RB_PARENT(child, field) = parent; \ + if (parent) { \ + if (RB_LEFT(parent, field) == elm) \ + RB_LEFT(parent, field) = child; \ + else \ + RB_RIGHT(parent, field) = child; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = child; \ +color: \ + if (color == RB_BLACK) \ + name##_RB_REMOVE_COLOR(head, parent, child); \ + return (old); \ +} \ + \ +/* Inserts a node into the RB tree */ \ +struct type * \ +name##_RB_INSERT(struct name *head, struct type *elm) \ +{ \ + struct type *tmp; \ + struct type *parent = NULL; \ + int comp = 0; \ + tmp = RB_ROOT(head); \ + while (tmp) { \ + parent = tmp; \ + comp = (cmp)(elm, parent); \ + if (comp < 0) \ + tmp = RB_LEFT(tmp, field); \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + RB_SET(elm, parent, field); \ + if (parent != NULL) { \ + if (comp < 0) \ + RB_LEFT(parent, field) = elm; \ + else \ + RB_RIGHT(parent, field) = elm; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = elm; \ + name##_RB_INSERT_COLOR(head, elm); \ + return (NULL); \ +} \ + \ +/* Finds the node with the same key as elm */ \ +struct type * \ +name##_RB_FIND(struct name *head, struct type *elm) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + int comp; \ + while (tmp) { \ + comp = cmp(elm, tmp); \ + if (comp < 0) \ + tmp = RB_LEFT(tmp, field); \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + return (NULL); \ +} \ + \ +struct type * \ +name##_RB_NEXT(struct name *head, struct type *elm) \ +{ \ + if (RB_RIGHT(elm, field)) { \ + elm = RB_RIGHT(elm, field); \ + while (RB_LEFT(elm, field)) \ + elm = RB_LEFT(elm, field); \ + } else { \ + if (RB_PARENT(elm, field) && \ + (elm == RB_LEFT(RB_PARENT(elm, field), field))) \ + elm = RB_PARENT(elm, field); \ + else { \ + while (RB_PARENT(elm, field) && \ + (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\ + elm = RB_PARENT(elm, field); \ + elm = RB_PARENT(elm, field); \ + } \ + } \ + return (elm); \ +} \ + \ +struct type * \ +name##_RB_MINMAX(struct name *head, int val) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + struct type *parent = NULL; \ + while (tmp) { \ + parent = tmp; \ + if (val < 0) \ + tmp = RB_LEFT(tmp, field); \ + else \ + tmp = RB_RIGHT(tmp, field); \ + } \ + return (parent); \ +} + +#define RB_NEGINF -1 +#define RB_INF 1 + +#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) +#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) +#define RB_FIND(name, x, y) name##_RB_FIND(x, y) +#define RB_NEXT(name, x, y) name##_RB_NEXT(x, y) +#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) +#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) + +#define RB_FOREACH(x, name, head) \ + for ((x) = RB_MIN(name, head); \ + (x) != NULL; \ + (x) = name##_RB_NEXT(head, x)) + +#endif /* _SYS_TREE_H_ */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/vis.c openssh-4.2p1/openbsd-compat/vis.c --- ssh-openbsd-2005090100/openbsd-compat/vis.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/vis.c Mon Nov 24 13:33:35 2003 @@ -0,0 +1,239 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ + +/*- + * Copyright (c) 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ +#include "includes.h" +#if !defined(HAVE_STRNVIS) + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +#include "vis.h" + +#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') +#define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ + isgraph((u_char)(c))) || \ + ((flag & VIS_SP) == 0 && (c) == ' ') || \ + ((flag & VIS_TAB) == 0 && (c) == '\t') || \ + ((flag & VIS_NL) == 0 && (c) == '\n') || \ + ((flag & VIS_SAFE) && ((c) == '\b' || \ + (c) == '\007' || (c) == '\r' || \ + isgraph((u_char)(c))))) + +/* + * vis - visually encode characters + */ +char * +vis(dst, c, flag, nextc) + register char *dst; + int c, nextc; + register int flag; +{ + if (isvisible(c)) { + *dst++ = c; + if (c == '\\' && (flag & VIS_NOSLASH) == 0) + *dst++ = '\\'; + *dst = '\0'; + return (dst); + } + + if (flag & VIS_CSTYLE) { + switch(c) { + case '\n': + *dst++ = '\\'; + *dst++ = 'n'; + goto done; + case '\r': + *dst++ = '\\'; + *dst++ = 'r'; + goto done; + case '\b': + *dst++ = '\\'; + *dst++ = 'b'; + goto done; + case '\a': + *dst++ = '\\'; + *dst++ = 'a'; + goto done; + case '\v': + *dst++ = '\\'; + *dst++ = 'v'; + goto done; + case '\t': + *dst++ = '\\'; + *dst++ = 't'; + goto done; + case '\f': + *dst++ = '\\'; + *dst++ = 'f'; + goto done; + case ' ': + *dst++ = '\\'; + *dst++ = 's'; + goto done; + case '\0': + *dst++ = '\\'; + *dst++ = '0'; + if (isoctal(nextc)) { + *dst++ = '0'; + *dst++ = '0'; + } + goto done; + } + } + if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) { + *dst++ = '\\'; + *dst++ = ((u_char)c >> 6 & 07) + '0'; + *dst++ = ((u_char)c >> 3 & 07) + '0'; + *dst++ = ((u_char)c & 07) + '0'; + goto done; + } + if ((flag & VIS_NOSLASH) == 0) + *dst++ = '\\'; + if (c & 0200) { + c &= 0177; + *dst++ = 'M'; + } + if (iscntrl(c)) { + *dst++ = '^'; + if (c == 0177) + *dst++ = '?'; + else + *dst++ = c + '@'; + } else { + *dst++ = '-'; + *dst++ = c; + } +done: + *dst = '\0'; + return (dst); +} + +/* + * strvis, strnvis, strvisx - visually encode characters from src into dst + * + * Dst must be 4 times the size of src to account for possible + * expansion. The length of dst, not including the trailing NULL, + * is returned. + * + * Strnvis will write no more than siz-1 bytes (and will NULL terminate). + * The number of bytes needed to fully encode the string is returned. + * + * Strvisx encodes exactly len bytes from src into dst. + * This is useful for encoding a block of data. + */ +int +strvis(dst, src, flag) + register char *dst; + register const char *src; + int flag; +{ + register char c; + char *start; + + for (start = dst; (c = *src);) + dst = vis(dst, c, flag, *++src); + *dst = '\0'; + return (dst - start); +} + +int +strnvis(dst, src, siz, flag) + char *dst; + const char *src; + size_t siz; + int flag; +{ + char c; + char *start, *end; + char tbuf[5]; + int i; + + i = 0; + for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) { + if (isvisible(c)) { + i = 1; + *dst++ = c; + if (c == '\\' && (flag & VIS_NOSLASH) == 0) { + /* need space for the extra '\\' */ + if (dst < end) + *dst++ = '\\'; + else { + dst--; + i = 2; + break; + } + } + src++; + } else { + i = vis(tbuf, c, flag, *++src) - tbuf; + if (dst + i <= end) { + memcpy(dst, tbuf, i); + dst += i; + } else { + src--; + break; + } + } + } + if (siz > 0) + *dst = '\0'; + if (dst + i > end) { + /* adjust return value for truncation */ + while ((c = *src)) + dst += vis(tbuf, c, flag, *++src) - tbuf; + } + return (dst - start); +} + +int +strvisx(dst, src, len, flag) + register char *dst; + register const char *src; + register size_t len; + int flag; +{ + register char c; + char *start; + + for (start = dst; len > 1; len--) { + c = *src; + dst = vis(dst, c, flag, *++src); + } + if (len) + dst = vis(dst, *src, flag, '\0'); + *dst = '\0'; + return (dst - start); +} + +#endif diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/vis.h openssh-4.2p1/openbsd-compat/vis.h --- ssh-openbsd-2005090100/openbsd-compat/vis.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/vis.h Mon Nov 24 13:33:35 2003 @@ -0,0 +1,90 @@ +/* OPENBSD ORIGINAL: include/vis.h */ + +/* $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */ +/* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */ + +/*- + * Copyright (c) 1990 The Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)vis.h 5.9 (Berkeley) 4/3/91 + */ + +#include "includes.h" +#if !defined(HAVE_STRNVIS) + +#ifndef _VIS_H_ +#define _VIS_H_ + +#include +#include + +/* + * to select alternate encoding format + */ +#define VIS_OCTAL 0x01 /* use octal \ddd format */ +#define VIS_CSTYLE 0x02 /* use \[nrft0..] where appropriate */ + +/* + * to alter set of characters encoded (default is to encode all + * non-graphic except space, tab, and newline). + */ +#define VIS_SP 0x04 /* also encode space */ +#define VIS_TAB 0x08 /* also encode tab */ +#define VIS_NL 0x10 /* also encode newline */ +#define VIS_WHITE (VIS_SP | VIS_TAB | VIS_NL) +#define VIS_SAFE 0x20 /* only encode "unsafe" characters */ + +/* + * other + */ +#define VIS_NOSLASH 0x40 /* inhibit printing '\' */ + +/* + * unvis return codes + */ +#define UNVIS_VALID 1 /* character valid */ +#define UNVIS_VALIDPUSH 2 /* character valid, push back passed char */ +#define UNVIS_NOCHAR 3 /* valid sequence, no character produced */ +#define UNVIS_SYNBAD -1 /* unrecognized escape sequence */ +#define UNVIS_ERROR -2 /* decoder in unknown state (unrecoverable) */ + +/* + * unvis flags + */ +#define UNVIS_END 1 /* no more characters */ + +char *vis(char *, int, int, int); +int strvis(char *, const char *, int); +int strnvis(char *, const char *, size_t, int); +int strvisx(char *, const char *, size_t, int); +int strunvis(char *, const char *); +int unvis(char *, char, int *, int); + +#endif /* !_VIS_H_ */ + +#endif /* !HAVE_STRNVIS */ diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/xcrypt.c openssh-4.2p1/openbsd-compat/xcrypt.c --- ssh-openbsd-2005090100/openbsd-compat/xcrypt.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/xcrypt.c Thu Sep 1 02:59:49 2005 @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2003 Ben Lindstrom. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +# ifdef HAVE_CRYPT_H +# include +# endif + +# ifdef __hpux +# include +# include +# endif + +# ifdef HAVE_SECUREWARE +# include +# include +# include +# endif + +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# include +# endif + +# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) +# include +# include +# include +# endif + +# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +# endif + +char * +xcrypt(const char *password, const char *salt) +{ + char *crypted; + +# ifdef HAVE_MD5_PASSWORDS + if (is_md5_salt(salt)) + crypted = md5_crypt(password, salt); + else + crypted = crypt(password, salt); +# elif defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec()) + crypted = bigcrypt(password, salt); + else + crypted = crypt(password, salt); +# elif defined(HAVE_SECUREWARE) + crypted = bigcrypt(password, salt); +# else + crypted = crypt(password, salt); +# endif + + return crypted; +} + +/* + * Handle shadowed password systems in a cleaner way for portable + * version. + */ + +char * +shadow_pw(struct passwd *pw) +{ + char *pw_password = pw->pw_passwd; + +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + struct spwd *spw = getspnam(pw->pw_name); + + if (spw != NULL) + pw_password = spw->sp_pwdp; +# endif + +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) + return(get_iaf_password(pw)); +#endif + +# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) + struct passwd_adjunct *spw; + if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) + pw_password = spw->pwa_passwd; +# elif defined(HAVE_SECUREWARE) + struct pr_passwd *spw = getprpwnam(pw->pw_name); + + if (spw != NULL) + pw_password = spw->ufld.fd_encrypt; +# endif + + return pw_password; +} diff -ruN --exclude CVS ssh-openbsd-2005090100/openbsd-compat/xmmap.c openssh-4.2p1/openbsd-compat/xmmap.c --- ssh-openbsd-2005090100/openbsd-compat/xmmap.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/openbsd-compat/xmmap.c Wed Oct 6 23:15:44 2004 @@ -0,0 +1,75 @@ +/* + * Copyright (c) 2002 Tim Rice. All rights reserved. + * MAP_FAILED code by Solar Designer. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* $Id: xmmap.c,v 1.6 2004/10/06 13:15:44 dtucker Exp $ */ + +#include "includes.h" + +#ifdef HAVE_SYS_MMAN_H +#include +#endif + +#include "log.h" + +void *xmmap(size_t size) +{ + void *address; + +#ifdef HAVE_MMAP +# ifdef MAP_ANON + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, + -1, (off_t)0); +# else + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED, + open("/dev/zero", O_RDWR), (off_t)0); +# endif + +#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX" + if (address == (void *)MAP_FAILED) { + char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE; + int tmpfd; + mode_t old_umask; + + old_umask = umask(0177); + tmpfd = mkstemp(tmpname); + umask(old_umask); + if (tmpfd == -1) + fatal("mkstemp(\"%s\"): %s", + MM_SWAP_TEMPLATE, strerror(errno)); + unlink(tmpname); + ftruncate(tmpfd, size); + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED, + tmpfd, (off_t)0); + close(tmpfd); + } + + return (address); +#else + fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", + __func__); +#endif /* HAVE_MMAP */ + +} + diff -ruN --exclude CVS ssh-openbsd-2005090100/opensshd.init.in openssh-4.2p1/opensshd.init.in --- ssh-openbsd-2005090100/opensshd.init.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/opensshd.init.in Sun Jun 20 12:31:06 2004 @@ -0,0 +1,82 @@ +#!/sbin/sh +# Donated code that was put under PD license. +# +# Stripped PRNGd out of it for the time being. + +umask 022 + +CAT=@CAT@ +KILL=@KILL@ + +prefix=@prefix@ +sysconfdir=@sysconfdir@ +piddir=@piddir@ + +SSHD=$prefix/sbin/sshd +PIDFILE=$piddir/sshd.pid +SSH_KEYGEN=$prefix/bin/ssh-keygen +HOST_KEY_RSA1=$sysconfdir/ssh_host_key +HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key +HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key + + +checkkeys() { + if [ ! -f $HOST_KEY_RSA1 ]; then + ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" + fi + if [ ! -f $HOST_KEY_DSA ]; then + ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N "" + fi + if [ ! -f $HOST_KEY_RSA ]; then + ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" + fi +} + +stop_service() { + if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then + PID=`${CAT} ${PIDFILE}` + fi + if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then + ${KILL} ${PID} + else + echo "Unable to read PID file" + fi +} + +start_service() { + # XXX We really should check if the service is already going, but + # XXX we will opt out at this time. - Bal + + # Check to see if we have keys that need to be made + checkkeys + + # Start SSHD + echo "starting $SSHD... \c" ; $SSHD + + sshd_rc=$? + if [ $sshd_rc -ne 0 ]; then + echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing." + exit $sshd_rc + fi + echo done. +} + +case $1 in + +'start') + start_service + ;; + +'stop') + stop_service + ;; + +'restart') + stop_service + start_service + ;; + +*) + echo "$0: usage: $0 {start|stop|restart}" + ;; +esac diff -ruN --exclude CVS ssh-openbsd-2005090100/packet.c openssh-4.2p1/packet.c --- ssh-openbsd-2005090100/packet.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/packet.c Fri Aug 12 22:10:29 2005 @@ -39,7 +39,7 @@ #include "includes.h" RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $"); -#include +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "buffer.h" @@ -309,9 +309,14 @@ memset(&to, 0, sizeof(to)); if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0) return 0; - if (to.ss_family != AF_INET) - return 0; - return 1; + if (to.ss_family == AF_INET) + return 1; +#ifdef IPV4_IN_IPV6 + if (to.ss_family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr)) + return 1; +#endif + return 0; } /* Sets the connection into non-blocking mode. */ @@ -1441,9 +1446,11 @@ return buffer_len(&output) < 128 * 1024; } + static void packet_set_tos(int interactive) { +#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT; if (!packet_connection_is_on_socket() || @@ -1453,6 +1460,7 @@ sizeof(tos)) < 0) error("setsockopt IP_TOS %d: %.100s:", tos, strerror(errno)); +#endif } /* Informs that the current session is interactive. Sets IP flags for that. */ diff -ruN --exclude CVS ssh-openbsd-2005090100/pathnames.h openssh-4.2p1/pathnames.h --- ssh-openbsd-2005090100/pathnames.h Sat Jul 16 11:31:02 2005 +++ openssh-4.2p1/pathnames.h Sat Jul 17 16:12:08 2004 @@ -13,8 +13,14 @@ */ #define ETCDIR "/etc" + +#ifndef SSHDIR #define SSHDIR ETCDIR "/ssh" +#endif + +#ifndef _PATH_SSH_PIDDIR #define _PATH_SSH_PIDDIR "/var/run" +#endif /* * System-wide file containing host keys of known hosts. This file should be @@ -33,11 +39,13 @@ #define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" -#define _PATH_DH_MODULI ETCDIR "/moduli" +#define _PATH_DH_MODULI SSHDIR "/moduli" /* Backwards compatibility */ -#define _PATH_DH_PRIMES ETCDIR "/primes" +#define _PATH_DH_PRIMES SSHDIR "/primes" +#ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" +#endif /* * The process id of the daemon listening for connections is saved here to @@ -102,32 +110,65 @@ * Ssh-only version of /etc/hosts.equiv. Additionally, the daemon may use * ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled. */ -#define _PATH_SSH_HOSTS_EQUIV ETCDIR "/shosts.equiv" +#define _PATH_SSH_HOSTS_EQUIV SSHDIR "/shosts.equiv" #define _PATH_RHOSTS_EQUIV "/etc/hosts.equiv" /* * Default location of askpass */ +#ifndef _PATH_SSH_ASKPASS_DEFAULT #define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#endif /* Location of ssh-keysign for hostbased authentication */ +#ifndef _PATH_SSH_KEY_SIGN #define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign" +#endif /* xauth for X11 forwarding */ +#ifndef _PATH_XAUTH #define _PATH_XAUTH "/usr/X11R6/bin/xauth" +#endif /* UNIX domain socket for X11 server; displaynum will replace %u */ +#ifndef _PATH_UNIX_X #define _PATH_UNIX_X "/tmp/.X11-unix/X%u" +#endif /* for scp */ +#ifndef _PATH_CP #define _PATH_CP "cp" +#endif /* for sftp */ +#ifndef _PATH_SFTP_SERVER #define _PATH_SFTP_SERVER "/usr/libexec/sftp-server" -#define _PATH_LS "ls" +#endif /* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */ +#ifndef _PATH_PRIVSEP_CHROOT_DIR #define _PATH_PRIVSEP_CHROOT_DIR "/var/empty" +#endif /* for passwd change */ -#define _PATH_PASSWD_PROG "/usr/bin/passwd" +#ifndef _PATH_PASSWD_PROG +#define _PATH_PASSWD_PROG "/usr/bin/passwd" +#endif + +#ifndef _PATH_LS +#define _PATH_LS "ls" +#endif + +/* path to login program */ +#ifndef LOGIN_PROGRAM +# ifdef LOGIN_PROGRAM_FALLBACK +# define LOGIN_PROGRAM LOGIN_PROGRAM_FALLBACK +# else +# define LOGIN_PROGRAM "/usr/bin/login" +# endif +#endif /* LOGIN_PROGRAM */ + +/* Askpass program define */ +#ifndef ASKPASS_PROGRAM +#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" +#endif /* ASKPASS_PROGRAM */ diff -ruN --exclude CVS ssh-openbsd-2005090100/progressmeter.c openssh-4.2p1/progressmeter.c --- ssh-openbsd-2005090100/progressmeter.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/progressmeter.c Thu Jun 16 13:18:05 2005 @@ -27,6 +27,7 @@ #include "progressmeter.h" #include "atomicio.h" +#include "misc.h" #define DEFAULT_WINSIZE 80 #define MAX_WINSIZE 512 @@ -84,8 +85,8 @@ bytes = (bytes + 512) / 1024; } snprintf(buf, size, "%3lld.%1lld%c%s", - (long long) (bytes + 5) / 100, - (long long) (bytes + 5) / 10 % 10, + (int64_t) (bytes + 5) / 100, + (int64_t) (bytes + 5) / 10 % 10, unit[i], i ? "B" : " "); } @@ -98,7 +99,7 @@ for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++) bytes = (bytes + 512) / 1024; snprintf(buf, size, "%4lld%c%s", - (long long) bytes, + (int64_t) bytes, unit[i], i ? "B" : " "); } diff -ruN --exclude CVS ssh-openbsd-2005090100/readconf.c openssh-4.2p1/readconf.c --- ssh-openbsd-2005090100/readconf.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/readconf.c Fri Aug 12 22:11:18 2005 @@ -210,9 +210,11 @@ add_local_forward(Options *options, const Forward *newfwd) { Forward *fwd; +#ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); +#endif if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); fwd = &options->local_forwards[options->num_local_forwards++]; diff -ruN --exclude CVS ssh-openbsd-2005090100/readpass.c openssh-4.2p1/readpass.c --- ssh-openbsd-2005090100/readpass.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/readpass.c Thu May 26 12:07:48 2005 @@ -25,8 +25,6 @@ #include "includes.h" RCSID("$OpenBSD: readpass.c,v 1.33 2005/05/02 21:13:22 markus Exp $"); -#include - #include "xmalloc.h" #include "misc.h" #include "pathnames.h" diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/Makefile openssh-4.2p1/regress/Makefile --- ssh-openbsd-2005090100/regress/Makefile Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/Makefile Mon Mar 7 18:35:34 2005 @@ -0,0 +1,96 @@ +# $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $ + +REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec +tests: $(REGRESS_TARGETS) + +clean: + for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done +distclean: clean + +LTESTS= connect \ + proxy-connect \ + connect-privsep \ + proto-version \ + proto-mismatch \ + exit-status \ + envpass \ + transfer \ + banner \ + rekey \ + stderr-data \ + stderr-after-eof \ + broken-pipe \ + try-ciphers \ + yes-head \ + login-timeout \ + agent \ + agent-getpeereid \ + agent-timeout \ + agent-ptrace \ + keyscan \ + keygen-change \ + scp \ + sftp \ + sftp-cmds \ + sftp-badcmds \ + sftp-batch \ + sftp-glob \ + reconfigure \ + dynamic-forward \ + forwarding \ + multiplex \ + reexec \ + brokenkeys + +USER!= id -un +CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ + authorized_keys_${USER} known_hosts pidfile \ + ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ + rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ + rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ + ls.copy banner.in banner.out empty.in \ + scp-ssh-wrapper.scp ssh_proxy_envpass \ + remote_pid + +#LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp + +t1: + ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv + +t2: + cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out + chmod 600 $(OBJ)/t2.out + ssh-keygen -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub + +t3: + ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/rsa_secsh.pub + ssh-keygen -if $(OBJ)/rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub + rm -f ${.CURDIR}/rsa_secsh.pub + +t4: + ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t4.ok + +t5: + ssh-keygen -Bf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t5.ok + +t6: + ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 + ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 + chmod 600 $(OBJ)/t6.out1 + ssh-keygen -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2 + +$(OBJ)/t7.out: + ssh-keygen -q -t rsa -N '' -f $@ + +t7: $(OBJ)/t7.out + ssh-keygen -lf $(OBJ)/t7.out > /dev/null + ssh-keygen -Bf $(OBJ)/t7.out > /dev/null + +t-exec: ${LTESTS:=.sh} + @if [ "x$?" = "x" ]; then exit 0; fi; \ + for TEST in ""$?; do \ + echo "run test $${TEST}" ... 1>&2; \ + (env SUDO=${SUDO} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/README.regress openssh-4.2p1/regress/README.regress --- ssh-openbsd-2005090100/regress/README.regress Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/README.regress Tue Aug 17 22:31:33 2004 @@ -0,0 +1,104 @@ +Overview. + +$ ./configure && make tests + +You'll see some progress info. A failure will cause either the make to +abort or the driver script to report a "FATAL" failure. + +The test consists of 2 parts. The first is the file-based tests which is +driven by the Makefile, and the second is a set of network or proxycommand +based tests, which are driven by a driver script (test-exec.sh) which is +called multiple times by the Makefile. + +Failures in the first part will cause the Makefile to return an error. +Failures in the second part will print a "FATAL" message for the failed +test and continue. + +OpenBSD has a system-wide regression test suite. OpenSSH Portable's test +suite is based on OpenBSD's with modifications. + + +Environment variables. + +SUDO: path to sudo command, if desired. Note that some systems (notably + systems using PAM) require sudo to execute some tests. +TEST_SSH_TRACE: set to "yes" for verbose output from tests +TEST_SSH_QUIET: set to "yes" to suppress non-fatal output. +TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD + SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER +OBJ: used by test scripts to access build dir. +TEST_SHELL: shell used for running the test scripts. +TEST_SSH_PORT: TCP port to be used for the listening tests. +TEST_SSH_SSH_CONFOTPS: Configuration directives to be added to ssh_config + before running each test. +TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config + before running each test. + + +Individual tests. + +You can run an individual test from the top-level Makefile, eg: +$ make tests LTESTS=agent-timeout + +If you need to manipulate the environment more you can invoke test-exec.sh +directly if you set up the path to find the binaries under test and the +test scripts themselves, for example: + +$ cd regress +$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \ + agent-timeout.sh +ok agent timeout test + + +Files. + +test-exec.sh: the main test driver. Sets environment, creates config files +and keys and runs the specified test. + +At the time of writing, the individual tests are: +agent-timeout.sh: agent timeout test +agent.sh: simple agent test +broken-pipe.sh: broken pipe test +connect-privsep.sh: proxy connect with privsep +connect.sh: simple connect +exit-status.sh: remote exit status +forwarding.sh: local and remote forwarding +keygen-change.sh: change passphrase for key +keyscan.sh: keyscan +proto-mismatch.sh: protocol version mismatch +proto-version.sh: sshd version with different protocol combinations +proxy-connect.sh: proxy connect +sftp.sh: basic sftp put/get +ssh-com-client.sh: connect with ssh.com client +ssh-com-keygen.sh: ssh.com key import +ssh-com-sftp.sh: basic sftp put/get with ssh.com server +ssh-com.sh: connect to ssh.com server +stderr-after-eof.sh: stderr data after eof +stderr-data.sh: stderr data transfer +transfer.sh: transfer data +try-ciphers.sh: try ciphers +yes-head.sh: yes pipe head + + +Problems? + +Run the failing test with shell tracing (-x) turned on: +$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh + +Failed tests can be difficult to diagnose. Suggestions: +- run the individual test via ./test-exec.sh `pwd` [testname] +- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of + auth.debug (eg to /var/log/authlog). + + +Known Issues. + +- If your build requires ssh-rand-helper regress tests will fail + unless ssh-rand-helper is in pre-installed (the path to + ssh-rand-helper is hard coded). + +- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head + test to fail. The old behaviour can be restored by setting (and + exporting) _POSIX2_VERSION=199209 before running the tests. + +$Id: README.regress,v 1.9 2004/08/17 12:31:33 dtucker Exp $ diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/agent-getpeereid.sh openssh-4.2p1/regress/agent-getpeereid.sh --- ssh-openbsd-2005090100/regress/agent-getpeereid.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/agent-getpeereid.sh Thu Sep 4 18:04:16 2003 @@ -0,0 +1,40 @@ +# $OpenBSD: agent-getpeereid.sh,v 1.1 2002/12/09 16:05:02 markus Exp $ +# Placed in the Public Domain. + +tid="disallow agent attach from other uid" + +UNPRIV=nobody +ASOCK=${OBJ}/agent +SSH_AUTH_SOCK=/nonexistant + +if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 +then + echo "skipped (not supported on this platform)" + exit 0 +fi + +trace "start agent" +eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + chmod 644 ${SSH_AUTH_SOCK} + + ssh-add -l > /dev/null 2>&1 + r=$? + if [ $r -ne 1 ]; then + fail "ssh-add failed with $r != 1" + fi + + < /dev/null sudo -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1 + r=$? + if [ $r -lt 2 ]; then + fail "ssh-add did not fail for ${UNPRIV}: $r < 2" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi + +rm -f ${OBJ}/agent diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/agent-ptrace.sh openssh-4.2p1/regress/agent-ptrace.sh --- ssh-openbsd-2005090100/regress/agent-ptrace.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/agent-ptrace.sh Thu Mar 3 16:49:56 2005 @@ -0,0 +1,53 @@ +# $OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $ +# Placed in the Public Domain. + +tid="disallow agent ptrace attach" + +if have_prog uname ; then + case `uname` in + AIX|CYGWIN*|OSF1) + echo "skipped (not supported on this platform)" + exit 0 + ;; + esac +fi + +if have_prog gdb ; then + : ok +else + echo "skipped (gdb not found)" + exit 0 +fi + +if test -z "$SUDO" ; then + echo "skipped (SUDO not set)" + exit 0 +else + $SUDO chown 0 ${SSHAGENT} + $SUDO chgrp 0 ${SSHAGENT} + $SUDO chmod 2755 ${SSHAGENT} +fi + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + # ls -l ${SSH_AUTH_SOCK} + gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF + quit +EOF + if [ $? -ne 0 ]; then + fail "gdb failed: exit code $?" + fi + egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out + r=$? + rm -f ${OBJ}/gdb.out + if [ $r -ne 0 ]; then + fail "ptrace succeeded?: exit code $r" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/agent-timeout.sh openssh-4.2p1/regress/agent-timeout.sh --- ssh-openbsd-2005090100/regress/agent-timeout.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/agent-timeout.sh Sat Sep 13 09:46:03 2003 @@ -0,0 +1,36 @@ +# $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $ +# Placed in the Public Domain. + +tid="agent timeout test" + +SSHAGENT_TIMEOUT=10 + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + trace "add keys with timeout" + for t in rsa rsa1; do + ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add did succeed exit code 0" + fi + done + n=`${SSHADD} -l 2> /dev/null | wc -l` + trace "agent has $n keys" + if [ $n -ne 2 ]; then + fail "ssh-add -l did not return 2 keys: $n" + fi + trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds" + sleep ${SSHAGENT_TIMEOUT} + sleep ${SSHAGENT_TIMEOUT} + ${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null + if [ $? -ne 0 ]; then + fail "ssh-add -l still returns keys after timeout" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/agent.sh openssh-4.2p1/regress/agent.sh --- ssh-openbsd-2005090100/regress/agent.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/agent.sh Thu Sep 4 15:16:57 2003 @@ -0,0 +1,75 @@ +# $OpenBSD: agent.sh,v 1.6 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="simple agent test" + +SSH_AUTH_SOCK=/nonexistant ${SSHADD} -l > /dev/null 2>&1 +if [ $? -ne 2 ]; then + fail "ssh-add -l did not fail with exit code 2" +fi + +trace "start agent" +eval `${SSHAGENT} -s` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fail "could not start ssh-agent: exit code $r" +else + ${SSHADD} -l > /dev/null 2>&1 + if [ $? -ne 1 ]; then + fail "ssh-add -l did not fail with exit code 1" + fi + trace "overwrite authorized keys" + echon > $OBJ/authorized_keys_$USER + for t in rsa rsa1; do + # generate user key for agent + rm -f $OBJ/$t-agent + ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ + fail "ssh-keygen for $t-agent failed" + # add to authorized keys + cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER + # add privat key to agent + ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add did succeed exit code 0" + fi + done + ${SSHADD} -l > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add -l failed: exit code $?" + fi + # the same for full pubkey output + ${SSHADD} -L > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add -L failed: exit code $?" + fi + + trace "simple connect via agent" + for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p + if [ $? -ne 5$p ]; then + fail "ssh connect with protocol $p failed (exit code $?)" + fi + done + + trace "agent forwarding" + for p in 1 2; do + ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" + fi + ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ + "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" + if [ $? -ne 5$p ]; then + fail "agent fwd proto $p failed (exit code $?)" + fi + done + + trace "delete all agent keys" + ${SSHADD} -D > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add -D failed: exit code $?" + fi + + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/banner.sh openssh-4.2p1/regress/banner.sh --- ssh-openbsd-2005090100/regress/banner.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/banner.sh Fri Jan 30 12:58:51 2004 @@ -0,0 +1,44 @@ +# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $ +# Placed in the Public Domain. + +tid="banner" +echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy + +rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in +touch $OBJ/empty.in + +trace "test missing banner file" +verbose "test $tid: missing banner file" +( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/empty.in $OBJ/banner.out ) || \ + fail "missing banner file" + +for s in 0 10 100 1000 10000 100000 ; do + if [ "$s" = "0" ]; then + # create empty banner + touch $OBJ/banner.in + elif [ "$s" = "10" ]; then + # create 10-byte banner file + echo "abcdefghi" >$OBJ/banner.in + else + # increase size 10x + cp $OBJ/banner.in $OBJ/banner.out + for i in 0 1 2 3 4 5 6 7 8 ; do + cat $OBJ/banner.out >> $OBJ/banner.in + done + fi + + trace "test banner size $s" + verbose "test $tid: size $s" + ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/banner.in $OBJ/banner.out ) || \ + fail "banner size $s mismatch" +done + +trace "test suppress banner (-q)" +verbose "test $tid: suppress banner (-q)" +( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/empty.in $OBJ/banner.out ) || \ + fail "suppress banner (-q)" + +rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/broken-pipe.sh openssh-4.2p1/regress/broken-pipe.sh --- ssh-openbsd-2005090100/regress/broken-pipe.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/broken-pipe.sh Wed May 1 13:17:34 2002 @@ -0,0 +1,15 @@ +# $OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="broken pipe test" + +for p in 1 2; do + trace "protocol $p" + for i in 1 2 3 4; do + ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true + r=$? + if [ $r -ne 0 ]; then + fail "broken pipe returns $r for protocol $p" + fi + done +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/brokenkeys.sh openssh-4.2p1/regress/brokenkeys.sh --- ssh-openbsd-2005090100/regress/brokenkeys.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/brokenkeys.sh Mon Dec 6 23:07:38 2004 @@ -0,0 +1,23 @@ +# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $ +# Placed in the Public Domain. + +tid="broken keys" + +KEYS="$OBJ/authorized_keys_${USER}" + +start_sshd + +mv ${KEYS} ${KEYS}.bak + +# Truncated key +echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS +cat ${KEYS}.bak >> ${KEYS} +cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + +${SSH} -2 -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with protocol $p failed" +fi + +mv ${KEYS}.bak ${KEYS} + diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/bsd.regress.mk openssh-4.2p1/regress/bsd.regress.mk --- ssh-openbsd-2005090100/regress/bsd.regress.mk Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/bsd.regress.mk Wed May 1 13:17:34 2002 @@ -0,0 +1,79 @@ +# $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $ +# No man pages for regression tests. +NOMAN= + +# No installation. +install: + +# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG +.if defined(REGRESSTARGETS) && !defined(PROG) +NOPROG= +.endif + +.include + +.MAIN: all +all: regress + +# XXX - Need full path to REGRESSLOG, otherwise there will be much pain. + +REGRESSLOG?=/dev/null +REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///} + +.if defined(PROG) && !empty(PROG) +run-regress-${PROG}: ${PROG} + ./${PROG} +.endif + +.if !defined(REGRESSTARGETS) +REGRESSTARGETS=run-regress-${PROG} +. if defined(REGRESSSKIP) +REGRESSSKIPTARGETS=run-regress-${PROG} +. endif +.endif + +REGRESSSKIPSLOW?=no + +#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS) + +.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS) +REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS} +.endif + +.if defined(REGRESSROOTTARGETS) +ROOTUSER!=id -g +SUDO?= +. if (${ROOTUSER} != 0) && empty(SUDO) +REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS} +. endif +.endif + +REGRESSSKIPTARGETS?= + +regress: +.for RT in ${REGRESSTARGETS} +. if ${REGRESSSKIPTARGETS:M${RT}} + @echo -n "SKIP " >> ${REGRESSLOG} +. else +# XXX - we need a better method to see if a test fails due to timeout or just +# normal failure. +. if !defined(REGRESSMAXTIME) + @if cd ${.CURDIR} && ${MAKE} ${RT}; then \ + echo -n "SUCCESS " >> ${REGRESSLOG} ; \ + else \ + echo -n "FAIL " >> ${REGRESSLOG} ; \ + echo FAILED ; \ + fi +. else + @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \ + echo -n "SUCCESS " >> ${REGRESSLOG} ; \ + else \ + echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \ + echo FAILED ; \ + fi +. endif +. endif + @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG} +.endfor + +.PHONY: regress diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/connect-privsep.sh openssh-4.2p1/regress/connect-privsep.sh --- ssh-openbsd-2005090100/regress/connect-privsep.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/connect-privsep.sh Wed May 1 13:17:34 2002 @@ -0,0 +1,13 @@ +# $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $ +# Placed in the Public Domain. + +tid="proxy connect with privsep" + +echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy + +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh privsep+proxyconnect protocol $p failed" + fi +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/connect.sh openssh-4.2p1/regress/connect.sh --- ssh-openbsd-2005090100/regress/connect.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/connect.sh Wed May 1 13:17:34 2002 @@ -0,0 +1,13 @@ +# $OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="simple connect" + +start_sshd + +for p in 1 2; do + ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true + if [ $? -ne 0 ]; then + fail "ssh connect with protocol $p failed" + fi +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/dsa_ssh2.prv openssh-4.2p1/regress/dsa_ssh2.prv --- ssh-openbsd-2005090100/regress/dsa_ssh2.prv Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/dsa_ssh2.prv Wed May 1 13:17:34 2002 @@ -0,0 +1,14 @@ +---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- +Subject: ssh-keygen test +Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100" +P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA +AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR +Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg +x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv +MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt +F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1 +kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik +ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6 +75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV +zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A== +---- END SSH2 ENCRYPTED PRIVATE KEY ---- diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/dsa_ssh2.pub openssh-4.2p1/regress/dsa_ssh2.pub --- ssh-openbsd-2005090100/regress/dsa_ssh2.pub Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/dsa_ssh2.pub Wed May 1 13:17:34 2002 @@ -0,0 +1,13 @@ +---- BEGIN SSH2 PUBLIC KEY ---- +Subject: ssh-keygen test +Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100" +AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8 +NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l +ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo +0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE +MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk +JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC +eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv +JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1 +ixaVivLt8RgTwGF99uI= +---- END SSH2 PUBLIC KEY ---- diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/dynamic-forward.sh openssh-4.2p1/regress/dynamic-forward.sh --- ssh-openbsd-2005090100/regress/dynamic-forward.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/dynamic-forward.sh Mon Dec 6 22:58:11 2004 @@ -0,0 +1,50 @@ +# $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $ +# Placed in the Public Domain. + +tid="dynamic forwarding" + +FWDPORT=`expr $PORT + 1` + +DATA=/bin/ls${EXEEXT} + +if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then + proxycmd="nc -x 127.0.0.1:$FWDPORT -X" +elif have_prog connect; then + proxycmd="connect -S 127.0.0.1:$FWDPORT -" +else + echo "skipped (no suitable ProxyCommand found)" + exit 0 +fi +trace "will use ProxyCommand $proxycmd" + +start_sshd + +for p in 1 2; do + trace "start dynamic forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ + exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + + for s in 4 5; do + for h in 127.0.0.1 localhost; do + trace "testing ssh protocol $p socks version $s host $h" + ${SSH} -F $OBJ/ssh_config \ + -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ + somehost cat $DATA > $OBJ/ls.copy + test -f $OBJ/ls.copy || fail "failed copy $DATA" + cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" + done + done + + if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" + if [ $remote -gt 1 ]; then + kill -HUP $remote + fi + else + fail "no pid file: $OBJ/remote_pid" + fi + + # Must allow time for connection tear-down + sleep 2 +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/envpass.sh openssh-4.2p1/regress/envpass.sh --- ssh-openbsd-2005090100/regress/envpass.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/envpass.sh Mon Mar 7 18:35:34 2005 @@ -0,0 +1,60 @@ +# $OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $ +# Placed in the Public Domain. + +tid="environment passing" + +# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST) + +# Prepare a custom config to test for a configuration parsing bug fixed in 4.0 +cat << EOF > $OBJ/ssh_proxy_envpass +Host test-sendenv-confparse-bug + SendEnv * +EOF +cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass + +trace "pass env, don't accept" +verbose "test $tid: pass env, don't accept" +_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \ + sh << 'EOF' + test -z "$_TEST_ENV" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment found" +fi + +trace "don't pass env, accept" +verbose "test $tid: don't pass env, accept" +_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \ + sh << 'EOF' + test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment found" +fi + +trace "pass single env, accept single env" +verbose "test $tid: pass single env, accept single env" +_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \ + otherhost sh << 'EOF' + test X"$_XXX_TEST" = X"blah" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment not found" +fi + +trace "pass multiple env, accept multiple env" +verbose "test $tid: pass multiple env, accept multiple env" +_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \ + -F $OBJ/ssh_proxy_envpass otherhost \ + sh << 'EOF' + test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2" +EOF +r=$? +if [ $r -ne 0 ]; then + fail "environment not found" +fi + +rm -f $OBJ/ssh_proxy_envpass diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/exit-status.sh openssh-4.2p1/regress/exit-status.sh --- ssh-openbsd-2005090100/regress/exit-status.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/exit-status.sh Wed May 1 13:17:34 2002 @@ -0,0 +1,24 @@ +# $OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="remote exit status" + +for p in 1 2; do + for s in 0 1 4 5 44; do + trace "proto $p status $s" + verbose "test $tid: proto $p status $s" + ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s + r=$? + if [ $r -ne $s ]; then + fail "exit code mismatch for protocol $p: $r != $s" + fi + + # same with early close of stdout/err + ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \ + exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' + r=$? + if [ $r -ne $s ]; then + fail "exit code (with sleep) mismatch for protocol $p: $r != $s" + fi + done +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/forwarding.sh openssh-4.2p1/regress/forwarding.sh --- ssh-openbsd-2005090100/regress/forwarding.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/forwarding.sh Sun Sep 7 09:28:04 2003 @@ -0,0 +1,34 @@ +# $OpenBSD: forwarding.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="local and remote forwarding" +DATA=/bin/ls${EXEEXT} + +start_sshd + +base=33 +last=$PORT +fwd="" +for j in 0 1 2; do + for i in 0 1 2; do + a=$base$j$i + b=`expr $a + 50` + c=$last + # fwd chain: $a -> $b -> $c + fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c" + last=$a + done +done +for p in 1 2; do + q=`expr 3 - $p` + trace "start forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10 + + trace "transfer over forwarded channels and check result" + ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ + somehost cat $DATA > $OBJ/ls.copy + test -f $OBJ/ls.copy || fail "failed copy $DATA" + cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" + + sleep 10 +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/keygen-change.sh openssh-4.2p1/regress/keygen-change.sh --- ssh-openbsd-2005090100/regress/keygen-change.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/keygen-change.sh Wed Jan 22 17:53:17 2003 @@ -0,0 +1,23 @@ +# $OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $ +# Placed in the Public Domain. + +tid="change passphrase for key" + +S1="secret1" +S2="2secret" + +for t in rsa dsa rsa1; do + # generate user key for agent + trace "generating $t key" + rm -f $OBJ/$t-key + ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key + if [ $? -eq 0 ]; then + ${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null + if [ $? -ne 0 ]; then + fail "ssh-keygen -p failed for $t-key" + fi + else + fail "ssh-keygen for $t-key failed" + fi + rm -f $OBJ/$t-key $OBJ/$t-key.pub +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/keyscan.sh openssh-4.2p1/regress/keyscan.sh --- ssh-openbsd-2005090100/regress/keyscan.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/keyscan.sh Wed May 1 13:17:34 2002 @@ -0,0 +1,19 @@ +# $OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="keyscan" + +# remove DSA hostkey +rm -f ${OBJ}/host.dsa + +start_sshd + +for t in rsa1 rsa dsa; do + trace "keyscan type $t" + ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ + > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "ssh-keyscan -t $t failed with: $r" + fi +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/login-timeout.sh openssh-4.2p1/regress/login-timeout.sh --- ssh-openbsd-2005090100/regress/login-timeout.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/login-timeout.sh Mon Mar 7 18:34:05 2005 @@ -0,0 +1,29 @@ +# $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $ +# Placed in the Public Domain. + +tid="connect after login grace timeout" + +trace "test login grace with privsep" +echo "LoginGraceTime 10s" >> $OBJ/sshd_config +echo "MaxStartups 1" >> $OBJ/sshd_config +start_sshd + +(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & +sleep 15 +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect after login grace timeout failed with privsep" +fi + +$SUDO kill `cat $PIDFILE` + +trace "test login grace without privsep" +echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config +start_sshd + +(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & +sleep 15 +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect after login grace timeout failed without privsep" +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/multiplex.sh openssh-4.2p1/regress/multiplex.sh --- ssh-openbsd-2005090100/regress/multiplex.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/multiplex.sh Mon Apr 25 17:01:26 2005 @@ -0,0 +1,92 @@ +# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $ +# Placed in the Public Domain. + +CTL=/tmp/openssh.regress.ctl-sock.$$ + +tid="connection multiplexing" + +if grep "#define.*DISABLE_FD_PASSING" ${BUILDDIR}/config.h >/dev/null 2>&1 +then + echo "skipped (not supported on this platform)" + exit 0 +fi + +DATA=/bin/ls${EXEEXT} +COPY=$OBJ/ls.copy +LOG=$TEST_SSH_LOGFILE + +start_sshd + +trace "start master, fork to background" +${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost & +MASTER_PID=$! + +# Wait for master to start and authenticate +sleep 5 + +verbose "test $tid: envpass" +trace "env passing over multiplexed connection" +_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF' + test X"$_XXX_TEST" = X"blah" +EOF +if [ $? -ne 0 ]; then + fail "environment not found" +fi + +verbose "test $tid: transfer" +rm -f ${COPY} +trace "ssh transfer over multiplexed connection and check result" +${SSH} -S$CTL otherhost cat ${DATA} > ${COPY} +test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}" + +rm -f ${COPY} +trace "ssh transfer over multiplexed connection and check result" +${SSH} -S $CTL otherhost cat ${DATA} > ${COPY} +test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}" + +rm -f ${COPY} +trace "sftp transfer over multiplexed connection and check result" +echo "get ${DATA} ${COPY}" | \ + ${SFTP} -S ${SSH} -oControlPath=$CTL otherhost >$LOG 2>&1 +test -f ${COPY} || fail "sftp: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}" + +rm -f ${COPY} +trace "scp transfer over multiplexed connection and check result" +${SCP} -S ${SSH} -oControlPath=$CTL otherhost:${DATA} ${COPY} >$LOG 2>&1 +test -f ${COPY} || fail "scp: failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}" + +rm -f ${COPY} + +for s in 0 1 4 5 44; do + trace "exit status $s over multiplexed connection" + verbose "test $tid: status $s" + ${SSH} -S $CTL otherhost exit $s + r=$? + if [ $r -ne $s ]; then + fail "exit code mismatch for protocol $p: $r != $s" + fi + + # same with early close of stdout/err + trace "exit status $s with early close over multiplexed connection" + ${SSH} -S $CTL -n otherhost \ + exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' + r=$? + if [ $r -ne $s ]; then + fail "exit code (with sleep) mismatch for protocol $p: $r != $s" + fi +done + +trace "test check command" +${SSH} -S $CTL -Ocheck otherhost || fail "check command failed" + +trace "test exit command" +${SSH} -S $CTL -Oexit otherhost || fail "send exit command failed" + +# Wait for master to exit +sleep 2 + +kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/proto-mismatch.sh openssh-4.2p1/regress/proto-mismatch.sh --- ssh-openbsd-2005090100/regress/proto-mismatch.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/proto-mismatch.sh Wed May 1 13:17:34 2002 @@ -0,0 +1,19 @@ +# $OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="protocol version mismatch" + +mismatch () +{ + server=$1 + client=$2 + banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` + r=$? + trace "sshd prints ${banner}" + if [ $r -ne 255 ]; then + fail "sshd prints ${banner} and accepts connect with version ${client}" + fi +} + +mismatch 2 SSH-1.5-HALLO +mismatch 1 SSH-2.0-HALLO diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/proto-version.sh openssh-4.2p1/regress/proto-version.sh --- ssh-openbsd-2005090100/regress/proto-version.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/proto-version.sh Thu Sep 4 15:16:57 2003 @@ -0,0 +1,34 @@ +# $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="sshd version with different protocol combinations" + +# we just start sshd in inetd mode and check the banner +check_version () +{ + version=$1 + expect=$2 + banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + case ${banner} in + SSH-1.99-*) + proto=199 + ;; + SSH-2.0-*) + proto=20 + ;; + SSH-1.5-*) + proto=15 + ;; + *) + proto=0 + ;; + esac + if [ ${expect} -ne ${proto} ]; then + fail "wrong protocol version ${banner} for ${version}" + fi +} + +check_version 2,1 199 +check_version 1,2 199 +check_version 2 20 +check_version 1 15 diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/proxy-connect.sh openssh-4.2p1/regress/proxy-connect.sh --- ssh-openbsd-2005090100/regress/proxy-connect.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/proxy-connect.sh Wed Jan 22 17:53:17 2003 @@ -0,0 +1,18 @@ +# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $ +# Placed in the Public Domain. + +tid="proxy connect" + +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh proxyconnect protocol $p failed" + fi + SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "ssh proxyconnect protocol $p failed" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "bad SSH_CONNECTION" + fi +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/reconfigure.sh openssh-4.2p1/regress/reconfigure.sh --- ssh-openbsd-2005090100/regress/reconfigure.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/reconfigure.sh Thu Sep 4 13:59:49 2003 @@ -0,0 +1,35 @@ +# $OpenBSD: reconfigure.sh,v 1.2 2003/06/21 09:14:05 markus Exp $ +# Placed in the Public Domain. + +tid="simple connect after reconfigure" + +# we need the full path to sshd for -HUP +case $SSHD in +/*) + # full path is OK + ;; +*) + # otherwise make fully qualified + SSHD=$OBJ/$SSHD +esac + +start_sshd + +$SUDO kill -HUP `cat $PIDFILE` +sleep 1 + +trace "wait for sshd to restart" +i=0; +while [ ! -f $PIDFILE -a $i -lt 10 ]; do + i=`expr $i + 1` + sleep $i +done + +test -f $PIDFILE || fatal "sshd did not restart" + +for p in 1 2; do + ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true + if [ $? -ne 0 ]; then + fail "ssh connect with protocol $p failed after reconfigure" + fi +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/reexec.sh openssh-4.2p1/regress/reexec.sh --- ssh-openbsd-2005090100/regress/reexec.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/reexec.sh Thu May 26 13:43:57 2005 @@ -0,0 +1,72 @@ +# $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $ +# Placed in the Public Domain. + +tid="reexec tests" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +SSHD_ORIG=$SSHD${EXEEXT} +SSHD_COPY=$OBJ/sshd${EXEEXT} + +# Start a sshd and then delete it +start_sshd_copy () +{ + cp $SSHD_ORIG $SSHD_COPY + SSHD=$SSHD_COPY + start_sshd + SSHD=$SSHD_ORIG +} + +# Do basic copy tests +copy_tests () +{ + rm -f ${COPY} + for p in 1 2; do + verbose "$tid: proto $p" + ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + rm -f ${COPY} + done +} + +verbose "test config passing" + +cp $OBJ/sshd_config $OBJ/sshd_config.orig +start_sshd +echo "InvalidXXX=no" >> $OBJ/sshd_config + +copy_tests + +$SUDO kill `cat $PIDFILE` +rm -f $PIDFILE + +cp $OBJ/sshd_config.orig $OBJ/sshd_config + +verbose "test reexec fallback" + +start_sshd_copy +rm -f $SSHD_COPY + +copy_tests + +$SUDO kill `cat $PIDFILE` +rm -f $PIDFILE + +verbose "test reexec fallback without privsep" + +cp $OBJ/sshd_config.orig $OBJ/sshd_config +echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config + +start_sshd_copy +rm -f $SSHD_COPY + +copy_tests + +$SUDO kill `cat $PIDFILE` +rm -f $PIDFILE + + diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/rekey.sh openssh-4.2p1/regress/rekey.sh --- ssh-openbsd-2005090100/regress/rekey.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/rekey.sh Mon Dec 20 12:35:43 2004 @@ -0,0 +1,32 @@ +# $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $ +# Placed in the Public Domain. + +tid="rekey during transfer data" + +DATA=${OBJ}/data +COPY=${OBJ}/copy +LOG=${OBJ}/log + +rm -f ${COPY} ${LOG} ${DATA} +touch ${DATA} +dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 + +for s in 16 1k 128k 256k; do + trace "rekeylimit ${s}" + rm -f ${COPY} + cat $DATA | \ + ${SSH} -oCompression=no -oRekeyLimit=$s \ + -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \ + 2> ${LOG} + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done +rm -f ${COPY} ${LOG} ${DATA} diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/rsa_openssh.prv openssh-4.2p1/regress/rsa_openssh.prv --- ssh-openbsd-2005090100/regress/rsa_openssh.prv Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/rsa_openssh.prv Wed May 1 13:17:34 2002 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko ++dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3 +xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB +An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7 +Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN +wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V +mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj +qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI +7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ +9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC +/ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg +PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr +dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i +-----END RSA PRIVATE KEY----- diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/rsa_openssh.pub openssh-4.2p1/regress/rsa_openssh.pub --- ssh-openbsd-2005090100/regress/rsa_openssh.pub Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/rsa_openssh.pub Wed May 1 13:17:34 2002 @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ== diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/rsa_ssh2.prv openssh-4.2p1/regress/rsa_ssh2.prv --- ssh-openbsd-2005090100/regress/rsa_ssh2.prv Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/rsa_ssh2.prv Wed May 1 13:17:34 2002 @@ -0,0 +1,16 @@ +---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- +Subject: ssh-keygen test +Comment: "1024-bit rsa, Sat Jun 23 2001 12:21:26 -0400" +P2/56wAAAi4AAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS +1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAB3wAAAdsAAAARAQABAAAD9icflXO8eQxtKonp +45gOxXCiZG9hsfkgRpiXXHpUBMhM28C72RR1Dg2xKm4xz7smP2Apm+Y7XLZgIpzQ/+I76L +95XQv7JCHVHDXyNBmWX7XZP4tmspFq/Tdg28zHSA3CpZjjwq3qG/b8395tDMpF7v34PS3Z +xOH3aFPvEQ0UsgEAAAQA7IpcCnGijesEjDXdVoEPfh0akBJA9JAk1bba2sxrtDoQVN1JKP +nRQ9SKdAsXV5jduSUFsTmBe4fznLvD948790U1/O8SkdGM5V0y1/ki7Rf8knm0t8Vj65X0 +VA4YdN4UeVfvMcb78vcInT2CsP6CLcBkrnjrBKtS03Mwg79nQI0AAAH/VdpOHYCMLPl/GF ++uRLMshY55Q6l+MdJ0jo0AdZrCCnxwa3YeVywwU0wsZyoTCdGMf6KYDr39PVxwRcGkJ7Ue +YgAAAgDWXpLlKafIgS3i0moMORZHD8D86us3xMW4b7GV2/AaP+En5TbOCR18CO0g/WfGiS +7zOLkP+TO9JW5QzEONIt6NAAACAQEaegYoWMBSQkLA7VWbOlSowelFlU6uo/2FSY+PM0nm +gE8UZ7j6HWGhJEU4DNo25m3yyxuposKTMHxt/OOqFmoB +---- END SSH2 ENCRYPTED PRIVATE KEY ---- +--- diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/runtests.sh openssh-4.2p1/regress/runtests.sh --- ssh-openbsd-2005090100/regress/runtests.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/runtests.sh Wed May 1 13:17:35 2002 @@ -0,0 +1,13 @@ +#!/bin/sh + +TEST_SSH_SSH=../ssh +TEST_SSH_SSHD=../sshd +TEST_SSH_SSHAGENT=../ssh-agent +TEST_SSH_SSHADD=../ssh-add +TEST_SSH_SSHKEYGEN=../ssh-keygen +TEST_SSH_SSHKEYSCAN=../ssh-keyscan +TEST_SSH_SFTP=../sftp +TEST_SSH_SFTPSERVER=../sftp-server + +pmake + diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/scp-ssh-wrapper.sh openssh-4.2p1/regress/scp-ssh-wrapper.sh --- ssh-openbsd-2005090100/regress/scp-ssh-wrapper.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/scp-ssh-wrapper.sh Wed Jun 16 20:15:59 2004 @@ -0,0 +1,54 @@ +#!/bin/sh +# $OpenBSD: scp-ssh-wrapper.sh,v 1.1 2004/06/13 13:51:02 dtucker Exp $ +# Placed in the Public Domain. + +printname () { + NAME=$1 + save_IFS=$IFS + IFS=/ + set -- `echo "$NAME"` + IFS="$save_IFS" + while [ $# -ge 1 ] ; do + if [ "x$1" != "x" ]; then + echo "D0755 0 $1" + fi + shift; + done +} + +# discard first 5 args +shift; shift; shift; shift; shift + +BAD="../../../../../../../../../../../../../${DIR}/dotpathdir" + +case "$SCPTESTMODE" in +badserver_0) + echo "D0755 0 /${DIR}/rootpathdir" + echo "C755 2 rootpathfile" + echo "X" + ;; +badserver_1) + echo "D0755 0 $BAD" + echo "C755 2 file" + echo "X" + ;; +badserver_2) + echo "D0755 0 $BAD" + echo "C755 2 file" + echo "X" + ;; +badserver_3) + printname $BAD + echo "C755 2 file" + echo "X" + ;; +badserver_4) + printname $BAD + echo "D0755 0 .." + echo "C755 2 file" + echo "X" + ;; +*) + exec $1 + ;; +esac diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/scp.sh openssh-4.2p1/regress/scp.sh --- ssh-openbsd-2005090100/regress/scp.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/scp.sh Tue Dec 7 11:26:15 2004 @@ -0,0 +1,95 @@ +# $OpenBSD: scp.sh,v 1.3 2004/07/08 12:59:35 dtucker Exp $ +# Placed in the Public Domain. + +tid="scp" + +#set -x + +# Figure out if diff understands "-N" +if diff -N ${SRC}/scp.sh ${SRC}/scp.sh 2>/dev/null; then + DIFFOPT="-rN" +else + DIFFOPT="-r" +fi + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +COPY2=${OBJ}/copy2 +DIR=${COPY}.dd +DIR2=${COPY}.dd2 + +SRC=`dirname ${SCRIPT}` +cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp +chmod 755 ${OBJ}/scp-ssh-wrapper.scp +scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp" + +scpclean() { + rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2} + mkdir ${DIR} ${DIR2} +} + +verbose "$tid: simple copy local file to remote file" +scpclean +$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed" +cmp ${DATA} ${COPY} || fail "corrupted copy" + +verbose "$tid: simple copy remote file to local file" +scpclean +$SCP $scpopts somehost:${DATA} ${COPY} || fail "copy failed" +cmp ${DATA} ${COPY} || fail "corrupted copy" + +verbose "$tid: simple copy local file to remote dir" +scpclean +cp ${DATA} ${COPY} +$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed" +cmp ${COPY} ${DIR}/copy || fail "corrupted copy" + +verbose "$tid: simple copy remote file to local dir" +scpclean +cp ${DATA} ${COPY} +$SCP $scpopts somehost:${COPY} ${DIR} || fail "copy failed" +cmp ${COPY} ${DIR}/copy || fail "corrupted copy" + +verbose "$tid: recursive local dir to remote dir" +scpclean +rm -rf ${DIR2} +cp ${DATA} ${DIR}/copy +$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed" +diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + +verbose "$tid: recursive remote dir to local dir" +scpclean +rm -rf ${DIR2} +cp ${DATA} ${DIR}/copy +$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed" +diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + +if [ ! -z "$SUDO" ]; then + verbose "$tid: skipped file after scp -p with failed chown+utimes" + scpclean + cp -p ${DATA} ${DIR}/copy + cp -p ${DATA} ${DIR}/copy2 + cp ${DATA} ${DIR2}/copy + chmod 660 ${DIR2}/copy + $SUDO chown root ${DIR2}/copy + $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1 + diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + $SUDO rm ${DIR2}/copy +fi + +for i in 0 1 2 3 4; do + verbose "$tid: disallow bad server #$i" + SCPTESTMODE=badserver_$i + export DIR SCPTESTMODE + scpclean + $SCP $scpopts somehost:${DATA} ${DIR} >/dev/null 2>/dev/null + [ -d {$DIR}/rootpathdir ] && fail "allows dir relative to root dir" + [ -d ${DIR}/dotpathdir ] && fail "allows dir creation in non-recursive mode" + + scpclean + $SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null + [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" +done + +scpclean +rm -f ${OBJ}/scp-ssh-wrapper.scp diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/sftp-badcmds.sh openssh-4.2p1/regress/sftp-badcmds.sh --- ssh-openbsd-2005090100/regress/sftp-badcmds.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/sftp-badcmds.sh Fri Feb 13 02:17:11 2004 @@ -0,0 +1,78 @@ +# $OpenBSD: sftp-badcmds.sh,v 1.2 2003/05/15 04:07:12 mouring Exp $ +# Placed in the Public Domain. + +tid="sftp invalid commands" + +DATA=/bin/ls${EXEEXT} +DATA2=/bin/sh${EXEEXT} +NONEXIST=/NONEXIST.$$ +COPY=${OBJ}/copy +GLOBFILES=`(cd /bin;echo l*)` + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd + +rm -f ${COPY} +verbose "$tid: get nonexistent" +echo "get $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get nonexistent failed" +test -f ${COPY} && fail "existing copy after get nonexistent" + +rm -f ${COPY}.dd/* +verbose "$tid: glob get to nonexistent directory" +echo "get /bin/l* $NONEXIST" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get nonexistent failed" +for x in $GLOBFILES; do + test -f ${COPY}.dd/$x && fail "existing copy after get nonexistent" +done + +rm -f ${COPY} +verbose "$tid: put nonexistent" +echo "put $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put nonexistent failed" +test -f ${COPY} && fail "existing copy after put nonexistent" + +rm -f ${COPY}.dd/* +verbose "$tid: glob put to nonexistent directory" +echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put nonexistent failed" +for x in $GLOBFILES; do + test -f ${COPY}.dd/$x && fail "existing copy after nonexistent" +done + +rm -f ${COPY} +verbose "$tid: rename nonexistent" +echo "rename $NONEXIST ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename nonexist failed" +test -f ${COPY}.1 && fail "file exists after rename nonexistent" + +rm -f ${COPY} ${COPY}.1 +cp $DATA $COPY +cp $DATA2 ${COPY}.1 +verbose "$tid: rename target exists" +echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename target exists failed" +test -f ${COPY} || fail "oldname missing after rename target exists" +test -f ${COPY}.1 || fail "newname missing after rename target exists" +cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists" +cmp $DATA2 ${COPY}.1 >/dev/null 2>&1 || fail "corrupted newname after rename target exists" + +rm -rf ${COPY} ${COPY}.dd +cp $DATA $COPY +mkdir ${COPY}.dd +verbose "$tid: rename target exists (directory)" +echo "rename $COPY ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename target exists (directory) failed" +test -f ${COPY} || fail "oldname missing after rename target exists (directory)" +test -d ${COPY}.dd || fail "newname missing after rename target exists (directory)" +cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists (directory)" + +rm -f ${COPY}.dd/* +rm -rf ${COPY} +cp ${DATA2} ${COPY} +verbose "$tid: glob put files to local file" +echo "put /bin/l* $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 +cmp ${DATA2} ${COPY} || fail "put successed when it should have failed" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd + + diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/sftp-batch.sh openssh-4.2p1/regress/sftp-batch.sh --- ssh-openbsd-2005090100/regress/sftp-batch.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/sftp-batch.sh Fri Jan 30 13:02:56 2004 @@ -0,0 +1,57 @@ +# $OpenBSD: sftp-batch.sh,v 1.3 2004/01/13 09:49:06 djm Exp $ +# Placed in the Public Domain. + +tid="sftp batchfile" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +BATCH=${OBJ}/sftp.bb + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* + +cat << EOF > ${BATCH}.pass.1 + get $DATA $COPY + put ${COPY} ${COPY}.1 + rm ${COPY} + -put ${COPY} ${COPY}.2 +EOF + +cat << EOF > ${BATCH}.pass.2 + # This is a comment + + # That was a blank line + ls +EOF + +cat << EOF > ${BATCH}.fail.1 + get $DATA $COPY + put ${COPY} ${COPY}.3 + rm ${COPY}.* + # The next command should fail + put ${COPY}.3 ${COPY}.4 +EOF + +cat << EOF > ${BATCH}.fail.2 + # The next command should fail + jajajajaja +EOF + +verbose "$tid: good commands" +${SFTP} -b ${BATCH}.pass.1 -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "good commands failed" + +verbose "$tid: bad commands" +${SFTP} -b ${BATCH}.fail.1 -P ${SFTPSERVER} >/dev/null 2>&1 \ + && fail "bad commands succeeded" + +verbose "$tid: comments and blanks" +${SFTP} -b ${BATCH}.pass.2 -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "comments & blanks failed" + +verbose "$tid: junk command" +${SFTP} -b ${BATCH}.fail.2 -P ${SFTPSERVER} >/dev/null 2>&1 \ + && fail "junk command succeeded" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* + + diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/sftp-cmds.sh openssh-4.2p1/regress/sftp-cmds.sh --- ssh-openbsd-2005090100/regress/sftp-cmds.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/sftp-cmds.sh Fri Apr 16 17:58:29 2004 @@ -0,0 +1,211 @@ +# $OpenBSD: sftp-cmds.sh,v 1.6 2003/10/07 07:04:52 djm Exp $ +# Placed in the Public Domain. + +# XXX - TODO: +# - chmod / chown / chgrp +# - -p flag for get & put + +tid="sftp commands" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +# test that these files are readable! +for i in `(cd /bin;echo l*)` +do + if [ -r $i ]; then + GLOBFILES="$GLOBFILES $i" + fi +done + +if have_prog uname +then + case `uname` in + CYGWIN*) + os=cygwin + ;; + *) + os=`uname` + ;; + esac +else + os="unknown" +fi + +# Path with embedded quote +QUOTECOPY=${COPY}".\"blah\"" +QUOTECOPY_ARG=${COPY}'.\"blah\"' + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 +mkdir ${COPY}.dd + +verbose "$tid: lls" +echo "lls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lls failed" +# XXX always successful + +verbose "$tid: ls" +echo "ls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "ls failed" +# XXX always successful + +verbose "$tid: shell" +echo "!echo hi there" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "shell failed" +# XXX always successful + +verbose "$tid: pwd" +echo "pwd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "pwd failed" +# XXX always successful + +verbose "$tid: lpwd" +echo "lpwd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lpwd failed" +# XXX always successful + +verbose "$tid: quit" +echo "quit" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "quit failed" +# XXX always successful + +verbose "$tid: help" +echo "help" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "help failed" +# XXX always successful + +rm -f ${COPY} +verbose "$tid: get" +echo "get $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY} || fail "corrupted copy after get" + +rm -f ${COPY} +verbose "$tid: get quoted" +echo "get \"$DATA\" $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY} || fail "corrupted copy after get" + +if [ "$os" != "cygwin" ]; then +rm -f ${QUOTECOPY} +cp $DATA ${QUOTECOPY} +verbose "$tid: get filename with quotes" +echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes" +rm -f ${QUOTECOPY} ${COPY} +fi + +rm -f ${COPY}.dd/* +verbose "$tid: get to directory" +echo "get $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" + +rm -f ${COPY}.dd/* +verbose "$tid: glob get to directory" +echo "get /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get" +done + +rm -f ${COPY}.dd/* +verbose "$tid: get to local dir" +(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" + +rm -f ${COPY}.dd/* +verbose "$tid: glob get to local dir" +(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get" +done + +rm -f ${COPY} +verbose "$tid: put" +echo "put $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp $DATA ${COPY} || fail "corrupted copy after put" + +if [ "$os" != "cygwin" ]; then +rm -f ${QUOTECOPY} +verbose "$tid: put filename with quotes" +echo "put $DATA \"$QUOTECOPY_ARG\"" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes" +fi + +rm -f ${COPY}.dd/* +verbose "$tid: put to directory" +echo "put $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" + +rm -f ${COPY}.dd/* +verbose "$tid: glob put to directory" +echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put" +done + +rm -f ${COPY}.dd/* +verbose "$tid: put to local dir" +(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" + +rm -f ${COPY}.dd/* +verbose "$tid: glob put to local dir" +(echo "cd ${COPY}.dd"; echo "put /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +for x in $GLOBFILES; do + cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put" +done + +verbose "$tid: rename" +echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename failed" +test -f ${COPY}.1 || fail "missing file after rename" +cmp $DATA ${COPY}.1 >/dev/null 2>&1 || fail "corrupted copy after rename" + +verbose "$tid: rename directory" +echo "rename ${COPY}.dd ${COPY}.dd2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rename directory failed" +test -d ${COPY}.dd && fail "oldname exists after rename directory" +test -d ${COPY}.dd2 || fail "missing newname after rename directory" + +verbose "$tid: ln" +echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed" +test -h ${COPY}.2 || fail "missing file after ln" + +verbose "$tid: mkdir" +echo "mkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "mkdir failed" +test -d ${COPY}.dd || fail "missing directory after mkdir" + +# XXX do more here +verbose "$tid: chdir" +echo "chdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "chdir failed" + +verbose "$tid: rmdir" +echo "rmdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "rmdir failed" +test -d ${COPY}.1 && fail "present directory after rmdir" + +verbose "$tid: lmkdir" +echo "lmkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lmkdir failed" +test -d ${COPY}.dd || fail "missing directory after lmkdir" + +# XXX do more here +verbose "$tid: lchdir" +echo "lchdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "lchdir failed" + +rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 + + diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/sftp-glob.sh openssh-4.2p1/regress/sftp-glob.sh --- ssh-openbsd-2005090100/regress/sftp-glob.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/sftp-glob.sh Mon Mar 7 18:25:54 2005 @@ -0,0 +1,28 @@ +# $OpenBSD: sftp-glob.sh,v 1.1 2004/12/10 01:31:30 fgsch Exp $ +# Placed in the Public Domain. + +tid="sftp glob" + +BASE=${OBJ}/glob +DIR=${BASE}/dir +DATA=${DIR}/file + +rm -rf ${BASE} +mkdir -p ${DIR} +touch ${DATA} + +verbose "$tid: ls file" +echo "ls -l ${DIR}/fil*" | ${SFTP} -P ${SFTPSERVER} 2>/dev/null | \ + grep ${DATA} >/dev/null 2>&1 +if [ $? -ne 0 ]; then + fail "globbed ls file failed" +fi + +verbose "$tid: ls dir" +echo "ls -l ${BASE}/d*" | ${SFTP} -P ${SFTPSERVER} 2>/dev/null | \ + grep file >/dev/null 2>&1 +if [ $? -ne 0 ]; then + fail "globbed ls dir failed" +fi + +rm -rf ${BASE} diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/sftp.sh openssh-4.2p1/regress/sftp.sh --- ssh-openbsd-2005090100/regress/sftp.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/sftp.sh Thu Sep 4 15:00:56 2003 @@ -0,0 +1,35 @@ +# $OpenBSD: sftp.sh,v 1.2 2002/03/27 22:39:52 markus Exp $ +# Placed in the Public Domain. + +tid="basic sftp put/get" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy + +SFTPCMDFILE=${OBJ}/batch +cat >$SFTPCMDFILE < /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "sftp failed with $r" + else + cmp $DATA ${COPY}.1 || fail "corrupted copy after get" + cmp $DATA ${COPY}.2 || fail "corrupted copy after put" + fi + done +done +rm -f ${COPY}.1 ${COPY}.2 +rm -f $SFTPCMDFILE diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/ssh-com-client.sh openssh-4.2p1/regress/ssh-com-client.sh --- ssh-openbsd-2005090100/regress/ssh-com-client.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/ssh-com-client.sh Sun Feb 29 20:33:51 2004 @@ -0,0 +1,134 @@ +# $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $ +# Placed in the Public Domain. + +tid="connect with ssh.com client" + +#TEST_COMBASE=/path/to/ssh/com/binaries +if [ "X${TEST_COMBASE}" = "X" ]; then + fatal '$TEST_COMBASE is not set' +fi + +VERSIONS=" + 2.1.0 + 2.2.0 + 2.3.0 + 2.3.1 + 2.4.0 + 3.0.0 + 3.1.0 + 3.2.0 + 3.2.2 + 3.2.3 + 3.2.5 + 3.2.9 + 3.2.9.1 + 3.3.0" + +# 2.0.10 2.0.12 2.0.13 don't like the test setup + +# setup authorized keys +SRC=`dirname ${SCRIPT}` +cp ${SRC}/dsa_ssh2.prv ${OBJ}/id.com +chmod 600 ${OBJ}/id.com +${SSHKEYGEN} -i -f ${OBJ}/id.com > $OBJ/id.openssh +chmod 600 ${OBJ}/id.openssh +${SSHKEYGEN} -y -f ${OBJ}/id.openssh > $OBJ/authorized_keys_$USER +${SSHKEYGEN} -e -f ${OBJ}/id.openssh > $OBJ/id.com.pub +echo IdKey ${OBJ}/id.com > ${OBJ}/id.list + +# we need a DSA host key +t=dsa +rm -f ${OBJ}/$t ${OBJ}/$t.pub +${SSHKEYGEN} -q -N '' -t $t -f ${OBJ}/$t +$SUDO cp $OBJ/$t $OBJ/host.$t +echo HostKey $OBJ/host.$t >> $OBJ/sshd_config + +# add hostkeys to known hosts +mkdir -p ${OBJ}/${USER}/hostkeys +HK=${OBJ}/${USER}/hostkeys/key_${PORT}_127.0.0.1 +${SSHKEYGEN} -e -f ${OBJ}/rsa.pub > ${HK}.ssh-rsa.pub +${SSHKEYGEN} -e -f ${OBJ}/dsa.pub > ${HK}.ssh-dss.pub + +cat > ${OBJ}/ssh2_config << EOF +*: + QuietMode yes + StrictHostKeyChecking yes + Port ${PORT} + User ${USER} + Host 127.0.0.1 + IdentityFile ${OBJ}/id.list + RandomSeedFile ${OBJ}/random_seed + UserConfigDirectory ${OBJ}/%U + AuthenticationSuccessMsg no + BatchMode yes + ForwardX11 no +EOF + +# we need a real server (no ProxyConnect option) +start_sshd + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +rm -f ${COPY} + +# go for it +for v in ${VERSIONS}; do + ssh2=${TEST_COMBASE}/${v}/ssh2 + if [ ! -x ${ssh2} ]; then + continue + fi + verbose "ssh2 ${v}" + key=ssh-dss + skipcat=0 + case $v in + 2.1.*|2.3.0) + skipcat=1 + ;; + 3.0.*) + key=ssh-rsa + ;; + esac + cp ${HK}.$key.pub ${HK}.pub + + # check exit status + ${ssh2} -q -F ${OBJ}/ssh2_config somehost exit 42 + r=$? + if [ $r -ne 42 ]; then + fail "ssh2 ${v} exit code test failed (got $r, expected 42)" + fi + + # data transfer + rm -f ${COPY} + ${ssh2} -F ${OBJ}/ssh2_config somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh2 ${v} cat test (receive) failed" + fi + cmp ${DATA} ${COPY} || fail "ssh2 ${v} cat test (receive) data mismatch" + + # data transfer, again + if [ $skipcat -eq 0 ]; then + rm -f ${COPY} + cat ${DATA} | \ + ${ssh2} -F ${OBJ}/ssh2_config host "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh2 ${v} cat test (send) failed" + fi + cmp ${DATA} ${COPY} || \ + fail "ssh2 ${v} cat test (send) data mismatch" + fi + + # no stderr after eof + rm -f ${COPY} + ${ssh2} -F ${OBJ}/ssh2_config somehost \ + exec sh -c \'"exec > /dev/null; sleep 1; echo bla 1>&2; exit 0"\' \ + 2> /dev/null + if [ $? -ne 0 ]; then + fail "ssh2 ${v} stderr test failed" + fi +done + +rm -rf ${OBJ}/${USER} +for i in ssh2_config random_seed dsa.pub dsa host.dsa \ + id.list id.com id.com.pub id.openssh; do + rm -f ${OBJ}/$i +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/ssh-com-keygen.sh openssh-4.2p1/regress/ssh-com-keygen.sh --- ssh-openbsd-2005090100/regress/ssh-com-keygen.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/ssh-com-keygen.sh Sun Feb 29 20:33:51 2004 @@ -0,0 +1,74 @@ +# $OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $ +# Placed in the Public Domain. + +tid="ssh.com key import" + +#TEST_COMBASE=/path/to/ssh/com/binaries +if [ "X${TEST_COMBASE}" = "X" ]; then + fatal '$TEST_COMBASE is not set' +fi + +VERSIONS=" + 2.0.10 + 2.0.12 + 2.0.13 + 2.1.0 + 2.2.0 + 2.3.0 + 2.3.1 + 2.4.0 + 3.0.0 + 3.1.0 + 3.2.0 + 3.2.2 + 3.2.3 + 3.2.5 + 3.2.9 + 3.2.9.1 + 3.3.0" + +COMPRV=${OBJ}/comkey +COMPUB=${COMPRV}.pub +OPENSSHPRV=${OBJ}/opensshkey +OPENSSHPUB=${OPENSSHPRV}.pub + +# go for it +for v in ${VERSIONS}; do + keygen=${TEST_COMBASE}/${v}/ssh-keygen2 + if [ ! -x ${keygen} ]; then + continue + fi + types="dss" + case $v in + 2.3.1|3.*) + types="$types rsa" + ;; + esac + for t in $types; do + verbose "ssh-keygen $v/$t" + rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB + ${keygen} -q -P -t $t ${COMPRV} > /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "${keygen} -t $t failed" + continue + fi + ${SSHKEYGEN} -if ${COMPUB} > ${OPENSSHPUB} + if [ $? -ne 0 ]; then + fail "import public key ($v/$t) failed" + continue + fi + ${SSHKEYGEN} -if ${COMPRV} > ${OPENSSHPRV} + if [ $? -ne 0 ]; then + fail "import private key ($v/$t) failed" + continue + fi + chmod 600 ${OPENSSHPRV} + ${SSHKEYGEN} -yf ${OPENSSHPRV} |\ + diff - ${OPENSSHPUB} + if [ $? -ne 0 ]; then + fail "public keys ($v/$t) differ" + fi + done +done + +rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/ssh-com-sftp.sh openssh-4.2p1/regress/ssh-com-sftp.sh --- ssh-openbsd-2005090100/regress/ssh-com-sftp.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/ssh-com-sftp.sh Sun Feb 29 20:33:51 2004 @@ -0,0 +1,67 @@ +# $OpenBSD: ssh-com-sftp.sh,v 1.5 2004/02/24 17:06:52 markus Exp $ +# Placed in the Public Domain. + +tid="basic sftp put/get with ssh.com server" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +SFTPCMDFILE=${OBJ}/batch + +cat >$SFTPCMDFILE < /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then + fail "sftp failed with $r" + else + cmp $DATA ${COPY}.1 || fail "corrupted copy after get" + cmp $DATA ${COPY}.2 || fail "corrupted copy after put" + fi + done + done +done +rm -f ${COPY}.1 ${COPY}.2 +rm -f $SFTPCMDFILE diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/ssh-com.sh openssh-4.2p1/regress/ssh-com.sh --- ssh-openbsd-2005090100/regress/ssh-com.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/ssh-com.sh Sun Feb 29 20:33:51 2004 @@ -0,0 +1,119 @@ +# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $ +# Placed in the Public Domain. + +tid="connect to ssh.com server" + +#TEST_COMBASE=/path/to/ssh/com/binaries +if [ "X${TEST_COMBASE}" = "X" ]; then + fatal '$TEST_COMBASE is not set' +fi + +VERSIONS=" + 2.0.12 + 2.0.13 + 2.1.0 + 2.2.0 + 2.3.0 + 2.4.0 + 3.0.0 + 3.1.0 + 3.2.0 + 3.2.2 + 3.2.3 + 3.2.5 + 3.2.9 + 3.2.9.1 + 3.3.0" +# 2.0.10 does not support UserConfigDirectory +# 2.3.1 requires a config in $HOME/.ssh2 + +SRC=`dirname ${SCRIPT}` + +# ssh.com +cat << EOF > $OBJ/sshd2_config +#*: + # Port and ListenAddress are not used. + QuietMode yes + Port 4343 + ListenAddress 127.0.0.1 + UserConfigDirectory ${OBJ}/%U + Ciphers AnyCipher + PubKeyAuthentication yes + #AllowedAuthentications publickey + AuthorizationFile authorization + HostKeyFile ${SRC}/dsa_ssh2.prv + PublicHostKeyFile ${SRC}/dsa_ssh2.pub + RandomSeedFile ${OBJ}/random_seed + MaxConnections 0 + PermitRootLogin yes + VerboseMode no + CheckMail no + Ssh1Compatibility no +EOF + +# create client config +sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \ + < $OBJ/ssh_config > $OBJ/ssh_config_com + +# we need a DSA key for +rm -f ${OBJ}/dsa ${OBJ}/dsa.pub +${SSHKEYGEN} -q -N '' -t dsa -f ${OBJ}/dsa + +# setup userdir, try rsa first +mkdir -p ${OBJ}/${USER} +cp /dev/null ${OBJ}/${USER}/authorization +for t in rsa dsa; do + ${SSHKEYGEN} -e -f ${OBJ}/$t.pub > ${OBJ}/${USER}/$t.com + echo Key $t.com >> ${OBJ}/${USER}/authorization + echo IdentityFile ${OBJ}/$t >> ${OBJ}/ssh_config_com +done + +# convert and append DSA hostkey +( + echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub +) >> $OBJ/known_hosts + +# go for it +for v in ${VERSIONS}; do + sshd2=${TEST_COMBASE}/${v}/sshd2 + if [ ! -x ${sshd2} ]; then + continue + fi + trace "sshd2 ${v}" + PROXY="proxycommand ${sshd2} -qif ${OBJ}/sshd2_config 2> /dev/null" + ${SSH} -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0 + if [ $? -ne 0 ]; then + fail "ssh connect to sshd2 ${v} failed" + fi + + ciphers="3des-cbc blowfish-cbc arcfour" + macs="hmac-md5" + case $v in + 2.4.*) + ciphers="$ciphers cast128-cbc" + macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96" + ;; + 3.*) + ciphers="$ciphers aes128-cbc cast128-cbc" + macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96" + ;; + esac + #ciphers="3des-cbc" + for m in $macs; do + for c in $ciphers; do + trace "sshd2 ${v} cipher $c mac $m" + verbose "test ${tid}: sshd2 ${v} cipher $c mac $m" + ${SSH} -c $c -m $m -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0 + if [ $? -ne 0 ]; then + fail "ssh connect to sshd2 ${v} with $c/$m failed" + fi + done + done +done + +rm -rf ${OBJ}/${USER} +for i in sshd_config_proxy ssh_config_proxy random_seed \ + sshd2_config dsa.pub dsa ssh_config_com; do + rm -f ${OBJ}/$i +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/sshd-log-wrapper.sh openssh-4.2p1/regress/sshd-log-wrapper.sh --- ssh-openbsd-2005090100/regress/sshd-log-wrapper.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/sshd-log-wrapper.sh Mon Mar 7 18:33:02 2005 @@ -0,0 +1,13 @@ +#!/bin/sh +# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $ +# Placed in the Public Domain. +# +# simple wrapper for sshd proxy mode to catch stderr output +# sh sshd-log-wrapper.sh /path/to/sshd /path/to/logfile + +sshd=$1 +log=$2 +shift +shift + +exec $sshd $@ -e 2>>$log diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/stderr-after-eof.sh openssh-4.2p1/regress/stderr-after-eof.sh --- ssh-openbsd-2005090100/regress/stderr-after-eof.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/stderr-after-eof.sh Fri Sep 12 15:32:17 2003 @@ -0,0 +1,40 @@ +# $OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $ +# Placed in the Public Domain. + +tid="stderr data after eof" + +DATA=/etc/motd +DATA=${OBJ}/data +COPY=${OBJ}/copy + +if have_prog md5sum; then + CHECKSUM=md5sum +elif have_prog openssl; then + CHECKSUM="openssl md5" +elif have_prog cksum; then + CHECKSUM=cksum +elif have_prog sum; then + CHECKSUM=sum +else + fatal "No checksum program available, aborting $tid test" +fi + +# setup data +rm -f ${DATA} ${COPY} +cp /dev/null ${DATA} +for i in 1 2 3 4 5 6; do + (date;echo $i) | $CHECKSUM >> ${DATA} +done + +${SSH} -2 -F $OBJ/ssh_proxy otherhost \ + exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ + 2> ${COPY} +r=$? +if [ $r -ne 0 ]; then + fail "ssh failed with exit code $r" +fi +egrep 'Disconnecting: Received extended_data after EOF' ${COPY} && + fail "ext data received after eof" +cmp ${DATA} ${COPY} || fail "stderr corrupt" + +rm -f ${DATA} ${COPY} diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/stderr-data.sh openssh-4.2p1/regress/stderr-data.sh --- ssh-openbsd-2005090100/regress/stderr-data.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/stderr-data.sh Thu Sep 4 14:54:40 2003 @@ -0,0 +1,33 @@ +# $OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $ +# Placed in the Public Domain. + +tid="stderr data transfer" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy +rm -f ${COPY} + +for n in '' -n; do +for p in 1 2; do + verbose "test $tid: proto $p ($n)" + ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ + exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + 2> ${COPY} + r=$? + if [ $r -ne 0 ]; then + fail "ssh failed with exit code $r" + fi + cmp ${DATA} ${COPY} || fail "stderr corrupt" + rm -f ${COPY} + + ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ + exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + > /dev/null 2> ${COPY} + r=$? + if [ $r -ne 0 ]; then + fail "ssh failed with exit code $r" + fi + cmp ${DATA} ${COPY} || fail "stderr corrupt" + rm -f ${COPY} +done +done diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/t4.ok openssh-4.2p1/regress/t4.ok --- ssh-openbsd-2005090100/regress/t4.ok Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/t4.ok Wed May 1 13:17:35 2002 @@ -0,0 +1 @@ +3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/t5.ok openssh-4.2p1/regress/t5.ok --- ssh-openbsd-2005090100/regress/t5.ok Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/t5.ok Wed May 1 13:17:35 2002 @@ -0,0 +1 @@ +xokes-lylis-byleh-zebib-kalus-bihas-tevah-haroz-suhar-foved-noxex diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/test-exec.sh openssh-4.2p1/regress/test-exec.sh --- ssh-openbsd-2005090100/regress/test-exec.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/test-exec.sh Tue Aug 23 23:32:05 2005 @@ -0,0 +1,304 @@ +# $OpenBSD: test-exec.sh,v 1.27 2005/02/27 11:33:30 dtucker Exp $ +# Placed in the Public Domain. + +#SUDO=sudo + +# Unbreak GNU head(1) +_POSIX2_VERSION=199209 +export _POSIX2_VERSION + +case `uname -s 2>/dev/null` in +OSF1*) + BIN_SH=xpg4 + export BIN_SH + ;; +esac + +if [ ! -z "$TEST_SSH_PORT" ]; then + PORT="$TEST_SSH_PORT" +else + PORT=4242 +fi + +if [ -x /usr/ucb/whoami ]; then + USER=`/usr/ucb/whoami` +elif whoami >/dev/null 2>&1; then + USER=`whoami` +else + USER=`id -un` +fi + +OBJ=$1 +if [ "x$OBJ" = "x" ]; then + echo '$OBJ not defined' + exit 2 +fi +if [ ! -d $OBJ ]; then + echo "not a directory: $OBJ" + exit 2 +fi +SCRIPT=$2 +if [ "x$SCRIPT" = "x" ]; then + echo '$SCRIPT not defined' + exit 2 +fi +if [ ! -f $SCRIPT ]; then + echo "not a file: $SCRIPT" + exit 2 +fi +if $TEST_SHELL -n $SCRIPT; then + true +else + echo "syntax error in $SCRIPT" + exit 2 +fi +unset SSH_AUTH_SOCK + +SRC=`dirname ${SCRIPT}` + +# defaults +SSH=ssh +SSHD=sshd +SSHAGENT=ssh-agent +SSHADD=ssh-add +SSHKEYGEN=ssh-keygen +SSHKEYSCAN=ssh-keyscan +SFTP=sftp +SFTPSERVER=/usr/libexec/openssh/sftp-server +SCP=scp + +if [ "x$TEST_SSH_SSH" != "x" ]; then + SSH="${TEST_SSH_SSH}" +fi +if [ "x$TEST_SSH_SSHD" != "x" ]; then + SSHD="${TEST_SSH_SSHD}" +fi +if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then + SSHAGENT="${TEST_SSH_SSHAGENT}" +fi +if [ "x$TEST_SSH_SSHADD" != "x" ]; then + SSHADD="${TEST_SSH_SSHADD}" +fi +if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then + SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" +fi +if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then + SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" +fi +if [ "x$TEST_SSH_SFTP" != "x" ]; then + SFTP="${TEST_SSH_SFTP}" +fi +if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then + SFTPSERVER="${TEST_SSH_SFTPSERVER}" +fi +if [ "x$TEST_SSH_SCP" != "x" ]; then + SCP="${TEST_SSH_SCP}" +fi + +# Path to sshd must be absolute for rexec +case "$SSHD" in +/*) ;; +*) SSHD=`which sshd` ;; +esac + +if [ "x$TEST_SSH_LOGFILE" = "x" ]; then + TEST_SSH_LOGFILE=/dev/null +fi + +# these should be used in tests +export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP +#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP + +# helper +echon() +{ + if [ "x`echo -n`" = "x" ]; then + echo -n "$@" + elif [ "x`echo '\c'`" = "x" ]; then + echo "$@\c" + else + fatal "Don't know how to echo without newline." + fi +} + +have_prog() +{ + saved_IFS="$IFS" + IFS=":" + for i in $PATH + do + if [ -x $i/$1 ]; then + IFS="$saved_IFS" + return 0 + fi + done + IFS="$saved_IFS" + return 1 +} + +cleanup () +{ + if [ -f $PIDFILE ]; then + pid=`cat $PIDFILE` + if [ "X$pid" = "X" ]; then + echo no sshd running + else + if [ $pid -lt 2 ]; then + echo bad pid for ssd: $pid + else + $SUDO kill $pid + fi + fi + fi +} + +trace () +{ + echo "trace: $@" >>$TEST_SSH_LOGFILE + if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then + echo "$@" + fi +} + +verbose () +{ + echo "verbose: $@" >>$TEST_SSH_LOGFILE + if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then + echo "$@" + fi +} + + +fail () +{ + echo "FAIL: $@" >>$TEST_SSH_LOGFILE + RESULT=1 + echo "$@" +} + +fatal () +{ + echo "FATAL: $@" >>$TEST_SSH_LOGFILE + echon "FATAL: " + fail "$@" + cleanup + exit $RESULT +} + +RESULT=0 +PIDFILE=$OBJ/pidfile + +trap fatal 3 2 + +# create server config +cat << EOF > $OBJ/sshd_config + StrictModes no + Port $PORT + ListenAddress 127.0.0.1 + #ListenAddress ::1 + PidFile $PIDFILE + AuthorizedKeysFile $OBJ/authorized_keys_%u + LogLevel VERBOSE + AcceptEnv _XXX_TEST_* + AcceptEnv _XXX_TEST + Subsystem sftp $SFTPSERVER +EOF + +if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then + trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS" + echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config +fi + +# server config for proxy connects +cp $OBJ/sshd_config $OBJ/sshd_proxy + +# allow group-writable directories in proxy-mode +echo 'StrictModes no' >> $OBJ/sshd_proxy + +# create client config +cat << EOF > $OBJ/ssh_config +Host * + Hostname 127.0.0.1 + HostKeyAlias localhost-with-alias + Port $PORT + User $USER + GlobalKnownHostsFile $OBJ/known_hosts + UserKnownHostsFile $OBJ/known_hosts + RSAAuthentication yes + PubkeyAuthentication yes + ChallengeResponseAuthentication no + HostbasedAuthentication no + PasswordAuthentication no + BatchMode yes + StrictHostKeyChecking yes +EOF + +if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then + trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS" + echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config +fi + +rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER + +trace "generate keys" +for t in rsa rsa1; do + # generate user key + rm -f $OBJ/$t + ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ + fail "ssh-keygen for $t failed" + + # known hosts file for client + ( + echon 'localhost-with-alias,127.0.0.1,::1 ' + cat $OBJ/$t.pub + ) >> $OBJ/known_hosts + + # setup authorized keys + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + echo IdentityFile $OBJ/$t >> $OBJ/ssh_config + + # use key as host key, too + $SUDO cp $OBJ/$t $OBJ/host.$t + echo HostKey $OBJ/host.$t >> $OBJ/sshd_config + + # don't use SUDO for proxy connect + echo HostKey $OBJ/$t >> $OBJ/sshd_proxy +done +chmod 644 $OBJ/authorized_keys_$USER + +# create a proxy version of the client config +( + cat $OBJ/ssh_config + echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy +) > $OBJ/ssh_proxy + +# check proxy config +${SSHD} -t -f $OBJ/sshd_proxy || fatal "sshd_proxy broken" + +start_sshd () +{ + # start sshd + $SUDO ${SSHD} -f $OBJ/sshd_config -t || fatal "sshd_config broken" + $SUDO ${SSHD} -f $OBJ/sshd_config -e >>$TEST_SSH_LOGFILE 2>&1 + + trace "wait for sshd" + i=0; + while [ ! -f $PIDFILE -a $i -lt 10 ]; do + i=`expr $i + 1` + sleep $i + done + + test -f $PIDFILE || fatal "no sshd running on port $PORT" +} + +# source test body +. $SCRIPT + +# kill sshd +cleanup +if [ $RESULT -eq 0 ]; then + verbose ok $tid +else + echo failed $tid +fi +exit $RESULT diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/transfer.sh openssh-4.2p1/regress/transfer.sh --- ssh-openbsd-2005090100/regress/transfer.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/transfer.sh Thu Sep 4 14:54:40 2003 @@ -0,0 +1,29 @@ +# $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $ +# Placed in the Public Domain. + +tid="transfer data" + +DATA=/bin/ls${EXEEXT} +COPY=${OBJ}/copy + +for p in 1 2; do + verbose "$tid: proto $p" + rm -f ${COPY} + ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + + for s in 10 100 1k 32k 64k 128k 256k; do + trace "proto $p dd-size ${s}" + rm -f ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + done +done +rm -f ${COPY} diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/try-ciphers.sh openssh-4.2p1/regress/try-ciphers.sh --- ssh-openbsd-2005090100/regress/try-ciphers.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/try-ciphers.sh Wed Jun 23 13:53:02 2004 @@ -0,0 +1,48 @@ +# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $ +# Placed in the Public Domain. + +tid="try ciphers" + +ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour + aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se + aes128-ctr aes192-ctr aes256-ctr" +macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96" + +for c in $ciphers; do + for m in $macs; do + trace "proto 2 cipher $c mac $m" + verbose "test $tid: proto 2 cipher $c mac $m" + ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true + if [ $? -ne 0 ]; then + fail "ssh -2 failed with mac $m cipher $c" + fi + done +done + +ciphers="3des blowfish" +for c in $ciphers; do + trace "proto 1 cipher $c" + verbose "test $tid: proto 1 cipher $c" + ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true + if [ $? -ne 0 ]; then + fail "ssh -1 failed with cipher $c" + fi +done + +if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null +then + : +else + +echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy +c=acss@openssh.org +for m in $macs; do + trace "proto 2 $c mac $m" + verbose "test $tid: proto 2 cipher $c mac $m" + ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true + if [ $? -ne 0 ]; then + fail "ssh -2 failed with mac $m cipher $c" + fi +done + +fi diff -ruN --exclude CVS ssh-openbsd-2005090100/regress/yes-head.sh openssh-4.2p1/regress/yes-head.sh --- ssh-openbsd-2005090100/regress/yes-head.sh Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/regress/yes-head.sh Sat Sep 13 06:21:14 2003 @@ -0,0 +1,15 @@ +# $OpenBSD: yes-head.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# Placed in the Public Domain. + +tid="yes pipe head" + +for p in 1 2; do + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)` + if [ $? -ne 0 ]; then + fail "yes|head test failed" + lines = 0; + fi + if [ $lines -ne 2000 ]; then + fail "yes|head returns $lines lines instead of 2000" + fi +done diff -ruN --exclude CVS ssh-openbsd-2005090100/rijndael.c openssh-4.2p1/rijndael.c --- ssh-openbsd-2005090100/rijndael.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/rijndael.c Thu Jun 24 00:33:49 2004 @@ -0,0 +1,1244 @@ +/* $OpenBSD: rijndael.c,v 1.16 2004/06/23 00:39:38 mouring Exp $ */ + +/** + * rijndael-alg-fst.c + * + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen + * @author Antoon Bosselaers + * @author Paulo Barreto + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#include "includes.h" + +#include +#include + +#include "rijndael.h" + +#define FULL_UNROLL + +/* +Te0[x] = S [x].[02, 01, 01, 03]; +Te1[x] = S [x].[03, 02, 01, 01]; +Te2[x] = S [x].[01, 03, 02, 01]; +Te3[x] = S [x].[01, 01, 03, 02]; +Te4[x] = S [x].[01, 01, 01, 01]; + +Td0[x] = Si[x].[0e, 09, 0d, 0b]; +Td1[x] = Si[x].[0b, 0e, 09, 0d]; +Td2[x] = Si[x].[0d, 0b, 0e, 09]; +Td3[x] = Si[x].[09, 0d, 0b, 0e]; +Td4[x] = Si[x].[01, 01, 01, 01]; +*/ + +static const u32 Te0[256] = { + 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, + 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, + 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU, + 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, + 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U, + 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU, + 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU, + 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU, + 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU, + 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU, + 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U, + 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU, + 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU, + 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U, + 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU, + 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU, + 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU, + 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU, + 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU, + 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U, + 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU, + 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU, + 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU, + 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU, + 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U, + 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U, + 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U, + 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U, + 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU, + 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U, + 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U, + 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU, + 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU, + 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U, + 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U, + 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U, + 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU, + 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U, + 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU, + 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U, + 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU, + 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U, + 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U, + 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU, + 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U, + 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U, + 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U, + 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U, + 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U, + 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U, + 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U, + 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U, + 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU, + 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U, + 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U, + 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U, + 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U, + 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U, + 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U, + 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU, + 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U, + 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U, + 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, + 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, +}; +static const u32 Te1[256] = { + 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU, + 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U, + 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU, + 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U, + 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU, + 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U, + 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU, + 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U, + 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U, + 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU, + 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U, + 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U, + 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U, + 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU, + 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U, + 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U, + 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU, + 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U, + 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U, + 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U, + 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU, + 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU, + 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U, + 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU, + 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU, + 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U, + 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU, + 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U, + 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU, + 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U, + 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U, + 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U, + 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU, + 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U, + 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU, + 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U, + 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU, + 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U, + 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U, + 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU, + 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU, + 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU, + 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U, + 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U, + 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU, + 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U, + 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU, + 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U, + 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU, + 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U, + 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU, + 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU, + 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U, + 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU, + 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U, + 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU, + 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U, + 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U, + 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U, + 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU, + 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU, + 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U, + 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU, + 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U, +}; +static const u32 Te2[256] = { + 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU, + 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U, + 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU, + 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U, + 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU, + 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U, + 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU, + 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U, + 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U, + 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU, + 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U, + 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U, + 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U, + 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU, + 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U, + 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U, + 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU, + 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U, + 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U, + 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U, + 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU, + 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU, + 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U, + 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU, + 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU, + 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U, + 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU, + 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U, + 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU, + 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U, + 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U, + 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U, + 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU, + 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U, + 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU, + 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U, + 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU, + 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U, + 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U, + 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU, + 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU, + 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU, + 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U, + 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U, + 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU, + 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U, + 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU, + 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U, + 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU, + 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U, + 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU, + 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU, + 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U, + 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU, + 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U, + 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU, + 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U, + 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U, + 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U, + 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU, + 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU, + 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U, + 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU, + 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U, +}; +static const u32 Te3[256] = { + + 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, + 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, + 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U, + 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, + 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU, + 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU, + 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U, + 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU, + 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU, + 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U, + 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U, + 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU, + 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU, + 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU, + 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU, + 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU, + 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U, + 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU, + 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU, + 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U, + 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U, + 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U, + 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U, + 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U, + 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU, + 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U, + 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU, + 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU, + 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U, + 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U, + 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U, + 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU, + 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U, + 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU, + 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU, + 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U, + 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U, + 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU, + 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U, + 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU, + 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U, + 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U, + 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U, + 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U, + 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU, + 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U, + 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU, + 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U, + 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU, + 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U, + 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU, + 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU, + 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU, + 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU, + 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U, + 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U, + 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U, + 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U, + 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U, + 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U, + 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU, + 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U, + 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, + 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, +}; +static const u32 Te4[256] = { + 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU, + 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U, + 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU, + 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U, + 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU, + 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U, + 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU, + 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U, + 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U, + 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU, + 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U, + 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U, + 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U, + 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU, + 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U, + 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U, + 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU, + 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U, + 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U, + 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U, + 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU, + 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU, + 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U, + 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU, + 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU, + 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U, + 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU, + 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U, + 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU, + 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U, + 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U, + 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U, + 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU, + 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U, + 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU, + 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U, + 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU, + 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U, + 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U, + 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU, + 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU, + 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU, + 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U, + 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U, + 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU, + 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U, + 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU, + 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U, + 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU, + 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U, + 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU, + 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU, + 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U, + 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU, + 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U, + 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU, + 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U, + 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U, + 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U, + 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU, + 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU, + 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U, + 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU, + 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U, +}; +static const u32 Td0[256] = { + 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, + 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U, + 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U, + 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU, + 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U, + 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U, + 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU, + 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U, + 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU, + 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U, + 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U, + 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U, + 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U, + 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU, + 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U, + 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU, + 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U, + 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU, + 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U, + 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U, + 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U, + 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU, + 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U, + 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU, + 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U, + 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU, + 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U, + 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU, + 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU, + 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U, + 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU, + 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U, + 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU, + 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U, + 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U, + 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U, + 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU, + 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U, + 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U, + 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU, + 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U, + 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U, + 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U, + 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U, + 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U, + 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU, + 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U, + 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U, + 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U, + 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U, + 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U, + 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU, + 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU, + 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU, + 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU, + 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U, + 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U, + 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU, + 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU, + 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U, + 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU, + 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U, + 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U, + 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U, +}; +static const u32 Td1[256] = { + 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU, + 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U, + 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU, + 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U, + 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U, + 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U, + 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U, + 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U, + 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U, + 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU, + 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU, + 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU, + 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U, + 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU, + 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U, + 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U, + 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U, + 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU, + 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU, + 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U, + 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU, + 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U, + 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU, + 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU, + 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U, + 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U, + 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U, + 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU, + 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U, + 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU, + 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U, + 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U, + 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U, + 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU, + 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U, + 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U, + 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U, + 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U, + 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U, + 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U, + 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU, + 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU, + 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U, + 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU, + 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U, + 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU, + 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU, + 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U, + 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU, + 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U, + 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U, + 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U, + 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U, + 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U, + 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U, + 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U, + 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU, + 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U, + 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U, + 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU, + 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U, + 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U, + 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U, + 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U, +}; +static const u32 Td2[256] = { + 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U, + 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U, + 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U, + 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U, + 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU, + 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U, + 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U, + 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U, + 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U, + 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU, + 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U, + 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U, + 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU, + 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U, + 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U, + 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U, + 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U, + 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U, + 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U, + 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU, + + 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U, + 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U, + 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U, + 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U, + 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U, + 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU, + 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU, + 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U, + 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU, + 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U, + 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU, + 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU, + 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU, + 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU, + 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U, + 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U, + 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U, + 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U, + 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U, + 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U, + 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U, + 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU, + 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU, + 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U, + 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U, + 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU, + 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU, + 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U, + 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U, + 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U, + 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U, + 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U, + 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U, + 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U, + 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU, + 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U, + 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U, + 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U, + 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U, + 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U, + 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U, + 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU, + 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U, + 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U, +}; +static const u32 Td3[256] = { + 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU, + 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU, + 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U, + 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U, + 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU, + 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU, + 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U, + 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU, + 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U, + 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU, + 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U, + 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U, + 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U, + 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U, + 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U, + 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU, + 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU, + 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U, + 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U, + 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU, + 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU, + 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U, + 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U, + 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U, + 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U, + 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU, + 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U, + 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U, + 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU, + 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU, + 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U, + 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U, + 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U, + 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU, + 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U, + 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U, + 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U, + 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U, + 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U, + 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U, + 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U, + 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU, + 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U, + 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U, + 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU, + 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU, + 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U, + 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU, + 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U, + 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U, + 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U, + 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U, + 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U, + 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U, + 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU, + 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU, + 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU, + 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU, + 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U, + 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U, + 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U, + 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU, + 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U, + 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U, +}; +static const u32 Td4[256] = { + 0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U, + 0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U, + 0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU, + 0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU, + 0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U, + 0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U, + 0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U, + 0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU, + 0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U, + 0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU, + 0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU, + 0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU, + 0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U, + 0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U, + 0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U, + 0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U, + 0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U, + 0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U, + 0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU, + 0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U, + 0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U, + 0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU, + 0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U, + 0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U, + 0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U, + 0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU, + 0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U, + 0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U, + 0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU, + 0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U, + 0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U, + 0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU, + 0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U, + 0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU, + 0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU, + 0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U, + 0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U, + 0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U, + 0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U, + 0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU, + 0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U, + 0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U, + 0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU, + 0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU, + 0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU, + 0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U, + 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU, + 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U, + 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U, + 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U, + 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U, + 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU, + 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U, + 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU, + 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU, + 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU, + 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU, + 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U, + 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU, + 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U, + 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU, + 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U, + 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U, + 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU, +}; +static const u32 rcon[] = { + 0x01000000, 0x02000000, 0x04000000, 0x08000000, + 0x10000000, 0x20000000, 0x40000000, 0x80000000, + 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */ +}; + +#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] << 8) ^ ((u32)(pt)[3])) +#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); } + +/** + * Expand the cipher key into the encryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) { + int i = 0; + u32 temp; + + rk[0] = GETU32(cipherKey ); + rk[1] = GETU32(cipherKey + 4); + rk[2] = GETU32(cipherKey + 8); + rk[3] = GETU32(cipherKey + 12); + if (keyBits == 128) { + for (;;) { + temp = rk[3]; + rk[4] = rk[0] ^ + (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te4[(temp ) & 0xff] & 0x0000ff00) ^ + (Te4[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[5] = rk[1] ^ rk[4]; + rk[6] = rk[2] ^ rk[5]; + rk[7] = rk[3] ^ rk[6]; + if (++i == 10) { + return 10; + } + rk += 4; + } + } + rk[4] = GETU32(cipherKey + 16); + rk[5] = GETU32(cipherKey + 20); + if (keyBits == 192) { + for (;;) { + temp = rk[ 5]; + rk[ 6] = rk[ 0] ^ + (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te4[(temp ) & 0xff] & 0x0000ff00) ^ + (Te4[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[ 7] = rk[ 1] ^ rk[ 6]; + rk[ 8] = rk[ 2] ^ rk[ 7]; + rk[ 9] = rk[ 3] ^ rk[ 8]; + if (++i == 8) { + return 12; + } + rk[10] = rk[ 4] ^ rk[ 9]; + rk[11] = rk[ 5] ^ rk[10]; + rk += 6; + } + } + rk[6] = GETU32(cipherKey + 24); + rk[7] = GETU32(cipherKey + 28); + if (keyBits == 256) { + for (;;) { + temp = rk[ 7]; + rk[ 8] = rk[ 0] ^ + (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ + (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^ + (Te4[(temp ) & 0xff] & 0x0000ff00) ^ + (Te4[(temp >> 24) ] & 0x000000ff) ^ + rcon[i]; + rk[ 9] = rk[ 1] ^ rk[ 8]; + rk[10] = rk[ 2] ^ rk[ 9]; + rk[11] = rk[ 3] ^ rk[10]; + if (++i == 7) { + return 14; + } + temp = rk[11]; + rk[12] = rk[ 4] ^ + (Te4[(temp >> 24) ] & 0xff000000) ^ + (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(temp ) & 0xff] & 0x000000ff); + rk[13] = rk[ 5] ^ rk[12]; + rk[14] = rk[ 6] ^ rk[13]; + rk[15] = rk[ 7] ^ rk[14]; + rk += 8; + } + } + return 0; +} + +/** + * Expand the cipher key into the decryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +static int +rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits, + int have_encrypt) { + int Nr, i, j; + u32 temp; + + if (have_encrypt) { + Nr = have_encrypt; + } else { + /* expand the cipher key: */ + Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits); + } + /* invert the order of the round keys: */ + for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) { + temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; + temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; + temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; + temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; + } + /* apply the inverse MixColumn transform to all round keys but the first and the last: */ + for (i = 1; i < Nr; i++) { + rk += 4; + rk[0] = + Td0[Te4[(rk[0] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[0] ) & 0xff] & 0xff]; + rk[1] = + Td0[Te4[(rk[1] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[1] ) & 0xff] & 0xff]; + rk[2] = + Td0[Te4[(rk[2] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[2] ) & 0xff] & 0xff]; + rk[3] = + Td0[Te4[(rk[3] >> 24) ] & 0xff] ^ + Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^ + Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^ + Td3[Te4[(rk[3] ) & 0xff] & 0xff]; + } + return Nr; +} + +static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]) { + u32 s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(pt ) ^ rk[0]; + s1 = GETU32(pt + 4) ^ rk[1]; + s2 = GETU32(pt + 8) ^ rk[2]; + s3 = GETU32(pt + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Te0[(s0 >> 24) ] ^ + Te1[(s1 >> 16) & 0xff] ^ + Te2[(s2 >> 8) & 0xff] ^ + Te3[(s3 ) & 0xff] ^ + rk[4]; + t1 = + Te0[(s1 >> 24) ] ^ + Te1[(s2 >> 16) & 0xff] ^ + Te2[(s3 >> 8) & 0xff] ^ + Te3[(s0 ) & 0xff] ^ + rk[5]; + t2 = + Te0[(s2 >> 24) ] ^ + Te1[(s3 >> 16) & 0xff] ^ + Te2[(s0 >> 8) & 0xff] ^ + Te3[(s1 ) & 0xff] ^ + rk[6]; + t3 = + Te0[(s3 >> 24) ] ^ + Te1[(s0 >> 16) & 0xff] ^ + Te2[(s1 >> 8) & 0xff] ^ + Te3[(s2 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) { + break; + } + + s0 = + Te0[(t0 >> 24) ] ^ + Te1[(t1 >> 16) & 0xff] ^ + Te2[(t2 >> 8) & 0xff] ^ + Te3[(t3 ) & 0xff] ^ + rk[0]; + s1 = + Te0[(t1 >> 24) ] ^ + Te1[(t2 >> 16) & 0xff] ^ + Te2[(t3 >> 8) & 0xff] ^ + Te3[(t0 ) & 0xff] ^ + rk[1]; + s2 = + Te0[(t2 >> 24) ] ^ + Te1[(t3 >> 16) & 0xff] ^ + Te2[(t0 >> 8) & 0xff] ^ + Te3[(t1 ) & 0xff] ^ + rk[2]; + s3 = + Te0[(t3 >> 24) ] ^ + Te1[(t0 >> 16) & 0xff] ^ + Te2[(t1 >> 8) & 0xff] ^ + Te3[(t2 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Te4[(t0 >> 24) ] & 0xff000000) ^ + (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t2 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t3 ) & 0xff] & 0x000000ff) ^ + rk[0]; + PUTU32(ct , s0); + s1 = + (Te4[(t1 >> 24) ] & 0xff000000) ^ + (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t3 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t0 ) & 0xff] & 0x000000ff) ^ + rk[1]; + PUTU32(ct + 4, s1); + s2 = + (Te4[(t2 >> 24) ] & 0xff000000) ^ + (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t0 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t1 ) & 0xff] & 0x000000ff) ^ + rk[2]; + PUTU32(ct + 8, s2); + s3 = + (Te4[(t3 >> 24) ] & 0xff000000) ^ + (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^ + (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^ + (Te4[(t2 ) & 0xff] & 0x000000ff) ^ + rk[3]; + PUTU32(ct + 12, s3); +} + +static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]) { + u32 s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(ct ) ^ rk[0]; + s1 = GETU32(ct + 4) ^ rk[1]; + s2 = GETU32(ct + 8) ^ rk[2]; + s3 = GETU32(ct + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Td0[(s0 >> 24) ] ^ + Td1[(s3 >> 16) & 0xff] ^ + Td2[(s2 >> 8) & 0xff] ^ + Td3[(s1 ) & 0xff] ^ + rk[4]; + t1 = + Td0[(s1 >> 24) ] ^ + Td1[(s0 >> 16) & 0xff] ^ + Td2[(s3 >> 8) & 0xff] ^ + Td3[(s2 ) & 0xff] ^ + rk[5]; + t2 = + Td0[(s2 >> 24) ] ^ + Td1[(s1 >> 16) & 0xff] ^ + Td2[(s0 >> 8) & 0xff] ^ + Td3[(s3 ) & 0xff] ^ + rk[6]; + t3 = + Td0[(s3 >> 24) ] ^ + Td1[(s2 >> 16) & 0xff] ^ + Td2[(s1 >> 8) & 0xff] ^ + Td3[(s0 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) { + break; + } + + s0 = + Td0[(t0 >> 24) ] ^ + Td1[(t3 >> 16) & 0xff] ^ + Td2[(t2 >> 8) & 0xff] ^ + Td3[(t1 ) & 0xff] ^ + rk[0]; + s1 = + Td0[(t1 >> 24) ] ^ + Td1[(t0 >> 16) & 0xff] ^ + Td2[(t3 >> 8) & 0xff] ^ + Td3[(t2 ) & 0xff] ^ + rk[1]; + s2 = + Td0[(t2 >> 24) ] ^ + Td1[(t1 >> 16) & 0xff] ^ + Td2[(t0 >> 8) & 0xff] ^ + Td3[(t3 ) & 0xff] ^ + rk[2]; + s3 = + Td0[(t3 >> 24) ] ^ + Td1[(t2 >> 16) & 0xff] ^ + Td2[(t1 >> 8) & 0xff] ^ + Td3[(t0 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Td4[(t0 >> 24) ] & 0xff000000) ^ + (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t1 ) & 0xff] & 0x000000ff) ^ + rk[0]; + PUTU32(pt , s0); + s1 = + (Td4[(t1 >> 24) ] & 0xff000000) ^ + (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t2 ) & 0xff] & 0x000000ff) ^ + rk[1]; + PUTU32(pt + 4, s1); + s2 = + (Td4[(t2 >> 24) ] & 0xff000000) ^ + (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t3 ) & 0xff] & 0x000000ff) ^ + rk[2]; + PUTU32(pt + 8, s2); + s3 = + (Td4[(t3 >> 24) ] & 0xff000000) ^ + (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t0 ) & 0xff] & 0x000000ff) ^ + rk[3]; + PUTU32(pt + 12, s3); +} + +void +rijndael_set_key(rijndael_ctx *ctx, u_char *key, int bits, int do_encrypt) +{ + ctx->Nr = rijndaelKeySetupEnc(ctx->ek, key, bits); + if (do_encrypt) { + ctx->decrypt = 0; + memset(ctx->dk, 0, sizeof(ctx->dk)); + } else { + ctx->decrypt = 1; + memcpy(ctx->dk, ctx->ek, sizeof(ctx->dk)); + rijndaelKeySetupDec(ctx->dk, key, bits, ctx->Nr); + } +} + +void +rijndael_decrypt(rijndael_ctx *ctx, u_char *src, u_char *dst) +{ + rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst); +} + +void +rijndael_encrypt(rijndael_ctx *ctx, u_char *src, u_char *dst) +{ + rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst); +} diff -ruN --exclude CVS ssh-openbsd-2005090100/rijndael.h openssh-4.2p1/rijndael.h --- ssh-openbsd-2005090100/rijndael.h Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/rijndael.h Fri Dec 21 14:45:49 2001 @@ -0,0 +1,51 @@ +/* $OpenBSD: rijndael.h,v 1.12 2001/12/19 07:18:56 deraadt Exp $ */ + +/** + * rijndael-alg-fst.h + * + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen + * @author Antoon Bosselaers + * @author Paulo Barreto + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef __RIJNDAEL_H +#define __RIJNDAEL_H + +#define MAXKC (256/32) +#define MAXKB (256/8) +#define MAXNR 14 + +typedef unsigned char u8; +typedef unsigned short u16; +typedef unsigned int u32; + +/* The structure for key information */ +typedef struct { + int decrypt; + int Nr; /* key-length-dependent number of rounds */ + u32 ek[4*(MAXNR + 1)]; /* encrypt key schedule */ + u32 dk[4*(MAXNR + 1)]; /* decrypt key schedule */ +} rijndael_ctx; + +void rijndael_set_key(rijndael_ctx *, u_char *, int, int); +void rijndael_decrypt(rijndael_ctx *, u_char *, u_char *); +void rijndael_encrypt(rijndael_ctx *, u_char *, u_char *); + +#endif /* __RIJNDAEL_H */ diff -ruN --exclude CVS ssh-openbsd-2005090100/scard/.cvsignore openssh-4.2p1/scard/.cvsignore --- ssh-openbsd-2005090100/scard/.cvsignore Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/scard/.cvsignore Sat Dec 29 18:00:08 2001 @@ -0,0 +1,2 @@ +Makefile +Ssh.bin diff -ruN --exclude CVS ssh-openbsd-2005090100/scard/Makefile openssh-4.2p1/scard/Makefile --- ssh-openbsd-2005090100/scard/Makefile Fri Jun 29 17:02:09 2001 +++ openssh-4.2p1/scard/Makefile Thu Jan 1 10:00:00 1970 @@ -1,20 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2001/06/29 07:02:09 markus Exp $ - -.PATH: ${.CURDIR}/.. - -CARDLET= Ssh.bin -DATADIR= /usr/libdata/ssh - -all: ${CARDLET} - -clean: - rm -f ${CARDLET} - -install: ${CARDLET} - install -c -m ${LIBMODE} -o ${LIBOWN} -g ${LIBGRP} \ - ${CARDLET} ${DESTDIR}${DATADIR} - -Ssh.bin: ${.CURDIR}/Ssh.bin.uu - uudecode ${.CURDIR}/$@.uu - -.include diff -ruN --exclude CVS ssh-openbsd-2005090100/scard/Makefile.in openssh-4.2p1/scard/Makefile.in --- ssh-openbsd-2005090100/scard/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/scard/Makefile.in Fri Apr 26 11:25:41 2002 @@ -0,0 +1,28 @@ +# $Id: Makefile.in,v 1.4 2002/04/26 01:25:41 djm Exp $ + +prefix=@prefix@ +datadir=@datadir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +INSTALL=@INSTALL@ + +VPATH=@srcdir@ + +all: + +#Ssh.bin: Ssh.bin.uu +# uudecode Ssh.bin.uu + +clean: +# rm -rf Ssh.bin + +distprep: + uudecode Ssh.bin.uu + +distclean: clean + rm -f Makefile *~ + +install: $(srcdir)/Ssh.bin + $(top_srcdir)/mkinstalldirs $(DESTDIR)$(datadir) + $(INSTALL) -m 0644 $(srcdir)/Ssh.bin $(DESTDIR)$(datadir)/Ssh.bin diff -ruN --exclude CVS ssh-openbsd-2005090100/scard/Ssh.java openssh-4.2p1/scard/Ssh.java --- ssh-openbsd-2005090100/scard/Ssh.java Fri Mar 22 09:44:05 2002 +++ openssh-4.2p1/scard/Ssh.java Wed May 22 14:24:02 2002 @@ -1,4 +1,4 @@ -// $Id: Ssh.java,v 1.3 2002/03/21 22:44:05 rees Exp $ +// $Id: Ssh.java,v 1.3 2002/05/22 04:24:02 djm Exp $ // // Ssh.java // SSH / smartcard integration project, smartcard side diff -ruN --exclude CVS ssh-openbsd-2005090100/scard-opensc.c openssh-4.2p1/scard-opensc.c --- ssh-openbsd-2005090100/scard-opensc.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/scard-opensc.c Thu May 13 17:29:35 2004 @@ -0,0 +1,525 @@ +/* + * Copyright (c) 2002 Juha Yrjölä. All rights reserved. + * Copyright (c) 2001 Markus Friedl. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +#if defined(SMARTCARD) && defined(USE_OPENSC) + +#include +#include + +#include +#include + +#include "key.h" +#include "log.h" +#include "xmalloc.h" +#include "misc.h" +#include "scard.h" + +#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE) +#define USE_ENGINE +#define RSA_get_default_method RSA_get_default_openssl_method +#else +#endif + +#ifdef USE_ENGINE +#include +#define sc_get_rsa sc_get_engine +#else +#define sc_get_rsa sc_get_rsa_method +#endif + +static int sc_reader_id; +static sc_context_t *ctx = NULL; +static sc_card_t *card = NULL; +static sc_pkcs15_card_t *p15card = NULL; + +static char *sc_pin = NULL; + +struct sc_priv_data +{ + struct sc_pkcs15_id cert_id; + int ref_count; +}; + +void +sc_close(void) +{ + if (p15card) { + sc_pkcs15_unbind(p15card); + p15card = NULL; + } + if (card) { + sc_disconnect_card(card, 0); + card = NULL; + } + if (ctx) { + sc_release_context(ctx); + ctx = NULL; + } +} + +static int +sc_init(void) +{ + int r; + + r = sc_establish_context(&ctx, "openssh"); + if (r) + goto err; + if (sc_reader_id >= ctx->reader_count) { + r = SC_ERROR_NO_READERS_FOUND; + error("Illegal reader number %d (max %d)", sc_reader_id, + ctx->reader_count -1); + goto err; + } + r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card); + if (r) + goto err; + r = sc_pkcs15_bind(card, &p15card); + if (r) + goto err; + return 0; +err: + sc_close(); + return r; +} + +/* private key operations */ + +static int +sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out, + unsigned int usage) +{ + int r; + struct sc_priv_data *priv; + struct sc_pkcs15_object *key_obj; + struct sc_pkcs15_prkey_info *key; + struct sc_pkcs15_object *pin_obj; + struct sc_pkcs15_pin_info *pin; + + priv = (struct sc_priv_data *) RSA_get_app_data(rsa); + if (priv == NULL) + return -1; + if (p15card == NULL) { + sc_close(); + r = sc_init(); + if (r) { + error("SmartCard init failed: %s", sc_strerror(r)); + goto err; + } + } + r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, + usage, &key_obj); + if (r) { + error("Unable to find private key from SmartCard: %s", + sc_strerror(r)); + goto err; + } + key = key_obj->data; + r = sc_pkcs15_find_pin_by_auth_id(p15card, &key_obj->auth_id, + &pin_obj); + if (r == SC_ERROR_OBJECT_NOT_FOUND) { + /* no pin required */ + r = sc_lock(card); + if (r) { + error("Unable to lock smartcard: %s", sc_strerror(r)); + goto err; + } + *key_obj_out = key_obj; + return 0; + } else if (r) { + error("Unable to find PIN object from SmartCard: %s", + sc_strerror(r)); + goto err; + } + pin = pin_obj->data; + r = sc_lock(card); + if (r) { + error("Unable to lock smartcard: %s", sc_strerror(r)); + goto err; + } + if (sc_pin != NULL) { + r = sc_pkcs15_verify_pin(p15card, pin, sc_pin, + strlen(sc_pin)); + if (r) { + sc_unlock(card); + error("PIN code verification failed: %s", + sc_strerror(r)); + goto err; + } + } + *key_obj_out = key_obj; + return 0; +err: + sc_close(); + return -1; +} + +#define SC_USAGE_DECRYPT SC_PKCS15_PRKEY_USAGE_DECRYPT | \ + SC_PKCS15_PRKEY_USAGE_UNWRAP + +static int +sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, + int padding) +{ + struct sc_pkcs15_object *key_obj; + int r; + + if (padding != RSA_PKCS1_PADDING) + return -1; + r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT); + if (r) + return -1; + r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, + from, flen, to, flen); + sc_unlock(card); + if (r < 0) { + error("sc_pkcs15_decipher() failed: %s", sc_strerror(r)); + goto err; + } + return r; +err: + sc_close(); + return -1; +} + +#define SC_USAGE_SIGN SC_PKCS15_PRKEY_USAGE_SIGN | \ + SC_PKCS15_PRKEY_USAGE_SIGNRECOVER + +static int +sc_sign(int type, u_char *m, unsigned int m_len, + unsigned char *sigret, unsigned int *siglen, RSA *rsa) +{ + struct sc_pkcs15_object *key_obj; + int r; + unsigned long flags = 0; + + /* XXX: sc_prkey_op_init will search for a pkcs15 private + * key object with the sign or signrecover usage flag set. + * If the signing key has only the non-repudiation flag set + * the key will be rejected as using a non-repudiation key + * for authentication is not recommended. Note: This does not + * prevent the use of a non-repudiation key for authentication + * if the sign or signrecover flag is set as well. + */ + r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN); + if (r) + return -1; + /* FIXME: length of sigret correct? */ + /* FIXME: check 'type' and modify flags accordingly */ + flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1; + r = sc_pkcs15_compute_signature(p15card, key_obj, flags, + m, m_len, sigret, RSA_size(rsa)); + sc_unlock(card); + if (r < 0) { + error("sc_pkcs15_compute_signature() failed: %s", + sc_strerror(r)); + goto err; + } + *siglen = r; + return 1; +err: + sc_close(); + return 0; +} + +static int +sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa, + int padding) +{ + error("Private key encryption not supported"); + return -1; +} + +/* called on free */ + +static int (*orig_finish)(RSA *rsa) = NULL; + +static int +sc_finish(RSA *rsa) +{ + struct sc_priv_data *priv; + + priv = RSA_get_app_data(rsa); + priv->ref_count--; + if (priv->ref_count == 0) { + free(priv); + sc_close(); + } + if (orig_finish) + orig_finish(rsa); + return 1; +} + +/* engine for overloading private key operations */ + +static RSA_METHOD * +sc_get_rsa_method(void) +{ + static RSA_METHOD smart_rsa; + const RSA_METHOD *def = RSA_get_default_method(); + + /* use the OpenSSL version */ + memcpy(&smart_rsa, def, sizeof(smart_rsa)); + + smart_rsa.name = "opensc"; + + /* overload */ + smart_rsa.rsa_priv_enc = sc_private_encrypt; + smart_rsa.rsa_priv_dec = sc_private_decrypt; + smart_rsa.rsa_sign = sc_sign; + + /* save original */ + orig_finish = def->finish; + smart_rsa.finish = sc_finish; + + return &smart_rsa; +} + +#ifdef USE_ENGINE +static ENGINE * +sc_get_engine(void) +{ + static ENGINE *smart_engine = NULL; + + if ((smart_engine = ENGINE_new()) == NULL) + fatal("ENGINE_new failed"); + + ENGINE_set_id(smart_engine, "opensc"); + ENGINE_set_name(smart_engine, "OpenSC"); + + ENGINE_set_RSA(smart_engine, sc_get_rsa_method()); + ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method()); + ENGINE_set_DH(smart_engine, DH_get_default_openssl_method()); + ENGINE_set_RAND(smart_engine, RAND_SSLeay()); + ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp); + + return smart_engine; +} +#endif + +static void +convert_rsa_to_rsa1(Key * in, Key * out) +{ + struct sc_priv_data *priv; + + out->rsa->flags = in->rsa->flags; + out->flags = in->flags; + RSA_set_method(out->rsa, RSA_get_method(in->rsa)); + BN_copy(out->rsa->n, in->rsa->n); + BN_copy(out->rsa->e, in->rsa->e); + priv = RSA_get_app_data(in->rsa); + priv->ref_count++; + RSA_set_app_data(out->rsa, priv); + return; +} + +static int +sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj) +{ + int r; + sc_pkcs15_cert_t *cert = NULL; + struct sc_priv_data *priv = NULL; + sc_pkcs15_cert_info_t *cinfo = cert_obj->data; + + X509 *x509 = NULL; + EVP_PKEY *pubkey = NULL; + u8 *p; + char *tmp; + + debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]); + r = sc_pkcs15_read_certificate(p15card, cinfo, &cert); + if (r) { + logit("Certificate read failed: %s", sc_strerror(r)); + goto err; + } + x509 = X509_new(); + if (x509 == NULL) { + r = -1; + goto err; + } + p = cert->data; + if (!d2i_X509(&x509, &p, cert->data_len)) { + logit("Unable to parse X.509 certificate"); + r = -1; + goto err; + } + sc_pkcs15_free_certificate(cert); + cert = NULL; + pubkey = X509_get_pubkey(x509); + X509_free(x509); + x509 = NULL; + if (pubkey->type != EVP_PKEY_RSA) { + logit("Public key is of unknown type"); + r = -1; + goto err; + } + k->rsa = EVP_PKEY_get1_RSA(pubkey); + EVP_PKEY_free(pubkey); + + k->rsa->flags |= RSA_FLAG_SIGN_VER; + RSA_set_method(k->rsa, sc_get_rsa_method()); + priv = xmalloc(sizeof(struct sc_priv_data)); + priv->cert_id = cinfo->id; + priv->ref_count = 1; + RSA_set_app_data(k->rsa, priv); + + k->flags = KEY_FLAG_EXT; + tmp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); + debug("fingerprint %d %s", key_size(k), tmp); + xfree(tmp); + + return 0; +err: + if (cert) + sc_pkcs15_free_certificate(cert); + if (pubkey) + EVP_PKEY_free(pubkey); + if (x509) + X509_free(x509); + return r; +} + +Key ** +sc_get_keys(const char *id, const char *pin) +{ + Key *k, **keys; + int i, r, real_count = 0, key_count; + sc_pkcs15_id_t cert_id; + sc_pkcs15_object_t *certs[32]; + char *buf = xstrdup(id), *p; + + debug("sc_get_keys called: id = %s", id); + + if (sc_pin != NULL) + xfree(sc_pin); + sc_pin = (pin == NULL) ? NULL : xstrdup(pin); + + cert_id.len = 0; + if ((p = strchr(buf, ':')) != NULL) { + *p = 0; + p++; + sc_pkcs15_hex_string_to_id(p, &cert_id); + } + r = sscanf(buf, "%d", &sc_reader_id); + xfree(buf); + if (r != 1) + goto err; + if (p15card == NULL) { + sc_close(); + r = sc_init(); + if (r) { + error("Smartcard init failed: %s", sc_strerror(r)); + goto err; + } + } + if (cert_id.len) { + r = sc_pkcs15_find_cert_by_id(p15card, &cert_id, &certs[0]); + if (r < 0) + goto err; + key_count = 1; + } else { + r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509, + certs, 32); + if (r == 0) { + logit("No certificates found on smartcard"); + r = -1; + goto err; + } else if (r < 0) { + error("Certificate enumeration failed: %s", + sc_strerror(r)); + goto err; + } + key_count = r; + } + keys = xmalloc(sizeof(Key *) * (key_count*2+1)); + for (i = 0; i < key_count; i++) { + sc_pkcs15_object_t *tmp_obj = NULL; + cert_id = ((sc_pkcs15_cert_info_t *)(certs[i]->data))->id; + if (sc_pkcs15_find_prkey_by_id(p15card, &cert_id, &tmp_obj)) + /* skip the public key (certificate) if no + * corresponding private key is present */ + continue; + k = key_new(KEY_RSA); + if (k == NULL) + break; + r = sc_read_pubkey(k, certs[i]); + if (r) { + error("sc_read_pubkey failed: %s", sc_strerror(r)); + key_free(k); + continue; + } + keys[real_count] = k; + real_count++; + k = key_new(KEY_RSA1); + if (k == NULL) + break; + convert_rsa_to_rsa1(keys[real_count-1], k); + keys[real_count] = k; + real_count++; + } + keys[real_count] = NULL; + + return keys; +err: + sc_close(); + return NULL; +} + +int +sc_put_key(Key *prv, const char *id) +{ + error("key uploading not yet supported"); + return -1; +} + +char * +sc_get_key_label(Key *key) +{ + int r; + const struct sc_priv_data *priv; + struct sc_pkcs15_object *key_obj; + + priv = (const struct sc_priv_data *) RSA_get_app_data(key->rsa); + if (priv == NULL || p15card == NULL) { + logit("SmartCard key not loaded"); + /* internal error => return default label */ + return xstrdup("smartcard key"); + } + r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj); + if (r) { + logit("Unable to find private key from SmartCard: %s", + sc_strerror(r)); + return xstrdup("smartcard key"); + } + if (key_obj == NULL || key_obj->label == NULL) + /* the optional PKCS#15 label does not exists + * => return the default label */ + return xstrdup("smartcard key"); + return xstrdup(key_obj->label); +} + +#endif /* SMARTCARD */ diff -ruN --exclude CVS ssh-openbsd-2005090100/scard.c openssh-4.2p1/scard.c --- ssh-openbsd-2005090100/scard.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/scard.c Thu May 13 16:15:48 2004 @@ -22,8 +22,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef SMARTCARD #include "includes.h" +#if defined(SMARTCARD) && defined(USE_SECTOK) RCSID("$OpenBSD: scard.c,v 1.29 2004/05/08 00:21:31 djm Exp $"); #include @@ -561,4 +561,4 @@ return xstrdup("smartcard key"); } -#endif /* SMARTCARD */ +#endif /* SMARTCARD && USE_SECTOK */ diff -ruN --exclude CVS ssh-openbsd-2005090100/scp/Makefile openssh-4.2p1/scp/Makefile --- ssh-openbsd-2005090100/scp/Makefile Mon Jan 13 03:59:14 2003 +++ openssh-4.2p1/scp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,15 +0,0 @@ -# $OpenBSD: Makefile,v 1.16 2003/01/12 16:59:14 markus Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= scp -BINOWN= root - -BINMODE?=555 - -BINDIR= /usr/bin -MAN= scp.1 - -SRCS= scp.c - -.include diff -ruN --exclude CVS ssh-openbsd-2005090100/scp.c openssh-4.2p1/scp.c --- ssh-openbsd-2005090100/scp.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/scp.c Tue Aug 2 17:07:08 2005 @@ -80,7 +80,7 @@ #include "misc.h" #include "progressmeter.h" -int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); +extern char *__progname; void bwlimit(int); @@ -222,6 +222,8 @@ extern char *optarg; extern int optind; + __progname = ssh_get_progname(argv[0]); + args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-x"); @@ -286,6 +288,9 @@ case 't': /* "to" */ iamremote = 1; tflag = 1; +#ifdef HAVE_CYGWIN + setmode(0, O_BINARY); +#endif break; default: usage(); @@ -555,7 +560,7 @@ #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) snprintf(buf, sizeof buf, "C%04o %lld %s\n", (u_int) (stb.st_mode & FILEMODEMASK), - (long long)stb.st_size, last); + (int64_t)stb.st_size, last); if (verbose_mode) { fprintf(stderr, "Sending file modes: %s", buf); } @@ -940,14 +945,22 @@ } if (pflag) { if (exists || omode != mode) +#ifdef HAVE_FCHMOD if (fchmod(ofd, omode)) { +#else /* HAVE_FCHMOD */ + if (chmod(np, omode)) { +#endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", np, strerror(errno)); wrerr = DISPLAYED; } } else { if (!exists && omode != mode) +#ifdef HAVE_FCHMOD if (fchmod(ofd, omode & ~mask)) { +#else /* HAVE_FCHMOD */ + if (chmod(np, omode & ~mask)) { +#endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", np, strerror(errno)); wrerr = DISPLAYED; @@ -1098,6 +1111,7 @@ allocbuf(BUF *bp, int fd, int blksize) { size_t size; +#ifdef HAVE_STRUCT_STAT_ST_BLKSIZE struct stat stb; if (fstat(fd, &stb) < 0) { @@ -1107,6 +1121,9 @@ size = roundup(stb.st_blksize, blksize); if (size == 0) size = blksize; +#else /* HAVE_STRUCT_STAT_ST_BLKSIZE */ + size = blksize; +#endif /* HAVE_STRUCT_STAT_ST_BLKSIZE */ if (bp->cnt >= size) return (bp); if (bp->buf == NULL) diff -ruN --exclude CVS ssh-openbsd-2005090100/servconf.c openssh-4.2p1/servconf.c --- ssh-openbsd-2005090100/servconf.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/servconf.c Fri Aug 12 22:11:37 2005 @@ -35,6 +35,11 @@ initialize_server_options(ServerOptions *options) { memset(options, 0, sizeof(*options)); + + /* Portable-specific options */ + options->use_pam = -1; + + /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; options->listen_addrs = NULL; @@ -104,6 +109,11 @@ void fill_default_server_options(ServerOptions *options) { + /* Portable-specific options */ + if (options->use_pam == -1) + options->use_pam = 0; + + /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { @@ -223,11 +233,24 @@ /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; + +#ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { + error("This platform does not support both privilege " + "separation and compression"); + error("Compression disabled"); + options->compression = 0; + } +#endif + } /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ + /* Portable-specific options */ + sUsePAM, + /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, @@ -257,6 +280,14 @@ const char *name; ServerOpCodes opcode; } keywords[] = { + /* Portable-specific options */ +#ifdef USE_PAM + { "usepam", sUsePAM }, +#else + { "usepam", sUnsupported }, +#endif + { "pamauthenticationviakbdint", sDeprecated }, + /* Standard Options */ { "port", sPort }, { "hostkey", sHostKeyFile }, { "hostdsakey", sHostKeyFile }, /* alias */ @@ -278,8 +309,12 @@ { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, +#ifdef USE_AFS { "kerberosgetafstoken", sKerberosGetAFSToken }, #else + { "kerberosgetafstoken", sUnsupported }, +#endif +#else { "kerberosauthentication", sUnsupported }, { "kerberosorlocalpasswd", sUnsupported }, { "kerberosticketcleanup", sUnsupported }, @@ -419,6 +454,12 @@ charptr = NULL; opcode = parse_token(arg, filename, linenum); switch (opcode) { + /* Portable-specific options */ + case sUsePAM: + intptr = &options->use_pam; + goto parse_flag; + + /* Standard Options */ case sBadOption: return -1; case sPort: diff -ruN --exclude CVS ssh-openbsd-2005090100/servconf.h openssh-4.2p1/servconf.h --- ssh-openbsd-2005090100/servconf.h Sat Jul 16 11:31:03 2005 +++ openssh-4.2p1/servconf.h Thu Jan 20 10:57:56 2005 @@ -133,6 +133,7 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + int use_pam; /* Enable auth via PAM */ } ServerOptions; void initialize_server_options(ServerOptions *); diff -ruN --exclude CVS ssh-openbsd-2005090100/serverloop.c openssh-4.2p1/serverloop.c --- ssh-openbsd-2005090100/serverloop.c Sun Jul 17 17:17:55 2005 +++ openssh-4.2p1/serverloop.c Sun Jul 17 17:26:44 2005 @@ -144,7 +144,9 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - signal(SIGCHLD, sigchld_handler); +#ifndef _UNICOS + mysignal(SIGCHLD, sigchld_handler); +#endif notify_parent(); errno = save_errno; } @@ -498,7 +500,7 @@ /* Initialize the SIGCHLD kludge. */ child_terminated = 0; - signal(SIGCHLD, sigchld_handler); + mysignal(SIGCHLD, sigchld_handler); /* Initialize our global variables. */ fdin = fdin_arg; @@ -670,7 +672,7 @@ channel_free_all(); /* We no longer want our SIGCHLD handler to be called. */ - signal(SIGCHLD, SIG_DFL); + mysignal(SIGCHLD, SIG_DFL); while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0) if (errno != EINTR) @@ -742,7 +744,7 @@ debug("Entering interactive session for SSH2."); - signal(SIGCHLD, sigchld_handler); + mysignal(SIGCHLD, sigchld_handler); child_terminated = 0; connection_in = packet_get_connection_in(); connection_out = packet_get_connection_out(); @@ -977,8 +979,11 @@ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else { diff -ruN --exclude CVS ssh-openbsd-2005090100/session.c openssh-4.2p1/session.c --- ssh-openbsd-2005090100/session.c Tue Jul 26 21:48:33 2005 +++ openssh-4.2p1/session.c Thu Sep 1 02:59:49 2005 @@ -59,7 +59,7 @@ #include "kex.h" #include "monitor_wrap.h" -#ifdef KRB5 +#if defined(KRB5) && defined(USE_AFS) #include #endif @@ -78,6 +78,9 @@ void do_exec_no_pty(Session *, const char *); void do_exec(Session *, const char *); void do_login(Session *, const char *); +#ifdef LOGIN_NEEDS_UTMPX +static void do_pre_login(Session *s); +#endif void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); @@ -399,6 +402,11 @@ session_proctitle(s); +#if defined(USE_PAM) + if (options.use_pam && !use_privsep) + do_pam_setcred(1); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { is_child = 1; @@ -450,10 +458,21 @@ perror("dup2 stderr"); #endif /* USE_PIPES */ +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ +#ifdef HAVE_CYGWIN + if (is_winnt) + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); +#endif if (pid < 0) packet_disconnect("fork failed: %.100s", strerror(errno)); s->pid = pid; @@ -482,6 +501,13 @@ close(err[0]); /* + * Clear loginmsg, since it's the child's responsibility to display + * it to the user, otherwise multiple sessions may accumulate + * multiple copies of the login messages. + */ + buffer_clear(&loginmsg); + + /* * Enter the interactive session. Note: server_loop must be able to * handle the case that fdin and fdout are the same. */ @@ -511,6 +537,14 @@ ptyfd = s->ptyfd; ttyfd = s->ttyfd; +#if defined(USE_PAM) + if (options.use_pam) { + do_pam_set_tty(s->tty); + if (!use_privsep) + do_pam_setcred(1); + } +#endif + /* Fork the child. */ if ((pid = fork()) == 0) { is_child = 1; @@ -535,13 +569,30 @@ close(ttyfd); /* record login, etc. similar to login(1) */ - if (!(options.use_login && command == NULL)) +#ifndef HAVE_OSF_SIA + if (!(options.use_login && command == NULL)) { +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _UNICOS */ do_login(s, command); + } +# ifdef LOGIN_NEEDS_UTMPX + else + do_pre_login(s); +# endif +#endif /* Do common processing for the child, such as execing the command. */ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ +#ifdef HAVE_CYGWIN + if (is_winnt) + cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); +#endif if (pid < 0) packet_disconnect("fork failed: %.100s", strerror(errno)); s->pid = pid; @@ -574,6 +625,34 @@ } } +#ifdef LOGIN_NEEDS_UTMPX +static void +do_pre_login(Session *s) +{ + socklen_t fromlen; + struct sockaddr_storage from; + pid_t pid = getpid(); + + /* + * Get IP address of client. If the connection is not a socket, let + * the address be 0.0.0.0. + */ + memset(&from, 0, sizeof(from)); + fromlen = sizeof(from); + if (packet_connection_is_on_socket()) { + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + cleanup_exit(255); + } + } + + record_utmp_only(pid, s->tty, s->pw->pw_name, + get_remote_name_or_ip(utmp_len, options.use_dns), + (struct sockaddr *)&from, fromlen); +} +#endif + /* * This is called to fork and execute a command. If another command is * to be forced, execute that instead. @@ -587,11 +666,15 @@ debug("Forced command '%.900s'", command); } -#ifdef GSSAPI - if (options.gss_authentication) { - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); +#ifdef SSH_AUDIT_EVENTS + if (command != NULL) + PRIVSEP(audit_run_command(command)); + else if (s->ttyfd == -1) { + char *shell = s->pw->pw_shell; + + if (shell[0] == '\0') /* empty shell means /bin/sh */ + shell =_PATH_BSHELL; + PRIVSEP(audit_run_command(shell)); } #endif @@ -610,7 +693,6 @@ buffer_clear(&loginmsg); } - /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) @@ -641,6 +723,19 @@ options.use_dns), (struct sockaddr *)&from, fromlen); +#ifdef USE_PAM + /* + * If password change is needed, do it now. + * This needs to occur before the ~/.hushlogin check. + */ + if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) { + display_loginmsg(); + do_pam_chauthtok(); + s->authctxt->force_pwchange = 0; + /* XXX - signal [net] parent to enable forwardings */ + } +#endif + if (check_quietlogin(s, command)) return; @@ -711,6 +806,16 @@ u_int i, namelen; /* + * If we're passed an uninitialized list, allocate a single null + * entry before continuing. + */ + if (*envp == NULL && *envsizep == 0) { + *envp = xmalloc(sizeof(char *)); + *envp[0] = NULL; + *envsizep = 1; + } + + /* * Find the slot where the value should be stored. If the variable * already exists, we reuse the slot; otherwise we append a new slot * at the end of the array, expanding if necessary. @@ -787,12 +892,91 @@ fclose(f); } +#ifdef HAVE_ETC_DEFAULT_LOGIN +/* + * Return named variable from specified environment, or NULL if not present. + */ +static char * +child_get_env(char **env, const char *name) +{ + int i; + size_t len; + + len = strlen(name); + for (i=0; env[i] != NULL; i++) + if (strncmp(name, env[i], len) == 0 && env[i][len] == '=') + return(env[i] + len + 1); + return NULL; +} + +/* + * Read /etc/default/login. + * We pick up the PATH (or SUPATH for root) and UMASK. + */ +static void +read_etc_default_login(char ***env, u_int *envsize, uid_t uid) +{ + char **tmpenv = NULL, *var; + u_int i, tmpenvsize = 0; + u_long mask; + + /* + * We don't want to copy the whole file to the child's environment, + * so we use a temporary environment and copy the variables we're + * interested in. + */ + read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login"); + + if (tmpenv == NULL) + return; + + if (uid == 0) + var = child_get_env(tmpenv, "SUPATH"); + else + var = child_get_env(tmpenv, "PATH"); + if (var != NULL) + child_set_env(env, envsize, "PATH", var); + + if ((var = child_get_env(tmpenv, "UMASK")) != NULL) + if (sscanf(var, "%5lo", &mask) == 1) + umask((mode_t)mask); + + for (i = 0; tmpenv[i] != NULL; i++) + xfree(tmpenv[i]); + xfree(tmpenv); +} +#endif /* HAVE_ETC_DEFAULT_LOGIN */ + +void +copy_environment(char **source, char ***env, u_int *envsize) +{ + char *var_name, *var_val; + int i; + + if (source == NULL) + return; + + for(i = 0; source[i] != NULL; i++) { + var_name = xstrdup(source[i]); + if ((var_val = strstr(var_name, "=")) == NULL) { + xfree(var_name); + continue; + } + *var_val++ = '\0'; + + debug3("Copy environment: %s=%s", var_name, var_val); + child_set_env(env, envsize, var_name, var_val); + + xfree(var_name); + } +} + static char ** do_setup_env(Session *s, const char *shell) { char buf[256]; u_int i, envsize; - char **env, *laddr; + char **env, *laddr, *path = NULL; struct passwd *pw = s->pw; /* Initialize the environment. */ @@ -800,6 +984,20 @@ env = xmalloc(envsize * sizeof(char *)); env[0] = NULL; +#ifdef HAVE_CYGWIN + /* + * The Windows environment contains some setting which are + * important for a running system. They must not be dropped. + */ + { + char **p; + + p = fetch_windows_environment(); + copy_environment(p, &env, &envsize); + free_windows_environment(p); + } +#endif + #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit @@ -815,15 +1013,34 @@ child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); +#ifdef _AIX + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); +#endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); else child_set_env(&env, &envsize, "PATH", getenv("PATH")); -#else - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -#endif +#else /* HAVE_LOGIN_CAP */ +# ifndef HAVE_CYGWIN + /* + * There's no standard path on Windows. The path contains + * important components pointing to the system directories, + * needed for loading shared libraries. So the path better + * remains intact here. + */ +# ifdef HAVE_ETC_DEFAULT_LOGIN + read_etc_default_login(&env, &envsize, pw->pw_uid); + path = child_get_env(env, "PATH"); +# endif /* HAVE_ETC_DEFAULT_LOGIN */ + if (path == NULL || *path == '\0') { + child_set_env(&env, &envsize, "PATH", + s->pw->pw_uid == 0 ? + SUPERUSER_PATH : _PATH_STDPATH); + } +# endif /* HAVE_CYGWIN */ +#endif /* HAVE_LOGIN_CAP */ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); @@ -873,11 +1090,56 @@ if (original_command) child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); + +#ifdef _UNICOS + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _UNICOS */ + + /* + * Since we clear KRB5CCNAME at startup, if it's set now then it + * must have been set by a native authentication method (eg AIX or + * SIA), so copy it to the child. + */ + { + char *cp; + + if ((cp = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env, &envsize, "KRB5CCNAME", cp); + } + +#ifdef _AIX + { + char *cp; + + if ((cp = getenv("AUTHSTATE")) != NULL) + child_set_env(&env, &envsize, "AUTHSTATE", cp); + read_environment_file(&env, &envsize, "/etc/environment"); + } +#endif #ifdef KRB5 - if (s->authctxt->krb5_ticket_file) + if (s->authctxt->krb5_ccname) child_set_env(&env, &envsize, "KRB5CCNAME", - s->authctxt->krb5_ticket_file); + s->authctxt->krb5_ccname); #endif +#ifdef USE_PAM + /* + * Pull in any environment variables that may have + * been set by PAM. + */ + if (options.use_pam) { + char **p; + + p = fetch_pam_child_environment(); + copy_environment(p, &env, &envsize); + free_pam_environment(p); + + p = fetch_pam_environment(); + copy_environment(p, &env, &envsize); + free_pam_environment(p); + } +#endif /* USE_PAM */ + if (auth_sock_name != NULL) child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_sock_name); @@ -885,7 +1147,7 @@ /* read $HOME/.ssh/environment. */ if (options.permit_user_env && !options.use_login) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", - pw->pw_dir); + strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); } if (debug_flag) { @@ -989,6 +1251,7 @@ while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); + fflush(NULL); exit(254); } } @@ -997,14 +1260,44 @@ void do_setusercontext(struct passwd *pw) { - if (getuid() == 0 || geteuid() == 0) { +#ifndef HAVE_CYGWIN + if (getuid() == 0 || geteuid() == 0) +#endif /* HAVE_CYGWIN */ + { + +#ifdef HAVE_SETPCRED + if (setpcred(pw->pw_name, (char **)NULL) == -1) + fatal("Failed to set process credentials"); +#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP +# ifdef __bsdi__ + setpgid(0, 0); +# endif +#ifdef GSSAPI + if (options.gss_authentication) { + temporarily_use_uid(pw); + ssh_gssapi_storecreds(); + restore_uid(); + } +#endif +# ifdef USE_PAM + if (options.use_pam) { + do_pam_session(); + do_pam_setcred(0); + } +# endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { perror("unable to set user context"); exit(1); } #else +# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) + /* Sets login uid for accounting */ + if (getluid() == -1 && setluid(pw->pw_uid) == -1) + error("setluid: %s", strerror(errno)); +# endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */ + if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); if (setgid(pw->pw_gid) < 0) { @@ -1017,11 +1310,43 @@ exit(1); } endgrent(); - +#ifdef GSSAPI + if (options.gss_authentication) { + temporarily_use_uid(pw); + ssh_gssapi_storecreds(); + restore_uid(); + } +#endif +# ifdef USE_PAM + /* + * PAM credentials may take the form of supplementary groups. + * These will have been wiped by the above initgroups() call. + * Reestablish them here. + */ + if (options.use_pam) { + do_pam_session(); + do_pam_setcred(0); + } +# endif /* USE_PAM */ +# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) + irix_setusercontext(pw); +# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ +# ifdef _AIX + aix_usrinfo(pw); +# endif /* _AIX */ +#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) + if (set_id(pw->pw_name) != 0) { + exit(1); + } +#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif } + +#ifdef HAVE_CYGWIN + if (is_winnt) +#endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); } @@ -1034,7 +1359,12 @@ if (s->ttyfd != -1) { fprintf(stderr, "You must change your password now and login again!\n"); +#ifdef PASSWD_NEEDS_USERNAME + execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name, + (char *)NULL); +#else execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL); +#endif perror("passwd"); } else { fprintf(stderr, @@ -1048,8 +1378,15 @@ { /* Launch login(1). */ - execl("/usr/bin/login", "login", "-h", hostname, + execl(LOGIN_PROGRAM, "login", "-h", hostname, +#ifdef xxxLOGIN_NEEDS_TERM + (s->term ? s->term : "unknown"), +#endif /* LOGIN_NEEDS_TERM */ +#ifdef LOGIN_NO_ENDOPT + "-p", "-f", pw->pw_name, (char *)NULL); +#else "-p", "-f", "--", pw->pw_name, (char *)NULL); +#endif /* Login couldn't be executed, die. */ @@ -1120,15 +1457,40 @@ if (options.use_login && command != NULL) options.use_login = 0; +#ifdef _UNICOS + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _UNICOS */ + /* * Login(1) does this as well, and it needs uid 0 for the "-h" * switch, so we let login(1) to this for us. */ if (!options.use_login) { +#ifdef HAVE_OSF_SIA + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); + if (!check_quietlogin(s, command)) + do_motd(); +#else /* HAVE_OSF_SIA */ do_nologin(pw); do_setusercontext(pw); + /* + * PAM session modules in do_setusercontext may have + * generated messages, so if this in an interactive + * login then display them too. + */ + if (!check_quietlogin(s, command)) + display_loginmsg(); +#endif /* HAVE_OSF_SIA */ } +#ifdef USE_PAM + if (options.use_pam && !options.use_login && !is_pam_session_open()) { + debug3("PAM session not opened, exiting"); + display_loginmsg(); + exit(254); + } +#endif + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. @@ -1164,7 +1526,7 @@ */ environ = env; -#ifdef KRB5 +#if defined(KRB5) && defined(USE_AFS) /* * At this point, we check to see if AFS is active and if we have * a valid Kerberos 5 TGT. If so, it seems like a good idea to see @@ -1687,7 +2049,7 @@ /* Record that the user has logged out. */ if (s->pid != 0) - record_logout(s->pid, s->tty); + record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ if (getuid() == 0) @@ -1807,7 +2169,11 @@ } else if (WIFSIGNALED(status)) { channel_request_start(s->chanid, "exit-signal", 0); packet_put_cstring(sig2name(WTERMSIG(status))); +#ifdef WCOREDUMP packet_put_char(WCOREDUMP(status)); +#else /* WCOREDUMP */ + packet_put_char(0); +#endif /* WCOREDUMP */ packet_put_cstring(""); packet_put_cstring(""); packet_send(); @@ -1933,13 +2299,22 @@ { static char buf[1024]; int i; + char *cp; + buf[0] = '\0'; for (i = 0; i < MAX_SESSIONS; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1) { + + if (strncmp(s->tty, "/dev/", 5) != 0) { + cp = strrchr(s->tty, '/'); + cp = (cp == NULL) ? s->tty : cp + 1; + } else + cp = s->tty + 5; + if (buf[0] != '\0') strlcat(buf, ",", sizeof buf); - strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf); + strlcat(buf, cp, sizeof buf); } } if (buf[0] == '\0') @@ -2013,8 +2388,23 @@ s->display = xstrdup(display); s->auth_display = xstrdup(auth_display); } else { +#ifdef IPADDR_IN_DISPLAY + struct hostent *he; + struct in_addr my_addr; + + he = gethostbyname(hostname); + if (he == NULL) { + error("Can't get IP address for X11 DISPLAY."); + packet_send_debug("Can't get IP address for X11 DISPLAY."); + return 0; + } + memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr)); + snprintf(display, sizeof display, "%.50s:%u.%u", inet_ntoa(my_addr), + s->display_number, s->screen); +#else snprintf(display, sizeof display, "%.400s:%u.%u", hostname, s->display_number, s->screen); +#endif s->display = xstrdup(display); s->auth_display = xstrdup(display); } @@ -2055,6 +2445,13 @@ #ifdef GSSAPI if (compat20 && options.gss_cleanup_creds) ssh_gssapi_cleanup_creds(); +#endif + +#ifdef USE_PAM + if (options.use_pam) { + sshpam_cleanup(); + sshpam_thread_cleanup(); + } #endif /* remove agent socket */ diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp/Makefile openssh-4.2p1/sftp/Makefile --- ssh-openbsd-2005090100/sftp/Makefile Fri Nov 5 23:19:56 2004 +++ openssh-4.2p1/sftp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.9 2004/11/05 12:19:56 djm Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= sftp -BINOWN= root - -BINMODE?=555 - -BINDIR= /usr/bin -MAN= sftp.1 - -SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c - -.include - -LDADD+= -lcrypto -ledit -ltermcap -DPADD+= ${LIBCRYPTO} diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp-client.c openssh-4.2p1/sftp-client.c --- ssh-openbsd-2005090100/sftp-client.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/sftp-client.c Tue Aug 2 17:07:08 2005 @@ -22,7 +22,7 @@ #include "includes.h" RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $"); -#include +#include "openbsd-compat/sys-queue.h" #include "buffer.h" #include "bufaux.h" @@ -949,7 +949,11 @@ status = do_close(conn, handle, handle_len); /* Override umask and utimes if asked */ +#ifdef HAVE_FCHMOD if (pflag && fchmod(local_fd, mode) == -1) +#else + if (pflag && chmod(local_path, mode) == -1) +#endif /* HAVE_FCHMOD */ error("Couldn't set mode on \"%s\": %s", local_path, strerror(errno)); if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp-glob.c openssh-4.2p1/sftp-glob.c --- ssh-openbsd-2005090100/sftp-glob.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/sftp-glob.c Wed Feb 18 14:11:13 2004 @@ -17,8 +17,6 @@ #include "includes.h" RCSID("$OpenBSD: sftp-glob.c,v 1.15 2004/02/17 07:17:29 djm Exp $"); -#include - #include "buffer.h" #include "bufaux.h" #include "xmalloc.h" @@ -60,16 +58,40 @@ static struct dirent * fudge_readdir(struct SFTP_OPENDIR *od) { - static struct dirent ret; + /* Solaris needs sizeof(dirent) + path length (see below) */ + static char buf[sizeof(struct dirent) + MAXPATHLEN]; + struct dirent *ret = (struct dirent *)buf; +#ifdef __GNU_LIBRARY__ + static int inum = 1; +#endif /* __GNU_LIBRARY__ */ if (od->dir[od->offset] == NULL) return(NULL); - memset(&ret, 0, sizeof(ret)); - strlcpy(ret.d_name, od->dir[od->offset++]->filename, - sizeof(ret.d_name)); + memset(buf, 0, sizeof(buf)); - return(&ret); + /* + * Solaris defines dirent->d_name as a one byte array and expects + * you to hack around it. + */ +#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME + strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); +#else + strlcpy(ret->d_name, od->dir[od->offset++]->filename, + sizeof(ret->d_name)); +#endif +#ifdef __GNU_LIBRARY__ + /* + * Idiot glibc uses extensions to struct dirent for readdir with + * ALTDIRFUNCs. Not that this is documented anywhere but the + * source... Fake an inode number to appease it. + */ + ret->d_ino = inum++; + if (!inum) + inum = 1; +#endif /* __GNU_LIBRARY__ */ + + return(ret); } static void diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp-server/Makefile openssh-4.2p1/sftp-server/Makefile --- ssh-openbsd-2005090100/sftp-server/Makefile Sun Mar 4 10:59:36 2001 +++ openssh-4.2p1/sftp-server/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 2001/03/03 23:59:36 markus Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= sftp-server -BINOWN= root - -BINMODE?=555 - -BINDIR= /usr/libexec -MAN= sftp-server.8 - -SRCS= sftp-server.c sftp-common.c - -.include - -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp-server.8 openssh-4.2p1/sftp-server.8 --- ssh-openbsd-2005090100/sftp-server.8 Sat Jul 16 11:31:04 2005 +++ openssh-4.2p1/sftp-server.8 Wed Oct 15 15:50:43 2003 @@ -56,9 +56,8 @@ .%D January 2001 .%O work in progress material .Re -.Sh HISTORY -.Nm -first appeared in -.Ox 2.8 . .Sh AUTHORS .An Markus Friedl Aq markus@openbsd.org +.Sh HISTORY +.Nm +first appeared in OpenBSD 2.8 . diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp-server.c openssh-4.2p1/sftp-server.c --- ssh-openbsd-2005090100/sftp-server.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/sftp-server.c Fri Jun 17 12:59:35 2005 @@ -31,6 +31,8 @@ #define get_string(lenp) buffer_get_string(&iqueue, lenp); #define TRACE debug +extern char *__progname; + /* input and output queue */ Buffer iqueue; Buffer oqueue; @@ -425,7 +427,7 @@ len = get_int(); TRACE("read id %u handle %d off %llu len %d", id, handle, - (unsigned long long)off, len); + (u_int64_t)off, len); if (len > sizeof buf) { len = sizeof buf; logit("read change len %d", len); @@ -466,7 +468,7 @@ data = get_string(&len); TRACE("write id %u handle %d off %llu len %d", id, handle, - (unsigned long long)off, len); + (u_int64_t)off, len); fd = handle_to_fd(handle); if (fd >= 0) { if (lseek(fd, off, SEEK_SET) < 0) { @@ -607,13 +609,15 @@ u_int32_t id; int handle, fd, ret; int status = SSH2_FX_OK; + char *name; id = get_int(); handle = get_handle(); a = get_attrib(); TRACE("fsetstat id %u handle %d", id, handle); fd = handle_to_fd(handle); - if (fd < 0) { + name = handle_to_name(handle); + if (fd < 0 || name == NULL) { status = SSH2_FX_FAILURE; } else { if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { @@ -622,17 +626,29 @@ status = errno_to_portable(errno); } if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { +#ifdef HAVE_FCHMOD ret = fchmod(fd, a->perm & 0777); +#else + ret = chmod(name, a->perm & 0777); +#endif if (ret == -1) status = errno_to_portable(errno); } if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { +#ifdef HAVE_FUTIMES ret = futimes(fd, attrib_to_tv(a)); +#else + ret = utimes(name, attrib_to_tv(a)); +#endif if (ret == -1) status = errno_to_portable(errno); } if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { +#ifdef HAVE_FCHOWN ret = fchown(fd, a->uid, a->gid); +#else + ret = chown(name, a->uid, a->gid); +#endif if (ret == -1) status = errno_to_portable(errno); } @@ -820,7 +836,11 @@ else if (S_ISREG(sb.st_mode)) { /* Race-free rename of regular files */ if (link(oldpath, newpath) == -1) { - if (errno == EOPNOTSUPP) { + if (errno == EOPNOTSUPP +#ifdef LINK_OPNOTSUPP_ERRNO + || errno == LINK_OPNOTSUPP_ERRNO +#endif + ) { struct stat st; /* @@ -1018,6 +1038,7 @@ /* XXX should use getopt */ + __progname = ssh_get_progname(av[0]); handle_init(); #ifdef DEBUG_SFTP_SERVER @@ -1026,6 +1047,11 @@ in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); + +#ifdef HAVE_CYGWIN + setmode(in, O_BINARY); + setmode(out, O_BINARY); +#endif max = 0; if (in > max) diff -ruN --exclude CVS ssh-openbsd-2005090100/sftp.c openssh-4.2p1/sftp.c --- ssh-openbsd-2005090100/sftp.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/sftp.c Tue Aug 23 08:06:56 2005 @@ -18,8 +18,11 @@ RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $"); -#include +#ifdef USE_LIBEDIT #include +#else +typedef void EditLine; +#endif #include "buffer.h" #include "xmalloc.h" @@ -58,6 +61,8 @@ int remote_glob(struct sftp_conn *, const char *, int, int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */ +extern char *__progname; + /* Separators for interactive commands */ #define WHITESPACE " \t\r\n" @@ -1217,11 +1222,13 @@ return (0); } +#ifdef USE_LIBEDIT static char * prompt(EditLine *el) { return ("sftp> "); } +#endif int interactive_loop(int fd_in, int fd_out, char *file1, char *file2) @@ -1232,6 +1239,7 @@ struct sftp_conn *conn; int err, interactive; EditLine *el = NULL; +#ifdef USE_LIBEDIT History *hl = NULL; HistEvent hev; extern char *__progname; @@ -1250,6 +1258,7 @@ el_set(el, EL_SIGNAL, 1); el_source(el, NULL); } +#endif /* USE_LIBEDIT */ conn = do_init(fd_in, fd_out, copy_buffer_len, num_requests); if (conn == NULL) @@ -1286,15 +1295,18 @@ xfree(dir); } +#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF) setvbuf(stdout, NULL, _IOLBF, 0); setvbuf(infile, NULL, _IOLBF, 0); +#else + setlinebuf(stdout); + setlinebuf(infile); +#endif interactive = !batchmode && isatty(STDIN_FILENO); err = 0; for (;;) { char *cp; - const char *line; - int count = 0; signal(SIGINT, SIG_IGN); @@ -1313,15 +1325,20 @@ printf("\n"); } } else { +#ifdef USE_LIBEDIT + const char *line; + int count = 0; + if ((line = el_gets(el, &count)) == NULL || count <= 0) { printf("\n"); - break; + break; } history(hl, &hev, H_ENTER, line); if (strlcpy(cmd, line, sizeof(cmd)) >= sizeof(cmd)) { fprintf(stderr, "Error: input line too long\n"); continue; } +#endif /* USE_LIBEDIT */ } cp = strrchr(cmd, '\n'); @@ -1338,8 +1355,10 @@ } xfree(pwd); +#ifdef USE_LIBEDIT if (el != NULL) el_end(el); +#endif /* USE_LIBEDIT */ /* err == 1 signifies normal "quit" exit */ return (err >= 0 ? 0 : -1); @@ -1428,6 +1447,7 @@ extern int optind; extern char *optarg; + __progname = ssh_get_progname(argv[0]); args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-oForwardX11 no"); @@ -1554,6 +1574,11 @@ } err = interactive_loop(in, out, file1, file2); + +#if !defined(USE_PIPES) + shutdown(in, SHUT_RDWR); + shutdown(out, SHUT_RDWR); +#endif close(in); close(out); diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh/Makefile openssh-4.2p1/ssh/Makefile --- ssh-openbsd-2005090100/ssh/Makefile Fri Nov 21 22:57:03 2003 +++ openssh-4.2p1/ssh/Makefile Thu Jan 1 10:00:00 1970 @@ -1,32 +0,0 @@ -# $OpenBSD: Makefile,v 1.51 2003/11/21 11:57:03 djm Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= ssh -BINOWN= root - -#BINMODE?=4555 - -BINDIR= /usr/bin -MAN= ssh.1 ssh_config.5 -LINKS= ${BINDIR}/ssh ${BINDIR}/slogin -MLINKS= ssh.1 slogin.1 - -SRCS= ssh.c readconf.c clientloop.c sshtty.c \ - sshconnect.c sshconnect1.c sshconnect2.c - -.include # for AFS - -.if (${KERBEROS5:L} == "yes") -CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI -.endif # KERBEROS5 - -.include - -.if (${KERBEROS5:L} == "yes") -DPADD+= ${LIBGSSAPI} ${LIBKRB5} -LDADD+= -lgssapi -lkrb5 -.endif # KERBEROS5 - -DPADD+= ${LIBCRYPTO} ${LIBZ} ${LIBDES} -LDADD+= -lcrypto -lz -ldes diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-add/Makefile openssh-4.2p1/ssh-add/Makefile --- ssh-openbsd-2005090100/ssh-add/Makefile Sun Mar 4 11:51:25 2001 +++ openssh-4.2p1/ssh-add/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.20 2001/03/04 00:51:25 markus Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= ssh-add -BINOWN= root - -BINMODE?=555 - -BINDIR= /usr/bin -MAN= ssh-add.1 - -SRCS= ssh-add.c - -.include - -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-add.c openssh-4.2p1/ssh-add.c --- ssh-openbsd-2005090100/ssh-add.c Sun Jul 17 17:17:55 2005 +++ openssh-4.2p1/ssh-add.c Sun Jul 17 17:22:46 2005 @@ -312,6 +312,10 @@ char *sc_reader_id = NULL; int i, ch, deleting = 0, ret = 0; + __progname = ssh_get_progname(argv[0]); + init_rng(); + seed_rng(); + SSLeay_add_all_algorithms(); /* At first, get a connection to the authentication agent. */ diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-agent/Makefile openssh-4.2p1/ssh-agent/Makefile --- ssh-openbsd-2005090100/ssh-agent/Makefile Mon Aug 12 20:46:35 2002 +++ openssh-4.2p1/ssh-agent/Makefile Thu Jan 1 10:00:00 1970 @@ -1,19 +0,0 @@ -# $OpenBSD: Makefile,v 1.22 2002/08/12 10:46:35 markus Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= ssh-agent -BINOWN= root -BINGRP= _sshagnt - -BINMODE?=2555 - -BINDIR= /usr/bin -MAN= ssh-agent.1 - -SRCS= ssh-agent.c - -.include - -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-agent.c openssh-4.2p1/ssh-agent.c --- ssh-openbsd-2005090100/ssh-agent.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/ssh-agent.c Fri Nov 5 20:38:03 2004 @@ -34,7 +34,7 @@ */ #include "includes.h" -#include +#include "openbsd-compat/sys-queue.h" RCSID("$OpenBSD: ssh-agent.c,v 1.122 2004/10/29 22:53:56 djm Exp $"); #include @@ -56,6 +56,10 @@ #include "scard.h" #endif +#if defined(HAVE_SYS_PRCTL_H) +#include /* For prctl() and PR_SET_DUMPABLE */ +#endif + typedef enum { AUTH_UNUSED, AUTH_SOCKET, @@ -966,7 +970,7 @@ /* printf("Parent has died - Authentication agent exiting.\n"); */ cleanup_handler(sig); /* safe */ } - signal(SIGALRM, check_parent_exists); + mysignal(SIGALRM, check_parent_exists); alarm(10); errno = save_errno; } @@ -995,7 +999,10 @@ char *shell, *format, *pidstr, *agentsocket = NULL; fd_set *readsetp = NULL, *writesetp = NULL; struct sockaddr_un sunaddr; +#ifdef HAVE_SETRLIMIT struct rlimit rlim; +#endif + int prev_mask; extern int optind; extern char *optarg; pid_t pid; @@ -1005,8 +1012,17 @@ setegid(getgid()); setgid(getgid()); +#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ + prctl(PR_SET_DUMPABLE, 0); +#endif + SSLeay_add_all_algorithms(); + __progname = ssh_get_progname(av[0]); + init_rng(); + seed_rng(); + while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { switch (ch) { case 'c': @@ -1104,11 +1120,14 @@ memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path)); + prev_mask = umask(0177); if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) { perror("bind"); *socket_name = '\0'; /* Don't unlink any existing file */ + umask(prev_mask); cleanup_exit(1); } + umask(prev_mask); if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { perror("listen"); cleanup_exit(1); @@ -1170,17 +1189,19 @@ close(fd); } +#ifdef HAVE_SETRLIMIT /* deny core dumps, since memory contains unencrypted private keys */ rlim.rlim_cur = rlim.rlim_max = 0; if (setrlimit(RLIMIT_CORE, &rlim) < 0) { error("setrlimit RLIMIT_CORE: %s", strerror(errno)); cleanup_exit(1); } +#endif skip: new_socket(AUTH_SOCKET, sock); if (ac > 0) { - signal(SIGALRM, check_parent_exists); + mysignal(SIGALRM, check_parent_exists); alarm(10); } idtab_init(); diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-gss.h openssh-4.2p1/ssh-gss.h --- ssh-openbsd-2005090100/ssh-gss.h Sat Jul 16 11:31:05 2005 +++ openssh-4.2p1/ssh-gss.h Tue Jun 22 12:56:02 2004 @@ -30,7 +30,27 @@ #include "buffer.h" +#ifdef HAVE_GSSAPI_H #include +#elif defined(HAVE_GSSAPI_GSSAPI_H) +#include +#endif + +#ifdef KRB5 +# ifndef HEIMDAL +# ifdef HAVE_GSSAPI_GENERIC_H +# include +# elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) +# include +# endif + +/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ + +#ifndef GSS_C_NT_HOSTBASED_SERVICE +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif /* GSS_C_NT_... */ +#endif /* !HEIMDAL */ +#endif /* KRB5 */ /* draft-ietf-secsh-gsskeyex-06 */ #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-keygen/Makefile openssh-4.2p1/ssh-keygen/Makefile --- ssh-openbsd-2005090100/ssh-keygen/Makefile Mon Jul 28 19:49:56 2003 +++ openssh-4.2p1/ssh-keygen/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.22 2003/07/28 09:49:56 djm Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= ssh-keygen -BINOWN= root - -BINMODE?=555 - -BINDIR= /usr/bin -MAN= ssh-keygen.1 - -SRCS= ssh-keygen.c moduli.c - -.include - -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-keygen.c openssh-4.2p1/ssh-keygen.c --- ssh-openbsd-2005090100/ssh-keygen.c Sun Jul 17 17:17:55 2005 +++ openssh-4.2p1/ssh-keygen.c Sun Jul 17 17:22:46 2005 @@ -1018,8 +1018,13 @@ extern int optind; extern char *optarg; + __progname = ssh_get_progname(av[0]); + SSLeay_add_all_algorithms(); log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + + init_rng(); + seed_rng(); /* we need this for the home * directory. */ pw = getpwuid(getuid()); diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-keyscan/Makefile openssh-4.2p1/ssh-keyscan/Makefile --- ssh-openbsd-2005090100/ssh-keyscan/Makefile Mon Aug 6 09:18:20 2001 +++ openssh-4.2p1/ssh-keyscan/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.4 2001/08/05 23:18:20 markus Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= ssh-keyscan -BINOWN= root - -BINMODE?=555 - -BINDIR= /usr/bin -MAN= ssh-keyscan.1 - -SRCS= ssh-keyscan.c - -.include - -LDADD+= -lcrypto -lz -DPADD+= ${LIBCRYPTO} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-keyscan.c openssh-4.2p1/ssh-keyscan.c --- ssh-openbsd-2005090100/ssh-keyscan.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/ssh-keyscan.c Fri Jun 17 12:59:35 2005 @@ -9,8 +9,7 @@ #include "includes.h" RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $"); -#include -#include +#include "openbsd-compat/sys-queue.h" #include @@ -208,28 +207,38 @@ static int fdlim_get(int hard) { +#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE) struct rlimit rlfd; if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0) return (-1); if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY) - return sysconf(_SC_OPEN_MAX); + return SSH_SYSFDMAX; else return hard ? rlfd.rlim_max : rlfd.rlim_cur; +#else + return SSH_SYSFDMAX; +#endif } static int fdlim_set(int lim) { +#if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE) struct rlimit rlfd; +#endif if (lim <= 0) return (-1); +#if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE) if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0) return (-1); rlfd.rlim_cur = lim; if (setrlimit(RLIMIT_NOFILE, &rlfd) < 0) return (-1); +#elif defined (HAVE_SETDTABLESIZE) + setdtablesize(lim); +#endif return (0); } @@ -698,6 +707,9 @@ extern int optind; extern char *optarg; + __progname = ssh_get_progname(argv[0]); + init_rng(); + seed_rng(); TAILQ_INIT(&tq); if (argc <= 1) diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-keysign/Makefile openssh-4.2p1/ssh-keysign/Makefile --- ssh-openbsd-2005090100/ssh-keysign/Makefile Thu Jul 4 00:21:05 2002 +++ openssh-4.2p1/ssh-keysign/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 2002/07/03 14:21:05 markus Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= ssh-keysign -BINOWN= root - -BINMODE?=4555 - -BINDIR= /usr/libexec -MAN= ssh-keysign.8 - -SRCS= ssh-keysign.c readconf.c - -.include - -LDADD+= -lcrypto -lz -DPADD+= ${LIBCRYPTO} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-keysign.c openssh-4.2p1/ssh-keysign.c --- ssh-openbsd-2005090100/ssh-keysign.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/ssh-keysign.c Sun Aug 29 16:32:59 2004 @@ -46,6 +46,8 @@ /* XXX readconf.c needs these */ uid_t original_real_uid; +extern char *__progname; + static int valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, u_int datalen) @@ -155,6 +157,10 @@ pw = pwcopy(pw); permanently_set_uid(pw); + + init_rng(); + seed_rng(); + arc4random_stir(); #ifdef DEBUG_SSH_KEYSIGN log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-rand-helper.8 openssh-4.2p1/ssh-rand-helper.8 --- ssh-openbsd-2005090100/ssh-rand-helper.8 Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/ssh-rand-helper.8 Fri Nov 21 23:48:56 2003 @@ -0,0 +1,94 @@ +.\" $Id: ssh-rand-helper.8,v 1.2 2003/11/21 12:48:56 djm Exp $ +.\" +.\" Copyright (c) 2002 Damien Miller. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd April 14, 2002 +.Dt SSH-RAND-HELPER 8 +.Os +.Sh NAME +.Nm ssh-rand-helper +.Nd Random number gatherer for OpenSSH +.Sh SYNOPSIS +.Nm ssh-rand-hlper +.Op Fl vxXh +.Op Fl b Ar bytes +.Sh DESCRIPTION +.Nm +is a small helper program used by +.Xr ssh 1 , +.Xr ssh-add 1 , +.Xr ssh-agent 1 , +.Xr ssh-keygen 1 , +.Xr ssh-keyscan 1 +and +.Xr sshd 8 +to gather random numbers of cryptographic quality if the +.Xr openssl 4 +library has not been configured to provide them itself. +.Pp +Normally +.Nm +will generate a strong random seed and provide it to the calling +program via standard output. If standard output is a tty, +.Nm +will instead print the seed in hexidecimal format unless told otherwise. +.Pp +.Nm +will by default gather random numbers from the system commands listed +in +.Pa /etc/ssh/ssh_prng_cmds . +The output of each of the commands listed will be hashed and used to +generate a random seed for the calling program. +.Nm +will also store seed files in +.Pa ~/.ssh/prng_seed +between executions. +.Pp +Alternately, +.Nm +may be configured at build time to collect random numbers from a +EGD/PRNGd server via a unix domain or localhost tcp socket. +.Pp +This program is not intended to be run by the end-user, so the few +commandline options are for debugging purposes only. +.Bl -tag -width Ds +.It Fl b Ar bytes +Specify the number of random bytes to include in the output. +.It Fl x +Output a hexidecimal instead of a binary seed. +.It Fl X +Force output of a binary seed, even if standard output is a tty +.It Fl v +Turn on debugging message. Multiple +.Fl v +options will increase the debugging level. +.Fl h +Display a summary of options. +.El +.Sh AUTHORS +Damien Miller +.Sh SEE ALSO +.Xr ssh 1 , +.Xr ssh-add 1 , +.Xr ssh-keygen 1 , +.Xr sshd 8 diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh-rand-helper.c openssh-4.2p1/ssh-rand-helper.c --- ssh-openbsd-2005090100/ssh-rand-helper.c Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/ssh-rand-helper.c Sun Jul 17 17:26:44 2005 @@ -0,0 +1,902 @@ +/* + * Copyright (c) 2001-2002 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include +#include +#include + +/* SunOS 4.4.4 needs this */ +#ifdef HAVE_FLOATINGPOINT_H +# include +#endif /* HAVE_FLOATINGPOINT_H */ + +#include "misc.h" +#include "xmalloc.h" +#include "atomicio.h" +#include "pathnames.h" +#include "log.h" + +RCSID("$Id: ssh-rand-helper.c,v 1.26 2005/07/17 07:26:44 djm Exp $"); + +/* Number of bytes we write out */ +#define OUTPUT_SEED_SIZE 48 + +/* Length of on-disk seedfiles */ +#define SEED_FILE_SIZE 1024 + +/* Maximum number of command-line arguments to read from file */ +#define NUM_ARGS 10 + +/* Minimum number of usable commands to be considered sufficient */ +#define MIN_ENTROPY_SOURCES 16 + +/* Path to on-disk seed file (relative to user's home directory */ +#ifndef SSH_PRNG_SEED_FILE +# define SSH_PRNG_SEED_FILE _PATH_SSH_USER_DIR"/prng_seed" +#endif + +/* Path to PRNG commands list */ +#ifndef SSH_PRNG_COMMAND_FILE +# define SSH_PRNG_COMMAND_FILE SSHDIR "/ssh_prng_cmds" +#endif + +extern char *__progname; + +#define WHITESPACE " \t\n" + +#ifndef RUSAGE_SELF +# define RUSAGE_SELF 0 +#endif +#ifndef RUSAGE_CHILDREN +# define RUSAGE_CHILDREN 0 +#endif + +#if !defined(PRNGD_SOCKET) && !defined(PRNGD_PORT) +# define USE_SEED_FILES +#endif + +typedef struct { + /* Proportion of data that is entropy */ + double rate; + /* Counter goes positive if this command times out */ + unsigned int badness; + /* Increases by factor of two each timeout */ + unsigned int sticky_badness; + /* Path to executable */ + char *path; + /* argv to pass to executable */ + char *args[NUM_ARGS]; /* XXX: arbitrary limit */ + /* full command string (debug) */ + char *cmdstring; +} entropy_cmd_t; + +/* slow command timeouts (all in milliseconds) */ +/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */ +static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; + +/* this is initialised from a file, by prng_read_commands() */ +static entropy_cmd_t *entropy_cmds = NULL; + +/* Prototypes */ +double stir_from_system(void); +double stir_from_programs(void); +double stir_gettimeofday(double entropy_estimate); +double stir_clock(double entropy_estimate); +double stir_rusage(int who, double entropy_estimate); +double hash_command_output(entropy_cmd_t *src, unsigned char *hash); +int get_random_bytes_prngd(unsigned char *buf, int len, + unsigned short tcp_port, char *socket_path); + +/* + * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon + * listening either on 'tcp_port', or via Unix domain socket at * + * 'socket_path'. + * Either a non-zero tcp_port or a non-null socket_path must be + * supplied. + * Returns 0 on success, -1 on error + */ +int +get_random_bytes_prngd(unsigned char *buf, int len, + unsigned short tcp_port, char *socket_path) +{ + int fd, addr_len, rval, errors; + u_char msg[2]; + struct sockaddr_storage addr; + struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr; + struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr; + mysig_t old_sigpipe; + + /* Sanity checks */ + if (socket_path == NULL && tcp_port == 0) + fatal("You must specify a port or a socket"); + if (socket_path != NULL && + strlen(socket_path) >= sizeof(addr_un->sun_path)) + fatal("Random pool path is too long"); + if (len <= 0 || len > 255) + fatal("Too many bytes (%d) to read from PRNGD", len); + + memset(&addr, '\0', sizeof(addr)); + + if (tcp_port != 0) { + addr_in->sin_family = AF_INET; + addr_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK); + addr_in->sin_port = htons(tcp_port); + addr_len = sizeof(*addr_in); + } else { + addr_un->sun_family = AF_UNIX; + strlcpy(addr_un->sun_path, socket_path, + sizeof(addr_un->sun_path)); + addr_len = offsetof(struct sockaddr_un, sun_path) + + strlen(socket_path) + 1; + } + + old_sigpipe = mysignal(SIGPIPE, SIG_IGN); + + errors = 0; + rval = -1; +reopen: + fd = socket(addr.ss_family, SOCK_STREAM, 0); + if (fd == -1) { + error("Couldn't create socket: %s", strerror(errno)); + goto done; + } + + if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { + if (tcp_port != 0) { + error("Couldn't connect to PRNGD port %d: %s", + tcp_port, strerror(errno)); + } else { + error("Couldn't connect to PRNGD socket \"%s\": %s", + addr_un->sun_path, strerror(errno)); + } + goto done; + } + + /* Send blocking read request to PRNGD */ + msg[0] = 0x02; + msg[1] = len; + + if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) { + if (errno == EPIPE && errors < 10) { + close(fd); + errors++; + goto reopen; + } + error("Couldn't write to PRNGD socket: %s", + strerror(errno)); + goto done; + } + + if (atomicio(read, fd, buf, len) != (size_t)len) { + if (errno == EPIPE && errors < 10) { + close(fd); + errors++; + goto reopen; + } + error("Couldn't read from PRNGD socket: %s", + strerror(errno)); + goto done; + } + + rval = 0; +done: + mysignal(SIGPIPE, old_sigpipe); + if (fd != -1) + close(fd); + return rval; +} + +static int +seed_from_prngd(unsigned char *buf, size_t bytes) +{ +#ifdef PRNGD_PORT + debug("trying egd/prngd port %d", PRNGD_PORT); + if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == 0) + return 0; +#endif +#ifdef PRNGD_SOCKET + debug("trying egd/prngd socket %s", PRNGD_SOCKET); + if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == 0) + return 0; +#endif + return -1; +} + +double +stir_gettimeofday(double entropy_estimate) +{ + struct timeval tv; + + if (gettimeofday(&tv, NULL) == -1) + fatal("Couldn't gettimeofday: %s", strerror(errno)); + + RAND_add(&tv, sizeof(tv), entropy_estimate); + + return entropy_estimate; +} + +double +stir_clock(double entropy_estimate) +{ +#ifdef HAVE_CLOCK + clock_t c; + + c = clock(); + RAND_add(&c, sizeof(c), entropy_estimate); + + return entropy_estimate; +#else /* _HAVE_CLOCK */ + return 0; +#endif /* _HAVE_CLOCK */ +} + +double +stir_rusage(int who, double entropy_estimate) +{ +#ifdef HAVE_GETRUSAGE + struct rusage ru; + + if (getrusage(who, &ru) == -1) + return 0; + + RAND_add(&ru, sizeof(ru), entropy_estimate); + + return entropy_estimate; +#else /* _HAVE_GETRUSAGE */ + return 0; +#endif /* _HAVE_GETRUSAGE */ +} + +static int +timeval_diff(struct timeval *t1, struct timeval *t2) +{ + int secdiff, usecdiff; + + secdiff = t2->tv_sec - t1->tv_sec; + usecdiff = (secdiff*1000000) + (t2->tv_usec - t1->tv_usec); + return (int)(usecdiff / 1000); +} + +double +hash_command_output(entropy_cmd_t *src, unsigned char *hash) +{ + char buf[8192]; + fd_set rdset; + int bytes_read, cmd_eof, error_abort, msec_elapsed, p[2]; + int status, total_bytes_read; + static int devnull = -1; + pid_t pid; + SHA_CTX sha; + struct timeval tv_start, tv_current; + + debug3("Reading output from \'%s\'", src->cmdstring); + + if (devnull == -1) { + devnull = open("/dev/null", O_RDWR); + if (devnull == -1) + fatal("Couldn't open /dev/null: %s", + strerror(errno)); + } + + if (pipe(p) == -1) + fatal("Couldn't open pipe: %s", strerror(errno)); + + (void)gettimeofday(&tv_start, NULL); /* record start time */ + + switch (pid = fork()) { + case -1: /* Error */ + close(p[0]); + close(p[1]); + fatal("Couldn't fork: %s", strerror(errno)); + /* NOTREACHED */ + case 0: /* Child */ + dup2(devnull, STDIN_FILENO); + dup2(p[1], STDOUT_FILENO); + dup2(p[1], STDERR_FILENO); + close(p[0]); + close(p[1]); + close(devnull); + + execv(src->path, (char**)(src->args)); + + debug("(child) Couldn't exec '%s': %s", + src->cmdstring, strerror(errno)); + _exit(-1); + default: /* Parent */ + break; + } + + RAND_add(&pid, sizeof(&pid), 0.0); + + close(p[1]); + + /* Hash output from child */ + SHA1_Init(&sha); + + cmd_eof = error_abort = msec_elapsed = total_bytes_read = 0; + while (!error_abort && !cmd_eof) { + int ret; + struct timeval tv; + int msec_remaining; + + (void) gettimeofday(&tv_current, 0); + msec_elapsed = timeval_diff(&tv_start, &tv_current); + if (msec_elapsed >= entropy_timeout_current) { + error_abort=1; + continue; + } + msec_remaining = entropy_timeout_current - msec_elapsed; + + FD_ZERO(&rdset); + FD_SET(p[0], &rdset); + tv.tv_sec = msec_remaining / 1000; + tv.tv_usec = (msec_remaining % 1000) * 1000; + + ret = select(p[0] + 1, &rdset, NULL, NULL, &tv); + + RAND_add(&tv, sizeof(tv), 0.0); + + switch (ret) { + case 0: + /* timer expired */ + error_abort = 1; + kill(pid, SIGINT); + break; + case 1: + /* command input */ + do { + bytes_read = read(p[0], buf, sizeof(buf)); + } while (bytes_read == -1 && errno == EINTR); + RAND_add(&bytes_read, sizeof(&bytes_read), 0.0); + if (bytes_read == -1) { + error_abort = 1; + break; + } else if (bytes_read) { + SHA1_Update(&sha, buf, bytes_read); + total_bytes_read += bytes_read; + } else { + cmd_eof = 1; + } + break; + case -1: + default: + /* error */ + debug("Command '%s': select() failed: %s", + src->cmdstring, strerror(errno)); + error_abort = 1; + break; + } + } + + SHA1_Final(hash, &sha); + + close(p[0]); + + debug3("Time elapsed: %d msec", msec_elapsed); + + if (waitpid(pid, &status, 0) == -1) { + error("Couldn't wait for child '%s' completion: %s", + src->cmdstring, strerror(errno)); + return 0.0; + } + + RAND_add(&status, sizeof(&status), 0.0); + + if (error_abort) { + /* + * Closing p[0] on timeout causes the entropy command to + * SIGPIPE. Take whatever output we got, and mark this + * command as slow + */ + debug2("Command '%s' timed out", src->cmdstring); + src->sticky_badness *= 2; + src->badness = src->sticky_badness; + return total_bytes_read; + } + + if (WIFEXITED(status)) { + if (WEXITSTATUS(status) == 0) { + return total_bytes_read; + } else { + debug2("Command '%s' exit status was %d", + src->cmdstring, WEXITSTATUS(status)); + src->badness = src->sticky_badness = 128; + return 0.0; + } + } else if (WIFSIGNALED(status)) { + debug2("Command '%s' returned on uncaught signal %d !", + src->cmdstring, status); + src->badness = src->sticky_badness = 128; + return 0.0; + } else + return 0.0; +} + +double +stir_from_system(void) +{ + double total_entropy_estimate; + long int i; + + total_entropy_estimate = 0; + + i = getpid(); + RAND_add(&i, sizeof(i), 0.5); + total_entropy_estimate += 0.1; + + i = getppid(); + RAND_add(&i, sizeof(i), 0.5); + total_entropy_estimate += 0.1; + + i = getuid(); + RAND_add(&i, sizeof(i), 0.0); + i = getgid(); + RAND_add(&i, sizeof(i), 0.0); + + total_entropy_estimate += stir_gettimeofday(1.0); + total_entropy_estimate += stir_clock(0.5); + total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0); + + return total_entropy_estimate; +} + +double +stir_from_programs(void) +{ + int c; + double entropy, total_entropy; + unsigned char hash[SHA_DIGEST_LENGTH]; + + total_entropy = 0; + for(c = 0; entropy_cmds[c].path != NULL; c++) { + if (!entropy_cmds[c].badness) { + /* Hash output from command */ + entropy = hash_command_output(&entropy_cmds[c], + hash); + + /* Scale back estimate by command's rate */ + entropy *= entropy_cmds[c].rate; + + /* Upper bound of entropy is SHA_DIGEST_LENGTH */ + if (entropy > SHA_DIGEST_LENGTH) + entropy = SHA_DIGEST_LENGTH; + + /* Stir it in */ + RAND_add(hash, sizeof(hash), entropy); + + debug3("Got %0.2f bytes of entropy from '%s'", + entropy, entropy_cmds[c].cmdstring); + + total_entropy += entropy; + + /* Execution time should be a bit unpredictable */ + total_entropy += stir_gettimeofday(0.05); + total_entropy += stir_clock(0.05); + total_entropy += stir_rusage(RUSAGE_SELF, 0.1); + total_entropy += stir_rusage(RUSAGE_CHILDREN, 0.1); + } else { + debug2("Command '%s' disabled (badness %d)", + entropy_cmds[c].cmdstring, + entropy_cmds[c].badness); + + if (entropy_cmds[c].badness > 0) + entropy_cmds[c].badness--; + } + } + + return total_entropy; +} + +/* + * prng seedfile functions + */ +int +prng_check_seedfile(char *filename) +{ + struct stat st; + + /* + * XXX raceable: eg replace seed between this stat and subsequent + * open. Not such a problem because we don't really trust the + * seed file anyway. + * XXX: use secure path checking as elsewhere in OpenSSH + */ + if (lstat(filename, &st) == -1) { + /* Give up on hard errors */ + if (errno != ENOENT) + debug("WARNING: Couldn't stat random seed file " + "\"%.100s\": %s", filename, strerror(errno)); + return 0; + } + + /* regular file? */ + if (!S_ISREG(st.st_mode)) + fatal("PRNG seedfile %.100s is not a regular file", + filename); + + /* mode 0600, owned by root or the current user? */ + if (((st.st_mode & 0177) != 0) || !(st.st_uid == getuid())) { + debug("WARNING: PRNG seedfile %.100s must be mode 0600, " + "owned by uid %li", filename, (long int)getuid()); + return 0; + } + + return 1; +} + +void +prng_write_seedfile(void) +{ + int fd, save_errno; + unsigned char seed[SEED_FILE_SIZE]; + char filename[MAXPATHLEN], tmpseed[MAXPATHLEN]; + struct passwd *pw; + mode_t old_umask; + + pw = getpwuid(getuid()); + if (pw == NULL) + fatal("Couldn't get password entry for current user " + "(%li): %s", (long int)getuid(), strerror(errno)); + + /* Try to ensure that the parent directory is there */ + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + _PATH_SSH_USER_DIR); + mkdir(filename, 0700); + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_PRNG_SEED_FILE); + + strlcpy(tmpseed, filename, sizeof(tmpseed)); + if (strlcat(tmpseed, ".XXXXXXXXXX", sizeof(tmpseed)) >= + sizeof(tmpseed)) + fatal("PRNG seed filename too long"); + + if (RAND_bytes(seed, sizeof(seed)) <= 0) + fatal("PRNG seed extraction failed"); + + /* Don't care if the seed doesn't exist */ + prng_check_seedfile(filename); + + old_umask = umask(0177); + + if ((fd = mkstemp(tmpseed)) == -1) { + debug("WARNING: couldn't make temporary PRNG seedfile %.100s " + "(%.100s)", tmpseed, strerror(errno)); + } else { + debug("writing PRNG seed to file %.100s", tmpseed); + if (atomicio(vwrite, fd, &seed, sizeof(seed)) < sizeof(seed)) { + save_errno = errno; + close(fd); + unlink(tmpseed); + fatal("problem writing PRNG seedfile %.100s " + "(%.100s)", filename, strerror(save_errno)); + } + close(fd); + debug("moving temporary PRNG seed to file %.100s", filename); + if (rename(tmpseed, filename) == -1) { + save_errno = errno; + unlink(tmpseed); + fatal("problem renaming PRNG seedfile from %.100s " + "to %.100s (%.100s)", tmpseed, filename, + strerror(save_errno)); + } + } + umask(old_umask); +} + +void +prng_read_seedfile(void) +{ + int fd; + char seed[SEED_FILE_SIZE], filename[MAXPATHLEN]; + struct passwd *pw; + + pw = getpwuid(getuid()); + if (pw == NULL) + fatal("Couldn't get password entry for current user " + "(%li): %s", (long int)getuid(), strerror(errno)); + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_PRNG_SEED_FILE); + + debug("loading PRNG seed from file %.100s", filename); + + if (!prng_check_seedfile(filename)) { + verbose("Random seed file not found or invalid, ignoring."); + return; + } + + /* open the file and read in the seed */ + fd = open(filename, O_RDONLY); + if (fd == -1) + fatal("could not open PRNG seedfile %.100s (%.100s)", + filename, strerror(errno)); + + if (atomicio(read, fd, &seed, sizeof(seed)) < sizeof(seed)) { + verbose("invalid or short read from PRNG seedfile " + "%.100s - ignoring", filename); + memset(seed, '\0', sizeof(seed)); + } + close(fd); + + /* stir in the seed, with estimated entropy zero */ + RAND_add(&seed, sizeof(seed), 0.0); +} + + +/* + * entropy command initialisation functions + */ +int +prng_read_commands(char *cmdfilename) +{ + char cmd[SEED_FILE_SIZE], *cp, line[1024], path[SEED_FILE_SIZE]; + double est; + entropy_cmd_t *entcmd; + FILE *f; + int cur_cmd, linenum, num_cmds, arg; + + if ((f = fopen(cmdfilename, "r")) == NULL) { + fatal("couldn't read entropy commands file %.100s: %.100s", + cmdfilename, strerror(errno)); + } + + num_cmds = 64; + entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t)); + memset(entcmd, '\0', num_cmds * sizeof(entropy_cmd_t)); + + /* Read in file */ + cur_cmd = linenum = 0; + while (fgets(line, sizeof(line), f)) { + linenum++; + + /* Skip leading whitespace, blank lines and comments */ + cp = line + strspn(line, WHITESPACE); + if ((*cp == 0) || (*cp == '#')) + continue; /* done with this line */ + + /* + * The first non-whitespace char should be a double quote + * delimiting the commandline + */ + if (*cp != '"') { + error("bad entropy command, %.100s line %d", + cmdfilename, linenum); + continue; + } + + /* + * First token, command args (incl. argv[0]) in double + * quotes + */ + cp = strtok(cp, "\""); + if (cp == NULL) { + error("missing or bad command string, %.100s " + "line %d -- ignored", cmdfilename, linenum); + continue; + } + strlcpy(cmd, cp, sizeof(cmd)); + + /* Second token, full command path */ + if ((cp = strtok(NULL, WHITESPACE)) == NULL) { + error("missing command path, %.100s " + "line %d -- ignored", cmdfilename, linenum); + continue; + } + + /* Did configure mark this as dead? */ + if (strncmp("undef", cp, 5) == 0) + continue; + + strlcpy(path, cp, sizeof(path)); + + /* Third token, entropy rate estimate for this command */ + if ((cp = strtok(NULL, WHITESPACE)) == NULL) { + error("missing entropy estimate, %.100s " + "line %d -- ignored", cmdfilename, linenum); + continue; + } + est = strtod(cp, NULL); + + /* end of line */ + if ((cp = strtok(NULL, WHITESPACE)) != NULL) { + error("garbage at end of line %d in %.100s " + "-- ignored", linenum, cmdfilename); + continue; + } + + /* save the command for debug messages */ + entcmd[cur_cmd].cmdstring = xstrdup(cmd); + + /* split the command args */ + cp = strtok(cmd, WHITESPACE); + arg = 0; + do { + entcmd[cur_cmd].args[arg] = xstrdup(cp); + arg++; + } while(arg < NUM_ARGS && (cp = strtok(NULL, WHITESPACE))); + + if (strtok(NULL, WHITESPACE)) + error("ignored extra commands (max %d), %.100s " + "line %d", NUM_ARGS, cmdfilename, linenum); + + /* Copy the command path and rate estimate */ + entcmd[cur_cmd].path = xstrdup(path); + entcmd[cur_cmd].rate = est; + + /* Initialise other values */ + entcmd[cur_cmd].sticky_badness = 1; + + cur_cmd++; + + /* + * If we've filled the array, reallocate it twice the size + * Do this now because even if this we're on the last + * command we need another slot to mark the last entry + */ + if (cur_cmd == num_cmds) { + num_cmds *= 2; + entcmd = xrealloc(entcmd, num_cmds * + sizeof(entropy_cmd_t)); + } + } + + /* zero the last entry */ + memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t)); + + /* trim to size */ + entropy_cmds = xrealloc(entcmd, (cur_cmd + 1) * + sizeof(entropy_cmd_t)); + + debug("Loaded %d entropy commands from %.100s", cur_cmd, + cmdfilename); + + return cur_cmd < MIN_ENTROPY_SOURCES ? -1 : 0; +} + +void +usage(void) +{ + fprintf(stderr, "Usage: %s [options]\n", __progname); + fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); + fprintf(stderr, " Multiple -v increases verbosity.\n"); + fprintf(stderr, " -x Force output in hexadecimal (for debugging)\n"); + fprintf(stderr, " -X Force output in binary\n"); + fprintf(stderr, " -b bytes Number of bytes to output (default %d)\n", + OUTPUT_SEED_SIZE); +} + +int +main(int argc, char **argv) +{ + unsigned char *buf; + int ret, ch, debug_level, output_hex, bytes; + extern char *optarg; + LogLevel ll; + + __progname = ssh_get_progname(argv[0]); + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + + ll = SYSLOG_LEVEL_INFO; + debug_level = output_hex = 0; + bytes = OUTPUT_SEED_SIZE; + + /* Don't write binary data to a tty, unless we are forced to */ + if (isatty(STDOUT_FILENO)) + output_hex = 1; + + while ((ch = getopt(argc, argv, "vxXhb:")) != -1) { + switch (ch) { + case 'v': + if (debug_level < 3) + ll = SYSLOG_LEVEL_DEBUG1 + debug_level++; + break; + case 'x': + output_hex = 1; + break; + case 'X': + output_hex = 0; + break; + case 'b': + if ((bytes = atoi(optarg)) <= 0) + fatal("Invalid number of output bytes"); + break; + case 'h': + usage(); + exit(0); + default: + error("Invalid commandline option"); + usage(); + } + } + + log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1); + +#ifdef USE_SEED_FILES + prng_read_seedfile(); +#endif + + buf = xmalloc(bytes); + + /* + * Seed the RNG from wherever we can + */ + + /* Take whatever is on the stack, but don't credit it */ + RAND_add(buf, bytes, 0); + + debug("Seeded RNG with %i bytes from system calls", + (int)stir_from_system()); + + /* try prngd, fall back to commands if prngd fails or not configured */ + if (seed_from_prngd(buf, bytes) == 0) { + RAND_add(buf, bytes, bytes); + } else { + /* Read in collection commands */ + if (prng_read_commands(SSH_PRNG_COMMAND_FILE) == -1) + fatal("PRNG initialisation failed -- exiting."); + debug("Seeded RNG with %i bytes from programs", + (int)stir_from_programs()); + } + +#ifdef USE_SEED_FILES + prng_write_seedfile(); +#endif + + /* + * Write the seed to stdout + */ + + if (!RAND_status()) + fatal("Not enough entropy in RNG"); + + if (RAND_bytes(buf, bytes) <= 0) + fatal("Couldn't extract entropy from PRNG"); + + if (output_hex) { + for(ret = 0; ret < bytes; ret++) + printf("%02x", (unsigned char)(buf[ret])); + printf("\n"); + } else + ret = atomicio(vwrite, STDOUT_FILENO, buf, bytes); + + memset(buf, '\0', bytes); + xfree(buf); + + return ret == bytes ? 0 : 1; +} + +/* + * We may attempt to re-seed during mkstemp if we are using the one in the + * compat library (via mkstemp -> _gettemp -> arc4random -> seed_rng) so we + * need our own seed_rng(). We must also check that we have enough entropy. + */ +void +seed_rng(void) +{ + if (!RAND_status()) + fatal("Not enough entropy in RNG"); +} diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh.c openssh-4.2p1/ssh.c --- ssh-openbsd-2005090100/ssh.c Fri Aug 12 22:07:52 2005 +++ openssh-4.2p1/ssh.c Fri Aug 12 22:10:56 2005 @@ -188,6 +188,9 @@ struct servent *sp; Forward fwd; + __progname = ssh_get_progname(av[0]); + init_rng(); + /* * Save the original real uid. It will be needed later (uid-swapping * may clobber the real uid). @@ -204,6 +207,7 @@ */ PRIV_END; +#ifdef HAVE_SETRLIMIT /* If we are installed setuid root be careful to not drop core. */ if (original_real_uid != original_effective_uid) { struct rlimit rlim; @@ -211,6 +215,7 @@ if (setrlimit(RLIMIT_CORE, &rlim) < 0) fatal("setrlimit failed: %.100s", strerror(errno)); } +#endif /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { @@ -328,7 +333,7 @@ /* FALLTHROUGH */ case 'V': fprintf(stderr, "%s, %s\n", - SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); if (opt == 'V') exit(0); break; @@ -587,6 +592,8 @@ /* reinit */ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); + seed_rng(); + if (options.user == NULL) options.user = xstrdup(pw->pw_name); @@ -629,7 +636,11 @@ /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, +#ifdef HAVE_CYGWIN + options.use_privileged_port, +#else original_effective_uid == 0 && options.use_privileged_port, +#endif options.proxy_command) != 0) exit(1); @@ -981,6 +992,7 @@ { struct sockaddr_un addr; mode_t old_umask; + int addr_len; if (options.control_path == NULL || options.control_master == SSHCTL_MASTER_NO) @@ -990,7 +1002,7 @@ memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; - addr.sun_len = offsetof(struct sockaddr_un, sun_path) + + addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(options.control_path) + 1; if (strlcpy(addr.sun_path, options.control_path, @@ -1001,7 +1013,7 @@ fatal("%s socket(): %s\n", __func__, strerror(errno)); old_umask = umask(0177); - if (bind(control_fd, (struct sockaddr*)&addr, addr.sun_len) == -1) { + if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) { control_fd = -1; if (errno == EINVAL || errno == EADDRINUSE) fatal("ControlSocket %s already exists", @@ -1195,7 +1207,7 @@ control_client(const char *path) { struct sockaddr_un addr; - int i, r, fd, sock, exitval, num_env; + int i, r, fd, sock, exitval, num_env, addr_len; Buffer m; char *term; extern char **environ; @@ -1217,7 +1229,7 @@ memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; - addr.sun_len = offsetof(struct sockaddr_un, sun_path) + + addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1; if (strlcpy(addr.sun_path, path, @@ -1227,7 +1239,7 @@ if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) fatal("%s socket(): %s", __func__, strerror(errno)); - if (connect(sock, (struct sockaddr*)&addr, addr.sun_len) == -1) { + if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) { if (mux_command != SSHMUX_COMMAND_OPEN) { fatal("Control socket connect(%.100s): %s", path, strerror(errno)); diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh.h openssh-4.2p1/ssh.h --- ssh-openbsd-2005090100/ssh.h Sat Jul 16 11:31:06 2005 +++ openssh-4.2p1/ssh.h Mon Dec 6 22:47:42 2004 @@ -15,6 +15,15 @@ #ifndef SSH_H #define SSH_H +#include /* For struct sockaddr_in */ +#include /* For struct pw */ +#include /* For va_list */ +#include /* For LOG_AUTH and friends */ +#include /* For struct sockaddr_storage */ +#ifdef HAVE_SYS_SELECT_H +# include +#endif + /* Cipher used for encrypting authentication files. */ #define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES @@ -94,7 +103,9 @@ * sshd will change its privileges to this user and its * primary group. */ +#ifndef SSH_PRIVSEP_USER #define SSH_PRIVSEP_USER "sshd" +#endif /* Minimum modulus size (n) for RSA keys. */ #define SSH_RSA_MINIMUM_MODULUS_SIZE 768 diff -ruN --exclude CVS ssh-openbsd-2005090100/ssh_prng_cmds.in openssh-4.2p1/ssh_prng_cmds.in --- ssh-openbsd-2005090100/ssh_prng_cmds.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/ssh_prng_cmds.in Fri Nov 21 23:48:56 2003 @@ -0,0 +1,75 @@ +# entropy gathering commands + +# Format is: "program-name args" path rate + +# The "rate" represents the number of bits of usuable entropy per +# byte of command output. Be conservative. +# +# $Id: ssh_prng_cmds.in,v 1.9 2003/11/21 12:48:56 djm Exp $ + +"ls -alni /var/log" @PROG_LS@ 0.02 +"ls -alni /var/adm" @PROG_LS@ 0.02 +"ls -alni /usr/adm" @PROG_LS@ 0.02 +"ls -alni /var/mail" @PROG_LS@ 0.02 +"ls -alni /usr/mail" @PROG_LS@ 0.02 +"ls -alni /var/adm/syslog" @PROG_LS@ 0.02 +"ls -alni /usr/adm/syslog" @PROG_LS@ 0.02 +"ls -alni /var/spool/mail" @PROG_LS@ 0.02 +"ls -alni /proc" @PROG_LS@ 0.02 +"ls -alni /tmp" @PROG_LS@ 0.02 +"ls -alni /var/tmp" @PROG_LS@ 0.02 +"ls -alni /usr/tmp" @PROG_LS@ 0.02 +"ls -alTi /var/log" @PROG_LS@ 0.02 +"ls -alTi /var/adm" @PROG_LS@ 0.02 +"ls -alTi /var/mail" @PROG_LS@ 0.02 +"ls -alTi /var/adm/syslog" @PROG_LS@ 0.02 +"ls -alTi /var/spool/mail" @PROG_LS@ 0.02 +"ls -alTi /proc" @PROG_LS@ 0.02 +"ls -alTi /tmp" @PROG_LS@ 0.02 +"ls -alTi /var/tmp" @PROG_LS@ 0.02 +"ls -alTi /usr/tmp" @PROG_LS@ 0.02 + +"netstat -an" @PROG_NETSTAT@ 0.05 +"netstat -in" @PROG_NETSTAT@ 0.05 +"netstat -rn" @PROG_NETSTAT@ 0.02 +"netstat -pn" @PROG_NETSTAT@ 0.02 +"netstat -ia" @PROG_NETSTAT@ 0.05 +"netstat -s" @PROG_NETSTAT@ 0.02 +"netstat -is" @PROG_NETSTAT@ 0.07 + +"arp -n -a" @PROG_ARP@ 0.02 + +"ifconfig -a" @PROG_IFCONFIG@ 0.02 + +"ps laxww" @PROG_PS@ 0.03 +"ps -al" @PROG_PS@ 0.03 +"ps -efl" @PROG_PS@ 0.03 +"jstat" @PROG_JSTAT@ 0.07 + +"w" @PROG_W@ 0.05 + +"who -i" @PROG_WHO@ 0.01 + +"last" @PROG_LAST@ 0.01 + +"lastlog" @PROG_LASTLOG@ 0.01 + +"df" @PROG_DF@ 0.01 +"df -i" @PROG_DF@ 0.01 + +"sar -d" @PROG_SAR@ 0.04 + +"vmstat" @PROG_VMSTAT@ 0.01 +"uptime" @PROG_UPTIME@ 0.01 + +"ipcs -a" @PROG_IPCS@ 0.01 + +"tail -200 /var/log/messages" @PROG_TAIL@ 0.01 +"tail -200 /var/log/syslog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/messages" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/syslog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/syslog/syslog.log" @PROG_TAIL@ 0.01 +"tail -200 /var/log/maillog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/maillog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/syslog/mail.log" @PROG_TAIL@ 0.01 + diff -ruN --exclude CVS ssh-openbsd-2005090100/sshconnect.c openssh-4.2p1/sshconnect.c --- ssh-openbsd-2005090100/sshconnect.c Sun Jul 17 17:17:55 2005 +++ openssh-4.2p1/sshconnect.c Sun Jul 17 17:22:46 2005 @@ -46,6 +46,10 @@ extern uid_t original_effective_uid; extern pid_t proxy_command_pid; +#ifndef INET6_ADDRSTRLEN /* for non IPv6 machines */ +#define INET6_ADDRSTRLEN 46 +#endif + static int show_other_keys(const char *, Key *); static void warn_changed_key(Key *); @@ -525,6 +529,7 @@ HostStatus host_status; HostStatus ip_status; int r, local = 0, host_ip_differ = 0; + int salen; char ntop[NI_MAXHOST]; char msg[1024]; int len, host_line, ip_line; @@ -543,13 +548,16 @@ case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)-> sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; + salen = sizeof(struct sockaddr_in); break; case AF_INET6: local = IN6_IS_ADDR_LOOPBACK( &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); + salen = sizeof(struct sockaddr_in6); break; default: local = 0; + salen = sizeof(struct sockaddr_storage); break; } if (options.no_host_authentication_for_localhost == 1 && local && @@ -564,7 +572,7 @@ * using a proxy command */ if (options.proxy_command == NULL) { - if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop), + if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("check_host_key: getnameinfo failed"); ip = xstrdup(ntop); diff -ruN --exclude CVS ssh-openbsd-2005090100/sshconnect2.c openssh-4.2p1/sshconnect2.c --- ssh-openbsd-2005090100/sshconnect2.c Wed Aug 31 19:41:45 2005 +++ openssh-4.2p1/sshconnect2.c Wed Aug 31 19:46:27 2005 @@ -25,6 +25,8 @@ #include "includes.h" RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $"); +#include "openbsd-compat/sys-queue.h" + #include "ssh.h" #include "ssh2.h" #include "xmalloc.h" @@ -754,7 +756,7 @@ * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST */ void -input_userauth_passwd_changereq(int type, uint32_t seqnr, void *ctxt) +input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) { Authctxt *authctxt = ctxt; char *info, *lang, *password = NULL, *retype = NULL; diff -ruN --exclude CVS ssh-openbsd-2005090100/sshd/Makefile openssh-4.2p1/sshd/Makefile --- ssh-openbsd-2005090100/sshd/Makefile Tue Aug 24 00:26:39 2004 +++ openssh-4.2p1/sshd/Makefile Thu Jan 1 10:00:00 1970 @@ -1,48 +0,0 @@ -# $OpenBSD: Makefile,v 1.64 2004/08/23 14:26:39 dtucker Exp $ - -.PATH: ${.CURDIR}/.. - -PROG= sshd -BINOWN= root -BINMODE=555 -BINDIR= /usr/sbin -MAN= sshd.8 sshd_config.5 -CFLAGS+=-DHAVE_LOGIN_CAP -DBSD_AUTH - -SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - sshpty.c sshlogin.c servconf.c serverloop.c \ - auth.c auth1.c auth2.c auth-options.c session.c \ - auth-chall.c auth2-chall.c groupaccess.c \ - auth-skey.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \ - auth2-none.c auth2-passwd.c auth2-pubkey.c \ - monitor_mm.c monitor.c monitor_wrap.c \ - kexdhs.c kexgexs.c - -.include # for KERBEROS and AFS - -.if (${KERBEROS5:L} == "yes") -CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI -SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c -.endif - -.include - -.if (${KERBEROS5:L} == "yes") -LDADD+= -lgssapi -lkrb5 -lkafs -DPADD+= ${LIBGSSAPI} ${LIBKRB5} -.endif - -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBDES} -LDADD+= -lcrypto -lutil -lz -ldes - -.if (${TCP_WRAPPERS:L} == "yes") -CFLAGS+= -DLIBWRAP -DPADD+= ${LIBWRAP} -LDADD+= -lwrap -.endif - -#.if (${SKEY:L} == "yes") -#CFLAGS+= -DSKEY -#DPADD+= ${SKEY} -#LDADD+= -lskey -#.endif diff -ruN --exclude CVS ssh-openbsd-2005090100/sshd.8 openssh-4.2p1/sshd.8 --- ssh-openbsd-2005090100/sshd.8 Sat Jul 16 11:31:07 2005 +++ openssh-4.2p1/sshd.8 Thu Jun 16 13:19:07 2005 @@ -105,12 +105,34 @@ .Pp Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using -.Em rhosts +.Em .rhosts authentication combined with RSA host authentication, RSA challenge-response authentication, or password based authentication. .Pp -System security is not improved unless +Regardless of the authentication type, the account is checked to +ensure that it is accessible. An account is not accessible if it is +locked, listed in +.Cm DenyUsers +or its group is listed in +.Cm DenyGroups +\&. The definition of a locked account is system dependant. Some platforms +have their own account database (eg AIX) and some modify the passwd field ( +.Ql \&*LK\&* +on Solaris, +.Ql \&* +on HP-UX, containing +.Ql Nologin +on Tru64 and a leading +.Ql \&!! +on Linux). If there is a requirement to disable password authentication +for the account while allowing still public-key, then the passwd field +should be set to something other than these values (eg +.Ql NP +or +.Ql \&*NP\&* +). +.Pp .Nm rshd , .Nm rlogind , and diff -ruN --exclude CVS ssh-openbsd-2005090100/sshd.c openssh-4.2p1/sshd.c --- ssh-openbsd-2005090100/sshd.c Tue Jul 26 21:48:33 2005 +++ openssh-4.2p1/sshd.c Tue Jul 26 21:54:56 2005 @@ -48,6 +48,10 @@ #include #include #include +#ifdef HAVE_SECUREWARE +#include +#include +#endif #include "ssh.h" #include "ssh1.h" @@ -129,6 +133,7 @@ /* Saved arguments to main(). */ char **saved_argv; +int saved_argc; /* re-exec */ int rexeced_flag = 0; @@ -622,7 +627,11 @@ static void privsep_postauth(Authctxt *authctxt) { +#ifdef DISABLE_FD_PASSING + if (1) { +#else if (authctxt->pw->pw_uid == 0 || options.use_login) { +#endif /* File descriptor passing is broken or root login */ monitor_apply_keystate(pmonitor); use_privsep = 0; @@ -765,7 +774,7 @@ usage(void) { fprintf(stderr, "%s, %s\n", - SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n" " [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" @@ -882,10 +891,29 @@ int ret, key_used = 0; Buffer cfg; - /* Save argv. */ - saved_argv = av; +#ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); +#endif + __progname = ssh_get_progname(av[0]); + init_rng(); + + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ + saved_argc = ac; rexec_argc = ac; + saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1)); + for (i = 0; i < ac; i++) + saved_argv[i] = xstrdup(av[i]); + saved_argv[i] = NULL; +#ifndef HAVE_SETPROCTITLE + /* Prepare for later setproctitle emulation */ + compat_init_setproctitle(ac, av); + av = saved_argv; +#endif + + if (geteuid() == 0 && setgroups(0, NULL) == -1) + debug("setgroups(): %.200s", strerror(errno)); + /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -1009,6 +1037,22 @@ SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag); + /* + * Unset KRB5CCNAME, otherwise the user's session may inherit it from + * root's environment + */ + if (getenv("KRB5CCNAME") != NULL) + unsetenv("KRB5CCNAME"); + +#ifdef _UNICOS + /* Cray can define user privs drop all privs now! + * Not needed on PRIV_SU systems! + */ + drop_cray_privs(); +#endif + + seed_rng(); + sensitive_data.server_key = NULL; sensitive_data.ssh1_host_key = NULL; sensitive_data.have_ssh1_key = 0; @@ -1039,7 +1083,7 @@ exit(1); } - debug("sshd version %.100s", SSH_VERSION); + debug("sshd version %.100s", SSH_RELEASE); /* load private host keys */ sensitive_data.host_keys = xmalloc(options.num_host_key_files * @@ -1118,7 +1162,14 @@ (S_ISDIR(st.st_mode) == 0)) fatal("Missing privilege separation directory: %s", _PATH_PRIVSEP_CHROOT_DIR); + +#ifdef HAVE_CYGWIN + if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && + (st.st_uid != getuid () || + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) +#else if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) +#endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); } @@ -1127,6 +1178,16 @@ if (test_flag) exit(0); + /* + * Clear out any supplemental groups we may have inherited. This + * prevents inadvertent creation of files with bad modes (in the + * portable version at least, it's certainly possible for PAM + * to create a file, and we can't control the code in every + * module which might be used). + */ + if (setgroups(0, NULL) < 0) + debug("setgroups() failed: %.200s", strerror(errno)); + if (rexec_flag) { rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2)); for (i = 0; i < rexec_argc; i++) { @@ -1246,8 +1307,9 @@ /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { - error("Bind to port %s on %s failed: %.200s.", - strport, ntop, strerror(errno)); + if (!ai->ai_next) + error("Bind to port %s on %s failed: %.200s.", + strport, ntop, strerror(errno)); close(listen_sock); continue; } @@ -1289,7 +1351,7 @@ * fail if there already is a daemon, and this will * overwrite any old pid in the file. */ - f = fopen(options.pid_file, "w"); + f = fopen(options.pid_file, "wb"); if (f == NULL) { error("Couldn't create pid file \"%s\": %s", options.pid_file, strerror(errno)); @@ -1497,8 +1559,15 @@ * setlogin() affects the entire process group. We don't * want the child to be able to affect the parent. */ +#if !defined(SSHD_ACQUIRES_CTTY) + /* + * If setsid is called, on some platforms sshd will later acquire a + * controlling terminal which will result in "could not set + * controlling tty" errors. + */ if (!debug_flag && !inetd_flag && setsid() < 0) error("setsid: %.100s", strerror(errno)); +#endif if (rexec_flag) { int fd; @@ -1551,6 +1620,7 @@ signal(SIGTERM, SIG_DFL); signal(SIGQUIT, SIG_DFL); signal(SIGCHLD, SIG_DFL); + signal(SIGINT, SIG_DFL); /* * Register our connection. This turns encryption off because we do @@ -1570,6 +1640,9 @@ } remote_ip = get_remote_ipaddr(); +#ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); +#endif #ifdef LIBWRAP /* Check whether logins are denied from this host. */ if (packet_connection_is_on_socket()) { @@ -1610,6 +1683,8 @@ authctxt = xmalloc(sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt)); + authctxt->loginmsg = &loginmsg; + /* XXX global for cleanup, access from other modules */ the_authctxt = authctxt; @@ -1639,6 +1714,10 @@ } authenticated: +#ifdef SSH_AUDIT_EVENTS + audit_event(SSH_AUTH_SUCCESS); +#endif + /* * In privilege separation, we fork another child and prepare * file descriptor passing. @@ -1655,6 +1734,16 @@ /* The connection has been terminated. */ verbose("Closing connection to %.100s", remote_ip); + +#ifdef USE_PAM + if (options.use_pam) + finish_pam(); +#endif /* USE_PAM */ + +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_CONNECTION_CLOSE)); +#endif + packet_close(); if (use_privsep) @@ -1950,5 +2039,10 @@ { if (the_authctxt) do_cleanup(the_authctxt); +#ifdef SSH_AUDIT_EVENTS + /* done after do_cleanup so it can cancel the PAM auth 'thread' */ + if (!use_privsep || mm_is_monitor()) + audit_event(SSH_CONNECTION_ABANDON); +#endif _exit(i); } diff -ruN --exclude CVS ssh-openbsd-2005090100/sshd_config openssh-4.2p1/sshd_config --- ssh-openbsd-2005090100/sshd_config Tue Jul 26 21:48:33 2005 +++ openssh-4.2p1/sshd_config Tue Jul 26 21:54:57 2005 @@ -3,6 +3,8 @@ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a @@ -66,6 +68,16 @@ # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication mechanism. +# Depending on your PAM configuration, this may bypass the setting of +# PasswordAuthentication, PermitEmptyPasswords, and +# "PermitRootLogin without-password". If you just want the PAM account and +# session checks to run without PAM authentication, then enable this but set +# ChallengeResponseAuthentication=no +#UsePAM no #AllowTcpForwarding yes #GatewayPorts no diff -ruN --exclude CVS ssh-openbsd-2005090100/sshd_config.5 openssh-4.2p1/sshd_config.5 --- ssh-openbsd-2005090100/sshd_config.5 Tue Jul 26 21:48:33 2005 +++ openssh-4.2p1/sshd_config.5 Tue Jul 26 21:54:57 2005 @@ -659,6 +659,27 @@ If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. +.It Cm UsePAM +Enables the Pluggable Authentication Module interface. +If set to +.Dq yes +this will enable PAM authentication using +.Cm ChallengeResponseAuthentication +and PAM account and session module processing for all authentication types. +.Pp +Because PAM challenge-response authentication usually serves an equivalent +role to password authentication, you should disable either +.Cm PasswordAuthentication +or +.Cm ChallengeResponseAuthentication. +.Pp +If +.Cm UsePAM +is enabled, you will not be able to run +.Xr sshd 8 +as a non-root user. +The default is +.Dq no . .It Cm UsePrivilegeSeparation Specifies whether .Nm sshd diff -ruN --exclude CVS ssh-openbsd-2005090100/sshlogin.c openssh-4.2p1/sshlogin.c --- ssh-openbsd-2005090100/sshlogin.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/sshlogin.c Fri Aug 13 21:21:47 2004 @@ -41,9 +41,7 @@ #include "includes.h" RCSID("$OpenBSD: sshlogin.c,v 1.13 2004/08/12 09:18:24 djm Exp $"); -#include -#include -#include "sshlogin.h" +#include "loginrec.h" #include "log.h" #include "buffer.h" #include "servconf.h" @@ -60,38 +58,11 @@ get_last_login_time(uid_t uid, const char *logname, char *buf, u_int bufsize) { - struct lastlog ll; - char *lastlog; - int fd; - off_t pos, r; + struct logininfo li; - lastlog = _PATH_LASTLOG; - buf[0] = '\0'; - - fd = open(lastlog, O_RDONLY); - if (fd < 0) - return 0; - - pos = (long) uid * sizeof(ll); - r = lseek(fd, pos, SEEK_SET); - if (r == -1) { - error("%s: lseek: %s", __func__, strerror(errno)); - return (0); - } - if (r != pos) { - debug("%s: truncated lastlog", __func__); - return (0); - } - if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) { - close(fd); - return 0; - } - close(fd); - if (bufsize > sizeof(ll.ll_host) + 1) - bufsize = sizeof(ll.ll_host) + 1; - strncpy(buf, ll.ll_host, bufsize - 1); - buf[bufsize - 1] = '\0'; - return ll.ll_time; + login_get_lastlog(&li, uid); + strlcpy(buf, li.hostname, bufsize); + return li.tv_sec; } /* @@ -104,6 +75,7 @@ char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512]; time_t last_login_time; +#ifndef NO_SSH_LASTLOG if (!options.print_lastlog) return; @@ -122,6 +94,7 @@ time_string, hostname); buffer_append(&loginmsg, buf, strlen(buf)); } +#endif /* NO_SSH_LASTLOG */ } /* @@ -132,51 +105,38 @@ record_login(pid_t pid, const char *tty, const char *user, uid_t uid, const char *host, struct sockaddr * addr, socklen_t addrlen) { - int fd; - struct lastlog ll; - char *lastlog; - struct utmp u; + struct logininfo *li; /* save previous login details before writing new */ store_lastlog_message(user, uid); - /* Construct an utmp/wtmp entry. */ - memset(&u, 0, sizeof(u)); - strncpy(u.ut_line, tty + 5, sizeof(u.ut_line)); - u.ut_time = time(NULL); - strncpy(u.ut_name, user, sizeof(u.ut_name)); - strncpy(u.ut_host, host, sizeof(u.ut_host)); + li = login_alloc_entry(pid, user, host, tty); + login_set_addr(li, addr, addrlen); + login_login(li); + login_free_entry(li); +} - login(&u); - lastlog = _PATH_LASTLOG; +#ifdef LOGIN_NEEDS_UTMPX +void +record_utmp_only(pid_t pid, const char *ttyname, const char *user, + const char *host, struct sockaddr * addr, socklen_t addrlen) +{ + struct logininfo *li; - /* Update lastlog unless actually recording a logout. */ - if (strcmp(user, "") != 0) { - /* - * It is safer to bzero the lastlog structure first because - * some systems might have some extra fields in it (e.g. SGI) - */ - memset(&ll, 0, sizeof(ll)); - - /* Update lastlog. */ - ll.ll_time = time(NULL); - strncpy(ll.ll_line, tty + 5, sizeof(ll.ll_line)); - strncpy(ll.ll_host, host, sizeof(ll.ll_host)); - fd = open(lastlog, O_RDWR); - if (fd >= 0) { - lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); - if (write(fd, &ll, sizeof(ll)) != sizeof(ll)) - logit("Could not write %.100s: %.100s", lastlog, strerror(errno)); - close(fd); - } - } + li = login_alloc_entry(pid, user, host, ttyname); + login_set_addr(li, addr, addrlen); + login_utmp_only(li); + login_free_entry(li); } +#endif /* Records that the user has logged out. */ void -record_logout(pid_t pid, const char *tty) +record_logout(pid_t pid, const char *tty, const char *user) { - const char *line = tty + 5; /* /dev/ttyq8 -> ttyq8 */ - if (logout(line)) - logwtmp(line, "", ""); + struct logininfo *li; + + li = login_alloc_entry(pid, user, NULL, tty); + login_logout(li); + login_free_entry(li); } diff -ruN --exclude CVS ssh-openbsd-2005090100/sshlogin.h openssh-4.2p1/sshlogin.h --- ssh-openbsd-2005090100/sshlogin.h Sat Jul 16 11:31:08 2005 +++ openssh-4.2p1/sshlogin.h Thu Jan 2 10:43:56 2003 @@ -17,7 +17,12 @@ void record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *, socklen_t); -void record_logout(pid_t, const char *); -u_long get_last_login_time(uid_t, const char *, char *, u_int); +void record_logout(pid_t, const char *, const char *); +u_long get_last_login_time(uid_t, const char *, char *, u_int); + +#ifdef LOGIN_NEEDS_UTMPX +void record_utmp_only(pid_t, const char *, const char *, const char *, + struct sockaddr *, socklen_t); +#endif #endif diff -ruN --exclude CVS ssh-openbsd-2005090100/sshpty.c openssh-4.2p1/sshpty.c --- ssh-openbsd-2005090100/sshpty.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/sshpty.c Fri May 27 21:13:41 2005 @@ -14,13 +14,16 @@ #include "includes.h" RCSID("$OpenBSD: sshpty.c,v 1.12 2004/06/21 17:36:31 avsm Exp $"); -#include +#ifdef HAVE_UTIL_H +# include +#endif /* HAVE_UTIL_H */ + #include "sshpty.h" #include "log.h" +#include "misc.h" -/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */ -#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY) -#undef HAVE_DEV_PTMX +#ifdef HAVE_PTY_H +# include #endif #ifndef O_NOCTTY @@ -37,15 +40,20 @@ int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) { - char buf[64]; + /* openpty(3) exists in OSF/1 and some other os'es */ + char *name; int i; - i = openpty(ptyfd, ttyfd, buf, NULL, NULL); + i = openpty(ptyfd, ttyfd, NULL, NULL, NULL); if (i < 0) { error("openpty: %.100s", strerror(errno)); return 0; } - strlcpy(namebuf, buf, namebuflen); /* possible truncation */ + name = ttyname(*ttyfd); + if (!name) + fatal("openpty returns device for which ttyname fails."); + + strlcpy(namebuf, name, namebuflen); /* possible truncation */ return 1; } @@ -66,7 +74,34 @@ pty_make_controlling_tty(int *ttyfd, const char *tty) { int fd; +#ifdef USE_VHANGUP + void *old; +#endif /* USE_VHANGUP */ +#ifdef _UNICOS + if (setsid() < 0) + error("setsid: %.100s", strerror(errno)); + + fd = open(tty, O_RDWR|O_NOCTTY); + if (fd != -1) { + signal(SIGHUP, SIG_IGN); + ioctl(fd, TCVHUP, (char *)NULL); + signal(SIGHUP, SIG_DFL); + setpgid(0, 0); + close(fd); + } else { + error("Failed to disconnect from controlling tty."); + } + + debug("Setting controlling tty using TCSETCTTY."); + ioctl(*ttyfd, TCSETCTTY, NULL); + fd = open("/dev/tty", O_RDWR); + if (fd < 0) + error("%.100s: %.100s", tty, strerror(errno)); + close(*ttyfd); + *ttyfd = fd; +#else /* _UNICOS */ + /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY fd = open(_PATH_TTY, O_RDWR | O_NOCTTY); @@ -93,12 +128,26 @@ if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0) error("ioctl(TIOCSCTTY): %.100s", strerror(errno)); #endif /* TIOCSCTTY */ +#ifdef NEED_SETPGRP + if (setpgrp(0,0) < 0) + error("SETPGRP %s",strerror(errno)); +#endif /* NEED_SETPGRP */ +#ifdef USE_VHANGUP + old = signal(SIGHUP, SIG_IGN); + vhangup(); + signal(SIGHUP, old); +#endif /* USE_VHANGUP */ fd = open(tty, O_RDWR); - if (fd < 0) + if (fd < 0) { error("%.100s: %.100s", tty, strerror(errno)); - else + } else { +#ifdef USE_VHANGUP + close(*ttyfd); + *ttyfd = fd; +#else /* USE_VHANGUP */ close(fd); - +#endif /* USE_VHANGUP */ + } /* Verify that we now have a controlling tty. */ fd = open(_PATH_TTY, O_WRONLY); if (fd < 0) @@ -106,6 +155,7 @@ strerror(errno)); else close(fd); +#endif /* _UNICOS */ } /* Changes the window size associated with the pty. */ diff -ruN --exclude CVS ssh-openbsd-2005090100/survey.sh.in openssh-4.2p1/survey.sh.in --- ssh-openbsd-2005090100/survey.sh.in Thu Jan 1 10:00:00 1970 +++ openssh-4.2p1/survey.sh.in Tue Feb 15 21:26:33 2005 @@ -0,0 +1,69 @@ +#!/bin/sh +# +# Copyright (c) 2004, 2005 Darren Tucker +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +host="@host@" +AWK="@AWK@" +CC="@CC@" +CPP="@CPP@" +CFLAGS="@CFLAGS@" +CPPFLAGS="@CPPFLAGS@" +LDFLAGS="@LDFLAGS@" +LIBS="@LIBS@" + +# Note format: +# identifier: [data] CRCR + +echo "openssh-survey-version: 1" +echo +echo "openssh-version: `./ssh -V 2>&1`" +echo +configinv=`$AWK '/^ \\\$.*configure/' config.log | sed 's/^ \\\$ //g'` +echo "configure-invocation: $configinv" +echo +echo "host: $host" +echo +echo "uname: `uname`" +echo +echo "uname-r: `uname -r`" +echo +echo "uname-m: `uname -m`" +echo +echo "uname-p: `uname -p`" +echo +echo "oslevel: `oslevel 2>/dev/null`" +echo +echo "oslevel-r: `oslevel -r 2>/dev/null`" +echo +echo "cc: $CC" +echo +echo "cflags: $CFLAGS" +echo +echo "cppflags: $CPPFLAGS" +echo +echo "ldflags: $LDFLAGS" +echo +echo "libs: $LIBS" +echo +echo "ccver-v: `$CC -v 2>&1 | sed '/^[ \t]*$/d'`" +echo +echo "ccver-V: `$CC -V 2>&1 | sed '/^[ \t]*$/d'`" +echo +echo "cppdefines:" +${CPP} -dM - pw_uid, (u_int)pw->pw_gid, (u_int)saved_euid, (u_int)saved_egid); +#ifndef HAVE_CYGWIN if (saved_euid != 0) { privileged = 0; return; } +#endif +#else + if (geteuid() != 0) { + privileged = 0; + return; + } +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + privileged = 1; temporarily_use_uid_effective = 1; - saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); + + saved_egroupslen = getgroups(0, NULL); if (saved_egroupslen < 0) fatal("getgroups: %.100s", strerror(errno)); + if (saved_egroupslen > 0) { + saved_egroups = xrealloc(saved_egroups, + saved_egroupslen * sizeof(gid_t)); + if (getgroups(saved_egroupslen, saved_egroups) < 0) + fatal("getgroups: %.100s", strerror(errno)); + } else { /* saved_egroupslen == 0 */ + if (saved_egroups != NULL) + xfree(saved_egroups); + } /* set and save the user's groups */ if (user_groupslen == -1) { if (initgroups(pw->pw_name, pw->pw_gid) < 0) fatal("initgroups: %s: %.100s", pw->pw_name, strerror(errno)); - user_groupslen = getgroups(NGROUPS_MAX, user_groups); + + user_groupslen = getgroups(0, NULL); if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); + if (user_groupslen > 0) { + user_groups = xrealloc(user_groups, + user_groupslen * sizeof(gid_t)); + if (getgroups(user_groupslen, user_groups) < 0) + fatal("getgroups: %.100s", strerror(errno)); + } else { /* user_groupslen == 0 */ + if (user_groups) + xfree(user_groups); + } } /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); +#ifndef SAVED_IDS_WORK_WITH_SETEUID + /* Propagate the privileged gid to all of our gids. */ + if (setgid(getegid()) < 0) + debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); + /* Propagate the privileged uid to all of our uids. */ + if (setuid(geteuid()) < 0) + debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ if (setegid(pw->pw_gid) < 0) fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); @@ -93,14 +136,26 @@ } if (!temporarily_use_uid_effective) fatal("restore_uid: temporarily_use_uid not effective"); + +#ifdef SAVED_IDS_WORK_WITH_SETEUID debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid); /* Set the effective uid back to the saved privileged uid. */ if (seteuid(saved_euid) < 0) fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno)); - if (setgroups(saved_egroupslen, saved_egroups) < 0) - fatal("setgroups: %.100s", strerror(errno)); if (setegid(saved_egid) < 0) fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno)); +#else /* SAVED_IDS_WORK_WITH_SETEUID */ + /* + * We are unable to restore the real uid to its unprivileged value. + * Propagate the real uid (usually more privileged) to effective uid + * as well. + */ + setuid(getuid()); + setgid(getgid()); +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + + if (setgroups(saved_egroupslen, saved_egroups) < 0) + fatal("setgroups: %.100s", strerror(errno)); temporarily_use_uid_effective = 0; } @@ -111,16 +166,67 @@ void permanently_set_uid(struct passwd *pw) { + uid_t old_uid = getuid(); + gid_t old_gid = getgid(); + if (temporarily_use_uid_effective) fatal("permanently_set_uid: temporarily_use_uid effective"); debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); + +#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) + fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); +#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID) + if (setregid(pw->pw_gid, pw->pw_gid) < 0) + fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); +#else if (setegid(pw->pw_gid) < 0) fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); if (setgid(pw->pw_gid) < 0) fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); +#endif + +#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) + if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) + fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); +#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) + if (setreuid(pw->pw_uid, pw->pw_uid) < 0) + fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); +#else +# ifndef SETEUID_BREAKS_SETUID if (seteuid(pw->pw_uid) < 0) fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); +# endif if (setuid(pw->pw_uid) < 0) fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); +#endif + +#ifndef HAVE_CYGWIN + /* Try restoration of GID if changed (test clearing of saved gid) */ + if (old_gid != pw->pw_gid && pw->pw_uid != 0 && + (setgid(old_gid) != -1 || setegid(old_gid) != -1)) + fatal("%s: was able to restore old [e]gid", __func__); +#endif + + /* Verify GID drop was successful */ + if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) { + fatal("%s: egid incorrect gid:%u egid:%u (should be %u)", + __func__, (u_int)getgid(), (u_int)getegid(), + (u_int)pw->pw_gid); + } + +#ifndef HAVE_CYGWIN + /* Try restoration of UID if changed (test clearing of saved uid) */ + if (old_uid != pw->pw_uid && + (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) + fatal("%s: was able to restore old [e]uid", __func__); +#endif + + /* Verify UID drop was successful */ + if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) { + fatal("%s: euid incorrect uid:%u euid:%u (should be %u)", + __func__, (u_int)getuid(), (u_int)geteuid(), + (u_int)pw->pw_uid); + } } diff -ruN --exclude CVS ssh-openbsd-2005090100/uuencode.c openssh-4.2p1/uuencode.c --- ssh-openbsd-2005090100/uuencode.c Sat Jul 16 11:32:10 2005 +++ openssh-4.2p1/uuencode.c Mon Nov 17 21:18:23 2003 @@ -28,8 +28,6 @@ #include "xmalloc.h" #include "uuencode.h" -#include - int uuencode(const u_char *src, u_int srclength, char *target, size_t targsize) diff -ruN --exclude CVS ssh-openbsd-2005090100/version.h openssh-4.2p1/version.h --- ssh-openbsd-2005090100/version.h Wed Aug 31 19:41:45 2005 +++ openssh-4.2p1/version.h Wed Aug 31 19:47:07 2005 @@ -1,3 +1,6 @@ /* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */ #define SSH_VERSION "OpenSSH_4.2" + +#define SSH_PORTABLE "p1" +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE